By ro0ted | April 23, 2015 - 13:38 | Posted in /b/ | 3 Comments
#ro0ted #OpNewblood What the blackhats dont want you to know: ASM Injecting Part 5

This is part 5 of ASM Injections. – https://twitter.com/ro0ted/

I will be using Notepad++ for this example, a real program rather than a crackme.

Load the target in Olly:

[screenshot]

In most of the earlier codecave tutorials I showed you that to find a codecave you just scroll to the bottom of the code section: the padding after the last instruction is a run of zero bytes that nothing uses.
For example:

[screenshot]

This time we use a script that finds the codecaves (unused, zero-filled memory) for us. Right click and go to Scripts:

[screenshot]

[screenshot]

When the script finishes it pops a message telling us how to find the caves it located: it marks each candidate with a user-defined comment. Click OK, then cancel the script, because otherwise it keeps running:

[screenshot]

[screenshot]

Now right click> Search for> User-defined comment:

[screenshot]

We get this screen now, with the caves the script marked:

[screenshot]
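The cave-finding script used in this step is an Olly plugin script. As an added example that is not the page's script, here is the same search written in Python against a PE32 file on disk: it parses the section table itself (no third-party modules), reports every run of zero bytes of at least min_len bytes with its file offset and the virtual address it will have once loaded (the address Olly shows), and flags whether the section is executable, which is the check to make before putting code in a cave. The PE image it scans is a constructed skeleton built inside the script, not Notepad++.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe32(pe):
    """Return (image_base, sections) from a raw PE32 file image.

    Only the fields needed to map file offsets to virtual addresses are read:
    e_lfanew, the section count, the optional-header size, ImageBase and the
    section table.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", pe, hdr)
        flags = struct.unpack_from("<I", pe, hdr + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "raw": raw, "rsize": rsize,
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
        })
    return image_base, sections


def find_caves(pe, min_len=32, fill=(0x00,)):
    """Report every run of at least min_len fill bytes inside a section.

    Each cave comes with its file offset, its virtual address once the image
    is loaded, and whether its section is executable; code placed in a
    non-executable section will not run until the section flags are changed.
    """
    image_base, sections = parse_pe32(pe)
    caves = []
    for s in sections:
        start, end = s["raw"], min(s["raw"] + s["rsize"], len(pe))
        run_start = None
        for i in range(start, end + 1):
            if i < end and pe[i] in fill:
                if run_start is None:
                    run_start = i
                continue
            if run_start is not None and i - run_start >= min_len:
                caves.append({
                    "section": s["name"],
                    "file_offset": run_start,
                    "va": image_base + s["va"] + (run_start - s["raw"]),
                    "length": i - run_start,
                    "executable": s["executable"],
                })
            run_start = None
    return caves


def build_sample_pe():
    """Constructed PE32 skeleton (not a real program): a 4-byte zero run in
    the middle of .text (too short to count), a 0x80-byte cave at the end of
    .text, and a larger non-executable one in .data."""
    image_base = 0x01000000
    text = b"\x55\x8b\xec" + b"\x00" * 4 + b"\x90" * 0x178 + b"\xc3"  # 0x180 bytes
    text += b"\x00" * 0x80                                              # the cave
    data = b"x" * 0x20 + b"\x00" * 0x1E0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)             # ImageBase

    def sec(name, va, vsize, raw, rsize, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, raw, 0, 0, 0, 0, flags)

    secs = sec(b".text", 0x1000, 0x200, 0x200, 0x200, 0x60000020)
    secs += sec(b".data", 0x2000, 0x200, 0x400, 0x200, 0xC0000040)
    headers = bytes(dos) + coff + bytes(opt) + secs
    return headers + b"\x00" * (0x200 - len(headers)) + text + data


if __name__ == "__main__":
    for c in find_caves(build_sample_pe()):
        print("%-6s file 0x%05X  VA 0x%08X  %4d bytes  exec=%s"
              % (c["section"], c["file_offset"], c["va"], c["length"], c["executable"]))
```

To scan a real file, pass `open(path, "rb").read()` to `find_caves` instead of the sample. The `executable` flag is the one to look at before choosing a cave: the padding at the end of .text is usable as it is, while a cave in .data needs the section made executable first.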

Right click> Search for> All intermodular calls:

[screenshot]

This screen will pop up:

[screenshot]

Find the MessageBoxA function. With that window focused you can just start typing the name; no search dialog is needed, Olly jumps to the matching entry for you:

[screenshot]

When we double-click the MessageBoxA line in the intermodular calls window, we are taken to the place in the program where that function is called:

[screenshot]

To call this function ourselves from our codecave we need that address. Click the “CALL DWORD PTR DS:[<&USER32.MessageBoxA>]” line and hit the space bar. This brings up the Assemble window with the instruction written out using the real address instead of the symbolic name:

[screenshot]

So the address we want is 14176C8. Note what it is: not MessageBoxA itself but the import table slot where the loader stores MessageBoxA's address, and CALL DWORD PTR DS:[14176C8] reads the pointer out of that slot at run time. That is why we copy the whole indirect CALL instruction rather than writing CALL 14176C8.
Go back to our codecave using the same method (Search for> User-defined comment):

[screenshot]

Now we will start coding our codecave.
You should remember our format. If not, here it is again. MessageBoxA takes (hWnd, lpText, lpCaption, uType) and stdcall pushes the arguments right to left, so the last PUSH before the CALL is the owner window handle; an icon is not a separate argument, its flag is OR'ed into the same value as the buttons:

PUSH 0            ; UTYPE    = MB_OK (buttons, plus an icon flag if you want one)
PUSH 1008751      ; CAPTION  = address of the string we write into the binary
PUSH 1008751      ; MESSAGE  = same address as above
PUSH 0            ; HWND     = no owner window
CALL MessageBoxA  ; run MessageBoxA with the params above

So highlight a few lines of the cave, enough bytes for your text plus at least one zero byte after it, because MessageBoxA expects a null-terminated string:

[screenshot]

Right click> Binary> Edit:

[screenshot]

Now this will pop up:

[screenshot]

Enter any text you like:

[screenshot]

Click OK and you will see this:

[screenshot]

Right click> Analysis> Analyse code:

[screenshot]

Now it will look like this:

[screenshot]

Now click the first line below the string, right click> Assemble, and enter the instructions in the format above, starting with PUSH 0:

[screenshot]

Enter PUSH followed by the address where you wrote the string; yours will differ from mine, of course:

[screenshot]

Enter the same PUSH a second time (caption and message), then the final PUSH 0 for the window handle:

[screenshot]

Now right click> Search for> All intermodular calls again.
Remember the call to the message box?
You want that whole CALL line, exactly as Olly writes it, in the cave.

[screenshot]

If you don't remember it, double-click that line:

[screenshot]

From here on click the CALL line only once; double-clicking it again would follow the call into the next instruction. Now press the space bar:

[screenshot]

Select the instruction text in the Assemble dialog, Ctrl+C to copy it, and cancel the dialog. Go back to the codecave, right click> Assemble on the line after the last PUSH, and paste it in:

[screenshot]

This still will not run as intended: after the CALL there is nothing that hands control back to the program, and nothing jumps into the cave yet.
OEP = Original Entry Point, the first instruction the program executes when it starts.
Right click> Go to> Origin to land on it, copy its address, go back to the end of the codecave and assemble JMP <that address>. To get into the cave in the first place, edit the OEP (the entry point in the PE header) to our offset; the JMP at the end of the cave then continues the program from its original entry point, so none of the original code is lost.
This is our offset:

[screenshot]

Now press play (F9):

[screenshot]

That's about it. Easy. Keep in mind that assembling in Olly only changes the copy of the program in memory; to keep the patch, right click> Copy to executable> All modifications, then save the new file.
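As an added worked example (not part of the page), the Python below encodes the finished cave byte for byte the way Olly's assembler does, so you can see what each step above actually writes: the string with its terminator, the short and long PUSH encodings, the indirect CALL through the 14176C8 import slot from the walkthrough, and the JMP back to the OEP, whose rel32 displacement is computed from where the JMP itself sits. Two things are assumptions: the OEP value 01003A14 is a stand-in because the page does not print Notepad++'s entry point, and the PUSHAD/POPAD pair around the call is added here (the page's listing does not have it) so the registers are the same at the OEP as they would have been without the cave. The string address 1008751 is the one from the page.

```python
import struct

# Values from the walkthrough: the string goes at 1008751 and the import slot
# the program's own CALL reads MessageBoxA's pointer from is 14176C8.
STRING_VA = 0x01008751
MESSAGEBOXA_SLOT = 0x014176C8
# Assumed original entry point; the page does not print it, so this is a stand-in.
OEP = 0x01003A14


def push_imm(value):
    """PUSH imm32 (68 id), or the short PUSH imm8 form (6A ib) that Olly
    picks for small values such as PUSH 0."""
    if -128 <= value <= 127:
        return b"\x6a" + struct.pack("<b", value)
    return b"\x68" + struct.pack("<I", value & 0xFFFFFFFF)


def call_indirect(slot):
    """CALL DWORD PTR DS:[slot] (FF 15 disp32): the CPU loads the real
    function address from the import slot, so the slot, not the function,
    is what gets hard-coded."""
    return b"\xff\x15" + struct.pack("<I", slot)


def jmp_rel32(jmp_va, target_va):
    """JMP rel32 (E9 cd): the displacement is relative to the *next*
    instruction, so it depends on where the JMP itself sits."""
    return b"\xe9" + struct.pack("<i", target_va - (jmp_va + 5))


def build_cave(string_va, text, slot, oep, save_regs=True):
    """Lay the cave out the way the walkthrough does: string first, then the
    MessageBoxA call, then a JMP back to the original entry point.
    Returns a list of (va, bytes, listing_text), one entry per line Olly
    would show."""
    s = text.encode("ascii") + b"\x00"              # MessageBoxA needs the terminator
    lines = [(string_va, s, 'DB "%s",0' % text)]
    va = string_va + len(s)
    code = []
    if save_regs:
        code.append((b"\x60", "PUSHAD"))            # keep the startup registers intact (assumed addition)
    code += [
        (push_imm(0), "PUSH 0"),                    # uType = MB_OK
        (push_imm(string_va), "PUSH %08X" % string_va),  # lpCaption
        (push_imm(string_va), "PUSH %08X" % string_va),  # lpText
        (push_imm(0), "PUSH 0"),                    # hWnd = NULL
        (call_indirect(slot), "CALL DWORD PTR DS:[%08X]" % slot),
    ]
    if save_regs:
        code.append((b"\x61", "POPAD"))
    for b, txt in code:
        lines.append((va, b, txt))
        va += len(b)
    lines.append((va, jmp_rel32(va, oep), "JMP %08X" % oep))  # back to the OEP
    return lines


def cave_bytes(lines):
    """The raw bytes to write into the cave, in order."""
    return b"".join(b for _, b, _ in lines)


if __name__ == "__main__":
    for va, b, txt in build_cave(STRING_VA, "Injected!", MESSAGEBOXA_SLOT, OEP):
        print("%08X  %-24s %s" % (va, b.hex().upper(), txt))
```

Run it to print an Olly-style listing. Change OEP to the value Go to> Origin shows you and only the JMP bytes change, which is why the JMP is assembled last, after everything in front of it is in place and its own address is known.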

ro0ted

The series so far (in order):

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as Malwr.com

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way

Visual Basic Binaries Walk Through Part 1

Ollydbg on Steroids

Creating Patchers Part 1

Have you supported the gas mask campaign over the years?

Crack to win a gas mask gift pack

How to edit a register me crack me Pre Part 1

Unwinding Delphi Binaries Walk Through if not Preview

Cracking Delphi Part 2

Reversing Timed Trials: Ollydbg Tricks Part 3

Analyzing Adware

Preview Against Debugging

Bypassing Registering 101

Bypassing Part 2

Android/iOS Reversing

Introducing IDA Pro: Static Analyzing

Hacker’s Disassembler

Ripping Apart Adware

Never trust Warez or Cracked Programs: Reversing a Crypted IRC bot infected file

IDA PRO Book

Unpacking & Crypting there is a difference

Covert Debugging whitepaper from blackhat.com

Manually Unpacking with Ollydbg

Manually Unpacking Part 2

Manually Unpacking 101

ASM Injecting

ASM Injecting Part 2

ASM Injecting Part 3: Crypt your malicious file

Reversing Trials

Adding Your Menu

ASM Injecting Part 4

ASM Injecting Part 5 +
