Sign in to follow this  
Followers 0
Irongeek

HEX edit on a dll file

6 posts in this topic

#1 ·  Posted (edited)

I need to scan a dll and patch it by replacing an 8 byte string with another one, but I can't seem to figure out how. I tried with this sample code:

#include <File.au3>

$find = "MSFT 5.0"
$replace = "12345678"

$filename = "C:\Documents and Settings\me\Desktop\dhcpcsvc.dll"


$retval = _ReplaceStringInFile($filename,$find,$replace)
if $retval = -1 then
    msgbox(0, "ERROR", "The pattern could not be replaced in file: " & $filename & " Error: " & @error)
    exit
else
    msgbox(0, "INFO", "Found " & $retval & " occurances of the pattern: " & $find & " in the file: " & $filename)
endif

$msg = FileRead($filename, 1000)
msgbox(0,"AFTER",$msg)

but _ReplaceStringInFile does not seem to work on a binary blog. Any ideas?

Edited by Irongeek

Share this post


Link to post
Share on other sites



FileOpen in binary mode.

Share this post


Link to post
Share on other sites

Thanks, but I'm still working on figuring out how to search it and save it out without screwing it up. If anyone has done something like this before, it would help if I could see the code.

Share this post


Link to post
Share on other sites

#4 ·  Posted (edited)

$find = "4d53465420352e30"

$replace = "12345678"

$filename = "C:\Documents and Settings\me\Desktop\dhcpcsvc.dll"

$new = "dhcpcsvc.dll"

$file = FileOpen(filename , 16)

$chars = FileRead($file , FileGetSize($file))

$replaced = StringReplace($chars, $find, $replace)

FileWrite($new, $replaced) ;create new updated file

Edited by Pain

Share this post


Link to post
Share on other sites

$find = "4d53465420352e30"

$replace = "12345678"

$filename = "C:\Documents and Settings\me\Desktop\dhcpcsvc.dll"

$new = "dhcpcsvc.dll"

$file = FileOpen(filename , 16)

$chars = FileRead($file , FileGetSize($file))

$replaced = StringReplace($chars, $find, $replace)

FileWrite($new, $replaced) ;create new updated file

Thanks, but that seems to just make a blank output file. This comes closer:

#include <string.au3>
;Base on work from piccaso

$line = "4d53465420352e30"
$lrepl= "4675636b20204954"

$file = FileOpenDialog("", @WorkingDir, "All (*.dll)", 1)
If @error Then Exit -1
$filesize = FileGetSize($file)
$data = FileRead($file)
If Not IsBinary ($data) Then $data = Binary ($data)
FileMove($file, "*.bak")
$hex = Hex($data)
;If StringInStr($hex,"55505830") And StringInStr($hex,"55505831") And StringInStr($hex,"55505821") Then
;    ConsoleWrite("Would you de-upx it for me?" & @LF)
;    Exit -2
;EndIf
$hex = StringReplace($hex,$line,$lrepl)
If @extended = 1 Then
    ConsoleWrite("Done" & @LF)
Else
    ConsoleWrite("Something bad happend with hex replace!" & @LF)
EndIf
FileWrite($file,Binary("0x" & $hex))
If FileGetSize($file) <> $filesize Then ConsoleWrite("Bad Filesize")

But the filesize comes back wrong for some reason.

Share this post


Link to post
Share on other sites

Ok, I figured out that the above code double wrote to the file, this one works:

#include <string.au3>
;Base on work from piccaso

$line = "4d53465420352e30"
$lrepl= "4675636b20204954"

$file = FileOpenDialog("", @WorkingDir, "All (*.dll)", 1)
If @error Then Exit -1
$filesize = FileGetSize($file)
$data = FileRead($file)
If Not IsBinary ($data) Then $data = Binary ($data)
FileMove($file, "*.bak")
$hex = Hex($data)
;If StringInStr($hex,"55505830") And StringInStr($hex,"55505831") And StringInStr($hex,"55505821") Then
;    ConsoleWrite("Would you de-upx it for me?" & @LF)
;    Exit -2
;EndIf
$hex = StringReplace($hex,$line,$lrepl)
If @extended = 1 Then
    ConsoleWrite("Done" & @LF)
Else
    ConsoleWrite("Something bad happend with hex replace!" & @LF)
EndIf
FileDelete("patched.dll")
FileWrite("patched.dll",Binary("0x" & $hex))
If FileGetSize($file) <> $filesize Then ConsoleWrite("Bad Filesize")

Thanks for the help.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0