Reverse Engineering Asked on June 4, 2021
I have a program which creates a hard-coded number of objects. I patched the binary so that now it can attempt to create more objects than the limit allows, however when it does it allocates them to memory that wasn’t supposed to be originally written to in the .data
section. Here’s an illustration:
I’m wondering what approach I should use tackle this. Right now, I used CFF Explorer to create a an exact copy of the .data
section, called .dataex
, which has double the size of .data
, and put it at the end of the binary:
My initial thought was that there is possibly some way to "shift" the references down so that the program will use the ones in .dataex
, and then do another "shift", but this time only from .dataex + n
. That way, there is more free space which the program can use to create new objects.
I realise I may be missing/overlooking/misunderstanding many things here, so please let me know if what I want to do is even possible, or if there exists a simpler solution.
Sounds possible, the difficulty of achieving it I think would depend on:
If it's just a small number of references and allocations then it might not matter which method you use - the easiest and fastest would be the best I guess.
If that isn't the case then the next best might be where the allocation is through an allocation function and the references are all indirect. In that case there's no need to fix the references and you'd just need to patch the allocator - to use your custom memory.
If the allocation is inline or the access is direct then fixing the allocations and references might be done with relative ease if they are done using references which are resolved during the loading of the program - i.e relocations (https://docs.oracle.com/cd/E23824_01/html/819-0690/chapter6-54839.html). You might then iterate over all the relocations in the relocations section and modifying the ones that refer to the objects structure in the .data
section to point to your new .dataex
section.
You also might want to take a look at lief (https://lief.quarkslab.com/). I haven't found your specific use case - but it might help with the boilport in implementing your solution.
Correct answer by Moshe Green on June 4, 2021
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP