Day 8
In today's session of The Daily Dose of Assembly, I will continue with more examples of improving your memory handling...
...In the last chapter, we learned how to create a hack that forces the target application to load a .DLL into its own memory...
Code:
PUSH ESP
PUSH AddyOfDLLPATH
CALL LoadLibraryA
POP ESP
RETN
...But now, what if you want to test whether the .DLL loading was successful or not? There is one simple method of checking whether a standard call failed...
Code:
TEST AL,AL
JZ ;FAIL
...After returning, common APIs use AL (by placing a 0 or 1 in it) to flag success or failure...
...There are more ways to test, and handle, how a call turned out. One example would be to add a simple tracker at the ;FAIL address...
Code:
MOV BYTE PTR [00686550], 1
...The reason I use 00686550 is because, in the application I'm reversing, this is an address that permits both reading AND writing, so you can use it all the same...
...Troubleshooting is also a useful concept. First of all, if the file is not a valid .DLL, Windows will already give you the default error: "Not a valid Windows image." So, you can play off such things yourself! You could manipulate a sequence of creating a file as so...
Code:
PUSH AddyOfFileName
CALL WriteFileA
TEST AL,AL
...
...You can use such a quick test to see if the file you're handling even exists or not, with another Windows error message you will get if it does not...
...Another useful way to view memory, or even to trace something, is to create your own variable dumper...
Code:
PUSH ESP
MOV ECX,DWORD PTR SS:[ESP+4]
MOV DWORD PTR DS:[686550],ECX
POP ESP
JMP [ESP]
...You could call this code: write it to a code cave, and at any point in time change a CALL to go here instead. It will go here first and store the value of [ESP+4] into 686550, BUT THEN still go to the function the application originally planned on calling. You simply add a step for tracing and do not ruin the game's own call, see...
...I use JMP [ESP] because, remember, the return address is still important: after this altered call returns, it will still make its planned call. The use of RETN naturally modifies ESP after returning, after all...
To wrap this up, I have created an example hack shell which you could use. It has the following features:
- Tests its own success
- Tries a couple of times
- Troubleshoots itself
- Tells you information
- Toggled for hotkeying
Code:
PUSH 1B
CALL GetKeyState
JZ exit
PUSH ESP
PUSH ECX
MOV BYTE PTR [ECX],2
CMP BYTE PTR [00686550], 1
JZ exit
;Start
PUSH AddyOfDLLPATH
CALL LoadLibraryA
TEST AL,AL
JZ tryAgain
;Success
MOV BYTE PTR [00686550], 1
XOR EAX,EAX
;tryAgain
DEC ECX
CMP BYTE PTR [ECX],0
JNZ Start
;TroubleShoot
PUSH AddyOfDoesNotExistFileName
CALL WriteFileA
POP ECX
;exit
POP ESP
RETN
This exact copy has a few errors, but you get the idea...
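The four things the shell above does (test its own success, try a couple of times, troubleshoot, tell you information) are the same things any robust library load should do, so here they are as an added example in Python. This is not code from the original post: it loads a library into the current process itself through ctypes (LoadLibrary on Windows, dlopen elsewhere) rather than into another application, and it decides success from the handle or the loader's error message instead of from a single register byte. The LoadReport record, the status names, the retry count, the image-error keywords and the sample files built in demo() are all this example's own assumptions.

```python
"""Self-checking library load: tests its own success, retries, troubleshoots,
and reports back. Added example, not the post's code."""
import ctypes
import os
import sys
import tempfile
from dataclasses import dataclass


@dataclass
class LoadReport:
    status: str    # "loaded", "missing", "invalid_image" or "error" (assumed names)
    attempts: int  # number of loader calls actually made
    detail: str    # the loader's own message: the "tells you information" step


def _load_once(path):
    # ctypes.WinDLL wraps LoadLibrary, ctypes.CDLL wraps dlopen. Both hand back
    # a handle object on success and raise OSError carrying the loader's text
    # ("is not a valid Win32 application", "invalid ELF header", ...) on
    # failure. That outcome, not one register byte, is what we test.
    loader = ctypes.WinDLL if os.name == "nt" else ctypes.CDLL
    return loader(path)


def _looks_like_bad_image(message):
    # Heuristic classification of the loader text; an assumption of this example.
    msg = message.lower()
    keys = ("not a valid", "invalid elf", "file too short", "wrong elf class",
            "not a mach-o", "no suitable image")
    return any(k in msg for k in keys)


def try_load(path, attempts=2):
    """Load `path` up to `attempts` times and report exactly what happened."""
    # Troubleshooting step 1: for an explicit path, does the file exist at all?
    # (A bare name such as "kernel32.dll" is left to the loader's search path.)
    if os.path.dirname(path) and not os.path.exists(path):
        return LoadReport("missing", 0, "file does not exist: " + path)
    last_error = ""
    for n in range(1, attempts + 1):
        try:
            _load_once(path)
            return LoadReport("loaded", n, "")
        except OSError as exc:
            # A retry only helps for transient causes (e.g. a file still being
            # written); it mirrors the post's tryAgain loop.
            last_error = str(exc)
    # Troubleshooting step 2: the file is there but the loader rejects it.
    status = "invalid_image" if _looks_like_bad_image(last_error) else "error"
    return LoadReport(status, attempts, last_error)


def demo():
    """Run try_load against three constructed inputs and return the reports."""
    # Constructed sample 1: a path that does not exist.
    missing = os.path.join(tempfile.gettempdir(), "no-such-library-example.dll")
    # Constructed sample 2: a file that exists but is not a valid image.
    fd, junk = tempfile.mkstemp(suffix=".dll")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"this is not a loadable image\n")
    try:
        junk_report = try_load(junk)
    finally:
        os.unlink(junk)
    # Sample 3: the platform's C runtime, which should load (names assumed).
    if sys.platform == "win32":
        candidates = ["kernel32.dll"]
    elif sys.platform == "darwin":
        candidates = ["libc.dylib"]
    else:
        candidates = ["libc.so.6", "libc.musl-x86_64.so.1", "libc.musl-aarch64.so.1"]
    runtime_report = None
    for name in candidates:
        runtime_report = try_load(name)
        if runtime_report.status == "loaded":
            break
    return {"missing": try_load(missing), "junk": junk_report,
            "runtime": runtime_report}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Running the module prints one report per sample; the "missing" case never calls the loader, the junk file is rejected on every attempt with the loader's own message preserved in `detail`, and the C runtime loads on the first try.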