1
00:00:00,900 --> 00:00:04,350
So in this video, we are going to fix the base relocations.

2
00:00:04,710 --> 00:00:09,920
So before, uh, let's quickly discuss about this base relocations.

3
00:00:09,930 --> 00:00:13,680
Suppose you have a program that contains some pointers.

4
00:00:13,680 --> 00:00:20,070
So let's say eight is equals to ten and there is a pointer.

5
00:00:24,940 --> 00:00:37,660
Pointing to this address of this variable, let's say a value is at 2000 hexadecimal and also image

6
00:00:38,500 --> 00:00:41,680
based address is 5000.

7
00:00:43,090 --> 00:00:49,570
So that means this pointer will point it to the address of this variable that is from the base address

8
00:00:49,660 --> 00:00:51,400
to this 2000 hit offset.

9
00:00:51,400 --> 00:00:53,830
That is 7000 hit job offset.

10
00:00:54,460 --> 00:01:02,890
Now, whenever we run the program, this image base just may change because there may be some other

11
00:01:02,890 --> 00:01:04,210
module at this address.

12
00:01:04,210 --> 00:01:10,570
Then this image address is going to be changed for the entire executable and then this pointer value

13
00:01:11,200 --> 00:01:12,910
become invalid.

14
00:01:13,510 --> 00:01:23,020
So let's say a new image based address is 15,000 hits and then this address becomes invalid.

15
00:01:23,020 --> 00:01:31,960
So what you need to do is you need to find the difference between the loaded new image based address

16
00:01:31,960 --> 00:01:33,670
and the preferred based on this.

17
00:01:33,670 --> 00:01:38,350
So the preferred base set is 5000 and the new Reloaded based address is 15,000.

18
00:01:38,350 --> 00:01:41,890
So if we go and subtract this 15.

19
00:01:42,670 --> 00:01:49,120
And the rich and old prefer the base address that is you going to get 10,000 hedge.

20
00:01:49,570 --> 00:01:55,270
Now this value is called Delta, so we are going to add this delta value to this address.

21
00:01:56,020 --> 00:01:58,360
So you get 17,000 hits.

22
00:01:58,990 --> 00:02:05,470
So which is 2000 which offset from the base address similar to the previous one?

23
00:02:05,980 --> 00:02:12,820
So this is the process we need to do for all the variables that are hardcoded like this.

24
00:02:14,810 --> 00:02:20,360
So here, if you go to optional header, if you go to this base education table, this address points

25
00:02:20,360 --> 00:02:21,500
to the first

26
00:02:24,500 --> 00:02:25,870
basically regression table.

27
00:02:25,880 --> 00:02:29,180
So if you go to this, this one is the first one.

28
00:02:29,180 --> 00:02:36,530
So this does not have any fixture size, but it has two members.

29
00:02:37,070 --> 00:02:40,190
So here you can see our first eight bytes.

30
00:02:45,980 --> 00:02:49,060
So first four bytes are page are we.

31
00:02:49,070 --> 00:02:52,970
So this page aria is our offset to the page.

32
00:02:52,970 --> 00:02:57,770
So in that page we have some addresses and those need to be fixed.

33
00:02:58,770 --> 00:03:05,360
So the first four pages are page is page three and you can see its 022000.

34
00:03:05,370 --> 00:03:12,600
So here it is, this 22,000 is page are here and the second member is.

35
00:03:18,240 --> 00:03:19,770
And the second number is size.

36
00:03:19,770 --> 00:03:22,860
So the size of the the structure.

37
00:03:24,960 --> 00:03:27,090
He's the second member that is

38
00:03:28,690 --> 00:03:32,930
118018.

39
00:03:32,940 --> 00:03:34,560
So that is the size.

40
00:03:36,120 --> 00:03:47,130
And this first eight eight bites are the two members and the next two members are the addresses, the

41
00:03:47,130 --> 00:03:50,380
offsets, the addresses need to be fixed.

42
00:03:51,210 --> 00:03:57,690
So the first eight bytes are the page area and the size.

