Hello everyone!
This is my second post here; as I see it, this is a very great board! Congratulations to everyone!!
Well... I'll describe my problem...
I've written some code to allocate memory in another process and inject some ASM instructions into this allocated memory. So far everything is OK! Now I have the pointer to this allocated memory.
So far everything is OK.
There's a place in the other process that has an ASM instruction like this:
FF 15 64 BB 68
where the 0xFF represents a CALL to 0x68bb64.
Then I simply replace the "64 BB 68" with the new pointer that I've allocated. That should work, anh? But I'm getting an Access Violation when the program tries to call the new location...
Why does this happen? Please, could someone help me out with this =)
Thank you!!!
It should be
FF 15 64 BB 68 00
and not
FF 15 64 BB 68
Access violation means either that memory does not have the correct permission to execute code or that you are calling the wrong address.
Yes, it is, I just forgot to mention the 0x00! Sorry.
If I patch my own process I don't get an Access Violation. But if I do this in NotePad.exe (for example), I get an Access Violation. What conclusions can you draw? Could it be a wrong address or no access to the memory?
Make use of VirtualProtectEx to change the permissions of the memory.
IIRC,
FF 15 12 34 56 78
is
call dword ptr [78563412]
so possibly you don't want to change this address, but the content of it?
japheth, I want to change the address, not the content.
That's because I've allocated some code in the other process and I want to change that CALL to call my code instead of the original call. But I really don't want to put a JMP inside the original function that it's calling, because the original function does not exist: it's CALLing a nonexistent address, so my program will fix it; it will call the code that I've allocated instead of CALLing the nonexistent address.
I've used it, but the protection was already PAGE_EXECUTE_READ_WRITE.
That's strange, in my own process it works, but in another process it does not work... grrrrr
No, FF 15 64 BB 68 00 is not a call to 68BB64h. It calls the address read from the DWORD at 68BB64h. Therefore you have to put the new address at this location. Or, if that doesn't exist either, replace it with a direct call and a NOP, or with an indirect call to a pointer that you place in the allocated memory.
Annnn!!!! That's it!!! I was using OllyDbg to see what was happening and it's true! So, I'll have to use E8 64 BB 68 00 90? I'm still learning ASM...
I'm new here on this forum, but as I see it I'll stay here for a long time! Very good quality! Congratz to everyone!
No. The address is relative to the position of the call.
Call is encoded as
E8 followed by dword
Where the following dword is the displacement, i.e. the address to call is the current offset + displacement.
Ohh... Isn't there a CALL to an absolute position, where I give the address that I want it to call?
No. Unless you want far calls.
Try something like
push address
call [esp]
add esp, 4
Isn't there another way to do this? Like... Will it work if I write the address that I want to call, as a Dword at position 0064BB68, and do a FF 15 68 BB 64?
Yes that would do too.
Hummm, I got it, people!!
I've put a relative address.... LoL!!!
It's working now!
Congratz to all of you!!
People, one more thing...
I'm in the offset 0x009E0013.
The instruction is: E8 E8FF0000
and the disassembled version of this line is: CALL 009F0000
How did the disassembler get the address "0x009F0000" from this: "E8FF0000"??? :?
Thank you!
"E8FF0000" is a negative number.
So... how did it get 009F0000 from that negative number?
I am sorry. I made a mistake... Too sleepy
9E0013 + FF8E = 9EFFFB
9EFFFB + 5 (length of the call) = 9F0000
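The arithmetic above, and the earlier point that FF 15 calls through a pointer while E8 calls relative to the next instruction, as an added example that is not part of the thread: a small C program that decodes and encodes both CALL forms, taking the thread's own bytes (the CALL at 0x009E0013 encoded E8 E8FF0000, and FF 15 64 BB 68 00) as inputs. It also resolves an FF 15 through a constructed memory image to show why writing a code address into the FF 15 operand faults: the CPU reads the first four code bytes as the pointer. The memory image, the 0x00C20000 slot value and the 55 8B EC 90 code bytes are constructed values, not from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian load/store, the byte order x86 uses for immediates and displacements. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* E8 rel32: target = address of the NEXT instruction (call + 5) + signed
   displacement. Unsigned 32-bit arithmetic wraps modulo 2^32, which is exactly
   the CPU's two's-complement behaviour, so a negative (backward) displacement
   needs no special casing. */
uint32_t rel32_target(uint32_t call_addr, const uint8_t ins[5]) {
    return call_addr + 5 + rd32(ins + 1);
}

/* Build the 5-byte E8 call that, placed at call_addr, reaches target. */
void encode_rel32(uint32_t call_addr, uint32_t target, uint8_t out[5]) {
    out[0] = 0xE8;
    wr32(out + 1, target - (call_addr + 5));
}

/* Encode then decode; returns 1 if the round trip reproduces target. */
int rel32_roundtrip(uint32_t call_addr, uint32_t target) {
    uint8_t ins[5];
    encode_rel32(call_addr, target, ins);
    return rel32_target(call_addr, ins) == target;
}

/* FF 15 disp32 in 32-bit mode: the operand is the ABSOLUTE address of a dword
   slot; the CPU calls whatever that slot contains, not the slot address itself. */
uint32_t indirect_slot(const uint8_t ins[6]) {
    return rd32(ins + 2);
}

/* Resolve an FF 15 call through a memory image covering [base, base + len).
   Returns 1 and stores the target, or 0 if the slot lies outside the image
   (in a real process that unreadable slot is the access violation). */
int indirect_target(const uint8_t ins[6], const uint8_t *mem, uint32_t base,
                    size_t len, uint32_t *target) {
    uint32_t slot = indirect_slot(ins);
    if (slot < base || (uint64_t)slot + 4 > (uint64_t)base + len) return 0;
    *target = rd32(mem + (slot - base));
    return 1;
}

int main(void) {
    /* From the thread: CALL at 0x009E0013 encoded E8 E8 FF 00 00. */
    const uint8_t call_bytes[5] = {0xE8, 0xE8, 0xFF, 0x00, 0x00};
    printf("E8 at 009E0013 -> %08X\n", rel32_target(0x009E0013, call_bytes));

    uint8_t back[5];   /* constructed backward call: negative displacement */
    encode_rel32(0x00401000, 0x00400F00, back);
    printf("call 00400F00 from 00401000 -> E8 %02X %02X %02X %02X\n",
           back[1], back[2], back[3], back[4]);

    /* Constructed image: 0x100 bytes at 0x0068BB00, with the pointer slot at
       0x0068BB64 (the thread's FF 15 operand) holding a constructed target. */
    uint8_t image[0x100] = {0};
    wr32(image + 0x64, 0x00C20000);
    const uint8_t ind[6] = {0xFF, 0x15, 0x64, 0xBB, 0x68, 0x00};
    uint32_t t;
    if (indirect_target(ind, image, 0x0068BB00, sizeof image, &t))
        printf("FF 15 [0068BB64] -> calls %08X\n", t);

    /* The thread's mistake: pointing the FF 15 operand at the injected code.
       The CPU reads the first four code bytes as the pointer. Constructed
       code bytes: 55 8B EC 90 (push ebp / mov ebp,esp / nop). */
    uint8_t code[0x10] = {0x55, 0x8B, 0xEC, 0x90};
    const uint8_t bad[6] = {0xFF, 0x15, 0x00, 0x00, 0xC2, 0x00}; /* [00C20000] */
    if (indirect_target(bad, code, 0x00C20000, sizeof code, &t))
        printf("FF 15 [00C20000] over code -> calls %08X (garbage)\n", t);
    return 0;
}
```

The decoder reproduces the reply's sum: 0x9E0013 + 5 + 0xFFE8 = 0x9F0000. The same function handles a backward call because the wrapped displacement 0xFFFFFEFB is just -0x105 in two's complement.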
Hummmmmm, it's working now!!!
Wuhuuuu! Thank you!