MsgHelp Archive » Skype & Technology » Tech Talk
creating an asm opcode
effection
O.P. creating an asm opcode
I'm injecting some code into MSN, but I need to be able to create a "call" and a "jmp" opcode to the address it's located at, as it is all dynamically allocated, and I'm not sure how to do this in x86; I'm a MIPS guy :(

This post was edited on 06-26-2007 at 10:07 AM by effection.
06-25-2007 12:25 PM
Verte
RE: creating an asm opcode
Take a look at how the call naturally happens. Even if the function is dynamically allocated, you should see a heap of steps for working out the location of the function and loading that into the registers for the call.

Wait, what exactly are you doing?

AFAIK, function calls are somewhat language specific as well as architecture, so you might need to consult instructions for the language the program was originally written in.

PS

Googling turns up resources like this.

This post was edited on 06-25-2007 at 03:52 PM by Verte.
was put impeccably into words at DebianDay for me last Saturday, by Knut Yrvin of Trolltech - adults try something once, fail, and then are like "ffs this doesn't work". Children try, fail, and then try again, and succeed - maybe on the second, or even fifth retry. But the thing is that they keep at it and overcome the problems in the end.

-andrewdodd13
06-25-2007 03:26 PM
effection
O.P. RE: creating an asm opcode
I said x86 as in Intel x86, used by 90% of the world's PCs... I have my code already written and I am able to inject it by dynamically allocating memory and getting the pointer (which will always change); therefore I must be able to create a "jmp" instruction for this address pointing to the function.
06-25-2007 08:03 PM
TheSteve
RE: creating an asm opcode
The easiest solution is to use a program such as OllyDbg and find a random spot to construct some temporary asm. The actual bytes for the command will be next to the character representation of the command.

If my memory serves me correctly, a standard 5 byte offset JMP command is 0xE9 followed by the 4 byte little endian offset to the function from the end of the current command.  (jmp address - current address - length of command)
so

33333333   jmp 0x12345678
would turn out (0x12345678 - 0x33333333 - 5)

E9 DF012340
0xE9 0x40 0x23 0x01 0xDF
06-26-2007 12:21 AM
Verte
RE: RE: creating an asm opcode
quote:
Originally posted by effection
I said x86 as in Intel x86, used by 90% of the world's PCs... I have my code already written and I am able to inject it by dynamically allocating memory and getting the pointer (which will always change); therefore I must be able to create a "jmp" instruction for this address pointing to the function.


A call is not always a simple jmp; depending on the original language it may be the caller or the callee that sets up the new stack, saves the register state, etc.

Pick a compiler and compile C code only to ASM, and have it call your function. In the resulting ASM, it should have something like "call <function@whatever>", with the @ meaning it's linked somewhere to be determined at runtime. I'm not entirely sure how it works.

I know what you mean by x86 and MIPS, but it's not a processor-specific feature that finds the pointer to your function; it's one of calling convention, which is language specific. You could make up any crazy call functionality you like, for example passing input or output values in registers, just as easily on either architecture [well, not quite true, MIPS having more registers IIRC], but what you want is the ASM calling convention of the function you've written, which should be obvious from the ASM you're reading now, or, if not, from ASM you can easily generate by compiling an example.

Having never used Ollydbg myself, I can only agree with TheSteve's comment, as you're less likely to get yourself into trouble using a program that's designed specifically for what you're trying to do. But I think it might be good for you, effection, to work out the calling convention used by your function.
06-26-2007 09:17 AM
effection
O.P. RE: creating an asm opcode
Well, the thing is I'm overwriting an opcode with an opcode that is bigger, so it's overwriting the following line, which is a "call wherever", so at the end of my code it must be placed so the function is called.

Is there any way of doing this from a DLL in C(++)? I'm pretty familiar with it but not with creating DLLs. I need to be able to hook the process so I can write memory to it, or is there any better method of doing this? I can then call this from wlmplus.

This post was edited on 06-26-2007 at 10:07 AM by effection.
06-26-2007 10:04 AM
Verte
RE: RE: creating an asm opcode
quote:
Originally posted by effection
Well, the thing is I'm overwriting an opcode with an opcode that is bigger, so it's overwriting the following line, which is a "call wherever", so at the end of my code it must be placed so the function is called.

Is there any way of doing this from a DLL in C(++)? I'm pretty familiar with it but not with creating DLLs. I need to be able to hook the process so I can write memory to it, or is there any better method of doing this? I can then call this from wlmplus.


The way I would think to do it is replace the last two operations you were doing with an operation to save the instruction pointer and an unconditional jump into free space. At the free space, do the two instructions you replaced before calling the function, which you can do now that you're not disturbing the regular instruction sequence.
06-26-2007 10:24 AM
effection
O.P. RE: creating an asm opcode
Well, I'm pushing and popping the registers I'm using anyway, so I don't think it will affect it, but I am however having trouble creating these instructions in JavaScript; I think I can create one of the needed jumps okay but the other 2 are very, very incorrect.

Sorry for a double post, but I need an answer.

I can't work out how to write this JMP to allocated memory in C. I've got this but I'm unsure if it's correct (I don't think it is):

code:
unsigned char *__w64 temp = (&fnc_memory-Hook_Address-5) | 0xE900000000;
* I found out that this method won't work since it's 64 aligned.
06-27-2007 03:45 PM
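Worked example, added here and not part of TheSteve's or effection's posts: the rel32 arithmetic TheSteve describes, written as C that assembles the five bytes into a buffer, which is what the single-integer expression in the post above is trying to do. The addresses are the ones from TheSteve's post plus a few constructed ones; the function names are mine, and the 64-bit reachability check is a caveat for newer targets, not something the thread needed for the 32-bit Messenger build.

```c
#include <stddef.h>
#include <stdint.h>

/* x86 near relative jmp (E9) and call (E8): one opcode byte followed by a
 * little-endian 32-bit displacement counted from the END of the 5-byte
 * instruction, i.e.  rel32 = target - (address_of_instruction + 5)  mod 2^32.
 * Doing the subtraction in uint32_t yields the two's-complement value for
 * backward jumps without any special casing. */
uint32_t rel32_for(uint32_t from, uint32_t to)
{
    return to - (from + 5u);
}

/* Write the five instruction bytes for a jmp/call that will sit at `from`. */
size_t emit_rel32(uint8_t out[5], uint8_t opcode, uint32_t from, uint32_t to)
{
    uint32_t rel = rel32_for(from, to);
    out[0] = opcode;
    out[1] = (uint8_t)(rel);
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
    return 5;
}
size_t emit_jmp(uint8_t out[5], uint32_t from, uint32_t to)  { return emit_rel32(out, 0xE9, from, to); }
size_t emit_call(uint8_t out[5], uint32_t from, uint32_t to) { return emit_rel32(out, 0xE8, from, to); }

/* Inverse: given the five bytes of an instruction located at `at`, recover its
 * absolute target. Returns 0 if the first byte is not a near jmp/call; the bytes
 * you are about to overwrite or copy elsewhere deserve this check first. */
int decode_rel32(const uint8_t ins[5], uint32_t at, uint32_t *target)
{
    if (ins[0] != 0xE8 && ins[0] != 0xE9)
        return 0;
    uint32_t rel = (uint32_t)ins[1] | ((uint32_t)ins[2] << 8)
                 | ((uint32_t)ins[3] << 16) | ((uint32_t)ins[4] << 24);
    *target = at + 5u + rel;
    return 1;
}

/* The 2-byte short form (EB rel8) only reaches -128..+127 from the end of the
 * instruction, so it cannot reach a freshly allocated buffer. */
int short_jmp_reachable(uint32_t from, uint32_t to)
{
    int32_t rel = (int32_t)(to - (from + 2u));
    return rel >= -128 && rel <= 127;
}

/* In a 64-bit process rel32 still exists but only spans +/-2 GiB; a buffer the
 * allocator placed farther away needs an absolute jump (e.g. FF 25 [rip+0])
 * instead. Assumed caveat for newer targets, not a concern in the thread. */
int rel32_reachable(uint64_t from, uint64_t to)
{
    int64_t d = (int64_t)(to - (from + 5u));
    return d >= INT32_MIN && d <= INT32_MAX;
}

/* TheSteve's numbers: a jmp located at 0x33333333 going to 0x12345678. */
size_t thesteve_example(uint8_t out[5])
{
    return emit_jmp(out, 0x33333333u, 0x12345678u);   /* E9 40 23 01 DF */
}
```

Writing the bytes into memory you allocated in your own process is just a memcpy of `out`; into another process it is WriteProcessMemory after VirtualProtect has made the page writable. The decode direction matters as soon as the instruction you clobber is itself a call or jmp: its displacement is only meaningful at its original address.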
CookieRevised
RE: creating an asm opcode
I'm not sure if this is what Verte means (if so slap me), but can't you overwrite the original opcode (the one you overwrite now anyways) with an unconditional jump to your instructions and at the end of your instructions unconditionally jump back to the opcode after the one you've overwritten? In that way you only need to replace 1 opcode and don't need to call anything else...

If I read it correctly you want to do:
original opcode 1
original opcode 2
original opcode 3
original opcode 4         \ replaced with other opcode and jmp to your code:
original call wherever   /             line1: blahblah
original opcode 6                       line 2: blahblah
original opcode 7                       line 3: original call wherever

But can't you do:
original opcode 1
original opcode 2
original opcode 3
original opcode 4        -- replaced with only a jmp to your code:
original call wherever                   line1: blahblah
original opcode 6                         line 2: blahblah
original opcode 7                         line 3: jmp back to 'original call' line

If I'm talking gibberish, then maybe it is, so ignore it in that case :p

PS: all this can be done from within Plus! scripting itself though; you don't need any DLL for this, only your compiled ASM code (as a byte string) which you're injecting, and the CallWindowProc API.

All this makes me also very curious to what you're brewing :p

This post was edited on 06-27-2007 at 11:52 PM by CookieRevised.
.-= A 'frrrrrrrituurrr' for Wacky =-.
06-27-2007 11:48 PM
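Added example in C, not from the thread or from Plus!: the layout CookieRevised sketches, built in a buffer that stands in for the memory effection allocates. If the instruction being overwritten were itself 5 bytes or longer, the "jmp back to the original call line" layout works as drawn and nothing has to move; the code below handles the case effection actually describes, where the 5-byte jmp spills into the following "call wherever". The extra step Verte suspected is real: the stolen call is relative, so copying its bytes into the trampoline is not enough, its rel32 has to be recomputed for the new address, and so does the jmp back. The addresses (0x401003, 0x402000, 0x500000), the two stolen instructions, and the three-byte stand-in payload are constructed for the walk-through; no instruction-length decoder is included, the lengths are supplied by hand.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical addresses for the walk-through (assumptions, not from the thread). */
#define HOOK_VA   0x00401003u  /* patch site: 'push 0' followed by 'call 0x402000' */
#define CALLEE_VA 0x00402000u  /* target of the original call */
#define TRAMP_VA  0x00500000u  /* where the allocator happened to put our buffer */

/* One stolen instruction: its length, and whether its last four bytes are a
 * rel32 that must be recomputed when the instruction moves. */
struct insn { uint8_t len; uint8_t has_rel32; };

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* E9 (jmp) / E8 (call): displacement is relative to the end of the 5-byte instruction. */
static size_t emit_rel32(uint8_t *out, uint8_t opcode, uint32_t at, uint32_t target)
{
    out[0] = opcode;
    put32(out + 1, target - (at + 5u));
    return 5;
}

/* Trampoline = [payload][stolen instructions, rel32 fixed up][jmp back to hook_va + stolen_len].
 * Returns the number of bytes written into tramp (which lives at tramp_va). */
size_t build_trampoline(uint8_t *tramp, uint32_t tramp_va,
                        const uint8_t *payload, size_t payload_len,
                        const uint8_t *stolen, const struct insn *insns, size_t n_insns,
                        uint32_t hook_va)
{
    size_t off = 0, src = 0;
    memcpy(tramp, payload, payload_len);
    off += payload_len;
    for (size_t i = 0; i < n_insns; i++) {
        memcpy(tramp + off, stolen + src, insns[i].len);
        if (insns[i].has_rel32) {
            /* absolute target as seen from the instruction's ORIGINAL location ... */
            uint32_t target = hook_va + (uint32_t)src + insns[i].len
                            + get32(stolen + src + insns[i].len - 4);
            /* ... re-encoded relative to its NEW location inside the trampoline */
            put32(tramp + off + insns[i].len - 4,
                  target - (tramp_va + (uint32_t)off + insns[i].len));
        }
        off += insns[i].len;
        src += insns[i].len;
    }
    /* resume at the first instruction we did not steal */
    off += emit_rel32(tramp + off, 0xE9, tramp_va + (uint32_t)off, hook_va + (uint32_t)src);
    return off;
}

/* Patch site: jmp to the trampoline, then NOPs over the rest of the stolen bytes
 * so a disassembler (or a thread landing mid-way) never sees half an instruction. */
size_t build_patch(uint8_t *out, uint32_t hook_va, uint32_t tramp_va, size_t stolen_len)
{
    size_t n = emit_rel32(out, 0xE9, hook_va, tramp_va);
    while (n < stolen_len)
        out[n++] = 0x90;
    return n;
}

/* Constructed sample: a 2-byte 'push 0' hooked with a 5-byte jmp, which clobbers
 * the following 'call 0x402000', exactly the situation effection describes. */
static const uint8_t sample_stolen[7] = {
    0x6A, 0x00,                    /* push 0 */
    0xE8, 0xF6, 0x0F, 0x00, 0x00   /* call 0x402000 (rel32 = 0x402000 - 0x40100A) */
};
static const struct insn sample_insns[2] = { {2, 0}, {5, 1} };
static const uint8_t sample_payload[3] = { 0x60, 0x90, 0x61 }; /* pushad; nop; popad (stand-in) */

size_t demo_trampoline(uint8_t out[32])
{
    return build_trampoline(out, TRAMP_VA, sample_payload, sizeof sample_payload,
                            sample_stolen, sample_insns, 2, HOOK_VA);
}
size_t demo_patch(uint8_t out[16])
{
    return build_patch(out, HOOK_VA, TRAMP_VA, sizeof sample_stolen);
}
/* Target of the E8/E9 that starts at byte `off` of `buf`, when `buf` is mapped at `va`. */
uint32_t rel32_target(const uint8_t *buf, size_t off, uint32_t va)
{
    return va + (uint32_t)off + 5u + get32(buf + off + 1);
}
```

Order of operations on a live process: allocate and fill the trampoline first, then write the patch site in one go (WriteProcessMemory after VirtualProtect), so no thread ever executes the half-written jmp. The payload here saves and restores registers with pushad/popad as effection says his code does; if it also changes ESP or the flags, the stolen instructions run afterwards with whatever state it left behind.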
Verte
RE: creating an asm opcode
I almost drew that exact diagram myself, although I thought you may need an extra operation to resolve the address of the function [but I think maybe I'm being pedantic].

Why should 64 bit alignment be a problem? I think it should be nice and simple like

asm (jmp $0xE900000000)

Make sure you can get back to the original code too!

edit: I mean, you can maybe align it with nops or instructions that don't get touched anyway? create as much breathing room as you need.

This post was edited on 06-28-2007 at 01:50 AM by Verte.
06-28-2007 01:39 AM