Write over part of code section

Started by Magnum, May 12, 2011, 10:13:17 PM

Magnum

I am looking for an example using SetFilePointer and WriteFile to
write to itself in its code section.

For example:

Write over

mov eax, 5

with

mov edx,3
Have a great day,
                         Andy

qWord

Are you trying to modify the exe at runtime? This is not possible. To do so, you need a second process that does the job:

- start a second process (another exe)
- close the current process
- load the executable and parse its PE header
- write your code to the corresponding position
FPU in a trice: SmplMath
It's that simple!

Magnum

Thanks.

Could you help me with steps 3 and 4?

I guess making the code section writeable doesn't work.

Have a great day,
                         Andy

jj2007

The code to patch:
include \masm32\MasmBasic\MasmBasic.inc
Init
mov eax, 5 ; 0B805h - encodes as B8 05 00 00 00; the patcher looks for the first two bytes
Inkey Str$("Edx=%i", edx) ; prints edx, so the patched copy shows Edx=3
Exit
end start


The patcher:
include \masm32\MasmBasic\MasmBasic.inc
Init
Let esi=FileRead$("PatchMe.exe") ; read the whole file into a buffer at esi
or ecx, -1 ; ecx = -1, the first inc below makes it 0
mov ebx, LastFileSize ; ebx = number of bytes read
.Repeat ; scan the buffer one byte at a time, reading a word at each position
inc ecx
mov ax, [esi+ecx]
.Until ecx>=ebx || ax==005B8h ; mov eax, 5 (bytes B8 05 read as the little-endian word 05B8h)
.if ax==005B8h
mov word ptr [esi+ecx], 003BAh ; mov edx, 3 (bytes BA 03; the three zero bytes of the immediate are shared)
Open "O", #1, "Patched.exe" ; write the patched buffer out as a new file
Print #1:ebx, esi
Close
MsgBox 0, "Patched", "Success:", MB_OK
.else
invoke MessageBox, 0, Chr$("Pattern not found"), Chr$("Bad luck:"), MB_OK
.endif
Exit
end start

Magnum

What about an executable that could write a new executable?

I am looking to make it more difficult for disassemblers.

If a debugger was detected, I would like for the program to be able to change its code.

Have a great day,
                         Andy

dedndave

something that may help you is the PE/COFF file spec...
http://www.masm32.com/board/index.php?topic=13135.0

identify the MZ marker
a few bytes later (I forget the offset - 18h I think) is the offset of the PE marker
from there, you can identify the code and data sections


jj2007

Quote from: Magnum on May 12, 2011, 10:49:33 PM
I don't have SSE2.

No problem. Just use the corresponding Masm32 macros.

qWord

Quote from: Magnum on May 12, 2011, 10:47:58 PM
If a debugger was detected, I would like for the program to be able to change its code.

That won't help you in any way. My suggestion is to use one of the vast number of packers available (e.g. UPX).
FPU in a trice: SmplMath
It's that simple!

mineiro


.386
OPTION CASEMAP:NONE
include \masm32\include\masm32rt.inc

.CODE
start:
mov_eax_5:
    mov eax, 5                      ; target instruction (B8 05 00 00 00)
mov_eax_5_size = $ - mov_eax_5      ; its encoded length
mov_edx_3:
    mov edx, 3                      ; replacement instruction (BA 03 00 00 00)
mov_edx_3_size = $ - mov_edx_3

    mov edi, offset mov_eax_5       ; destination: the bytes of "mov eax, 5"
    mov esi, offset mov_edx_3       ; source: the bytes of "mov edx, 3"
    mov ecx, mov_eax_5_size
    cmp ecx, mov_edx_3_size         ; only copy when both encodings have the same length
    jne go_out
    .while ecx != 0                 ; byte-by-byte copy into .text; needs a writable code section
        lodsb
        stosb
        dec ecx
    .endw
go_out:
    invoke ExitProcess, 0
END start

with writeable code Sr.

Twister

This is possible at runtime actually.

hutch--

Andy,

Do yourself a favour and spend your time doing something more useful in terms of protection, this stuff is all old hack stuff that was done 15 years ago and it still does not work against anyone who knows what they are doing. Just open up your EXE file in IDA Pro and have a good play with its contents and you will see what I mean. Your best option is big, messy, untidy techniques that make them do a lot of work to try and change the contents, learn a few things like partial CRC routines so that if any critical piece of code is changed, the app knows it and does not work properly.
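Taking dedndave's PE walk and hutch--'s partial-CRC advice together, here is an added C example that is not from the thread: it locates the .text section of a file image through e_lfanew (the DWORD at 0x3C) and the section table, CRC-32s the section's raw bytes, and shows that jj2007's two-byte patch changes the checksum. The PE image is constructed in memory (headers plus six code bytes, not a loadable exe) and the function names are mine.

```c
#include <stdint.h>
#include <string.h>
static uint32_t crc32_buf(const uint8_t *p, size_t n) {   /* CRC-32, reflected poly 0xEDB88320 */
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
/* Walk an in-memory PE file image ("MZ" -> e_lfanew at 0x3C -> "PE\0\0" -> COFF header -> section
 * table) and CRC-32 the raw bytes of section `name`. Returns 1 with *out set, else 0 (bad/truncated). */
int section_crc(const uint8_t *img, size_t len, const char *name, uint32_t *out) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t pe = rd32(img + 0x3C);
    if (pe > len - 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    uint16_t nsec = rd16(img + pe + 6);                       /* NumberOfSections */
    size_t sect = pe + 24 + rd16(img + pe + 20);              /* skip SizeOfOptionalHeader */
    for (uint16_t i = 0; i < nsec; i++, sect += 40) {         /* 40-byte IMAGE_SECTION_HEADER */
        if (sect > len - 40) return 0;
        if (strncmp((const char *)img + sect, name, 8) != 0) continue;
        uint32_t size = rd32(img + sect + 16), ptr = rd32(img + sect + 20);
        if (ptr > len || size > len - ptr) return 0;          /* never read past the file */
        *out = crc32_buf(img + ptr, size); return 1;
    }
    return 0;
}
/* Constructed sample (headers only, not loadable): one .text section holding "mov eax, 5" then "ret". */
enum { TEXT_OFF = 0x200, IMG_LEN = TEXT_OFF + 6 };
size_t build_sample(uint8_t *img) {
    memset(img, 0, IMG_LEN);
    img[0] = 'M'; img[1] = 'Z'; img[0x3C] = 0x40;             /* e_lfanew = 0x40 */
    memcpy(img + 0x40, "PE\0\0", 4); img[0x40 + 6] = 1; img[0x40 + 20] = 0xE0; /* 1 section, PE32 */
    uint8_t *s = img + 0x40 + 24 + 0xE0;                      /* first section header */
    memcpy(s, ".text\0\0\0", 8);
    s[16] = 6; s[20] = TEXT_OFF & 0xFF; s[21] = TEXT_OFF >> 8; /* SizeOfRawData, PointerToRawData */
    memcpy(img + TEXT_OFF, "\xB8\x05\x00\x00\x00\xC3", 6);    /* B8 05 00 00 00 = mov eax, 5 */
    return IMG_LEN;
}
/* Apply jj2007's patch (B8 05 -> BA 03, "mov edx, 3") and report whether the .text
 * checksum changes: returns 1 when the patch is detected, 0 on any failure. */
int patch_detected(void) {
    uint8_t img[IMG_LEN]; uint32_t before, after; size_t len = build_sample(img);
    if (!section_crc(img, len, ".text", &before)) return 0;
    img[TEXT_OFF] = 0xBA; img[TEXT_OFF + 1] = 0x03;
    return section_crc(img, len, ".text", &after) && before != after;
}
```

In a real build the expected value would be compared against a copy stored outside the checked section, so the check covers exactly the bytes the thread's patcher overwrites.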