#include "StdAfx.h"
void __declspec(naked) MyStuff() {
__asm {
PUSH EBP
MOV EBP, ESP
MOV EAX, DWORD PTR SS : [EBP + 0x8]
MOV EAX, DWORD PTR DS : [EAX]
XOR EAX, ENCPACKET
MOV DWORD PTR SS : [EBP + 0x8], EAX
MOV AX, WORD PTR SS : [EBP + 0xA]
POP EBP
RETN 0x4
}
}
void SetStuff(){
SetJmp((LPVOID)0x00424B1C, MyStuff);
}
What are you trying to achieve with this?
Hmm I'm not sure if I'm understanding the question correctly. Change a value at a memory offset? For a task like that you won't need ASM unless you work with some reversed ASM that needs to run or be called from somewhere (usually done on reversed code). I couldn't help you much with that but if you know certain memory is always located at 0x00424B1C (virtual ram offsets are usually different at each execution) you can access it by making it a pointer of the type you need.
If it's a function you can cast a function pointer out of it and call it through that with the params it takes. I don't think you can tell the compiler at which memory location to compile a function to, specially not at runtime. I'm not a pro on this though so I might be wrong. But you can redirect around or build code caves.
setjmp does contain enough so that your call to longjmp function can return execution to the correct block, but you're dependent on the number of registers available to the system you're developing on. Don't forget that since setjmp "estimates" how much calling context jmp_buf can store, your expression evaluation may not contain everything that you require. Besides you don't get the state of status flags etc.
I highly recommend finding an alternative solution to this issue.
Perhaps elaborating on what your "real" intentions and goals are here.
What application are you examining (IE the .exe file name, where is it from)? Why are you attempting to access these memory addresses? What do you intend to modify? What type of data is being evaluated?
Just a few, of dozens of questions.
Hi, I have a couple of questions to know if I can help or not:
You are saying that the function enters in the address 0x00424B1C, but in the next one it changes to a random address, in which line of the code happen that (if you got debbuger better)? or when it reaches the random address it jumps to the next one?
What does SetJmp returns?
Which OS are you using?
PD: If you don't know anything about ASM you should be reading this:
You must be registered to see links
00424B1C jmp 005DB4E0
005DB4E0 /> \55 PUSH EBP
005DB4E1 |. 8BEC MOV EBP,ESP
005DB4E3 |. 56 PUSH ESI
005DB4E4 |. FF75 0C PUSH DWORD PTR SS:[EBP+C]
005DB4E7 |. B9 403E0801 MOV ECX,01083E40
005DB4EC |. E8 38CCE3FF CALL 00418129
005DB4F1 |. 8BF0 MOV ESI,EAX
005DB4F3 |. 85F6 TEST ESI,ESI
005DB4F5 |. 74 1E JE SHORT 005DB515
005DB4F7 |. FF75 08 PUSH DWORD PTR SS:[EBP+8]
005DB4FA |. 8BCE MOV ECX,ESI
005DB4FC |. E8 D799E4FF CALL 00424ED8
005DB501 |. 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
005DB504 |. FF75 08 PUSH DWORD PTR SS:[EBP+8]
005DB507 |. 8901 MOV DWORD PTR DS:[ECX],EAX
005DB509 |. 8BCE MOV ECX,ESI
005DB50B |. E8 EEA5E4FF CALL 00425AFE
005DB510 |. 8B4D 14 MOV ECX,DWORD PTR SS:[EBP+14]
005DB513 |. 8901 MOV DWORD PTR DS:[ECX],EAX
005DB515 |> 5E POP ESI
005DB516 |. 5D POP EBP
005DB517 \. C2 1000 RETN 10
#include "StdAfx.h"
void __declspec(naked) MyStuff() {
__asm {
005DB4E0-> PUSH EBP
005DB4E1-> MOV EBP, ESP
005DB4E3 -> MOV EAX, DWORD PTR SS : [EBP + 0x8]
005DB4E7-> MOV EAX, DWORD PTR DS : [EAX]
005DB4EC-> XOR EAX, ENCPACKET
005DB4F1-> MOV DWORD PTR SS : [EBP + 0x8], EAX
005DB4F3-> MOV AX, WORD PTR SS : [EBP + 0xA]
005DB4F5-> POP EBP
005DB4F7-> RETN 0x4
}
}
void SetStuff(){
SetJmp((LPVOID)0x00424B1C, MyStuff);
}
yes it was change to the address randomly. I want to run the asm in the specific address where the same asm from the I see in ollydbg.
my example
I want to run the asm on the same offset. like this.
Code:#include "StdAfx.h" void __declspec(naked) MyStuff() { __asm { 005DB4E0-> PUSH EBP 005DB4E1-> MOV EBP, ESP 005DB4E3 -> MOV EAX, DWORD PTR SS : [EBP + 0x8] 005DB4E7-> MOV EAX, DWORD PTR DS : [EAX] 005DB4EC-> XOR EAX, ENCPACKET 005DB4F1-> MOV DWORD PTR SS : [EBP + 0x8], EAX 005DB4F3-> MOV AX, WORD PTR SS : [EBP + 0xA] 005DB4F5-> POP EBP 005DB4F7-> RETN 0x4 } } void SetStuff(){ SetJmp((LPVOID)0x00424B1C, MyStuff); }
MOV DWORD PTR SS : [EBP + 0x8], EAX
MOV AX, WORD PTR SS : [EBP + 0xA]
I understand that your purpose is to access this location 0x00424B1C and keep saving information with an 8-bit offset so the pointer will be increasing every time the loop executes?
