Im injecting some code into a msn, but i need to be able to create a "call" and a "jmp" op code to the address that its located at as it is all dynamically allocated work and im not sure how to do this in x86 im a MIPS guy

Take a look at how the call naturally happens. Even if the function is dynamically allocated, you should see a heap of steps for working out the location of the function and loading that into the registers for the call.

Wait, what exactly are you doing?

AFAIK, function calls are somewhat language specific as well as architecture, so you might need to consult instructions for the language the program was originally written in.

PS

Googling turns up resources like this.

i said x86 as in Intel x86 used by 90% of the worlds PCs...I have my code already written and i am able to inject it by dynamically allocating memory and get the pointer (which will always change), therefore i must be able to create a "jmp" instruction for this address pointing to the function

The easiest solution is to use a program such as ollydbg and find a random spot to construct some temporary asm.  The actual bytes for the command will be next to the character representation for the command.

If my memory serves me correctly, a standard 5 byte offset JMP command is 0xE9 followed by the 4 byte little endian offset to the function from the end of the current command.  (jmp address - current address - length of command)
so

33333333   jmp 0x12345678
would turn out (0x12345678 - 0x33333333 - 5)

E9 DF012340
0xE9 0x40 0x23 0x01 0xDF

quote:

---

Originally posted by effection
i said x86 as in Intel x86 used by 90% of the worlds PCs...I have my code already written and i am able to inject it by dynamically allocating memory and get the pointer (which will always change), therefore i must be able to create a "jmp" instruction for this address pointing to the function

---

well thing is im overwriting an op code with an opcode that is bigger so its overwriting the following line which is a "call whereever" so at the end of my code it must be placed so the function is called.

Is there any way of doing this from a DLL in C(++) im pretty familiar with it but not with creating DLLs, i need to be able to hook the process so i can write memory to it or is there any better methods of doing this? I can then call this from wlmplus

quote:

---

Originally posted by effection
well thing is im overwriting an op code with an opcode that is bigger so its overwriting the following line which is a "call whereever" so at the end of my code it must be placed so the function is called.

Is there any way of doing this from a DLL in C(++) im pretty familiar with it but not with creating DLLs, i need to be able to hook the process so i can write memory to it or is there any better methods of doing this? I can then call this from wlmplus

---

well im pushing and poping the registers im using anyway so i dont think it will affect it, but i am however having trouble creating these instructions in javascript i think i can create one of the needed jumps okay but the other 2 are very very incorrect

Sorry for a double post but i need an answer

I can't work out how to write this JMP to allocated memory in C ive got this but im unsure if its correct ( i dont think it is)

code:

---

unsigned char *__w64 temp = (&fnc_memory-Hook_Address-5) | 0xE900000000;

---

I'm not sure if this is what Verte means (if so slap me), but can't you overwrite the original opcode (the one you overwrite now anyways) with an unconditional jump to your instructions and at the end of your instructions unconditionally jump back to the opcode after the one you've overwritten? In that way you only need to replace 1 opcode and don't need to call anything else...

If I read it correctly you want to do:
original opcode 1
original opcode 2
original opcode 3
original opcode 4         \ replaced with other opcode and jmp to your code:
original call wherever   /             line1: blahblah
original opcode 6                       line 2: blahblah
original opcode 7                       line 3: original call wherever

But can't you do:
original opcode 1
original opcode 2
original opcode 3
original opcode 4        -- replaced with only a jmp to your code:
original call wherever                   line1: blahblah
original opcode 6                         line 2: blahblah
original opcode 7                         line 3: jmp back to 'original call' line

If I'm talking gibberish, than it maybe is, so ignore it in that case

PS: all this can be done from within Plus! scripting itself though, you don't need any DLL for this, only your compiled ASM code (as a byte string) which you're injecting and the CallWindowProc API.

All this makes me also very curious to what you're brewing

I almost drew that exact diagram myself, although I thought you may need an extra operation to resolve the address of the function [but I think maybe I'm being pedantic].

Why should 64 bit alignment be a problem? I think it should be nice and simple like

asm (jmp $0xE900000000)

make sure you can get back to the original code to!

edit: I mean, you can maybe align it with nops or instructions that don't get touched anyway? create as much breathing room as you need.

non of you understand this at all

in my first attempt in javascript...
ive allocated some memory for my function,.
Put each individual instruction into an array (in hex of course)
Used a for(i in Patch_Function) to help store each instruction into the allocated memory like so

code:

---

var BuffAddr = FunctionBuffer.DataPtr;
for(var i = 0; i < Patch_Function.length; i++){
        Patch(BuffAddr, Patch_Function[i]);
        BuffAddr += Patch_Function[i].length;
    }

---

code:

---

Hook_JMP = Interop.Allocate;
    var tmp = Interop.Allocate;
    tmp.WriteDWORD(1, FunctionBuffer.DataPtr-Hook_Address-5);
   
    var tmpbyte = tmp.GetAt(0);
    Hook_JMP.SetAt(5,tmpbyte);
   
    tmpbyte = tmp.GetAt(1);
    Hook_JMP.SetAt(4,tmpbyte);
   
    tmpbyte = tmp.GetAt(2);
    Hook_JMP.SetAt(3,tmpbyte);
   
    tmpbyte = tmp.GetAt(3);
    Hook_JMP.SetAt(2,tmpbyte);
   
    tmpbyte = tmp.GetAt(4);
    Hook_JMP.SetAt(0,tmpbyte);
   
    Hook_JMP.SetAt(0,0xE9);

---

Oh no, I understood what you meant. I just thought you said you had the function there. If the location of the function is variable, then you will need to jump to the first instruction to be executed, for example, asm(jmp pointer_to_my_function).

Now, the thing that I am NOT understanding is how you're executing this. I was assuming that you've got a compiled program and you want to call your function from it at some point. This would mean you need to replace some instructions in the original program. How are you editing the program in Javascript? Have you got it also in a data array?

Because, in that case, this is what you could do, which is what I was saying. At some point, your function will be allocated into memory. And at that point, you can get it's location. The method will be different for different methods of allocation. It seems that you've got this function in memory from javascript, and you've got access to that data from +. Is this right so far?

Okay  I can access the location of the allocated function ( using interop.alloc) i have viewed it will Ollydbg and it is definitely copied there correctly. The way i am calling it is as you say replacing a current opp with a JMP to the allocated function. The problem comes in creating the JMP code. If you could possibly give me some help in creating this as my attempts so far have failed, even if its C or C++ code i dont mind as i can easily implement this into a dll that i can call with the interop object

I'm not quite sure if using the Interop.Allocate function is safe enough for this though. Maybe you're better of using the memory allocation APIs from windows directly. In that way you know exactly where you're doing what. And you can perfectly control the scope and lifetime of the allocated memory.


EDIT:

quote:

---

Originally posted by effection
non of you understand this at all

---

Dynamic linking is not something I've done by hand before, but I don't think it will be much fun. Still, there's bound to be a dll interface definition on the internet somewhere.

ive got it all sorted thanks to some help from deAd

Nice! What did you end up doing?

I just did what i was always doing but there was something originally wrong with my Call creation code which i never could work out but it fixed itself eventually