Closed tim-tim707 closed 1 year ago
I learned more about relocation and dynamic linking, which I was probably confusing before. I'm trying to edit a static file where some addresses will get dynamically linked here.
Still trying things. Apparently I could put the string on the stack using multiple mov and then push much more easily.
I still don't understand how I could push with an absolute address though.
In my current understanding, the patch only works with ASLR disabled, which it is on wine, but not on Windows.
I wonder how I could make a similar patch work under ASLR in Windows. Maybe patching the relocation table is the way.
Found a way in Windows using this article: https://www.ired.team/offensive-security/code-injection-process-injection/finding-kernel32-base-and-function-addresses-in-shellcode. Adapting it to use LoadLibrary and GetProcAddress, and it works properly.
I looked into the assembly from the JK-hook.ips and I don't understand how it can work.
Here is the code:
I've managed to call LoadLibraryA and GetProcAddress on a test file on my own, and patched manually an equivalent Window_Main function. However, I have no idea how to get the offsets for both push instructions that push the injected strings on the stack. The addresses in the original ips file are hardcoded, but on my tests I always have ASLR changing the addresses every time I run the program. How could this work? (I'm a beginner in both assembly and reversing.)

How can I obtain the addresses specific for my program? Is there a way to do a push instruction relative to $rip to push the address of a value (our char*) n bytes down the current instruction (about 20 bytes in this example)?

Thanks in advance