flat assembler
Message board for the users of flat assembler.
Executing Opcodes
Remy Vincent 24 Oct 2006, 21:31
TheLord wrote: Hi
Any 32 bit value has bounds. For a variable, a bound is like a floor and a roof... But the idea is easier to follow if you live under a flat roof, because signed 32 bit values have 2 flat bounds: [-2^31] and [2^31 - 1]
mov [eax + 24], edi ;edi handle the address I need to add
Sure you are just loading a value above the bound [2^31 - 1], so you store a negative 32bit number instead of storing a positive number between bounds [0..2^32]
Sure
vid 24 Oct 2006, 21:45
maybe you don't have 4 bytes for immediate of jump reserved?
Code:
api_opcode db 8Bh,0FFh,55h,8Bh,0ECh,0E9h,0000h
to
Code:
api_opcode db 8Bh,0FFh,55h,8Bh,0ECh,0E9h,0,0,0,0
vid 24 Oct 2006, 21:49
wait.. why +24? shouldn't it be +6 ?
MazeGen 25 Oct 2006, 07:09
TheLord, it is probably because of your OllyDbg's settings. Try to switch off options -> debugging options -> analysis 1 -> autostart analysis of main module or right-click in code window -> analysis -> remove analysis.
Remy Vincent 25 Oct 2006, 16:21
It's funny, this code is like a DELPHI16 code I have done:
- Catching the FormCreate(f,c)
- forbidden AutoCreate
- Storing the 2 parameters
- Then opening the form when USER dbl-clicks on the listbox...
But it was done in DELPHI16, because I remember that writing a hook inside a Code Segment was possible, with something like the CSToDSAlias() function.
I tried to do the same program with DELPHI32 but it was too much thinking and thinking...
Groups lower your IQ
vid 25 Oct 2006, 16:26
sure, on 16 bits there's no memory locking. On 32 bits your code segment may be read-only; you need to call VirtualProtect
Remy Vincent 25 Oct 2006, 16:35
Hope this topic is going to be solved
TheLord 25 Oct 2006, 17:18
thx for replying
and thx to MazeGen, because yeah, it was my setting. Btw, it's also better with eax + 6 lol. So from now I know my opcode is OK. Then this is how I do the thing:
Code:
opcode db 8Bh,0FFh,55h,8Bh,0ECh,0E9h,0000h,0000h,0000h,0000h
which is:
Code:
mov edi, edi
push ebp
mov ebp, esp
+ enough place to stick my address.
Then this is my little piece of code:
Code:
Proc:
lea eax, dword [opcode]
mov [eax + 6], edi ;edi handle the address I need to jmp to
call eax
All seems fine to me, I debugged the compiled file, all is written normally, but... I still get this Error executing 7CC0351A when the address I jmp to is 7C802447 which points to:
push 0
Goplat 25 Oct 2006, 17:55
The immediate call instruction's address is relative to the end of the instruction, so you need to subtract (opcode + 11) from the address before you store it.
TheLord 25 Oct 2006, 18:25
hmmm I don't understand this.
When I look in olly I have this info when the call is executed: EAX=004010C9 (test.004010C9) which points to the beginning of the opcodes. I would have guessed it should execute this code from the beginning to the jmp and then continue its way normally!
vid 25 Oct 2006, 18:40
no, the problem is the E9 instruction. The 4-byte immediate behind it is not the ADDRESS where to continue, it's the address relative to the beginning of the next instruction behind the jmp. So for example this instruction
Code:
db 0E9h, 0, 0, 0, 0
does nothing. You can write it like this:
Code:
jmp _label
_label:
then
Code:
db 0E9h, 2, 0, 0, 0
is jmp _label+2 etc. So you need:
Code:
lea eax, dword [opcode]
mov [eax + 6], edi          ;edi handle the address I need to jmp to
sub dword [eax + 6], opcode + 10 ;convert absolute to relative address: the E9 immediate is
                            ;relative to the byte after it, i.e. opcode + 10 for this 10-byte stub
call eax
understand?
PS: happy rootkittin'
TheLord 25 Oct 2006, 19:04
thx for replying. btw someone else told me to sub EIP... I did a little something, a little calculation to check something:
My EIP when I call is: 004010C4
The address where my jmp points to is: 7C802447
If I add I get 7CC0350B
And if I add 11 I get the address the error is telling me: Error executing 7CC0351A
Is that stuff relying on what you're telling me? (I guess yes)
Not rootkittin' but yeah it's API hooking. I already have Reverend's LDE which is really good and does the job without needing me to hardcode anything. Just learning and far away from being able to code a rk! :p
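vid's description of the E9 jump and TheLord's check of the numbers can be reproduced in a few lines. The Python below is an added example written for this page, not code from the thread or from the flat assembler project. It encodes the rel32 immediate for the 10-byte stub discussed here (mov edi,edi / push ebp / mov ebp,esp / jmp rel32), decodes where a given stub actually transfers control, and, using the addresses TheLord posted (EAX = 004010C9 pointing at the stub, target 7C802447), shows that storing the absolute target unadjusted sends execution to 7CC0351A, the address in his error message, because the displacement is added to the address of the byte after the immediate (opcode + 10). The prologue bytes and offsets come from the thread; the function names and the sample addresses in the usage are this example's own.

```python
import struct

# The 10-byte stub from the thread: mov edi,edi / push ebp / mov ebp,esp / jmp rel32.
# The E9 opcode sits at offset 5, its 4-byte immediate at offset 6, and the
# instruction following the jmp would start at offset 10.
STUB_PROLOGUE = bytes([0x8B, 0xFF, 0x55, 0x8B, 0xEC])
JMP_OFFSET = len(STUB_PROLOGUE)   # 5
IMM_OFFSET = JMP_OFFSET + 1       # 6
STUB_LEN = IMM_OFFSET + 4         # 10

MASK32 = 0xFFFFFFFF


def rel32(next_ip, target):
    """Displacement for a jmp/call whose immediate is relative to the next instruction's address."""
    return (target - next_ip) & MASK32


def build_stub(stub_addr, target):
    """Return the 10-byte stub so that, placed at stub_addr, its jmp lands on target."""
    disp = rel32(stub_addr + STUB_LEN, target)
    return STUB_PROLOGUE + b"\xE9" + struct.pack("<I", disp)


def naive_stub(target):
    """The buggy variant from the thread: the absolute target written straight into the immediate."""
    return STUB_PROLOGUE + b"\xE9" + struct.pack("<I", target & MASK32)


def decode_e9(code, code_addr, offset):
    """Destination of the E9 rel32 jmp found at code[offset], given code is loaded at code_addr."""
    if offset + 5 > len(code) or code[offset] != 0xE9:
        raise ValueError("no E9 jmp at offset %d" % offset)
    disp = struct.unpack_from("<i", code, offset + 1)[0]   # signed, so backward jumps work
    return (code_addr + offset + 5 + disp) & MASK32


def stub_destination(stub, stub_addr):
    """Where the jmp inside a stub located at stub_addr transfers control."""
    return decode_e9(stub, stub_addr, JMP_OFFSET)


if __name__ == "__main__":
    # Addresses taken from TheLord's posts above.
    stub_addr, target = 0x004010C9, 0x7C802447
    print("naive stub jumps to   %08X" % stub_destination(naive_stub(target), stub_addr))
    print("correct stub jumps to %08X" % stub_destination(build_stub(stub_addr, target), stub_addr))
    # vid's example: E9 02 00 00 00 is "jmp _label+2" where _label is the next instruction.
    print("E9 02 00 00 00 at 1000h lands at %04X" % decode_e9(bytes([0xE9, 2, 0, 0, 0]), 0x1000, 0))
```

A hook checker does the same arithmetic in reverse: read the first bytes of an exported function and, if they begin with E9, decode the displacement relative to the following instruction to see where control really goes; an address outside the module that exports the function is what such a check flags.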
vid 25 Oct 2006, 19:28
i just explained to you how the "jmp near" instruction works. And your computation proves it (if i understood you right)
Remy Vincent 25 Oct 2006, 19:47
@TheLord: I have a code like you need, nearly working, except the "MOV [EDI] , AL", with EDI pointing to a code segment... I don't know what to do!!
@vid: do you know someone who knows how to write inside the CODE SEGMENT
Code:
FORMAT PE GUI 4.0
ENTRY Start
INCLUDE "C:\Prog\Fasm164\FasmW\INCLUDE\win32a.inc"

SECTION '.data' DATA READABLE WRITEABLE
C_Track01 DB 'Music track 01',0
C_Track02 DB 'Music track 02',0
C_Track03 DB 'Music track 03',0
C_Track04 DB 'Music track 04',0
C_Title DB 'OLLLLLD TITLE',0
C_NewTitle DB '----- NNEEEEEEEEEEWW TIIIIIIITLE -----',0
G_KEEP_MyMuBePl DB 0,0,0,0, 0,0,0,0

SECTION '.code' CODE READABLE EXECUTABLE
Start:
;--------------- Usual CALL ---------------
PUSH C_Track01
CALL MyMusicBeeingPlayed
;--------------- Installing an """indirect call""" ---------------
;----- 1. Keep current code
MOV ESI , MyMusicBeeingPlayed
MOV EDI , G_KEEP_MyMuBePl
MOV EAX , [ESI]
MOV [EDI] , EAX
ADD ESI , 4
ADD EDI , 4
MOV EAX , [ESI]
MOV [EDI] , EAX
;----- 2. Install JMP to NEW_TITLEPROC
MOV EDI , MyMusicBeeingPlayed
MOV AL , 0xE9
;--PROBLEM!!!!!!!!!!!!
MOV [EDI] , AL
INC EDI
MOV EAX , NEW_TITLEPROC
;--MOV [EDI] , EAX
;--------------- INDIRECT call ---------------
;--YES, WORKING IF CALLED DIRECTLY--
;--PUSH C_Track01 --
;--CALL NEW_TITLEPROC --
PUSH C_Track01
CALL MyMusicBeeingPlayed
;--------------- Deleting the """indirect call""" ---------------
;--------------- Usual call AGAIN ---------------
PUSH C_Track01
CALL MyMusicBeeingPlayed
;--------------- / ---------------
PUSH 0
CALL [ExitProcess]

MyMusicBeeingPlayed:
PUSH EBP
MOV EBP , ESP
MOV EBX , +8
MOV EDX , [EBP+EBX]
PUSH MB_OK + MB_ICONEXCLAMATION
PUSH C_Title
PUSH EDX
PUSH 0
CALL [MessageBox]
POP EBP
RET

NEW_TITLEPROC:
PUSH EBP
MOV EBP , ESP
MOV EBX , +8
MOV EDX , [EBP+EBX]
PUSH MB_OK + MB_ICONEXCLAMATION
PUSH C_NewTitle
PUSH EDX
PUSH 0
CALL [MessageBox]
POP EBP
RET

SECTION '.idata' IMPORT DATA READABLE WRITEABLE
library kernel , "KERNEL32.DLL" ,\
        user , "USER32.DLL"
import kernel ,\
       ExitProcess , "ExitProcess"
import user ,\
       MessageBox , "MessageBoxA"

SECTION '.reloc' FIXUPS DATA READABLE DISCARDABLE
vid 25 Oct 2006, 20:07
Remy: study VirtualAlloc from Win32API
TheLord 25 Oct 2006, 20:51
yeah Vid, in fact I was calculating this and when I came here I saw your answer, which is just great. thx to you all, my prob is solved, I can continue ^^
vid 25 Oct 2006, 21:37
glad to help
Remy Vincent 26 Oct 2006, 20:50
Adding this code, it's INCREDIBLE, writing to the CODE SEGMENT is working
I was planning to use the constant PAGE_EXECUTE_READWRITE, but in fact this constant is enough: PAGE_READWRITE. Conclusion: the first constant is too much, just readwrite is enough for a code segment. Also it's funny, the usual FASM code segment HEADER seems to be ignored, because the VirtualQuery() function says that the segment is ReadOnly "only"...
==> SECTION '.code' CODE READABLE EXECUTABLE
Code:
;----- 2. Enable access to memory block
MOV EDX , G_OLD_Protect
PUSH EDX
MOV EDX , PAGE_READWRITE
PUSH EDX
MOV EDX , 20
PUSH EDX
MOV EDX , MyMusicBeeingPlayed
PUSH EDX
CALL [VirtualProtect]
MOV [G_ReadWritePtr] , MyMusicBeeingPlayed
Code:
;----- 4. Disable access to memory block
PUSH G_OLD_Protect
PUSH [G_OLD_Protect]
PUSH 20
PUSH MyMusicBeeingPlayed
CALL [VirtualProtect]
I swear that PAGE_READWRITE is enough, there is no need to use the "stronger" PAGE_EXECUTE_READWRITE constant!!!
Remy Vincent 26 Oct 2006, 20:56
Tomorrow I will try to restore the call to the previous procedure... Because the DEMO program is frustrating: the first procedure is not called anymore, so the DEMO PROGRAM seems "not finished"...
==> "Old title" THEN ==> "NEW TITLE", thanks to the writing to the CODE SEGMENT, THEN ==> "NEW TITLE" again, instead of displaying "Old title" again... my DEMO looks like "no way to do another step"... it's not funny
Copyright © 1999-2024, Tomasz Grysztar.