Welcome!

Join our community of MMO enthusiasts and game developers! By registering, you'll gain access to discussions on the latest developments in MMO server files and collaborate with like-minded individuals. Join us today and unlock the potential of MMO server development!

Join Today!

Please Help run asm on specific address on c++

Skilled Illusionist
Joined
Apr 17, 2010
Messages
323
Reaction score
23
Anyone can help me to solve my problem I have no knowledge about asm. I wat to run an asm to a specific address or offset.

example I want to run the block of asm in the address I specified 0x00424B1C?

Code:
#include "StdAfx.h"

void __declspec(naked) MyStuff() {
	__asm {
		PUSH EBP
			MOV EBP, ESP
			MOV EAX, DWORD PTR SS : [EBP + 0x8]
			MOV EAX, DWORD PTR DS : [EAX]
			XOR EAX, ENCPACKET
			MOV DWORD PTR SS : [EBP + 0x8], EAX
			MOV AX, WORD PTR SS : [EBP + 0xA]
			POP EBP
			RETN 0x4
	}
}

void SetStuff(){
	SetJmp((LPVOID)0x00424B1C,  MyStuff);
}
any idea? thanks in advance!!
 
Last edited:
Skilled Illusionist
Joined
Apr 17, 2010
Messages
323
Reaction score
23
What are you trying to achieve with this?

Thanks you for the response! I want to change some value in the specific offset and this is the beginning of offset 0x00424B1C.
 
[emoji848]
Legend
Joined
Dec 3, 2011
Messages
2,232
Reaction score
1,518
Hmm I'm not sure if I'm understanding the question correctly. Change a value at a memory offset? For a task like that you won't need ASM unless you work with some reversed ASM that needs to run or be called from somewhere (usually done on reversed code). I couldn't help you much with that but if you know certain memory is always located at 0x00424B1C (virtual ram offsets are usually different at each execution) you can access it by making it a pointer of the type you need.

If it's a function you can cast a function pointer out of it and call it through that with the params it takes. I don't think you can tell the compiler at which memory location to compile a function to, specially not at runtime. I'm not a pro on this though so I might be wrong. But you can redirect around or build code caves.
 
Skilled Illusionist
Joined
Apr 17, 2010
Messages
323
Reaction score
23
Hmm I'm not sure if I'm understanding the question correctly. Change a value at a memory offset? For a task like that you won't need ASM unless you work with some reversed ASM that needs to run or be called from somewhere (usually done on reversed code). I couldn't help you much with that but if you know certain memory is always located at 0x00424B1C (virtual ram offsets are usually different at each execution) you can access it by making it a pointer of the type you need.

If it's a function you can cast a function pointer out of it and call it through that with the params it takes. I don't think you can tell the compiler at which memory location to compile a function to, specially not at runtime. I'm not a pro on this though so I might be wrong. But you can redirect around or build code caves.

thanks!
I try this SetJmp((LPVOID)0x00424B1C, MyStuff); but after that address it will jump to another offset 0x00166BB0 why They cant run continues of the next offset like this 0x00424B1C, 0x00424B1D, 0x00424B1E, 0x00424B1F? why it jump to offset 0x00166BB0? thanks!



may I ask if asm is working with packed exe?
 
Joined
Oct 28, 2011
Messages
2,465
Reaction score
1,258
setjmp does contain enough so that your call to longjmp function can return execution to the correct block, but you're dependent on the number of registers available to the system you're developing on. Don't forget that since setjmp "estimates" how much calling context jmp_buf can store, your expression evaluation may not contain everything that you require. Besides you don't get the state of status flags etc.
I highly recommend finding an alternative solution to this issue.



Perhaps elaborating on what your "real" intentions and goals are here.
What application are you examining (IE the .exe file name, where is it from)? Why are you attempting to access these memory addresses? What do you intend to modify? What type of data is being evaluated?
Just a few, of dozens of questions.
 
Skilled Illusionist
Joined
Apr 17, 2010
Messages
323
Reaction score
23
setjmp does contain enough so that your call to longjmp function can return execution to the correct block, but you're dependent on the number of registers available to the system you're developing on. Don't forget that since setjmp "estimates" how much calling context jmp_buf can store, your expression evaluation may not contain everything that you require. Besides you don't get the state of status flags etc.
I highly recommend finding an alternative solution to this issue.



