http://www.magma.ca/~wjr/ - Get PEview

OllyDebug version 1.09d would always complain about executables
produced by ALINK + NASM. It claimed that the entry point was
outside the code section (which it wasn't). As a result, I could not
set a single breakpoint anywhere in my code!!! After some
investigation, I decided to more carefully examine the values found
under IMAGE_NT_HEADERS -> IMAGE_OPTIONAL_HEADER. Voilà, the Base of Code and Base of Data were zero valued! I decided to correct those
fields by placing the RVAs of the CODE and DATA sections and whadya
know, no more OllyDebug complaints!

I wrote a patcher that would open the executable (I hard-coded
"asmbot.exe") and fix this issue.

EXTERN CreateFileA
IMPORT CreateFileA kernel32.dll

EXTERN SetFilePointer
IMPORT SetFilePointer kernel32.dll

EXTERN WriteFile
IMPORT WriteFile kernel32.dll

EXTERN CloseHandle
IMPORT CloseHandle kernel32.dll

EXTERN ExitProcess
IMPORT ExitProcess kernel32.dll

EXTERN MessageBoxA
IMPORT MessageBoxA user32.dll

%include "win32n.inc"



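SECTION CODE USE32 CLASS=CODE

;-----------------------------------------------------------------------
; ..start -- patch the BaseOfCode / BaseOfData bytes of "asmbot.exe"
; Syntax: NASM (Intel), 32-bit Win32, linked with ALINK; Win32 API calls
;         are stdcall through the import table: args pushed right-to-left,
;         callee pops, eax = result.
; Role:   process entry point. It never returns; every path ends in
;         ExitProcess, so the stack frame is only a home for two locals.
; Frame:  [ebp-4] = file handle returned by CreateFileA
;         [ebp-8] = DWORD that receives WriteFile's lpNumberOfBytesWritten
; Regs:   eax is the only scratch register; ebx/esi/edi are not touched.
; NOTE:   CODE_BASE_OFFSET / DATA_BASE_OFFSET are raw file positions inside
;         one specific executable's IMAGE_OPTIONAL_HEADER. Nothing here
;         checks the "MZ"/"PE" signatures or reads e_lfanew, so pointing
;         this tool at any other file silently corrupts two bytes of it.
;         The offsets are 4 apart like BaseOfCode/BaseOfData and appear to
;         land on the second byte of each little-endian DWORD, which would
;         make the stored values 1000h/2000h -- not verified, confirm with
;         PEview before reusing the offsets.
; Fixes vs. the posted listing: the bracketed operands lost in the forum
;         paste ([CreateFileA], [ebp-4], ...) are restored; the byte-count
;         pointer now targets the reserved local [ebp-8] instead of ebp+4
;         (the slot holding the entry-point return address); a failed
;         CreateFileA no longer reaches CloseHandle with an uninitialized
;         handle; SetFilePointer and BOTH WriteFile calls are checked.
;-----------------------------------------------------------------------

CODE_BASE_OFFSET equ 0000009Dh          ; file offset of the BaseOfCode byte patched
DATA_BASE_OFFSET equ 000000A1h          ; file offset of the BaseOfData byte patched
PATCH_LEN        equ 1                  ; bytes written per field

; PATCH_BYTE offset, src
; Seek the file in [ebp-4] to absolute file position `offset` and write
; PATCH_LEN byte(s) from `src`. On exit eax = WriteFile result, or 0 if the
; seek failed. Clobbers eax, flags and [ebp-8].
%macro PATCH_BYTE 2
        push    DWORD FILE_BEGIN        ; dwMoveMethod
        push    DWORD NULL              ; lpDistanceToMoveHigh: 32-bit offsets only
        push    DWORD %1                ; lDistanceToMove
        push    DWORD [ebp-4]           ; hFile
        call    [SetFilePointer]
        cmp     eax, -1                 ; INVALID_SET_FILE_POINTER (unambiguous:
        je      %%fail                  ; lpDistanceToMoveHigh was NULL)

        push    DWORD 0                 ; lpOverlapped: synchronous write
        lea     eax, [ebp-8]
        push    eax                     ; lpNumberOfBytesWritten -> our own local
        push    DWORD PATCH_LEN         ; nNumberOfBytesToWrite
        push    DWORD %2                ; lpBuffer
        push    DWORD [ebp-4]           ; hFile
        call    [WriteFile]             ; eax = 0 on failure
        jmp     %%done
%%fail:
        xor     eax, eax                ; report the seek failure like a write failure
%%done:
%endmacro

..start:

ptch_establish_frame:
        push    ebp
        mov     ebp, esp
        sub     esp, 8                  ; [ebp-4] handle, [ebp-8] bytes written

ptch_open_bot:
        ; CreateFileA(asmbot, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ,
        ;             NULL, OPEN_EXISTING, 0, NULL)
        push    DWORD NULL              ; hTemplateFile
        push    DWORD 0                 ; dwFlagsAndAttributes
        push    DWORD OPEN_EXISTING     ; dwCreationDisposition (3): never create
        push    DWORD NULL              ; lpSecurityAttributes
        push    DWORD FILE_SHARE_READ   ; dwShareMode (1)
        push    DWORD GENERIC_READ | GENERIC_WRITE
        push    DWORD asmbot            ; lpFileName
        call    [CreateFileA]
        cmp     eax, -1                 ; INVALID_HANDLE_VALUE
        je      ptch_open_failed        ; no handle yet -> must not CloseHandle
        mov     DWORD [ebp-4], eax

ptch_fix_code_base:
        PATCH_BYTE CODE_BASE_OFFSET, code_base
        or      eax, eax
        je      ptch_error_msg

ptch_fix_data_base:
        PATCH_BYTE DATA_BASE_OFFSET, data_base
        or      eax, eax                ; this result was previously ignored
        je      ptch_error_msg

ptch_close_bot:
        push    DWORD [ebp-4]
        call    [CloseHandle]

ptch_destroy_frame:
        mov     esp, ebp
        pop     ebp

ptch_exit:
        push    DWORD 0                 ; uExitCode
        call    [ExitProcess]

ptch_error_msg:
        ; A seek/write failed after the file was opened: report, then close.
        push    DWORD MB_OK             ; uType
        push    DWORD error_msg_caption ; lpCaption
        push    DWORD error_write_failed; lpText
        push    DWORD NULL              ; hWnd: no owner window
        call    [MessageBoxA]
        jmp     ptch_close_bot

ptch_open_failed:
        ; CreateFileA failed: report and leave without touching CloseHandle.
        push    DWORD MB_OK             ; uType
        push    DWORD error_msg_caption ; lpCaption
        push    DWORD error_open_failed ; lpText
        push    DWORD NULL              ; hWnd: no owner window
        call    [MessageBoxA]
        jmp     ptch_destroy_frame

SECTION DATA USE32 CLASS=DATA

asmbot              db "asmbot.exe", 0
code_base           db 10h              ; byte stored at CODE_BASE_OFFSET
data_base           db 20h              ; byte stored at DATA_BASE_OFFSET
error_write_failed  db "Another process is currently accessing the file", 0
error_msg_caption   db "error", 0
error_open_failed   db "Could not open asmbot.exe", 0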
Posted on 2004-09-04 06:09:34 by Al_Leitch
I hope you have informed olly of this bug!
Posted on 2004-09-04 07:24:37 by f0dder