Hi, who can help me?
I want to write SMC "self-modifying code" for Win32 applications
code like this:
-------------------------------
START:
    CALL MODIFY             ; patch BLAH before it is executed

BLAH:
    MOV AH,09h              ; DOS: print string (this MOV is the patch target)
    MOV DX,OFFSET HELLO
    INT 21h

MODIFY:
    MOV DI,OFFSET NEWBYTES  ; DI = address of the replacement bytes
    MOV WORD PTR [BLAH],DI  ; store over the first two bytes of BLAH
    RET

NEWBYTES:
    MOV AH,4Ch              ; DOS: terminate program (the bytes meant to replace MOV AH,09h)

HELLO DB "Hello World$"
--------------------------------
but I have difficulties writing SMC with MASM32 :(
Posted on 2003-05-31 01:28:30 by Balha
START:
    CALL MODIFY

BLAH:
    MOV AH, 09h                     ; B4 09: the two bytes that get replaced
    MOV DX, OFFSET HELLO
    INT 21h

MODIFY:
    MOV DI, WORD PTR [NEWBYTES]     ; load the replacement bytes themselves (B4 4C), not their offset
    MOV WORD PTR [BLAH], DI         ; overwrite MOV AH,09h with MOV AH,4Ch
    RET

NEWBYTES:
    MOV AH, 4Ch

HELLO DB "Hello World$"
A person who attempts to run when they do not know how to crawl will only flail about on the ground - except for the rug burns, it kind of looks like they are swimming. :)
Posted on 2003-05-31 02:20:20 by bitRAKE
You mean something like


    call delta
delta:
    pop ebx                         ; ebx = address of delta (delta offset trick)
    ...
    call finddebugger


finddebugger:
    add ebx,offset                  ; offset to IsDebuggerPresent
    lea edi,callfunction
    mov al,0ffh                     ; FF D3 = call ebx
    stosb
    mov al,0d3h
    stosb
    mov al,0C3h                     ; C3 = ret
    stosb
callfunction:
    nop                             ; three bytes, overwritten by the stosb's above
    nop
    nop
    popad
    popad
    popad
    ret



?
Posted on 2003-05-31 10:25:21 by roticv
Sorry for my disastrous English.
I know what the difference between Win32 and DOS apps is; it's just a simple
DOS example to explain to you what I really need.

donkey,
------------------------------------------------------------
...Like where you're moving the new OFFSET to,
it appears to overwrite your mov command.
------------------------------------------------------------

We call that SMC (replacing an instruction with another one),
and it's exactly what I need. I'm new to win32asm
and it seems that there is a different approach for Win32 apps.

Thanks roticv for your interest, :)

but pop ebx
and add ebx,offset ;offset to Isdebuggerpresent
are not clear enough for me.

And this is a disastrous SMC code (MASM32) that should normally display a message box,
but it didn't.


---------------------------------------------------------------------------------
.data
Titre db "anti-debug tricks",0
Texte db "example",0

.code
start:
    invoke newcode
oldcode:
    nop
    nop
    nop
    nop
    nop                     ; invoke MessageBox, NULL,addr Texte,addr Titre,MB_OK

    invoke ExitProcess,NULL

newcode:
    lea edi,oldcode         ; patch target (inside the code section)
    mov al,0e8h             ; E8 = CALL rel32 opcode
    stosb
    mov al,007h             ; rel32 = 7, low byte first
    stosb
    mov al,000h
    stosb
    mov al,000h
    stosb
    mov al,000h
    stosb
    mov al,000h             ; sixth byte: one more than a 5-byte CALL holds
    stosb
    ret

end start
---------------------------------------------------------------------

:confused:
Posted on 2003-05-31 16:49:14 by Balha
Balha, Win32 doesn't like writing in the code section (defaults to read-only) - I use the stack, but you could change the linker settings.
Posted on 2003-05-31 16:54:39 by bitRAKE
newcode:

    lea edi,oldcode
    mov al,0e8h
    stosb
    mov al,007h
    stosb
    mov al,000h
    stosb
    mov al,000h
    stosb
    mov al,000h
    stosb
    mov al,000h
    stosb
    ret

If the above code is supposed to generate the hex bytes equivalent to the invoke MessageBox, NULL,addr Texte,addr Titre,MB_OK instruction, I would think that you are short quite a number of bytes. For instance, the MessageBox function needs 4 parameters which are expected to be on the stack. This means 4 push instructions requiring 2 or more bytes each.

Assuming that the bytes you are inserting would effectively call the MessageBox function, (a) it would not have the data to display as expected and (b) would probably crash due to a page fault trying to access data outside the allowed range.

Raymond
Posted on 2003-05-31 23:16:02 by Raymond
There is also one


    mov al,000h
    stosb


too many, isn't there?!
Posted on 2003-06-01 01:53:55 by david
How about this? It works on my computer :) :

(It is the first time I use the VirtualProtect API, so can anybody confirm I use it correctly??)



.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.data

szErr   db "error virtualprotect",0
szTitle db "smc test",0
szText  db "hello world",0

.data?
oldProt dd ?

.code
start:

    mov esi, (ProgramEnd-start)                 ; size of the code we are going to patch
    invoke VirtualProtect, offset start, esi, PAGE_EXECUTE_READWRITE, ADDR oldProt ; make the code section writable (address is rounded down to a page)
    test eax, eax
    jnz _patch
    invoke MessageBox, NULL, ADDR szErr, ADDR szErr, MB_OK ; error: show it and quit (pass pointers, not the string bytes)
    jmp _end

_patch:
    lea edi, _change
    mov al, 0e8h                                ; CALL rel32 opcode
    stosb
    mov eax, offset MessageBox                  ; address of the MessageBoxA import thunk
    sub eax, offset _end                        ; rel32 is relative to the end of the 5-byte CALL, i.e. _end; computed, not hard-coded
    stosd                                       ; written little-endian

    invoke VirtualProtect, offset start, esi, oldProt, ADDR oldProt ; restore the old protection settings

_msgBox:
    push NULL                                   ; uType (MB_OK = 0)
    push offset szTitle
    push offset szText
    push NULL                                   ; hWnd
_change:
    nop                                         ; 5 bytes, replaced at run time by 'call MessageBox'
    nop
    nop
    nop
    nop
_end:
    invoke ExitProcess, NULL
ProgramEnd:

end start
Posted on 2003-06-01 02:05:20 by david
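As an added example (not code from this thread, and in C rather than MASM so it runs on either side of the Windows/POSIX divide), here are the two lessons of this thread in one program: the CALL displacement is computed from the end of the 5-byte instruction instead of being hard-coded, and the page protection is toggled around the write, with VirtualProtect on Windows exactly as in david's code and mprotect standing in for it elsewhere. The page of NOPs that plays the role of a code section is constructed for the example, and all function and variable names are my own.

```c
/* smc_patch.c: build with  cc -O2 -o smc_patch smc_patch.c  (or cl /O2 on Windows) */
#define _DEFAULT_SOURCE 1
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif

#define CALL_LEN 5   /* E8 xx xx xx xx */

/* Encode "CALL rel32" placed at `site` and targeting `target`.
 * The displacement is relative to the END of the instruction (site + 5), which
 * is why a hard-coded constant only works for one particular linker layout.
 * Returns 0 on success, -1 if the target is outside +/-2 GiB (possible on 64-bit). */
int encode_call_rel32(uintptr_t site, uintptr_t target, uint8_t out[CALL_LEN]) {
    int64_t disp = (int64_t)target - (int64_t)(site + CALL_LEN);
    if (disp > INT32_MAX || disp < INT32_MIN)
        return -1;
    uint32_t rel = (uint32_t)(int32_t)disp;
    out[0] = 0xE8;
    out[1] = (uint8_t)(rel);          /* little-endian: low byte first */
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
    return 0;
}

/* The rel32 field of the encoded CALL as an unsigned value, or -1 if out of range. */
int64_t call_rel32_value(uintptr_t site, uintptr_t target) {
    uint8_t b[CALL_LEN];
    if (encode_call_rel32(site, target, b) != 0)
        return -1;
    return (int64_t)((uint32_t)b[1] | (uint32_t)b[2] << 8 | (uint32_t)b[3] << 16 | (uint32_t)b[4] << 24);
}

/* Overwrite `len` bytes of code at `site`: make the page(s) writable, copy the
 * bytes, restore execute permission and flush the instruction cache.
 * mprotect needs a page-aligned address and returns no "old protection", so the
 * POSIX branch assumes the code was R-X, as a normal text section is.
 * Returns 0 on success, -1 on failure. */
int patch_code(void *site, const uint8_t *bytes, size_t len) {
#ifdef _WIN32
    DWORD old = 0;
    if (!VirtualProtect(site, len, PAGE_EXECUTE_READWRITE, &old))
        return -1;
    memcpy(site, bytes, len);
    if (!VirtualProtect(site, len, old, &old))
        return -1;
    FlushInstructionCache(GetCurrentProcess(), site, len);
    return 0;
#else
    uintptr_t page  = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t begin = (uintptr_t)site & ~(page - 1);          /* round down to the page */
    size_t    span  = (size_t)(((uintptr_t)site + len) - begin);
    if (mprotect((void *)begin, span, PROT_READ | PROT_WRITE) != 0)
        return -1;
    memcpy(site, bytes, len);
    if (mprotect((void *)begin, span, PROT_READ | PROT_EXEC) != 0)
        return -1;
    __builtin___clear_cache((char *)site, (char *)site + len);
    return 0;
#endif
}

/* Constructed demo (not a real program's text section): one page of NOPs mapped
 * R-X, then a CALL from offset 16 to offset 64 is patched in. Copies the five
 * patched bytes to `out` and returns 0, or -1 on failure. */
int demo_patch_call_site(uint8_t out[CALL_LEN]) {
    const size_t size = 4096;
    uint8_t *code;
#ifdef _WIN32
    DWORD old = 0;
    code = (uint8_t *)VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (code == NULL) return -1;
    memset(code, 0x90, size);                                  /* 0x90 = NOP */
    if (!VirtualProtect(code, size, PAGE_EXECUTE_READ, &old)) return -1;
#else
    code = (uint8_t *)mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (code == MAP_FAILED) return -1;
    memset(code, 0x90, size);
    if (mprotect(code, size, PROT_READ | PROT_EXEC) != 0) return -1;
#endif
    uint8_t *site = code + 16, *target = code + 64;
    uint8_t call[CALL_LEN];
    int rc = encode_call_rel32((uintptr_t)site, (uintptr_t)target, call);
    if (rc == 0) rc = patch_code(site, call, CALL_LEN);
    if (rc == 0) memcpy(out, site, CALL_LEN);                  /* page is readable again */
#ifdef _WIN32
    VirtualFree(code, 0, MEM_RELEASE);
#else
    munmap(code, size);
#endif
    return rc;
}

/* Byte `i` of the patched CALL from the demo, or -1 on failure. */
int demo_patched_byte(int i) {
    uint8_t b[CALL_LEN];
    if (i < 0 || i >= CALL_LEN || demo_patch_call_site(b) != 0) return -1;
    return b[i];
}

int main(void) {
    uint8_t b[CALL_LEN];
    if (demo_patch_call_site(b) != 0) { puts("patch failed"); return 1; }
    printf("patched bytes:");
    for (int i = 0; i < CALL_LEN; i++) printf(" %02X", b[i]);
    putchar('\n');                                             /* E8 2B 00 00 00 */
    return 0;
}
```

Two caveats a practitioner should keep in mind: on the POSIX branch the page is not executable while it is being written, so any other thread running that code at that moment faults (the Windows branch keeps it RWX for the duration, as the thread's MASM code does), and on hardened systems that refuse to make anonymous memory executable the mprotect to R-X fails and the demo reports an error rather than crashing.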