When you use SetJmp the function is expecting a jmp_buf variable, which librarie are you using for SetJmp?
You must be registered to see links
What does SetJmp returns?
In this part
First you are assigning an 32-bit pointer and then you are using a 16-bit.Code:MOV DWORD PTR SS : [EBP + 0x8], EAX MOV AX, WORD PTR SS : [EBP + 0xA]
#define REPLACE_MEMORY 0x004A8316
Naked(ReplaceMemory)
{
_asm
{
MOV EAX, DWORD PTR DS : [ECX + 0x04]
MOVZX EAX, BYTE PTR DS : [EAX + 0x02]
XOR EAX, 0x35
MOV DWORD PTR DS : [ECX + 0x0C], 0x03
jmp REPLACE_MEMORY
}
}
Set_Hook(reinterpret_cast<LPVOID>(0x004A8305), reinterpret_cast<LPVOID>(ReplaceMemory), 0xE9);
SetMultiByte(reinterpret_cast<PVOID>(0x004A830A), 12, 0x90);
I understand that you want to HIDE an address ? You can do this during runtime, but it will still be visible with a debugger...
Let`s say you want to replace address: 0x004A8316
Code:#define REPLACE_MEMORY 0x004A8316 Naked(ReplaceMemory) { _asm { MOV EAX, DWORD PTR DS : [ECX + 0x04] MOVZX EAX, BYTE PTR DS : [EAX + 0x02] XOR EAX, 0x35 MOV DWORD PTR DS : [ECX + 0x0C], 0x03 jmp REPLACE_MEMORY } }
In order for the replace to work you need 0x004A8305 and 0x004A830A ( this you need to set according to your .exe )
Code:Set_Hook(reinterpret_cast<LPVOID>(0x004A8305), reinterpret_cast<LPVOID>(ReplaceMemory), 0xE9); SetMultiByte(reinterpret_cast<PVOID>(0x004A830A), 12, 0x90);
Enjoy!
#define HOOK_SIZE 5
void Set_Hook(LPVOID lpOffset, LPVOID lpFunction, BYTE Type)
{
BYTE TypeMemory[5] = { 0 };
DWORD dwMemPacthed = 0;
SIZE_T MemorySize = 0;
DWORD dwOldProtect = 0;
SIZE_T VirtualSize = 0;
dwMemPacthed = reinterpret_cast<DWORD&>(lpFunction)-reinterpret_cast<DWORD&>(lpOffset)-HOOK_SIZE;
TypeMemory[0] = Type;
MemorySize = sizeof(dwMemPacthed);
memcpy(reinterpret_cast<LPVOID>(&TypeMemory[1]), reinterpret_cast<LPVOID>(&dwMemPacthed), MemorySize);
VirtualSize = sizeof(TypeMemory);
if (VirtualProtect(lpOffset, VirtualSize, PAGE_EXECUTE_READWRITE, &dwOldProtect) != 0)
{
memcpy(reinterpret_cast<void*>(lpOffset), reinterpret_cast<const void*>(TypeMemory), VirtualSize);
}
}
void SetMultiByte(LPVOID dwAddress, USHORT wCount, BYTE btValue)
{
BYTE * lpBuf = 0;
DWORD dwOldProtect = 0;
lpBuf = new BYTE[wCount];
memset(reinterpret_cast<void*>(lpBuf), reinterpret_cast<int&>(btValue), reinterpret_cast<SIZE_T&>(wCount));
if (VirtualProtect(dwAddress, reinterpret_cast<SIZE_T&>(wCount), PAGE_EXECUTE_READWRITE, &dwOldProtect) != 0)
{
memcpy(reinterpret_cast<void*>(dwAddress), reinterpret_cast<LPVOID>(lpBuf), reinterpret_cast<SIZE_T&>(wCount));
}
}
Code:#define HOOK_SIZE 5 void Set_Hook(LPVOID lpOffset, LPVOID lpFunction, BYTE Type) { BYTE TypeMemory[5] = { 0 }; DWORD dwMemPacthed = 0; SIZE_T MemorySize = 0; DWORD dwOldProtect = 0; SIZE_T VirtualSize = 0; dwMemPacthed = reinterpret_cast<DWORD&>(lpFunction)-reinterpret_cast<DWORD&>(lpOffset)-HOOK_SIZE; TypeMemory[0] = Type; MemorySize = sizeof(dwMemPacthed); memcpy(reinterpret_cast<LPVOID>(&TypeMemory[1]), reinterpret_cast<LPVOID>(&dwMemPacthed), MemorySize); VirtualSize = sizeof(TypeMemory); if (VirtualProtect(lpOffset, VirtualSize, PAGE_EXECUTE_READWRITE, &dwOldProtect) != 0) { memcpy(reinterpret_cast<void*>(lpOffset), reinterpret_cast<const void*>(TypeMemory), VirtualSize); } } void SetMultiByte(LPVOID dwAddress, USHORT wCount, BYTE btValue) { BYTE * lpBuf = 0; DWORD dwOldProtect = 0; lpBuf = new BYTE[wCount]; memset(reinterpret_cast<void*>(lpBuf), reinterpret_cast<int&>(btValue), reinterpret_cast<SIZE_T&>(wCount)); if (VirtualProtect(dwAddress, reinterpret_cast<SIZE_T&>(wCount), PAGE_EXECUTE_READWRITE, &dwOldProtect) != 0) { memcpy(reinterpret_cast<void*>(dwAddress), reinterpret_cast<LPVOID>(lpBuf), reinterpret_cast<SIZE_T&>(wCount)); } }
I repeat, this will not help you much
thank you so much,