In a Command Prompt, execute the program. It prints out a short message, as shown below.
Here's the source code for that program. It uses only one function: printf. How complicated could that be?
Examine the IMPORT Address Table. As shown below, this program uses dozens of Windows API calls.
Scroll to the bottom to see the DLL name. All these API calls come from a single library: KERNEL32.dll, as shown below.
Examine the .rdata section, as shown below.
Here you see a raw hexadecimal dump of the file contents, with the 32-bit word at FF00 containing the value 1711C in little-endian order, as shown below.
pFile addresses are actual locations in the PE file itself, which you can verify by examining the file with HxD, as shown below.
Examine the "IMPORT Hints/Names & DLL Names" section. RaiseException is at address 15F1C, as shown below (preceded by a 2-byte hint).
This address is 1200 bytes lower than the Data of 1711C.
The value 1711C is a RVA (Relative Virtual Address) -- the location in RAM of the object, relative to its Base Address.
To understand that, examine the IMAGE_SECTION_HEADER for the .rdata section.
This section loads at an RVA of 11000, but the "Pointer to Raw Data" (pFile address) is FE00, 1200 bytes lower, as shown below.
The program loads at a Base Address different from the preferred address of 400000, as shown below.
That's an annoyance we don't need.
Download the file, as shown below.
Unzip the file you downloaded, and place the setdllcharacteristics.exe in the same folder you have the hello4.exe file in.
In a Comand Prompt, in that folder, execute this command:
A help message appears, showing that a -d flag will clear DYNAMIC_BASE (ASLR), as shown below.
Close PEview and OllyDbg, if they are still open.
Then, in the Comand Prompt, execute this command:
The program changes DYNAMIC_BASE from 1 to zero, as shown below.
setdllcharacteristics -d hello4.exe
Now the code loads at 400000.
Left-click, then right-click the .rdata section, and click Dump, as shown below.
Scroll down and find the RaiseException data, at address 41711C, as shown below.
It's easy to see that this location is the RVA of 1711C plus the Base Address of 400000.
PMA 123.1: KERNEL32 "Hint" (10 pts)In PEview, examine the "IMPORT Directory Table", as shown below.
In OllyDbg, find the text KERNEL32.dll, as shown below.
The flag is the two bytes preceding that text, covered by a green rectangle in the image below.
PMA 123.2: DLL Name (5 pts)Download this file:
The file uses two DLLs. One is KERNEL32.dll. The flag is the name of the other DLL.
PMA 123.3: KERNEL32 Address (10 pts)Use the same file as the previous challenge.
Turn off ASLR, load the file in OllyDbg, and examine the .rdata section.
Find the address of the line containing KERNEL32, which is covered by a green rectangle in the image below.
That's the flag.
PMA 123.4: Broken (20 pts)Download this file:
The file is damaged and cannot run.
Fix it and run it to see the flag.
Hint: here's some of the source code: