minh Posted October 8, 2022

I want to use UrlDownloadToFileA in my patch. After I patch the code and restart the PE, the <call UrlDownloadToFileA> always changes to <call some weird address>. I compared the patch and the source call function; they are different, as in the pictures:

call <JMP.&URLDownloadToFileA> (source)
call <urlmon.URLDownloadToFileA> (patch)

How do I make the patch instruction the same as the source?
tonyweb Posted October 8, 2022 (edited)

The fact that your bytes "change" between restarts might indicate you're writing inside a block where relocations (a.k.a. fixups) are applied: make sure you deal with them correctly (or move your code).

Generally speaking, using a direct call to call an API is not the way to go, because when you assemble such a call, you're wrongly requiring the address of that API to be the same on every system ... and usually that's not the case.

You should do like the (source) and do a call x, where x is the address where you can find a JMP [y] instruction, where y is the address, in the IAT, of the URLDownloadToFileA address saved by the Windows loader. You could also assemble a "call [x]" where x is still the in-IAT address location.

Try to look at/analyze the "(source)" call more carefully ...

Hope this helps

Regards,
Tony

Edited October 9, 2022 by tonyweb
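The two effects Tony describes, a direct call whose bytes get "fixed up" by the loader when the image is rebased, and the IAT-based call that survives rebasing, can be reproduced without a debugger. The following is an added example written for this thread; it is not code from either poster. It works on a constructed in-memory image (a few bytes of code, one hand-built base relocation block, one IAT slot), and every address in it (preferred base 0x400000, code RVA 0x1000, IAT slot RVA 0x2010, the fake urlmon export address) is an assumption chosen for illustration.

```python
"""Direct call vs. call through the IAT in a relocatable PE image.

Added example for the thread (not the posters' code). The image, the
.reloc block and the IAT slot are constructed here so it runs offline;
all RVAs and base addresses are assumptions for illustration only.
"""
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, loader skips it
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address (x86 images)
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address (x64 images)
FIXUP_SIZE = {IMAGE_REL_BASED_HIGHLOW: 4, IMAGE_REL_BASED_DIR64: 8}


def encode_call_rel32(call_va, target_va):
    """E8 rel32: direct call, displacement relative to the next instruction."""
    return b"\xe8" + struct.pack("<i", target_va - (call_va + 5))


def encode_call_iat_x86(iat_slot_va):
    """FF 15 abs32: call dword ptr [slot]. The operand is an absolute VA,
    so a relocatable x86 image needs a HIGHLOW fixup at instruction+2."""
    return b"\xff\x15" + struct.pack("<I", iat_slot_va)


def encode_call_iat_x64(call_va, iat_slot_va):
    """FF 15 rel32: call qword ptr [rip+disp]. RIP-relative: no fixup needed."""
    return b"\xff\x15" + struct.pack("<i", iat_slot_va - (call_va + 6))


def parse_base_relocations(blob):
    """Return [(rva, type)] from IMAGE_BASE_RELOCATION blocks:
    DWORD PageRVA, DWORD SizeOfBlock, then WORD entries (type<<12 | offset)."""
    out, pos = [], 0
    while pos + 8 <= len(blob):
        page_rva, size = struct.unpack_from("<II", blob, pos)
        if size < 8:
            break
        for off in range(pos + 8, pos + size, 2):
            (entry,) = struct.unpack_from("<H", blob, off)
            typ, offset = entry >> 12, entry & 0xFFF
            if typ != IMAGE_REL_BASED_ABSOLUTE:
                out.append((page_rva + offset, typ))
        pos += size
    return out


def fixups_overlapping(relocs, patch_rva, patch_len):
    """Fixups whose target bytes intersect the patched range (the check to
    run before writing a patch: any hit means the loader will rewrite it)."""
    return [(rva, typ) for rva, typ in relocs
            if rva < patch_rva + patch_len and patch_rva < rva + FIXUP_SIZE.get(typ, 0)]


def apply_fixups(image, relocs, preferred_base, actual_base):
    """What the loader does when the image is not at its preferred base:
    add the delta to every fixup target. Image is indexed by RVA."""
    delta, img = actual_base - preferred_base, bytearray(image)
    for rva, typ in relocs:
        if typ == IMAGE_REL_BASED_HIGHLOW:
            (v,) = struct.unpack_from("<I", img, rva)
            struct.pack_into("<I", img, rva, (v + delta) & 0xFFFFFFFF)
        elif typ == IMAGE_REL_BASED_DIR64:
            (v,) = struct.unpack_from("<Q", img, rva)
            struct.pack_into("<Q", img, rva, (v + delta) & 0xFFFFFFFFFFFFFFFF)
    return bytes(img)


def call_target_rel32(image, rva, base):
    """Decode where an E8 call at `rva` lands once the image is mapped at `base`."""
    (rel,) = struct.unpack_from("<i", image, rva + 1)
    return base + rva + 5 + rel


PREFERRED_BASE = 0x00400000   # assumed ImageBase
CODE_RVA = 0x1000             # assumed location of the patch
IAT_SLOT_RVA = 0x2010         # assumed IAT entry for urlmon!URLDownloadToFileA


def reloc_block(page_rva, offset):
    """One constructed .reloc block: one HIGHLOW fixup plus a pad entry."""
    return struct.pack("<II", page_rva, 12) + struct.pack("<HH", (3 << 12) | offset, 0)


def build_image(patch):
    img = bytearray(0x3000)
    img[CODE_RVA:CODE_RVA + len(patch)] = patch
    return bytes(img)


def demo_direct_call_breaks(actual_base=0x10000000):
    """E8 call written over an existing fixup (original code had an absolute
    address at CODE_RVA+1). Returns (overlapping fixups, expected, actual target)."""
    relocs = parse_base_relocations(reloc_block(0x1000, CODE_RVA + 1 - 0x1000))
    patch = encode_call_rel32(PREFERRED_BASE + CODE_RVA, PREFERRED_BASE + 0x1020)
    loaded = apply_fixups(build_image(patch), relocs, PREFERRED_BASE, actual_base)
    return (fixups_overlapping(relocs, CODE_RVA, len(patch)),
            actual_base + 0x1020, call_target_rel32(loaded, CODE_RVA, actual_base))


def demo_iat_call(actual_base=0x10000000, api_va=0x76A51234):
    """call [IAT slot] with its own fixup. Returns (slot VA after rebasing,
    address the call dereferences to), which is whatever the loader put in the slot."""
    patch = encode_call_iat_x86(PREFERRED_BASE + IAT_SLOT_RVA)
    relocs = parse_base_relocations(reloc_block(0x1000, CODE_RVA + 2 - 0x1000))
    img = bytearray(build_image(patch))
    struct.pack_into("<I", img, IAT_SLOT_RVA, api_va)   # loader-resolved export (assumed value)
    loaded = apply_fixups(bytes(img), relocs, PREFERRED_BASE, actual_base)
    (slot_va,) = struct.unpack_from("<I", loaded, CODE_RVA + 2)
    (target,) = struct.unpack_from("<I", loaded, slot_va - actual_base)
    return slot_va, target
```

`demo_direct_call_breaks()` shows the symptom from the first post: the E8 displacement is a relative value that needs no fixup, but because the patch overlaps a HIGHLOW entry left over from the original instruction, the loader adds the rebase delta to it and the call lands at a nonsense address. `demo_iat_call()` is the fix Tony suggests in its `call [x]` form: the only absolute value is the IAT slot address, which has its own fixup, and the call resolves to whatever the loader stored in the slot, so it does not depend on where urlmon.dll is mapped. For the `call x` / `JMP [y]` thunk form, the thunk's `FF 25` operand is encoded exactly like `encode_call_iat_x86`/`encode_call_iat_x64` and the call to the thunk is a plain `encode_call_rel32`. Before writing either variant into a real binary, run `fixups_overlapping` over the target range and either move the patch or update the .reloc section accordingly.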
minh Posted October 8, 2022 (Author)

2 hours ago, tonyweb said:

The fact that your bytes "change" between restarts might indicate you're writing inside a block where relocations (a.k.a. fixups) are applied: make sure you deal with them correctly (or move your code). Generally speaking, using a direct call to call an API is not the way to go, because when you assemble such a call, you're wrongly requiring the address of that API to be at that same address on every system ... and usually that's not the case. You should do like the (source) and do a call x, where x is the address where you can find a JMP [y] instruction, where y is the address, in the IAT, of the URLDownloadToFileA address saved by the Windows loader. You could also assemble a "call [x]" where x is still the in-IAT address location. Try to look at/analyze the "(source)" call more carefully ... Hope this helps. Regards, Tony

Thank you so much for your precious advice. I got there!