By ro0ted | April 23, 2015 - 13:38 | Posted in /b/
#ro0ted #OpNewblood What the blackhats dont want you to know: ASM Injecting Part 5

This is part 5 of ASM Injections.

I will be using Notepad++ for this example, a real program.

Load target in Olly:


In most tutorials involving code caves I've shown you that when looking for a code cave you just go to the bottom of the code and you will find them.
For example:


This time we use a script that will automatically find the code caves, aka free memory, for us. Right click and go to Scripts:



After it loads it will tell us how we can find any potential empty caves. Click OK, then cancel the script, as it will keep running:


Now hit Cancel, as the script will keep running:


Now right click > Search for > User Defined Comment:


We get this screen now:


Right click > Search for > All Intermodular Calls:


This screen will pop up:


Find the MessageBoxA function.
If you just start typing on your keyboard (no search dialog box needed), Olly will sort the calls for you:


When we double-click on the MessageBoxA line in the intermodular calls window, we are taken to where that function is called in our program:


In order to call this function ourselves from our code cave, we need to get this address. The way to do that is to click on the “CALL DWORD PTR DS:[<&USER32.MessageBoxA>]” line and hit the space bar. This will bring up the assembly window (as well as the true address):


So we can see that the address we want to call is 14176C8.
Go back to our code cave using the same method:


Now we will start coding our code cave.
You should remember our format.
If not, here it is (MessageBoxA takes hWnd, text, caption and type, so the arguments are pushed in reverse order):

PUSH 0            ; TYPE    = 0 = MB_OK, <OK ONLY>
PUSH 1008751      ; CAPTION = address of the text we wrote into the binary.
PUSH 1008751      ; MESSAGE = same as above.
PUSH 0            ; HWND    = 0, no owner window.
CALL MessageBoxA  ; Run MessageBoxA with the params above.

So highlight some lines:


Right click > Edit > Binary Edit:


Now this will pop up:


Enter any given text:


Click OK and you will see this:


Right click > Analysis > Analyze Code:


Now it will look like this:


Now click the line below, right click > Assemble, and follow the format:


Enter PUSH and the address of the binary we edited (yours will be different, of course):


Enter the same thing twice:


Now right click > Search for > All Intermodular Calls.
Remember the call to the message box?
You are going to want to paste that whole line here.

If you don’t remember, double click that line:


Make sure that line is selected, but click it only once, or else Olly will follow the call to the next operation. Now press the space bar:


Ctrl+X to cut it, then go back to the code cave and paste the text on the next line:


Now this will not run, because execution never returns to the OEP.
OEP = Original Entry Point.
So right click > Go to > Origin.
Copy that address and go back to the code cave, then JMP to that address; or you can even edit the OEP to point at our offset instead.
This is our offset:


Now press play:


That’s about it. Easy.
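As an added defender's check (my own example, not code from the original post), here is a small Python parser that looks for the two traces the procedure above leaves in the file: an entry point moved past the .text section's declared VirtualSize into its padding, and padding bytes that are no longer zero. The PE32 image it runs on is constructed inline, and the names parse_pe32, cave_findings and build_sample are my own.

```python
import struct
# Header layouts from the PE/COFF spec; PE32 only, which is all this check needs.
COFF = "<HHIIIHH"            # IMAGE_FILE_HEADER, 20 bytes
SECT = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe32(pe: bytes):
    """Return (AddressOfEntryPoint, [(name, va, vsize, raw_off, raw_size), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF, pe, coff)
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry = struct.unpack_from("<I", pe, opt + 16)[0]    # AddressOfEntryPoint
    secs = []
    for i in range(nsect):
        name, vsize, va, rawsz, rawoff, *_ = struct.unpack_from(SECT, pe, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, vsize, rawoff, rawsz))
    return entry, secs

def cave_findings(pe: bytes):
    """Heuristics for a redirected OEP: entry in a section's padding, or padding that is no longer zero."""
    entry, secs = parse_pe32(pe)
    findings = []
    if not any(va <= entry < va + max(vsize, rawsz) for _, va, vsize, _, rawsz in secs):
        findings.append(f"entry point {entry:#x} is outside every section")
    for name, va, vsize, rawoff, rawsz in secs:
        if va + vsize <= entry < va + rawsz:
            findings.append(f"entry point {entry:#x} lies in the padding of {name}, past its VirtualSize")
        tail = pe[rawoff + vsize:rawoff + rawsz]           # bytes the linker never declared as code
        if tail.strip(b"\0"):
            findings.append(f"{name}: {len(tail)} padding bytes after VirtualSize are not all zero")
    return findings

def build_sample(entry_rva: int, cave: bytes = b"") -> bytes:
    """Constructed minimal PE32: one .text section, 0x40 bytes of code, padded to a 0x200 raw size."""
    code = b"\x55\x8b\xec" + b"\x90" * 0x3C + b"\xc3"       # push ebp; mov ebp,esp; nops; ret
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0x200, 0, 0, entry_rva, 0x1000, 0x2000, 0x400000)
    coff = struct.pack(COFF, 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = struct.pack(SECT, b".text", len(code), 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0")
    return header + (code + cave).ljust(0x200, b"\0")

CLEAN = build_sample(0x1000)                                 # OEP at the start of the real code
PATCHED = build_sample(0x1040, b"\xCC" * 0x20)               # stand-in bytes in the cave, OEP moved onto them
```

On a real binary read the file into bytes and call cave_findings on it; an empty list means neither trace was found, which is a heuristic, not proof of a clean file.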
