
How to modify update.exe?


doldolekim


After referencing the above post, I decided to modify SP1's update.exe.

I opened it with IDA and found validateUpdateSingleFile blah blah, but I can't change the word 'test' to 'xor'.

Cap 2016-05-24 23-40-00-168.png

How do I change 'test' to 'xor'?



Maybe you want to change the text "jnz" to "jz" or "jmp" instead .. :w00t::ph34r:

Seriously :), what you posted is the disassembly view, you need to change the OPCODE(s) in the binary, that is the idea of the given commands:

The first one searches for and replaces a number of hex bytes:

gsar -o -s:xE8:x02:xBA:x02:x00:x85:xC0:x75:x41 -r:xE8:x02:xBA:x02:x00:x31:xC0:xEB:x41 update.exe

The second one re-validates the PE checksum:

pechecksum -c update.exe

In the -s hex the 85C0 is "test eax,eax", and 75 is "jnz"; in the -r hex this becomes 31C0 for "xor eax, eax" and (you never know) the EB is "jmp" (short, unconditional), see (example):
http://www.mathemainzel.info/files/x86asmref.html

You will need to change the other bytes before and after in the gsar command line to match the different binary you have (or use a hex editor, maybe easier).

In any case make sure and double sure that gsar finds the right occurrence/area before adding the -r values.

jaclaz
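
An added example (not part of either post, and not the code of the pechecksum tool): a Python sketch of the PE header CheckSum computation that the second command re-validates, used here to show how a file whose bytes were changed without that step no longer matches its own header. The function names are hypothetical and the 512-byte image is constructed for the demonstration; it only carries the MZ/PE markers and the byte strings quoted in the post.

```python
import struct

def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum (same for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 64  # signature + COFF header + field offset

def compute_pe_checksum(data: bytes) -> int:
    """16-bit end-around-carry sum of the file, CheckSum field as zero, plus length."""
    off = checksum_field_offset(data)
    buf = bytearray(data)
    buf[off:off + 4] = b"\0\0\0\0"
    if len(buf) % 2:
        buf.append(0)  # pad an odd-sized file to a whole word
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF

def checksum_status(data: bytes):
    """Return (stored, computed, matches) for a PE image."""
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    computed = compute_pe_checksum(data)
    return stored, computed, stored == computed

def build_sample() -> bytes:
    """Constructed 512-byte stand-in with valid MZ/PE markers (not loadable)."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    img[0x100:0x109] = bytes.fromhex("E802BA020085C07541")  # -s bytes from the post
    struct.pack_into("<I", img, 0x80 + 88, compute_pe_checksum(img))
    return bytes(img)

if __name__ == "__main__":
    original = build_sample()
    edited = original.replace(bytes.fromhex("E802BA020085C07541"),
                              bytes.fromhex("E802BA020031C0EB41"))  # -r bytes
    for name, image in (("original", original), ("edited", edited)):
        stored, computed, ok = checksum_status(image)
        print(f"{name}: stored={stored:#010x} computed={computed:#010x} match={ok}")
```

A mismatch only shows that the file changed after the checksum was written; once the field has been recomputed the two values agree again, so comparing a hash or signature against a known-good copy is the stronger integrity check.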


 



 