Perhaps elaborating on what your "real" intentions and goals are here.
What application are you examining (IE the .exe file name, where is it from)? Why are you attempting to access these memory addresses? What do you intend to modify? What type of data is being evaluated?
Just a few, of dozens of questions.

thanks! I have cabal private server, I want to hide in dll the important information to avoid any cheats or hacking attempt. But I dont have an idea how the asm works. can you help me if you dont mind? I am using codex anticheat. And I add some function to codex dll to hide the important information to cabal exe. but dont have an idea about asm. hope you can help me! thanks in advance!!
 
Joined
Oct 28, 2011
Messages
2,465
Reaction score
1,258
Apologies, it would take quite a bit of preparation and explanation to go into this.
Currently just don't have the time to get involved at this level.

Perhaps someone else can give you the type of information you're searching for.

Just try to find an alternative solution to .asm
 
Newbie Spellweaver
Joined
May 24, 2009
Messages
93
Reaction score
5
Hi, I have a couple of questions to know if I can help or not:
You are saying that the function enters in the address 0x00424B1C, but in the next one it changes to a random address, in which line of the code happen that (if you got debbuger better)? or when it reaches the random address it jumps to the next one?
What does SetJmp returns?
Which OS are you using?

PD: If you don't know anything about ASM you should be reading this:
 
Last edited:
Skilled Illusionist
Joined
Apr 17, 2010
Messages
323
Reaction score
23
Hi, I have a couple of questions to know if I can help or not:
You are saying that the function enters in the address 0x00424B1C, but in the next one it changes to a random address, in which line of the code happen that (if you got debbuger better)? or when it reaches the random address it jumps to the next one?
What does SetJmp returns?
Which OS are you using?

PD: If you don't know anything about ASM you should be reading this:

yes it was change to the address randomly. I want to run the asm in the specific address where the same asm from the I see in ollydbg.

my example


00424B1C jmp 005DB4E0


005DB4E0 /> \55 PUSH EBP
005DB4E1 |. 8BEC MOV EBP,ESP
005DB4E3 |. 56 PUSH ESI
005DB4E4 |. FF75 0C PUSH DWORD PTR SS:[EBP+C]
005DB4E7 |. B9 403E0801 MOV ECX,01083E40
005DB4EC |. E8 38CCE3FF CALL 00418129
005DB4F1 |. 8BF0 MOV ESI,EAX
005DB4F3 |. 85F6 TEST ESI,ESI
005DB4F5 |. 74 1E JE SHORT 005DB515
005DB4F7 |. FF75 08 PUSH DWORD PTR SS:[EBP+8]
005DB4FA |. 8BCE MOV ECX,ESI
005DB4FC |. E8 D799E4FF CALL 00424ED8
005DB501 |. 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
005DB504 |. FF75 08 PUSH DWORD PTR SS:[EBP+8]
005DB507 |. 8901 MOV DWORD PTR DS:[ECX],EAX
005DB509 |. 8BCE MOV ECX,ESI
005DB50B |. E8 EEA5E4FF CALL 00425AFE
005DB510 |. 8B4D 14 MOV ECX,DWORD PTR SS:[EBP+14]
005DB513 |. 8901 MOV DWORD PTR DS:[ECX],EAX
005DB515 |> 5E POP ESI
005DB516 |. 5D POP EBP
005DB517 \. C2 1000 RETN 10

I want to run the asm on the same offset. like this.
Code:
#include "StdAfx.h"

void __declspec(naked) MyStuff() {
	__asm {
005DB4E0->		PUSH EBP
005DB4E1->			MOV EBP, ESP
005DB4E3 ->			MOV EAX, DWORD PTR SS : [EBP + 0x8]
005DB4E7->			MOV EAX, DWORD PTR DS : [EAX]
005DB4EC->			XOR EAX, ENCPACKET
005DB4F1->			MOV DWORD PTR SS : [EBP + 0x8], EAX
005DB4F3->			MOV AX, WORD PTR SS : [EBP + 0xA]
005DB4F5->			POP EBP
005DB4F7->			RETN 0x4
	}
}

void SetStuff(){
	SetJmp((LPVOID)0x00424B1C,  MyStuff);
}
 
Newbie Spellweaver
Joined
May 24, 2009
Messages
93
Reaction score
5
yes it was change to the address randomly. I want to run the asm in the specific address where the same asm from the I see in ollydbg.

