Dave Prost, Posted May 31, 2011

Hi

I'm looking at a C++ program and have identified the changes I need to make, but I'm not sure how to do them. I'm not very well versed in assembly apart from the basics. I'm also using OllyDbg, which I'm not even sure is the best tool for the job.

The existing code looks like this...

00422777  8B00     MOV EAX,DWORD PTR DS:[EAX]
00422779  83F8 07  CMP EAX,7

And what I need to do is have EAX equal to 6, so I need to load it somehow. I'm thinking in line 422777, but when I try to bruteforce it I break the program, so I'm sure I'm doing it wrong.

Any help or suggestions would be welcomed.

Regards
DP
kao, Posted May 31, 2011

B8 06 00 00 00 (mov eax,6) is a 5-byte-long instruction. Obviously, you cannot replace a 2-byte-long instruction with a 5-byte-long one; it will mess up the next instruction. As a result, the `cmp` instruction gets replaced too, CPU flags are not set correctly and the next jump will not behave in the expected way. So, you need to find another place to modify, or another way to achieve the result you want. Posting a few more instructions before/after the ones you mentioned would be helpful.

Cheers, kao.
Dave Prost (Author), Posted May 31, 2011

Thanks as always, Kao.

What about this place? It's the area just before the call to the code I showed previously...

0042288A  |. 84C0           TEST AL,AL
0042288C  |. 0F84 8D000000  JE G-Record.0042291F
00422892  |. 8BC6           MOV EAX,ESI
00422894  |. E8 DEFEFFFF    CALL G-Record.00422777

Any way I could change the JE code to move 6 into ESI? Just a thought.

Regards
DP
kao, Posted May 31, 2011

"Any way I could change the JE code to move 6 into ESI?"

Of course you could, but it won't work - the reason why it won't you should find out yourself. Currently I don't see a simple way for you to achieve what you want, so... It's a good opportunity for you to learn about codecaves. Google is your friend, as always.
Dave Prost (Author), Posted May 31, 2011

Found this article re codecaves: http://www.codeproject.com/KB/cpp/codecave.aspx

It'll take me a few reads to even begin to get my head around it. It's frustrating because when I'm in Olly I can just change the register to 6 and the code runs fine. I just want to hard code that in there. Obviously you're the expert, and if you tell me a codecave is the only way then that's what I'll do. I'll keep reading and see where I get.

Thanks Kao
DP
Killboy, Posted May 31, 2011

If you know that eax only has the low 8 bits set (i.e. AL), you can set AL:

mov al, 6

(bytecodes A0 06 if I'm reading the x86 reference correctly). That only takes up 2 bytes. But it only works if values in eax are always (in sane scenarios) below 256.
kao, Posted May 31, 2011

Ok, I think I owe you some explanations. I didn't suggest patching at address 0042288A because it's unknown whether this jump is useful or not. Also, you don't need "to move 6 into ESI", you need to write the value 6 to the memory address pointed to by ESI. The proper instruction for that is "mov dword ptr [esi],6", which is 6 bytes long.

"If you know that eax only has the low 8 bits set (i.e. AL), you can set AL: mov al, 6 (bytecodes A0 06 if I'm reading the x86 reference correctly). That only takes up 2 bytes. But it only works if values in eax are always (in sane scenarios) below 256."

I didn't suggest 'mov al,6' for that exact reason - it has limitations. Here's one solution that won't break anything and will work the way you want. Make 2 patches:

00422892  31 C0  xor eax, eax
00422777  B0 06  mov al, 6

The first one sets EAX=0, the second one will make EAX=6, just like Killboy suggested. However, it's an ugly way and I really do not recommend it. Codecaves are the universal solution for such problems, even though they might be hard to grasp at first.
Dave Prost (Author), Posted May 31, 2011

Kao

I made the changes you suggested, although I didn't really understand them. The program threw an error. When I tried to debug it, it showed the error at...

0042288A  test al,al
0042288C  mov al,byte ptr ds:[A006A006h]
00422891  push es
00422892  xor eax,eax
...offset 42288c UNHANDLED EXCEPTION

DP
kao, Posted May 31, 2011

"0042288A  test al,al
0042288C  mov al,byte ptr ds:[A006A006h]
00422891  push es
00422892  xor eax,eax"

Obviously, you didn't patch it properly. Try again, and pay attention to which addresses you are changing.
Dave Prost (Author), Posted June 1, 2011

Thanks again, guys.

In the end I decided to just patch it as kao suggested initially. I simply replaced the two lines with one, which removed the cmp. The program ran fine, so I'm ok with it. Maybe not the most elegant solution, but it works, and codecaves are a bit beyond me at the moment.

Cheers
DP
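As an added example, not part of the thread: a small Python model of the listing quoted above and of the instruction encodings kao and Killboy discuss (the listing bytes are taken from the posts; `fit_patch` and the encoder helpers are my own names). It checks whether a patch fits on instruction boundaries at a given address and reports which instructions it overwrites, which is kao's length argument made mechanical. `mov_al_moffs_address` decodes opcode A0 (mov al,[moffs32], which consumes four address bytes; B0 is the 2-byte mov al,imm8 kao uses) to show how a run of A0 06 bytes becomes the `mov al,byte ptr ds:[A006A006h]` in the exception dump.

```python
import struct

# Listing reconstructed from the bytes quoted in the thread (address -> instruction bytes).
LISTING = {
    0x00422777: bytes.fromhex("8B00"),          # mov eax, dword ptr [eax]
    0x00422779: bytes.fromhex("83F807"),        # cmp eax, 7
    0x0042288A: bytes.fromhex("84C0"),          # test al, al
    0x0042288C: bytes.fromhex("0F848D000000"),  # je 0042291F
    0x00422892: bytes.fromhex("8BC6"),          # mov eax, esi
    0x00422894: bytes.fromhex("E8DEFEFFFF"),    # call 00422777
}

# Encoders for the instruction forms discussed in the thread (32-bit operand size).
def mov_eax_imm32(v):     return b"\xB8" + struct.pack("<I", v)      # 5 bytes
def mov_al_imm8(v):       return b"\xB0" + bytes([v])                 # 2 bytes
def xor_eax_eax():        return b"\x31\xC0"                          # 2 bytes
def mov_dword_ptr_esi(v): return b"\xC7\x06" + struct.pack("<I", v)  # 6 bytes

def fit_patch(listing, addr, new):
    """Return (patch padded with NOPs up to the next instruction boundary,
    addresses of the instructions it overwrites). Returns None if the patch
    would start inside an instruction or run past the known listing: both
    cases leave the CPU decoding garbage, as in the exception dump above."""
    if addr not in listing:
        return None
    end, a, clobbered = addr + len(new), addr, []
    while a < end:
        if a not in listing:
            return None
        clobbered.append(a)
        a += len(listing[a])
    return new + b"\x90" * (a - end), clobbered

def mov_al_moffs_address(code):
    """Opcode A0 is 'mov al, [moffs32]': the next four bytes are an absolute
    address, not an immediate. Decode that address from a raw byte string."""
    if len(code) < 5 or code[0] != 0xA0:
        raise ValueError("not a mov al,[moffs32] encoding")
    return struct.unpack("<I", code[1:5])[0]

if __name__ == "__main__":
    # kao's objection: a 5-byte mov eax,6 at 00422777 also overwrites the cmp.
    print(fit_patch(LISTING, 0x00422777, mov_eax_imm32(6)))
    # kao's two-patch solution: each patch overwrites exactly one instruction.
    print(fit_patch(LISTING, 0x00422892, xor_eax_eax()))
    print(fit_patch(LISTING, 0x00422777, mov_al_imm8(6)))
    # A0 06 repeated over the je, as the dump shows, decodes as a load from A006A006h.
    print(hex(mov_al_moffs_address(bytes.fromhex("A006A006A006"))))
```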