43
00:03:58,800 --> 00:04:03,000
So the next two bytes is an offset from this page.

44
00:04:03,310 --> 00:04:07,390
RV So the next two bites are 000.

45
00:04:07,470 --> 00:04:14,520
So if you go ahead and add that, you will get the offset in this page.

46
00:04:16,240 --> 00:04:21,580
And the next two debates and the next two debates and the next two weeks and so on, until you get the

47
00:04:21,580 --> 00:04:24,010
end are the entries.

48
00:04:24,400 --> 00:04:25,720
So we have these entries.

49
00:04:26,080 --> 00:04:28,990
So how we are going to calculate the entries counties.

50
00:04:30,580 --> 00:04:36,730
So we have this the first base relocation size is one eight, right?

51
00:04:36,730 --> 00:04:39,720
So one eight is the total structure size.

52
00:04:39,730 --> 00:04:43,240
So we can say one year, eight minus eight.

53
00:04:43,450 --> 00:04:46,270
So these eight bits are already occupied.

54
00:04:47,350 --> 00:04:52,240
And if I go and delete eight from this, you get the one here zero.

55
00:04:52,240 --> 00:04:53,140
So this.

56
00:04:54,490 --> 00:04:55,900
From here onwards we.

57
00:04:55,920 --> 00:05:02,560
How are the two weight values offsets up to one year zero.

58
00:05:02,560 --> 00:05:05,890
So one year zero or a number of bytes.

59
00:05:06,610 --> 00:05:09,630
But each entry takes two weights of space.

60
00:05:09,640 --> 00:05:14,530
So from this one year zero to get number of entries, you need to divide this value with two.

61
00:05:14,950 --> 00:05:16,480
And here we get the value.

62
00:05:17,890 --> 00:05:25,270
So that is what P does and passes into already passes and calculates.

63
00:05:25,270 --> 00:05:30,880
So we can just see and see that get C and get the value.

64
00:05:31,990 --> 00:05:35,940
So first we are going to do is the calculating the entries count.

65
00:05:35,980 --> 00:05:38,440
So that is very, very important thing.

66
00:05:39,700 --> 00:05:41,500
So let's go and.

67
00:05:47,000 --> 00:05:54,320
So we haven't had a lot of shareholder base relocation to address.

68
00:05:54,320 --> 00:06:01,610
So this when added to the base address gives us the.

69
00:06:03,870 --> 00:06:06,840
Well, our pointer to this one.

70
00:06:10,250 --> 00:06:13,280
So I'm carrying this first base pointer.

71
00:06:16,890 --> 00:06:21,870
And we are going to master this one master pointer.

72
00:06:23,620 --> 00:06:31,660
To structure and first base pointer and Marshall this match base relocation.

73
00:06:38,100 --> 00:06:41,280
So let me call this as first base.

74
00:06:43,000 --> 00:06:46,930
So don't confuse it with the first base point or points to the starting address.

75
00:06:46,930 --> 00:06:49,420
And the first base is the structure.

76
00:06:51,840 --> 00:06:57,900
Now I can go and print this first base dot page or we attached to string.

77
00:07:14,210 --> 00:07:15,400
And here we can see that.

78
00:07:15,410 --> 00:07:17,310
June 20, 2001 eight.

79
00:07:23,020 --> 00:07:28,510
So first we are going to count the entries so we can remove this print.

80
00:07:31,280 --> 00:07:34,520
So first base dot size.

81
00:07:38,330 --> 00:07:39,350
Minus eight.

82
00:07:47,540 --> 00:07:53,000
This gives you the total number of offset size.

83
00:07:53,180 --> 00:07:59,150
So to get the actual number of offsets, we need to divide with two because each offset takes two bytes.

84
00:08:00,640 --> 00:08:04,570
Now we can get the value into entries count.

85
00:08:17,050 --> 00:08:19,990
So we can go and print these entries count.

86
00:08:27,060 --> 00:08:29,550
So if you print this, we get the value, be zero.

