jmp to user address from system address

Started by six_L, July 11, 2006, 11:56:53 AM

six_L

Hello, all

edi=7c802442
;===================================
   mov   byte ptr[edi],0E9h   
   mov   eax,offset new_addr
   sub   eax,edi
   sub   eax,5
   inc   edi
   stosb            
...
new_addr:
...
;====================================
The above code can't calculate the right new_addr.

7c802442:    jmp 690b79b4     ;it should be " jmp 004010bb"
regards

P1

I got a number of hits on this edi value.
But I would like you to explain what this code is doing.

Regards,  P1  :8)

Wistrik

Looks like it's setting up a jump to return to a point further in the code.

Two things I spot right away:

1. SUB EAX,5 should be SBB EAX,5 (just in case the previous subtraction resulted in a borrow and set the carry flag)
2. STOSB should be STOS because I think you mean to write a dword value from EAX, not a byte from AL.

Is the new address higher in memory than 7C802442? If not, you're subtracting the wrong way and should be subtracting EAX from EDI.
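The displacement arithmetic discussed above (target minus patch address minus 5, stored little-endian after the E9 opcode), worked through in Python as an added example rather than code from the thread. It reproduces why the stosb version lands on a bogus address while the stosd version lands on new_addr, and adds the check an analyst would run on a function entry: decode the jmp and flag it if it leaves its own module. The 5-byte prologue bytes and the module range are constructed assumptions; the page does not show them.

```python
import struct

# Values quoted in the thread: patch site inside a system DLL and the intended target.
PATCH_ADDR = 0x7C802442
NEW_ADDR = 0x004010BB

# Constructed sample: a typical 5-byte Win32 prologue (mov edi,edi / push ebp / mov ebp,esp)
# standing in for whatever really sat at PATCH_ADDR; those bytes are not on the page.
ORIGINAL_PROLOGUE = bytes.fromhex("8BFF558BEC")

def rel32(patch_addr, target):
    """The thread's arithmetic: target - patch_addr - 5, as a 32-bit two's-complement value."""
    return (target - patch_addr - 5) & 0xFFFFFFFF

def patched_bytes(original, patch_addr, target, write_full_dword):
    """Simulate the two posted variants: E9 followed by stosd (4 bytes) or by stosb (1 byte).
    With stosb only the low byte of the displacement is written; the other three bytes of
    the displacement field are still whatever the original function had there."""
    disp = struct.pack("<I", rel32(patch_addr, target))
    n = 4 if write_full_dword else 1
    return b"\xE9" + disp[:n] + original[1 + n:]

def jmp_target(addr, code):
    """Decode a rel32 jmp located at addr; None if the first byte is not an E9 jmp."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    (disp,) = struct.unpack("<i", code[1:5])   # signed: backward jumps are common here
    return (addr + 5 + disp) & 0xFFFFFFFF

def redirected_outside_module(addr, code, module_base, module_size):
    """Analyst check: does the code at a function entry jump outside its own module?
    A genuine prologue does not start with a jmp to foreign memory; an inline patch does."""
    target = jmp_target(addr, code)
    if target is None:
        return False
    return not (module_base <= target < module_base + module_size)

if __name__ == "__main__":
    good = patched_bytes(ORIGINAL_PROLOGUE, PATCH_ADDR, NEW_ADDR, True)
    bad = patched_bytes(ORIGINAL_PROLOGUE, PATCH_ADDR, NEW_ADDR, False)
    print("stosd:", good.hex(), "->", hex(jmp_target(PATCH_ADDR, good)))
    print("stosb:", bad.hex(), "->", hex(jmp_target(PATCH_ADDR, bad)))
    # Assumed module range for the check; constructed, not taken from the page.
    print("redirected outside module:", redirected_outside_module(PATCH_ADDR, good, 0x7C800000, 0x100000))
```

With the constructed prologue the stosb variant decodes to 0x690B79BB, the same kind of far-off address the first post reports, because three of the four displacement bytes are leftovers of the original instruction stream.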

six_L

Hey, Wistrik,
that's all.
Thank you very much.

another question:

edi=7c802442
;===================================
   mov   byte ptr[edi],0E9h   
   mov   eax,offset new_addr
   sub   eax,edi
   sbb   eax,5
   inc   edi
   stosd           
...
   call 7c802442
here:   
   push 0
   call ExitProcess
...
new_addr:
  ret 04h

...
;====================================
When "ret 04h" has finished, why is eip != offset here?
regards

Wistrik

Since this is a near jump you're creating, there's no need to do a RET 04h. A simple RET would be sufficient. It is currently throwing away the EIP for "here" and returning to the routine that called your function in the first place.

At least that's what it seems to be doing. I'm not at home so I can't type this in to test it.

six_L

Hey, Wistrik,
thank you.

"ret" doesn't work correctly.
regards

Wistrik


P1

Quote from: P1 on July 11, 2006, 03:15:41 PM
> But I would like you to explain what this code is doing.

So maybe I asked the wrong question.   :naughty:    But no smart answers this time.  I'll sleep on whether to lock this topic or not.

What is the goal or purpose of this code?

Regards,  P1  :8)

six_L

Hey, Wistrik,
thank you.

"retn" doesn't work correctly.
The following code doesn't work correctly:
...
   call 7c802442
here:   
   push 0
   call ExitProcess
...
new_addr:
  jmp here
regards

six_L

Hey, P1,
first of all, I'm very glad to get any response, either friendly or rancorous.
Quote:
> So maybe I asked the wrong question. But no smart answers this time.  I'll sleep on whether to lock this topic or not.
> What is the goal or purpose of this code?

"Code it... That's all...", is it enough to answer your question?

I passed through Vancouver several months ago. "There isn't any good guy in a policeman's eyes," a beautiful girl told us. I did not believe that, but now I have to take it into account.

I never ask God "why can we eat?"; however, God never tires of telling us "to eat is for living, but to live isn't for eating".

regards

Mark Jones

"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08

zooba

The subject was enough to tell me where it's going.  :naughty:

Unless the original poster works for Microsoft, the only reason for coding anything in the system space is for redirecting API calls.

P1 should be waking up soon...

six_L

<< Edit by P1 >>
regards

P1

Redirecting the kernel Sleep function without a proper explanation is enough to lock the thread.

PM a moderator if you can come up with a useful reason for doing this.

Quote from: zooba on July 12, 2006, 05:40:38 AM
> P1 should be waking up soon...

Just looking for an open and honest answer without the cloak-and-dagger coding.

Regards,  P1  :8)