
Thread: Extending subroutines with new instructions in IDA

  1. #1

    Extending subroutines with new instructions in IDA


    Take the following subroutine as an example.

    sub_B02770 proc near

    arg_0= dword ptr 4
    arg_4= dword ptr 8

    mov eax, [esp+arg_4]
    mov edx, [esp+arg_0]
    push 1
    push eax
    push edx
    call sub_B026B0
    retn 8
    sub_B02770 endp


    I'm able to modify existing instructions by changing opcodes within the IDA Hex View. However, I'm wondering how new instructions can be inserted into subroutines. Suppose I would like to add five "nop" instructions after "push edx" without overwriting existing opcodes. Do I need to use "Edit function" for this?

    Thanks in advance,


  2. #2

    As Above


    The PE structure is quite complex, and you need to know how to add code. You can do it by:

    1. Creating a new section
    2. Increasing the size of the current section
    3. Creating an external .dll and modifying a function in the local .exe to point to that .dll, then returning when your job is done. Officially, it's called a 'trampoline' function (search Google for it; Microsoft has a good trampoline framework and examples as well)

    There is no preferred way here, just what's the easiest.

    Also, try Razzia+'s tutorials on 'code caves' and 'modifying notepad' for a start.

    Alternatively, you could also read Phrack Issue 55, "Win32 Buffer Overflows", where Dark Spyrit rapes Seattle mail. Of course, you'll have to go way down in the essay. While he is coding a remote shell there, he does so in existing memory in the binary. Check out his method as well.

    And let's hope you are not mixing up 64-bit and 32-bit binaries, as that will, no doubt, be even more complex.

    If it's .NET, you'll have to bypass the integrity check after patching. But there are ways already documented. Some undocumented ones, too.

    Finally, nope again. THAT's not what the IDA -> Edit function is used for.

    Hope this helps.

    Have Phun
    Blame Microsoft, get l337 !!

  3. #3
    example code:

    ; original stub, 20 bytes. The SIB byte E4 also encodes [ESP]
    ; (index = none, so the scale bits are ignored); assemblers and IDA emit 24.
    8B44E4 08     MOV EAX,DWORD PTR SS:[ESP+8]
    8B54E4 04     MOV EDX,DWORD PTR SS:[ESP+4]
    6A 01         PUSH 1
    50            PUSH EAX
    52            PUSH EDX
    E8 xxxxxxxx   CALL xxxxxxxx
    C2 0800       RETN 8

    ; same stack effect in 20 bytes with 5 spare: pop the return address and
    ; arg_0, swap the return address back under arg_4, finish with a plain RETN
    58            POP EAX                        ; EAX = return address
    5A            POP EDX                        ; EDX = arg_0
    8704E4        XCHG DWORD PTR SS:[ESP],EAX    ; EAX = arg_4, [ESP] = return address
    6A 01         PUSH 1
    50            PUSH EAX
    52            PUSH EDX
    90            NOP                            ; 5 bytes free for new code
    90            NOP
    90            NOP
    90            NOP
    90            NOP
    E8 xxxxxxxx   CALL xxxxxxxx                  ; the CALL moved, so its rel32 must be re-encoded
    C3            RETN

    ; 20 bytes with 7 spare: pop everything, rebuild the frame with the return
    ; address on top and tail-jump, so the callee returns straight to the caller
    ; (works because the callee cleans its own args, as the original RETN 8 implies;
    ; ECX is clobbered, which is fine for a caller-saved register)
    58            POP EAX                        ; EAX = return address
    5A            POP EDX                        ; EDX = arg_0
    59            POP ECX                        ; ECX = arg_4
    6A 01         PUSH 1
    51            PUSH ECX
    52            PUSH EDX
    50            PUSH EAX                       ; return address back on top
    90            NOP                            ; 7 bytes free for new code
    90            NOP
    90            NOP
    90            NOP
    90            NOP
    90            NOP
    90            NOP
    E9 xxxxxxxx   JMP xxxxxxxx                   ; rel32 relative to this new address
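    The two approaches discussed in this thread, as an added worked example in Python (not code from any of the posts above): rewriting the stub in place with shorter encodings, as in the third variant of #3, and detouring into a code cave and jumping back, as suggested in #2. The point both share is that E8/E9 operands are rel32 displacements measured from the next instruction, so every CALL or JMP that changes address must be re-encoded, which is why the "xxxxxxxx" bytes cannot simply be copied. The addresses 0xB02770 and 0xB026B0 are taken from the listing in #1; the cave address 0xB09000 is made up for the example, and sub_B026B0 is assumed to clean its own arguments, as the original RETN 8 implies.

```python
"""Making room for new instructions in a fixed-size x86 stub.

Two approaches from the thread, as working code: rewrite the stub in place
with shorter encodings (post #3, third variant) or detour to a code cave and
jump back (post #2). Either way, E8/E9 operands are rel32 displacements from
the *next* instruction, so every call/jmp that moves must be re-encoded.
"""
import struct

FUNC_VA = 0xB02770    # sub_B02770 from the listing
CALLEE_VA = 0xB026B0  # sub_B026B0 from the listing
CAVE_VA = 0xB09000    # assumed address of unused .text slack (constructed)

# An instruction is (fixed bytes, absolute target or None). For E8/E9 the
# fixed bytes are the opcode alone; the rel32 is encoded when emitted.
ORIGINAL_STUB = [
    (bytes.fromhex("8B442408"), None),  # mov  eax,[esp+8]  (canonical SIB 24)
    (bytes.fromhex("8B542404"), None),  # mov  edx,[esp+4]
    (bytes.fromhex("6A01"), None),      # push 1
    (b"\x50", None),                    # push eax
    (b"\x52", None),                    # push edx
    (b"\xE8", CALLEE_VA),               # call sub_B026B0
    (bytes.fromhex("C20800"), None),    # retn 8
]

# Post #3's third variant: same stack effect, 20 bytes, 7 of them free.
# Assumes sub_B026B0 cleans its own arguments (the original RETN 8 only
# cleans the stub's two) and clobbers ecx, which is caller-saved.
SHRUNK_STUB = [
    (b"\x58", None),                    # pop  eax   ; return address
    (b"\x5A", None),                    # pop  edx   ; arg_0
    (b"\x59", None),                    # pop  ecx   ; arg_4
    (bytes.fromhex("6A01"), None),      # push 1
    (b"\x51", None),                    # push ecx
    (b"\x52", None),                    # push edx
    (b"\x50", None),                    # push eax   ; callee returns to caller
] + [(b"\x90", None)] * 7 + [           # room for seven bytes of new code
    (b"\xE9", CALLEE_VA),               # jmp  sub_B026B0  (tail call)
]


def rel32(insn_va, insn_len, target_va):
    """Displacement from the end of the instruction at insn_va to target_va."""
    return struct.pack("<i", target_va - (insn_va + insn_len))


def decode_rel32(insn_bytes, insn_va):
    """Absolute target of an E8/E9 instruction whose bytes sit at insn_va."""
    disp = struct.unpack("<i", insn_bytes[-4:])[0]
    return insn_va + len(insn_bytes) + disp


def emit(insns, start_va):
    """Assemble an instruction list for start_va, fixing up rel32 operands."""
    out = bytearray()
    for body, target in insns:
        if target is None:
            out += body
        else:
            out += body + rel32(start_va + len(out), len(body) + 4, target)
    return bytes(out)


def build_detour(func_va, cave_va, func_insns, new_insns, n_displaced):
    """Post #2's approach: jmp from the function into a cave and back.

    The first n_displaced whole instructions are moved to the cave (with any
    rel32 among them re-encoded), followed by new_insns and a jmp back to the
    first instruction left in place. Returns (new function head, cave bytes).
    """
    displaced = func_insns[:n_displaced]
    displaced_len = sum(len(b) + (0 if t is None else 4) for b, t in displaced)
    if displaced_len < 5:
        raise ValueError("need >= 5 bytes of whole instructions for the jmp")
    head = emit([(b"\xE9", cave_va)], func_va)
    head += b"\xCC" * (displaced_len - 5)   # int3 padding, never reached
    resume_va = func_va + displaced_len
    cave = emit(displaced + new_insns + [(b"\xE9", resume_va)], cave_va)
    return head, cave


if __name__ == "__main__":
    nops = [(b"\x90", None)] * 5
    print("original :", emit(ORIGINAL_STUB, FUNC_VA).hex())
    print("in place :", emit(SHRUNK_STUB, FUNC_VA).hex())
    head, cave = build_detour(FUNC_VA, CAVE_VA, ORIGINAL_STUB, nops, 5)
    print("head     :", head.hex())
    print("cave     :", cave.hex())
```

    The detour displaces the first five instructions (12 bytes, through PUSH EDX) so the five NOPs land exactly where the question asked for them, and jumps back to the original CALL. Displaced instructions must be whole, and anything elsewhere that jumps into the displaced range would break; neither problem arises in this stub.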
