修改十六进制的 exe 后,push 指令中的地址发生变化
在 Windows 7、32 位家庭专业版上运行
我在 Visual Studio 2008 中创建了一个非常简单的几行应用程序,在发布模式下与标准库编译并链接到可执行文件 test.exe。
c 中的代码如下:
char* test = "h";
int main()
{
_asm
{
push 0xFEEDBACC;
}
MessageBoxA(0,test,test,0);
}
其结果是在 VS2008 中查看的以下机器代码和相应的程序集(下面重新设置地址,正常起始虚拟地址为 0x4001000)
char* test = "h";
int main()
{
_asm
{
push 0xFEEDBACC;
00261000 68 CC BA ED FE push 0FEEDBACCh
}
MessageBoxA(0,test,test,0);
00261005 6A 00 push 0
00261007 68 F4 20 26 00 push offset string "h" (2620F4h)
0026100C 68 F4 20 26 00 push offset string "h" (2620F4h)
00261011 6A 00 push 0
00261013 FF 15 A4 20 26 00 call dword ptr [__imp__MessageBoxA@16 (2620A4h)]
}
现在我不想调用 MessageBox,而是将另一个字符串“h”向右推在push 0之后,所以使用hexedit我搜索包含FF15A420的部分...并将其覆盖为现在
90 68 CC BA ED FE
,如果我在IDA free中打开可执行文件,我会在我的.text部分中看到以下内容:
.text:00401000 push 0FEEDBACCh
.text:00401005 push 0
.text:00401007 push offset unk_4020F4
.text:0040100C push offset unk_4020F4
.text:00401011 push 0FFFFFF90h
.text:00401013 nop
.text:00401014 push 0FEEDBACCh
.text:00401019 retn
到目前为止,这看起来不错,我请参阅 0x401014 我的新推送声明。
现在,如果我在IDA free中调试exe突然我看到我的代码发生了变化(见下文),push 0FEEDBACC变成push 0FFA4BACC并且我不明白为什么前2个字节是改变了。
.text:00F71000 push 0FEEDBACCh
.text:00F71005 push 0
.text:00F71007 push offset unk_F720F4
.text:00F7100C push offset unk_F720F4
.text:00F71011 push 0FFFFFF90h
.text:00F71013 nop
.text:00F71014 push 0FFA4BACCh // im puzzled!
谁能解释一下这里发生了什么以及为什么我正在推送的数字会被修改?我尝试更改该地址的起始物理字节(怀疑某种对齐问题),但似乎没有什么区别。
谢谢,
斯基蒙
running on windows 7, 32bit home pro
I created a very simple few line app in visual studio 2008 , compiled and linked with standard libraries in release mode into executable test.exe.
The code in c is as follows:
char* test = "h";
int main()
{
_asm
{
push 0xFEEDBACC;
}
MessageBoxA(0,test,test,0);
}
which results in the following machine code and corresponding assembly as viewed in VS2008 (addresses rebased below, normal starting virtual address of 0x4001000)
char* test = "h";
int main()
{
_asm
{
push 0xFEEDBACC;
00261000 68 CC BA ED FE push 0FEEDBACCh
}
MessageBoxA(0,test,test,0);
00261005 6A 00 push 0
00261007 68 F4 20 26 00 push offset string "h" (2620F4h)
0026100C 68 F4 20 26 00 push offset string "h" (2620F4h)
00261011 6A 00 push 0
00261013 FF 15 A4 20 26 00 call dword ptr [__imp__MessageBoxA@16 (2620A4h)]
}
Now instead of calling MessageBox I want instead to push another string "h" right after the push 0, so using hexedit I search for the section containing FF15A420... and overwrite it to become
90 68 CC BA ED FE
Now if I open up the executable in IDA free i see the following in my .text section:
.text:00401000 push 0FEEDBACCh
.text:00401005 push 0
.text:00401007 push offset unk_4020F4
.text:0040100C push offset unk_4020F4
.text:00401011 push 0FFFFFF90h
.text:00401013 nop
.text:00401014 push 0FEEDBACCh
.text:00401019 retn
this looks good so far , i see at 0x401014 my new push statement.
Now, if I debug the exe in IDA free suddenly I see my code changes (see below) the push 0FEEDBACC becomes push 0FFA4BACC and I cant see why the first 2 bytes are changed.
.text:00F71000 push 0FEEDBACCh
.text:00F71005 push 0
.text:00F71007 push offset unk_F720F4
.text:00F7100C push offset unk_F720F4
.text:00F71011 push 0FFFFFF90h
.text:00F71013 nop
.text:00F71014 push 0FFA4BACCh // im puzzled!
Can anyone explain what is going on here and why the number I am pushing on is getting modified? I tried changing the starting physical byte of this address (suspecting some sort of alignment issue) but it didnt seem to make a difference.
Thanks,
skimon
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
最后两个屏幕之间的图像基础也发生了变化。
我认为它刚刚被重新定位(曾经有一个地址):0x15处的双字:
A4 20 26 00指向IAT,因此在重新定位后,其高位字(字节0x17 0x18)将被修改添加0x00F7 - 0x0040 = 0x00B7 即可。
尝试禁用基于图像的随机化(或仅删除重定位)。
The image base was changed too between the last two screens.
I think that it just got relocated (there used to be an address): the dword at 0x15:
A4 20 26 00points to IAT, so after relocation its high word (bytes 0x17 0x18) will be modified by adding0x00F7 - 0x0040 = 0x00B7 to it.
Try disabling image-base randomization (or just remove the relocations).