samuri25404 Grandmaster Cheater
Reputation: 7
Joined: 04 May 2007 Posts: 955 Location: Why do you care?
Posted: Sat Jan 26, 2008 11:44 am Post subject: [ASM] Far Jmps
I was fixing up my Opcode.dll (it's not perfect, you know), and I was wondering about Far Jmps.
After you've found the bytes (like c9 or whatever for the jmp), then you've got the bytes for the address (after calculations). Do you store them in Little Endian?
Symbol I'm a spammer
Reputation: 0
Joined: 18 Apr 2007 Posts: 5094 Location: Israel.
Posted: Sat Jan 26, 2008 12:28 pm
Do you mean if it's in the opposite order? Let's say 0: jmp 00200005 would be "eb 00 00 02 00" I think, if that's what you mean. (+5 bytes since the jump's bytes are 5)
Last edited by Symbol on Sat Jan 26, 2008 12:29 pm; edited 1 time in total
mer0x Advanced Cheater
Reputation: 0
Joined: 06 Jan 2008 Posts: 63
Posted: Sat Jan 26, 2008 12:29 pm
> Symbol wrote:
> Do you mean if it's in the opposite order? Let's say 0: jmp 00200000 would be "eb 00 00 02 00" I think, if that's what you mean.
Isn't it supposed to be E9?
Symbol I'm a spammer
Reputation: 0
Joined: 18 Apr 2007 Posts: 5094 Location: Israel.
Posted: Sat Jan 26, 2008 12:39 pm
Yea, sorry, eb is a short jump.
samuri25404 Grandmaster Cheater
Reputation: 7
Joined: 04 May 2007 Posts: 955 Location: Why do you care?
Posted: Sat Jan 26, 2008 12:55 pm
Yes, that's exactly what I mean, Symbol. Is it stored that way?
Symbol I'm a spammer
Reputation: 0
Joined: 18 Apr 2007 Posts: 5094 Location: Israel.
Posted: Sat Jan 26, 2008 1:07 pm
Yes.
FerrisBuellerYourMyHero Master Cheater
Reputation: 0
Joined: 14 Feb 2007 Posts: 401 Location: Inside your <kernel>
Posted: Tue Jan 29, 2008 8:07 pm
This is how I do it:
JMP DISTANCE = to - from - 5
but the to address has to be higher than the from lol...
Code:
_asm
{
    pushad
    mov eax, 0x006594A1 // to: where the jump should land
    mov ecx, 0x0063F21B // from: the hook site, where the jmp is written
    mov ebx, ecx // copy "from" into ebx: the jmp bytes go at the hook site
    sub eax, ecx // to - from
    sub eax, 5 // - 5 = distance to jump, measured from the end of the 5-byte jmp
    mov byte ptr [ebx], 0xE9 // E8 for call, E9 for JMP
    mov dword ptr [ebx+1], eax // the rel32 displacement, stored little-endian
    popad
}
then it's HOOKED!
You know, life moves pretty fast. If you don't stop and look around once in a while, You could miss it!
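Added here as an illustration, not code from any post in the thread: a Python encoder for the 5-byte E9/E8 form being discussed (displacement = to - from - 5, packed little-endian as a signed 32-bit value) and the 2-byte EB short form, plus a decoder that reads the target back out of the bytes, which is the check to run over a function prologue when looking for an unexpected detour. Because the displacement is signed, the same formula covers a target below the source; the addresses in main are the ones from this thread, and the short-jump addresses in the test are constructed.

```python
import struct

# Opcodes discussed in the thread
JMP_REL32 = 0xE9   # 5-byte near jmp: E9 + signed 32-bit displacement
CALL_REL32 = 0xE8  # 5-byte near call, same displacement encoding
JMP_REL8 = 0xEB    # 2-byte short jmp: EB + signed 8-bit displacement


def encode_rel32(src, dst, opcode=JMP_REL32):
    """Bytes for a 5-byte jmp/call written at src that lands on dst.
    The displacement is dst - src - 5 (measured from the end of the
    instruction) and is stored little-endian as a signed 32-bit value,
    so dst may lie below src as well as above it."""
    disp = dst - (src + 5)
    if not -2**31 <= disp < 2**31:
        raise ValueError("target out of rel32 range")
    return bytes([opcode]) + struct.pack("<i", disp)


def encode_short_jmp(src, dst):
    """Bytes for the 2-byte short form (EB rel8), valid only within -128..+127."""
    disp = dst - (src + 2)
    if not -128 <= disp < 128:
        raise ValueError("target out of rel8 range")
    return bytes([JMP_REL8]) + struct.pack("<b", disp)


def decode_jump(addr, code):
    """Return (mnemonic, target) when the bytes at addr start with a relative
    jmp/call, else None. Run this over a function prologue to spot a detour
    that was not there in the on-disk image (an inline hook)."""
    if code and code[0] in (JMP_REL32, CALL_REL32) and len(code) >= 5:
        disp = struct.unpack("<i", code[1:5])[0]
        name = "jmp" if code[0] == JMP_REL32 else "call"
        return name, (addr + 5 + disp) & 0xFFFFFFFF
    if code and code[0] == JMP_REL8 and len(code) >= 2:
        disp = struct.unpack("<b", code[1:2])[0]
        return "jmp short", (addr + 2 + disp) & 0xFFFFFFFF
    return None


if __name__ == "__main__":
    # Symbol's example: jmp at address 0 to 00200005
    print(encode_rel32(0, 0x00200005).hex(" "))
    # Ferris's addresses, forward and then reversed (target below source)
    print(encode_rel32(0x0063F21B, 0x006594A1).hex(" "))
    print(encode_rel32(0x006594A1, 0x0063F21B).hex(" "))
    print(decode_jump(0x0063F21B, encode_rel32(0x0063F21B, 0x006594A1)))
```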
samuri25404 Grandmaster Cheater
Reputation: 7
Joined: 04 May 2007 Posts: 955 Location: Why do you care?
Posted: Tue Jan 29, 2008 8:43 pm
I understand ASM, so no need to explain everything.
That's where I started my programming career.
I don't quite get what this is doing, though. Since you do "popad" at the end, that's negating everything that you've done up to that point, right?
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Tue Jan 29, 2008 8:48 pm
No... the way he hooks is memory writing. Set up the hooks by moving bytes accordingly and then restore the original register values.
Apparently your "starting" language isn't going so well.
samuri25404 Grandmaster Cheater
Reputation: 7
Joined: 04 May 2007 Posts: 955 Location: Why do you care?
Posted: Tue Jan 29, 2008 10:22 pm
Well, what I meant by "starting language" was AA.
I started with AA, and pretty much moved on to bigger and better things.
The thing is though, with Assembly, I only know what each instruction does; I hardly ever get the theory behind the instructions, which is why I like higher-level languages better: it's so easy to get what people are doing (especially .NET).
mer0x Advanced Cheater
Reputation: 0
Joined: 06 Jan 2008 Posts: 63
Posted: Tue Jan 29, 2008 11:38 pm
> samuri25404 wrote:
> I understand ASM, so no need to explain everything.
> That's where I started my programming career.
> I don't quite get what this is doing, though. Since you do "popad" at the end, that's negating everything that you've done up to that point, right?
popad means to pop all dx registers off the stack. pushad means to push all dx registers onto the stack.
BEO-WULF Expert Cheater
Reputation: 0
Joined: 27 Jan 2008 Posts: 138 Location: Green Bay, Wisconsin
Posted: Sat Feb 02, 2008 1:56 am
> FerrisBuellerYourMyHero wrote:
> This is how I do it:
> JMP DISTANCE = to - from - 5
> but the to address has to be higher than the from lol...
> Code:
> _asm
> {
>     pushad
>     mov eax, 0x006594A1 // to: where the jump should land
>     mov ecx, 0x0063F21B // from: the hook site, where the jmp is written
>     mov ebx, ecx // copy "from" into ebx: the jmp bytes go at the hook site
>     sub eax, ecx // to - from
>     sub eax, 5 // - 5 = distance to jump, measured from the end of the 5-byte jmp
>     mov byte ptr [ebx], 0xE9 // E8 for call, E9 for JMP
>     mov dword ptr [ebx+1], eax // the rel32 displacement, stored little-endian
>     popad
> }
> then it's HOOKED!
It's basically just insert, then relapse and start over again to the quotient and file/exe distortion.
4 L1F3 ( + [__] : : ) 4 L1F3