Direct call / jump in ASM without using relative addressing (x86)

I am injecting a C++ DLL into a DLL, and I would like to hook a function to some of my own code. Since the DLL is mapped to a different location each time, it would be easier to have direct jumps and calls. Also, since this is a hook, I don't want to change the stack or registers when I return to the function.

I declare a char * to hold the asm so that I have a pointer to it (char *asm = "\x00";). If you could provide hex, that would save me some time.

I've tried using FF and EA for calls and jumps, but I think I just don't understand how they work. When I used them, I noticed that I now have a colon in the instruction:

JMP FAR FWORD PTR DS:[00000000]

This did not work, and it still did not work after I tried using the pointer to the jump location.

Here is the assembly that I used before I started trying different methods:

01270000    50              PUSH EAX
01270001    57              PUSH EDI
01270002    E8 E9CC1BFF     CALL fwound.0042CCF0
01270007    5F              POP EDI
01270008    58              POP EAX
01270009    50              PUSH EAX                      //replacements
0127000A    8D4C24 7C       LEA ECX,DWORD PTR SS:[ESP+7C] //
0127000E  - E9 36D11BFF     JMP fwound.0042D149

I made this block with Olly, so it knew the appropriate jumps / calls needed at that time.

After the asm is in memory, I have to write two instructions (which are replaced) into the function in order to jump to this location.

So, how can I fix the asm block to use direct jumps and calls?

+3
2 answers

You can encode it as follows (gcc-style / AT&T assembler syntax):

    jmp    *.Ltgtaddr
.Ltgtaddr:  .long absoluteAddrOfFunctionToCall

( 32- x86) - ff 25 jmp 32- , , , () .

: .

, C, . ( 32- x86, , 64-):

#include <sys/mman.h>
#include <stdio.h>

void oneWay(char *str, int arg)
{ printf("string is \"%s\", int is %d\n", str, arg); }

void otherWay(char *str, int arg)
{ printf(str, arg); printf("\n"); }

/* Build a 10-byte trampoline: ff 25 <absolute address of slot>, followed by
 * the 4-byte slot that holds the target address. 32-bit x86 only: here the
 * operand of ff 25 is an absolute address, not RIP-relative as on x86-64. */
void *trampGen(void *tgtAddr)
{
    char *trampoline = mmap(NULL, 10, PROT_EXEC | PROT_WRITE | PROT_READ,
        MAP_PRIVATE | MAP_ANON, -1, 0);
    if (trampoline == MAP_FAILED) { perror("mmap"); return NULL; }
    trampoline[0] = (char)0xff; trampoline[1] = (char)0x25;   /* jmp dword ptr [slot] */
    *(char**)(trampoline+2) = trampoline + 6;                 /* slot sits right after the instruction */
    *(void**)(trampoline+6) = tgtAddr;                        /* slot = target */
    return trampoline;
}

typedef void (*func_t)(char *, int);

int main(int argc, char **argv)
{
    func_t funcptr = (func_t)trampGen((void *)oneWay);
    if (!funcptr) return 1;
    funcptr("Test %d String", 12345);
    /* Retarget by overwriting only the slot; the instruction bytes stay the same. */
    *(void **)(((char *)funcptr) + 6) = (void *)otherWay;
    funcptr("Test %d String", 12345);
    munmap((void *)funcptr, 10);
    return 0;
}

:

$ ./tt
string is "Test %d String", int is 12345
Test 12345 String

, , MMU, . , ...

+4
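To make the difference between the rel32 forms in the asker's OllyDbg listing and the ff 25 / ff 15 absolute-indirect forms from the answer concrete, here is an added example that is not part of the original thread or of any project. It encodes both kinds of CALL and JMP into a byte buffer (no memory is made executable and nothing is run), checks the relative encodings against the E8 E9CC1BFF and E9 36D11BFF bytes shown in the question, and, going beyond the answer, also emits the x86-64 variant where FF 25 is RIP-relative. The 64-bit target address is a constructed placeholder.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Little-endian store helpers. */
static void put32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static void put64(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Relative CALL (E8) / JMP (E9), 5 bytes. rel32 is measured from the end of
 * the instruction, so the same target gives different bytes at every address;
 * that is what makes the Olly-generated block break when it is moved. */
size_t encode_rel32(uint8_t *out, int is_call, uint32_t insn_addr, uint32_t target)
{
    out[0] = is_call ? 0xE8 : 0xE9;
    put32(out + 1, target - (insn_addr + 5));   /* wraps mod 2^32, as the CPU does */
    return 5;
}

/* Absolute indirect CALL (FF 15) / JMP (FF 25) on 32-bit x86, 10 bytes.
 * The disp32 is the absolute address of a 4-byte slot placed right after the
 * instruction, and the slot holds the target. Only the slot address depends on
 * where the block lands; the target is swapped by rewriting the slot. */
size_t encode_abs32(uint8_t *out, int is_call, uint32_t insn_addr, uint32_t target)
{
    out[0] = 0xFF;
    out[1] = is_call ? 0x15 : 0x25;
    put32(out + 2, insn_addr + 6);   /* slot immediately follows the 6-byte instruction */
    put32(out + 6, target);
    return 10;
}

/* Same opcode on x86-64, 14 bytes: FF 25 is RIP-relative there, so disp32 = 0
 * points at the 8-byte slot immediately after the instruction and the bytes are
 * fully position-independent. */
size_t encode_abs64(uint8_t *out, int is_call, uint64_t target)
{
    out[0] = 0xFF;
    out[1] = is_call ? 0x15 : 0x25;
    put32(out + 2, 0);
    put64(out + 6, target);
    return 14;
}

/* Read the target back out of a 32-bit FF 15 / FF 25 sequence built above. */
uint32_t abs32_target(const uint8_t *code)
{
    uint32_t t = 0;
    for (int i = 0; i < 4; i++) t |= (uint32_t)code[6 + i] << (8 * i);
    return t;
}

static void dump(const char *label, const uint8_t *b, size_t n)
{
    printf("%-22s", label);
    for (size_t i = 0; i < n; i++) printf("%02X ", b[i]);
    printf("\n");
}

int main(void)
{
    uint8_t buf[16];
    /* Addresses taken from the OllyDbg listing in the question. */
    dump("rel CALL @01270002:", buf, encode_rel32(buf, 1, 0x01270002u, 0x0042CCF0u));
    dump("rel JMP  @0127000E:", buf, encode_rel32(buf, 0, 0x0127000Eu, 0x0042D149u));
    dump("abs CALL @01270002:", buf, encode_abs32(buf, 1, 0x01270002u, 0x0042CCF0u));
    dump("abs JMP  @0127000E:", buf, encode_abs32(buf, 0, 0x0127000Eu, 0x0042D149u));
    /* Constructed placeholder target for the 64-bit form. */
    dump("abs JMP  x86-64:", buf, encode_abs64(buf, 0, 0x00007FF6DEADBEEFull));
    return 0;
}
```

The pattern is also worth knowing from the other side: an anonymous RWX mapping of a few bytes that starts with FF 25 and points at a slot directly behind itself is exactly what the answer's trampGen() produces, and it is a recognisable shape when reviewing a process's memory map during incident response.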

,
, ( ollydbg), , () () . , , , ss:ebp ( ), ollyDBG.

0

Source: https://habr.com/ru/post/1792152/
