Win32 Executable ASM code injection

In this tutorial we will inject assembly code that pops up a dialog box when the executable starts.

Requirements:
1. OllyDbg with Multiasm plugin installed.
2. 32bit executable.
3. Basics of OllyDbg.

Step 1: Open the executable in OllyDbg

Step 2: Finding space to inject your code (CodeCave)
[Image: cave]
If you scroll to the end of the executable in the CPU view you will find "DB 00" written in the disassembly region: zero padding that no code or data uses. This is the place where you can insert your assembly code without corrupting the executable.

Step 3: Inserting ASCII strings in order to show in your dialog box
[Image: cave1]
Select multiple lines in the CodeCave section as shown above and press right click->Binary->Edit (Ctrl+E). You will see one more dialog box. Type the required string in the textbox adjacent to the ASCII label and press OK. This can be your dialog box title. Press Ctrl+A to re-analyse the executable.
[Image: cave2]
When the re-analysis completes you will see one or more lines containing your custom string. Note down its starting address. In the above picture it is 009D776B. Repeat step 3 to insert the custom message for your dialog box.

Step 4: Inserting ASM code to pop dialog box
The following is the code to pop the dialog box:
Code:
PUSH 0              ; uType     = 0 -> MB_OK (OK button only, no icon)
PUSH 009D776B       ; lpCaption = address of the custom title
PUSH 009D776B       ; lpText    = address of the custom message
PUSH 0              ; hWnd      = 0 (no owner window)
CALL MessageBoxA    ; MessageBoxA(hWnd, lpText, lpCaption, uType); stdcall pushes arguments right to left
Edit lines 2 and 3 of the above code with your own addresses (the two example values are identical only because they are placeholders).
Then right click in the CodeCave section (with at least 7/8 free addresses) and select 'Multiline Ultimate Assembler' (Ctrl+Shift+M). Inside the resulting sub-window paste the above code and press 'Assemble'. If everything went fine you should see your assembly code injected. Note down the address of the first line (the one containing "PUSH 0") for future use.

Step 5: Finding the executable's origin and making your code execute
Right click on the disassembly column in CPU view and select Go To -> Origin. This will take you to the starting point of the executable's assembly code. For your safety, copy the first 5 to 6 lines of assembly from the origin address into a text editor by selecting the lines and pressing Ctrl+C. Double click on the origin address and type "JMP 009D774B" (replace 009D774B with the address you noted down in step 4), then click assemble while making sure 'Fill with NOPs' is ticked. Check the next line and note down its address. Compare it with the assembly you saved in your text editor: you will find that some lines of the original assembly have been overwritten. Add those lines after your pop dialog box code, i.e. right after 'CALL MessageBoxA'. Next add a jump statement back to the address you noted down in this step.

Step 6: Save the executable and test run it
To save the executable, right click on the disassembly column of the CPU view and select Copy to executable->All modifications. Select the 'Copy all' option in the confirm box and you will see a new sub-window with your edited code highlighted. Right click and select 'Save file'. Your executable will be reassembled and saved in the given location. Run the executable and, if everything went fine, you should see a dialog box with your custom title and message. Pressing either Close or OK will make the executable run normally!
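To show what the edit from steps 2 to 5 looks like from the analyst's side, here is an added Python check (not from this post, OllyDbg or the Multiasm plugin) that parses a PE32 header, follows a JMP rel32 placed at the entry point and reports whether it lands in a section's on-disk padding, the same "DB 00" cave used above. The sample image it builds is constructed, as are its RVAs, image base and prologue bytes; it assumes a PE32 (not PE32+) file whose entry point lies inside a section.

```python
import struct

def parse_pe(data):
    """Entry-point RVA, image base and section headers of a PE32 (32-bit) file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE file"
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H", data, coff + 2)[0], struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva, image_base = struct.unpack_from("<I", data, opt + 16)[0], struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):                       # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0").decode(), vsize=vsize, va=va, rawsize=rawsize, rawptr=rawptr))
    return entry_rva, image_base, sections

def rva_to_section(rva, sections):
    """Section containing rva, including the on-disk padding past VirtualSize (where caves live)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None

def check_entry_hook(data):
    """None if the entry point does not start with a JMP; otherwise where that JMP rel32 lands."""
    entry_rva, base, sections = parse_pe(data)
    sec = rva_to_section(entry_rva, sections)
    off = sec["rawptr"] + (entry_rva - sec["va"])
    if data[off] != 0xE9:                       # E9 = JMP rel32, the 5-byte patch from step 5
        return None
    rel = struct.unpack_from("<i", data, off + 1)[0]
    target_rva = entry_rva + 5 + rel            # displacement is relative to the next instruction
    tsec = rva_to_section(target_rva, sections)
    in_slack = tsec is not None and target_rva >= tsec["va"] + tsec["vsize"]
    return dict(target_va=base + target_rva, section=tsec["name"] if tsec else None, in_slack=in_slack)

def build_sample(hooked):
    """Constructed one-section PE32, not a real program: .text at RVA 0x1000 holds 0x40 bytes of
    code but 0x200 bytes on disk, so RVA 0x1040-0x11FF is the zero-filled 'DB 00' cave."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, 0xE0-byte optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<II", opt, 16, 0x1000, 0x1000)                # AddressOfEntryPoint, BaseOfCode
    struct.pack_into("<I", opt, 28, 0x400000)                       # ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x40, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    text = bytearray(b"\x55\x8b\xec\x83\xec\x40".ljust(0x200, b"\0"))  # push ebp; mov ebp,esp; sub esp,40h
    if hooked:  # the tutorial's edit: the first 5 bytes become a JMP to the cave at RVA 0x1100
        struct.pack_into("<Bi", text, 0, 0xE9, 0x1100 - (0x1000 + 5))
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0") + bytes(text)
```

Run `check_entry_hook(open("app.exe", "rb").read())` on a real 32-bit binary; a result with `in_slack` set is exactly the entry-point trampoline this tutorial creates.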

Have fun :thumbup1:

Reference: "How to inject code into a exe file" article by Iman Karim