Find an instruction in an executable file, given its address in a running process?


Problem description

I'm modifying an old abandonware game to have infinite lives.

The address that has the instruction dec ecx is not the same as its position in the debugged .exe.

I remember an old friend of mine once told me that there was a formula to get the "true" address of the instruction inside the .exe. Cheat Engine gives me the memory address. I remember that in the math formula I needed to get the module, which I get in OllyDbg. But I can't remember the formula. Does somebody know that math formula? The formula is very simple! Is there another way to get the file position to permanently modify the .exe?

Recommended answer

There's a "formula" but you'll actually need to look inside the executable file (although this formula can be simplified based on some assumptions).

  1. Get the in-memory address (Virtual Address) of the instruction / data you are interested in. [VA]
  2. Get the base address of the module where the instruction / data lies. [MODBASE]
  3. Subtract MODBASE from VA; you obtain what is called a Relative Virtual Address [RVA]:
    • VA - MODBASE = RVA
  4. RVA - SECRVA = OFFSET
  5. OFFSET + SECRAWADDR = INSDATAOFFSET (offset of the instruction or data in the file on disk).

Assumptions

Usually (I insist on usually, sometimes it is not the case), [SECRVA] will be 0x1000 for the first section - which happens to be the code section - and its [SECRAWADDR] will be 0x400.

So if you are searching for the offset of an instruction based on its address in memory, you can usually assume that:

  • SECRVA = 0x1000
  • SECRAWADDR = 0x400

Example

Example based on cmd.exe.

Let's say I'm searching for this code at 0x1C34B0 when the program is loaded into memory:

CPU Disasm
Address   Hex dump          Command                                  Comments
001C34B0  /$  E8 B3040000   CALL 001C3968
001C34B5  \.^ E9 2EFEFFFF   JMP 001C32E8

Notice the instruction opcodes (bytes) are: 0xE8B3040000

  1. VA = 0x1C34B0
  2. Search for the module base in memory (with a debugger or Process Explorer; the interesting column in Process Explorer is simply named "Base"):
    • MODBASE = 0x1B0000
  3. VA - MODBASE = RVA; 0x1C34B0 - 0x1B0000 = 0x134B0; RVA = 0x134B0

Opening the binary file in a PE editor (I use CFF Explorer):

  4. Let's see in which section 0x134B0 lies:

The first section is .text, its Virtual Address is 0x1000 and its Virtual Size is 0x23E4C (so the end of the section is at 0x1000 + 0x23E4C = 0x24E4C).

Is 0x134B0 between 0x1000 and 0x24E4C?

  • 0x1000 <= 0x134B0 < 0x24E4C -> True: so the address lies in the .text section.

Note: repeat the same process for each section until you have found the right one.

  5. SECRVA = 0x1000 (section Virtual Address)

RVA - SECRVA = OFFSET; 0x134B0 - 0x1000 = 0x124B0

SECRAWADDR = 0x400 (section Raw Address)

OFFSET + SECRAWADDR = INSDATAOFFSET; 0x124B0 + 0x400 = 0x128B0

If we look at 0x128B0 in the file we have:

So we have found exactly the same bytes in the file (0xE8B3040000) as in memory.
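The following Python script, added here as an example and not part of the original answer, carries out the VA -> RVA -> file offset steps above by reading the PE section table instead of assuming SECRVA = 0x1000 and SECRAWADDR = 0x400. The PE image it parses is constructed inline (it is not cmd.exe; only the five instruction bytes and the module base 0x1B0000 are borrowed from the answer), and the helper names `parse_pe`, `rva_to_file_offset`, `va_to_file_offset`, `patch_bytes` and `build_sample_pe` are my own. It also covers two cases the shortcut misses: an RVA that falls in the headers, and an RVA in the zero-filled tail of a section that has no bytes on disk.

```python
"""
VA (as seen in a debugger) -> RVA -> file offset, following the answer's steps.

Added example, not code from the original answer. It hand-parses the PE
section table with struct so it runs offline; the PE image below is
constructed here (it is not cmd.exe) and every helper name is my own.
"""
import struct

SECTION_HEADER_SIZE = 40


def parse_pe(data):
    """Return (ImageBase, SizeOfHeaders, [section dicts]) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                    # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                  # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sections = []
    table = opt + opt_size                                # section table follows the optional header
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, table + i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "SECRVA": va, "VirtualSize": vsize,
                         "SizeOfRawData": rawsize, "SECRAWADDR": rawptr})
    return image_base, size_of_headers, sections


def rva_to_file_offset(data, rva):
    """RVA -> file offset; LookupError when nothing on disk backs that RVA."""
    _, size_of_headers, sections = parse_pe(data)
    if rva < size_of_headers:
        return rva                                        # headers are mapped 1:1 from file start
    for sec in sections:
        end = sec["SECRVA"] + max(sec["VirtualSize"], sec["SizeOfRawData"])
        if sec["SECRVA"] <= rva < end:
            offset = rva - sec["SECRVA"]                  # RVA - SECRVA = OFFSET
            if offset >= sec["SizeOfRawData"]:            # e.g. zero-filled .bss-style tail
                raise LookupError("RVA 0x%x is in the virtual-only part of %s"
                                  % (rva, sec["name"]))
            return offset + sec["SECRAWADDR"]             # OFFSET + SECRAWADDR = INSDATAOFFSET
    raise LookupError("RVA 0x%x lies in no section" % rva)


def va_to_file_offset(data, va, modbase):
    """VA from the debugger -> file offset. modbase is the base the loader
    actually used (with ASLR it is usually not the ImageBase in the header)."""
    return rva_to_file_offset(data, va - modbase)         # VA - MODBASE = RVA


def patch_bytes(data, offset, expected, replacement):
    """Patch the file image only if the bytes on disk are the ones seen in memory."""
    if data[offset:offset + len(expected)] != expected:
        raise ValueError("bytes at 0x%x do not match; wrong offset?" % offset)
    return data[:offset] + replacement + data[offset + len(replacement):]


def build_sample_pe():
    """Constructed PE32 image, not a real binary: .text at RVA 0x1000 / raw 0x400,
    .data at RVA 0x2000 / raw 0x600 with a virtual-only tail (VirtualSize 0x1000)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase (preferred base)
    struct.pack_into("<I", opt, 32, 0x1000)               # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                # FileAlignment
    struct.pack_into("<I", opt, 56, 0x3000)               # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x400)                # SizeOfHeaders
    sections = (
        struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
        + struct.pack("<8sIIIIIIHHI", b".data", 0x1000, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040))
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections).ljust(0x400, b"\0")
    text = bytearray(0x200)
    text[0x50:0x55] = b"\xE8\xB3\x04\x00\x00"             # same CALL bytes as the answer's dump
    return headers + bytes(text) + bytes(0x200)


if __name__ == "__main__":
    pe = build_sample_pe()
    modbase = 0x1B0000                                    # base reported by the debugger
    off = va_to_file_offset(pe, modbase + 0x1050, modbase)
    print("file offset 0x%x, bytes %s" % (off, pe[off:off + 5].hex()))
```

Run as a script it reports file offset 0x450 with bytes e8b3040000 for the constructed image. Two caveats for real targets: the base the debugger shows (0x1B0000 in the answer) is where the loader placed the module under ASLR, not the ImageBase field of the header, so always subtract the runtime base; and when a section's VirtualSize exceeds its SizeOfRawData the extra range exists only in memory, so there is nothing in the file to patch there. `patch_bytes` refuses to write unless the bytes at the computed offset match what was seen in the debugger, which is the check to make before editing a game binary on disk.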
