Analyzing A Piece of Assembly Code
oib111
I post too much

Posted: Sat Feb 14, 2009 3:13 pm    Post subject: Analyzing A Piece of Assembly Code

I'm trying to analyze the logic behind a piece of assembly code from Iczelion's PE Tutorial 6: Import Table. I understand the assembly code, just not so much the logic behind it. Here's the function I'm analyzing (RVAToOffset):

Code:

RVAToOffset PROC uses edi esi edx ecx pFileMap:DWORD,RVA:DWORD
   mov esi,pFileMap
   assume esi:ptr IMAGE_DOS_HEADER
   add esi,[esi].e_lfanew
   assume esi:ptr IMAGE_NT_HEADERS
   mov edi,RVA ; edi == RVA
   mov edx,esi
   add edx,sizeof IMAGE_NT_HEADERS
   mov cx,[esi].FileHeader.NumberOfSections
   movzx ecx,cx
   assume edx:ptr IMAGE_SECTION_HEADER
   .while ecx>0 ; check all sections
     .if edi>=[edx].VirtualAddress
       mov eax,[edx].VirtualAddress
       add eax,[edx].SizeOfRawData
       .if edi<eax ; The address is in this section
         mov eax,[edx].VirtualAddress
         sub edi,eax
         mov eax,[edx].PointerToRawData
         add eax,edi ; eax == file offset
         ret
       .endif
     .endif
     add edx,sizeof IMAGE_SECTION_HEADER
     dec ecx
   .endw
   assume edx:nothing
   assume esi:nothing
   mov eax,edi
   ret
RVAToOffset endp


I get this is the basis of what it's doing:

Quote:

esi = pFileMap (address of file in memory)
esi = start of PE Header (IMAGE_NT_HEADERS)
edi = RVA
edx = esi (start of PE Header (IMAGE_NT_HEADERS))
edx = Start of Section Table (edx += sizeof(IMAGE_NT_HEADERS), IMAGE_SECTION_HEADER)
ecx = [esi].FileHeader.NumberOfSections (IMAGE_NT_HEADERS.FileHeader.NumberOfSections)
while loop all sections (ecx>0)
check if edi (the RVA) is more than or equal to [edx].VirtualAddress (IMAGE_SECTION_HEADER.VirtualAddress)
{
if so move [edx].VirtualAddress (IMAGE_SECTION_HEADER.VirtualAddress) into eax
add SizeOfRawData to eax
check if edi (the RVA) is less than eax
if so move [edx].VirtualAddress (IMAGE_SECTION_HEADER.VirtualAddress) into eax
subtract eax from edi (the RVA)
move [edx].PointerToRawData (IMAGE_SECTION_HEADER.PointerToRawData) into eax
add edi (the RVA) to eax
return with the correct offset in eax
}

if not add sizeof(IMAGE_SECTION_HEADER) to edx (move on to next section)
decrease the value of ecx (number of sections) by one


My problem is with the whole bolded part. I just don't get the logic behind it all.

_________________


8D wrote:

cigs dont make people high, which weed does, which causes them to do bad stuff. like killing
tony2108
Advanced Cheater

Posted: Sat Feb 14, 2009 4:04 pm

Well, it's the computer's language, what can you say about it?
You created it O,o
Though what was the reason you created it for?

_________________
"Dark Angel is watching you"
oib111
I post too much

Posted: Sat Feb 14, 2009 4:14 pm

That was totally irrelevant. Perhaps you should re-read the post or not spam?
tony2108
Advanced Cheater

Posted: Sat Feb 14, 2009 4:32 pm

Well sorry, I didn't know that was spam; I just wanted to know the reason, but yeah, I didn't read it right.
Read the tutorial, it's huge xD
It says:
Code:
check if edi (the RVA) is more than or equal to [edx].VirtualAddress


It has something to do with converting an RVA to a file offset, and IMAGE_SECTION_HEADER is the structure to do it.

Quote:
check if edi (the RVA) is more than or equal to [edx].VirtualAddress (IMAGE_SECTION_HEADER.VirtualAddress)
{
if so move [edx].VirtualAddress (IMAGE_SECTION_HEADER.VirtualAddress) into eax
add SizeOfRawData to eax
check if edi (the RVA) is less than eax
if so move [edx].VirtualAddress (IMAGE_SECTION_HEADER.VirtualAddress) into eax
subtract eax from edi (the RVA)
move [edx].PointerToRawData (IMAGE_SECTION_HEADER.PointerToRawData) into eax
add edi (the RVA) to eax
return with the correct offset in eax
}


It gives you the results of converting?
It's a discussion btw, not spamming. I just read this and it's really confusing :(

oib111
I post too much

Posted: Sat Feb 14, 2009 4:37 pm

I know what it does tony lol. I just don't get the logic behind the section in bold:

Quote:


check if edi (the RVA) is more than or equal to [edx].VirtualAddress (IMAGE_SECTION_HEADER.VirtualAddress)
{
if so move [edx].VirtualAddress (IMAGE_SECTION_HEADER.VirtualAddress) into eax
add SizeOfRawData to eax
check if edi (the RVA) is less than eax
if so move [edx].VirtualAddress (IMAGE_SECTION_HEADER.VirtualAddress) into eax
subtract eax from edi (the RVA)
move [edx].PointerToRawData (IMAGE_SECTION_HEADER.PointerToRawData) into eax
add edi (the RVA) to eax
return with the correct offset in eax
}


tony2108
Advanced Cheater

Posted: Sat Feb 14, 2009 4:50 pm

Oh, I thought the logic was all about converting T_T
oib111
I post too much

Posted: Sun Feb 15, 2009 12:33 pm

What I don't get is that the RVAs are relative to the image base. But when you load the file into memory, wouldn't the RVAs become relative to the address in memory where it got loaded?
BanMe
Master Cheater

Posted: Sun Feb 15, 2009 12:51 pm

A more coherent explanation:

Code:

RVAToOffset PROC uses edi esi edx ecx pFileMap:DWORD,RVA:DWORD
   mov esi,pFileMap
   assume esi:ptr IMAGE_DOS_HEADER
   add esi,[esi].e_lfanew
   assume esi:ptr IMAGE_NT_HEADERS
   mov edi,RVA ; edi == RVA
   mov edx,esi
   add edx,sizeof IMAGE_NT_HEADERS
   mov cx,[esi].FileHeader.NumberOfSections
   movzx ecx,cx
   assume edx:ptr IMAGE_SECTION_HEADER
   .while ecx>0 ; check all sections
     ;RVAs being offsets into the DLL
     ;if RVA greater than or equal to the virtual address (OFFSET >= current VirtualAddress)
     ;this means that the offset is bigger than or equal to the start of the current section
     ;int 3 step here to see good stuff and understand better
       
     .if edi>=[edx].VirtualAddress
       ;image section header virtual address
       ;VirtualAddress
       ;The address of the first byte of the section when loaded into
       ;memory, relative to the image base.
       ;VA to eax
       mov eax,[edx].VirtualAddress 
       ;add the size of the rawdata in that section
       ;VA+Sizeof(Data)
       add eax,[edx].SizeOfRawData
       ;if edi is <
       ;VA+SizeOfRawData
       .if edi<eax ; Then The address is in this section
         ;we found our  RVA is within the current section
         ;current VA to EAX
         mov eax,[edx].VirtualAddress
         ;this is where i get a lil fuzzy why subtract eax, from edi..
         sub edi,eax
         ; file pointer to the first page within the COFF file
         ;they mean to say it's a pointer to the image base address
         mov eax,[edx].PointerToRawData
         ;add image Base + RVA  and get our current Virtual Address(not to be confused with Offset)..
         add eax,edi ;
         ret
       .endif
     .endif
     add edx,sizeof IMAGE_SECTION_HEADER
     dec ecx
   .endw
   assume edx:nothing
   assume esi:nothing
   mov eax,edi
   ret
RVAToOffset endp


regards BanMe

_________________
don't +rep me..i do not wish to have "status" or "recognition" from you or anyone.. thank you.
oib111
I post too much

Posted: Sun Feb 15, 2009 2:14 pm

That didn't really help. I can figure out what the assembly is doing fine, I just don't get the logic behind it. And as I said before, can't you just use the same RVAs but relative to the address where the file was loaded in memory?
BanMe
Master Cheater

Posted: Sun Feb 15, 2009 3:06 pm

OK, here's a layman's breakdown:

we have an RVA
we have a module base
we look at the module and find the headers
we store the module base into some var
add the size of the headers to the modulebase var
we add SizeOfRawData to the var
then we check if the RVA falls into the area of var
[modulebase+sizeHeaders+SizeOfRawData >= var]
if it doesn't fall into that area then we add the next section and check again ;)

regards BanMe

oib111
I post too much

Posted: Sun Feb 15, 2009 4:02 pm

Oh, I get it now. But still, why can't we just use the same RVAs but relative to the address where the file got loaded in memory?
BanMe
Master Cheater

Posted: Sun Feb 15, 2009 4:22 pm

I meant to say you just take the RVA and add GetModuleHandle("ModuleName") to it to locate that data ..
regards BanMe

tombana
Master Cheater

Posted: Sun Feb 15, 2009 4:23 pm

oib111 wrote:
Oh, I get it now. But still, why can't we just use the same RVAs but relative to the address where the file got loaded in memory?

Because of sections. The data is mapped to memory based on sections. (The section header describes where the section starts and ends etc). So it's not the same as it is in the file.
For example:
data section A: 1234
data section B: 5678

Then in the file, it's stored as: [section A header],1234,[maybe some padding 0's],[section B header],5678,[maybe some padding 0's]

But in memory, it gets stored differently, so instead of the data of each section being right after each other, they are on different pages.
So for example:
04001000: 1234
04002000: 5678
So in memory, there's almost 1000 bytes in between the data, while in the file there are only a few bytes in between.

I hope that explains it.
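As an added example (not the tutorial's or any poster's code), the same walk in Python over a constructed two-section image: parse_sections follows e_lfanew to the section table the way the OP's RVAToOffset does, and rva_to_offset applies the VirtualAddress <= RVA < VirtualAddress + SizeOfRawData test, with the sections placed 0x1000 apart in memory but only 0x200 apart on disk, which is the gap tombana describes. Two deliberate differences from the assembly: the section table is located with FileHeader.SizeOfOptionalHeader rather than a fixed sizeof IMAGE_NT_HEADERS (the value the format actually specifies), and an RVA that lands in no section returns None instead of the RVA itself.

```python
import struct
from typing import List, Optional, Tuple

# Fixed on-disk layouts from the PE format (little-endian).
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress,
                                      # SizeOfRawData, PointerToRawData, reloc/line ptrs, counts, Characteristics
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)   # 40
FILE_HEADER_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
                                      # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics

def parse_sections(image: bytes) -> List[Tuple[str, int, int, int]]:
    """DOS header -> e_lfanew -> IMAGE_NT_HEADERS -> section table, as RVAToOffset walks it.
    Returns (name, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    fh = struct.unpack_from(FILE_HEADER_FMT, image, e_lfanew + 4)
    num_sections, opt_size = fh[1], fh[5]
    table = e_lfanew + 4 + struct.calcsize(FILE_HEADER_FMT) + opt_size   # skip the optional header by its real size
    out = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HEADER_FMT, image, table + i * SECTION_HEADER_SIZE)
        out.append((f[0].rstrip(b"\0").decode("ascii", "replace"), f[2], f[3], f[4]))
    return out

def rva_to_offset(rva: int, sections) -> Optional[int]:
    """The inner test of RVAToOffset: VirtualAddress <= rva < VirtualAddress + SizeOfRawData."""
    for _name, va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr   # distance into the section, rebased onto its file position
    return None   # the assembly falls through and returns the RVA itself; None makes the miss explicit

def build_sample_image() -> bytes:
    """Constructed sample, not a real binary: DOS stub, PE signature, file header, an all-zero 0xE0-byte
    optional header, and two sections 0x1000 apart in memory but 0x200 apart on disk."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew at offset 0x3C
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    text = struct.pack(SECTION_HEADER_FMT, b".text\0\0\0", 0x1A0, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_HEADER_FMT, b".data\0\0\0", 0x80, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + file_hdr + b"\0" * 0xE0 + text + data

SAMPLE_SECTIONS = parse_sections(build_sample_image())

if __name__ == "__main__":
    for rva in (0x1010, 0x2004, 0x3000):
        print(hex(rva), "->", rva_to_offset(rva, SAMPLE_SECTIONS))
```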
oib111
I post too much

Posted: Sun Feb 15, 2009 7:58 pm

Thanks tombana that did. Question for BanMe though. What is "OldModuleBase" and "NewModuleBase"?
BanMe
Master Cheater

Posted: Sun Feb 15, 2009 8:22 pm

I made a mistake in my thought process on that one.. I admit it..
I forgot the RVA was already the offset MINUS the base address of the module in memory..

Quoted from Wikipedia:
Quote:

Relative Virtual Addresses (RVAs) are not to be confused with standard virtual addresses. A relative virtual address is the virtual address of an object from the file once it is loaded into memory, minus the base address of the file image. If the file were to be mapped literally from disk to memory, the RVA would be the same as that of the offset into the file, but this is actually quite unusual.

Note that the RVA term is only used with objects in the image file. Once loaded into memory, the image base address is added, and ordinary VAs are used.



Sadly I made that mistake xD

regards BanMe
