C++ Assembly Question


kolkoo
September 22nd, 2006, 08:17 AM
Ok, I have a DLL that is injected into a process, overwrites the code in memory at one point and jumps to my (naked) function, which does the following:

char *ho;
_asm
{
PUSHFD;
PUSHAD;
mov EAX,DWORD PTR DS:[ESI+8];
mov ho,EAX;
POPFD;
POPAD;
MOV AL,BYTE PTR DS:[EBX+0x11C];

}
MessageBox(::GetForegroundWindow(),ho,"MMOO",MB_OK);

_asm RETN;

So what I am trying to achieve is to copy a variable from the caller function and display it in this one, but it is always empty. When looking at the memory with OllyDbg, this is how it looks:

015E1020 9C PUSHFD
015E1021 60 PUSHAD
015E1022 3E:8B46 08 MOV EAX,DWORD PTR DS:[ESI+8]
015E1026 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
015E1029 9D POPFD
015E102A 61 POPAD
015E102B 3E:8A83 1C010000 MOV AL,BYTE PTR DS:[EBX+11C]
015E1032 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
015E1035 6A 00 PUSH 0
015E1037 68 28215E01 PUSH my.015E2128 ; ASCII "MMOO"
015E103C 50 PUSH EAX
015E103D FF15 C8205E01 CALL DWORD PTR DS:[<&USER32.GetForegroun>; USER32.GetForegroundWindow
015E1043 50 PUSH EAX
015E1044 FF15 C4205E01 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; USER32.MessageBoxA
015E104A C3 RETN

I am not sure what this "3E:" thing is.
Any help would be appreciated.

Krishnaa
September 22nd, 2006, 08:46 AM
3E is part of the opcode of the multibyte MOV instruction.

Are you sure the variable you want to copy is in DS:[ESI+8]? Can you post some example of the function whose variable you are trying to copy?

kumaresh_ana
September 22nd, 2006, 10:03 AM
There is a potential risk in this piece of code:

char *ho;

Change it to this:

char ho[4];

Also, the MessageBox API's second argument is a string. What does the location [esi + 8] hold? If it is a number, then you need to convert the number into a string before passing it to the MessageBox API.

kolkoo
September 22nd, 2006, 11:57 AM
ESI+8 should be a buffer. A packet, to be exact, before it gets encrypted.

MOV AL,BYTE PTR DS:[EBX+0x11C]; -> this is the code I am overwriting.

This is in the original function: MOV AL,BYTE PTR DS:[EBX+11C]. It is 6 bytes, so I use my CALL code, which is 5 bytes, and NOP the other ones. At the end of my function I want to execute this instruction, but I get a "memory could not be read" error and I do not know why, since it is the same piece of code I am overwriting. So even if I got the DWORD PTR [ESI+8] offset wrong, it doesn't matter; I just want to fix the "memory could not be read" error. And is there a way to get rid of the 3E:? I don't want it there. Thanks.

kolkoo
September 23rd, 2006, 05:33 AM
Ok, my last question is: my MOV instructions end up in memory as
3E:8B 46 08, for example, and I want them to look like
8B 46 08 only. How do I achieve that using the _asm command?

kumaresh_ana
September 24th, 2006, 04:54 AM
> ESI+8 Should be a buffer. A packet to be exact before it gets encrypted.

If so, then you cannot use it in the MessageBox API.

> but i get a memory could not be read

This suggests to me that DS is not consistent across function calls. Watch the register in a debugger.

Edit

> Ok my last question is. my MOV instructions go down in memory as
> 3E:8B 46 08 for example and i want them to look
> only
> 8B 46 08 how do I achieve that using the _asm command?

To get rid of 3E you can hard-code the opcode bytes into your program:

byte 0x8b, 0x46, 0x08

instead of using

mov al, byte ptr ds:[ebx+0x11c]

but some compilers may complain. Check the compiler documentation for further information.
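For readers wondering what the "3E:" in the OllyDbg listing is: it is the DS segment override prefix byte, one of the x86 legacy prefixes, and on a DS-default operand such as [ESI+8] it changes nothing except the encoding length. The following C code is an added example, not from the thread or any of its posters: it recognises the legacy prefix bytes and strips them from an encoded instruction so you can see which bytes are the real opcode and operands. The function names are my own.

```c
#include <stddef.h>
#include <stdint.h>

/* Names of the x86 legacy instruction prefixes (groups 1-4).
 * 0x3E is the DS segment override that OllyDbg prints as "3E:". */
static const char *prefix_name(uint8_t b) {
    switch (b) {
    case 0xF0: return "LOCK";
    case 0xF2: return "REPNE";
    case 0xF3: return "REP/REPE";
    case 0x26: return "ES override";
    case 0x2E: return "CS override";
    case 0x36: return "SS override";
    case 0x3E: return "DS override";
    case 0x64: return "FS override";
    case 0x65: return "GS override";
    case 0x66: return "operand-size override";
    case 0x67: return "address-size override";
    default:   return NULL;
    }
}

/* Number of leading legacy prefix bytes in an encoded instruction. */
size_t count_legacy_prefixes(const uint8_t *code, size_t len) {
    size_t n = 0;
    while (n < len && prefix_name(code[n]) != NULL) n++;
    return n;
}

/* First opcode byte after the prefixes (0 if the input is only prefixes). */
uint8_t opcode_byte(const uint8_t *code, size_t len) {
    size_t skip = count_legacy_prefixes(code, len);
    return skip < len ? code[skip] : 0;
}

/* Copy the instruction into out without its legacy prefixes; returns the
 * new length. For a DS-default operand such as [ESI+8] the meaning is
 * unchanged, only the encoding gets shorter (3E 8B 46 08 -> 8B 46 08). */
size_t strip_legacy_prefixes(const uint8_t *code, size_t len,
                             uint8_t *out, size_t out_len) {
    size_t skip = count_legacy_prefixes(code, len), n = len - skip;
    if (n > out_len) n = out_len;
    for (size_t i = 0; i < n; i++) out[i] = code[skip + i];
    return n;
}
```

Feeding it the constructed sample 3E 8B 46 08 from the listing yields one prefix and the three-byte instruction 8B 46 08, which is exactly the shorter form asked about above.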