Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Using dll function in patch

minh
minh
in x64dbg

Featured Replies

Posted

I wanna use UrlDownloadToFileA in my patch. After I patch the the code and restart the PE, the <call UrlDownloadToFileA> always changes to <call some wired address>. I compared the patch and the source call function, they are different as that in the pictures:

call <JMP.&URLDownloadToFileA>         (source)

call <urlmon.URLDownloadToFileA>       (patch)

How to make the patch instruction same as the source?

 

Snipaste_2022-10-08_12-44-13.png

aaa.png

The fact that your bytes "change" between restarts, might indicate you're writing inside a block where relocations (a.k.a. fixups) are applied: make sure you deal with them correctly (or move your code).

Generally speaking, using a direct call to call an API is not the way to go, cause when you assemble such a call, you're wrongly requiring the address of that API to be the same on every system ... and usually it's  not the case.

You should do like the (source) and do a call x, where x is the address where you can find a JMP [y] instruction where y is the address, in the IAT, of the URLDownloadToFileA address saved by Windows loader.

You could also assemble a "call [x]" where x is still the in-IAT address location.

Try to look/analyze better the "(source)" call ... 

Hope this helps

Regards,
Tony
 

Edited by tonyweb

    • Like 1
    • Author
    2 hours ago, tonyweb said:

    The fact that your bytes "change" between restarts, might indicate you're writing inside a block where relocations (a.k.a. fixups) are applied: make sure you deal with them correctly (or move your code).

    Generally speaking, using a direct call to call an API is not the way to go, cause when you assemble such a call, you're wrongly requiring the address of that API will be at that same address on every system ... and usually it's  not the case.

    You should do like the (source) and do a call x, where x is the address where you can find a JMP [y] instruction where y is the address, in the IAT, of the URLDownloadToFileA address saved by Windows loader.

    You could also assemble a "call [x]" where x is still the in-IAT address location.

    Try to look/analyze better the "(source)" call ... 

    Hope this helps

    Regards,
    Tony
     

    Thank you so much for your precious advice. I got there!

    Snipaste_2022-10-08_20-59-47.png

    Create an account or sign in to comment

    Go to topic listing

    Configure browser push notifications
    Chrome (Android)
    1. Tap the lock icon next to the address bar.
    2. Tap Permissions → Notifications.
    3. Adjust your preference.
    Chrome (Desktop)
    1. Click the padlock icon in the address bar.
    2. Select Site settings.
    3. Find Notifications and adjust your preference.