flat assembler
Message board for the users of flat assembler.

Thread: Inserting assembly in an existing program.

evanejk 21 Sep 2010, 02:08 (Joined: 20 Sep 2010, Posts: 2)
I made a simple program in C++ that opens a message box in windows. My goal is to:

1. Encrypt the majority of the .TEXT section with an XOR 4A encryption (already did that). (I just chose 4A randomly.)

2. Change the entry point so when the program is opened it executes some assembly code that decrypts the .TEXT section, and then jumps to where the entry point was originally.

So this is where I'm at. I've made all the appropriate changes to the exe file (I think).
[image: screenshot of the modified executable, not available]
Now I'm trying to get the assembly code to plug in. I've learned assembly for the Sony PSP processor in the past, so I thought this wouldn't be too bad of a jump. This is what I've come up with:
Code:
MOV ECX,3CB31h                  ;How long to go
MOV EAX,4ah                     ;load secret secure decrypt code

decrypt:
MOV EBX,1240h                   ;Put on starting place
ADD EBX,ECX                     ;Add counter
XOR [EBX],EAX                   ;decrypt
loop decrypt

MOV EBX,1240h                   ;So we get that last address decrypted
XOR [EBX],EAX                   ;So we get that last address decrypted

MOV EAX,1240h                   ;Where real program starts
JMP EAX                         ;Jump to real, unencrypted program

It gives me this hex:
Code:
66 B9 31 CB 03 00 66 B8 4A 00 00 00 66 BB 40 12 00 00 66 01 CB 67 66 31 03 E2 F1 66 BB 40 12 00 00 67 66 31 03 66 B8 40 12 00 00 66 FF E0

So I put that in at my set entry point but it doesn't work. Is there something wrong with the code? Is there some type of address offset that I need to take into account?
LocoDelAssembly 21 Sep 2010, 03:16 (Your code has a bug; Joined: 06 May 2005, Posts: 4624, Location: Argentina)
If that is the full source then yes, you missed the "use32" part; fasm by default assembles 16-bit code unless otherwise specified (either with use* or by the format).

The other problem you have is the addresses: you are using the relative virtual addresses, but they are not the actual addresses at run-time. In the case of the first MOV EBX, it is "MOV EBX, 401240h" that you probably need (if the image base is 00400000).

PS: BTW, I think you want "MOV AL, 4Ah" instead of "MOV EAX, 4Ah" and also "XOR [EBX], AL" instead of "XOR [EBX], EAX"
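An added example (not from the thread or from fasm) that shows the RVA-versus-run-time-address point from the analyst's side: it reads ImageBase and the .text header from a PE32 file, checks that the entry point is inside .text, computes the run-time address as ImageBase + RVA (401240h for the values in the thread) and XOR-decodes the packed range statically, byte-wise as in "XOR [EBX], AL". The build_demo_pe helper constructs a minimal test image and is not a loadable program; the key 4Ah and the 0x1240 entry RVA are taken from the thread.

```python
import struct

def parse_pe(data):
    """Return (image_base, entry_rva, [(name, va, raw_size, raw_ptr), ...]) for a PE32."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled (the stub in the thread is 32-bit)")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    secs = []
    for i in range(nsec):
        name, _vsz, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, rsize, rptr))
    return image_base, entry_rva, secs

def unpack_text(data, key=0x4A):
    """XOR-decode .text from the original entry point to the section end (the range
    the thread's stub walks) and return (decoded_image, entry_va = ImageBase + RVA)."""
    image_base, entry_rva, secs = parse_pe(data)
    _name, va, rsize, rptr = next(s for s in secs if s[0] == ".text")
    if not va <= entry_rva < va + rsize:
        raise ValueError("entry point is not inside .text")
    out = bytearray(data)
    for off in range(rptr + (entry_rva - va), rptr + rsize):
        out[off] ^= key  # byte-wise XOR, i.e. the "XOR [EBX], AL" form
    return bytes(out), image_base + entry_rva

def build_demo_pe(text, image_base=0x400000, text_rva=0x1000, entry_rva=0x1240):
    """Constructed minimal PE32 (DOS header, PE headers, one .text section) used
    only as test input here; it is not a loadable program."""
    raw_ptr = 0x200  # headers need 0x40 + 4 + 20 + 224 + 40 = 352 bytes
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)  # ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), text_rva, len(text),
                      raw_ptr, 0, 0, 0, 0, 0x60000020)
    img = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return img + b"\0" * (raw_ptr - len(img)) + text
```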
evanejk 21 Sep 2010, 03:40 (Joined: 20 Sep 2010, Posts: 2)
LocoDelAssembly wrote:
If that is the full source then yes, you missed the "use32" part; fasm by default assembles 16-bit code unless otherwise specified (either with use* or by the format).

The other problem you have is the addresses: you are using the relative virtual addresses, but they are not the actual addresses at run-time. In the case of the first MOV EBX, it is "MOV EBX, 401240h" that you probably need (if the image base is 00400000).

PS: BTW, I think you want "MOV AL, 4Ah" instead of "MOV EAX, 4Ah" and also "XOR [EBX], AL" instead of "XOR [EBX], EAX"

Hmm. It still didn't work. I loaded the program into ollydbg and searched for one of the opcodes and nothing came up. I never really used olly before so I might be doing something wrong there. Any other ideas?
LocoDelAssembly 21 Sep 2010, 04:21 (Your code has a bug; Joined: 06 May 2005, Posts: 4624, Location: Argentina)
You don't need to search for the opcodes, if you correctly changed the entry point, then when you open the executable with olly, it should be pointing to "MOV ECX, 3CB31h" already (or "MOV CX, 0CB31h" followed by garbage if you are still forgetting to use "use32").

What error do you get? Access violation or invalid instruction or what? Could you show what you see in OllyDbg?
revolution 21 Sep 2010, 08:08 (When all else fails, read the source; Joined: 24 Aug 2004, Posts: 20363, Location: In your JS exploiting you and your system)
evanejk: Once you get your loop fixed up and working (it is broken as posted above) you will still have to account for the module base. The addresses you are using are relative, not absolute.
guignol 21 Sep 2010, 08:48 (Joined: 06 Dec 2008, Posts: 763)
Sorry, rev, but the search isn't very good in here; what are your works in code obfuscation?
Tomasz Grysztar 21 Sep 2010, 09:39 (Joined: 16 Jun 2003, Posts: 8356, Location: Kraków, Poland)
guignol wrote:
Sorry, rev, but the search isn't very good in here; what are your works in code obfuscation?
By putting "obfuscation" into "Search for Keywords" box, and "revolution" into "Search for Author", I get, among others, this post: http://board.flatassembler.net/topic.php?p=93017#93017
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.