Please help: run asm at a specific address in C++

Skilled Illusionist (joined Apr 17, 2010; messages: 323; reaction score: 23)
Can anyone help me solve my problem? I have no knowledge about asm. I want to run an asm block at a specific address or offset.

For example, I want to run the block of asm at the address I specified, 0x00424B1C?

Code:
#include "StdAfx.h"

// ENCPACKET and SetJmp are not shown in the post; they are assumed to be
// defined elsewhere in the poster's own project.
void __declspec(naked) MyStuff() {
	__asm {
		PUSH EBP                             // standard prologue
		MOV EBP, ESP
		MOV EAX, DWORD PTR SS : [EBP + 0x8]   // first stack argument
		MOV EAX, DWORD PTR DS : [EAX]        // dereference it
		XOR EAX, ENCPACKET                   // decode with the project's constant
		MOV DWORD PTR SS : [EBP + 0x8], EAX   // store the decoded value back in the argument slot
		MOV AX, WORD PTR SS : [EBP + 0xA]    // AX = upper 16 bits of the value just stored
		POP EBP
		RETN 0x4                             // return and drop the one argument
	}
}

void SetStuff(){
	SetJmp((LPVOID)0x00424B1C,  MyStuff);
}
Any idea? Thanks in advance!!
 
Skilled Illusionist (joined Apr 17, 2010; messages: 323; reaction score: 23)
What are you trying to achieve with this?

Thank you for the response! I want to change some values at the specific offset, and this is the beginning of offset 0x00424B1C.
 
Legend (joined Dec 3, 2011; messages: 2,232; reaction score: 1,518)
Hmm, I'm not sure if I'm understanding the question correctly. Change a value at a memory offset? For a task like that you won't need ASM unless you work with some reversed ASM that needs to run or be called from somewhere (usually done on reversed code). I couldn't help you much with that, but if you know certain memory is always located at 0x00424B1C (virtual RAM offsets are usually different at each execution) you can access it by making it a pointer of the type you need.

If it's a function you can cast a function pointer out of it and call it through that with the params it takes. I don't think you can tell the compiler at which memory location to compile a function to, especially not at runtime. I'm not a pro on this though, so I might be wrong. But you can redirect around or build code caves.
 
Skilled Illusionist (joined Apr 17, 2010; messages: 323; reaction score: 23)

Thanks!
I tried this SetJmp((LPVOID)0x00424B1C, MyStuff); but after that address it jumps to another offset, 0x00166BB0. Why can't they run continuously through the next offsets like this: 0x00424B1C, 0x00424B1D, 0x00424B1E, 0x00424B1F? Why does it jump to offset 0x00166BB0? Thanks!



May I ask if asm works with a packed exe?
 
Joined Oct 28, 2011; messages: 2,465; reaction score: 1,258
setjmp does contain enough so that your call to the longjmp function can return execution to the correct block, but you're dependent on the number of registers available on the system you're developing on. Don't forget that since setjmp "estimates" how much calling context jmp_buf can store, your expression evaluation may not contain everything that you require. Besides, you don't get the state of status flags etc.
I highly recommend finding an alternative solution to this issue.



Perhaps elaborating on what your "real" intentions and goals are here.
What application are you examining (IE the .exe file name, where is it from)? Why are you attempting to access these memory addresses? What do you intend to modify? What type of data is being evaluated?
Just a few of dozens of questions.
 
Skilled Illusionist (joined Apr 17, 2010; messages: 323; reaction score: 23)

Thanks! I have a Cabal private server. I want to hide the important information in a dll to avoid any cheats or hacking attempts, but I don't have an idea how the asm works. Can you help me, if you don't mind? I am using Codex anticheat, and I added some functions to the Codex dll to hide the important information to the Cabal exe, but I don't have an idea about asm. Hope you can help me! Thanks in advance!!
 
Joined Oct 28, 2011; messages: 2,465; reaction score: 1,258
Apologies, it would take quite a bit of preparation and explanation to go into this.
Currently I just don't have the time to get involved at this level.

Perhaps someone else can give you the type of information you're searching for.

Just try to find an alternative solution to .asm
 
Newbie Spellweaver (joined May 24, 2009; messages: 93; reaction score: 5)
Hi, I have a couple of questions to know if I can help or not:
You are saying that the function enters at the address 0x00424B1C, but in the next one it changes to a random address; at which line of the code does that happen (better if you have a debugger)? Or, when it reaches the random address, does it jump to the next one?
What does SetJmp return?
Which OS are you using?

PS: If you don't know anything about ASM you should be reading this:
 
Skilled Illusionist (joined Apr 17, 2010; messages: 323; reaction score: 23)

Yes, it changed to the address randomly. I want to run the asm at the specific address where I see the same asm in OllyDbg.

My example:



I want to run the asm at the same offsets, like this.
Code:
#include "StdAfx.h"

// The address on each line is where that instruction is seen in OllyDbg.
// ENCPACKET and SetJmp are assumed to be defined elsewhere in the poster's project.
void __declspec(naked) MyStuff() {
	__asm {
		PUSH EBP                             // 005DB4E0
		MOV EBP, ESP                         // 005DB4E1
		MOV EAX, DWORD PTR SS : [EBP + 0x8]   // 005DB4E3
		MOV EAX, DWORD PTR DS : [EAX]        // 005DB4E7
		XOR EAX, ENCPACKET                   // 005DB4EC
		MOV DWORD PTR SS : [EBP + 0x8], EAX   // 005DB4F1
		MOV AX, WORD PTR SS : [EBP + 0xA]    // 005DB4F3
		POP EBP                              // 005DB4F5
		RETN 0x4                             // 005DB4F7
	}
}

void SetStuff(){
	SetJmp((LPVOID)0x00424B1C,  MyStuff);
}
 
Newbie Spellweaver (joined May 24, 2009; messages: 93; reaction score: 5)

I understand that your purpose is to access this location, 0x00424B1C, and keep saving information with an 8-bit offset, so the pointer will be increasing every time the loop executes?

When you use SetJmp the function is expecting a jmp_buf variable; which library are you using for SetJmp?


What does SetJmp return?

In this part
Code:
MOV DWORD PTR SS : [EBP + 0x8], EAX
MOV AX, WORD PTR SS : [EBP + 0xA]
First you are assigning a 32-bit pointer and then you are using a 16-bit one.
 
Elite Diviner (joined Apr 28, 2012; messages: 420; reaction score: 439)
Address 005DB4E0 in the dll?
The function that you want to hide:
what does it do? (Is it used by bots, i.e. inject?)
If so, then just break the function with "jmp" or/and "jmp short".

Find space near the function and transfer the important variables.
 
Skilled Illusionist (joined Apr 17, 2010; messages: 323; reaction score: 23)

It jumped to another address in memory, not to 005DB4E0. I want the PUSH EBP to go into 005DB4E0, MOV EBP, ESP into 005DB4E1, and so on!
 
Skilled Illusionist (joined Apr 17, 2010; messages: 323; reaction score: 23)
Please give me a sample about pointers and how I apply this.
 
Elite Diviner (joined Apr 28, 2012; messages: 420; reaction score: 439)
Upload the client somewhere (PM me the link), tell me what you want to hide, and give me a working bot for this version of the client)))
I'll try to help you (patch the binary).
 
Skilled Illusionist (joined Jan 8, 2012; messages: 332; reaction score: 150)
I understand that you want to HIDE an address? You can do this during runtime, but it will still be visible with a debugger...

Let's say you want to replace address 0x004A8316:

Code:
#define REPLACE_MEMORY 0x004A8316   // where execution resumes after the patched bytes

// Naked is not shown in the post; it is assumed to be the poster's macro for a
// __declspec(naked) function (no compiler-generated prologue or epilogue).
Naked(ReplaceMemory)
{
	_asm
	{
		// These 17 bytes of code stand in for the 5 + 12 bytes overwritten at
		// 0x004A8305 (see Set_Hook / SetMultiByte below).
		MOV EAX, DWORD PTR DS : [ECX + 0x04]

		MOVZX EAX, BYTE PTR DS : [EAX + 0x02]

		XOR EAX, 0x35

		MOV DWORD PTR DS : [ECX + 0x0C], 0x03

		jmp REPLACE_MEMORY   // back into the original code
	}
}

In order for the replacement to work you need 0x004A8305 and 0x004A830A (these you need to set according to your .exe):

Code:
Set_Hook(reinterpret_cast<LPVOID>(0x004A8305), reinterpret_cast<LPVOID>(ReplaceMemory), 0xE9);
SetMultiByte(reinterpret_cast<PVOID>(0x004A830A), 12, 0x90);

Enjoy!
 
Skilled Illusionist (joined Apr 17, 2010; messages: 323; reaction score: 23)

Thank you so much, I will try it!
I can't find the functions Set_Hook and SetMultiByte.
 
Skilled Illusionist (joined Jan 8, 2012; messages: 332; reaction score: 150)
Code:
#include <windows.h>
#include <cstring>

#define HOOK_SIZE 5   // one opcode byte (E9 = JMP, E8 = CALL) + rel32

// Writes a 5-byte relative jump/call at lpOffset that lands on lpFunction.
// The rel32 is measured from the end of the 5-byte instruction, hence -HOOK_SIZE.
void Set_Hook(LPVOID lpOffset, LPVOID lpFunction, BYTE Type)
{
	BYTE TypeMemory[HOOK_SIZE] = { 0 };
	DWORD dwOldProtect = 0;

	DWORD dwMemPatched = static_cast<DWORD>(reinterpret_cast<DWORD_PTR>(lpFunction))
	                   - static_cast<DWORD>(reinterpret_cast<DWORD_PTR>(lpOffset))
	                   - HOOK_SIZE;

	TypeMemory[0] = Type;
	memcpy(&TypeMemory[1], &dwMemPatched, sizeof(dwMemPatched));   // little-endian rel32

	if (VirtualProtect(lpOffset, sizeof(TypeMemory), PAGE_EXECUTE_READWRITE, &dwOldProtect) != 0)
	{
		memcpy(lpOffset, TypeMemory, sizeof(TypeMemory));
		// put the page protection back and make sure the CPU sees the new bytes
		VirtualProtect(lpOffset, sizeof(TypeMemory), dwOldProtect, &dwOldProtect);
		FlushInstructionCache(GetCurrentProcess(), lpOffset, sizeof(TypeMemory));
	}
}

// Fills wCount bytes at dwAddress with btValue (0x90 = NOP, to pad out the
// instructions displaced by the jump). wCount and btValue are used as plain
// values; no heap buffer is needed.
void SetMultiByte(LPVOID dwAddress, USHORT wCount, BYTE btValue)
{
	DWORD dwOldProtect = 0;

	if (VirtualProtect(dwAddress, wCount, PAGE_EXECUTE_READWRITE, &dwOldProtect) != 0)
	{
		memset(dwAddress, btValue, wCount);
		VirtualProtect(dwAddress, wCount, dwOldProtect, &dwOldProtect);
		FlushInstructionCache(GetCurrentProcess(), dwAddress, wCount);
	}
}

I repeat, this will not help you much.
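How the 5-byte patch that Set_Hook writes is laid out, and how a client can check its own function prologues for one, as an added example in C (not code from this thread or from Codex). The prologue bytes, the module range and the hooked/clean cases are constructed; the addresses reuse values quoted in the posts above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Added example, not the thread's code: the 5-byte "JMP rel32" that Set_Hook
 * writes, its decoder, and an integrity check for hooked prologues. */
enum { JMP_REL32_SIZE = 5 };

/* rel32 is relative to the END of the 5-byte instruction, which is the
 * "- HOOK_SIZE" term in Set_Hook. Unsigned wrap-around matches x86. */
static uint32_t rel32_for(uint32_t src, uint32_t dst) { return dst - src - JMP_REL32_SIZE; }

/* E9 + little-endian rel32: the exact bytes Set_Hook's memcpy assembles. */
static void encode_jmp_rel32(uint32_t src, uint32_t dst, uint8_t *out)
{
    uint32_t rel = rel32_for(src, dst);
    out[0] = 0xE9;
    memcpy(out + 1, &rel, sizeof rel);
}

/* Inverse: recover the target of a JMP located at 'at'; false if not E9. */
static bool decode_jmp_rel32(uint32_t at, const uint8_t *code, uint32_t *target)
{
    uint32_t rel;
    if (code[0] != 0xE9) return false;
    memcpy(&rel, code + 1, sizeof rel);
    *target = at + JMP_REL32_SIZE + rel;
    return true;
}

/* Integrity check: a JMP whose target leaves [base, end) is the footprint an
 * inline hook like Set_Hook leaves on a prologue. A detour that stays inside
 * the module is NOT caught by this test; that is a known limit of the check. */
static bool prologue_hooked(uint32_t at, const uint8_t *code, size_t len,
                            uint32_t base, uint32_t end)
{
    uint32_t target;
    if (len < JMP_REL32_SIZE || !decode_jmp_rel32(at, code, &target)) return false;
    return target < base || target >= end;
}

/* Constructed prologue: push ebp / mov ebp,esp / mov eax,[ebp+8] / mov eax,[eax]
 * / pop ebp / ret 4. With 'hook' set it is patched the way Set_Hook patches. */
static bool scan_sample(bool hook, uint32_t at, uint32_t dst, uint32_t base, uint32_t end)
{
    uint8_t code[12] = { 0x55, 0x8B, 0xEC, 0x8B, 0x45, 0x08, 0x8B, 0x00,
                         0x5D, 0xC2, 0x04, 0x00 };
    if (hook) encode_jmp_rel32(at, dst, code);
    return prologue_hooked(at, code, sizeof code, base, end);
}
```

A real self-check would read the live bytes of each function it cares about instead of the constructed buffer, and would compare them against a stored copy rather than only looking for E9.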
 
Skilled Illusionist (joined Apr 17, 2010; messages: 323; reaction score: 23)

Thank you so much,


It jumped to a far away address, JMP 0F2F6BC0, and gave an error when I packed the exe using Themida.