Altering Code Issue


tachyon
October 2nd, 2009, 20:33
Maybe someone can help me.... I'd like to alter some code on the fly
in a program, but anything I try kicks me to ntdll. For instance, executing
51403 instantly kicks me to ntdll.... why ???

00514DFD CALL app.00514E02
00514E02 POP EAX
00514E03 MOV BYTE PTR DS:[EAX+10],90
00514E07 NOP

I always get kicked out to 7C90EAF0 inside ntdll here:

7C90EAF0 MOV EBX,DWORD PTR SS:[ESP]
7C90EAF3 PUSH ECX
7C90EAF4 PUSH EBX
7C90EAF5 CALL ntdll.7C9377C1
7C90EAFA OR AL,AL
7C90EAFC JE SHORT ntdll.7C90EB0A
7C90EAFE POP EBX
7C90EAFF POP ECX
7C90EB00 PUSH 0
7C90EB02 PUSH ECX
7C90EB03 CALL ntdll.ZwContinue
7C90EB08 JMP SHORT ntdll.7C90EB15
7C90EB0A POP EBX
7C90EB0B POP ECX
7C90EB0C PUSH 0
7C90EB0E PUSH ECX
7C90EB0F PUSH EBX
7C90EB10 CALL ntdll.ZwRaiseException



Thanks !

tachyon
October 2nd, 2009, 21:27
In OllyDbg, if I set access to read/write for that memory section then it works.
But how would I do that in the program itself ?

GamingMasteR
October 3rd, 2009, 07:41
Hi,

The page of memory you want to modify must have write access; use the VirtualProtectEx function to set the write access.
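
The protection change described in the reply above, done from inside the program. This is an added example, not code from the thread or from any poster: the write faults because the page is not writable, so the code makes it writable, writes the byte, then restores the old protection. The names `alloc_readonly_page` and `patch_byte` are hypothetical, the read-only page is a constructed stand-in for a code section, and the non-Windows branch uses `mprotect` as the POSIX counterpart of `VirtualProtectEx`.

```c
#define _DEFAULT_SOURCE            /* exposes MAP_ANONYMOUS on glibc */
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif

/* Constructed stand-in for a non-writable section: one zeroed read-only page. */
unsigned char *alloc_readonly_page(void)
{
#ifdef _WIN32
    return VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_READONLY);
#else
    void *p = mmap(NULL, (size_t)sysconf(_SC_PAGESIZE), PROT_READ,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
#endif
}

/* Write one byte into a non-writable page, then put the protection back so
   the page does not stay writable. Returns 0 on success, -1 on refusal. */
int patch_byte(unsigned char *addr, unsigned char value)
{
#ifdef _WIN32
    DWORD old, ignored;
    HANDLE self = GetCurrentProcess();
    /* PAGE_EXECUTE_READWRITE keeps execute rights if addr is in a code page. */
    if (!VirtualProtectEx(self, addr, 1, PAGE_EXECUTE_READWRITE, &old))
        return -1;
    *addr = value;
    FlushInstructionCache(self, addr, 1);   /* needed when the byte is code */
    return VirtualProtectEx(self, addr, 1, old, &ignored) ? 0 : -1;
#else
    /* mprotect wants a page-aligned address and cannot report the old
       protection; this branch assumes the page was PROT_READ. */
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    void *page = (void *)((uintptr_t)addr & ~(uintptr_t)(ps - 1));
    if (mprotect(page, ps, PROT_READ | PROT_WRITE) != 0)
        return -1;
    *addr = value;
    return mprotect(page, ps, PROT_READ) == 0 ? 0 : -1;
#endif
}

int main(void)
{
    unsigned char *p = alloc_readonly_page();
    return (p && patch_byte(p + 0x10, 0x90) == 0 && p[0x10] == 0x90) ? 0 : 1;
}
```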

evlncrn8
October 4th, 2009, 06:27
Also, you've identified the target in the code snippet... and you really don't seem to know what you're doing... I suspect this thread will be closed soon, or JMI will have a 'word' with you.

aionescu
December 13th, 2009, 22:10
Might help if you had symbols ... 7C90EAF0 looks like the NtDll exception dispatcher (FYI).

Also, you should edit your post and remove the application name.

JMI
December 14th, 2009, 00:29
And I'll start with: "MAKE SURE YOU HAVE ACTUALLY READ THE FAQ" highlighted in the big red letters on your way into the forums.

(Does look like you took the hint and removed the name of your target. That's a good start!)



Regards,