Post-Compile Functionality Edition aka Hex Edition
introduce the subject of post-compile edition, we begin with this code in VB:
Const data As String = "This is some data"
If data = "This is some data" Then
With a single glance at this code, anyone would say "The Else section is absolutely useless because the condition will never be false and the Else section would never be executed." They are totally WRONG. Although the Else section will never be followed in design time, but when the code has been compiled to an exe file, the Else section CAN be followed. Welcome to the world of post-compile edition, changing the behavior of a program after it has been compiled into an exe file.
Before we start to talk about editing the functionality of an exe file, let us first learn about the basics. We all know about variables. There are many types of variables; integers, floats, strings, characters, longs etc. The only one which we would be dealing here with are the strings. Let us begin with this VB code:
Dim data As String
data = InputBox("Enter a string value")
Dim num As Integer
num = CInt(Text1.Text)
Here we are telling the compiler to show an input box and store the value given by the user in the string. And there is also an integer value that is being read from a textbox. Here the user can input any value whichever he wants. This is rather uncool a situation with our plan. We need a string whose value has been defined. This asks for this type of code:
Dim data As String
data = "This is a string"
Dim num As Integer
Here we are not only reserving memory for our string but we are also initializing the string to a predefined value.
Now when this code is compiled into an exe file, both the initialization values ("This is a string" and 1000) are saved in the exe file just they way they are being used here in the code. But then integers are 2 byte variables and hence the value 1000 is stored in the exe file as a 16 bit binary value (that is 0000001111101000 in binary or 03E8 in hex). This means that it is rather difficult and uncool to search for integer initialization values in a compiled exe file. Now let us take the case of the string. The good (and rather astonishing for me, to be honest) news is that the initialization value of the strings are stored in an exe file EXACTLY as they are declared in the code. This means, in simple words, that since we have initialized our string to "This is a string", when we view the exe file in notepad we will see the exact value "This is a string" in the file.
These initialization values, which are "printed" in an exe file are known as "hard codes". The name derives from the fact that these values are sort of permanently wired in the functionality instruction of the program.
Now you would be thinking "All right, so the string initializations are hard coded in an exe, but what does it have to do with the Else statement being true." Again more good news are that we can manually edit these hard coded values to those of our own use. This means that in our example, we can edit the exe file and replace the "This is a string" with any value of our choice only taking into account that the new value must not exceed the length of the original hard code. That means, in simple words that when we are editing the hard code, we can only use a string of length not more than 16 which is the length of our original hard coded string.
Have you started to get the picture yet? This means that in our first example, we can edit the "This is some data" from the exe file with any string of our own choice. Then the If condition would stand false and the Else section would be followed. This means, in short, that the so called 'constant' don't stand so constant in the end.
Now that we have learned about editing the hard coded values in an exe file, the immediate question that comes into mind is "What is all this hocus and pocus good for?" What are the situations when we need to edit the hard codes of an exe file?
Editing an application after compilation is a good idea whenever we need an application that carries dynamic data. For example we design an application which the users can use to send emails. We declare the email address as a constant string:
Const emailadd As String = "email@example.com"
Now many users are going to use this program. Shall we recompile the code again and again only to edit the email address in the program? Editing the exe file itself is a far better idea. We can make another sister application which can be used to edit the email address in the program so that all the users can modify the email address to their needs. This frees us a whole life. Otherwise we would have to recompile the code every time for another email address.
Lets take another example. We create an application that shows a welcome message when the program starts. Now after some time we think that the wording of the welcome message is unsuitable and we decide to change it. The code of the welcome message is like this:
MsgBox "Welcome to the baby-loan software"
When we decide to edit the welcome message we will have to edit the code and then recompile it to exe. Instead of digging up the old graves again, why not just incise the application, operate our string and get out? Its a faster, easier and better way.
These were two cases of the uses of post-compile editing. The real power and effectiveness of this technique is witnessed when programming hacking applications. We can let the user decide which registry entries does he want to create and what value does he want in them. Subseven uses this method to let the user personalise the server part of the trojan.
Programming for keyloggers we can let the user decide what name does he want to keep for his logfile, the path of the logfiles, the titles to log etc. The possibilities are endless.
The technique used in hex-edition is simple. We first find out the location of our required string in all the data of the exe file. Then we copy the part of data from the beginning to the starting point of our string. We also copy the part of data from the end of our string to the end of the file. Now we can edit the program. We simple write the beginning data in our new exe file and then our edited string and then the ending part of the data and we have a function, edited exe file. Sounds simple, doesn't it? It is!
Last but not least, it must be kept in mind that the hard codes in an application cannot be edited while the application is opened in a text editing program. This is because most (if not all) text editors tend to parse the binary characters into printable ASCII characters. We need a general hex editor to edit an application or we can create our own dedicated editors.
Now that all is said, it is time for us to view a simple example of post-compile edition of an application. This program has been written in VB6 and has two parts. There is a main program that shows a message and a sister program that is used to edit the functionality of the program.
Private Sub Form_Load()
Me.Print "Four days of love, and then the departure. The long departure."
Run this program and see the input. Make an an exe file of the code and name it as "example.exe"
'editor program for editing the functionality of the main program
'first place a textbox and a command button on the form. textbox name txtMessage and command button name is cmdEdit
Dim data As String, searchstring As String
Dim p1 As Long, p2 As Long
Private Function MixWithNull(ByRef str As String) As String
Dim i As Integer
Dim res As String
For i = 1 To Len(str)
res = res & Mid(str, i, 1) & Chr(0)
MixWithNull = res
Private Sub cmdEdit_Click()
Dim data_before As String, data_after As String, data_message As String
data_message = txtMessage.Text
If data_message = "" Then
MsgBox "You need to specify something as your message"
If Len(data_message) < Len(searchstring) Then data_message = data_message & String$(Len(searchstring) - Len(data_message), " ")
data_before = Left(data, p1)
data_after = Mid(data, p2)
Open App.Path & "\edited.exe" For Output As #1
Print #1, data_before;
Print #1, MixWithNull(data_message);
Print #1, data_after;
MsgBox "File edited and saved as edited.exe"
Private Sub Form_Load()
Dim file As String
file = App.Path & "\example.exe"
Open file For Binary As #1
data = String$(LOF(1), " ")
Get #1, , data
searchstring = "Four days of love, and then the departure. The long departure."
txtMessage.MaxLength = Len(searchstring)
p1 = InStr(data, MixWithNull(searchstring)) - 1
p2 = p1 + Len(MixWithNull(searchstring)) + 1
If p1 = 0 Then
MsgBox "Either the file 'example.exe' does not exist in the directory or it is not the required file. Cannot continue."
Now run this code in the same directory where there is the example.exe file. Now just write some message in the textbox (txtMessage) and press the button. If successful, a message will appear telling you that the file has been edited and saved as edited.exe Just open that file and you will see that your message has been changed. Note that we have changed the message in the EXE FILE, without reprogramming the whole thing. This is the bliss of the post compile hex edition. And remember, this is only an example, the possibilities are endless.