Expanding .data section at particular area
Reverse Engineering Asked on June 4, 2021
I have a program which creates a hard-coded number of objects. I patched the binary so that now it can attempt to create more objects than the limit allows, however when it does it allocates them to memory that wasn’t supposed to be originally written to in the .data section. Here’s an illustration:
I’m wondering what approach I should use tackle this. Right now, I used CFF Explorer to create a an exact copy of the .data section, called .dataex, which has double the size of .data, and put it at the end of the binary:
My initial thought was that there is possibly some way to "shift" the references down so that the program will use the ones in .dataex, and then do another "shift", but this time only from .dataex + n. That way, there is more free space which the program can use to create new objects.
I realise I may be missing/overlooking/misunderstanding many things here, so please let me know if what I want to do is even possible, or if there exists a simpler solution.
One Answer
Sounds possible, the difficulty of achieving it I think would depend on:
- how the objects are allocated (inline access vs allocator)
- the type of references (direct addressing vs indirect)
- the amount of references that there are to the objects
If it's just a small number of references and allocations then it might not matter which method you use - the easiest and fastest would be the best I guess.
If that isn't the case then the next best might be where the allocation is through an allocation function and the references are all indirect. In that case there's no need to fix the references and you'd just need to patch the allocator - to use your custom memory.
If the allocation is inline or the access is direct then fixing the allocations and references might be done with relative ease if they are done using references which are resolved during the loading of the program - i.e relocations (https://docs.oracle.com/cd/E23824_01/html/819-0690/chapter6-54839.html). You might then iterate over all the relocations in the relocations section and modifying the ones that refer to the objects structure in the .data section to point to your new .dataex section.
You also might want to take a look at lief (https://lief.quarkslab.com/). I haven't found your specific use case - but it might help with the boilport in implementing your solution.
Correct answer by Moshe Green on June 4, 2021
Add your own answers!
Ask a Question
Get help from others!
Recent Answers
- Peter Machado on Why fry rice before boiling?
- Lex on Does Google Analytics track 404 page responses as valid page views?
- Joshua Engel on Why fry rice before boiling?
- haakon.io on Why fry rice before boiling?
- Jon Church on Why fry rice before boiling?
Recent Questions
- How can I transform graph image into a tikzpicture LaTeX code?
- How Do I Get The Ifruit App Off Of Gta 5 / Grand Theft Auto 5
- Iv’e designed a space elevator using a series of lasers. do you know anybody i could submit the designs too that could manufacture the concept and put it to use
- Need help finding a book. Female OP protagonist, magic
- Why is the WWF pending games (“Your turn”) area replaced w/ a column of “Bonus & Reward”gift boxes?