my example




I want to run the asm on the same offset. like this.
Code:
#include "StdAfx.h"

void __declspec(naked) MyStuff() {
	__asm {
005DB4E0->		PUSH EBP
005DB4E1->			MOV EBP, ESP
005DB4E3 ->			MOV EAX, DWORD PTR SS : [EBP + 0x8]
005DB4E7->			MOV EAX, DWORD PTR DS : [EAX]
005DB4EC->			XOR EAX, ENCPACKET
005DB4F1->			MOV DWORD PTR SS : [EBP + 0x8], EAX
005DB4F3->			MOV AX, WORD PTR SS : [EBP + 0xA]
005DB4F5->			POP EBP
005DB4F7->			RETN 0x4
	}
}

void SetStuff(){
	SetJmp((LPVOID)0x00424B1C,  MyStuff);
}

I understand that your purpose is to access this location 0x00424B1C and keep saving information with an 8-bit offset so the pointer will be increasing every time the loop executes?

When you use SetJmp the function is expecting a jmp_buf variable, which librarie are you using for SetJmp?


What does SetJmp returns?

In this part
Code:
MOV DWORD PTR SS : [EBP + 0x8], EAX
MOV AX, WORD PTR SS : [EBP + 0xA]
First you are assigning an 32-bit pointer and then you are using a 16-bit.
 
Elite Diviner
Joined
Apr 28, 2012
Messages
420
Reaction score
439
addres 005DB4E0 in dll ?
function that you want to hide
what she does? (it is used by bots, i.e. inject)?
if so, then just break the function of "jmp" or/and "jmp short"

find space near the function and to transfer the important variables
 
Skilled Illusionist
Joined
Apr 17, 2010
Messages
323
Reaction score
23
I understand that your purpose is to access this location 0x00424B1C and keep saving information with an 8-bit offset so the pointer will be increasing every time the loop executes?

When you use SetJmp the function is expecting a jmp_buf variable, which librarie are you using for SetJmp?


What does SetJmp returns?

In this part
Code:
MOV DWORD PTR SS : [EBP + 0x8], EAX
MOV AX, WORD PTR SS : [EBP + 0xA]
First you are assigning an 32-bit pointer and then you are using a 16-bit.

it was jmp to other address in memory but not in 005DB4E0. I want to jump the PUSH EBP in to 005DB4E0, MOV EBP, ESP into 005DB4E1, and so on!
 
Skilled Illusionist
Joined
Apr 17, 2010
Messages
323
Reaction score
23
please give me a sample about pointer and how do I apply this.
 
Elite Diviner
Joined
Apr 28, 2012
Messages
420
Reaction score
439
upload client something (link for pm me), and tell me what you want to hide, and give me work bot for this version client)))
i try help u (patch binary)
 
Skilled Illusionist
Joined
Jan 8, 2012
Messages
332
Reaction score
149
I understand that you want to HIDE an address ? You can do this during runtime, but it will still be visible with a debugger...

Let`s say you want to replace address: 0x004A8316

Code:
#define REPLACE_MEMORY 0x004A8316

Naked(ReplaceMemory)
{
	_asm
	{
		MOV EAX, DWORD PTR DS : [ECX + 0x04]

		MOVZX EAX, BYTE PTR DS : [EAX + 0x02]

		XOR EAX, 0x35

		MOV DWORD PTR DS : [ECX + 0x0C], 0x03

		jmp REPLACE_MEMORY
	}
}

In order for the replace to work you need 0x004A8305 and 0x004A830A ( this you need to set according to your .exe )

Code:
Set_Hook(reinterpret_cast<LPVOID>(0x004A8305), reinterpret_cast<LPVOID>(ReplaceMemory), 0xE9);
SetMultiByte(reinterpret_cast<PVOID>(0x004A830A), 12, 0x90);

Enjoy!
 
Skilled Illusionist
Joined
Apr 17, 2010
Messages
323
Reaction score
23
I understand that you want to HIDE an address ? You can do this during runtime, but it will still be visible with a debugger...

Let`s say you want to replace address: 0x004A8316

Code:
#define REPLACE_MEMORY 0x004A8316

Naked(ReplaceMemory)
{
	_asm
	{
		MOV EAX, DWORD PTR DS : [ECX + 0x04]

		MOVZX EAX, BYTE PTR DS : [EAX + 0x02]

		XOR EAX, 0x35

		MOV DWORD PTR DS : [ECX + 0x0C], 0x03

		jmp REPLACE_MEMORY
	}
}

In order for the replace to work you need 0x004A8305 and 0x004A830A ( this you need to set according to your .exe )

Code:
Set_Hook(reinterpret_cast<LPVOID>(0x004A8305), reinterpret_cast<LPVOID>(ReplaceMemory), 0xE9);
SetMultiByte(reinterpret_cast<PVOID>(0x004A830A), 12, 0x90);

Enjoy!

thank you so much I will try it!
cant find the function of Set_Hook and SetMultiByte.
 
