Write over part of code section

[Magnum]

I am looking for an example using SetFilePointer and WriteFile to
write to itself in it's code section.

For example:

Write over

mov eax, 5

with

mov edx,3

[qWord]

Are you trying to modify the exe at runtime? - this not possible. For doing so, you need an second process that do the job:

- start an second process (an other exe)
- close the current process
- load the executable and parse its PE header
- write your code to the corresponding position

[Magnum]

Thanks.

Could you help me with steps 3 and 4?

I guess making the code section writeable doesn't work.

[jj2007]

The code to patch:

Code Select Expand

include \masm32\MasmBasic\MasmBasic.inc
Init
mov eax, 5 ; 0B805h
Inkey Str$("Edx=%i", edx)
Exit
end start


The patcher:

Code Select Expand

include \masm32\MasmBasic\MasmBasic.inc
Init
Let esi=FileRead$("PatchMe.exe")
or ecx, -1
mov ebx, LastFileSize
.Repeat
inc ecx
mov ax, [esi+ecx]
.Until ecx>=ebx || ax==005B8h ; mov eax, 5
.if ax==005B8h
mov word ptr [esi+ecx], 003BAh ; mov edx, 3
Open "O", #1, "Patched.exe"
Print #1:ebx, esi
Close
MsgBox 0, "Patched", "Success:", MB_OK
.else
invoke MessageBox, 0, Chr$("Pattern not found"), Chr$("Bad luck:"), MB_OK
.endif
Exit
end start


[Magnum]

What about an executable that could write a new executable?

I am looking to make it more difficult for disassemblers.

If a debugger was detected, I would like for the program to be able to change it's code.

[Magnum]

I don't have SSE2.

[dedndave]

something that may help you is the PE/COFF file spec...
http://www.masm32.com/board/index.php?topic=13135.0

identify the MZ marker
a few bytes later (i forget the offset - 18h i think) is the offset of the PE marker
from there, you can identify the code and data sections

[jj2007]

I don't have SSE2.

No problem. Just use the corresponding Masm32 macros.

[qWord]

If a debugger was detected, I would like for the program to be able to change it's code.

That wont help you in any way. My suggestion is do use one of the vast number of packers available (e.g. UPX).

[mineiro]

Code Select Expand


.386
OPTION CASEMAP:NONE
include \masm32\include\masm32rt.inc

.CODE
start:
mov_eax_5:
mov eax, 5
mov_eax_5_size = $ - mov_eax_5
mov_edx_3:
mov edx,3
mov_edx_3_size = $ - mov_edx_3

mov edi,offset mov_eax_5
mov esi,offset mov_edx_3
mov ecx,mov_eax_5_size
cmp ecx,mov_edx_3_size
jne go_out
.while ecx != 0
lodsb
stosb
dec ecx
.endw
go_out:
invoke ExitProcess,0
END start
with writeable code Sr.

[Twister]

This is possible at runtime actually.

[hutch--]

Andy,

Do your self a favour and spend your time doing something more useful in terms of protection, this stuff is all old hack stuff that was done 15 years ago and it still does not work against anyone who knows what they are doing. Just open up your EXE file in IDA Pro and have a good play with its contents and you will see what I mean. Your best option is big, messy untidy techniques that make them do a lot of work to try and change the contents, learn a few things like partial CRC routines so that if any critical piece of code is changed, the app knows it and does not work properly.