Dr.XJ, Posted April 6, 2012 (edited)

Hello everyone,

I have an EXE file packed by ASPack. I want to write to a memory byte in real time using the asm code "mov byte ptr ds:[xxxxxxxx],xx", but when I do so, I get an access violation error.

I checked the EXE with some PE editors; the code section flags were set to read/write/execute, so this isn't going to help me. What I need to do is change the memory access in real time by using asm code or any other way.

When I load the EXE in Olly and set the memory mapping to full access, there is no access violation error.

I'll be pleased if anyone can help me. Thanks in advance.

Edited April 6, 2012 by Dr.XJ

LCF-AT, Posted April 6, 2012

Hi,

so if you want to write some code into a memory block like you said... "mov byte ptr ds:[xxxxxxxx],xx" ...and you get an AV, then it can be that:

1. Your mem address is not there [was changed to other mem block]
2. Mem block is write | protected

So in your case I would not use static addresses to write your code somewhere.

"mov byte ptr ds:[02900000],90" // not like this

So you should catch the place where your app allocated this memory block, which is dynamic. Let's say your app also used the VirtualAlloc API; then you can hook this API and read the used parameters, so this way you will always get the right used memory block address. Or just follow the code after VirtualAlloc and see whether the app stored this mem block address somewhere in your main exe. If so, then you can try to read this store location.

PS: Flags can also be changed in real time. If you want to write some code on XY, then also use VirtualProtect on this code and set it to writeable.

greetz

Raham, Posted April 6, 2012

If you used some inline patcher for ASPack, you should take care about this: the stub will VirtualProtect the code section before the jump to OEP. You should find the point of calling VirtualProtect; I think there was a PUSH 1 near that, make it PUSH 2, and it will set the code section as writable...

But the best solution is to upload your file here ;)

Dr.XJ (Author), Posted April 6, 2012

Thanks to both of you, dears. I removed the call to VirtualProtect and it worked like a charm.