Skilled Illusionist
Joined
Jan 8, 2012
Messages
332
Reaction score
149
Code:
#define HOOK_SIZE 5

void Set_Hook(LPVOID lpOffset, LPVOID lpFunction, BYTE Type)
{
	BYTE TypeMemory[5] = { 0 };

	DWORD dwMemPacthed = 0;

	SIZE_T MemorySize = 0;

	DWORD dwOldProtect = 0;

	SIZE_T VirtualSize = 0;

	dwMemPacthed = reinterpret_cast<DWORD&>(lpFunction)-reinterpret_cast<DWORD&>(lpOffset)-HOOK_SIZE;

	TypeMemory[0] = Type;

	MemorySize = sizeof(dwMemPacthed);

	memcpy(reinterpret_cast<LPVOID>(&TypeMemory[1]), reinterpret_cast<LPVOID>(&dwMemPacthed), MemorySize);

	VirtualSize = sizeof(TypeMemory);

	if (VirtualProtect(lpOffset, VirtualSize, PAGE_EXECUTE_READWRITE, &dwOldProtect) != 0)
	{
		memcpy(reinterpret_cast<void*>(lpOffset), reinterpret_cast<const void*>(TypeMemory), VirtualSize);
	}
}

void SetMultiByte(LPVOID dwAddress, USHORT wCount, BYTE btValue)
{
	BYTE * lpBuf = 0;

	DWORD dwOldProtect = 0;

	lpBuf = new BYTE[wCount];

	memset(reinterpret_cast<void*>(lpBuf), reinterpret_cast<int&>(btValue), reinterpret_cast<SIZE_T&>(wCount));

	if (VirtualProtect(dwAddress, reinterpret_cast<SIZE_T&>(wCount), PAGE_EXECUTE_READWRITE, &dwOldProtect) != 0)
	{
		memcpy(reinterpret_cast<void*>(dwAddress), reinterpret_cast<LPVOID>(lpBuf), reinterpret_cast<SIZE_T&>(wCount));
	}
}

I repeat, this will not help you much :)
 
Skilled Illusionist
Joined
Apr 17, 2010
Messages
323
Reaction score
23
Code:
#define HOOK_SIZE 5

void Set_Hook(LPVOID lpOffset, LPVOID lpFunction, BYTE Type)
{
	BYTE TypeMemory[5] = { 0 };

	DWORD dwMemPacthed = 0;

	SIZE_T MemorySize = 0;

	DWORD dwOldProtect = 0;

	SIZE_T VirtualSize = 0;

	dwMemPacthed = reinterpret_cast<DWORD&>(lpFunction)-reinterpret_cast<DWORD&>(lpOffset)-HOOK_SIZE;

	TypeMemory[0] = Type;

	MemorySize = sizeof(dwMemPacthed);

	memcpy(reinterpret_cast<LPVOID>(&TypeMemory[1]), reinterpret_cast<LPVOID>(&dwMemPacthed), MemorySize);

	VirtualSize = sizeof(TypeMemory);

	if (VirtualProtect(lpOffset, VirtualSize, PAGE_EXECUTE_READWRITE, &dwOldProtect) != 0)
	{
		memcpy(reinterpret_cast<void*>(lpOffset), reinterpret_cast<const void*>(TypeMemory), VirtualSize);
	}
}

void SetMultiByte(LPVOID dwAddress, USHORT wCount, BYTE btValue)
{
	BYTE * lpBuf = 0;

	DWORD dwOldProtect = 0;

	lpBuf = new BYTE[wCount];

	memset(reinterpret_cast<void*>(lpBuf), reinterpret_cast<int&>(btValue), reinterpret_cast<SIZE_T&>(wCount));

	if (VirtualProtect(dwAddress, reinterpret_cast<SIZE_T&>(wCount), PAGE_EXECUTE_READWRITE, &dwOldProtect) != 0)
	{
		memcpy(reinterpret_cast<void*>(dwAddress), reinterpret_cast<LPVOID>(lpBuf), reinterpret_cast<SIZE_T&>(wCount));
	}
}

I repeat, this will not help you much :)

thank you so much,



thank you so much,

it was jump to far away address JMP 0F2F6BC0 and error when I packed the exe using themida.
 
Back
Top