  1. #16 Jakor
    I understand your use of the C calling procedure, as you are a C programmer and use Microsoft's Visual C runtime library. However, using anything besides stdcall makes people think a bit too much with your fancy mov dword ptr [esp] lines. The stack is tough enough to get an understanding of when starting out (well, in my experience anyway). Also, when writing these, you are targeting those who have just started assembly, and you can't take for granted that they will understand everything going on.

    However, if what I think you are trying to do is use ecx as a stack base pointer, in which case you push ecx to store the value, then mov ecx, esp to store the address, do what you want, then restore the address with mov esp, ecx, then restore ecx with pop ecx.

  2. #17 Toymaker
    This is actually not for beginners, and I've just been using either Diablo or quick DevC++ console apps. MOV ECX,DWORD PTR SS:[ESP] is used because the return address is of DWORD proportions, naturally. I also used it, instead of just pushing back the return address, because I was unsure of how much more damage GetKeyState would do. I was playing it safe, see...

  3. #18 CombatArmsHakker
    Nice tutorial, thanks.

  4. #19 Toymaker
    DaY 7

    In this session I will show you how to, from a hook's angle, load a .dll file into an active
    application. The credit for this method goes to Jetamay, mind you. I will leave it up to you to
    decide to use this, or write your own entire program to do it, as I know there is debate
    on both sides, fairly.

    I again decided to find a retn operand to replace with my own function. This way, I could sneak in
    a function, and execute my cave memory, without calling it or using up as much memory space, a little
    quick method I developed...

    Code:
    004785C6     C3                                            RETN
    ...I naturally need to save and restore this current RETurN address, while also using the two simple
    lines of assembly mnemonics to load the DLL...

    Code:
    PUSH ESP
    PUSH addyOfDLLPathString
    CALL LoadLibraryA
    POP ESP
    RETN
    ...This is the simply mixed method of sneaking an extra function in, and making it one that loads another
    .dll into the application's memory. In the exact example it came out as:

    Code:
    004785C6     54             PUSH ESP
    004785C7     68 D3854700    PUSH 004785D3                     ;  ASCII "dll.dll"
    004785CC     E8 A697387C    CALL kernel32.LoadLibraryA
    004785D1     5C             POP ESP
    004785D2     C3             RETN
    004785D3     64:6C          INS BYTE PTR ES:[EDI],DX                 ;  I/O command
    004785D5     6C             INS BYTE PTR ES:[EDI],DX                 ;  I/O command
    004785D6     2E:            PREFIX CS:                               ;  Superfluous prefix
    004785D7     64:6C          INS BYTE PTR ES:[EDI],DX                 ;  I/O command
    004785D9     6C             INS BYTE PTR ES:[EDI],DX                 ;  I/O command
    ...004785D3 through 004785D9 is the hexadecimal for the ASCII 'dll.dll', and the path would
    naturally be the default folder from which your application loads. You have now loaded your own
    .dll into your game without even having to write an injector...I decided not to load a screen
    shot of the new .dll loaded into the executable 'module' list because you can just find out for
    yourself...

    ...There is a problem: each time the function executes in memory, your target application
    will infinitely reload the DLL into memory. This could cause numerous problems. The method I
    quickly designed and recommend to solve it is to use a checksum and a tracker cave...

    Code:
    push ecx
    mov ecx,addyOfCounter(1or0)
    cmp ecx,0
    je addyToLoad
    else
    doNotLoad
    ...
    pop ecx
    ...
    retn

    ... I am leaving out some parts and simply trying to show you how to write 1 to a cave, after the .dll
    has been loaded once, and compare before your function, so you make sure you only ever load the .dll
    one time total. Enjoy. Your hack can now inject hacks.
    Last edited by Toymaker; 06-29-2009 at 01:53 PM.

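An added example, not from this thread or any of its posters: a small Python decoder that takes the Day 7 listing above and works out, from the bytes alone, what the patched RETN now does. It is written from the analyst's side (checking a suspicious patch in a binary), assumes the listing is copied verbatim into DAY7_LISTING, and all function names are mine.

```python
import struct
from itertools import takewhile

# Constructed from the Day 7 listing above: the address and hex columns only.
# OllyDbg's colon notation for prefixes ("64:6C", "2E:") is accepted unchanged.
DAY7_LISTING = ("004785C6 54\n004785C7 68 D3854700\n004785CC E8 A697387C\n004785D1 5C\n"
                "004785D2 C3\n004785D3 64:6C\n004785D5 6C\n004785D6 2E:\n004785D7 64:6C\n004785D9 6C\n")

def load_listing(text):
    """Turn an address/hex listing into (base_address, bytes), refusing gaps."""
    base, buf = None, bytearray()
    for line in filter(str.strip, text.splitlines()):
        addr, *hexparts = line.replace(":", " ").split()
        addr = int(addr, 16)
        base = addr if base is None else base
        if addr != base + len(buf):
            raise ValueError(f"listing has a gap at {addr:08X}")
        buf += bytes.fromhex("".join(hexparts))
    return base, bytes(buf)

def decode_cave(base, code):
    """Decode only the opcodes a PUSH/CALL/POP/RETN cave uses, as (addr, mnemonic, operand); stop at RETN."""
    single = {0x54: ("PUSH", "ESP"), 0x5C: ("POP", "ESP"), 0xC3: ("RETN", None)}
    insns, off = [], 0
    while off < len(code):
        op, addr = code[off], base + off
        if op in single:
            insns.append((addr,) + single[op])
            off += 1
            if op == 0xC3:
                break
        elif op == 0x68:  # PUSH imm32: little-endian immediate follows the opcode
            insns.append((addr, "PUSH", struct.unpack_from("<I", code, off + 1)[0]))
            off += 5
        elif op == 0xE8:  # CALL rel32: signed displacement from the next instruction
            rel = struct.unpack_from("<i", code, off + 1)[0]
            insns.append((addr, "CALL", (addr + 5 + rel) & 0xFFFFFFFF))
            off += 5
        else:
            raise ValueError(f"unexpected opcode {op:02X} at {addr:08X}")
    return insns

def pushed_strings(base, code, insns):
    """Read the printable ASCII behind each PUSH imm32 that points back into the listing."""
    found = {}
    for _, mnem, imm in insns:
        if mnem == "PUSH" and isinstance(imm, int) and base <= imm < base + len(code):
            printable = takewhile(lambda b: 0x20 <= b < 0x7F, code[imm - base:])
            found[imm] = bytes(printable).decode("ascii")  # NUL or non-printable ends it
    return found

def preserves_stack_and_returns(insns):
    """True if ESP is saved first, restored right before the final RETN, with one CALL between."""
    mn = [(m, o) for _, m, o in insns]
    return (len(mn) >= 4 and mn[0] == ("PUSH", "ESP") and mn[-2] == ("POP", "ESP")
            and mn[-1][0] == "RETN" and sum(m == "CALL" for m, _ in mn) == 1)

if __name__ == "__main__":
    base, code = load_listing(DAY7_LISTING)
    insns = decode_cave(base, code)
    for addr, mnem, operand in insns:
        print(f"{addr:08X}  {mnem}", f"{operand:08X}" if isinstance(operand, int) else operand or "")
    print(pushed_strings(base, code, insns), preserves_stack_and_returns(insns))
```

The CALL target it recovers is whatever the rel32 bytes encode for that process; the listing labels it kernel32.LoadLibraryA, and it is only valid for that process's kernel32 load address.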
  6. #20 GoW
    Hahaa... I loled at the thread's name.... very creative it is.... btw Toymaker, what is your qualification?

  7. #21 Toymaker
    Quote Originally Posted by GoW
    Hahaa... I loled at the thread's name.... very creative it is.... btw Toymaker, what is your qualification?
    I suppose replying now is of little use, but it is a good game. And, thanks. But now, qualifications? I'm not sure what sort of reply your question is constituting, but I guess I'll just say I have college, years of experience, and a great mentor. I'm obviously still learning, as anyone...

    ...I'm trying to think up my next day's (eight's) article, hrm. I want to announce I am officially up for suggestions. Maybe this way, I'll even learn something..

  8. #22 Toymaker
    DaY 8

    In today's session of The Daily Dose of Assembly, I will continue with more examples of improving your memory handling...

    ...In the last chapter, we learned how to create a hack that forces the target application to load a .DLL into its own memory...

    Code:
    PUSH ESP
    PUSH AddyOfDLLPATH
    CALL LoadLibraryA
    POP ESP
    RETN
    ...But now, what if you want to test if the .DLL loading was successful or not? There is one simple method of checking standard call errors...

    Code:
    TEST AL,AL
    JZ ;FAIL
    ...After returning, common APIs use AL (by placing a 0 or 1 in it) to flag success or fail...

    ...There are more ways to test, and handle, functional quality. An example would be to add a simple tracker at the ;FAIL address...

    Code:
    MOV BYTE PTR [00686550], 1
    ...The reason I use 00686550 is because, in the application I'm reversing, this is an address that permits both reading AND writing, so you can use it all the same...

    ...Troubleshooting is also a useful concept. First of all, if the file is not a valid .DLL, Windows will already give you the default error: "Not a valid windows image." So, you can play off such things yourself! You could manipulate a sequence of Creating a File as so...

    Code:
    PUSH AddyOfFileName
    Call WriteFileA
    TEST AL,AL
    ...
    ...You can use such a quick test to see if the file you're handling even exists or not, with another windows error message you will get if not...


    ...Another useful way to view memory, or even to trace something, is to create your own variable dumper...

    Code:
    PUSH ESP
    MOV ECX,DWORD PTR SS:[ESP+4]
    MOV DWORD PTR DS:[686550],ECX
    POP ESP
    JMP [ESP]

    ...You could call this code, you can write to some caves, and at any point in time change a CALL to go here instead. It will go here first and store the value of [ESP+4] into 686550 BUT THEN still go to the function originally planned on by the application; you simply add a step for tracing and do not ruin the game's own call, see...

    ...I use JMP [ESP] because, remember, the return address is still important, being as after this altered call returns, it will still make its planned call. The use of RETN naturally modifies ESP after RETurNing, after all...

    To wrap this up, I have created an example hack shell which you could use. It has the following features:

    • Tests Its Own Success
    • Tries a couple times
    • Troubleshoots itself
    • Tells You Information
    • Toggled for hotkeying


    Code:
    PUSH 1B
    Call GetKeyState
    JZ ;EXIT
    PUSH ESP
    PUSH ECX
    MOV BYTE PTR [ECX],2
    CMP BYTE PTR [00686550], 1
    JZ exit
    ;Start
    PUSH AddyOfDLLPATH
    CAlL LoadLibraryA
    TEST AL,AL
    JZ tryAgain
    ;Success
    MOV BYTE PTR [00686550], 1
    XOR EAX,EAX
    ;tryAgain
    DEC ECX 
    CMP BYTE PTR [ECX],0
    JNZ Start
    ;TroubleShoot
    Push AddyOfDoesNotExistFileName
    Call WRiteFileA
    POP ECX
    ;exit
    POP ESP
    RETN
    This exact copy has a few errors, but you get the idea...
    Last edited by Toymaker; 07-08-2009 at 09:13 PM.

  9. #23 hbk
    You're doing good stuff.... keep it up

  10. #24 Momentum
    Quote Originally Posted by Toymaker View Post
    [...]
    I will continue with more examples of improving your memory handling...
    This isn't really about memory handling, more so about the usage of LoadLibrary.

    Quote Originally Posted by Toymaker View Post
    [...]
    ...There are more ways to test, and handle, functional quality. In example would be to add a simple tracker at the ;FAIL address...
    One shouldn't just test for success or failure, but log the thread's last error code returned by GetLastError to retrieve more detailed information.

    Quote Originally Posted by Toymaker View Post
    [...]
    Code:
    Push AddyOfDoesNotExistFileName
    Call WRiteFileA
    [...]
    This exact copy has a few errors, but you get the idea...
    Uh, WriteFile takes more than one argument.
    Not trying to offend you, but what's the point of posting such a rubbish example?

    Greetings,
    Momentum

  11. #25 Toymaker
    This isn't really about memory handling, more so about the usage of LoadLibrary.
    I don't see the point in debating the use of a word. Anything you 'handle' falls under 'handling,' call me crazy, but also, sure, the primary goal is LoadLibraryA. I'd rather say that than listen to a boring, and fruitless, technical reply about it.

    One shouldn't just test for success or failure, but log the thread's last error code returned by GetLastError to retrieve more detailed information.
    I was avoiding GetLastError for a few reasons, I meant to state. Oops. But anyway, my method is simpler and quicker, and you can't be afraid to innovate!

    Uh, WriteFile takes more than one argument. Not trying to offend you, but what's the point of posting such a rubbish example?
    I know how many arguments pass to WriteFile and maybe I'll use a working example in my next lesson for some file use, perhaps configuration or error logging. I might not have made my misuse of things clear enough but at any rate, you seem to have the wrong focus here. Meh...I'll be going back through, and fixing up, all of my article issues eventually.

    your doing good stuff.... keep it up
    Thank you, why don't you start learning to hack big guy? All those Jewish bank security systems are waiting for you, Lol.
    Last edited by Toymaker; 07-09-2009 at 03:13 AM.

  12. #26 Momentum
    Quote Originally Posted by Toymaker View Post
    I don't see the point in debating the use of a word. Anything you 'handle' falls under 'handling,' call me crazy, but also, sure, the primary goal is LoadLibraryA. I'd rather say that than listen to a boring, and fruitless, technical reply about it.
    It's just that your readers might get a wrong idea of what memory handling actually is ;p


    Quote Originally Posted by Toymaker View Post
    I was avoiding GetLastError for a few reasons, I meant to state. Oops. But anyway, my method is simpler and quicker, and you can't be afraid to innovate!
    I think you misinterpreted my post there. Checking the return value (stored in EAX) is always a necessity, unless the return type is void.

    GetLastError can return system error codes other than ERROR_SUCCESS even if a function didn't fail, so you can't use it to check whether a function succeeded as it is; it's useful for debugging purposes nevertheless.

    At the end of the day I think you're still a cool guy, and I'm happy to see that you're keeping it up with those Daily Dose of Assembly articles.

    Greetings,
    Momentum

  13. #27 radnomguywfq3
    Quote Originally Posted by Jakor View Post
    I will assume we are now talking using code caves to create permanent changes to an application (no need for a dll/loader makes it easy to use).

    The PE Header contains a few deprecated pieces, but overall is based off arrays with pointers. Finding space in here is not a good idea (unless you are removing the dos stub which isn't always a good idea either). You never know what data will be looked at and needs to still be zero. This is why writing to the .code section (which shouldn't need to be read under normal circumstances) is the "right" way (without adding sections).


    It's easier to add a section than do all the checks to make sure you are not overstepping the bounds in a PE header.


    That's what I said he should do a tutorial on at some point.


    I don't see how it would be irrelevant. I do it all the time and only use "assembly".


    this defeats the purpose, unless you are using an external exe to allocate the memory. But then why not make it easy on yourself and write a loader (less updating for one thing). A code cave to a VirtualAlloc would still need to copy the code in to execute at some point.

    Code:
    blah
    blah
    jmp codecave
    leftoff:
    blah
    blah
    ..
    codecave:
    overwritten blah
    virtualalloc,NULL,commit/reserve/page read-write-exe
    push eax
    copymem from????????, to-eax,lengthof from?????????
    pop eax
    call eax
    jmp leftoff
    this extra code is useless unless you are adding in a larger amount of code and want to write all the filemapping for a bin(non-pe) module file into an allocated memory area and call that.... however for something that big, again... why not a dll...
    First, let me start by saying the PE Header contains offsets used to load an application; in fact, most applications completely wipe/corrupt the PE Header as a security measure after loading due to this very fact.

    I'd be damned if we managed to overwrite a whole page (and write "out of bounds" of the page) with a code cave. You shouldn't even be writing that much data to the target anyway.

    I'm not saying you shouldn't use a dll, or an executable. I do mean in this, there is no right or wrong way, using a DLL versus using an executable (in this context, i.e. writing memory to the target).


  14. #28 why06
    Hey.... Just occurred to me I finally have a use for all these.


  15. #29 [sheep]
    While I do admire people who give time to advise others in their hacking endeavours, this has to be one of the strangest tutorial threads I've seen. If your tutorials are wrong in any way, shape or form, then you are doing the reader as much HARM as you are GOOD.. (especially as you are NOT!! pointing out the bits that are erroneous). Saying OH YEAH!! when others point out your mistakes is all well and good, but to someone that doesn't have a clue, they take what you write as gospel.. you're currently not in a position of learning that you have enough experience to educate anyone on these things.. I suggest you get your own tutorials 100% before moving onto anything else.. people find it hard enough to learn this stuff in the first place without having a tainted source to learn from. Having said all that, Toymaker, your heart seems in the right place.. and your nick is damn cool so can't fault u too much

    sheep.

  16. #30 Hell_Demon
    Quote Originally Posted by [sheep] View Post
    While I do admire people who give time to advise others in their hacking endeavours, this has to be one of the strangest tutorial threads I've seen. If your tutorials are wrong in any way, shape or form, then you are doing the reader as much HARM as you are GOOD.. (especially as you are NOT!! pointing out the bits that are erroneous). Saying OH YEAH!! when others point out your mistakes is all well and good, but to someone that doesn't have a clue, they take what you write as gospel.. you're currently not in a position of learning that you have enough experience to educate anyone on these things.. I suggest you get your own tutorials 100% before moving onto anything else.. people find it hard enough to learn this stuff in the first place without having a tainted source to learn from. Having said all that, Toymaker, your heart seems in the right place.. and your nick is damn cool so can't fault u too much

    sheep.
    A new version of "I'm a noob, help me copy+paste" o__O
    You don't learn by copy-pasting, so him adding mistakes in his code (on purpose or not) is a good thing; that way it will force you to learn something new (or use Google).
