Jump to content
Tuts 4 You

Assebly Modification

Dave Prost

By Dave Prost
in Programming and Coding

Recommended Posts

Dave Prost

Dave Prost

Posted
Posted

Hi

I'm looking at a C++ program and have identified the changes I need to make but I'm not sure how to do them. I'm not very well versed in assembly apart from the basics. I'm also using ollydbg which i'm not even sure is the best tool for the job.

The existing code looks like this...


00422777     8B00                    MOV EAX,DWORD PTR DS:[EAX]
00422779     83F8 07                 CMP EAX,7

And what I need to do is have EAX equal to 6 so I need to load it somehow. I'm thinking in line 422777 but when i try to bruteforce it I break the program so I'm sure I'm doing it wrong.

Any help or suggestions would be welcomed.

Regards

DP

Link to comment
kao

kao

Posted
Posted 

B8 06 00 00 00  mov eax,6

is 5 bytes long intruction. Obviously, you cannot replace 2 bytes long instruction with 5 bytes long, it will mess up next instruction. As a result, `cmp` instruction get replaced too, CPU flags are not set correctly and next jump will not behave in the expected way.

So, you need to find another place to modify, or another way to achieve the result you want. Posting a few more instructions before/after the ones you mentioned would be helpful. :)

Cheers,

kao.

Link to comment
Dave Prost

Dave Prost

Posted
  • Author
Posted

Thanks as alwasy Kao :D

What about this place? It's the area just before the call to the code I showed previous...


0042288A  |. 84C0                    TEST AL,AL
0042288C  |. 0F84 8D000000           JE G-Record.0042291F
00422892  |. 8BC6                    MOV EAX,ESI
00422894  |. E8 DEFEFFFF             CALL G-Record.00422777

Any way I could change the JE code to move 6 into ESI? Just a thought.

Regards

DP

Link to comment
kao

kao

Posted
Posted

Any way I could change the JE code to move 6 into ESI

Of course you could, but it won't work - the reason why it won't you should find out yourself.

Currently I don't see a simple way for you to achieve what you want, so... It's a good opportunity for you to learn about codecaves. :) Google is your friend, as always.

Link to comment
Dave Prost

Dave Prost

Posted
  • Author
Posted

Found this article re codecaves.


http://www.codeproject.com/KB/cpp/codecave.aspx

It'll take me a few reads to even begin to get my head around it :D

It's frustrating because when I'm in olly I can just change the register to 6 and the code runs fine. I just want to hard code that in there. Obviously you're the expert and if you tell me a codecave is the only way then that's what I'll do.

I'll keep reading and see where I get.

Thanks Kao

DP

Link to comment
Killboy

Killboy

Posted
Posted

If you know that eax only has the low 8 bits set (ie. AL), you can set AL:

mov al, 6

(bytecodes A0 06 if I'm reading the x86 reference correctly)

That only takes up 2 bytes.

But only works if values in eax are always (in sane scenarios) below 256

Link to comment
kao

kao

Posted
Posted

Ok, I think I owe you some explanations. :)

I didn't suggest patching at address 0042288A because it's unknown whether this jump is useful or not.

Also, you don't need `to move 6 into ESI`, you need to write value 6 to memory address pointed by ESI. Proper instruction for that is "mov dword ptr [esi],6" which is 6 bytes long.

If you know that eax only has the low 8 bits set (ie. AL), you can set AL:

mov al, 6

(bytecodes A0 06 if I'm reading the x86 reference correctly)

That only takes up 2 bytes.

But only works if values in eax are always (in sane scenarios) below 256

I didn't suggest 'mov al,6' for that exact reason - it has limitations. :)

Here's one solution that won't break anything and will work the way you want. Make 2 patches:


00422892  31 C0 xor eax, eax
00422777  B0 06 mov al, 6

First one sets EAX=0, second one will make EAX=6 just like Killboy suggested. However, it's an ugly way and I really do not recommend it. Codecaves are the universal solution for such problems, even though they might be hard to grasp at first.

Link to comment
Dave Prost

Dave Prost

Posted
  • Author
Posted

Kao

I made the changes you suggested although I didn't really understand them. The program through an error. When I tried to debug it showed the error at...


0042288A  test        al,al  
0042288C  mov         al,byte ptr ds:[A006A006h]  
00422891  push        es  
00422892  xor         eax,eax

...offset 42288c UNHANDLED EXCEPTION

DP

Link to comment
kao

kao

Posted
Posted 

0042288A  test        al,al  
0042288C  mov         al,byte ptr ds:[A006A006h]  
00422891  push        es  
00422892  xor         eax,eax

Obviously, you didn't patch it properly. Try again, and pay attention to which addresses you are changing. ;)

Link to comment
Dave Prost

Dave Prost

Posted
  • Author
Posted

Thanks again guys.

In the end I decided to just patch it as kao suggested initially. I simply replaced the two lines with one which removed the cmp. The program ran fine so I'm ok with it. Maybe not the most elegant solution but it works and codecaves are a bit beyond me at the moment.

Cheers

DP

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...