Posted October 8, 2022

I wanna use URLDownloadToFileA in my patch. After I patch the code and restart the PE, the <call URLDownloadToFileA> always changes to <call some weird address>. I compared the patch and the source call instruction; they are different, as in the pictures:

call <JMP.&URLDownloadToFileA> (source)
call <urlmon.URLDownloadToFileA> (patch)

How do I make the patch instruction the same as the source?
October 8, 2022

The fact that your bytes "change" between restarts might indicate you're writing inside a block where relocations (a.k.a. fixups) are applied: make sure you deal with them correctly (or move your code).

Generally speaking, using a direct call to call an API is not the way to go, because when you assemble such a call, you're wrongly requiring the address of that API to be the same on every system ... and usually that's not the case.

You should do like the (source) and do a call x, where x is the address where you can find a JMP [y] instruction, and y is the address, in the IAT, of the URLDownloadToFileA address saved by the Windows loader. You could also assemble a "call [x]" where x is still the in-IAT address location.

Try to look at/analyze the "(source)" call more closely ...

Hope this helps

Regards,
Tony

Edited October 9, 2022 by tonyweb
October 8, 2022 (Author)

2 hours ago, tonyweb said:

> The fact that your bytes "change" between restarts might indicate you're writing inside a block where relocations (a.k.a. fixups) are applied: make sure you deal with them correctly (or move your code). Generally speaking, using a direct call to call an API is not the way to go, because when you assemble such a call, you're wrongly requiring that API to be at that same address on every system ... and usually that's not the case. You should do like the (source) and do a call x, where x is the address where you can find a JMP [y] instruction, and y is the address, in the IAT, of the URLDownloadToFileA address saved by the Windows loader. You could also assemble a "call [x]" where x is still the in-IAT address location. Try to look at/analyze the "(source)" call more closely ... Hope this helps. Regards, Tony

Thank you so much for your precious advice. I got there!