flat assembler
Message board for the users of flat assembler.

Index > Main > code injection

Author
Thread Post new topic Reply to topic
Paul6253



Joined: 19 Oct 2003
Posts: 31
Location: NY
Paul6253 01 Feb 2004, 00:17
hi all, I had a need for writing opcode to a buffer and using is as a trampoline to other code.
any ideas on how to make this work?
code snippet below, thanks for help Smile

;trouble figurin' offset
mov al,???
mov byte [cave],0e9h
mov byte [cave+1],al
jmp cave

@i:
invoke MessageBox,0,test1,captioN,MB_OK
invoke ExitProcess,eax

cave:
;make this a jmp to @i
times 5 db ?

_________________
Plez xcuce mi spelng
Post 01 Feb 2004, 00:17
View user's profile Send private message Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8354
Location: Kraków, Poland
Tomasz Grysztar 01 Feb 2004, 00:40
Code:
mov byte [cave],c1
mov byte [cave+1],c2
jmp cave

@i:
invoke MessageBox,0,test1,captioN,MB_OK
invoke ExitProcess,eax

cave rb 5 ; make this a jmp to @i

virtual at cave
 jmp @i
 load c1 from cave
 load c2 from cave+1
end virtual    
Post 01 Feb 2004, 00:40
View user's profile Send private message Visit poster's website Reply with quote
Paul6253



Joined: 19 Oct 2003
Posts: 31
Location: NY
Paul6253 01 Feb 2004, 01:48
thats an interesting solution!
so the virtuel simulates the logic out of the load statements?

_________________
Plez xcuce mi spelng
Post 01 Feb 2004, 01:48
View user's profile Send private message Reply with quote
comrade



Joined: 16 Jun 2003
Posts: 1150
Location: Russian Federation
comrade 01 Feb 2004, 02:57
Here is what I use:
Code:
OFFSET equ
glFlushold    rb      05h

stdcall memcpy,OFFSET glFlushold,[glFlush],5
stdcall hook,[glFlush],OFFSET opengl32glFlush

memcpy:
 mov     esi,[esp+08h]
       mov     edi,[esp+04h]
       mov     ecx,[esp+0Ch]
       rep     movsb
       retn    0Ch

hook:
        mov     edx,[esp+04h]
       mov     eax,[esp+08h]
       sub     eax,edx
     sub     eax,5
       mov     byte [edx],0E9h
     mov     [edx+01h],eax
       retn    08h

opengl32glFlush:
     ; call
      push    esi edi
     stdcall memcpy,[glFlush],OFFSET glFlushold,5
        call    watermark
   pop     edi esi
     push    dword [esp]
 pop     [caller]
    mov     dword [esp],OFFSET .ret
     jmp     [glFlush]
.ret:  ; return
    push    eax
 stdcall hook,[glFlush],OFFSET opengl32glFlush
       mov     eax,[caller]
        xchg    eax,[esp]
   retn
    

_________________
comrade (comrade64@live.com; http://comrade.ownz.com/)
Post 01 Feb 2004, 02:57
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8354
Location: Kraków, Poland
Tomasz Grysztar 01 Feb 2004, 11:06
Paul6253 wrote:
thats an interesting solution!
so the virtuel simulates the logic out of the load statements?

"virtual" just generates some code as if it were under the specified address, but doesn't put this code in the output file; while "load" directive loads byte values from that code (while it still exists in memory during the assembly - note that it loads from its "current" address space, so "load from cave" loads byte from "cave" address within virtual block, but if you put that load outside the virtual block, it will load byte from the "cave rb 5" declaration) and these values can be used in other parts of code, as in this example.
Post 01 Feb 2004, 11:06
View user's profile Send private message Visit poster's website Reply with quote
Paul6253



Joined: 19 Oct 2003
Posts: 31
Location: NY
Paul6253 07 Feb 2004, 14:04
thats wicked man!
you still need to know the op-code length...
I mean the jmp is two-bytes so can load two byte registers
bit what if it was a 7 byte jump and you didnt know it?

_________________
Plez xcuce mi spelng
Post 07 Feb 2004, 14:04
View user's profile Send private message Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8354
Location: Kraków, Poland
Tomasz Grysztar 07 Feb 2004, 14:19
You can add some check so the code will warn you if you have not used all the bytes from virtual block.
Also you could make some more complex macros to generate sequence of mov's for code of any length. Let me know if you need some example. The above was just the most simple one to show how you can utilize "virtual" for such purposes (and it was assuming that the jump is short just like your initial code sample).
Post 07 Feb 2004, 14:19
View user's profile Send private message Visit poster's website Reply with quote
Paul6253



Joined: 19 Oct 2003
Posts: 31
Location: NY
Paul6253 07 Feb 2004, 14:50
yes, that would be nice...thankyou. I would like to
post more -- i have other stuff to say concerning this and it's relationship
with C++ function overloading feature.
regards,

_________________
Plez xcuce mi spelng
Post 07 Feb 2004, 14:50
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.