Hello everyone!

This is my second post here; as I see, this is a very great board! Congratulations to everyone!!

Well... I'll describe my problem...
I've done some code to allocate some memory in another process and inject some ASM instructions into this allocated memory. Now I have the pointer to this allocated memory.
So far everything is OK.

There's a place in the other process that has an ASM instruction like this:

FF 15 64 BB 68

where the 0xFF represents a CALL to 0x68bb64.

Then I simply change the "64 BB 68" to my new pointer that I've allocated. That should work, huh? But I'm getting an Access Violation when the program tries to call the new location...


Why does this happen? Please, someone help me out with this =)
Thank you!!!
Posted on 2004-09-09 07:18:40 by Nildo
It should be

FF 15 64 BB 68 00

and not

FF 15 64 BB 68

Access violation means either that memory does not have the correct permission to execute code or that you are calling the wrong address.
Posted on 2004-09-09 07:38:40 by roticv
It should be

FF 15 64 BB 68 00

and not

FF 15 64 BB 68


Yes, it is, I just forgot to mention the 0x00! Sorry.


Access violation means either that memory does not have the correct permission to execute code or that you are calling the wrong address.


If I patch my own process I don't get an Access Violation. But if I do this in NotePad.exe (for example), I get an Access Violation. What conclusions can you draw? Could it be a wrong address or no access to the memory?
Posted on 2004-09-09 07:44:21 by Nildo
Make use of VirtualProtectEx to change the permissions of the memory.
Posted on 2004-09-09 08:22:08 by roticv
IIRC,

FF 15 12 34 56 78

is

call dword ptr [78563412]

so possibly you don't want to change this address, but the content of it?
Posted on 2004-09-09 08:29:58 by japheth
japheth, I want to change the address, not the content.
That's because I've allocated some code in the other process and I want to change that CALL to call my code instead of the original call. But I really don't want to put a JMP inside the original function that it's calling, because the original function does not exist; it's CALLing a nonexistent address, so my program will fix it: it will call the code that I've allocated instead of CALLing the nonexistent address.
Posted on 2004-09-09 08:39:12 by Nildo
Make use of VirtualProtectEx to change the permissions of the memory.

I've used it, but the protection was already PAGE_EXECUTE_READWRITE.

That's strange; in my own process it works, but in another process it does not work... grrrrr
Posted on 2004-09-09 08:42:40 by Nildo
No, FF 15 64 BB 68 00 is not a call to 68BB64h. It calls the address read from the DWORD at 68BB64h. Therefore you have to put the new address at this location. Or, if that doesn't exist either, replace it with a direct call and a NOP, or with an indirect call to a pointer that you place in the allocated memory.
Posted on 2004-09-09 11:44:40 by Sephiroth3
No, FF 15 64 BB 68 00 is not a call to 68BB64h. It calls the address read from the DWORD at 68BB64h. Therefore you have to put the new address at this location. Or, if that doesn't exist either, replace it with a direct call and a NOP, or with an indirect call to a pointer that you place in the allocated memory.


Ahhh!!!! That's it!!! I was using OllyDbg to see what was happening and it's true! So, I'll have to use E8 64 BB 68 00 90? I'm still learning ASM...

I'm new here on this forum, but as I see, I'll stay here for a long time! Very good quality! Congrats to everyone!
Posted on 2004-09-09 11:51:26 by Nildo
No. The address is relative to the position of the call.

Call is encoded as

E8 followed by dword

where the following dword is the displacement, i.e. the address to call is current offset + displacement.
Posted on 2004-09-09 12:01:20 by roticv
Ohh... Isn't there a CALL to an absolute position, that I give the address that I want it to call?
Posted on 2004-09-09 12:05:34 by Nildo
No. Unless you want far calls.

Try something like


push address
call [esp]
add esp, 4
Posted on 2004-09-09 12:10:23 by roticv
Isn't there another way to do this? Like... will it work if I write the address that I want it to call, as a dword at position 0064BB68, and do a FF 15 68 BB 64?
Posted on 2004-09-09 12:18:00 by Nildo
Yes that would do too.
Posted on 2004-09-09 12:31:57 by roticv
Hmmm, I got it, people!!
I'd put a relative address.... LoL!!!

It's working now!
Congrats to all of you!!
Posted on 2004-09-09 12:36:23 by Nildo
People, one more thing...

I'm in the offset 0x009E0013.
The instruction is: E8 E8FF0000
and the disassembled version of this line is: CALL 009F0000

How did the disassembler get the address "0x009F0000" from this: "E8FF0000"??? :?

Thank you!
Posted on 2004-09-09 12:52:00 by Nildo
"E8FF0000" is a negative number.
Posted on 2004-09-09 12:56:25 by roticv
So.. how did it get 009F0000 from that negative number?
Posted on 2004-09-09 13:01:14 by Nildo
I am sorry. I made a mistake... Too sleepy.

I'm in the offset 0x009E0013.
The instruction is: E8 E8FF0000
and the disassembled version of this line is: CALL 009F0000
9E0013 + FF8E = 9EFFFB
9EFFFB + 5 (length of the call) = 9F0000
Posted on 2004-09-09 13:12:19 by roticv
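The two encodings discussed in this thread (E8 rel32, which is relative to the end of the 5-byte instruction, and FF 15 abs32, whose operand is the address of a DWORD holding the target rather than the target itself) are exactly what a disassembler or a patch-auditing tool has to resolve when it reports where a CALL goes. The following Python is an added example, not code from anyone in the thread; it decodes both forms, re-encodes an E8 call from a wanted target, and checks the numbers in roticv's worked calculation. The memory contents behind the FF 15 pointer (the DWORD at 0x0068BB64) and the backward-call addresses are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class CallInfo:
    kind: str                      # "rel32" (E8 disp32) or "indirect" (FF 15 [abs32])
    length: int                    # instruction length in bytes (5 or 6)
    target: Optional[int]          # resolved call target, None if memory was not available
    pointer: Optional[int] = None  # FF 15 only: address of the DWORD that holds the target


def decode_call(code: bytes, address: int,
                read_dword: Optional[Callable[[int], int]] = None) -> CallInfo:
    """Decode a 32-bit x86 CALL whose opcode byte sits at `address`.

    E8 rel32:    target = address + 5 + rel32, rel32 little-endian and signed,
                 i.e. relative to the *next* instruction, not to the E8 byte.
    FF 15 abs32: the operand is a pointer; the target is the DWORD stored there,
                 which is why overwriting the operand alone does not redirect the call.
    """
    if len(code) >= 5 and code[0] == 0xE8:
        disp = struct.unpack_from("<i", code, 1)[0]
        return CallInfo("rel32", 5, (address + 5 + disp) & 0xFFFFFFFF)
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x15:
        ptr = struct.unpack_from("<I", code, 2)[0]
        target = read_dword(ptr) if read_dword is not None else None
        return CallInfo("indirect", 6, target, pointer=ptr)
    raise ValueError("not an E8 or FF 15 CALL: %s" % code[:6].hex())


def encode_call_rel32(address: int, target: int) -> bytes:
    """Inverse of decode_call for E8: bytes for `CALL target` placed at `address`."""
    disp = target - (address + 5)
    if not -2**31 <= disp < 2**31:
        raise ValueError("target out of rel32 range")
    return b"\xE8" + struct.pack("<i", disp)


# Constructed memory image for the FF 15 case: the DWORD at 0x0068BB64 (the pointer
# from the thread) holds 0x00401000; that value is made up for this example.
CONSTRUCTED_MEMORY = {0x0068BB64: 0x00401000}


def read_dword(addr: int) -> int:
    return CONSTRUCTED_MEMORY[addr]


if __name__ == "__main__":
    # The thread's example: E8 E8 FF 00 00 at 0x009E0013 -> CALL 0x009F0000
    info = decode_call(bytes.fromhex("E8E8FF0000"), 0x009E0013)
    print("E8 at 009E0013 -> %08X (len %d)" % (info.target, info.length))
    # FF 15 64 BB 68 00: operand is a pointer, target comes from memory
    info = decode_call(bytes.fromhex("FF1564BB6800"), 0x00400000, read_dword)
    print("FF 15 -> pointer %08X, target %08X" % (info.pointer, info.target))
    # A backward call (constructed addresses) shows the signed displacement
    back = encode_call_rel32(0x00401000, 0x00400F00)
    print("CALL 00400F00 at 00401000 encodes as", back.hex().upper())
```

Running the decoder on the thread's bytes gives 0x009F0000 because 0x009E0013 + 5 + 0xFFE8 = 0x009F0000; the displacement is positive here, and the backward call in the last step shows the negative case (E8 FB FE FF FF). For the FF 15 form, the decoder reports both the pointer and the value read through it, which is the distinction Sephiroth3 made.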
Hmmmmm, it's working now!!!
Woohoo! Thank you!
Posted on 2004-09-09 14:10:57 by Nildo