Caller spoofing.

[Jason]

Well, I'm bored so I decided to lay down a little challenge to anyone that's interested.

The challenge: Spoof a caller address to a function, and make sure the program continues executing afterwards.

Dafuq?
Okay basically whenever you call a function, the address where the program needs to return to is stored on the stack (so it knows how to get back to your code after it calls the function). Typically the address is stored at the top of the stack (so [esp] holds the return address at the start of the function). In assembly, a CALL instruction does this automatically and it's not overtly apparent that it happens (i.e there's no "push" before the call that puts the return address on the stack, but the address ends up there nevertheless.

Now, some functions that do not wish to be called from people's hacks might decide to check where the return address is (i.e, where was the function called from), to make sure the call didn't originate from some unknown address range (i.e, your DLL). To get around this, you can put your own "return address" on the stack, which is within a "valid" address range and the function will never know that the actual call originated from your hack. However, this introduces a new problem: once the function finishes, the code jumps back to the return address (which should be the first instruction after the function call).

Consider this:

Code:

...
0x1000 push param1
0x1005 push param2
0x100A call SomeFunction
0x100F add esp, 8
...

When the "call SomeFunction" instruction is executed, the return address is put on the top of the stack. In this case, the return address is 0x100F, which is the first instruction after the call. When the function finishes, the code will resume executing at 0x100F. In our case though, we've put a fake address as the return address in order to fool the function, now when the function jumps back into execution, it will be in the middle of nowhere and most likely cause the whole process to crash.

You mission, should you choose to accept it, is to implement this "caller-spoofing" and ensure that the programs execution resumes where you would expect it to (i.e right after your call).

Hint #1
To fake the caller address, don't use the "CALL" instruction to call the function. Use a push and a jmp.

Hint #2
To get the execution back where you expect it, you'll need to put an assembly stub at wherever you defined the "fake" return address. At most this stub should be about 10 bytes. Ideally, less.

Hint #3
You'll need to know the EIP value to accurately return.

Now, what function you "spoof" the caller to is really up to you. You can do any function you want to really.

I'm not expecting many entries, but maybe someone will give it a crack :3. I'm not expecting a generic solution (i.e your provided code can work for only 1 specific function)

Have at it.

[Departure]

simple.. just patch the called function and calculate the offset of the function you want the call to return to by subtracting or adding to esp..

[Jason]

simple.. just patch the called function and calculate the offset of the function you want the call to return to by subtracting or adding to esp..

I should have clarified, no changes to the callee are permitted.

[Departure]

then you need to change the caller address to your own function once in your own function preserve the registers including pushad...popad.... then once jumping back to original caller function the next execution would be to call the called as per normal by reducing esp by x amount it will call it self twice but inbeteen you have already replace the original call by its original arddress

for example...

caller function:
balhh blahhh
call callee <--- replace callee with your address to custom function..

Custom function:
pushad
replace "call callee" with original adrress
do some shit
popad
minus esp amount of byte which return you back to "call callee" address but this time it now holds original address
ret

[Jason]

then you need to change the caller address to your own function once in your own function preserve the registers including pushad...popad.... then once jumping back to original caller function the next execution would be to call the called as per normal by reducing esp by x amount it will call it self twice but inbeteen you have already replace the original call by its original arddress

for example...

caller function:
balhh blahhh
call callee <--- replace callee with your address to custom function..

Custom function:
pushad
replace "call callee" with original adrress
do some shit
popad
minus esp amount of byte which return you back to "call callee" address but this time it now holds original address
ret

I know how to do it , I was more putting the challenge out to other people to have a go at it. I'd be even more impressed with a semi-generic solution.

[Departure]

I am not saying you don't know how... I am just giving ideas to for solution to your challenge, you could also spoof the import table with your own dll

[Jason]

I am not saying you don't know how... I am just giving ideas to for solution to your challenge, you could also spoof the import table with your own dll

Except for most cases the functions aren't actually publicly exported, so reversing the PE isn't viable, plus that just becomes IAT hooking :3.
I have a generic method in mind, but it involves some asshattery because the stack frame for the function is already set prior to the spoof, which is a pain in the ass. Unfortunately I have an exam tomorrow so I can't put it down into code