The execution is not at AddressOfEntryPoint after patching .text section bytes
If you have patched the .text section bytes of a PE file, the address of the AddressOfEntryPoint in the PE header may not correspond to the actual entry point of the executable after patching. In this case, you can calculate the new entry point based on the offset of your patch and the address of the image base.
To calculate the new entry point, you can follow these steps:
Get the address of the image base from the PE header. This is the base address of the executable in memory.
```python
import pefile
pe = pefile.PE("your_executable.exe")
image_base = pe.OPTIONAL_HEADER.ImageBase
```
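Get the offset of your patch in the .text section.
```python
text_section = next(s for s in pe.sections if s.Name.rstrip(b"\x00") == b".text")
patch_offset_in_text = 0x0  # placeholder: offset of your patch within .text
# Use VirtualAddress (an RVA); PointerToRawData is a file offset, not a memory address
patch_offset = text_section.VirtualAddress + patch_offset_in_text
```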
Calculate the new entry point by adding the image base address and the patch offset.
```python
new_entry_point = image_base + patch_offset
```
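You can then set the new entry point in the AddressOfEntryPoint field of the PE header:
```python
# AddressOfEntryPoint is stored as an RVA, so the image base is subtracted again
pe.OPTIONAL_HEADER.AddressOfEntryPoint = new_entry_point - image_base
pe.write("your_patched_executable.exe")
```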
Note that modifying the .text section of a PE file can break digital signatures and cause security issues, so be careful when making such modifications.
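The address arithmetic behind these steps, as an added example that is not part of the original answer: it maps a raw file offset to the RVA that AddressOfEntryPoint stores and to the virtual address at ImageBase. It assumes a PE32 (32-bit) layout, uses only `struct` on constructed header bytes, and all function names and sample values are hypothetical.

```python
import struct

def build_sample_pe():
    """Constructed minimal PE32 headers for illustration (not a runnable program)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)       # e_lfanew lives at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                  # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    # .text: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x400) + bytes(16)
    return bytearray(dos + b"PE\0\0" + coff + opt + sect)

def parse(pe):
    """Return (optional header offset, [(name, va, raw_ptr, raw_size), ...])."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    opt = nt + 24
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                        # 40-byte section headers
        name = bytes(pe[off:off + 8]).rstrip(b"\0").decode()
        _vsize, va, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, va, rptr, rsize))
    return opt, sections

def file_offset_to_rva(sections, file_off):
    """Translate an on-disk offset to an RVA via the section that contains it."""
    for _name, va, rptr, rsize in sections:
        if rptr <= file_off < rptr + rsize:
            return va + (file_off - rptr)
    raise ValueError("offset is not inside any section's raw data")

def entry_point_rva(pe):
    opt, _ = parse(pe)
    return struct.unpack_from("<I", pe, opt + 16)[0]

def set_entry_point(pe, file_off):
    """Store the RVA for file_off; return (stored RVA, VA when loaded at ImageBase)."""
    opt, sections = parse(pe)
    rva = file_offset_to_rva(sections, file_off)
    struct.pack_into("<I", pe, opt + 16, rva)                # the field holds an RVA only
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    return rva, image_base + rva
```
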