87
00:08:32,490 --> 00:08:35,880
So we need to, uh, loop over this.

88
00:08:35,880 --> 00:08:37,430
So how we are gonna report this?

89
00:08:37,440 --> 00:08:38,310
We need to.

90
00:08:40,680 --> 00:08:44,550
And it had the value of this size.

91
00:08:44,550 --> 00:08:53,340
So simply, if you had the size of one eight to this based address based pointer, you get the offset

92
00:08:53,340 --> 00:08:54,240
to the next one.

93
00:08:54,240 --> 00:08:56,130
So it's a very simple one.

94
00:08:57,150 --> 00:09:02,820
So what we're going to do is why first base dot size not is close to zero.

95
00:09:08,670 --> 00:09:12,980
And we are going to add the.

96
00:09:15,740 --> 00:09:17,030
To this point so far.

97
00:09:17,030 --> 00:09:22,130
To this point so far, two basis points, point presses equals two.

98
00:09:22,340 --> 00:09:25,910
We are going to add this one first to base dot size.

99
00:09:25,910 --> 00:09:28,220
So this is the of the structure.

100
00:09:34,210 --> 00:09:40,420
And after that, we need to master this one because after adding the size, it will be pointing to the

101
00:09:40,420 --> 00:09:41,890
next base relocation.

102
00:09:42,340 --> 00:09:44,290
So you can just copy this one.

103
00:09:46,330 --> 00:09:53,830
So now we'll be marshalling as the again first base so you don't have to change these variable names.

104
00:09:55,030 --> 00:09:57,190
Now, we can also put some.

105
00:09:58,520 --> 00:09:59,810
And count.

106
00:10:03,690 --> 00:10:13,260
So if you run this and we get digital e3818, which is exactly what we were showing us.

107
00:10:13,740 --> 00:10:15,870
So we got the entries contract.

108
00:10:15,870 --> 00:10:17,490
So what we're going to do is.

109
00:10:20,690 --> 00:10:21,530
Then.

110
00:10:27,280 --> 00:10:33,610
We are going to print these total offsets.

111
00:10:33,610 --> 00:10:36,550
So let's read this offset.

112
00:10:40,050 --> 00:10:41,910
So how you gonna read this?

113
00:10:41,910 --> 00:10:45,030
How is we going to.

114
00:10:45,030 --> 00:10:46,590
We know the number of entries, right?

115
00:10:46,590 --> 00:10:49,680
So these entries count defines the number of entries.

116
00:10:49,830 --> 00:10:55,890
So what we can do is we can loop over each entries and read these two bytes.

117
00:10:55,890 --> 00:11:00,210
So after reading these two weights, we can add these two weights to this page.

118
00:11:00,210 --> 00:11:03,540
Are we here to get the page offset?

119
00:11:04,590 --> 00:11:09,390
So 22000 +000.

120
00:11:11,490 --> 00:11:18,300
So let's first loop over this for entries close to zero.

121
00:11:18,300 --> 00:11:19,320
It is then.

122
00:11:21,380 --> 00:11:23,960
Entries count, I press.

123
00:11:23,960 --> 00:11:24,470
Press.

124
00:11:24,470 --> 00:11:26,990
So we are looping over all the entries.

125
00:11:29,530 --> 00:11:34,920
And one important thing we need to identify is the year.

126
00:11:34,960 --> 00:11:38,530
So here you can see the first bit.

127
00:11:38,530 --> 00:11:50,170
First to this, four bits are because if you go to P file format in the Microsoft documentation, this

128
00:11:50,170 --> 00:11:51,850
is a based on location types.

129
00:11:51,850 --> 00:11:55,810
So if it is 32 bit, we have the high and low value.

130
00:11:56,860 --> 00:12:04,240
But if it's 64, the first bit is the first four bits are the E.

131
00:12:04,480 --> 00:12:06,520
So ten means in Excel is one year.

132
00:12:06,520 --> 00:12:09,460
So we need to first identify whether it is here or not.

133
00:12:09,460 --> 00:12:15,520
If it's here, then we need to do the difference of 64, 64 bit difference.

134
00:12:19,550 --> 00:12:19,930
Sorry.

135
00:12:20,570 --> 00:12:22,260
64 bit edition.

136
00:12:22,310 --> 00:12:24,770
Additions to that delta.

137
00:12:29,550 --> 00:12:31,260
So how are you going to read this?

138
00:12:31,260 --> 00:12:41,220
So we know that first the West Point Press yet so this gives you the offset to the first entry, right?

139
00:12:41,220 --> 00:12:43,200
So first base point is this one.

140
00:12:43,200 --> 00:12:44,970
There are already eight bytes.

141
00:12:45,600 --> 00:12:47,340
That is page three and the size.

142
00:12:47,340 --> 00:12:54,380
So if you skip these eight bytes, you get the three to the first offset out of here.

143
00:12:54,810 --> 00:13:08,250
So this is like a first one and I need to add a into two because for each time we are we want to skip

144
00:13:08,250 --> 00:13:16,590
two bytes because each offset takes two weights and in the I and this for loop I value is like a iteration.

145
00:13:16,590 --> 00:13:22,680
So we can just simply say I into to for the first iteration, zero and 2 to 0, which gives you only

146
00:13:22,680 --> 00:13:28,440
this value which is of course offset pointer to this one.

147
00:13:28,440 --> 00:13:32,400
And if you use close to one, you'll get the two.

148
00:13:32,910 --> 00:13:38,940
That is, if you had two, you reach here and four, six, eight, ten, etc. So in this way we can

149
00:13:38,940 --> 00:13:39,900
loop over this one.

150
00:13:41,310 --> 00:13:43,110
So I can say in the pointer.

151
00:13:47,700 --> 00:13:49,040
Offset pointer.

152
00:13:51,830 --> 00:14:00,890
So we have this offset pointer and we can use Marshall to read into 64 reading 16 because we are going

153
00:14:00,890 --> 00:14:04,220
to read on it two or two bytes offset, Peter.

154
00:14:17,020 --> 00:14:19,620
So let's call this as offset here.

155
00:14:20,140 --> 00:14:22,180
So let's go and print this.

156
00:14:29,900 --> 00:14:32,900
So here we can see we got the.

157
00:14:34,920 --> 00:14:37,760
iff000.

158
00:14:38,130 --> 00:14:43,080
So we got the exact same values as of this.

159
00:14:46,790 --> 00:14:48,920
So what we're going to do is.

160
00:14:52,290 --> 00:14:57,420
Offset RBA is equal to offset RBA.

161
00:14:57,720 --> 00:15:00,120
I'm going to do the operation with this.

162
00:15:00,120 --> 00:15:00,470
F.

163
00:15:00,510 --> 00:15:01,080
F f.

164
00:15:02,670 --> 00:15:07,080
So now I get only this lawyer.

165
00:15:08,820 --> 00:15:09,690
Two bites.

166
00:15:11,500 --> 00:15:14,560
And here you can see we got the exact offsets.

167
00:15:16,720 --> 00:15:25,120
So zero zero starting and the ending is so there are so many entries, so you can just check we get

168
00:15:25,120 --> 00:15:26,800
the exact values.

169
00:15:39,310 --> 00:15:42,910
So we can call this a string value.

170
00:15:44,600 --> 00:15:52,840
And now what we're going to do is we are going to check if the starting character is here or not, if

171
00:15:52,850 --> 00:15:53,510
of.

172
00:15:54,740 --> 00:15:57,770
Value of zero is equal size equals to year.

173
00:15:58,430 --> 00:16:01,820
Then what we're going to do is we are going to remove the year from this one.

174
00:16:03,890 --> 00:16:05,030
Because we don't need that.

175
00:16:05,220 --> 00:16:12,260
Yeah, we want to add only the remaining value so we can do that using value, not remove.

176
00:16:13,220 --> 00:16:17,800
So we are going to remove the starting index and the length.

