
Thread: Jump code Cave

  1. #1
    Registered User
    Join Date
    Mar 2008
    Location
    india
    Posts
    84

    Jump code Cave

    I was making an attempt to inject code into a notepad exe file to display a MessageBox.
    I opened notepad.exe in OllyDbg. These are the first few lines of the code:

    0100739D > $ 6A 70 PUSH 70
    0100739F > 68 98180001 PUSH notepad.01001898
    010073A4 . E8 BF010000 CALL notepad.01007568
    010073A9 . 33DB XOR EBX,EBX
    010073AB . 53 PUSH EBX ; /pModule => NULL
    ---------------------------------
    Then an unconditional JMP to an address in code cave is executed.
    JMP 01008780
    --------------------------------
    1-0100739D > /E9 DE130000 JMP notepad.01008780
    2-010073A2 - |0001 ADD BYTE PTR DS:[ECX],AL
    3-010073A4 . |E8 BF010000 CALL notepad.01007568

    010073A9 . |33DB XOR EBX,EBX
    010073AB . |53 PUSH EBX ; /pModule => NULL
    -------------------------------
    1-The first line shows that a jump is made to 01008780.
    2-The 2nd line of code has changed .
    3-This line and the rest continue unaffected .

    What does this 2nd line, 010073A2 |0001 ADD BYTE PTR DS:[ECX],AL, mean?
    Could I get an explanation of the change from the previous to this new appearance?

    Thank you.

  2. #2
    Come on... Just type "Inject code + Notepad" in Google, and you'll hit the first tutorial explaining all the details...
    The only reason for time is so that everything doesn't happen at once. [A. Einstein]

  3. #3
    Registered User
    Join Date
    Mar 2008
    Location
    india
    Posts
    84
    I was really not asking how to inject code into an exe. I was trying to understand the changes that took place when a LONG JMP is executed.

    Thank you for your help.

  4. #4
    When you assemble the jmp instruction make sure you check the "Fill with nops" checkbox.
    The jmp instruction takes up more bytes; that is why you see ADD BYTE PTR DS:[ECX] after it.
    Instead, if you do a "push 40" you won't see it.
    Found in the OpenGL header file for Visual C++ 6: 'typedef GLint int '. AAAARRRRGGGHHHH!!! [Don't get it? You're not a C programmer.]

    A hacker does for love what others would not do for money.

    Being married to a programmer is like having a cat. You talk to it but you're never really sure if it hears you, much less comprehends what you say.

  5. #5
    Registered User
    Join Date
    Mar 2008
    Location
    india
    Posts
    84
    Well..GEEK !!

    You explained it ...

    Thank you..

  6. #6
    Funny, this is covered in the tutorial that was offered on the second post, at least if one actually reads past the title
    I have nothing to say and I am saying it and that is poetry as I need it.
    -John Cage

  7. #7
    Registered User
    Join Date
    Mar 2008
    Location
    india
    Posts
    84
    The 2nd post directed me to this link: http://home.inf.fh-rhein-sieg.de/~ikarim2s/how2injectcode/code_inject.html
    I see the following lines in the tutorial:

    " Because we're going to inject some code we've to have some space to inject it. In an EXE file are a lot of CodeCaves were nothing is done (DB 00). So lets scroll the CPU window a little bit down until you find a CodeCaves(look below)."

    This (as I, a newbie, understand it) refers to the requirement for space at the point where the code is going to be injected.

    But what is happening at the point of origin of the jump?
    Why is one line of code here overwritten by another line?
    This is what I needed to understand.
    and....
    GEEK has given an explanation ..

    More details associated with my query may be available in that tutorial … Somehow I missed it then.
    I thank you for being helpful.

    Regards.

  8. #8
    Quote Originally Posted by xenakis:
    "Funny, this is covered in the tutorial that was offered on the second post, at least if one actually reads past the title"
    To be fair, the tutorial only says "Press on Assemble and you will the the again the red marked(patched) code." Which is broken English and not a very in-depth explanation of what jackall was asking.

    I know we encourage people to learn for themselves around here, but there are times when a little explanation helps, rather than hurts the learning process.

    Personmans

  9. #9
    Registered User
    Join Date
    Mar 2008
    Location
    india
    Posts
    84
    .......You live and learn.......
    Last edited by jackall; April 15th, 2008 at 00:29.

  10. #10
    This is not an excuse! What I mentioned in my first post is just a hint for you so that in your future research you will appreciate much more the Art of "Searching". I'm not taking your question about the subject as something bad to ask about... And I'm 100% sure that if you do a complete search you'll find a very informative explanation about that subject... And that's why the admins here keep emphasizing the importance of "Searching as a New Culture"... Do you know that there are good links at the home page...
    Last edited by tHE mUTABLE; April 15th, 2008 at 01:16.
    The only reason for time is so that everything doesn't happen at once. [A. Einstein]

  11. #11
    Registered User
    Join Date
    Mar 2008
    Location
    india
    Posts
    84
    Dear tHE mUTABLE …
    I appreciate your reply... your hint to improve the art of searching. I will of course try to do that more in future. Probably these kinds of interactions make learning much livelier and life more worthwhile.

    Personmans was correctly guiding the proceedings in the right direction.

    Regarding the title, 'Jmp Code Cave', I must admit that it was a bit extraneous to the query at the moment. Probably that title caused a few redirections to Google.com.

    Reflecting on the issue, I make out a few reasons to include the word codecave.
    I was not sure if any difference exists between a JMP to a codecave and a JMP to other parts in the code. Additionally I had a few more doubts that needed clarification about what happens when the jump reaches the codecave.

    Well ! if ever it reaches there …
    Meanwhile....
    It is a pleasure to learn in the company of people like Personmans and I truly appreciate your contribution in the context.

    Regards..
    Last edited by jackall; April 15th, 2008 at 05:54.

  12. #12
    The part of the tutorial I was referring to was:
    You will see that there are a few lines overwritten! But this lines are needed to run the programm without errors. Identify the lines which get overwritten.
    As I am sure you have learned by now, the act of jumping to a code cave does not magically change the code following the code. Your issue involves keeping track of bytes (and the number of bytes) overwritten when patching, that a jmp is involved is irrelevant. Perhaps had you looked at the machine code before and after your patch you would have figured it out yourself:
    before:
    0100739D > $ 6A 70 PUSH 70
    0100739F > 68 98180001 PUSH notepad.01001898
    010073A4 . E8 BF010000 CALL notepad.01007568
    after:
    0100739D > /E9 DE130000 JMP notepad.01008780
    010073A2 - |0001 ADD BYTE PTR DS:[ECX],AL
    010073A4 . |E8 BF010000 CALL notepad.01007568

    You can't put 5 bytes into 2 so your jmp spills over to the next instruction. When you code your cave, you would normally recode the overwritten code, so technically the "fill with nops" option is not really necessary (just cosmetic) since you would probably jmp back to 010073A4, placing the first two overwritten instructions to your code cave.
    I have nothing to say and I am saying it and that is poetry as I need it.
    -John Cage
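    To make xenakis's "you can't put 5 bytes into 2" concrete, here is an added worked example (written for this page; it is not code from the thread, the tutorial, or OllyDbg). The bytes and addresses are copied from the listing above; the function names are my own. It encodes the E9 rel32 jump exactly as OllyDbg did (the displacement is measured from the end of the 5-byte instruction, so DE130000 = 01008780 - 010073A2), writes it over the original bytes, and reports which instructions were overlapped and which stray bytes are left between the end of the jump and the next intact instruction.

```python
# Added example (not from the thread or OllyDbg): why writing a 5-byte JMP over
# the 2-byte "PUSH 70" leaves two stray bytes that the debugger decodes as
# "ADD BYTE PTR DS:[ECX],AL". Bytes and addresses are copied from the listing.

SITE = 0x0100739D   # address of PUSH 70 in notepad.exe (from the listing)
CAVE = 0x01008780   # code cave address used in the thread

# Original bytes at SITE, in listing order:
# PUSH 70 / PUSH 01001898 / CALL 01007568 / XOR EBX,EBX / PUSH EBX
ORIGINAL = bytes.fromhex("6A70" "6898180001" "E8BF010000" "33DB" "53")
LENGTHS = [2, 5, 5, 2, 1]   # instruction lengths, same order


def encode_rel32(opcode: int, src: int, dst: int) -> bytes:
    """Encode JMP rel32 (E9) or CALL rel32 (E8) placed at src, targeting dst.
    The displacement is measured from the end of the 5-byte instruction."""
    rel = (dst - (src + 5)) & 0xFFFFFFFF
    return bytes([opcode]) + rel.to_bytes(4, "little")


def instruction_map(base: int, lengths):
    """[(address, length), ...] for each instruction, as the debugger lists them."""
    out, addr = [], base
    for n in lengths:
        out.append((addr, n))
        addr += n
    return out


def write_bytes(image: bytes, base: int, at: int, new: bytes) -> bytes:
    """Overwrite bytes in a copy of `image` (which starts at `base`) at address `at`."""
    off = at - base
    return image[:off] + new + image[off + len(new):]


def spill_report(base: int, lengths, at: int, size: int):
    """Return (addresses of original instructions overlapped by the write,
    address of the first instruction left intact,
    number of stray bytes between the end of the write and that instruction)."""
    end = at + size
    insns = instruction_map(base, lengths)
    overlapped = [a for a, n in insns if a < end and a + n > at]
    resume = next(a for a, n in insns if a >= end)
    return overlapped, resume, resume - end


def demo():
    jmp = encode_rel32(0xE9, SITE, CAVE)                  # E9 DE 13 00 00, as in the listing
    patched = write_bytes(ORIGINAL, SITE, SITE, jmp)
    overlapped, resume, n_stray = spill_report(SITE, LENGTHS, SITE, len(jmp))
    stray = patched[len(jmp):len(jmp) + n_stray]          # 00 01: the tail of "PUSH 01001898"
    return {"jmp": jmp, "patched": patched, "overlapped": overlapped,
            "resume": resume, "stray": stray}


if __name__ == "__main__":
    r = demo()
    print("patch bytes :", r["jmp"].hex(" "))
    print("overwrote   :", [hex(a) for a in r["overlapped"]])
    print("stray bytes :", r["stray"].hex(" "), "-> decoded as ADD BYTE PTR [ECX],AL")
    print("next intact :", hex(r["resume"]))
```

    The two stray bytes are the last two bytes of the original PUSH 01001898 immediate (98 18 00 01). OllyDbg starts decoding again right after the jump, sees opcode 00 (ADD r/m8, r8) with a ModRM byte of 01 (mod=00, reg=AL, rm=[ECX]), and prints ADD BYTE PTR DS:[ECX],AL. Nothing was "changed" at 010073A2; those bytes were simply never meant to be an instruction start.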

  13. #13
    Registered User
    Join Date
    Mar 2008
    Location
    india
    Posts
    84
    Thank you….xenakis

    Basics are getting understandable …
    Your explanation adds further clarity ….
    and…
    “Beauty is as beauty does! “

  14. #14
    Jakor
    Guest
    ORIGINAL:
    0100739D > $ 6A 70 PUSH 70
    0100739F . 68 98180001 PUSH NOTEPAD.01001898
    010073A4 . E8 BF010000 CALL NOTEPAD.01007568
    010073A9 . 33DB XOR EBX,EBX
    010073AB . 53 PUSH EBX ; /pModule => NULL
    010073AC . 8B3D CC100001 MOV EDI,DWORD PTR DS:[<&KERNEL32.GetModu>; |kernel32.GetModuleHandleA
    010073B2 . FFD7 CALL EDI ; \GetModuleHandleA
    010073B4 . 66:8138 4D5A CMP WORD PTR DS:[EAX],5A4D
    010073B9 . 75 1F JNZ SHORT NOTEPAD.010073DA
    010073BB . 8B48 3C MOV ECX,DWORD PTR DS:[EAX+3C]
    YOURS (WITH NOP added in):
    0100739D > $ 6A 70 PUSH 70
    0100739F . 68 98180001 PUSH NOTEPAD.01001898
    010073A4 . E8 BF010000 CALL NOTEPAD.01007568
    010073A9 . 33DB XOR EBX,EBX
    010073AB . 53 PUSH EBX ; /pModule => NULL
    010073AC E9 CF130000 JMP NOTEPAD.01008780
    010073B1 90 NOP
    010073B2 . FFD7 CALL EDI ; \GetModuleHandleA
    010073B4 . 66:8138 4D5A CMP WORD PTR DS:[EAX],5A4D
    010073B9 . 75 1F JNZ SHORT NOTEPAD.010073DA
    010073BB . 8B48 3C MOV ECX,DWORD PTR DS:[EAX+3C]
    As you can see:
    010073AC 8B3D CC100001 MOV EDI,DWORD PTR DS:[<&KERNEL32.GetModu>; kernel32.GetModuleHandleA

    has 6 bytes for the instruction. and a far jump always uses 5 bytes. This isn't really important as with a jump you will not automatically return to the instruction after the jump, so technically you don't have to make it a nop (though with a call also 5 bytes you would need to nop it).

    The issue is you probably aren't keeping track of the stack during all of this. aka: you are making the jump inside of a set of instructions for a call.

    Instead place your jump at the beginning, aka:

    010073AB . 53 PUSH EBX ; /pModule => NULL
    010073AC 8B3D CC100001 MOV EDI,DWORD PTR DS:[<&KERNEL32.GetModu>; kernel32.GetModuleHandleA
    010073B2 . FFD7 CALL EDI ; \GetModuleHandleA
    should be:
    010073AB E8 D0130000 CALL NOTEPAD.01008780
    010073B0 90 NOP
    010073B1 90 NOP
    010073B2 90 NOP
    010073B3 90 NOP
    and at 01008780 you should:

    ;Save Registers as needed (not eax)
    ;Do the stuff you want (aka)
    push 0 ;MB_OK
    push 0 ;TITLE = "Error"
    push addr szText ; set this to an actual value for some text
    push 0 ;Owner = Noone
    call JMP.&user32.MessageBoxA
    ;Now return to notepad
    ;do overwritten code first
    push 0
    call JMP.&kernel32.GetModuleHandleA
    ;restore all saved registers
    ret
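    Posts #12 and #14 between them list everything a hand patch has to keep straight: the 5-byte JMP or CALL, the NOP fill up to the next instruction boundary, the overwritten instructions that must be re-executed in the cave, and the way back. The following added example (written for this page; not code from the thread, the tutorial, or OllyDbg) turns that bookkeeping into a function. The bytes and addresses are constructed from the listings in this thread; `plan_detour`, `payload_len` and `via_call` are my own names. It goes one step beyond the thread: if a displaced instruction is itself a CALL or JMP rel32, it re-encodes the displacement for the instruction's new address in the cave, and it refuses short relative branches, which cannot be moved without re-encoding by hand.

```python
# Added example (not from the thread or OllyDbg): planning a 5-byte detour so that
# the bytes it overwrites are accounted for. Addresses and bytes are constructed
# from the OllyDbg listings in this thread.

NOP = 0x90


def encode_rel32(opcode: int, src: int, dst: int) -> bytes:
    """E9 = JMP rel32, E8 = CALL rel32; rel32 is relative to the end of the instruction."""
    return bytes([opcode]) + ((dst - (src + 5)) & 0xFFFFFFFF).to_bytes(4, "little")


def decode_rel32_target(addr: int, insn: bytes) -> int:
    """Absolute target of an E8/E9 instruction located at addr."""
    return addr + 5 + int.from_bytes(insn[1:5], "little", signed=True)


def plan_detour(site: int, site_bytes: bytes, lengths, cave: int,
                payload_len: int = 0, via_call: bool = False) -> dict:
    """Work out what a hand patch at `site` must keep straight:
      patch     - 5-byte JMP/CALL plus NOP fill up to the next instruction boundary
      resume    - first original instruction left intact
      relocated - the displaced instructions, re-encoded if they were E8/E9 rel32,
                  to be placed in the cave after `payload_len` bytes of your own code
      back      - JMP from the end of the cave to `resume`, or RET for the CALL variant
      covered   - addresses of the displaced instructions
    """
    hook = encode_rel32(0xE8 if via_call else 0xE9, site, cave)

    # Walk instructions from `site` until at least the 5 hook bytes are covered.
    covered, offset = [], 0
    for n in lengths:
        if offset >= len(hook):
            break
        covered.append((site + offset, site_bytes[offset:offset + n]))
        offset += n
    resume = site + offset
    patch = hook + bytes([NOP]) * (offset - len(hook))   # "Fill with nops" done by hand

    # Rebuild the displaced instructions at their new home in the cave.
    new_addr = cave + payload_len
    relocated = b""
    for old_addr, insn in covered:
        if insn[0] == 0xEB or 0x70 <= insn[0] <= 0x7F:
            raise ValueError(f"short relative branch at {old_addr:#x} cannot be moved as-is")
        if insn[0] in (0xE8, 0xE9) and len(insn) == 5:
            target = decode_rel32_target(old_addr, insn)
            insn = encode_rel32(insn[0], new_addr + len(relocated), target)
        relocated += insn

    if via_call:
        back = b"\xC3"   # RET lands on the NOP fill at site+5 and falls through to `resume`
    else:
        back = encode_rel32(0xE9, new_addr + len(relocated), resume)
    return {"patch": patch, "resume": resume, "relocated": relocated,
            "back": back, "covered": [a for a, _ in covered]}


CAVE = 0x01008780

# Site 1 (posts #1 and #12): PUSH 70 / PUSH 01001898 / CALL 01007568
SITE1 = 0x0100739D
SITE1_BYTES = bytes.fromhex("6A70" "6898180001" "E8BF010000")
PLAN1 = plan_detour(SITE1, SITE1_BYTES, [2, 5, 5], CAVE)

# Site 2 (post #14): MOV EDI,[IAT GetModuleHandleA] (6 bytes) / CALL EDI
SITE2 = 0x010073AC
SITE2_BYTES = bytes.fromhex("8B3DCC100001" "FFD7")
PLAN2 = plan_detour(SITE2, SITE2_BYTES, [6, 2], CAVE)

# Site 3 (constructed to exercise the rel32 fix-up): the CALL at 010073A4 is displaced
SITE3 = 0x010073A4
SITE3_BYTES = bytes.fromhex("E8BF010000" "33DB" "53")
PLAN3 = plan_detour(SITE3, SITE3_BYTES, [5, 2, 1], CAVE)

if __name__ == "__main__":
    for name, plan in (("site1", PLAN1), ("site2", PLAN2), ("site3", PLAN3)):
        shown = {k: (v.hex(" ") if isinstance(v, bytes) else v) for k, v in plan.items()}
        print(name, shown)
```

    For site 1 the plan reproduces the thread exactly: patch E9 DE 13 00 00 90 90, two displaced instructions (PUSH 70 and PUSH 01001898) to re-run in the cave, and a jump back to 010073A4. For site 2 it reproduces Jakor's listing (E9 CF 13 00 00 plus one NOP at 010073B1, resume at 010073B2). Site 3 is the case neither post reaches: the displaced CALL 01007568 gets a new displacement (E8 E3 ED FF FF) so that it still lands on 01007568 from 01008780. The `via_call` variant encodes Jakor's CALL-based approach, where the cave ends in RET and execution falls through the NOP fill.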

  15. #15
    Registered User
    Join Date
    Mar 2008
    Location
    india
    Posts
    84
    Yes, Jakor, you are helpful ..

    Right now I don't have enough depth to grasp all you mentioned at a go. But I will ….. learn... line by line in time.

    Meanwhile allow me to welcome your enthusiasm to share understanding with less privileged ones like me.

    Thank you .
    Regards
