By ro0ted | April 23, 2015 - 13:38 | Posted in /b/
#ro0ted #OpNewblood What the blackhats don't want you to know: ASM Injecting Part 5
This is part 5 of ASM Injections. – https://twitter.com/ro0ted/
I will be using Notepad++ for this example, a real program.
Load target in Olly:
In most tutorials involving codecaves I've shown you that, when looking for a codecave, you just go to the bottom of the code and you will find them there.
This time we use a script that will automatically find the codecaves (aka free memory) for us. Right click and go to Scripts:
After it loads it will tell us how we can find any potential empty caves. Click OK:
Now hit Cancel, as the script will otherwise keep running:
Now right click> Search for User Defined Comment:
We get this screen now:
Right click> Search for> All Intermodular Calls:
This screen will popup:
Find the MessageBoxA function.
If you just start typing on your keyboard, with no search dialog needed, Olly will sort through the calls for you:
When we double-click on the MessageBoxA line in the intermodular calls window, we are taken to where that function is called in our program:
In order to call this function ourselves from our codecave, we need to get this address. The way to do that is to click on the "CALL DWORD PTR DS:[<&USER32.MessageBoxA>]" line and hit the space bar. This will bring up the assembly window (as well as the true address):
So we can see that the address we want to call is 14176C8.
Go back to our codecave using the same method:
Now we will start coding our codecave.
You should remember our format.
If not, here it is:
PUSH 0 ; BUTTONS = <OK ONLY>
PUSH 1008751 ; CAPTION = Our address of the binary we edited.
PUSH 1008751 ; MESSAGE = Same as above.
PUSH 0 ; HWND = <NO OWNER WINDOW> (the icon style is part of the first PUSH; 0 means no icon)
CALL MessageBoxA ; Run MessageBoxA with the params above.
So highlight some lines:
Right click> Edit Binary:
Now this will pop up:
Enter any given text:
Click okay> Now you will see this:
Right Click> Analysis> Analyze Code:
Now it will look like this:
Now click the line below, right click> Assemble, and follow the format:
Enter PUSH and the address of the binary we edited; yours will be different, of course:
Enter the same thing twice (once for the caption, once for the message):
Now right click Search For> All Intermodular Calls.
Remember the call to the message box?
You are going to want to paste that whole line here.
If you don’t remember…
Double click that line:
Make sure that line is clicked, only once though, or else it will follow the call to the next operation. Now press the space bar:
Ctrl + X to cut it> Now go back to the codecave and paste the text on the next line:
Now this will not run yet, because the OEP is not referenced.
OEP = Original Entry Point.
So right click> Go to> Origin:
Copy the address, go back to the codecave and JMP to that address, or you can even edit the OEP to point at our offset.
This is our offset:
Now press play:
That’s about it. Easy.
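The two hallmarks of the patch above (code living in a zero-filled cave, and the entry point moved onto it) are also what a defender can look for. The following Python script is an added example, not part of the original post: it parses a 32-bit PE's section table, finds runs of zero bytes the way the Olly script does, and flags an entry point that sits in section slack or next to such a run. The `build_sample_pe` helper fabricates a minimal, constructed PE (not Notepad++) so the check runs offline; the 64-byte "just ahead of the zeros" window is a heuristic I chose, not a PE constant.

```python
import struct

def parse_pe(pe):
    """Return (entry_rva, [(name, vaddr, vsize, roff, rsize)]) from a 32-bit PE image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", pe, e_lfanew + 6)[0], struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    entry_rva = struct.unpack_from("<I", pe, e_lfanew + 40)[0]  # AddressOfEntryPoint: 24-byte PE header + 16
    hdrs = (struct.unpack_from("<8sIIII", pe, e_lfanew + 24 + opt_size + 40 * i) for i in range(nsec))
    sections = [(n.rstrip(b"\0").decode(), va, vs, ro, rs) for n, vs, va, rs, ro in hdrs]
    return entry_rva, sections

def find_caves(pe, sections, min_len=32):
    """List (section, rva, length) for every run of at least min_len zero bytes in raw section data."""
    caves = []
    for name, vaddr, vsize, roff, rsize in sections:
        start = None
        for i, b in enumerate(pe[roff:roff + rsize] + b"\x01"):  # sentinel closes a trailing run
            if b == 0 and start is None:
                start = i
            elif b != 0 and start is not None:
                if i - start >= min_len:
                    caves.append((name, vaddr + start, i - start))
                start = None
    return caves

def check_entry_point(pe):
    """Findings that suggest the entry point was redirected into a cave; an empty list means nothing odd."""
    entry, sections = parse_pe(pe)
    owner = next((s for s in sections if s[1] <= entry < s[1] + max(s[2], s[4])), None)
    if owner is None:
        return ["entry point 0x%x is outside every section" % entry]
    findings = []
    if entry >= owner[1] + owner[2]:  # past VirtualSize: the file-alignment slack that caves are carved from
        findings.append("entry point 0x%x is in the slack of %s" % (entry, owner[0]))
    for name, rva, length in find_caves(pe, sections):
        if rva - 64 <= entry < rva + length:  # patched code sits inside or just ahead of the leftover zeros
            findings.append("entry point 0x%x borders a zero run at 0x%x (%d bytes) in %s" % (entry, rva, length, name))
    return findings

def build_sample_pe(entry_rva):
    """Constructed minimal PE (not a real program): one .text section, 0x80 bytes of code then 0x180 zeros."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, entry_rva)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x80, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(0x200, b"\0")
    return header + bytes(range(1, 0x81)).ljust(0x200, b"\0")
```

`check_entry_point(build_sample_pe(0x1000))` returns no findings, while `0x1100` (an entry point moved into the cave, as in the last step above) returns two; on real binaries treat the result as a triage hint, since packers and tiny programs produce false positives.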