
I want to make a "codecave" in an executable file using OllyDbg, but my issue is that I have no idea how I can add more space to the file where I could write my own function. So far I've only tried to extend it by adding zeros to the end of the file using a hex editor, but after reopening it with Olly I didn't get any more space for instructions.

Strangely I couldn't find any information about this topic on the internet, so I hope some of you here can help me out.

Sejt
  • You need to study the format of the .EXE at hand and then exploit possible areas that are safe to utilize. Alternatively throw out stuff that you know will not endanger the functioning of the program. https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjnusGwjbjuAhVYtqQKHUTnBSQQFjAAegQIBxAC&url=https%3A%2F%2Fwww.codeproject.com%2FArticles%2F20240%2FThe-Beginners-Guide-to-Codecaves&usg=AOvVaw3U95m-cOdh-kHFniXgHHR4 – Sep Roland Jan 25 '21 at 22:11
  • Thank you for the answer! Maybe you can explain why it is not possible to insert more instructions if the file is extended in a hex editor? – Sejt Jan 25 '21 at 22:16
  • Extending in a hex editor might not update the relevant info in the .EXE's header about the application's length. So the change will not be a permanent one. – Sep Roland Jan 25 '21 at 22:19
  • Use a tool like IDA Pro to edit binaries. It is usually difficult to extend the text segment as it might be immediately followed by another segment. The general approach is to make space somewhere by overwriting padding bytes (`CC`) or refactoring other code to be shorter. – fuz Jan 25 '21 at 22:23
  • Thank you guys for the quick answers :) – Sejt Jan 25 '21 at 22:48
  • I've seen cases where Windows .EXE files were extended significantly by 1 or more megabytes, which required some sort of .EXE editor, but I don't know where to search for such a tool. For small functions, you could look for groups of hex CC (int 3) between sections that are aligned to 16 byte boundaries, using several of them for a single function, which doesn't require changing .EXE file size. – rcgldr Jan 26 '21 at 03:38

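The comments above make two points that are easy to verify from the PE section table: bytes appended in a hex editor lie past every section's raw data, so no section header maps them and the loader (and therefore Olly) never sees them, while the usable space is the int3/zero fill between a section's VirtualSize and its file-aligned SizeOfRawData. As an added example, not code from the question or any of the commenters, the following walker reports that per-section slack and the unmapped overlay; it is run on a constructed two-section PE32 stub (assumed layout: standard IMAGE_SECTION_HEADER fields, 224-byte PE32 optional header), not on a real executable.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PADDING = {0x00, 0xCC}  # zero / int3 fill that linkers leave at the tail of a section

def parse_sections(data):
    """Walk the PE section table; one dict per IMAGE_SECTION_HEADER."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # 4-byte signature + 20-byte COFF header
    secs = []
    for i in range(nsections):
        f = SECTION_HDR.unpack_from(data, table + i * SECTION_HDR.size)
        secs.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "vaddr": f[2],
                     "rawsize": f[3], "rawptr": f[4], "exec": bool(f[9] & IMAGE_SCN_MEM_EXECUTE)})
    return secs

def cave_report(data):
    """Per-section slack (file bytes the loader maps but the linker left unused) plus the
    overlay: bytes past the last section that no header covers, so they are never mapped."""
    secs = parse_sections(data)
    report = {"sections": [], "overlay": 0}
    for s in secs:
        used = min(s["vsize"], s["rawsize"])
        slack = data[s["rawptr"] + used:s["rawptr"] + s["rawsize"]]
        report["sections"].append({"name": s["name"], "exec": s["exec"], "slack": len(slack),
                                   "file_offset": s["rawptr"] + used, "rva": s["vaddr"] + used,
                                   "all_padding": all(b in PADDING for b in slack)})
    report["overlay"] = len(data) - max(s["rawptr"] + s["rawsize"] for s in secs)
    return report

def build_sample():
    """Constructed two-section PE32 stub (not a runnable program) with 0x100 zero bytes
    appended after the last section, mimicking the hex-editor experiment in the question."""
    hdr = bytearray(0x200)
    hdr[0:2], hdr[0x3C:0x40], hdr[0x40:0x44] = b"MZ", struct.pack("<I", 0x40), b"PE\0\0"
    hdr[0x44:0x58] = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # COFF file header
    hdr[0x58:0x5A] = struct.pack("<H", 0x10B)  # PE32 magic; rest of optional header left zeroed
    for i, (name, vsize, vaddr, rawptr, chars) in enumerate(
            ((b".text", 0x150, 0x1000, 0x200, 0x60000020), (b".data", 0x40, 0x2000, 0x400, 0xC0000040))):
        hdr[0x138 + 40 * i:0x160 + 40 * i] = SECTION_HDR.pack(name, vsize, vaddr, 0x200, rawptr, 0, 0, 0, 0, chars)
    # .text: 0x150 bytes of code then 0xB0 of int3 fill; .data: 0x40 bytes then zero fill; then the overlay
    return bytes(hdr) + b"\x90" * 0x150 + b"\xCC" * 0xB0 + b"\x41" * 0x40 + b"\x00" * 0x1C0 + b"\x00" * 0x100
```

On the stub, the 0x100 appended bytes show up only as overlay, while .text exposes 0xB0 bytes of executable int3 slack at file offset 0x350 (RVA 0x1150), which is exactly the kind of region rcgldr describes.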