Question

I'm analyzing some cracks, and one of them changed the Relocation Table address and size to 0. What was the cracker trying to achieve with this?

To provide more information, the objective of the crack is to load another DLL, changing the name of a previous Windows DLL in the load table to a custom one.

Solution

Deleting the relocation table guarantees that the DLL can't be relocated.
So the new code (the code of the crack) doesn't need to calculate any address in the DLL and can use constant address values.

Also, the relocation table is often not actually necessary, so it can be removed to reduce the size of the module, or to replace it with some data.

OTHER TIPS

To change the name of a DLL to load, you would normally just change the import table. The rest is just guesswork, without knowing the specifics of the binaries in question.

I believe it's important to realize that not all 'crackers' know exactly what they're doing; maybe you're analyzing something that shouldn't be analyzed at all.

That said, you might want to remove relocation for a few reasons:

  • in executables, relocation data is useless (and can be safely removed) unless they are ASLR-aware.
  • possibly the crack added code which would require relocation entries. Instead of adding these, the cracker simply removed the reloc table altogether (possibly also disabling ASLR in the header)
  • if the file was packed, you normally run a PE rebuilder on the unpacked file to remove useless section data on disk and clean up the PE header. By default most of these tools strip reloc data from the PE.

According to the Portable Executable Specification, a relocation table is only needed when a library must be loaded at an address other than its preferred load address. So, deleting the relocation table from the directory does not have any impact as long as the library is loaded at its preferred address (which is, as a matter of fact, what happens when the image does NOT support ASLR).
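For triage of a binary like the one in the question, the header fields the answers above refer to can be read directly. The following is an added example, not code from any of the answers: it reads the base relocation data directory (index 5), the `IMAGE_FILE_RELOCS_STRIPPED` bit and the ASLR (`DYNAMIC_BASE`) bit. `reloc_status`, `build_sample` and the sample header are constructed for illustration, and the last field is a heuristic, not proof of patching.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in bit
DIR_BASERELOC = 5                               # data directory index

def reloc_status(image: bytes) -> dict:
    """Report the relocation-related header fields of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    chars = struct.unpack_from("<H", image, pe + 22)[0]      # COFF Characteristics
    opt = pe + 24                                            # optional header start
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    pe32 = magic == 0x10B
    base = struct.unpack_from("<I" if pe32 else "<Q", image, opt + (28 if pe32 else 24))[0]
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    dirs = opt + (96 if pe32 else 112)                       # DataDirectory[0]
    count = struct.unpack_from("<I", image, dirs - 4)[0]     # NumberOfRvaAndSizes
    rva, size = (0, 0)
    if count > DIR_BASERELOC:
        rva, size = struct.unpack_from("<II", image, dirs + 8 * DIR_BASERELOC)
    present = rva != 0 and size != 0
    stripped = bool(chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "image_base": base,
        "reloc_dir": (rva, size),
        "reloc_dir_present": present,
        "relocs_stripped_flag": stripped,
        "dynamic_base_flag": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        # Heuristic: directory is empty but the file is not marked as stripped.
        "empty_dir_not_marked_stripped": not present and not stripped,
    }

def build_sample(reloc=(0x5000, 0x120), chars=0x2102, dll_chars=0x0140) -> bytes:
    """Constructed PE32 DLL header (headers only) used as demo input."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x014C, 0)            # i386, no sections
    struct.pack_into("<HH", img, 0x94, 224, chars)           # opt. header size, flags
    struct.pack_into("<H", img, 0x98, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, 0x98 + 28, 0x10000000)       # ImageBase
    struct.pack_into("<H", img, 0x98 + 70, dll_chars)
    struct.pack_into("<I", img, 0x98 + 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x98 + 96 + 8 * DIR_BASERELOC, *reloc)
    return bytes(img)
```

Comparing the result for the shipped file against the vendor's original shows whether only the directory entry was zeroed or the flags were changed as well.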

Licensed under: CC-BY-SA with attribution