Stylo Grandmaster Cheater Supreme
Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Sun Nov 30, 2008 11:01 am Post subject: C++ ASM Question
I tried to convert an AA script into inline asm. The script disables the delay between nudges in MSN.
So first, here's the original script:
Code:
[enable]
alloc(newmem,1024)
label(returnhere)
00621530:
jmp newmem
nop
returnhere:
newmem:
push eax
mov eax,1
mov [esi+000002e0],eax
pop eax
jmp returnhere
[disable]
dealloc(newmem)
00621530:
mov [esi+000002e0],eax
Now my code:
Code:
#include <windows.h>

// rel32 for a 5-byte E9 jmp: target minus the address of the byte that follows the jmp
#define JMP(frm,to) (int)(((int)to - (int)frm) - 5)

DWORD NudgeAddy  = (0x00621530 + 5);   // 6th byte of the original instruction, padded with nop
DWORD ReturnAddy = (0x00621530 + 6);   // first instruction after the 6-byte mov we overwrite
DWORD dwOldPrt;

void __declspec(naked) DisableNudge(void)
{
    __asm
    {
        push eax
        xor eax,eax
        inc eax
        mov [esi+0x000002e0],eax       // the overwritten instruction, with eax forced to 1
        pop eax
        jmp dword ptr [ReturnAddy]     // indirect jump back through the stored return address
                                       // (a bare "jmp NudgeAddy + 1" would read its target
                                       //  from memory at [NudgeAddy+1], not jump to 00621536)
    }
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpvReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH){
        VirtualProtect((LPVOID)0x00621530,6,PAGE_EXECUTE_READWRITE,&dwOldPrt);
        *(BYTE*)0x00621530 = 0xE9;                                  // jmp rel32 opcode
        *(DWORD*)(0x00621530 + 1) = JMP(0x00621530,DisableNudge);   // displacement to the cave
        *(BYTE*)NudgeAddy = 0x90;                                   // nop the leftover byte
    }
}
The DLL injects fine, and when I view the opcode at 00621530 with CE I can also see that there's a jmp,
but when I go to that specific address all I can see is ?? ?? ?? ??.
How come I cannot see the code I wrote in DisableNudge?
_________________
Stylo
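An added example, not code from the thread, that works through the 6-byte patch the DllMain above writes: it encodes E9 rel32 + nop with the same arithmetic as the JMP macro, decodes it back to the absolute target the way a disassembler such as CE does, and runs the integrity check a defender applies to a function start, flagging a jmp whose target lies outside the module image. The patch address 0x00621530 and the original instruction are from the thread; the cave address 0x10001000 and the module range 0x00400000..0x00700000 are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
/* Build the thread's 6-byte patch: E9 rel32 plus one nop, covering the 6-byte
   "mov [esi+000002e0],eax". rel32 = to - from - 5, exactly what the JMP macro computes. */
static void encode_jmp_patch(uint8_t out[6], uint32_t from, uint32_t to)
{
    uint32_t rel = to - from - 5u;   /* unsigned wrap yields the two's-complement displacement */
    out[0] = 0xE9;
    out[1] = (uint8_t)rel;          out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);  out[4] = (uint8_t)(rel >> 24);
    out[5] = 0x90;
}

/* Decode an E9 rel32 at `addr` back to its absolute target, the value CE displays
   as "jmp <nearest symbol>+offset". Returns 1 and sets *target if the byte is a jmp. */
static int decode_rel_jmp(const uint8_t *code, uint32_t addr, uint32_t *target)
{
    uint32_t rel;
    if (code[0] != 0xE9) return 0;
    rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
          ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    *target = addr + 5u + rel;
    return 1;
}

/* Integrity check: a jmp at a function start whose target lies outside the module
   image [mod_base, mod_end) is the footprint of an injected code cave. */
static int is_foreign_jmp(const uint8_t *code, uint32_t addr,
                          uint32_t mod_base, uint32_t mod_end)
{
    uint32_t target;
    if (!decode_rel_jmp(code, addr, &target)) return 0;
    return target < mod_base || target >= mod_end;
}

int main(void)
{
    /* Original bytes of "mov [esi+000002e0],eax" at 00621530; the cave address and
       module range below are constructed for the demo, not taken from the thread. */
    const uint8_t clean[6] = { 0x89, 0x86, 0xE0, 0x02, 0x00, 0x00 };
    uint8_t patched[6];
    uint32_t target = 0;
    encode_jmp_patch(patched, 0x00621530u, 0x10001000u);
    decode_rel_jmp(patched, 0x00621530u, &target);
    printf("clean hooked=%d  patched hooked=%d  target=%08x\n",
           is_foreign_jmp(clean, 0x00621530u, 0x00400000u, 0x00700000u),
           is_foreign_jmp(patched, 0x00621530u, 0x00400000u, 0x00700000u), target);
    return 0;
}
```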
Symbol I'm a spammer
Reputation: 0
Joined: 18 Apr 2007 Posts: 5094 Location: Israel.
Posted: Sun Nov 30, 2008 12:01 pm
You know you could simply do:
Code:
MOV DWORD PTR DS:[ESI+0x2E0],1
Which takes 10 bytes, or simply NOP that address:
Code:
memset((void*)0x621530, 0x90, 6);
There's really no point in making a code cave.
Edit: Eh, no, NOP'ing doesn't work; you can still overwrite the other bytes with this 10-byte instruction and 2 NOPs.
Stylo Grandmaster Cheater Supreme
Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Sun Nov 30, 2008 12:05 pm
I know I can NOP the 6 bytes at 621530, but that's not the point.
I want to learn how to make a code cave with inline asm.
Edit: I chose that script because it's the simplest one I could think of.
Symbol I'm a spammer
Reputation: 0
Joined: 18 Apr 2007 Posts: 5094 Location: Israel.
Posted: Sun Nov 30, 2008 12:27 pm
Well, make sure your DLL is still running and not unloaded.
What did you expect, that the function of the DLL will remain in memory after freeing the DLL from memory?
Stylo Grandmaster Cheater Supreme
Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Sun Nov 30, 2008 12:38 pm
Now that you say it, I think it did unload from memory.
How can I make sure it won't free the DLL?
sloppy Expert Cheater
Reputation: 0
Joined: 17 Aug 2008 Posts: 123
Posted: Sun Nov 30, 2008 12:47 pm
Add return TRUE; to DllMain.
Stylo Grandmaster Cheater Supreme
Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Sun Nov 30, 2008 1:09 pm
Oh right... can't believe I forgot that.
Now something weird I've got here:
now I can see at address 621530 - jmp virtualprotect+ffffff6aa
When I go there I see code that doesn't even look like what I wrote!?