177
00:16:17,810 --> 00:16:23,390
So how many number of characters you want to remove from this starting address?

178
00:16:23,390 --> 00:16:24,410
Starting index.

179
00:16:24,800 --> 00:16:26,420
So from zero index that is.

180
00:16:26,420 --> 00:16:33,680
Yeah, I want to remove one character so they will be removed so I can call this string.

181
00:16:39,630 --> 00:16:40,500
Javier.

182
00:16:42,790 --> 00:16:46,810
So I can go and print this page or we're.

183
00:16:49,150 --> 00:16:51,820
So if we get only the.

184
00:16:53,590 --> 00:16:55,210
Exact offsets without.

185
00:17:01,240 --> 00:17:04,660
So let's convert this into the bytes.

186
00:17:14,360 --> 00:17:22,670
So let's call this as bait or veer and we need to convert this into 64 bit integer so we can do that

187
00:17:22,670 --> 00:17:26,360
using convert to in 64.

188
00:17:35,810 --> 00:17:39,350
So we are going to provide the 16 as

189
00:17:42,380 --> 00:17:47,480
it's a trade to treat as a hexadecimal and convert this into integer.

190
00:18:37,660 --> 00:18:39,640
So I think we got the offset.

191
00:18:44,920 --> 00:18:49,870
So now the offset only points to the values without gate.

192
00:18:51,070 --> 00:18:56,890
So all we need to do is we need to add this to the first base page out here.

193
00:18:56,900 --> 00:19:00,520
So first the base dot page, are we a plus offset?

194
00:19:00,880 --> 00:19:08,020
So this gives you the offset from the image based address which contains the value that needs to be

195
00:19:08,020 --> 00:19:08,710
updated.

196
00:19:09,250 --> 00:19:17,080
So to 22,000 plus eight plus to zero, that is this one.

197
00:19:17,800 --> 00:19:25,630
So you need to read the eight bytes and add the data to this in a similar way.

198
00:19:26,470 --> 00:19:27,520
The second.

199
00:19:34,010 --> 00:19:35,810
So the second offset is.

200
00:19:40,010 --> 00:19:40,220
Yeah.

201
00:19:40,760 --> 00:19:41,730
008.

202
00:19:41,760 --> 00:19:48,540
So that means eight bytes from the page are where that is 2 to 0 zero eight.

203
00:19:49,380 --> 00:19:54,930
So if you go to this, these eight bytes needs to be updated to the add it to the Delta.

204
00:19:59,220 --> 00:20:01,410
So we can also add base address.

205
00:20:16,770 --> 00:20:17,880
Boom modify.

206
00:20:20,950 --> 00:20:21,460
PDF.

207
00:20:35,420 --> 00:20:42,590
So we have finally the pointer pointing to the exact address.

208
00:20:43,520 --> 00:20:48,320
So first, it does read martial art read into 64.

209
00:20:49,670 --> 00:20:51,500
So read the eight bytes.

210
00:21:04,090 --> 00:21:07,750
At the address modified pdf.

211
00:21:17,540 --> 00:21:20,030
So at its core, this has previous value.

212
00:21:22,360 --> 00:21:27,840
And this previous value or the data should be added to this previous value.

213
00:21:27,850 --> 00:21:29,620
So let's go and find the data.

214
00:21:33,160 --> 00:21:36,130
So in Peter Delta.

215
00:21:40,610 --> 00:21:45,530
So based address the two in 64 minus.

216
00:21:46,870 --> 00:21:53,500
The preferred way is address that is stored it in the header dot optional header dot image based.

217
00:22:10,240 --> 00:22:12,340
So we got this data value.

218
00:22:19,360 --> 00:22:25,270
So all you need to do is previous value proces equals to da da da two in 16.

219
00:22:32,030 --> 00:22:34,370
Now we are going to write this one.

220
00:22:37,130 --> 00:22:46,700
Right at the two modify pointer, which is pointing at that first address to be relocated and the value

221
00:22:46,700 --> 00:22:49,520
to be written.

