
After struggling for days, I'd like to ask the community :)

I have two exe files. Both are the same size and pretty big (around 80 MB).

  • The first exe is the original file, which was compiled some time ago. I also have the corresponding PDB file.
  • The second file is almost identical to the first, but it has been binary patched at several locations.

I managed to decompile the files with Cutter (Radare2 GUI), but thinking about the file size, it's almost impossible to go through every single method.

With a hex editor (Hex Fiend), I managed to get every single offset location where the patch has been applied. Now I'm trying to find these offsets in Cutter to decompile the locations.

The question is: How? When I open the hex dump in Cutter, it seems that everything is not in place and I might need an offset. Setting an offset at the loading screen in Cutter seems not to do anything. Am I using it wrong?

Example:

HexFiend

Offset                Hex Data                                         Text
474942-474956         47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41  GetModuleHandleA

Cutter

Offset                Hex Data                                         Text
0x0060713E-0x0060714D 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41  GetModuleHandleA

474942 is 0x73F3E, but that's far away from 0x0060713E

Maybe I need other tools? Any help is appreciated!

  • Of course the offsets are different. Hex Fiend is a hex editor that shows the offset in the file. Cutter is a reverse engineering tool that shows the address the code would have in the process's RAM if the executable were loaded/executed. – Robert Feb 03 '20 at 19:11
  • Robert, thank you! I thought that the hex dump in Cutter also shows the offset in the file, but in this case you are completely right. I needed to calculate the offsets, which I've done with a combination of "objdump" and "hexdump". – Knutwurst Feb 05 '20 at 07:34
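As an added worked example of the translation Robert describes (this is not code from the question or the comments): a PE loader maps each section from its PointerToRawData in the file to ImageBase + VirtualAddress in memory, so a file offset converts to a virtual address by finding the section that contains it and adding the section's raw-to-virtual delta to the image base. The script below walks the DOS header, PE signature, COFF header, optional header (for ImageBase) and section table with nothing but `struct`, then converts in both directions. Because it has to run offline, it builds a small synthetic PE image inline (image base 0x400000, a `.text` and a `.rdata` section, the string `GetModuleHandleA` placed in `.rdata`); those values are constructed for the demonstration and say nothing about the asker's real binary. Bytes in the header region are mapped 1:1 at the image base; bytes outside every section (overlay) have no address at all, and a virtual address that lies in a section's uninitialised tail (VirtualSize beyond SizeOfRawData) has no file offset, which is why both converters can return `None`.

```python
import struct

# Read only the PE fields needed for file-offset <-> virtual-address translation.
def parse_pe_sections(data):
    if data[:2] != b'MZ':
        raise ValueError('not a DOS/PE image')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('PE signature not found')
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', data, coff)
    opt = coff + 20
    magic = struct.unpack_from('<H', data, opt)[0]
    if magic == 0x10B:                                          # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from('<I', data, opt + 28)[0]
    elif magic == 0x20B:                                        # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from('<Q', data, opt + 24)[0]
    else:
        raise ValueError('unknown optional header magic 0x%x' % magic)
    sections = []
    table = opt + opt_size                                      # section table follows the optional header
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from('<8sIIII', data, table + 40 * i)
        sections.append((name.rstrip(b'\0').decode('ascii', 'replace'), va, vsize, rawptr, rawsize))
    return image_base, sections

def _first_raw(sections):
    return min([s[3] for s in sections if s[4]] or [0])

def file_offset_to_va(image_base, sections, off):
    """Hex-editor offset -> address Cutter shows once the image is loaded."""
    for _name, va, _vsize, rawptr, rawsize in sections:
        if rawptr <= off < rawptr + rawsize:
            return image_base + va + (off - rawptr)
    if off < _first_raw(sections):                              # headers are mapped 1:1 at ImageBase
        return image_base + off
    return None                                                 # overlay/slack: the loader never maps it

def va_to_file_offset(image_base, sections, addr):
    """Address Cutter shows -> offset to patch in the file with a hex editor."""
    rva = addr - image_base
    if rva < 0:
        return None
    for _name, va, _vsize, rawptr, rawsize in sections:
        if va <= rva < va + rawsize:                            # only raw-backed bytes exist on disk
            return rawptr + (rva - va)
    if rva < _first_raw(sections):
        return rva
    return None                                                 # e.g. zero-filled tail of a section

def build_sample_pe():
    """Constructed 32-bit PE image for the demonstration; not the asker's binary."""
    image_base = 0x400000
    # (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
    layout = [(b'.text', 0x1000, 0x600, 0x400, 0x600),
              (b'.rdata', 0x2000, 0x200, 0xA00, 0x200)]
    e_lfanew = 0x40
    dos = b'MZ' + b'\0' * (0x3C - 2) + struct.pack('<I', e_lfanew)
    coff = struct.pack('<HHIIIHH', 0x14C, len(layout), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                       # standard PE32 optional header size
    struct.pack_into('<H', opt, 0, 0x10B)
    struct.pack_into('<I', opt, 28, image_base)
    table = b''.join(struct.pack('<8sIIIIIIHHI', n.ljust(8, b'\0'), vs, va, rs, rp,
                                 0, 0, 0, 0, 0x60000020)
                     for n, va, vs, rp, rs in layout)
    headers = (dos + b'PE\0\0' + coff + bytes(opt) + table).ljust(0x400, b'\0')
    text = b'\xCC' * 0x600
    rdata = bytearray(0x200)
    rdata[0x3E:0x3E + 17] = b'GetModuleHandleA\0'               # lands at file offset 0xA3E
    return headers + text + bytes(rdata)

if __name__ == '__main__':
    data = build_sample_pe()
    image_base, sections = parse_pe_sections(data)
    for name, va, vsize, rawptr, rawsize in sections:
        print('%-7s file 0x%06X+0x%X  ->  VA 0x%08X' % (name, rawptr, rawsize, image_base + va))
    off = data.find(b'GetModuleHandleA')
    va = file_offset_to_va(image_base, sections, off)
    print('file offset 0x%X -> VA 0x%X -> back to 0x%X'
          % (off, va, va_to_file_offset(image_base, sections, va)))
```

To apply this to a real file, replace `build_sample_pe()` with the bytes read from the exe; the per-section numbers it prints are the same ones `objdump -h` lists as VMA and "File off", and the `pefile` package offers the same translation as `PE.get_rva_from_offset()` / `PE.get_offset_from_rva()` (add `OPTIONAL_HEADER.ImageBase` to the RVA to get the address Cutter displays). Note that Cutter's addresses assume the image is loaded at its preferred ImageBase; an ASLR-relocated process will differ by a constant, but the file offsets do not change.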

0 Answers