Re: Stripping functions from a DLL - offer wanted



"Frank de Groot" <franciad@xxxxxxxxx> wrote in
news:KrOdnU9jROFAT7vZRVnzvA@xxxxxxxxxxx:

"Betov" <betov@xxxxxxx> wrote in message
news:XnF9792C38AEACA8betovfreefr@xxxxxxxxxxxxxxxx


These are the Run-Time Addresses.

Sure, I am subtracting the image base address, of course.
But it doesn't work

This is "double-shot":

* Base Address.

* Section Displacement. Probably 01000h in the Run-time Address
and 0200h in the File Address.

That is, for example:

(GivenAddress - BaseAddress -01000h + 0200h)


: That DLL is loaded by /another/ DLL which appears
: to do a checksum verification :(

Despite the guys who say that I am promoting _MY_ (???!!!...)
product... and again, the first thing to give a try to is to
run RosAsm, to load the DLL, and to see (after having saved
the original version...), 1) if RosAsm is able or not (it may
as well fail...) to recompile the DLL. Then, to give a try to
the new DLL, to see if the functions you want still work in
an identical manner.

If all of this is OK, you take any Text Editor, and Copy-Paste,
to it, the Functions you want to keep. Inside RosAsm Editor,
you Right-Click upon the names of the called sub-routines, and
associated Data, and do the same, without forgetting anything.

Then you replace the Original Routines with the ones collected in
the external Editor. You, of course, have to keep untouched the
DLL "Main:" and eventually associated initializations, if any.

Same for its "loader" making a CheckSum, where you just have to
kill the verification,... like any good pirate would do (do
not think that we all are complete idiots, around... :).


Betov.

< http://rosasm.org >
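The "double-shot" correction Betov describes (subtract the image base, then subtract the section's run-time displacement and add its file displacement) is the standard RVA-to-file-offset mapping every PE inspection or forensics tool performs. The Python below is an added example, not code from the thread or from RosAsm: it decodes IMAGE_SECTION_HEADER records and maps a run-time address to its offset in the file, returning None for addresses that are mapped but not stored on disk. The section layout and image base are constructed sample values.

```python
import struct
from typing import List, NamedTuple, Optional

# Layout of IMAGE_SECTION_HEADER (40 bytes) from the PE specification.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

class Section(NamedTuple):
    name: str
    virtual_address: int   # RVA where the section is mapped at run time
    virtual_size: int
    raw_pointer: int       # offset of the section's bytes in the file
    raw_size: int

def parse_section_headers(blob: bytes, count: int) -> List[Section]:
    """Decode `count` consecutive IMAGE_SECTION_HEADER records."""
    sections = []
    for i in range(count):
        f = SECTION_HEADER.unpack_from(blob, i * SECTION_HEADER.size)
        name, vsize, vaddr, rsize, rptr = f[:5]
        sections.append(Section(name.rstrip(b"\0").decode("ascii"),
                                vaddr, vsize, rptr, rsize))
    return sections

def va_to_file_offset(va: int, image_base: int,
                      sections: List[Section]) -> Optional[int]:
    """Run-time VA -> file offset: base, then section displacement.

    None means the RVA lies in no section, or in a section's virtual-only
    tail (e.g. uninitialised data) that has no bytes on disk.
    """
    rva = va - image_base
    for s in sections:
        extent = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + extent:
            delta = rva - s.virtual_address
            if delta >= s.raw_size:
                return None      # mapped in memory, absent from the file
            return s.raw_pointer + delta
    return None

# Constructed sample: .text at the classic 0x1000 (RVA) / 0x200 (file)
# displacements from the post, and a .data section whose raw size is
# smaller than its virtual size.
SAMPLE_HEADERS = (
    SECTION_HEADER.pack(b".text", 0x1800, 0x1000, 0x1800, 0x200, 0, 0, 0, 0, 0x60000020)
    + SECTION_HEADER.pack(b".data", 0x2000, 0x3000, 0x400, 0x1A00, 0, 0, 0, 0, 0xC0000040)
)
SAMPLE_IMAGE_BASE = 0x10000000  # constructed DLL preferred load address

if __name__ == "__main__":
    secs = parse_section_headers(SAMPLE_HEADERS, 2)
    for va in (0x10001234, 0x10003010, 0x10004000, 0x10009000):
        print(hex(va), "->", va_to_file_offset(va, SAMPLE_IMAGE_BASE, secs))
```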




