
I'm analyzing some cracks, and one of them changed the Relocation Table address and size to 0. What was the cracker trying to achieve with this?

To provide more information, the objective of the crack is to load another DLL, changing the name of a previous Windows DLL in the load table to a custom one.

Cody Gray
Filipe Carvalho

3 Answers


Deleting the relocation table guarantees that the DLL can't be relocated.
So the new code (the code of the crack) doesn't need to calculate any address in the DLL and can use constant address values.

Also, often the relocation table is not actually necessary, so it can be removed to reduce the size of the module, or replaced with some data.

Abyx
  • "...replace it with some data"! Interesting! Could it be the reason why some executables (which are never relocated) have a Relocation Directory? See question (http://stackoverflow.com/questions/8534858/why-do-some-windows-applications-contain-a-relocation-directory) – mox Dec 17 '11 at 16:25

According to the Portable Executable Specification, a relocation table is only needed when a library must be loaded at another address than its preferred load address. So, deleting the relocation table from the directory does not have any impact as long as the library is loaded at its preferred address (which is, as a matter of fact, what takes place when the image does NOT support ASLR).

mox

To change the name of a DLL to load, you would normally just change the import table. The rest is just guess work, without knowing the specifics of the binaries in question.

I believe it's important to realize that not all 'crackers' know exactly what they're doing; maybe you're analyzing something that shouldn't be analyzed at all.

That said, you might want to remove relocation for a few reasons:

  • in executables, relocation data is useless (and can be safely removed) unless they are ASLR-aware.
  • possibly the crack added code which would require relocation entries. Instead of adding these, the cracker simply removed the reloc table altogether (possibly also disabling ASLR in the header)
  • if the file was packed, you normally run a PE rebuilder on the unpacked file to remove useless section data on disk and clean up the PE header. By default most of these tools strip reloc data from the PE.
pezcode
  • "To change the name of a DLL to load, you would normally just change the import table" - no, exports can be forwarded to former DLL. – Abyx Dec 17 '11 at 15:54
  • @Abyx, I said 'normally', not 'always'. Forwarding is an option, but harder to implement than just modifying the dll name in the import table. – pezcode Dec 17 '11 at 16:12
  • @Abyx, oh I see what you were getting at. I didn't imply changing the name of the dll that was loaded, but changing the dll that will be loaded (by changing the filename) – pezcode Dec 17 '11 at 16:15
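The answers above all turn on the same two header facts: whether the base relocation directory (data directory entry 5) is empty, and whether IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is set. The following added example, written for this page and not code from any of the posters, parses exactly those fields from a PE header and reports whether the image can still be relocated; `build_header` constructs a minimal, section-less header as sample input (a hypothetical image, not a real binary) so the check runs offline.

```python
import struct

DYNAMIC_BASE = 0x0040          # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in)
DIR_BASERELOC = 5              # IMAGE_DIRECTORY_ENTRY_BASERELOC

def inspect_relocations(data: bytes) -> dict:
    """Parse just enough of a PE header to decide whether the image can be relocated."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20                               # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                            # PE32+: 8-byte ImageBase, 16 data dirs at +112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs = opt + 112
    elif magic == 0x10B:                          # PE32: 4-byte ImageBase, 16 data dirs at +96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs = opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    rva, size = struct.unpack_from("<II", data, dirs + 8 * DIR_BASERELOC)
    has_relocs = rva != 0 and size != 0           # the crack in the question zeroes both
    aslr = bool(dll_chars & DYNAMIC_BASE)
    if has_relocs:
        verdict = "relocatable" + (", ASLR-aware" if aslr else ", fixed base unless it conflicts")
    else:
        verdict = "not relocatable: loads only at its preferred ImageBase"
        if aslr:
            verdict += " (DYNAMIC_BASE is set but cannot take effect without relocations)"
    return {"image_base": image_base, "reloc_rva": rva, "reloc_size": size,
            "has_relocs": has_relocs, "aslr": aslr, "verdict": verdict}

def build_header(pe32plus: bool, dll_chars: int, reloc_rva: int, reloc_size: int,
                 image_base: int = 0x10000000) -> bytes:
    """Constructed minimal PE header (no sections) used as sample input; not a real binary."""
    opt_size = 240 if pe32plus else 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2000)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<Q" if pe32plus else "<I", opt, 24 if pe32plus else 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<II", opt, (112 if pe32plus else 96) + 8 * DIR_BASERELOC, reloc_rva, reloc_size)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Running `inspect_relocations` on the original and the cracked file side by side shows whether the reloc directory was zeroed and whether the DYNAMIC_BASE flag was cleared along with it, which is the quickest way to confirm the "constant addresses" motive given in the accepted answer.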