Tuts 4 You

Access Violation Error


Dr.XJ


Posted (edited)

Hello everyone

I have an EXE file packed by ASPACK.

I want to write to a memory byte in real-time using asm code "mov byte ptr ds:[xxxxxxxx],xx"

But when I do so, I get an access violation error.

I checked the EXE with some PE editors; the code section flags were set to read/write/execute, so this isn't going to help me. What I need to do is change the memory access in real time by using asm code or any other way.

When I load the EXE in Olly and set memory mapping to full access, there is no access violation error.

I'll be pleased if anyone can help me. Thanks in advance.

Edited by Dr.XJ
Posted

Hi,

so if you want to write some code into a memory block like you said...

"mov byte ptr ds:[xxxxxxxx],xx"

...and you get an AV, then it can be that

1. Your mem address is not there [was changed to other mem block]

2. Mem block is write-protected

So in your case I would not use static addresses to write your code somewhere.

"mov byte ptr ds:[02900000],90" // not like this

So you should catch the place where your app allocated this memory block, which is dynamic. Let's say your app also used the VirtualAlloc API; then you can hook this API and read the used parameters, so this way you will always get the right memory block address. Or just follow the code after VirtualAlloc and see whether the app stored this mem block address somewhere in your main exe. If so, then you can try to read this store location.

PS: Flags can also be changed in real time. If you want to write some code on XY, then also use VirtualProtect on this code and set it to writeable.

greetz

Posted

If you used some inline patcher for ASPack, you should take care about this:

The stub will VirtualProtect the code section before jumping to OEP. You should find the point of calling VirtualProtect; I think there was a PUSH 1 near that, make it PUSH 2, it will set the code section as writable....

But the best solution is to upload your file here ;)

Posted

Thanks to both of you, dears.

I removed the call to VirtualProtect and it worked like a charm ;)
