Results 1 to 7 of 7
  1. #1
    Jason's Avatar
    Join Date
    Apr 2010
    Gender
    male
    Location
    /dev/null
    Posts
    5,706
    Reputation
    907
    Thanks
    7,297
    My Mood
    Mellow

    Caller spoofing.

    Well, I'm bored so I decided to lay down a little challenge to anyone that's interested.

    The challenge: Spoof a caller address to a function, and make sure the program continues executing afterwards.

    Dafuq?
    Okay basically whenever you call a function, the address where the program needs to return to is stored on the stack (so it knows how to get back to your code after it calls the function). Typically the address is stored at the top of the stack (so [esp] holds the return address at the start of the function). In assembly, a CALL instruction does this automatically and it's not overtly apparent that it happens (i.e there's no "push" before the call that puts the return address on the stack, but the address ends up there nevertheless.

    Now, some functions that do not wish to be called from people's hacks might decide to check where the return address is (i.e, where was the function called from), to make sure the call didn't originate from some unknown address range (i.e, your DLL). To get around this, you can put your own "return address" on the stack, which is within a "valid" address range and the function will never know that the actual call originated from your hack. However, this introduces a new problem: once the function finishes, the code jumps back to the return address (which should be the first instruction after the function call).

    Consider this:
    Code:
    ...
    0x1000 push param1
    0x1005 push param2
    0x100A call SomeFunction
    0x100F add esp, 8
    ...
    When the "call SomeFunction" instruction is executed, the return address is put on the top of the stack. In this case, the return address is 0x100F, which is the first instruction after the call. When the function finishes, the code will resume executing at 0x100F. In our case though, we've put a fake address as the return address in order to fool the function, now when the function jumps back into execution, it will be in the middle of nowhere and most likely cause the whole process to crash.

    You mission, should you choose to accept it, is to implement this "caller-spoofing" and ensure that the programs execution resumes where you would expect it to (i.e right after your call).

    Hint #1
    To fake the caller address, don't use the "CALL" instruction to call the function. Use a push and a jmp.

    Hint #2
    To get the execution back where you expect it, you'll need to put an assembly stub at wherever you defined the "fake" return address. At most this stub should be about 10 bytes. Ideally, less.

    Hint #3
    You'll need to know the EIP value to accurately return.

    Now, what function you "spoof" the caller to is really up to you. You can do any function you want to really.

    I'm not expecting many entries, but maybe someone will give it a crack :3. I'm not expecting a generic solution (i.e your provided code can work for only 1 specific function)

    Have at it.

    Quote Originally Posted by Jeremy S. Anderson
    There are only two things to come out of Berkley, Unix and LSD,
    and I donít think this is a coincidence
    You can win the rat race,
    But you're still nothing but a fucking RAT.


    ++Latest Projects++
    [Open Source] Injection Library
    Simple PE Cipher
    FilthyHooker - Simple Hooking Class
    CLR Injector - Inject .NET dlls with ease
    Simple Injection - An in-depth look
    MPGH's .NET SDK
    eJect - Simple Injector
    Basic PE Explorer (BETA)

  2. The Following User Says Thank You to Jason For This Useful Post:

    pDevice (06-06-2012)

  3. #2
    Departure's Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    818
    Reputation
    125
    Thanks
    1,785
    My Mood
    Doh
    simple.. just patch the called function and calculate the offset of the function you want the call to return to by subtracting or adding to esp..

  4. #3
    Jason's Avatar
    Join Date
    Apr 2010
    Gender
    male
    Location
    /dev/null
    Posts
    5,706
    Reputation
    907
    Thanks
    7,297
    My Mood
    Mellow
    Quote Originally Posted by Departure View Post
    simple.. just patch the called function and calculate the offset of the function you want the call to return to by subtracting or adding to esp..
    I should have clarified, no changes to the callee are permitted.

    Quote Originally Posted by Jeremy S. Anderson
    There are only two things to come out of Berkley, Unix and LSD,
    and I donít think this is a coincidence
    You can win the rat race,
    But you're still nothing but a fucking RAT.


