MooMooCow Newbie cheater
Reputation: 0
Joined: 07 Jun 2007 Posts: 21
Posted: Tue Jul 08, 2008 11:53 am Post subject: [Help] Using memory addresses in an .exe.
Hello. It seems like there should be an easy solution to this problem, but I have not been able to figure it out. I have been using a code cave in memory to route a function to my own code; however, I don't want to use an external program every time to do this. I would like to route the function to my own code in the .exe itself, but I can't seem to find any trace of the function in the .exe. When I load the .exe with IDA Pro I get the address of the function, but I can't seem to find that address, or equivalent, in the .exe. Ollydbg didn't seem to be much help either, but that may have been because I was testing it on a debug build of an application. Any ideas on how I can find where the address of the function is in the .exe file itself? Thanks for any help on this subject.
Example:
Say I want to insert 54 34 54 00 32 at 0x0040205F. How would I find where 0x0040205F would be located in the .exe file?
Also, the file was packed, but I unpacked it. Could that be a problem?
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Tue Jul 08, 2008 12:51 pm Post subject:
You are attempting to locate the address in the exe incorrectly probably. The base of the exe is 400000 when it is loaded, but not while it's just in the exe. Instead, you need to use the relative address to the code.
If you are using IDA, you can get that easily as it shows in the status bar at the bottom. For example, I have a MessageBox call here:
Code:
.text:0041225F push 0 ; uType
.text:00412261 push offset Caption ; "Hello!"
.text:00412266 push offset Text ; "Hello!"
.text:0041226B push 0 ; hWnd
.text:0041226D call ds:MessageBoxA
While the program is loaded and running, the address of the call would be at 41226D. Now click on the call to select that line, then in the status bar you can find the relative address which in this case would be:
1166D
So in hex that would look like this:
FF 15 2C 31 41 00
Then open the exe in a hex editor, go to the offset of 1166D, and in my case the above hex is there, which is the call.
Edit as needed in the hex editor, save, and test it out.
_________________
- Retired. |
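The address-to-offset conversion that the IDA status bar performs in the answer above, as an added example that is not part of the original thread: it reads the image base and section table from the PE headers and maps a loaded address to a file offset. The function names are hypothetical, and the sample headers are constructed with an assumed .text layout chosen so that the thread's numbers (41226D and 1166D) reproduce.

```python
import struct

def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map a loaded virtual address (as IDA shows it) to its offset in the file."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # 20-byte COFF file header
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                                       # optional header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                                    # PE32
        (image_base,) = struct.unpack_from("<I", pe, opt + 28)
    elif magic == 0x20B:                                  # PE32+
        (image_base,) = struct.unpack_from("<Q", pe, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    rva = va - image_base                                 # address relative to load base
    table = opt + opt_size                                # section table follows
    for i in range(num_sections):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", pe, table + 40 * i + 8)
        if vaddr <= rva < vaddr + (vsize or rsize):
            if rva - vaddr >= rsize:                      # e.g. uninitialised data
                raise ValueError("address has no bytes on disk")
            return rptr + (rva - vaddr)
    raise ValueError("address is outside every section")

def build_sample_headers() -> bytes:
    """Constructed PE32 headers (not a real file); layout chosen to match the thread."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    # .text: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (assumed values)
    text = struct.pack("<8s6I2HI", b".text", 0x2000, 0x11000, 0x2000, 0x10400,
                       0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + text

if __name__ == "__main__":
    print(hex(va_to_file_offset(build_sample_headers(), 0x41226D)))
```

For a real executable, pass the file's bytes (read in binary mode) in place of the constructed headers.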
Chaosis13 Master Cheater
Reputation: 0
Joined: 14 Aug 2007 Posts: 372
Posted: Tue Jul 08, 2008 1:54 pm Post subject:
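Or you could use a pointer to a function. I think this will work:
Code:
#include <cstdint>
#include <iostream>

int function1337() { return 0; }  // identifiers cannot begin with a digit

int main() {
    // Store the function's run-time address as an integer.
    std::uintptr_t pointer = reinterpret_cast<std::uintptr_t>(&function1337);
    std::cout << "function1337 is located at: 0x" << std::hex << pointer << "!\n";
}
This can be done with a lot of other things too.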
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Tue Jul 08, 2008 1:55 pm Post subject:
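Chaosis13 wrote:
> Or you could use a pointer to a function. I think this will work:
> Code:
> #include <cstdint>
> #include <iostream>
>
> int function1337() { return 0; }  // identifiers cannot begin with a digit
>
> int main() {
>     // Store the function's run-time address as an integer.
>     std::uintptr_t pointer = reinterpret_cast<std::uintptr_t>(&function1337);
>     std::cout << "function1337 is located at: 0x" << std::hex << pointer << "!\n";
> }
> This can be done with a lot of other things too.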
That's not what he is trying to do according to his first post.
_________________
- Retired. |
MooMooCow Newbie cheater
Reputation: 0
Joined: 07 Jun 2007 Posts: 21
Posted: Tue Jul 08, 2008 2:57 pm Post subject:
Awesome. Thank you so much, Wiccaan. That is exactly what I needed. I should have opened my eyes a little more when using IDA Pro.
@Chaosis13: That information was helpful too, but for a different project.