Tuts 4 You

Assembly Modification


Dave Prost


Dave Prost

Hi

I'm looking at a C++ program and have identified the changes I need to make, but I'm not sure how to do them. I'm not very well versed in assembly apart from the basics. I'm also using OllyDbg, which I'm not even sure is the best tool for the job.

The existing code looks like this...


00422777 8B00 MOV EAX,DWORD PTR DS:[EAX]
00422779 83F8 07 CMP EAX,7

And what I need to do is have EAX equal to 6, so I need to load it somehow. I'm thinking in line 422777, but when I try to brute-force it I break the program, so I'm sure I'm doing it wrong.

Any help or suggestions would be welcomed.

Regards

DP


B8 06 00 00 00 mov eax,6

is a 5-byte-long instruction. Obviously, you cannot replace a 2-byte-long instruction with a 5-byte-long one; it will mess up the next instruction. As a result, the `cmp` instruction gets replaced too, CPU flags are not set correctly and the next jump will not behave in the expected way.

So, you need to find another place to modify, or another way to achieve the result you want. Posting a few more instructions before/after the ones you mentioned would be helpful. :)

Cheers,

kao.

Dave Prost

Thanks as always Kao :D

What about this place? It's the area just before the call to the code I showed previously...


0042288A |. 84C0 TEST AL,AL
0042288C |. 0F84 8D000000 JE G-Record.0042291F
00422892 |. 8BC6 MOV EAX,ESI
00422894 |. E8 DEFEFFFF CALL G-Record.00422777

Any way I could change the JE code to move 6 into ESI? Just a thought.

Regards

DP


Any way I could change the JE code to move 6 into ESI

Of course you could, but it won't work - the reason why it won't, you should find out yourself.

Currently I don't see a simple way for you to achieve what you want, so... It's a good opportunity for you to learn about codecaves. :) Google is your friend, as always.

Dave Prost

Found this article re codecaves.


http://www.codeproject.com/KB/cpp/codecave.aspx

It'll take me a few reads to even begin to get my head around it :D

It's frustrating because when I'm in olly I can just change the register to 6 and the code runs fine. I just want to hard code that in there. Obviously you're the expert and if you tell me a codecave is the only way then that's what I'll do.

I'll keep reading and see where I get.

Thanks Kao

DP


If you know that eax only has the low 8 bits set (ie. AL), you can set AL:

mov al, 6

(bytecodes A0 06 if I'm reading the x86 reference correctly)

That only takes up 2 bytes.

But only works if values in eax are always (in sane scenarios) below 256


Ok, I think I owe you some explanations. :)

I didn't suggest patching at address 0042288A because it's unknown whether this jump is useful or not.

Also, you don't need `to move 6 into ESI`, you need to write the value 6 to the memory address pointed to by ESI. The proper instruction for that is "mov dword ptr [esi],6", which is 6 bytes long.

If you know that eax only has the low 8 bits set (ie. AL), you can set AL:

mov al, 6

(bytecodes A0 06 if I'm reading the x86 reference correctly)

That only takes up 2 bytes.

But only works if values in eax are always (in sane scenarios) below 256

I didn't suggest 'mov al,6' for that exact reason - it has limitations. :)

Here's one solution that won't break anything and will work the way you want. Make 2 patches:


00422892 31 C0 xor eax, eax
00422777 B0 06 mov al, 6

The first one sets EAX=0, the second one will make EAX=6, just like Killboy suggested. However, it's an ugly way and I really do not recommend it. Codecaves are the universal solution for such problems, even though they might be hard to grasp at first.

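To make the length constraint kao describes concrete, here is an added Python model (not code from the thread or from any poster) that treats the posted listing as a table of instruction lengths and reports which whole instructions a candidate patch overwrites; it also covers a patch spanning several consecutive instructions, which the listing alone does not show. Addresses and opcode bytes are the ones posted above; the register helpers assume only the AL/EAX semantics kao and Killboy describe.

```python
from typing import Dict, List, Optional, Tuple

# Constructed from the disassembly posted in this thread: address -> (opcode
# bytes, mnemonic). Assumption: nothing else about the binary is known, so
# these six instructions are the whole model.
LISTING: Dict[int, Tuple[bytes, str]] = {
    0x00422777: (bytes.fromhex("8B00"), "mov eax, dword ptr [eax]"),
    0x00422779: (bytes.fromhex("83F807"), "cmp eax, 7"),
    0x0042288A: (bytes.fromhex("84C0"), "test al, al"),
    0x0042288C: (bytes.fromhex("0F848D000000"), "je 0042291F"),
    0x00422892: (bytes.fromhex("8BC6"), "mov eax, esi"),
    0x00422894: (bytes.fromhex("E8DEFEFFFF"), "call 00422777"),
}


def instructions_replaced(addr: int, new_bytes: bytes) -> Optional[List[str]]:
    """Mnemonics a patch overwrites, or None when it starts or ends inside an
    instruction; leftover bytes then decode as unrelated instructions."""
    replaced: List[str] = []
    covered = 0
    while covered < len(new_bytes):
        entry = LISTING.get(addr + covered)
        if entry is None:  # not on an instruction boundary
            return None
        replaced.append(entry[1])
        covered += len(entry[0])
    return replaced if covered == len(new_bytes) else None


def mov_al(eax: int, imm8: int) -> int:
    """'mov al, imm8' (B0 ib) writes only the low byte of EAX."""
    return (eax & 0xFFFFFF00) | (imm8 & 0xFF)


def xor_eax_eax(eax: int) -> int:
    """'xor eax, eax' (31 C0) clears the whole register."""
    return 0


def kao_two_patch_result(eax_before: int) -> int:
    """kao's pair: xor at 00422892 runs before the call, mov al,6 at 00422777
    runs inside it, so EAX ends up 6 whatever it held before."""
    return mov_al(xor_eax_eax(eax_before), 6)


if __name__ == "__main__":
    print(instructions_replaced(0x00422777, bytes.fromhex("B806000000")))
    print(hex(mov_al(0x12345678, 6)), kao_two_patch_result(0x12345678))
```

A 5-byte `mov eax,6` at 00422777 reports both the `mov` and the `cmp` as overwritten, which is exactly the clobbered compare kao warns about.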
Dave Prost

Kao

I made the changes you suggested, although I didn't really understand them. The program threw an error. When I tried to debug it, it showed the error at...


0042288A test al,al
0042288C mov al,byte ptr ds:[A006A006h]
00422891 push es
00422892 xor eax,eax

...offset 42288c UNHANDLED EXCEPTION

DP


0042288A test al,al
0042288C mov al,byte ptr ds:[A006A006h]
00422891 push es
00422892 xor eax,eax

Obviously, you didn't patch it properly. Try again, and pay attention to which addresses you are changing. ;)

Dave Prost

Thanks again guys.

In the end I decided to just patch it as kao suggested initially. I simply replaced the two lines with one, which removed the cmp. The program ran fine, so I'm OK with it. Maybe not the most elegant solution, but it works, and codecaves are a bit beyond me at the moment.

Cheers

DP
