Day 6:
In today's Daily Dose, by Toymaker, I will again be creating our own hot key in order to change a variable in an example C++ program...
The practical use is to understand how stack frames in memory allocate local variables. Here's the C++ code...
Code:
#include <iostream>
#include <cstdlib>   // system()
#include <windows.h>
using namespace std;

int main() {
    int x = 0;               // the variable we will later find at [EBP-4]
    if ( x == 0 ) {
        cout << "hello choob\n";
    }
    system("pause");
    if ( x == 1 ) {          // never true unless something changes x
        cout << "bye choob\n";
    }
    system("pause");
    return 0;
}
...as you see, x is 0 so only the first string will print and the second will not. We are going to hack it, with our own hot key and variable modifier, so it prints both. In OllyDBG/ASM you'll see it...
Code:
00401390 /$ 55 PUSH EBP
00401391 |. 89E5 MOV EBP,ESP
00401393 |. 83EC 18 SUB ESP,18
00401396 |. 83E4 F0 AND ESP,FFFFFFF0
00401399 |. B8 00000000 MOV EAX,0
0040139E |. 83C0 0F ADD EAX,0F
004013A1 |. 83C0 0F ADD EAX,0F
004013A4 |. C1E8 04 SHR EAX,4
004013A7 |. C1E0 04 SHL EAX,4
004013AA |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
004013AD |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004013B0 |. E8 FBBC0000 CALL Untitled.0040D0B0
004013B5 |. E8 36B90000 CALL Untitled.0040CCF0
004013BA |. C745 FC 00000000 MOV DWORD PTR SS:[EBP-4],0
004013C1 837D FC 00 CMP DWORD PTR SS:[EBP-4],0
004013C5 75 14 JNZ SHORT Untitled.004013DB
004013C7 |. C74424 04 00004400 MOV DWORD PTR SS:[ESP+4],Untitled.00440000 ; ASCII "hello choob",LF
004013CF |. C70424 C0334400 MOV DWORD PTR SS:[ESP],Untitled.004433C0
004013D6 |. E8 ADAC0300 CALL Untitled.0043C088
004013DB |> C70424 0D004400 MOV DWORD PTR SS:[ESP],Untitled.0044000D ; |ASCII "pause"
004013E2 |. E8 B9F20000 CALL <JMP.&msvcrt.system> ; system
004013E7 |. 837D FC 01 CMP DWORD PTR SS:[EBP-4],1
004013EB |. 75 14 JNZ SHORT Untitled.00401401
004013ED |. C74424 04 13004400 MOV DWORD PTR SS:[ESP+4],Untitled.00440013 ; ASCII "bye choob",LF
004013F5 |. C70424 C0334400 MOV DWORD PTR SS:[ESP],Untitled.004433C0
004013FC |. E8 87AC0300 CALL Untitled.0043C088
00401401 |> C70424 0D004400 MOV DWORD PTR SS:[ESP],Untitled.0044000D ; |ASCII "pause"
00401408 |. E8 93F20000 CALL <JMP.&msvcrt.system> ; system
0040140D |. B8 00000000 MOV EAX,0
00401412 |. C9 LEAVE
00401413 . C3 RETN
...do you notice...
004013C1 837D FC 00 CMP DWORD PTR SS:[EBP-4],0
004013C5 75 14 JNZ SHORT Untitled.004013DB
...sits before both of the optional string prints? That is because [EBP-4] is x from the C++ source! Each local variable is accessed relative to EBP like this: -4 for the first variable, -8 for the second, and so on. Anyway, since the first message is going to print regardless, we can replace these two instructions (6 bytes, which a 5-byte CALL plus a NOP fills exactly) with a call to our cave, where we will let the user decide by hot key whether the second message prints or not...
Code:
004013C1 E8 02DC0300 CALL Untitled.0043EFC8
004013C6 90 NOP
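The detour above has to be computed exactly: the CALL displacement is relative to the end of the 5-byte instruction, and the replacement must cover whole instructions so that 004013C7 is still a valid instruction boundary when the cave returns. The script below is an added example (not Toymaker's code or anything from the post's tools) that encodes and decodes E8 rel32 and 75 rel8 against the addresses in the listing, then applies the 6-byte patch to a constructed byte image. The image is just the bytes at 004013C1 copied from the disassembly, not a PE file, and it refuses to patch if the original bytes are not what it expects, which is the check you want before writing to a real binary.

```python
import struct

# Constructed sample image: CMP DWORD PTR SS:[EBP-4],0 ; JNZ SHORT 004013DB (6 bytes)
# followed by the first 8 bytes of the MOV at 004013C7, as copied from the listing.
# BASE_VA is the virtual address of the first byte of this image.
BASE_VA = 0x004013C1
ORIGINAL_IMAGE = bytes.fromhex("837DFC007514" "C744240400004400")
PATCH_VA = 0x004013C1          # site of the CMP/JNZ pair
CAVE_VA = 0x0043EFC8           # cave address used by the post's CALL


def encode_call_rel32(src_va: int, target_va: int) -> bytes:
    """E8 rel32: the displacement is measured from the end of the 5-byte CALL."""
    disp = (target_va - (src_va + 5)) & 0xFFFFFFFF
    return b"\xE8" + struct.pack("<I", disp)


def decode_call_rel32(src_va: int, insn: bytes) -> int:
    """Inverse of encode_call_rel32: recover the CALL target from its bytes."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not an E8 rel32 CALL")
    disp = struct.unpack("<i", insn[1:5])[0]
    return (src_va + 5 + disp) & 0xFFFFFFFF


def decode_jnz_short_target(src_va: int, insn: bytes) -> int:
    """75 rel8 (JNZ SHORT): target = address of the next instruction + signed rel8."""
    if len(insn) != 2 or insn[0] != 0x75:
        raise ValueError("not a 75 rel8 JNZ SHORT")
    rel8 = struct.unpack("<b", insn[1:2])[0]
    return (src_va + 2 + rel8) & 0xFFFFFFFF


def build_detour(src_va: int, target_va: int, patch_len: int) -> bytes:
    """CALL target, then NOP-fill so the detour is exactly patch_len bytes long."""
    call = encode_call_rel32(src_va, target_va)
    if patch_len < len(call):
        raise ValueError("patch site too small for a 5-byte CALL")
    return call + b"\x90" * (patch_len - len(call))


def apply_patch(image: bytes, base_va: int, va: int, expected: bytes, replacement: bytes) -> bytes:
    """Overwrite bytes at va only if the site still holds the expected original bytes."""
    if len(replacement) != len(expected):
        raise ValueError("replacement must cover exactly the instructions it displaces")
    off = va - base_va
    if off < 0 or off + len(expected) > len(image):
        raise ValueError("patch site lies outside the image")
    if image[off:off + len(expected)] != expected:
        raise ValueError("original bytes differ from the listing; refusing to patch")
    return image[:off] + replacement + image[off + len(expected):]


def patched_image() -> bytes:
    """Apply the post's patch: CMP+JNZ (6 bytes) -> CALL cave + NOP."""
    original_site = bytes.fromhex("837DFC007514")
    detour = build_detour(PATCH_VA, CAVE_VA, len(original_site))
    return apply_patch(ORIGINAL_IMAGE, BASE_VA, PATCH_VA, original_site, detour)


if __name__ == "__main__":
    print(encode_call_rel32(PATCH_VA, CAVE_VA).hex().upper())   # E802DC0300
    print(patched_image().hex().upper())
```

Running it reproduces the E8 02DC0300 bytes from the post and shows the NOP landing at 004013C6; the same decoder confirms that 75 14 at 004013C5 targets 004013DB and that E8 FBBC0000 at 004013B0 targets 0040D0B0, so the listing and the patch agree with each other.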
...now we go to our cave and create our function: if ESC is pressed, it sets x to 1 so that, after the return, the second message prints as well...
Code:
PUSH 1B                        ; VK_ESCAPE, pushed as the argument to GetKeyState
CALL GetKeyState               ; stdcall: the callee pops its own argument, so ESP is back where it was
TEST AX,AX                     ; returned SHORT is nonzero when ESC is down (high bit set)
JNZ SHORT set_x                ; in OllyDbg, assemble this with the cave address of the MOV below
RETN                           ; ESC not pressed: return to 004013C6 with x untouched
set_x:
MOV DWORD PTR SS:[EBP-4],1     ; x = 1 (main's frame is still live, so EBP-4 is its x)
RETN
...if ESC was pressed, it will set [ebp-4]/x to 1, and thus the second message will also print. Our educational hack now allows both messages to print...
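The one thing a cave entered by CALL must get right is the stack: on entry, [ESP] holds the return address into main (004013C6), so the argument to GetKeyState has to be pushed, not written with MOV DWORD PTR SS:[ESP] the way the compiler-generated code in main passes arguments (there, ESP already points at a reserved argument slot, which is why main can do it). The model below is an added illustration, not code from the post: a tiny x86-32 stack simulator where memory is a dict of dword slots, the x variable stands in for DWORD PTR SS:[EBP-4], and GetKeyState is replaced by a stub that behaves like a stdcall callee (argument at [ESP+4], result in AX, RET 4). The addresses and the constructed key state are assumptions. It traces both forms of the cave and reports where the final RETN would send execution.

```python
VK_ESCAPE = 0x1B
RET_TO_MAIN = 0x004013C6   # pushed by CALL Untitled.0043EFC8 at 004013C1 (from the listing)
RET_TO_CAVE = 0x0043EFD0   # hypothetical: address of the instruction after CALL GetKeyState


class Stack:
    """Minimal model of ESP, dword stack memory, AX and the x slot at [EBP-4]."""

    def __init__(self, esp=0x0022FF40):   # constructed initial ESP
        self.esp = esp
        self.mem = {}
        self.ax = 0
        self.x = 0                        # models DWORD PTR SS:[EBP-4] in main's frame

    def push(self, value):
        self.esp -= 4
        self.mem[self.esp] = value

    def pop(self):
        value = self.mem.get(self.esp, 0)
        self.esp += 4
        return value

    def call(self, return_address):      # CALL: push the return address
        self.push(return_address)

    def retn(self, pop_bytes=0):         # RETN n: pop the return address, then drop n bytes of args
        target = self.pop()
        self.esp += pop_bytes
        return target


def get_key_state_stub(s, esc_down):
    """Stand-in for USER32.GetKeyState: stdcall, reads its argument at [ESP+4], returns via RET 4."""
    vk = s.mem.get(s.esp + 4)
    s.ax = 0x8000 if (esc_down and vk == VK_ESCAPE) else 0   # high bit set = key is down
    return s.retn(4)


def cave_push_form(esc_down):
    """PUSH 1B / CALL GetKeyState / TEST AX,AX / JNZ set_x / RETN / set_x: MOV [EBP-4],1 / RETN"""
    s = Stack()
    s.call(RET_TO_MAIN)          # main executes CALL Untitled.0043EFC8
    s.push(VK_ESCAPE)            # PUSH 1B
    s.call(RET_TO_CAVE)          # CALL GetKeyState
    get_key_state_stub(s, esc_down)
    if s.ax != 0:                # TEST AX,AX / JNZ set_x
        s.x = 1                  # MOV DWORD PTR SS:[EBP-4],1
    return s.retn(), s.x         # RETN: (resume address, value of x)


def cave_mov_esp_form(esc_down):
    """MOV DWORD PTR SS:[ESP],1B / CALL GetKeyState / SUB ESP,4 / TEST AX,AX / ... / RETN"""
    s = Stack()
    s.call(RET_TO_MAIN)
    s.mem[s.esp] = VK_ESCAPE     # this slot currently holds the return address into main
    s.call(RET_TO_CAVE)
    get_key_state_stub(s, esc_down)
    s.esp -= 4                   # SUB ESP,4 rebalances ESP, but the slot it exposes now holds 1B
    if s.ax != 0:
        s.x = 1
    return s.retn(), s.x


if __name__ == "__main__":
    print("PUSH form, ESC held:   resume=%08X x=%d" % cave_push_form(True))
    print("PUSH form, no key:     resume=%08X x=%d" % cave_push_form(False))
    print("MOV [ESP] form, ESC:   resume=%08X x=%d" % cave_mov_esp_form(True))
```

The PUSH form returns to 004013C6 in both cases and sets x only when ESC is down; the MOV [ESP] form returns to address 0000001B, because the dword it overwrote was the return address CALL had just pushed. One further caveat when testing the real cave: GetKeyState reports the key state as of the last message the calling thread retrieved from its queue, so a console program that never pumps messages may not observe the key at all, whereas GetAsyncKeyState reads the live physical state.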