BugTraq
Re: Preventing exploitation with rebasing Feb 05 2003 10:29AM
David Litchfield (david ngssoftware com) (4 replies)
Re: Preventing exploitation with rebasing Feb 05 2003 10:43PM
Bugtraq User (bq soft-analysts com)
Re: Preventing exploitation with rebasing Feb 05 2003 09:30PM
Todd Sabin (tsabin optonline net) (1 replies)
Re: Preventing exploitation with rebasing Feb 06 2003 12:07AM
Seth Breidbart (sethb panix com) (2 replies)
Re: Preventing exploitation with rebasing Feb 06 2003 11:29PM
Carolyn Meinel (cmeinel techbroker com)
Re: Preventing exploitation with rebasing Feb 06 2003 05:50PM
Richard Moore (rich westpoint ltd uk)
Re: Preventing exploitation with rebasing Feb 05 2003 08:48PM
D.C. van Moolenbroek (dc van moolenbroek chello nl)
First, your "push 0x0042001C" instruction might also happen to push a
number, instead of an offset. How do you distinguish between offsets and
numbers?

Second, what about jump tables? How are you going to relocate code like this?
Sure, the offset to the jump table is easy, but what about the jump table
itself?

cmp ebx,256                  ; bounds check on the table index
jae <my_error_handler>       ; unsigned compare, so a "negative" ebx is rejected too
call [0x004200C0 + ebx*4]    ; indirect call through a table of absolute addresses

It might even get much more tricky than that. As an example, suppose the
first line ended with "eax" instead of "256"... suppose the jump table was
followed by a Unicode string... and then suppose that eax was filled with a
value just read from a file/socket/etc. Unrealistic? I don't think so. Try
to find the end of the jump table in this case!

Remember, relocation has to be perfect in order to work. No mistakes are
allowed. And without .reloc data, your relocator will have to start
guessing, which *will* result in mistakes.

Regards,

David (yes another one)

"David Litchfield" wrote:
> Going back to exe image files and rebasing. Surely they can be rebased even
> without a .reloc section? All I need to do is edit the image base in the PE
> header then parse the assembly looking for absolute addresses such as
> function addresses, static variables etc and modify these addresses, too.
>
> For example assume an image base for an exe is 0x00400000 and the c code
> does
>
> printf("hello");
>
> This will generate something like
>
> push 0x0042001C // push pointer to hello
> call 0x00401060 // call printf
>
> If I then make the image base 0x00410000 and I also change
>
> push 0x0042001C
> call 0x00401060
>
> to become
>
> push 0x0043001C
> call 0x00411060
>
> then the exe should still run (as long as you get all the absolute
> addresses) and it has been rebased.
>
> ?
> David
>

--
class sig{static void main(String[]s){for// D.C. van Moolenbroek
(int _=0;19>_;System.out.print((char)(52^// (CS student, VU, NL)
"Y`KbddaZ}`P#KJ#caBG".charAt(_++)-9)));}}// -Java sigs look bad-

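To make the two failure modes in the reply concrete, here is an added C example; it is not code from either David's post or from any real relocator. It builds a small constructed image fragment (a push of a string pointer, a push of the number 4 MiB, a relative call, a two-entry jump table and a UTF-16 string right behind the table) and rebases it twice: once with the fixup list a .reloc section would have carried, and once by guessing that every 32-bit value inside the old image range is an address. The image base 0x00400000, the new base 0x00410000 and the 0x30000 image size are assumptions chosen to match the quoted post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for the toy: an exe loaded at 0x00400000 spanning 0x30000 bytes,
 * rebased to 0x00410000 (delta 0x10000), as in the thread. */
#define OLD_BASE   0x00400000u
#define IMAGE_SIZE 0x00030000u
#define NEW_BASE   0x00410000u
#define DELTA      (NEW_BASE - OLD_BASE)

/* Constructed image fragment (not a real binary): offset 0x00 is code, 0x0F is a
 * two-entry jump table, 0x17 is a UTF-16LE string that directly follows the table. */
static const uint8_t image_template[] = {
    0x68, 0x1C, 0x00, 0x42, 0x00,              /* 00: push 0x0042001C  pointer to "hello": needs fixup */
    0x68, 0x00, 0x00, 0x40, 0x00,              /* 05: push 0x00400000  the number 4 MiB (a size): no fixup */
    0xE8, 0xF1, 0x0F, 0x00, 0x00,              /* 0A: call +0x0FF1     relative: no fixup */
    0x10, 0x10, 0x40, 0x00,                    /* 0F: dd 0x00401010    jump table entry 0: needs fixup */
    0x20, 0x10, 0x40, 0x00,                    /* 13: dd 0x00401020    jump table entry 1: needs fixup */
    '@', 0, 'A', 0, 'c', 0, 'm', 0, 'e', 0, 0, 0 /* 17: L"@Acme"         data right behind the table */
};
#define IMAGE_LEN (sizeof image_template)

/* What a .reloc section would record for this fragment: the offset of every
 * 32-bit absolute address (HIGHLOW fixups) and nothing else. */
static const size_t reloc_offsets[] = { 0x01, 0x0F, 0x13 };
#define N_RELOCS (sizeof reloc_offsets / sizeof reloc_offsets[0])

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Rebase the way the loader does: apply exactly the fixups the linker recorded. */
static size_t rebase_with_reloc(uint8_t *img) {
    for (size_t i = 0; i < N_RELOCS; i++)
        wr32(img + reloc_offsets[i], rd32(img + reloc_offsets[i]) + DELTA);
    return N_RELOCS;
}

/* Rebase by guessing: any 32-bit value that falls inside the old image is taken
 * for an absolute address and shifted by DELTA. Returns the number of sites
 * patched; their offsets go to `hits` (at most max_hits of them). */
static size_t rebase_by_guessing(uint8_t *img, size_t len, size_t *hits, size_t max_hits) {
    size_t n = 0;
    for (size_t off = 0; off + 4 <= len; ) {
        uint32_t v = rd32(img + off);
        if (v >= OLD_BASE && v < OLD_BASE + IMAGE_SIZE) {
            wr32(img + off, v + DELTA);
            if (n < max_hits) hits[n] = off;
            n++;
            off += 4;          /* consume the 4 bytes as one operand */
        } else {
            off++;
        }
    }
    return n;
}

/* Run the guessing relocator on a fresh copy of the template. */
static size_t guess_hits(uint8_t *out, size_t *hits, size_t max_hits) {
    memcpy(out, image_template, IMAGE_LEN);
    return rebase_by_guessing(out, IMAGE_LEN, hits, max_hits);
}

/* Bytes that differ between the guessed rebase and the .reloc-driven one. */
static size_t count_mismatched_bytes(void) {
    uint8_t truth[IMAGE_LEN], guess[IMAGE_LEN];
    size_t hits[16], diff = 0;
    memcpy(truth, image_template, IMAGE_LEN);
    rebase_with_reloc(truth);
    guess_hits(guess, hits, 16);
    for (size_t i = 0; i < IMAGE_LEN; i++) diff += truth[i] != guess[i];
    return diff;
}

int main(void) {
    uint8_t img[IMAGE_LEN];
    size_t hits[16];
    size_t n = guess_hits(img, hits, 16);
    printf("guessing relocator patched %zu sites (linker recorded %zu):\n", n, N_RELOCS);
    for (size_t i = 0; i < n && i < 16; i++) {
        int real = 0;
        for (size_t j = 0; j < N_RELOCS; j++) real |= (hits[i] == reloc_offsets[j]);
        printf("  offset 0x%02zx -> 0x%08x %s\n", hits[i], rd32(img + hits[i]),
               real ? "(real address)" : "(WRONG: not an address)");
    }
    printf("4 MiB size constant is now 0x%08x; string is now L\"%c%c%c%c%c\"\n",
           rd32(img + 0x06), img[0x17], img[0x19], img[0x1B], img[0x1D], img[0x1F]);
    printf("%zu byte(s) differ from the .reloc-driven rebase\n", count_mismatched_bytes());
    return 0;
}
```

Build with `cc -std=c99 rebase_guess.c && ./a.out`. The guessing pass reports five hits where the linker recorded three: the push of 4 MiB (0x00400000, which happens to equal the image base) is "fixed" to 0x00410000, so the program would later ask for 4 MiB plus 64 KiB, and the L"@Acme" behind the jump table turns into L"@Bcme" because the UTF-16 pair '@','A' reads as 0x00410040, a value inside the image. Decoding instructions properly does not rescue the first case, since a push of a pointer and a push of a number assemble to the same bytes, and the second case is not code at all, which is why the loader relies on the linker's fixup list rather than on pattern matching.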
Re: Preventing exploitation with rebasing Feb 05 2003 08:36PM
Michal Zalewski (lcamtuf coredump cx)


 

Copyright 2010, SecurityFocus