222
00:22:51,330 --> 00:22:53,640
So we have successfully written this.

223
00:22:53,640 --> 00:23:00,570
So before any conforming, let's print out all these values and check by putting a breakpoint.

224
00:23:01,410 --> 00:23:02,460
So delta.

225
00:23:09,740 --> 00:23:16,700
So we already print we are already printing the base address in the previous statements.

226
00:23:16,700 --> 00:23:18,260
So we have the data.

227
00:23:18,290 --> 00:23:20,000
Let's also print the.

228
00:23:21,820 --> 00:23:22,540
Preferred.

229
00:23:25,430 --> 00:23:26,720
Bill's address.

230
00:23:30,500 --> 00:23:36,230
Anti header dot option had a dot image based dot to string.

231
00:23:41,140 --> 00:23:46,180
So we are printing the raw database address and preferred way is address and data.

232
00:23:47,290 --> 00:23:57,910
And also we are going to print this to modify pointer so we can directly examine the value at that address.

233
00:24:07,400 --> 00:24:10,820
So let me put a breakpoint here and.

234
00:24:12,900 --> 00:24:13,950
Let's run this.

235
00:24:14,970 --> 00:24:17,760
And we have memory allocated based address.

236
00:24:17,760 --> 00:24:19,650
And the preferred way is address.

237
00:24:20,930 --> 00:24:23,840
And if you go and subtract this period, the delta.

238
00:24:24,380 --> 00:24:26,510
So let's go and see this.

239
00:24:35,840 --> 00:24:36,840
Loaded base Sanders.

240
00:24:36,860 --> 00:24:38,550
Minus preferred base.

241
00:24:38,550 --> 00:24:39,200
Sanders.

242
00:24:41,800 --> 00:24:45,070
So here we can see we got the data value correct.

243
00:24:45,820 --> 00:24:53,140
And the hash to address first value that needs to be relocated is at this address.

244
00:24:53,140 --> 00:24:55,630
So let's go and check at this.

245
00:24:56,170 --> 00:25:00,700
And here we can see 1400 to be one zero.

246
00:25:01,210 --> 00:25:05,110
If you go to this one, you get the exact value.

247
00:25:06,130 --> 00:25:08,710
So after adding that delta.

248
00:25:10,810 --> 00:25:16,830
So this is the delta and this value will be added to this eight bytes.

249
00:25:16,840 --> 00:25:22,030
So 1400 to be one zero.

250
00:25:22,960 --> 00:25:25,150
So this value should be.

251
00:25:27,380 --> 00:25:28,330
We should see here.

252
00:25:28,340 --> 00:25:37,430
So let's go and click on next step into and here we shoot we can see one three of 70, we've v one.

253
00:25:37,610 --> 00:25:42,200
So we have successfully modified all of these values.

254
00:25:42,200 --> 00:25:49,160
So if I go and click on Continue and this next eight bytes will be modified.

255
00:25:51,890 --> 00:25:54,560
So you can see this, all of these.

256
00:25:57,830 --> 00:25:59,480
Values are being updated.

257
00:26:02,820 --> 00:26:04,410
So that's how far this video.

258
00:26:10,170 --> 00:26:13,530
We have successfully updated the base relocations.

259
00:26:13,980 --> 00:26:19,030
Now I think we are good to go to load the executable.

260
00:26:19,050 --> 00:26:22,560
In the previous video, we have already loaded the calculator.

261
00:26:22,980 --> 00:26:24,090
So let's.

262
00:26:27,450 --> 00:26:28,520
Let's roll that.

263
00:26:54,550 --> 00:26:58,120
So if you're going to run this, we should see greater.

264
00:27:01,930 --> 00:27:09,060
Also we can modify the script to load the executable in remote process.

265
00:27:09,060 --> 00:27:17,610
So all you need to do is you need to change these marked copy to read process memory and write process

266
00:27:17,610 --> 00:27:20,940
memory so that we are going to do in the next video.