LionKing (Newbie cheater; Reputation: 0; Joined: 21 Jul 2021; Posts: 16)
Posted: Wed Aug 18, 2021 10:30 pm
Post subject: How can I inject two lines or more into one script?
I want to inject two lines of code into one script.
Code:
    sub [esi+00000088],edi
    sub [eax+000001FC],edi
As we know the traditional way just injects one line per script like that:
Code:
    [ENABLE]
    aobscanmodule(INJECT,file.exe,29 BE 88 00 00 00) // should be unique
    alloc(newmem,$1000)
    label(code)
    label(return)
    newmem:
    code:
    sub [esi+00000088],edi
    jmp return
    INJECT:
    jmp newmem
    nop
    return:
    registersymbol(INJECT)
    [DISABLE]
    INJECT:
    db 29 BE 88 00 00 00
    unregistersymbol(INJECT)
    dealloc(newmem)
**How can I inject multi-lines into one script?**
ParkourPenguin (I post too much; Reputation: 152; Joined: 06 Jul 2014; Posts: 4697)
Posted: Thu Aug 19, 2021 12:49 am
Code:
    ...
    code:
    sub [esi+00000088],edi
    sub [eax+000001FC],edi
    jmp return
    ...
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Birdi (Expert Cheater; Reputation: 0; Joined: 08 Jun 2020; Posts: 124; Location: Migrating)
Posted: Thu Aug 19, 2021 1:31 am
As above, you simply just add it in.
The standard aobscan template creates a nearby code section you have control over, and jmps to it at where the original instruction(s) are, when enabled. In this sense you're just writing a larger chunk of instructions that all get run before returning to the original injection point, where it will resume.
If you look at where you're injecting in the Memory Viewer you can see what's happening, and can follow the jmp when it's injected to see the code you wrote, if that helps you out.
You can write a lot, within some constraints, in that code cave it allocates. Others know more about the limitations than I do. That's the benefit of the aobscan template, compared to simply replacing bytes without a jump, where you need to be mindful of the byte count and surrounding instructions.
LionKing (Newbie cheater; Reputation: 0; Joined: 21 Jul 2021; Posts: 16)
Posted: Thu Aug 19, 2021 11:26 am
ParkourPenguin wrote:
    Code:
        ...
        code:
        sub [esi+00000088],edi
        sub [eax+000001FC],edi
        jmp return
        ...
Your code doesn't ignore the second line, so the second line will be implemented twice, as follows.
Code:
    jmp 060C0000
    nop
    00A815A1: sub [eax+000001FC],edi
    ...
    ...
    060C0000:
    mov [esi+00000088],000000C8
    mov [eax+000001FC],000000C8
    jmp 00A815A1
ParkourPenguin (I post too much; Reputation: 152; Joined: 06 Jul 2014; Posts: 4697)
Posted: Thu Aug 19, 2021 12:08 pm
Oh. So you want the injection point to be bigger than it needs to be?
Code:
    [ENABLE]
    aobscanmodule(INJECT,file.exe,29 BE 88 00 00 00 29 B8 FC 01 00 00) // should be unique
    ...
    INJECT:
    jmp newmem
    nop 7
    ...
    [DISABLE]
    INJECT:
    db 29 BE 88 00 00 00 29 B8 FC 01 00 00
But if you're not doing anything else, why not just nop the second instruction?
Code:
    [ENABLE]
    aobscanmodule(INJECT,file.exe,29 BE 88 00 00 00 29 B8 FC 01 00 00)
    registersymbol(INJECT)
    INJECT+6:
    nop 6
    [DISABLE]
    INJECT+6:
    db 29 B8 FC 01 00 00 // sub [rax+000001FC],edi
    unregistersymbol(INJECT)
_________________
I don't know where I'm going, but I'll figure it out when I get there.
LionKing (Newbie cheater; Reputation: 0; Joined: 21 Jul 2021; Posts: 16)
Posted: Thu Aug 19, 2021 1:03 pm
ParkourPenguin wrote:
    Oh. So you want the injection point to be bigger than it needs to be?
    Code:
        [ENABLE]
        aobscanmodule(INJECT,file.exe,29 BE 88 00 00 00 29 B8 FC 01 00 00) // should be unique
        ...
        INJECT:
        jmp newmem
        nop 7
        ...
        [DISABLE]
        INJECT:
        db 29 BE 88 00 00 00 29 B8 FC 01 00 00
    But if you're not doing anything else, why not just nop the second instruction?
    Code:
        [ENABLE]
        aobscanmodule(INJECT,file.exe,29 BE 88 00 00 00 29 B8 FC 01 00 00)
        registersymbol(INJECT)
        INJECT+6:
        nop 6
        [DISABLE]
        INJECT+6:
        db 29 B8 FC 01 00 00 // sub [rax+000001FC],edi
        unregistersymbol(INJECT)

Thank you, the first one has worked fine, but what's the benefit of
Why did you add a number (7) next to the nop instruction?
ParkourPenguin (I post too much; Reputation: 152; Joined: 06 Jul 2014; Posts: 4697)
Posted: Thu Aug 19, 2021 3:13 pm
A nop mnemonic with an integer operand is a pseudoinstruction CE adds that lets you nop a specified number of bytes at a time. nop 7 means CE will replace 7 bytes with an instruction that does nothing. 7 bytes is enough to cover the rest of the original instruction taken up by the jump (6 original bytes - 5 jump bytes = 1 extra) and the instruction after it (6 bytes).
_________________
I don't know where I'm going, but I'll figure it out when I get there.
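The byte arithmetic behind `nop` versus `nop 7`, and the "implemented twice" symptom from LionKing's first attempt, as an added Python model. This is example code written for this thread, not code from the posters or from Cheat Engine. It assumes the 12 original bytes quoted in the thread (two 6-byte instructions), a 5-byte `jmp rel32` as the hook, the cave address 060C0000 from LionKing's listing, and an injection address of 00A8159B (derived here from the `00A815A1` return address minus 6 bytes; an assumption). The `find_inline_hooks` function is the defender's side of the same picture: it locates the footprint such a patch leaves (a jmp out of the module followed by nop padding) so integrity tooling can flag it.

```python
import struct

# Constructed sample: the original bytes at the injection point as quoted in the thread,
# sub [esi+00000088],edi (6 bytes) followed by sub [eax+000001FC],edi (6 bytes).
ORIGINAL = bytes.fromhex("29BE88000000" "29B8FC010000")
INSTR_LENGTHS = [6, 6]      # lengths of the two instructions above
JMP_REL32_SIZE = 5          # E9 + 4-byte displacement
NOP = 0x90

# Assumed addresses (derived from LionKing's listing, not stated in the thread directly).
INJECT_ADDR = 0x00A8159B    # 00A815A1 (return) - 6 bytes (jmp + 1 nop)
NEWMEM_ADDR = 0x060C0000    # the code cave the listing jumps to


def nop_count(instr_lengths, instrs_to_replace, jmp_size=JMP_REL32_SIZE):
    """Nop bytes needed after a jmp that overwrites the first `instrs_to_replace`
    instructions. The overwritten span must end on an instruction boundary, so the
    padding is span - jmp size: 6 - 5 = 1 (plain `nop`), 12 - 5 = 7 (`nop 7`)."""
    span = sum(instr_lengths[:instrs_to_replace])
    if span < jmp_size:
        raise ValueError(f"{span} bytes is too short for a {jmp_size}-byte jmp; replace more instructions")
    return span - jmp_size


def double_executed(instrs_relocated, instrs_overwritten):
    """Indices of instructions copied into the cave that run again after `jmp return`:
    everything relocated beyond the span the jmp+nops actually overwrote. This is the
    'second line implemented twice' symptom (2 relocated, only 1 overwritten -> [1])."""
    return list(range(instrs_overwritten, instrs_relocated))


def build_enable_patch(inject_addr, newmem_addr, instr_lengths, instrs_to_replace):
    """Bytes the [ENABLE] section writes at INJECT: jmp newmem followed by nop padding."""
    pad = nop_count(instr_lengths, instrs_to_replace)
    rel = newmem_addr - (inject_addr + JMP_REL32_SIZE)   # rel32 is relative to the next instruction
    return b"\xE9" + struct.pack("<i", rel) + bytes([NOP]) * pad


def build_disable_patch(original, instr_lengths, instrs_to_replace):
    """Bytes the [DISABLE] section's db line must write back: exactly the overwritten span."""
    span = sum(instr_lengths[:instrs_to_replace])
    return original[:span]


def find_inline_hooks(code, base, module_lo, module_hi):
    """Defender's check: return (offset, target, nop_pad) for every E9 rel32 jmp whose
    destination lies outside [module_lo, module_hi), i.e. the footprint an aobscan-style
    hook leaves in module code. Scanning for E9 byte-by-byte can produce false positives
    inside immediates, so treat hits as leads to disassemble, not verdicts."""
    hits = []
    for off in range(len(code) - JMP_REL32_SIZE + 1):
        if code[off] != 0xE9:
            continue
        rel = struct.unpack_from("<i", code, off + 1)[0]
        target = base + off + JMP_REL32_SIZE + rel
        if module_lo <= target < module_hi:
            continue
        pad = 0
        while off + JMP_REL32_SIZE + pad < len(code) and code[off + JMP_REL32_SIZE + pad] == NOP:
            pad += 1
        hits.append((off, target, pad))
    return hits


if __name__ == "__main__":
    print("nop padding, one instruction replaced:", nop_count(INSTR_LENGTHS, 1))
    print("nop padding, two instructions replaced:", nop_count(INSTR_LENGTHS, 2))
    print("runs twice when 2 relocated but 1 overwritten:", double_executed(2, 1))
    patched = build_enable_patch(INJECT_ADDR, NEWMEM_ADDR, INSTR_LENGTHS, 2)
    print("enable bytes:", patched.hex(" ").upper())
    print("hooks found:", find_inline_hooks(patched, INJECT_ADDR, 0x00A00000, 0x00B00000))
```

`find_inline_hooks` is run here over the 12-byte patched span only; against a real module image you would feed it the executable sections and the module's mapped range, and confirm each hit with a disassembler before acting on it.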
LionKing (Newbie cheater; Reputation: 0; Joined: 21 Jul 2021; Posts: 16)
Posted: Thu Aug 19, 2021 5:23 pm
I thank you again.