Hello, all
edi=7c802442
;===================================
mov byte ptr[edi],0E9h
mov eax,offset new_addr
sub eax,edi
sub eax,5
inc edi
stosb
...
new_addr:
...
;====================================
The above code can't calculate the right new_addr.
7c802442: jmp 690b79b4 ;it should be " jmp 004010bb"
I got a number of hits on this edi value.
But I would like you to explain, what this code is doing.
Regards, P1 :8)
Looks like it's setting up a jump to return to a point further in the code.
Two things I spot right away:
1. SUB EAX,5 should be SBB EAX,5 (just in case the previous subtraction resulted in a borrow and set the carry flag)
2. STOSB should be STOS because I think you mean to write a dword value from EAX, not a byte from AL.
Is the new address higher in memory than 7C802442? If not, you're subtracting the wrong way and should be subtracting EAX from EDI.
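The displacement arithmetic behind the patch under discussion, as an added C example that is not part of the original posts. The addresses 7c802442 and 004010bb are the ones the poster quotes; the five-byte prologue 8B FF 55 8B EC is a constructed stand-in for whatever originally sat at the patch site. A near jmp is E9 followed by a little-endian rel32 measured from the end of the instruction, so rel32 = target - (patch_addr + 5), computed mod 2^32 with ordinary two's-complement wrap. The same decode routine is what an integrity check runs over an exported function's first bytes to see whether they have been replaced by a jump and where that jump goes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed values taken from the thread: the patch site inside
 * kernel32 and the hook routine in the poster's own module. */
#define PATCH_ADDR    0x7c802442u
#define NEW_ADDR      0x004010bbu
#define JMP_REL32_LEN 5

/* Constructed stand-in for the original bytes at the patch site
 * (the common "mov edi,edi / push ebp / mov ebp,esp" prologue). */
static const uint8_t TYPICAL_PROLOGUE[JMP_REL32_LEN] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};

/* rel32 for an E9 jump placed at src_addr that lands on dst_addr.
 * The displacement is relative to the end of the 5-byte instruction,
 * and unsigned subtraction wraps mod 2^32, so a target below the patch
 * site simply becomes a negative displacement. No borrow fix-up needed. */
static uint32_t jmp_rel32(uint32_t src_addr, uint32_t dst_addr) {
    return dst_addr - (src_addr + JMP_REL32_LEN);
}

/* Emit the full 5-byte instruction: opcode plus all four displacement
 * bytes (what STOSD writes, where STOSB writes only the low byte). */
static void encode_jmp(uint8_t out[JMP_REL32_LEN], uint32_t src_addr, uint32_t dst_addr) {
    uint32_t rel = jmp_rel32(src_addr, dst_addr);
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel);
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Decode the bytes found at code_addr. If they begin with E9, return the
 * absolute target; otherwise return 0 (never a valid code address here).
 * This is the check an integrity scanner applies to an export's prologue. */
static uint32_t decode_jmp_target(const uint8_t *code, uint32_t code_addr) {
    if (code[0] != 0xE9) return 0;
    uint32_t rel = (uint32_t)code[1]
                 | ((uint32_t)code[2] << 8)
                 | ((uint32_t)code[3] << 16)
                 | ((uint32_t)code[4] << 24);
    return code_addr + JMP_REL32_LEN + rel;
}

/* Encode then decode: a correct patch must land exactly on dst_addr. */
static uint32_t roundtrip(uint32_t src_addr, uint32_t dst_addr) {
    uint8_t buf[JMP_REL32_LEN];
    encode_jmp(buf, src_addr, dst_addr);
    return decode_jmp_target(buf, src_addr);
}

/* Reproduce the first attempt in the thread: only AL is stored, so the
 * upper three displacement bytes stay whatever the original code held,
 * and the jump lands somewhere unrelated. */
static uint32_t decode_after_stosb(const uint8_t original[JMP_REL32_LEN],
                                   uint32_t src_addr, uint32_t dst_addr) {
    uint8_t buf[JMP_REL32_LEN];
    memcpy(buf, original, JMP_REL32_LEN);
    buf[0] = 0xE9;
    buf[1] = (uint8_t)jmp_rel32(src_addr, dst_addr); /* low byte only */
    return decode_jmp_target(buf, src_addr);
}

int main(void) {
    printf("rel32      = %08x\n", jmp_rel32(PATCH_ADDR, NEW_ADDR));
    printf("stosd jump = %08x\n", roundtrip(PATCH_ADDR, NEW_ADDR));
    printf("stosb jump = %08x\n", decode_after_stosb(TYPICAL_PROLOGUE, PATCH_ADDR, NEW_ADDR));
    return 0;
}
```

With the thread's addresses the displacement is 83bfec74, which the full five-byte write decodes back to 004010bb, while the single-byte write leaves three stale bytes in the displacement and decodes to a wild address, the same kind of result the poster saw.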
Hey, Wistrik
That's all.
Thank you very much.
Another question:
edi=7c802442
;===================================
mov byte ptr[edi],0E9h
mov eax,offset new_addr
sub eax,edi
sbb eax,5
inc edi
stosd
...
call 7c802442
here:
push 0
call ExitProcess
...
new_addr:
ret 04h
...
;====================================
When "ret 04h" has finished, why is eip != offset here?
Since this is a near jump you're creating, there's no need to do a RET 04h. A simple RET would be sufficient. It is currently throwing away the EIP for "here" and returning to the routine that called your function in the first place.
At least that's what it seems to be doing. I'm not at home so I can't type this in to test it.
Hey, Wistrik
Thank you.
"ret" doesn't work correctly.
Oops, I meant RETN (for return near).
Quote from: P1 on July 11, 2006, 03:15:41 PM
But I would like you to explain, what this code is doing.
So maybe I asked the wrong question. :naughty: But no smart answers this time. I'll sleep on whether to lock this topic or not.
What is the goal or purpose of this code?
Regards, P1 :8)
Hey, Wistrik
Thank you.
"retn" doesn't work correctly.
The following code doesn't work correctly either.
...
call 7c802442
here:
push 0
call ExitProcess
...
new_addr:
jmp here
Hey, P1
First of all, I'm very glad to get any response, either friendly or rancorous.
Quote
So maybe I asked the wrong question. But no smart answers this time. I'll sleep on whether to lock this topic or not.
What is the goal or purpose of this code?
"Code it... That's all...", is that enough to answer your question?
I passed by Vancouver several months ago. "There isn't any good guy in a policeman's eyes," a beautiful girl told us. I did not believe that, but now I have to take it into account.
I never ask God "why can we eat?", however, God never tires of telling us "to eat is for living, but to live isn't for eating".
...Where is it all going?
The subject was enough to tell me where it's going. :naughty:
Unless the original poster works for Microsoft, the only reason for coding anything in the system space is for redirecting API calls.
P1 should be waking up soon...
<< Edit by P1 >>
Re-directing the Kernel Sleep function without a proper explanation is enough to lock the thread.
PM a moderator if you can come up with a useful reason for doing this.
Quote from: zooba on July 12, 2006, 05:40:38 AM
P1 should be waking up soon...
Just looking for an open and honest answer without the cloak and dagger coding.
Regards, P1 :8)