BiW Reversing : The challenge is yours

Entrypoint reader/writer tool

Coding level: beginner

OS: Windows
Language: ASM/C++

RPE is a small tool that reads and sets the entry point of executables.
Examples are given in readme.txt.
Source included! Although not everything is commented, I am sure you can understand it as it's all API wrapping :)

Have fun modifying your PE files!



The project contains a GUI written in C++, which uses a DLL written in ASM.

The DLL exports two functions: ReadPE and WritePE. ReadPE opens the file, finds the "PE" signature, reads AddressOfEntryPoint and ImageBase, and returns the file offset of the entry point field in eax and the open handle in edx; WritePE uses that to overwrite the entry point.
The source code for the DLL (the .def file is in the attachment):


.486                        ; create 32 bit code
.model flat, stdcall        ; 32 bit memory model
option casemap :none        ; case sensitive

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.code

DllEntry proc hInst:DWORD, reason:DWORD, reserved1:DWORD
    xor eax, eax
    inc eax                 ; return TRUE for every attach/detach reason
    ret
DllEntry Endp

; ReadPE: opens myfile, scans it for the "PE" signature and reads the
; AddressOfEntryPoint and ImageBase fields of the optional header.
; Returns eax = file offset of the AddressOfEntryPoint field (0 on failure),
;         edx = the open file handle (the caller is responsible for closing it)
ReadPE PROC myfile:DWORD, EP:DWORD, ImageBase:DWORD

.data?
bytwrit    dd ?
fhandle    dd ?

.code
start:
    invoke CreateFile, [myfile], GENERIC_WRITE+GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0
    cmp eax, INVALID_HANDLE_VALUE
    je @fail

    mov [fhandle], eax

; ------------------------------------------------------------------------
; look up for string "PE" here

    push edi
    push esi

    invoke GetFileSize, [fhandle], 0
    mov edi, eax            ; edi = file size, used as the scan limit

    xor esi, esi
    add esi, 20h            ; start scanning at 20h (the DOS header itself is 40h long,
                            ; starting early only costs a few extra iterations)

@@:
    ; read 4 bytes at the current position, then move the pointer to esi for the next round
    invoke ReadFile, [fhandle], [EP], 4, ADDR bytwrit, 0
    invoke SetFilePointer, [fhandle], esi, 0, FILE_BEGIN

    inc esi

    mov edx, offset mype
    invoke lstrcmp, [EP], edx    ; eax = 0 when the 4 bytes read start with "PE",0

    cmp esi, edi
    je @end2                ; reached the end of the file without a match

    test eax, eax
    jne @B

    pop esi
    pop edi
; look up ends here
; ------------------------------------------------------------------------

; the file pointer already sits 1 byte past the signature, so another 27h lands
; on AddressOfEntryPoint (28h bytes after "PE") ;-)
    invoke SetFilePointer, [fhandle], 27h, 0, FILE_CURRENT
    push eax                ; save the file offset of the entry point field

    invoke ReadFile, [fhandle], [EP], 4, ADDR bytwrit, 0

; get image base (34h after "PE": skip the 8 bytes following the entry point field)
    invoke SetFilePointer, [fhandle], 8, 0, FILE_CURRENT
    invoke ReadFile, [fhandle], [ImageBase], 4, ADDR bytwrit, 0

    mov edx, [fhandle]
    pop eax                 ; eax = file offset of AddressOfEntryPoint

@end:
    ret

@fail:
    xor eax, eax            ; CreateFile failed: return 0 so WritePE does not treat -1 as an offset
    jmp @end

@end2:
    ; not found: zero the caller's EP dword and the dword right after it
    ; (in WritePE that is IB, which is declared directly after EP2)
    mov eax, dword ptr [EP]
    mov edx, eax
    add edx, 4
    mov dword ptr [eax], 0
    mov dword ptr [edx], 0

    mov edx, [fhandle]
    xor eax, eax

    pop esi
    pop edi
    jmp @end

mype db "PE", 0, "BoR0"     ;) watermark!

ReadPE ENDP

; WritePE: uses ReadPE to locate the entry point field, then overwrites it with EntryP
WritePE PROC myfile:DWORD, EntryP:DWORD

.data?
EP2 dd ?
IB  dd ?
fh  dd ?

.code
    invoke ReadPE, [myfile], ADDR EP2, ADDR IB
    test eax, eax
    je @end2                ; ReadPE returned 0: file could not be opened or no "PE" found

    mov dword ptr [fh], edx ; edx = handle opened by ReadPE
    push edx

    invoke SetFilePointer, [fh], eax, 0, FILE_BEGIN

    invoke WriteFile, [fh], ADDR EntryP, 4, ADDR IB, 0    ; IB is reused as the bytes-written counter

    pop edx

@end2:
    ret
WritePE ENDP

end DllEntry
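The DLL above finds the optional header by scanning the file for the bytes "PE" and then relies on the fixed layout of IMAGE_NT_HEADERS32 (AddressOfEntryPoint 28h bytes after the signature, ImageBase 34h bytes after it). The following C program is an added example, not part of RPE or the attachment: it does the same read/write of the entry point on a PE32 image held in memory, but locates the headers through IMAGE_DOS_HEADER.e_lfanew (the documented way, which cannot match a stray "PE" inside the DOS stub), checks every offset against the buffer length, refuses PE32+ files (where ImageBase is 8 bytes and the layout differs), and rejects a new entry point RVA that lies outside SizeOfImage. The function names (pe_read_entry, pe_write_entry, build_sample_pe) and the 256-byte header skeleton are my own constructions; no Windows headers are needed, so it builds on any C compiler.

```c
/*
 * Added example (not the RPE tool's own code): read and rewrite the
 * AddressOfEntryPoint of a PE32 image in memory, locating the NT headers
 * through e_lfanew instead of scanning for the "PE" string.
 * The +0x28 / +0x34 offsets are the same ones the ASM DLL on the page uses.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OFF_E_LFANEW   0x3C   /* IMAGE_DOS_HEADER.e_lfanew                          */
#define OFF_OPT_MAGIC  0x18   /* IMAGE_NT_HEADERS32.OptionalHeader.Magic              */
#define OFF_ENTRYPOINT 0x28   /* ...OptionalHeader.AddressOfEntryPoint               */
#define OFF_IMAGEBASE  0x34   /* ...OptionalHeader.ImageBase (PE32 layout)           */
#define OFF_SIZEOFIMG  0x50   /* ...OptionalHeader.SizeOfImage (PE32 layout)         */
#define NT_HDR_NEEDED  0x54   /* bytes after the signature this code must be able to read */
#define PE32_MAGIC     0x10B

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns the file offset of the "PE\0\0" signature, or 0 when the buffer is
 * not a well-formed PE32 image (bad magic, e_lfanew out of range, or PE32+). */
size_t pe_nt_headers_offset(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return 0;
    uint32_t e_lfanew = rd32(buf + OFF_E_LFANEW);
    /* e_lfanew must leave room for the part of the NT headers we touch */
    if (e_lfanew < 0x40 || e_lfanew > len || len - e_lfanew < NT_HDR_NEEDED)
        return 0;
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0)
        return 0;
    if (rd16(nt + OFF_OPT_MAGIC) != PE32_MAGIC)   /* PE32+ has a different optional header layout */
        return 0;
    return e_lfanew;
}

/* Counterpart of the page's ReadPE: fetch AddressOfEntryPoint and ImageBase.
 * Returns 1 on success, 0 when the image cannot be parsed. */
int pe_read_entry(const uint8_t *buf, size_t len, uint32_t *entry_rva, uint32_t *image_base)
{
    size_t nt = pe_nt_headers_offset(buf, len);
    if (nt == 0) return 0;
    *entry_rva  = rd32(buf + nt + OFF_ENTRYPOINT);
    *image_base = rd32(buf + nt + OFF_IMAGEBASE);
    return 1;
}

/* Counterpart of the page's WritePE: overwrite AddressOfEntryPoint.
 * An RVA at or beyond SizeOfImage is refused, since the loader never maps it. */
int pe_write_entry(uint8_t *buf, size_t len, uint32_t new_entry_rva)
{
    size_t nt = pe_nt_headers_offset(buf, len);
    if (nt == 0) return 0;
    if (new_entry_rva >= rd32(buf + nt + OFF_SIZEOFIMG)) return 0;
    wr32(buf + nt + OFF_ENTRYPOINT, new_entry_rva);
    return 1;
}

/* Constructed sample input: a 256-byte PE32 header skeleton (no sections, not
 * loadable) with the fields the parser reads. Returns the number of bytes written. */
size_t build_sample_pe(uint8_t *buf, size_t cap)
{
    const size_t total = 0x100, nt = 0x80;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + OFF_E_LFANEW, (uint32_t)nt);
    memcpy(buf + nt, "PE\0\0", 4);
    buf[nt + 4] = 0x4C; buf[nt + 5] = 0x01;                              /* Machine = i386 */
    buf[nt + OFF_OPT_MAGIC] = 0x0B; buf[nt + OFF_OPT_MAGIC + 1] = 0x01;  /* Magic = PE32 */
    wr32(buf + nt + OFF_ENTRYPOINT, 0x1000);
    wr32(buf + nt + OFF_IMAGEBASE,  0x400000);
    wr32(buf + nt + OFF_SIZEOFIMG,  0x5000);
    return total;
}

int main(void)
{
    uint8_t img[0x100];
    uint32_t ep, base;
    size_t n = build_sample_pe(img, sizeof img);
    if (pe_read_entry(img, n, &ep, &base))
        printf("EP RVA %#x, ImageBase %#x, entry VA %#x\n",
               (unsigned)ep, (unsigned)base, (unsigned)(base + ep));
    if (pe_write_entry(img, n, 0x2000) && pe_read_entry(img, n, &ep, &base))
        printf("new EP RVA %#x\n", (unsigned)ep);
    if (!pe_write_entry(img, n, 0x9000))
        printf("refused RVA 0x9000: outside SizeOfImage\n");
    return 0;
}
```

To apply this to a real file, read the whole file into a buffer, call pe_write_entry, and write the buffer back; the checks in pe_nt_headers_offset are the ones a tool should perform before trusting any header offset, because a truncated or malformed file would otherwise make the fixed +28h arithmetic read or write outside the file.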
Download binary and source here




Entrypoint reader/writer tool | 2 comments
Entrypoint reader/writer tool
Authored by: BoR0 on Thursday, December 29 2005 @ 01:38 PM CET
s/comment/commented

Idea originally stolen from haggar's information about the lame packer that is bypassable by changing the OEP only (the one by ExeIcon) :)
Entrypoint reader/writer tool
Authored by: Angel-55 on Sunday, May 13 2007 @ 07:07 PM CEST
Not bad as a start for a PE tool, but I think that choosing the file using OpenFileName is better than writing its name, especially when the file isn't in the same directory, so improvement is needed !!

But still nice work mate, keep it up :)