shinyquagsire23 / OpenJKDF2

A cross-platform reimplementation of JKDF2 in C
493 stars 39 forks

Question over the JK.EXE patching #257

Closed tim-tim707 closed 1 year ago

tim-tim707 commented 1 year ago

I looked into the assembly from the JK-hook.ips and I don't understand how it can work.

Here is the code:

// code of the JK-hook.ips
68 70 E7 50 00             push  0x50e770 // df2_reimpl.dll
FF 15 98 05 8F 00          call  dword ptr [0x8f0598] // LoadLibraryA
68 80 E7 50 00             push  0x50e780 // hook_init_win
50                         push  eax
FF 15 1C 05 8F 00          call  dword ptr [0x8f051c] // GetProcAddress
FF E0                      jmp   eax
C3                         ret

// padding
00 00                      add   byte ptr [eax], al
00 00                      add   byte ptr [eax], al
00 00                      add   byte ptr [eax], al

// Here, two strings df2_reimpl.dll and hook_init_win in hex
64 66 32 5F 72             xor   bl, byte ptr fs:[edi + 0x72]
65 69 6D 70 6C 2E 64 6C    imul  ebp, dword ptr gs:[ebp + 0x70], 0x6c642e6c
6C                         insb  byte ptr es:[edi], dx
00 00                      add   byte ptr [eax], al
68 6F 6F 6B 5F             push  0x5f6b6f6f
69 6E 69 74 5F 77 69       imul  ebp, dword ptr [esi + 0x69], 0x69775f74
6E                         outsb dx, byte ptr [esi]
00 00                      add   byte ptr [eax], al

I've managed to call LoadLibraryA and GetProcAddress on a test file on my own, and patched manually an equivalent Window_Main function.

However, I have no idea how to get the offsets for both push instructions that push the injected strings on the stack. The addresses in the original ips file are hardcoded, but in my tests I always have ASLR changing the addresses every time I run the program. How could this work? (I'm a beginner in both assembly and reversing.)

How can I obtain the addresses specific to my program? Is there a way to do a push instruction relative to $rip to push the address of a value (our char*) n bytes down from the current instruction (about 20 bytes in this example)?

Thanks in advance

tim-tim707 commented 1 year ago

I learned more about relocation and dynamic linking, which I was probably confusing before. I'm trying to edit a static file where some addresses will get dynamically linked here.

Still trying things. Apparently I could put the string on the stack using multiple movs and then push much more easily. I still don't understand how I could push with an absolute address, though.

tim-tim707 commented 1 year ago

In my current understanding, the patch only works with ASLR disabled, which it is on wine, but not on Windows.

I wonder how I could make a similar patch work under ASLR in Windows. Maybe patching the relocation table is the way.

tim-tim707 commented 1 year ago

Found a way in Windows using this article: https://www.ired.team/offensive-security/code-injection-process-injection/finding-kernel32-base-and-function-addresses-in-shellcode. I adapted it to use LoadLibrary and GetProcAddress and it works properly.
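The following is an added worked example, not code from OpenJKDF2 or from anyone in this thread. It re-encodes the stub from the JK-hook.ips listing byte for byte, records where its absolute 32-bit operands sit (the two string pushes and the two IAT slot references), simulates the IMAGE_REL_BASED_HIGHLOW fixups the Windows loader applies when an image is not loaded at its preferred base (the ".reloc" route from the third comment), and then builds a position-independent variant that locates the strings relative to EIP with the 32-bit call/pop idiom, which is the closest x86-32 has to the RIP-relative push asked about in the question. The constants are the ones visible in the listing; the layout and register choices of the position-independent variant are this example's own, and the two byte strings are constructed from the listing. Note that even the position-independent variant still contains the two absolute IAT slot addresses, so under ASLR those two dwords need relocation entries or must be resolved at runtime, which is why the final comment ends up walking the PEB for kernel32 instead.

```python
import struct

# Constants taken from the JK-hook.ips disassembly in the question above.
# They are virtual addresses that are only valid when JK.EXE is loaded at
# its preferred image base (i.e. no ASLR relocation has happened).
DLL_NAME_VA = 0x50E770         # address of "df2_reimpl.dll"
PROC_NAME_VA = 0x50E780        # address of "hook_init_win"
IAT_LOADLIBRARYA = 0x8F0598    # IAT slot holding &LoadLibraryA
IAT_GETPROCADDRESS = 0x8F051C  # IAT slot holding &GetProcAddress


def u32(value):
    """Little-endian dword exactly as it appears in the x86 instruction stream."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def encode_hook_stub(dll_va, proc_va, loadlib_slot, getproc_slot):
    """Re-encode the stub from the listing.

    Returns (code, fixups). `fixups` are byte offsets of every absolute
    32-bit operand in `code`: the dwords a HIGHLOW entry in .reloc would
    describe and the loader would adjust if the image were rebased.
    """
    code = bytearray()
    fixups = []

    def push_imm32(va):
        fixups.append(len(code) + 1)            # imm32 follows the 0x68 opcode
        code.extend(b"\x68" + u32(va))          # push imm32

    def call_mem32(slot):
        fixups.append(len(code) + 2)            # disp32 follows FF 15
        code.extend(b"\xFF\x15" + u32(slot))    # call dword ptr [slot]

    push_imm32(dll_va)          # push "df2_reimpl.dll"
    call_mem32(loadlib_slot)    # call [LoadLibraryA]    -> eax = HMODULE
    push_imm32(proc_va)         # push "hook_init_win"
    code.extend(b"\x50")        # push eax (hModule)
    call_mem32(getproc_slot)    # call [GetProcAddress]  -> eax = &hook_init_win
    code.extend(b"\xFF\xE0")    # jmp eax
    code.extend(b"\xC3")        # ret (unreached, as in the listing)
    return bytes(code), fixups


def apply_highlow_fixups(code, fixups, delta):
    """What the loader does for IMAGE_REL_BASED_HIGHLOW: add
    (actual_base - preferred_base) to every listed absolute dword."""
    patched = bytearray(code)
    for off in fixups:
        (old,) = struct.unpack_from("<I", patched, off)
        struct.pack_into("<I", patched, off, (old + delta) & 0xFFFFFFFF)
    return bytes(patched)


def encode_pic_hook_stub(dll_name, proc_name, loadlib_slot, getproc_slot):
    """Position-independent variant (this example's own design).

    The strings travel inside the stub and are addressed relative to EIP via
    call/pop, so no absolute string address is baked in. Only the two IAT
    slot operands stay absolute; they are returned as fixups. Only eax/ecx
    are touched, both caller-saved in stdcall, so no register needs saving.
    """
    code = bytearray()
    fixups = []
    CODE_LEN = 35                         # bytes of code before the strings
    dll_off = CODE_LEN
    proc_off = dll_off + len(dll_name) + 1
    anchor = 5                            # offset popped into eax (byte after the call)

    code.extend(b"\xE8" + u32(0))         # call next  (pushes VA of offset 5)
    code.extend(b"\x58")                  # next: pop eax -> eax = VA of offset 5
    code.extend(b"\x8D\x88" + u32(proc_off - anchor))  # lea ecx,[eax+disp] ; &proc_name
    code.extend(b"\x51")                  # push ecx  (2nd arg of GetProcAddress, pushed first)
    code.extend(b"\x8D\x88" + u32(dll_off - anchor))   # lea ecx,[eax+disp] ; &dll_name
    code.extend(b"\x51")                  # push ecx  (arg of LoadLibraryA)
    fixups.append(len(code) + 2)
    code.extend(b"\xFF\x15" + u32(loadlib_slot))   # call [LoadLibraryA]; stdcall pops its arg
    code.extend(b"\x50")                  # push eax  (hModule, 1st arg of GetProcAddress)
    fixups.append(len(code) + 2)
    code.extend(b"\xFF\x15" + u32(getproc_slot))   # call [GetProcAddress]
    code.extend(b"\xFF\xE0")              # jmp eax
    assert len(code) == CODE_LEN
    code.extend(dll_name + b"\0" + proc_name + b"\0")
    return bytes(code), fixups


if __name__ == "__main__":
    stub, fx = encode_hook_stub(DLL_NAME_VA, PROC_NAME_VA, IAT_LOADLIBRARYA, IAT_GETPROCADDRESS)
    print("listing stub :", stub.hex(" "), "absolute operands at", fx)
    print("rebased +0x10000:", apply_highlow_fixups(stub, fx, 0x10000).hex(" "))
    pic, pfx = encode_pic_hook_stub(b"df2_reimpl.dll", b"hook_init_win",
                                    IAT_LOADLIBRARYA, IAT_GETPROCADDRESS)
    print("PIC stub     :", pic.hex(" "), "absolute operands at", pfx)
```

Running it reproduces the 26 listed bytes, shows that four dwords in the original stub are absolute, and shows that the call/pop version reduces that to the two IAT slots. Those two remaining dwords are the reason a pure byte patch cannot survive ASLR on Windows without either adding HIGHLOW entries for them to .reloc or locating LoadLibraryA/GetProcAddress at runtime from the loaded modules, as the linked article does.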