admin/SuperMega
1
0
Fork 0
mirror of https://github.com/dobin/SuperMega synced 2026-06-03 01:27:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

feature: calculate offset into .rdata (tmp)

Browse Source
This commit is contained in:
Dobin
2024-03-03 16:58:44 +00:00
parent d3a750288e
commit 286ad055d3
3 changed files with 43 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
helper.py
+19
View File
@@ -148,3 +148,22 @@ def file_to_lf(filename):
data = data.replace(b'\r\n', b'\n') data = data.replace(b'\r\n', b'\n')
with open(filename, 'wb') as f: with open(filename, 'wb') as f:
f.write(data) f.write(data)
def find_first_utf16_string_offset(data, min_len=8):
current_string = bytearray()
start_offset = None # To keep track of the start of the current string
for i in range(0, len(data) - 1, 2):
# Check if we have a valid character
if data[i] != 0 or data[i+1] != 0:
if start_offset is None: # Mark the start of a new string
start_offset = i
current_string += bytes([data[i], data[i+1]])
else:
if len(current_string) >= min_len * 2: # Check if the current string meets the minimum length
return start_offset # Return the offset where the string starts
current_string = bytearray()
start_offset = None # Reset start offset for the next string
return None # No string found that meets the criteria
pe/superpe.py
+14
View File
@@ -8,6 +8,7 @@ from helper import hexdump
logger = logging.getLogger("superpe") logger = logging.getLogger("superpe")
class PeSection(): class PeSection():
def __init__(self, pefile_section: pefile.SectionStructure): def __init__(self, pefile_section: pefile.SectionStructure):
self.name: str = pefile_section.Name.rstrip(b'\x00').decode("utf-8") self.name: str = pefile_section.Name.rstrip(b'\x00').decode("utf-8")
@@ -16,6 +17,7 @@ class PeSection():
self.virt_addr: int = pefile_section.VirtualAddress self.virt_addr: int = pefile_section.VirtualAddress
self.virt_size: int = pefile_section.Misc_VirtualSize self.virt_size: int = pefile_section.Misc_VirtualSize
class SuperPe(): class SuperPe():
IMAGE_DIRECTORY_ENTRY_SECURITY = 4 IMAGE_DIRECTORY_ENTRY_SECURITY = 4
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5 IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
@@ -88,6 +90,18 @@ class SuperPe():
return bytes(sect.get_data()) return bytes(sect.get_data())
def get_section_data(self, sect_name) -> bytes:
sect = self.get_section_by_name_b(sect_name)
return bytes(sect.get_data())
def get_section_by_name_b(self, name):
for sect in self.pe.sections:
if sect.Name.decode().lower().startswith(name.lower()):
return sect
return None
def write_code_section_data(self, data: bytes): def write_code_section_data(self, data: bytes):
sect = self.get_code_section() sect = self.get_code_section()
self.pe.set_bytes_at_offset(sect.PointerToRawData, data) self.pe.set_bytes_at_offset(sect.PointerToRawData, data)
phases/injector.py
+11 -3
View File
@@ -106,10 +106,18 @@ def injected_fix_data(superpe: SuperPe, carrier: Carrier, exe_host: ExeHost):
# nothing todo # nothing todo
return return
sect = exe_host.superpe.get_section_by_name(".rdata") # Offset of strings in .rodata
addr = sect.raw_addr + 0x1AB0 # NEEDED, > 1A00! sect = exe_host.superpe.get_section_by_name_b(".rdata")
sect_data = sect.get_data()
string_off = find_first_utf16_string_offset(sect_data)
if string_off == None:
raise Exception("Strings not found in .rdata section, abort")
if string_off < 100:
logging.warn("weird: Strings in .rdata section at offset {} < 100".format(string_off))
sect = exe_host.superpe.get_section_by_name(".rdata")
addr = sect.raw_addr + string_off
#with open(exe_path, "r+b") as f:
for datareuse_fixup in reusedata_fixups: for datareuse_fixup in reusedata_fixups:
var_data = datareuse_fixup.data var_data = datareuse_fixup.data
#print(" Addr: {} / 0x{:X} Data: {}".format( #print(" Addr: {} / 0x{:X} Data: {}".format(