Ok hello everyone, I'm attempting some complicated stuff. I want to patch asm code in a process using WriteProcessMemory. My write buffer begins with 0xE8 (call byte) and my DWORD offset, 5 bytes all together. My friend said I need the offset to be MyFunctionLocation - FunctionCallLocation. Can anyone shed any light on what my friend said? The code I'm overwriting with my call is my C++ DLL code: __asm{nop nop nop nop nop}.

Another thing: what would be the best way to cast the 4 bytes of my DWORD to a string? Will wsprintf work ok?

Thx in advance
Posted on 2004-03-08 18:03:37 by Jaboo
Do you have MyFunctionLocation loaded into the process as well? You would want to do E9 (jmp), not E8. If you are overwriting an API function (first five bytes) and then return, you will probably crash on an invalid instruction, or somewhere else. You need to use jmp (E9) instead, which jumps to your hook. In your hook, you do your work, then restore the five bytes used for the jmp to the original bytes. You swap the return address with your "hook reinstaller", which will again write the jmp over the original bytes.
Posted on 2004-03-08 19:50:20 by comrade
The 5 bytes are not a function, just some asm operation related to the process. My function, with nops to pad out 5 bytes, is in my DLL along with my hook-initiate code. I can't use jump because the operation I'm hooking happens about 16 times; it needs to be there all the time.
Posted on 2004-03-08 19:57:46 by Jaboo
What does it matter if it is called 16 times?
Posted on 2004-03-08 23:25:37 by comrade
MyFunctionLocation - FunctionCallLocation: is this the correct DWORD that I should call with?

It does matter because I only want to write over 1 statement.
Posted on 2004-03-09 10:02:31 by Jaboo
Okay. You have two addresses, the callopcode-addr and destination-addr.
The call is 5 bytes long, and destination is relative to the end of the
call opcode. Thus, the 32bit immediate is calculated this way:

immed = destination-addr - (opcode-start + 5)
Posted on 2004-03-09 10:24:22 by f0dder

Okay. You have two addresses, the callopcode-addr and destination-addr.
The call is 5 bytes long, and destination is relative to the end of the
call opcode. Thus, the 32bit immediate is calculated this way:

immed = destination-addr - (opcode-start + 5)

Big thanks! What would be the best, most efficient way to, erm, cast my DWORD to a char array ready to WriteProcessMemory with?
Posted on 2004-03-09 12:03:57 by Jaboo


Big thanks! What would be the best, most efficient way to, erm, cast my DWORD to a char array ready to WriteProcessMemory with?
What are you talking about?? WriteProcessMemory does not require that you format anything as a string, it just wants a pointer to a buffer full of data. You could PUSH your 4 bytes (DWORD) onto the stack, then pass esp as the pointer to the buffer.

Something to note: i know that in this case you have located the exact sequence of bytes you want to replace, but in general it is not good practice to replace a group of bytes in the middle of a function, you should instead replace the bytes immediately at the start of the function. If you replace them in the middle, you will GPF nine times out of ten.
Posted on 2004-03-10 06:32:58 by sluggy
sluggy,

I think he is referring to coding in C whereby there's something called typecasting which is a pain in the ass to me.
Posted on 2004-03-10 06:53:14 by roticv


WriteProcessMemory(..... (char *) &imm32 ...)


or


WriteProcessMemory(..... reinterpret_cast<char*>(&imm32) ....)   // static_cast cannot convert DWORD* to char*; reinterpret_cast is the C++ cast for unrelated pointer types

Which is the new-age way of doing things in C++.
The '...' means "fill in the rest of the parameters yourself" :)
Posted on 2004-03-10 08:47:02 by f0dder
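Putting f0dder's formula (immed = destination - (opcode-start + 5)) and the "no string formatting, just a buffer of bytes" point together, here is an added example that is not code from the thread: it builds the 5-byte E8 patch, decodes it back (the check a hook scanner would run), and shows the buffer being handed to WriteProcessMemory. The addresses 0x401000 and 0x10001230 are constructed sample values, and the WriteProcessMemory call is left as a comment so the example compiles off Windows.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the thread): build and decode the 5-byte E8 near
 * relative CALL.  The rel32 is relative to the END of the call, so
 * immed = dst - (src + 5), exactly as f0dder wrote.  32-bit addresses. */
#define CALL_LEN 5u

/* Unsigned subtraction wraps mod 2^32: a backwards call needs no sign fixup. */
static uint32_t call_rel32(uint32_t src, uint32_t dst)
{
    return dst - (src + CALL_LEN);
}

/* Fill out[0..4] with E8 <rel32, little-endian>.  This byte array is what
 * WriteProcessMemory's lpBuffer (LPCVOID) wants: no string formatting and
 * no char* cast needed. */
static void build_call_patch(uint32_t src, uint32_t dst, uint8_t out[CALL_LEN])
{
    uint32_t rel = call_rel32(src, dst);
    out[0] = 0xE8;
    for (unsigned i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Where a CALL at src lands: the check an inline-hook scanner runs. */
static uint32_t decode_call_target(const uint8_t patch[CALL_LEN], uint32_t src)
{
    uint32_t rel = 0;
    for (unsigned i = 0; i < 4; i++)
        rel |= (uint32_t)patch[1 + i] << (8 * i);
    return src + CALL_LEN + rel;
}

/* Round trip: 1 if the patch for src -> dst decodes back to dst. */
static int patch_roundtrip_ok(uint32_t src, uint32_t dst)
{
    uint8_t patch[CALL_LEN];
    build_call_patch(src, dst, patch);
    return patch[0] == 0xE8 && decode_call_target(patch, src) == dst;
}

int main(void)
{
    uint8_t patch[CALL_LEN];   /* constructed addresses: NOPs at 0x401000, hook at 0x10001230 */
    build_call_patch(0x00401000u, 0x10001230u, patch);
    /* Real program: WriteProcessMemory(hProc, (LPVOID)0x00401000u, patch, CALL_LEN, &n); */
    printf("%02X %02X %02X %02X %02X\n", patch[0], patch[1], patch[2], patch[3], patch[4]);
    return 0;
}
```

For the sample addresses the patch comes out as E8 2B 02 C0 0F, and a hook placed below its call site simply yields a wrapped (0xF…) rel32.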
void __declspec(naked) BlankBytes() {

__asm {
nop            // five one-byte NOPs: the 5-byte slot the E8 call will be written over
nop
nop
nop
nop
ret            // a naked function gets no compiler-generated epilogue, so return explicitly
}
}

Does this seem ok?
Posted on 2004-03-10 09:07:27 by Jaboo
I guess so... as long as you reference it inside your app and it doesn't get inlined or optimized away. There's some __forcenoinline, or perhaps it was a pragma, to handle this in Visual C++.
Posted on 2004-03-10 09:37:45 by f0dder

sluggy,

I think he is referring to coding in C whereby there's something called typecasting which is a pain in the ass to me.


Why is he asking here then?
Posted on 2004-03-10 14:54:17 by comrade