Hello,
I basically want to execute a function from a Windows(TM) PE executable (.EXE), so I load it with LoadLibrary, assign the function's address to a function pointer and call it. The problem is that the .EXE gets loaded to 0x440000 instead of 0x400000, so for example "mov eax, dword ptr ds:OFFS" contains a wrong offset. I'm working under Linux/Wine. I want a solution.
A preferred solution is probably to force the 0x400000 image base address on loading, if that's possible. I haven't found something like that. Possible? (VirtualAlloc also fails to allocate enough memory.)
My current approach is to find all instructions that contain hardcoded offsets and skip all others (via http://www.devmaster.net/codespotlight/show.php?id=25). Does code like this probably already exist? I really don't want to reinvent the wheel here ;-).
I suspect the length calculator (http://www.devmaster.net/codespotlight/show.php?id=25) gives wrong results for some kinds of jumps, like "0xff 0x24 #imm32 <-> jmp ds:off[eax*4]". Can somebody confirm this?
Regards
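The symptom in the post (image mapped at 0x440000, operands still pointing into the 0x400000 image) is what you get when the loader applies no base relocations: it can only fix up hardcoded addresses if the image carries a .reloc table, which an .EXE linked at a fixed base usually lacks. The following is an added example, not the poster's code or the devmaster tool, showing what a loader does with one .reloc block; it mirrors the PE constants by hand (assumed little-endian host, 32-bit HIGHLOW fixups only) so it builds without windows.h.

```c
#include <stdint.h>
#include <string.h>

/* PE base-relocation constants and block layout, mirrored here by hand
 * (assumption: little-endian host, 32-bit image) rather than from windows.h. */
#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry, no fixup */
#define IMAGE_REL_BASED_HIGHLOW  3   /* add delta to a 32-bit address */

/* Apply one .reloc block (uint32 page RVA, uint32 SizeOfBlock, uint16 entries) to a
 * mapped image; delta = actual_base - preferred_base. Returns the number of fixups
 * applied, or -1 if the block is malformed or a fixup falls outside the image. */
int apply_reloc_block(uint8_t *image, size_t image_size,
                      const uint8_t *block, int64_t delta)
{
    uint32_t page_rva, size;
    memcpy(&page_rva, block, 4);
    memcpy(&size, block + 4, 4);
    if (size < 8) return -1;
    int applied = 0;
    for (size_t i = 8; i + 2 <= size; i += 2) {
        uint16_t e;
        memcpy(&e, block + i, 2);
        unsigned type = e >> 12, off = e & 0xfff;
        if (type == IMAGE_REL_BASED_ABSOLUTE) continue;
        if (type != IMAGE_REL_BASED_HIGHLOW) return -1;   /* only 32-bit handled */
        size_t rva = (size_t)page_rva + off;
        if (rva + 4 > image_size) return -1;              /* fixup outside image */
        uint32_t v;
        memcpy(&v, image + rva, 4);
        v = (uint32_t)(v + delta);
        memcpy(image + rva, &v, 4);
        applied++;
    }
    return applied;
}

/* Constructed sample: "mov eax, dword ptr ds:[0x00403000]" (A1 imm32) at RVA 0x1000
 * plus a .reloc block naming its imm32. Returns the operand after a 0x400000 ->
 * 0x440000 rebase; without such a block the bytes would stay 0x00403000. */
uint32_t demo_relocated_operand(void)
{
    static uint8_t image[0x2000];
    memset(image, 0, sizeof image);
    const uint8_t mov[] = { 0xA1, 0x00, 0x30, 0x40, 0x00 };
    memcpy(image + 0x1000, mov, sizeof mov);
    const uint8_t block[] = { 0x00,0x10,0x00,0x00,  0x0C,0x00,0x00,0x00,  /* RVA, size 12 */
                              0x01,0x30,  0x00,0x00 };                  /* HIGHLOW +1, pad */
    if (apply_reloc_block(image, sizeof image, block, 0x440000 - 0x400000) != 1) return 0;
    uint32_t v; memcpy(&v, image + 0x1001, 4);
    return v;   /* 0x00443000 */
}
```

Checking the image's base-relocation data directory before loading tells you whether the loader can rebase it at all; if it cannot, the only sound options are a build with relocations or a free mapping at the preferred base.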