Hi!

I am trying to write code that would be injected into another process.
That code should create a file while reading the filename from the code segment, but when I
provide the API function with a proper buffer address the code receives an Access Violation :(.
I tried to set the data segment (DS) to the code segment (CS), but it didn't do the trick.

Please, does anyone know how such a thing can be done?

Here is some code to let you know what I want to do:

.code

start:
jmp main

filename db "c:\ggcache.log",0 ;I want to pass this data to the API function!!!
hFile dd 0
dwNum dd 0
buff db "DupA1234ziomex!",0

main:

invoke CreateFile,
offset filename,
GENERIC_WRITE,
FILE_SHARE_READ,
0,
OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
0

mov hFile,eax
Posted on 2004-03-29 15:37:03 by blackd0t
Hi,

Your code is apparently fine (or at least the part shown here). Are you sure the buffer you pass for reading/writing is long enough? When invoking API calls, try Addr for addresses instead of Offset.

Regards,

rsala
Posted on 2004-03-29 15:42:03 by rsala
Yes, the code seems right to me as well, as it assembles normally.
It works only when I put all the data into the ".data" thing.

The access violation is as follows:

"The instruction at '0x77f941c9' refers to memory at address '0xffffffff'. Memory cannot be 'read'"
Posted on 2004-03-29 15:46:05 by blackd0t
Hi,

It is obvious that you are passing a bad address somewhere. If you want to post code, I'll have a good look at it.

Bye,

rsala
Posted on 2004-03-29 15:51:00 by rsala
Hmm, ok, actually the CreateFile goes fine, but the problem is with

mov hFile,eax

It tells me that the memory cannot be written :(

When I put hFile into the '.data' segment everything goes smoothly, but the code like:

I'm using WinXP, btw.
Posted on 2004-03-29 15:57:11 by blackd0t
Hi blackd0t,

I think I know what the problem is. Try this


.data

filename db "c:\ggcache.log",0 ;I want to pass this data to the API function!!!
hFile dd 0
dwNum dd 0
buff db "DupA1234ziomex!",0


.code

start:
;jmp main

;main:

invoke CreateFile,
offset filename,
GENERIC_WRITE,
FILE_SHARE_READ,
0,
OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
0

mov hFile,eax


As you can see, a .data section has been added, where all the variables are. So you don't need the jmp main and the main label, which is why they are commented out. I guess it will work now.

Regards,

rsala
Posted on 2004-03-29 16:12:03 by rsala
Yes, rsala, thanks for the reply, but I knew that :).

I want to inject my code into another process, so there is no place for my own .data segment,
so I wanted to place all the variables in the .code segment, but as I see this memory is
read-only :(.
Posted on 2004-03-29 16:20:22 by blackd0t
If you are injecting code into a foreign process, you cannot use any direct references to code or data. This means access to non-local variables, calls to API functions (since they depend on the fixed location of an IAT), et cetera.

So... any static offsets must be fixed up. This can be done by writing a self-relocator, but the more common way is "the delta trick":


call delta              ; pushes the run-time address of 'delta' as the return address
delta:
pop ebp                 ; ebp = where 'delta' really is in this process
sub ebp, offset delta   ; minus where the assembler thought it was = load delta


From now on, every variable access must be done with EBP (or whatever register you chose) indirection. "mov eax, " becomes "mov eax, ", et cetera. Buffers should be allocated on the stack, rather than doing static storage.

API calls are where things become really interesting... A technique that should work on all current win32 versions (it might stop working in the future, but that's not very likely) is the following... every process must import from kernel32, and system DLLs are loaded at the same offset in all processes, both on 9x and NT (this doesn't mean you can use hardcoded offsets though; locations can change even between service packs).

Anyway, kernel32.dll is always loaded, and at the same address in all processes. Thus, you can GetProcAddress(hKernel32, "LoadLibraryA") and GetProcAddress(hKernel32, "GetProcAddress"), and store those two function pointers in the injected code. Those can then be called (indirectly through the delta register) to obtain any other API you want. Of course there are other methods too, like your own manual GetProcAddress etc., but this approach is simpler.

Then you'll have to either call the imports manually, or use some macros or typedef definitions to ease things.

If you want to do more than simple stuff with injected code, the best approach is to inject some very simple code that does LoadLibrary, and have all your injected code in the DLL - it simplifies things a LOT.
Posted on 2004-03-29 16:21:12 by f0dder
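The fixup step f0dder describes, worked through as an added example (this is not code from the thread, and it is portable C rather than the MASM of the posts). It models blackd0t's blob as a struct whose header carries absolute pointers to filename, hFile and buff, exactly the kind of static offsets that are wrong once the blob is copied to a different base. A relocation table lists those slots and blob_relocate() adds (actual_base - LINK_BASE) to each one, the self-relocator variant of the delta trick. The two kernel32 pointers the injector stores in the blob are deliberately left out of the table: per f0dder, kernel32 sits at the same base in every process, so they are valid in the target as-is. LINK_BASE, the struct layout, the function names and the K32 placeholder values are all hypothetical.

```c
/* Added example, not code from the thread: a self-relocating injected blob in
 * portable C. Blob-internal pointers get the delta; kernel32 pointers do not.
 * LINK_BASE, the layout and all names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LINK_BASE 0x00401000u   /* base the assembler assumed for the blob */

struct blob {
    /* slots the injector fills in; valid in the target without relocation */
    uint32_t k32_loadlibrarya;
    uint32_t k32_getprocaddress;
    /* absolute pointers into the blob's own data; these need the delta */
    uint32_t p_filename;
    uint32_t p_hfile;
    uint32_t p_buff;
    /* the data itself; must land in writable memory in the target,
     * since hfile is written at run time (blackd0t's original fault) */
    char     filename[16];
    uint32_t hfile;
    char     buff[16];
};

/* Relocation table: offset of every field holding a blob-internal address. */
static const size_t reloc_table[] = {
    offsetof(struct blob, p_filename),
    offsetof(struct blob, p_hfile),
    offsetof(struct blob, p_buff),
};
#define RELOC_COUNT (sizeof reloc_table / sizeof reloc_table[0])

/* Build the blob as the assembler would emit it, linked at LINK_BASE. */
void blob_build(struct blob *b)
{
    memset(b, 0, sizeof *b);
    b->p_filename = LINK_BASE + (uint32_t)offsetof(struct blob, filename);
    b->p_hfile    = LINK_BASE + (uint32_t)offsetof(struct blob, hfile);
    b->p_buff     = LINK_BASE + (uint32_t)offsetof(struct blob, buff);
    strcpy(b->filename, "c:\\ggcache.log");   /* 15 bytes incl. NUL, fits */
    strcpy(b->buff, "DupA1234ziomex!");       /* 16 bytes incl. NUL, fits */
}

/* Injector side: store the kernel32 pointers it resolved in its own process
 * (on Windows these would come from GetProcAddress(hKernel32, ...)). */
void blob_set_imports(struct blob *b, uint32_t loadlibrarya, uint32_t getprocaddress)
{
    b->k32_loadlibrarya   = loadlibrarya;
    b->k32_getprocaddress = getprocaddress;
}

/* Apply delta = actual_base - LINK_BASE to every table entry. uint32_t
 * arithmetic wraps, so a target base below LINK_BASE works too. Returns delta. */
uint32_t blob_relocate(struct blob *b, uint32_t actual_base)
{
    uint32_t delta = actual_base - LINK_BASE;
    unsigned char *raw = (unsigned char *)b;
    for (size_t i = 0; i < RELOC_COUNT; i++) {
        uint32_t v;
        memcpy(&v, raw + reloc_table[i], sizeof v);   /* alignment-safe load */
        v += delta;
        memcpy(raw + reloc_table[i], &v, sizeof v);
    }
    return delta;
}

/* Translate an address that is valid inside the target back to a pointer
 * into our local copy; NULL if it does not fall inside the blob. */
void *blob_deref(struct blob *b, uint32_t actual_base, uint32_t target_addr)
{
    uint32_t off = target_addr - actual_base;
    if (target_addr < actual_base || off >= sizeof *b)
        return NULL;
    return (unsigned char *)b + off;
}
```

On Windows the injector would allocate the target region with VirtualAllocEx (PAGE_EXECUTE_READWRITE, because hfile is written at run time), run blob_relocate() with that region's address, and only then WriteProcessMemory the blob and CreateRemoteThread at its entry. blob_deref() is the check worth keeping around: a pointer that still carries its link-time value is rejected, which is the class of bad address rsala suspected from the 0xffffffff fault.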
Whoa! Big thanks for this reply!

I think your solution will work! I'm going to look at it tomorrow, or rather today, but after school :).

Good Night!
Posted on 2004-03-29 16:38:29 by blackd0t
You can hop to http://f0dder.has.it and have a look at my XCOM patching stuff; I use the DLL form of patching there. C/Asm code, but you should be able to manage, it's mostly API calls anyway.
Posted on 2004-03-29 16:52:47 by f0dder
I patched GTA2 myself, but I had no problems as I didn't use API functions, and it is simpler when you modify your code later in SoftICE :).
Posted on 2004-03-30 08:41:59 by blackd0t
Whoa! BTW: I didn't know there was a port made of UFO: Enemy Unknown!!
This is a great game! Do you know from where it can be downloaded?
Posted on 2004-03-30 11:47:07 by blackd0t
blackd0t, especially the last post is outside the scope of this board - no warez talk here, please. I paid for the game at a local bookstore, all versions of XCOM for around $15.

And as for your GTA2 patch, don't mention it if it doesn't have a legit purpose.

Sorry if I sound harsh, but we want to keep this board alive, and violating international copyright rules doesn't really suit that goal very well :)
Posted on 2004-03-30 12:00:07 by f0dder
Ok, sorry, it's ok :).
My bad :D

Are game trainers illegal?
Posted on 2004-03-30 14:09:10 by blackd0t
Believe me or not, but yes, they are, even if they don't hurt anyone. Even my XCOM patcher, which brings nothing but benefits, also to the company, is "semi-illegal", because I did reverse engineering of the executable.

The weird thing is that, as far as I know (I Am Not A Lawyer), it was legal to do RE both in .eu and .us under some circumstances - RE'ers have even won lawsuits against companies suing them for RE'ing. But after the DMCA (Digital Millennium Copyright Act) was introduced, things have gotten very muddy.

And even if you don't reverse engineer but only use a memory scanner, this can be viewed as reverse engineering, too. So, better not mention these things directly on this board, we don't want any trouble.

My work is sorta okay, though - I contacted the company that bought the company that ported XCOM from the original company, and they basically told me it was okay but that I should contact somebody - whose email was broken. The fix has been spread widely since then and I've only heard (a lot) of positive things, so I assume I haven't done anything wrong :stupid:
Posted on 2004-03-30 14:45:07 by f0dder