Question

I have this program I'm trying to reverse engineer. I don't know whether or not it was the compiler's optimizer or obfuscation, but now some parts of the code that call other functions are calculated by math then called such as

CALL EAX 

It works properly until it's loaded as a DLL in another program. The base address offsets are changed so now all relative code works properly, but all the math calculated calls/jmps don't go to the proper areas.

So I figured I'd fix this easily by making all absolute calls into relative calls.

While stepping the code and letting all the math get calculated I get the correct jmp/call offset.

I am not having problems like not enough space to allocate the patch, since the absolute call usually uses the line before, which I could use as well to fix things up.

Absolute call, this is where the math ends:

seg000:0044F7D1                 add     eax, 3B882683h
seg000:0044F7D6                 call    eax

to be converted to like

seg000:0044F7D1                 call     3B882683h

Well, the above of course will not work as eax was already something, but it's just a pseudo-code example.

Well my question is not how to do this, but is there any plugin that automatically does this for me in OllyDbg or IDA Pro?


Solution

You want to get the calculated address of the variable calls. That's really hard to figure out because they are not equal, as you explained it in this part:

seg000:0044F7D1                 add     eax, 3B882683h
seg000:0044F7D6                 call    eax

It would be really easy to make such a plugin, but it's never just like that. The EAX could change in that part of code; that's why the call is a "variable". Just imagine a part of code controls a door in a game or whatever: if you are not allowed to pass, EAX or any other register would change to call the function to not let you pass; otherwise you are allowed because you have a key or something like that, and the code will change EAX to the address that the call executes code to open the door. That was just an example because there are calls with variables. A plugin like the one you are thinking about must listen to all their possible calls, which can be a really gigantic mass and would cause bugs or no overview.

So the easiest way for you is to break until this call and read the register. I hope that can help you to understand, or I did not answer the right question; your question is a little bit misleading because you said things about JMPs and a DLL inject that irritate me. You can tell me more in detail in a private message or here.

OTHER TIPS

You can use LoadLibrary:

use KERNEL32.LoadLibraryA

KERNEL32.GetProcAddress

call eax

KERNEL32.FreeLibrary

Also, when you import a header, all function addresses are saved to stable addresses. The addresses of the functions change, but you always call these stable addresses, not the address of your function.

You can see the addresses of DLL functions with some program like "PE Explorer".

You always call 00402008h, but 00402008h is not the address of your function. The value at 00402008 is the address of your function.

  • FF25 08204000 will call the value stored at 00402008
  • E8 05000000 will call eip + 00000005
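A worked version of the two encodings the tip compares, plus the absolute-to-relative rewrite the question asks about. This is an added example, not code from the original post; the addresses from the page are reused, and the observed call target and the second image base are constructed.

```python
import struct

# x86 (32-bit) call encodings named in the answer:
#   E8 rel32      -> relative call, displacement measured from the end of the instruction
#   FF 25 disp32  -> indirect call through a memory slot (the import table form)
def decode_call(instr_addr: int, code: bytes):
    """Return ('rel', target) for E8 or ('indirect_mem', slot) for FF 25."""
    if len(code) >= 5 and code[0] == 0xE8:
        disp = struct.unpack_from("<i", code, 1)[0]
        return "rel", (instr_addr + 5 + disp) & 0xFFFFFFFF
    if len(code) >= 6 and code[:2] == b"\xff\x25":
        return "indirect_mem", struct.unpack_from("<I", code, 2)[0]
    raise ValueError("not a call encoding this helper understands")

def encode_call_rel32(instr_addr: int, target: int) -> bytes:
    """Build E8 rel32 so that a call placed at instr_addr lands on target."""
    disp = target - (instr_addr + 5)
    if not -2**31 <= disp < 2**31:
        raise ValueError("target not reachable with a rel32 displacement")
    return b"\xe8" + struct.pack("<i", disp)

def patch_to_relative(instr_addr: int, target: int, patch_len: int) -> bytes:
    """Replace an 'add eax, imm32' + 'call eax' pair (7 bytes on the page) with
    E8 rel32 padded with NOPs. Only valid when the debugger shows EAX reaching the
    same target on every path (the solution's caveat); note the patch also leaves
    EAX unchanged, which matters if later code relies on the old value."""
    patch = encode_call_rel32(instr_addr, target)
    if len(patch) > patch_len:
        raise ValueError("not enough room for the patch")
    return patch + b"\x90" * (patch_len - len(patch))

def rebase(addr: int, old_base: int, new_base: int) -> int:
    """Where an address inside the module lands once it is loaded at new_base."""
    return addr - old_base + new_base

if __name__ == "__main__":
    # Constructed: the debugger showed EAX == 0x00451234 at the 'call eax' on the page.
    site, target = 0x0044F7D1, 0x00451234
    patch = patch_to_relative(site, target, 7)
    print(patch.hex(), decode_call(site, patch))
    # Same bytes after the image moves (constructed new base): the relative call follows.
    new_site = rebase(site, 0x00400000, 0x10000000)
    print(hex(decode_call(new_site, patch)[1]))
    print(decode_call(0x00401000, bytes.fromhex("FF2508204000")))
```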
Licensed under: CC-BY-SA with attribution