    ++Latest Projects++
    [Open Source] Injection Library
    Simple PE Cipher
    FilthyHooker - Simple Hooking Class
    CLR Injector - Inject .NET dlls with ease
    Simple Injection - An in-depth look
    MPGH's .NET SDK
    eJect - Simple Injector
    Basic PE Explorer (BETA)

  5. #4
    Departure's Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    818
    Reputation
    125
    Thanks
    1,785
    My Mood
    Doh
    then you need to change the caller address to your own function once in your own function preserve the registers including pushad...popad.... then once jumping back to original caller function the next execution would be to call the called as per normal by reducing esp by x amount it will call it self twice but inbeteen you have already replace the original call by its original arddress

    for example...

    caller function:
    balhh blahhh
    call callee <--- replace callee with your address to custom function..

    Custom function:
    pushad
    replace "call callee" with original adrress
    do some shit
    popad
    minus esp amount of byte which return you back to "call callee" address but this time it now holds original address
    ret

  6. #5
    Jason's Avatar
    Join Date
    Apr 2010
    Gender
    male
    Location
    /dev/null
    Posts
    5,706
    Reputation
    907
    Thanks
    7,297
    My Mood
    Mellow
    Quote Originally Posted by Departure View Post
    then you need to change the caller address to your own function once in your own function preserve the registers including pushad...popad.... then once jumping back to original caller function the next execution would be to call the called as per normal by reducing esp by x amount it will call it self twice but inbeteen you have already replace the original call by its original arddress

    for example...

    caller function:
    balhh blahhh
    call callee <--- replace callee with your address to custom function..

    Custom function:
    pushad
    replace "call callee" with original adrress
    do some shit
    popad
    minus esp amount of byte which return you back to "call callee" address but this time it now holds original address
    ret
    I know how to do it , I was more putting the challenge out to other people to have a go at it. I'd be even more impressed with a semi-generic solution.

    Quote Originally Posted by Jeremy S. Anderson
    There are only two things to come out of Berkley, Unix and LSD,
    and I donít think this is a coincidence
    You can win the rat race,
    But you're still nothing but a fucking RAT.


    ++Latest Projects++
    [Open Source] Injection Library
    Simple PE Cipher
    FilthyHooker - Simple Hooking Class
    CLR Injector - Inject .NET dlls with ease
    Simple Injection - An in-depth look
    MPGH's .NET SDK
    eJect - Simple Injector
    Basic PE Explorer (BETA)

  7. #6
    Departure's Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    818
    Reputation
    125
    Thanks
    1,785
    My Mood
    Doh
    I am not saying you don't know how... I am just giving ideas to for solution to your challenge, you could also spoof the import table with your own dll

  8. #7
    Jason's Avatar
    Join Date
    Apr 2010
    Gender
    male
    Location
    /dev/null
    Posts
    5,706
    Reputation
    907
    Thanks
    7,297
    My Mood
    Mellow
    Quote Originally Posted by Departure View Post
    I am not saying you don't know how... I am just giving ideas to for solution to your challenge, you could also spoof the import table with your own dll
    Except for most cases the functions aren't actually publicly exported, so reversing the PE isn't viable, plus that just becomes IAT hooking :3.
    I have a generic method in mind, but it involves some asshattery because the stack frame for the function is already set prior to the spoof, which is a pain in the ass. Unfortunately I have an exam tomorrow so I can't put it down into code

    Quote Originally Posted by Jeremy S. Anderson
    There are only two things to come out of Berkley, Unix and LSD,
    and I donít think this is a coincidence
    You can win the rat race,
    But you're still nothing but a fucking RAT.


    ++Latest Projects++
    [Open Source] Injection Library
    Simple PE Cipher
    FilthyHooker - Simple Hooking Class
    CLR Injector - Inject .NET dlls with ease
    Simple Injection - An in-depth look
    MPGH's .NET SDK
    eJect - Simple Injector
    Basic PE Explorer (BETA)

Similar Threads

  1. IP Spoof TuTorial!!!!?@!@
    By andrew1k in forum General Game Hacking
    Replies: 3
    Last Post: 12-22-2007, 12:59 AM
  2. "Spoofed Email"
    By Dave84311 in forum WarRock - International Hacks
    Replies: 5
    Last Post: 07-21-2007, 02:56 AM
  3. [Request]PB Hardware Spoof
    By lieutenent in forum WarRock - International Hacks
    Replies: 3
    Last Post: 04-20-2007, 06:15 AM
  4. Tradeing Good trainer makeing site and addresses site for punkbuster spoof
    By lieutenent in forum WarRock - International Hacks
    Replies: 0
    Last Post: 04-17-2007, 05:19 AM
  5. Funny StarWars Spoof Video!
    By RebornAce in forum General
    Replies: 1
    Last Post: 01-02-2006, 04:56 AM