EXE edit like a trojan
When I was younger I used to play with my friends with stuff like Sub7, famous trojan horse...
(I know. Sad.)
It worked like this:
you had server.exe and editor.exe
One used to edit the server.exe with the editor.exe to match his will
Of course I don't want to make anything harmful to anyone, just wondering...
How would one 'edit' an already compiled EXE? Or even reproduce it, or produce EXEs with different settings, like in this case?
Re: EXE edit like a trojan
You mean change the settings / configuration of a program by modifying the executable? I think a better question would be: why would you want to change those settings? Why not simply recompile?
( PB6.00 LTS Win11 x64 Asrock AB350 Pro4 Ryzen 5 3600 32GB GTX1060 6GB)
( The path to enlightenment and the PureBasic Survival Guide right here... )
Re: EXE edit like a trojan
In sub7's case, they could be editing the memory to change variables according to whatever the user wants to enable/disable on the server.
Have you ever used a hex editor? It's similar to that only this would be done programmatically.
edit: not really happy with the way I explained it so maybe if you look at these examples you might see what I'm getting at.
"server" -- compile this as exe in c:\ or wherever you want, just make sure to change the editor code to open the right file
Code:
OpenWindow(0, 0, 0, 200, 200, "Test Window")
Repeat
  event = WaitWindowEvent(1)
Until event = #PB_Event_CloseWindow
edit "server"
Code:
file$ = "c:\server.exe"
If OpenFile(1, file$) ; only write if the file could be opened
  ; the offset depends on the compiled file, so look it up again for your own build
  FileSeek(1, $320D) ; hard coded address - I found this using a hex editor
  WriteData(1, @"Modified Window Text", 20)
  CloseFile(1)
EndIf
Compile the first code section somewhere on your disk then tell the second snippet to open it. You should see that after the second snippet has run it has modified the window title permanently. Now, instead of a window title this variable could really be anything. You just need to know the memory location of the variable that you want to change.
Last edited by epidemicz on Fri Sep 10, 2010 7:31 pm, edited 1 time in total.

Re: EXE edit like a trojan
I still fail to see a practical application...
Re: EXE edit like a trojan
Practical? I'm sure our definitions may differ on this but sure, I can think of many "practical" applications that can come from editing an exe's memory.
But ethical? Well, that's a different story.

Re: EXE edit like a trojan
In most cases this is simply done by adding some data to the end of the exe. Changing the actual code would be much too complicated. If you need more complex changes than changing variables you can simply add a script to the end of the exe. All the pseudocode compilers like Visual Basic (in pseudo code compile mode) do it.
blueznl wrote: I still fail to see a practical application...
There are tons of applications.
pseudocode Compiler. The exe is the interpreter followed by a byte code script.
selfextracting archives
I have done a modloader for a game. I wanted the mods as single files, so the mod loader is a precompiled exe and you can apply modded files to it with a mod builder and save it as a single file mod, that doesn't need any software installed to run other than the actual game.
Re: EXE edit like a trojan
blueznl wrote: You mean change the settings / configuration of a program by modifying the executable? I think a better question would be: why would you want to change those settings? Why not simply recompile?
I've seen many apps doing that, can't get many practical examples right now but I guess "selfextracting archives" could be one of them. Or even an install maker or something...

An app that produces an exe, but this exe can't be always the same... I mean, it is, but slightly modified, enough to still let it work.
epidemicz wrote: Have you ever used a hex editor? It's similar to that only this would be done programmatically.
Yes. A hex editor was the first thing I thought of, but I remember when I was editing something that it needed to have the same length as the last data. I tried your example, ofc, fixed the path and stuff but didn't get it to work :/ the address might be different for every machine.
epidemicz wrote: Practical? I'm sure our definitions may differ on this but sure, I can think of many "practical" applications that can come from editing an exe's memory. But ethical? Well, that's a different story.
I want to know how to reproduce an exe, which would have different specifications for each user... not like a compiler, just a little modification. And yes, I got the curiosity from how a trojan editor works, but I'm sure there could be other uses.
Thorium wrote: There are tons of applications. pseudocode Compiler. The exe is the interpreter followed by a byte code script. selfextracting archives
It looks close! I thought about using lua or something in a string var, but still, it needs to be one file only, and I still had to modify the exe to change the script.
Re: EXE edit like a trojan
PureLeo wrote: It looks close! I thought about using lua or something in a string var, but still, it needs to be one file only, and I still had to modify the exe to change the script.
Well that's the easy part.
Just open the .exe like a normal file and write the script to the end of the file. Then write the length of the script in bytes to the file.
So your file looks like that:
------------
actual EXE
------------
script
------------
size of script
------------
The .exe can easily read the script by opening itself as a file. Read the size of the script from lof() - 4. (or -8 if you want to use a quad to support files bigger than 4GB)
And then read the script from lof() - 4 - size of script
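Added example (not part of the original thread or anyone's posted code): the EXE | script | size layout described above, written and read back in Python, with the bounds check a reader needs because the size trailer is untrusted data. The file name `stub.bin`, the function names and the sample script are assumptions made for illustration.

```python
import os
import struct

SIZE_FIELD = struct.Struct("<I")  # 4-byte size trailer; "<Q" would be the 8-byte quad variant


def append_script(exe_path, script):
    """Write the script, then its length, at the current end of the file (offset lof())."""
    with open(exe_path, "ab") as f:  # append mode never touches the existing bytes
        f.write(script)
        f.write(SIZE_FIELD.pack(len(script)))


def read_script(exe_path):
    """Read the size from lof() - 4, then the script from lof() - 4 - size."""
    lof = os.path.getsize(exe_path)
    if lof < SIZE_FIELD.size:
        raise ValueError("file too short to hold a size trailer")
    with open(exe_path, "rb") as f:
        f.seek(lof - SIZE_FIELD.size)
        (size,) = SIZE_FIELD.unpack(f.read(SIZE_FIELD.size))
        start = lof - SIZE_FIELD.size - size
        if start < 0:
            # Missing or tampered trailer: refuse instead of seeking before the file start.
            raise ValueError("size trailer is larger than the file")
        f.seek(start)
        return f.read(size)


def demo(workdir):
    """Round trip on a constructed stand-in for a compiled EXE."""
    path = os.path.join(workdir, "stub.bin")
    stub = b"MZ" + bytes(62)  # constructed bytes, not a real program
    with open(path, "wb") as f:
        f.write(stub)
    append_script(path, b"title=Hello\n")
    with open(path, "rb") as f:
        untouched = f.read(len(stub)) == stub  # original bytes are still intact
    return untouched, read_script(path)
```

The layout carries no marker, so the bounds check only rejects impossible sizes; a file that never had a script appended can still yield a plausible-looking size from its last four bytes.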
Re: EXE edit like a trojan
Cool... Thank you!
Couldn't it crash my exe by adding too much stuff to the end of file? Corrupt the exe or something?
This way I don't even need to use lua, just create my own script and interpret it
Re: EXE edit like a trojan
PureLeo wrote: Couldn't it crash my exe by adding too much stuff to the end of file? Corrupt the exe or something?
No, it doesn't corrupt it.
Re: EXE edit like a trojan
So writing something to the end or to the beginning of a file doesn't corrupt it...
Good, this helps a lot!
I would also like to know about other ways to do that, IF any.
Also, how does an 'install maker' work, for instance?
I mean, you compile an EXE (your install maker), and it is able to generate another exe (the installer) with some needed settings and the actual App embedded.
- Rook Zimbabwe
Re: EXE edit like a trojan
It just sounds like you are looking for a way to register your software that allegedly cannot be hacked easy...
If you have code added to the end of the exe you may set off some AV programs...
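Added example (not part of the thread): the Windows loader maps only the file ranges listed in the PE section table, which is why bytes appended after them do not stop the program from running, and that same unmapped tail (the "overlay") is what a scanner can measure. `build_sample_pe` constructs a minimal PE-shaped file for illustration; it is an assumption of this example and not a runnable program.

```python
import struct


def overlay_offset(image: bytes) -> int:
    """Return the file offset where data not covered by any PE section begins."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew: offset of "PE\0\0"
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (n_sections,) = struct.unpack_from("<H", image, pe + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe + 20)
    table = pe + 24 + opt_size                           # first 40-byte section header
    end = table + 40 * n_sections                        # the headers themselves
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each header
        raw_size, raw_ptr = struct.unpack_from("<II", image, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end


def overlay(image: bytes) -> bytes:
    """Bytes past the last section: where an appended script or archive lives."""
    return image[overlay_offset(image):]


def build_sample_pe() -> bytes:
    """Constructed sample: DOS stub, COFF header, one 512-byte section at offset 512."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)      # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # 1 section, no optional header
    section = struct.pack("<8sIIIIIIHHI", b".text", 512, 0x1000,
                          512, 512, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + section
    return headers.ljust(512, b"\0") + bytes(512)
```

In a signed file the Authenticode certificate table also sits past the last section, so a non-empty overlay is a reason to look closer rather than a verdict.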
- netmaestro
Re: EXE edit like a trojan
Quote:
------------
actual EXE
------------
script
------------
size of script
------------
If this is a program you wrote, why not use a datasection? In my Cryptor project I create an executable key that contains a datasection with room for the key and initialization vector all initialized with zeros. The main app dumps it, opens it as a file, then searches down until it finds a string identifying the start of key data:
Code:
DataSection
  Data.s "[Cryptor Key]" ; marker string the main app searches for
  ; zero-filled placeholders that get overwritten in the dumped file
  keyid:
  Data.a 0
  key:
  Data.a 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
  iVector:
  Data.a 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
  Data.a 0,0,0,0
EndDataSection
BERESHEIT
Re: EXE edit like a trojan
PureLeo wrote: So writing something to the end or to the beginning of a file doesn't corrupt it...
No no. Writing something to the beginning of the file does corrupt it. If you do write to the beginning you overwrite the file. You have to write to offset lof(), so you don't overwrite anything and the exe gets bigger.
PureLeo wrote: I would also like to know about other ways to do that, IF any.
Like most problems there is more than one possible solution. But I think that's the easiest. Another not too hard way would be to use Windows resources and update them but I never did that.
PureLeo wrote: Also, how does an 'install maker' work, for instance? I mean, you compile an EXE (your install maker), and it is able to generate another exe (the installer) with some needed settings and the actual App embedded.
Same way.
netmaestro wrote: If this is a program you wrote, why not use a datasection? In my Cryptor project I create an executable key that contains a datasection with room for the key and initialization vector all initialized with zeros. The main app dumps it, opens it as a file, then searches down until it finds a string identifying the start of key data:
For storing a key or checksum this is ok.
But it's not very dynamic. If you don't know how big the data is that could be embedded after compiling. For example for an installer. You don't want to reserve 2GB in the installer.exe. ^^
Re: EXE edit like a trojan
PureLeo wrote: So writing something to the end or to the beginning of a file doesn't corrupt it... Good, this helps a lot!
Only end I think, always has to be the exe at the beginning or it doesn't run.
