
The following commands change the file gatherosstate.exe. From looking at the hex values I can interpret that there are NOPs (0x00). The file was changed in Windows Terminal. But what more information can be extracted from it?

# Read the whole file into a byte array so that individual offsets can be overwritten.
$bytes = [System.IO.File]::ReadAllBytes("C:\Files\gatherosstate.exe")
# Offsets 320-324 (0x140-0x144) sit inside the PE headers of a typical binary; which
# header field they hit depends on e_lfanew (the PE header offset stored at 0x3C).
$bytes[320] = 0xf8
$bytes[321] = 0xfb
$bytes[322] = 0x05
$bytes[324] = 0x03
# Offsets 13672-13684 (0x3568-0x3574): only every other byte is written, and 0x25 0x73
# 0x3b are ASCII '%', 's', ';', which is what an edit to a UTF-16LE string looks like.
$bytes[13672] = 0x25
$bytes[13674] = 0x73
$bytes[13676] = 0x3b
$bytes[13678] = 0x00
$bytes[13680] = 0x00
$bytes[13682] = 0x00
$bytes[13684] = 0x00
# Offsets 32748-34377 (0x7fec-0x8649): if this region is x86 code, 0xE9 is JMP rel32,
# 0xEB is JMP rel8, 0x0F 0x85 is JNE rel32, 0x75 is JNE rel8, 0x85 0xC0 is TEST EAX,EAX
# and 0xC3 is RET; the bytes after a jump opcode are its signed displacement.
$bytes[32748] = 0xe9
$bytes[32749] = 0x9e
$bytes[32750] = 0x00
$bytes[32751] = 0x00
$bytes[32752] = 0x00
$bytes[32894] = 0x8b
$bytes[32895] = 0x44
$bytes[32897] = 0x64
$bytes[32898] = 0x85
$bytes[32899] = 0xc0
$bytes[32900] = 0x0f
$bytes[32901] = 0x85
$bytes[32902] = 0x1c
$bytes[32903] = 0x02
$bytes[32904] = 0x00
$bytes[32906] = 0xe9
$bytes[32907] = 0x3c
$bytes[32908] = 0x01
$bytes[32909] = 0x00
$bytes[32910] = 0x00
$bytes[32911] = 0x85
$bytes[32912] = 0xdb
$bytes[32913] = 0x75
$bytes[32914] = 0xeb
$bytes[32915] = 0xe9
$bytes[32916] = 0x69
$bytes[32917] = 0xff
$bytes[32918] = 0xff
$bytes[32919] = 0xff
$bytes[33094] = 0xe9
$bytes[33095] = 0x80
$bytes[33096] = 0x00
$bytes[33097] = 0x00
$bytes[33098] = 0x00
$bytes[33449] = 0x64
$bytes[33576] = 0x8d
$bytes[33577] = 0x54
$bytes[33579] = 0x24
$bytes[33580] = 0xe9
$bytes[33581] = 0x55
$bytes[33582] = 0x01
$bytes[33583] = 0x00
$bytes[33584] = 0x00
$bytes[33978] = 0xc3
$bytes[34189] = 0x59
$bytes[34190] = 0xeb
$bytes[34191] = 0x28
$bytes[34238] = 0xe9
$bytes[34239] = 0x4f
$bytes[34240] = 0x00
$bytes[34241] = 0x00
$bytes[34242] = 0x00
$bytes[34346] = 0x24
$bytes[34376] = 0xeb
$bytes[34377] = 0x63
# Write the patched bytes to a new file; the original is left untouched.
[System.IO.File]::WriteAllBytes("C:\Files\gatherosstatemodified.exe", $bytes)
    This is missing some important items. Which operating system and processor? What research have you done so far? See https://reverseengineering.stackexchange.com/help/how-to-ask for guidance. – Edward Dec 04 '22 at 15:45
  • Hi and welcome to RE.SE. I concur, this question should be edited to include relevant information and then be voted for reopening. Right now we can only guess, since we don't know what's in the original. Certainly it is possible to see some context from a patch, but in this case there seems to be a manipulation of a header field (could even affect the entry point) and then some of whatever that other range points to. 320 == 0x140, could be the Checksum field of the optional header in a 64-bit binary, but we don't even know whether this is 64-bit. Besides, in theory the PE header could ... – 0xC0000022L Dec 05 '22 at 12:42
  • ... come way later, since its offset from the file start isn't hardcoded. So a lot of unknown variables here before anyone could attempt a meaningful answer. – 0xC0000022L Dec 05 '22 at 12:44
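The comments above make the key point: what a file offset means depends on where the PE header actually starts (e_lfanew at 0x3C) and on whether the image is PE32 or PE32+. The script below is an added example, not code from the question or its comments, showing how to answer that for the offsets in the patch: it parses the header and section table, names the optional-header field a given offset hits, maps offsets inside a section to an RVA, and decodes the displacement of the 0xE9/0xEB bytes the patch writes to find where each jump lands. The PE image it works on is constructed in build_sample_pe() and is not gatherosstate.exe; it assumes e_lfanew = 0xE8 and a single .text section at raw offset 0x400. Under that assumption offsets 320-322 fall in CheckSum and 324 in Subsystem (0x03 is IMAGE_SUBSYSTEM_WINDOWS_CUI), but with e_lfanew = 0xF8 the same offset 320 lands on MajorSubsystemVersion, so the real file's header must be read before drawing any conclusion.

```python
"""Locate byte-patch offsets inside a PE file and decode x86 relative jumps.
Added example, not from the question. build_sample_pe() constructs a skeleton
PE32+; gatherosstate.exe may differ, so run parse_pe() on the real file first."""
import struct

# Optional-header fields as (offset, size, name). PE32 and PE32+ differ only at
# bytes 24..31 here; from SectionAlignment (32) to DllCharacteristics (70) they agree.
_OPT_HEAD = [(0, 2, "Magic"), (2, 1, "MajorLinkerVersion"), (3, 1, "MinorLinkerVersion"),
             (4, 4, "SizeOfCode"), (8, 4, "SizeOfInitializedData"),
             (12, 4, "SizeOfUninitializedData"), (16, 4, "AddressOfEntryPoint"),
             (20, 4, "BaseOfCode")]
_OPT_PE32, _OPT_PE32PLUS = [(24, 4, "BaseOfData"), (28, 4, "ImageBase")], [(24, 8, "ImageBase")]
_OPT_TAIL = [(32, 4, "SectionAlignment"), (36, 4, "FileAlignment"),
             (40, 2, "MajorOSVersion"), (42, 2, "MinorOSVersion"),
             (44, 2, "MajorImageVersion"), (46, 2, "MinorImageVersion"),
             (48, 2, "MajorSubsystemVersion"), (50, 2, "MinorSubsystemVersion"),
             (52, 4, "Win32VersionValue"), (56, 4, "SizeOfImage"), (60, 4, "SizeOfHeaders"),
             (64, 4, "CheckSum"), (68, 2, "Subsystem"), (70, 2, "DllCharacteristics")]


def parse_pe(data):
    """Read e_lfanew, the COFF header, the optional-header magic and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # not a fixed offset
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B PE32, 0x20B PE32+
    raw = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsect)]
    sections = [(n.rstrip(b"\0").decode(), va, vs, rp, rs) for n, vs, va, rs, rp in raw]
    return {"e_lfanew": e_lfanew, "machine": machine, "magic": magic,
            "opt": opt, "opt_size": opt_size, "sections": sections}


def locate(pe, off):
    """Name the header field a file offset hits, or the section and RVA it maps to."""
    if off < pe["opt"]:
        return ("DOS stub / PE signature / COFF header", None)
    if off < pe["opt"] + pe["opt_size"]:
        rel = off - pe["opt"]
        fields = _OPT_HEAD + (_OPT_PE32PLUS if pe["magic"] == 0x20B else _OPT_PE32) + _OPT_TAIL
        for start, size, name in fields:
            if start <= rel < start + size:
                return ("optional header", name)
        return ("optional header", "past DllCharacteristics")
    for name, va, _vsize, rptr, rsize in pe["sections"]:
        if rptr <= off < rptr + rsize:
            return ("section " + name, va + (off - rptr))      # RVA of the patched byte
    return ("not backed by any section", None)


def jump_target(data, off):
    """File offset an x86 relative jump at `off` lands on, or None if no jump opcode."""
    # Only meaningful if `off` really starts an instruction in a code section and the
    # target lies in the same section (then file-offset deltas equal RVA deltas).
    op = data[off]
    if op == 0xEB or 0x70 <= op <= 0x7F:                        # JMP / Jcc rel8
        return off + 2 + struct.unpack_from("<b", data, off + 1)[0]
    if op == 0xE9:                                               # JMP rel32
        return off + 5 + struct.unpack_from("<i", data, off + 1)[0]
    if op == 0x0F and 0x80 <= data[off + 1] <= 0x8F:            # Jcc rel32
        return off + 6 + struct.unpack_from("<i", data, off + 2)[0]
    return None


def build_sample_pe(e_lfanew=0xE8):
    """Constructed PE32+ skeleton: 0x400 bytes of headers, one .text section at raw 0x400."""
    buf = bytearray(0x400 + 0x8400)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<HHIIIHH", buf, coff, 0x8664, 1, 0, 0, 0, 240, 0x22)  # AMD64, 1 section
    opt = coff + 20
    struct.pack_into("<H", buf, opt, 0x20B)
    struct.pack_into("<H", buf, opt + 68, 2)                     # Subsystem: WINDOWS_GUI
    struct.pack_into("<8sIIII", buf, opt + 240, b".text", 0x8400, 0x1000, 0x8400, 0x400)
    return buf


# Subset of the question's offsets: the header bytes and the writes of 0xE9 / 0xEB.
PATCH = {320: 0xF8, 321: 0xFB, 322: 0x05, 324: 0x03,
         32748: 0xE9, 32749: 0x9E, 32750: 0x00, 32751: 0x00, 32752: 0x00,
         32906: 0xE9, 32907: 0x3C, 32908: 0x01, 32909: 0x00, 32910: 0x00,
         33094: 0xE9, 33095: 0x80, 33096: 0x00, 33097: 0x00, 33098: 0x00,
         34376: 0xEB, 34377: 0x63}


def analyse(data, patch):
    """Apply the patch, map every offset, and decode a jump only where a jump opcode was written."""
    out = bytearray(data)
    for off, val in patch.items():
        out[off] = val
    pe = parse_pe(out)
    report = {}
    for off in sorted(patch):
        where = locate(pe, off)
        is_jmp = where[0].startswith("section") and patch[off] in (0xE9, 0xEB)
        report[off] = (where, jump_target(out, off) if is_jmp else None)
    return report
```

Run against the constructed image, analyse() reports the header bytes as CheckSum and Subsystem and resolves the JMP at 32748 to 32911 (itself a patched offset) and both the JMP at 32906 and the JMP at 33094 to 33227; that kind of cross-reference between patch sites is the context a patch alone can give. To use it on the real binary, replace build_sample_pe() with the file's bytes, put all of the question's offsets into PATCH, and only trust jump_target() for offsets that a disassembler confirms are instruction starts.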

0 Answers