Adding a section to your .exe with CFF Explorer

Custom Title Activated
Loyal Member
Joined
May 26, 2007
Messages
5,545
Reaction score
1,315
Okay, so this is essentially a follow-up, or alternative to Gregoory's guide on doing the same thing with a tool called (By MrCrimson, his site no longer exists, so I link to the Woodman repository copy) which is specifically designed to do just this.

Now I don't want to put any bad vibes Gregoory's way, because what he says is right, and as I say ToPo is very very good for doing just this. Problem is, there is no really good reason to do this, unless you want to "infect" an executable file with some new data... of course, when we add and replace routines and data in PT Clients and Servers, this is exactly what we want to do... but more often than not, this is used for doing something really nasty and devious. So a lot of Anti-Virus, Anti-SpyWare and Anti-MalWare tools flag ToPo as a bad boy. :( Poor old ToPo.

This concerns a lot of people... and there is a tool in my RCE (Reverse Code Engineering) toolbox, which can do this and much more besides. It's called from NTCore, AKA Daniel Pistelli. (Thanks Daniel)

Okay... go grab a copy, and install it. It's still being developed, and Daniel is a big fan of DotNet, (unlike me) so most of his tools support DotNet and x64 executables to some extent, I've seen a fair few changes to this tool over the past few years I've been using it, but the basic interface has remained pretty much the same. I expect more to come.

Right... now CFF Explorer is installed on your PC, you should be able to right click (Context click) your executable (Client, Server, anything you like) and select "Open with CFF Explorer"
bobsobol - Adding a section to your .exe with CFF Explorer - RaGEZONE Forums
There he is. Right off, you get some basic details about the file... We can see that it was probably originally compiled with Microsoft Visual C++ 7 for example. (That's only a guess CFF makes from the routines inside) We can also see its MD5 and SHA-1 checksums, we could compare those with another file that seemed similar, and if they didn't match exactly we know that one of them has been edited.

What we really want to do right now though, is add a new section to this executable. So if we click the Section Headers (highlighted in the illustration above) off the tree view on the left... we can see what sections are there right now.
Now we can see all the sections in the executable already, and have a peek at the hex data each bit stores, or; before we select a section, (as in the illustration above) the entire file.

Back to the point, this executable already has a KPTTrans Section, but now we want to add another... an Item, or Exp table. To do that, right click in the grey space (that's gray if you happen to live state side of the pond) below the list of sections, as indicated in the last illustration, and pick "Add Section (Empty Space)".
Of course, if you have your data, tables or whatever then you could "Add Section (File Data)" but I'm assuming you (like me) don't have that much forethought.
Now... next you need to decide how big a section to add. That depends how big the table or whatever is, but I'm just going to add a 512 byte section.

By default the section can be read from, and written to during execution, but cannot contain code. So it's great for storing extra variables.

You can change that by right clicking the section in the list, and selecting "Change Section Flags".
If you want to store constants or tables of them which should not change throughout play, you should untick "Writeable" and tick "Contains Initialized Data". If you want to place extra code, you should tick "Executable".

Really... you shouldn't have "Executable" and "Writeable" ticked at the same time... unless you intentionally want to use "self modifying code". This is a complex technique which can help hide the purpose of your code, but will also leave it more vulnerable to modification by malicious software. :wink:
 
Last edited:
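An added example, not part of the original post: a read-only check of the section flags discussed above. It parses a PE section table and lists any section marked both writable and executable; the sample image and its section names (.tables, .vars, .patch) are constructed for illustration.

```python
import struct

# Section characteristic bits, from the PE/COFF specification.
FLAGS = {
    0x00000020: "code",
    0x00000040: "initialized-data",
    0x00000080: "uninitialized-data",
    0x20000000: "execute",
    0x40000000: "read",
    0x80000000: "write",
}
WX = 0x20000000 | 0x80000000  # "Executable" and "Writeable" ticked together

def parse_sections(image):
    """Return [(name, raw_size, characteristics)] from a PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    count, opt_size = coff[1], coff[5]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    out = []
    for i in range(count):
        hdr = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        out.append((hdr[0].rstrip(b"\0").decode("ascii", "replace"), hdr[3], hdr[9]))
    return out

def describe(chars):
    return [label for bit, label in FLAGS.items() if chars & bit]

def writable_and_executable(image):
    return [n for n, _size, c in parse_sections(image) if (c & WX) == WX]

def build_sample():
    """Constructed, header-only image (not loadable) with made-up sections."""
    secs = [(b".tables", 0x40000040), (b".vars", 0xC0000040), (b".patch", 0xE0000020)]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0, 0x102)
    rows = [struct.pack("<8sIIIIIIHHI", n, 512, 0x1000 * (i + 1), 512, 0, 0, 0, 0, 0, c)
            for i, (n, c) in enumerate(secs)]
    return dos + coff + b"".join(rows)

if __name__ == "__main__":
    for name, size, chars in parse_sections(build_sample()):
        print(f"{name:8} {size:4} {chars:#010x} {', '.join(describe(chars))}")
    print("W+X sections:", writable_and_executable(build_sample()))
```

To audit a real file, pass its bytes (read with `open(path, "rb").read()`) to `writable_and_executable`.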
Experienced Elementalist
Joined
Feb 1, 2007
Messages
235
Reaction score
6
nice guide ^_^
I will try it with CFF Explorer but usually I work with LordPE

Thanks ^^
 
Custom Title Activated
Loyal Member
Joined
May 26, 2007
Messages
5,545
Reaction score
1,315
Yes... LordPE is definitely the "classic" method of doing this, and the "old guard" (of which I am usually a member) tend to stick to what they know. It's not the easiest method however, and requires quite in-depth understanding.

ToPo is almost too easy, in that it allows you to do this without the slightest understanding of what you are actually doing.

My feeling is that CFF requires you to have some understanding, shows you exactly what you are doing, and also protects you from common mistakes in the process by allowing only valid entries in the fields... LordPE will, IMS, let you change it however you like, even if that actually leaves you with a badly corrupted executable.

So I see CFF very much as an intermediate tool. Still powerful, like LordPE, but with a sensible amount of safety features. lol
 