Tuts 4 You

how to insert read text in exe


midnewbie

Recommended Posts

Posted (edited)

hello dears

There is a program .exe whose functionality I want to change: I want to read a text file in the same directory and put it in memory. I am using OllyDbg.

Program runs, program state switches to my code ---> my code reads the text and puts it in memory ---> return to the program state.

what are the requirements

I mean it has a nice code cave.

what else?

I would appreciate it if you could give me the asm code which reads a text file and puts it in memory.

thanks.

Edited by midnewbie
Posted

If you are referring to assembler code, I would try coding these functions directly in OllyDbg:

CreateFileA

ReadFile

OllyDbg informs you about the arguments it needs for such functions.

If you analyse any executable, you'll probably find both functions being used, so try to get the same behaviour with your code...

Best regards

Nacho_dj

Posted (edited)

Yes, but I want more code snippets please.

And also, how do I switch from the program code to my code and return to the program code?

And what do I need besides a code cave?

Edited by midnewbie
Posted

A basic idea about assembler and its use within OllyDbg, plus an understanding of Win32 API and how they are called. To get these you need to read, read and read some more. Play with targets in OllyDbg until you get comfortable using the inbuilt assembler.

Asking somebody for a code example without even having an understanding of what it is you seek to do is pointless, because you won't learn anything except how to copy and paste code.

Generally speaking, Win32 API follow the __stdcall convention, meaning the parameters are pushed on the stack before the call is made, in reverse order, and the called function cleans the stack. This means that if you are looking at the Win32 help file or MSDN and the function looks like:


BOOL SomeFunction(LPVOID *Parameter1,LPVOID *Parameter2,LPVOID *Parameter3);

Then the assembled call would be something like:


PUSH Parameter3
PUSH Parameter2
PUSH Parameter1
CALL SomeFunction

I agree with Nacho_dj, the APIs I would be looking at are:


CreateFile
GetFileSize
LocalAlloc/GlobalAlloc/VirtualAlloc/HeapAlloc
ReadFile
CloseHandle

One final thing, when assembling code in OllyDbg, beware the use of absolute calls to functions OUTSIDE the main executable image. If you want to call an API, you either need to use a pre-existing slot in the IAT (where the API is called by the target app), extend the import table to include your function or use LoadLibrary/GetModuleHandle and GetProcAddress (or walk the export table yourself) to get the address of the API.

Then, in your code you can have:


CALL DWORD PTR [XXXXXXXX]

where XXXXXXXX is the address of the pointer to the API.

HR,

Ghandi
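Putting Ghandi's points together (stdcall argument order, the CreateFile/GetFileSize/alloc/ReadFile/CloseHandle sequence, and calling APIs through existing IAT slots) and midnewbie's question about getting from the program into the cave and back, here is an added worked example written for this page. It is not code from the thread or from any of its posters. It is 32-bit NASM-syntax text that corresponds line for line to what you would type into OllyDbg's assembler; the IAT slot addresses, the cave address, the return address, and the file name are all hypothetical and must be replaced with the real values from your target (find the slots in OllyDbg's Names window). It assumes every listed API already has an IAT slot in the target, and that the instruction at RETURN_ADDR-5 was a single 5-byte instruction you overwrote with `JMP cave_entry`.

```nasm
; Added example, not from the thread. 32-bit PE code cave that reads a text
; file into a fresh buffer and returns to the patched program.
[bits 32]

; --- hypothetical addresses: replace each with the real one from the target ---
%define IAT_CreateFileA   0x00402000   ; existing IAT slots (CALL DWORD PTR [slot])
%define IAT_GetFileSize   0x00402004
%define IAT_VirtualAlloc  0x00402008
%define IAT_ReadFile      0x0040200C
%define IAT_CloseHandle   0x00402010
%define RETURN_ADDR       0x00401005   ; first instruction after the 5-byte JMP we patched in
%define CAVE_BASE         0x00405000   ; start of the code cave (must be in an executable section)

; Win32 constants from the SDK headers
GENERIC_READ          equ 0x80000000
FILE_SHARE_READ       equ 1
OPEN_EXISTING         equ 3
FILE_ATTRIBUTE_NORMAL equ 0x80
MEM_COMMIT            equ 0x1000
MEM_RESERVE           equ 0x2000
PAGE_READWRITE        equ 4
INVALID_HANDLE_VALUE  equ -1
INVALID_FILE_SIZE     equ 0xFFFFFFFF

org CAVE_BASE

cave_entry:
    pushad                      ; save every register the host code may rely on
    pushfd                      ; ...and the flags, since CMP/TEST below clobber them

    ; hFile = CreateFileA(filename, GENERIC_READ, FILE_SHARE_READ, NULL,
    ;                     OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)
    ; stdcall: last parameter pushed first, callee cleans the stack
    push 0                              ; hTemplateFile
    push FILE_ATTRIBUTE_NORMAL          ; dwFlagsAndAttributes
    push OPEN_EXISTING                  ; dwCreationDisposition (never create the file)
    push 0                              ; lpSecurityAttributes
    push FILE_SHARE_READ                ; dwShareMode
    push GENERIC_READ                   ; dwDesiredAccess
    push filename                       ; lpFileName
    call dword [IAT_CreateFileA]
    cmp eax, INVALID_HANDLE_VALUE
    je done                             ; file missing: leave the program untouched
    mov ebx, eax                        ; EBX = hFile (callee-saved, survives the API calls)

    ; size = GetFileSize(hFile, NULL)
    push 0                              ; lpFileSizeHigh (files > 4 GiB not handled here)
    push ebx
    call dword [IAT_GetFileSize]
    cmp eax, INVALID_FILE_SIZE
    je close
    mov esi, eax                        ; ESI = size

    ; buf = VirtualAlloc(NULL, size + 1, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE)
    push PAGE_READWRITE
    push MEM_COMMIT | MEM_RESERVE
    lea eax, [esi + 1]                  ; one extra byte for a terminating NUL
    push eax
    push 0
    call dword [IAT_VirtualAlloc]
    test eax, eax
    jz close
    mov edi, eax                        ; EDI = buf
    mov [text_ptr], eax                 ; publish the buffer address for the host program

    ; ReadFile(hFile, buf, size, &bytes_read, NULL)
    push 0                              ; lpOverlapped
    push bytes_read                     ; lpNumberOfBytesRead (must not be NULL here)
    push esi                            ; nNumberOfBytesToRead
    push edi                            ; lpBuffer
    push ebx                            ; hFile
    call dword [IAT_ReadFile]
    test eax, eax
    jz close
    mov eax, [bytes_read]
    mov byte [edi + eax], 0             ; NUL-terminate what was actually read

close:
    push ebx
    call dword [IAT_CloseHandle]
done:
    popfd
    popad
    ; <re-execute the displaced original instruction here, byte for byte>
    jmp RETURN_ADDR                     ; back into the program as if nothing happened

filename   db "data.txt", 0             ; hypothetical file name
bytes_read dd 0
text_ptr   dd 0                         ; where the host program can pick up the buffer
```

Things to check before saving with OllyDbg's "Copy to executable": the cave must lie inside a section that is both present in the file (not only virtual) and marked executable, the data at the end of the cave must sit in writable memory (or move `bytes_read`/`text_ptr` into a writable section), and the displaced instruction must not be a relative jump or call, since its displacement would be wrong at the new address. CreateFileA resolves "data.txt" against the process's current directory, not the directory the .exe lives in, so build an absolute path (for example with GetModuleFileNameA) if the distinction matters. The VirtualAlloc'd buffer is never freed, which is fine for a one-shot read at start-up but leaks if the cave is reached repeatedly.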

Posted (edited)

Here is some from one of my crackmes:


00402CD5 . 6A 00 PUSH 0 ; /pOverlapped = NULL
00402CD7 . 8D43 10 LEA EAX, [DWORD DS:EBX+10] ; |
00402CDA . 50 PUSH EAX ; |pBytesRead
00402CDB . 8B43 08 MOV EAX, [DWORD DS:EBX+8] ; |
00402CDE . 50 PUSH EAX ; |BytesToRead
00402CDF . 8B43 14 MOV EAX, [DWORD DS:EBX+14] ; |
00402CE2 . 50 PUSH EAX ; |Buffer
00402CE3 . 8B03 MOV EAX, [DWORD DS:EBX] ; |
00402CE5 . 50 PUSH EAX ; |hFile
00402CE6 . E8 7DE5FFFF CALL <JMP.&kernel32.ReadFile> ; \ReadFile

00402D18 > 6A 00 PUSH 0 ; /pOverlapped = NULL
00402D1A . 8D4424 04 LEA EAX, [DWORD SS:ESP+4] ; |
00402D1E . 50 PUSH EAX ; |pBytesWritten
00402D1F . 56 PUSH ESI ; |nBytesToWrite
00402D20 . 8B43 14 MOV EAX, [DWORD DS:EBX+14] ; |
00402D23 . 50 PUSH EAX ; |Buffer
00402D24 . 8B03 MOV EAX, [DWORD DS:EBX] ; |
00402D26 . 50 PUSH EAX ; |hFile
00402D27 . E8 64E5FFFF CALL <JMP.&kernel32.WriteFile> ; \WriteFile

00402DEC . 6A 00 PUSH 0 ; /hTemplateFile = NULL
00402DEE . 68 80000000 PUSH 80 ; |Attributes = NORMAL
00402DF3 . 51 PUSH ECX ; |Mode
00402DF4 . 6A 00 PUSH 0 ; |pSecurity = NULL
00402DF6 . 52 PUSH EDX ; |ShareMode
00402DF7 . 50 PUSH EAX ; |Access
00402DF8 . 8D46 48 LEA EAX, [DWORD DS:ESI+48] ; |
00402DFB . 50 PUSH EAX ; |FileName
00402DFC . E8 3FE4FFFF CALL <JMP.&kernel32.CreateFileA> ; \CreateFileA

You need to pop it off into the heap, I think.

Edited by hiya
Posted

Thank you all for your help. Let me do it and I will come back if I have problems.
