Reverse Engineering Asked by Hai Zhang on September 30, 2021
I’m trying to patch a function in a Windows x86 DLL, however it turned out that I need a static variable to store some state that wasn’t correctly preserved by the original executable across calls.
I know that typically a static variable is stored in the .data segment or in the .bss segment, and in the PE file headers' SizeOf(Un)InitializedData fields. However, I'm having a hard time finding out how to write the address of the added space in x86 assembly. Basically, I'm assuming that it would be something like mov eax, dword ptr ds:[??], but I don't know what ?? I should put there.
The other way around would be to hack and re-use some memory area inside the .data segment that hopefully isn't actually used. I tried to do this by looking at the Memory layout tab in x32dbg and finding the .data segment address of the loaded DLL, then taking an address somewhere near the end. This approach would work for seconds and the memory was indeed written, but the program crashes shortly afterwards due to some exception in RtlFreeHeap(), which I'm also confused about because I supposed it's the .data segment, not the heap.
Could someone help me understand how to do this?
Inspecting the .bss with Ghidra will surely allow you to understand who is referencing what.

Without symbols it could be hard to infer whether allegedly unused space within the segment is part of more complex structures.

For this reason I suggest extending it via IDA or any PE editor. Once you have the space, you can use the cross-references previously inferred to compute the address to use. You have to mimic the pattern, just increasing the reference value by the difference between your newly allocated space (the first byte) and the cross-reference you chose (the first byte).
Answered by Yennefer on September 30, 2021
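As an added example (not code from the question or the answer), a Python sketch of the "extend the section, then compute the address" approach the answer describes: it grows the VirtualSize of .data inside the slack the loader already maps, and returns the absolute address to put in the mov operand. The PE image it works on is a constructed, header-only sample, not a real DLL.

```python
import struct

def section_table(pe: bytes):
    """PE32 only: return (ImageBase, SectionAlignment, [section dicts])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt = coff + 20
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:  # 0x10B = PE32; PE32+ lays ImageBase out differently
        raise ValueError("only PE32 (x86) handled")
    image_base, align = struct.unpack_from("<II", pe, opt + 28)  # ImageBase @+28, SectionAlignment @+32
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        vsize, va = struct.unpack_from("<II", pe, off + 8)
        secs.append({"name": pe[off:off + 8].rstrip(b"\0"), "vsize": vsize, "va": va, "hdr": off})
    return image_base, align, secs

def reserve_static(pe: bytes, name: bytes, nbytes: int):
    """Grow VirtualSize of `name` by nbytes without moving anything else.
    The loader maps whole pages and zero-fills bytes past SizeOfRawData, so the
    slot is already in memory (like .bss). Returns (patched image, absolute VA of slot)."""
    image_base, align, secs = section_table(pe)
    idx = next(i for i, s in enumerate(secs) if s["name"] == name)
    s = secs[idx]
    limit = -(-s["vsize"] // align) * align          # end of the section's aligned span
    if idx + 1 < len(secs):                           # and never overlap the next section
        limit = min(limit, secs[idx + 1]["va"] - s["va"])
    if s["vsize"] + nbytes > limit:
        raise ValueError("no slack in %r; enlarge/move the section with a PE editor" % name)
    out = bytearray(pe)
    struct.pack_into("<I", out, s["hdr"] + 8, s["vsize"] + nbytes)   # VirtualSize field
    # Absolute VA for `mov eax, dword ptr ds:[VA]`. In a DLL that imm32 must be covered by a
    # base relocation (reuse a relocated instruction or add a .reloc entry) or rebasing breaks it.
    return bytes(out), image_base + s["va"] + s["vsize"]

def sample_pe32() -> bytes:
    """Constructed header-only PE32 (not a real DLL): .text at RVA 0x1000, .data at RVA 0x2000."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 28, 0x10000000, 0x1000)   # ImageBase, SectionAlignment
    def sh(n, vsize, va, raw, ptr): return struct.pack("<8sIIIIIIHHI", n, vsize, va, raw, ptr, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sh(b".text", 0x500, 0x1000, 0x600, 0x400) + sh(b".data", 0xFF8, 0x2000, 0x200, 0xA00)
```

With the sample image, `reserve_static(sample_pe32(), b".data", 4)` yields slot address 0x10002FF8; asking for 9 bytes fails because the section's last page is full and the section itself would have to be enlarged.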