doldolekim Posted May 24, 2016

After referencing the above post, I decided to modify sp 1's update.exe. I opened it with IDA and found validateUpdateSingleFile blah blah, but I can't change the word, 'test' to 'xor'. How do I change 'test' to 'xor'?

jaclaz Posted May 24, 2016

Maybe you want to change the text "jnz" to "jz" or "jmp" instead...

Seriously, what you posted is the disassembly view, you need to change the OPCODE(s) in the binary, that is the idea of the given commands:

The first one searches for and replaces a number of hex bytes:

    gsar -o -s:xE8:x02:xBA:x02:x00:x85:xC0:x75:x41 -r:xE8:x02:xBA:x02:x00:x31:xC0:xEB:x41 update.exe

The second one re-validates the PE checksum:

    pechecksum -c update.exe

In the -s hex the 85C0 is "test eax,eax", and 75 is "jnz"; in the -r hex this becomes 31C0 for "xor eax, eax" and (you never know) the EB is "jmp" (short, unconditional), see (example): http://www.mathemainzel.info/files/x86asmref.html

You will need to change the other bytes before and after in the gsar command line to match the different binary you have (or use a hex editor, maybe easier).

In any case make sure and double sure that gsar finds the right occurrence/area before adding the -r values.

jaclaz
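
Added example (not part of the thread, and not the pechecksum tool's own code): why the second command is needed, shown by computing the PE header checksum before and after a byte edit. The function names and the 512-byte sample image are constructed for illustration; only the 85C075 / 31C0EB bytes come from the post above.

```python
import struct

def checksum_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum (same for PE32 and PE32+)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 4 + 20 + 64  # PE signature + COFF header + field offset

def stored_checksum(data: bytes) -> int:
    """Value currently written in the header."""
    return struct.unpack_from("<I", data, checksum_offset(data))[0]

def pe_checksum(data: bytes) -> int:
    """16-bit word sum with end-around carry, CheckSum field read as zero, plus file size."""
    off = checksum_offset(data)
    buf = bytearray(data)
    buf[off:off + 4] = b"\0\0\0\0"
    if len(buf) % 2:
        buf.append(0)  # pad an odd-length file with one zero byte
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)

def with_checksum(data: bytes) -> bytes:
    """Copy of the image with the header field set to the computed value."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_offset(data), pe_checksum(data))
    return bytes(buf)

def build_sample() -> bytes:
    """Constructed 512-byte stand-in for a PE file; not taken from any real binary."""
    img = bytearray(512)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)      # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    img[0x180:0x183] = bytes.fromhex("85C075")   # test eax,eax ; jnz
    return with_checksum(bytes(img))

if __name__ == "__main__":
    original = build_sample()
    edited = original.replace(bytes.fromhex("85C075"), bytes.fromhex("31C0EB"))
    for name, img in (("original", original), ("edited", edited)):
        # A mismatch between the two numbers means the file changed after the field was set.
        print(name, hex(stored_checksum(img)), hex(pe_checksum(img)))
```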