|
· ·-------=+=---· ·
ÜÜÜÜÜÜÜÜÜÜÜÜ ÜÜÜÜÜÜÜÜÜÜÜÜ ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ÜÜÜÜÜÜÜ|
Û²²²²²²²²²²²Û±± Û²²²²²²²²²²²Û±± Û²²²²²²²²²²²²²²Û±± ÛÛÛÛÛÛÛ±±
Û²²²ÛÛÛÛÛ²²²Û±±°° Û²²ÛÛÛÛÛÛÛ²²Û±±°° ßßßßßßßÛ²²²²²²Û±±°° ±±±±±±±±±°°
Û²²²²²²²²²²²Û±±°° Û²²²²²²²²²²²Û±±°° Û²²²²²²Û±±°° °°°°°°°°°°°
ÛßßßßßßßßßßßßÛ±±°° ÛßßßßßßßÛßßßß±±°° Û²²²²²²Û±±°° ÜÜÜÜÜÜÜ
Û²²²²²²²²²²²²Û±±°° Û²²²²²²²²Û±±°° Û²²²²²²Û±±°° Û²²²²²Û±±
Û²²²ÛÛÛÛÛÛ²²²Û±±°° Û²²²Û²²²²²Û±±°° Û²²²²²²Û±±°° Û²²²²²Û±±°°
Û²²²ßßßßßß²²²Û±±°° Û²²²ÛÛÛ²²²²Û±±°° Û²²²²²²ßßßßßßÛ±± Û²²²²²Û±±°°
Û²²²²²²²²²²²²Û±±°° Û²²²ÛÛÛÛ²²²²Û±±°° Û²²²²²²²²²²²²²Û±±°° Û²²²²²Û±±°°
ßßßßßßßßßßßßßß±±°° ßßßßßßßßßßßßß±±°° ßßßßßßßßßßßßßßßß±±°° ßßßßßßß±±°°
±±±±±±±±±±±±±±±±°° ±±±±±±±±±±±±±±±°° ±±±±±±±±±±±±±±±±±±°° ±±±±±±±±±°°
°°°°°°°°°°°°°°°°°° °°°°°°°°°°°°°°°°° °°°°°°°°°°°°°°°°°°°° °°°°°°°°°°°
Tutorial on Code Injection - Part 2 by brzi*
********************************************
brzi@devious.tsongkie.com*
**************************
RELEASED UNDER DEViOUS (http://devious.tsongkie.com)*
*****************************************************
Well after a week or two or maybe more of doing nothing just standing in front of my PC,
looking at the screen and drinking i have decided to write another tutorial on code injection.
I hope you liked my first one :). But in that i have told you how to do the standard code
injection method which is boring. In this tutorial i'm going to show you how to inject API
functions. Well as my first tutorial of this kind i'm going to show you how to inject a
Message Box. In my next tutorials i'll show you some more stuff (if i have time to write more
tutorials because the school year has just began. So lets start our little tutorial. Well use
Tsongkie's Code Cave Tool for searching a code cave and we will inject our Message Box in it, i
mean we will inject the messagebox into Tsongkie's Code Cave Tool. Wait u'll see :)
TOOLS NEEDED
************
Windows Disassembler - W32Dsm89 - www.gamehacking.com
Tsongkie's Code Cave Tool - www.tsongkie.com
TSearch v1.6 - www.gamehacking.com
API Reference
Pen and a Piece of Paper
LESSON START
************
Explanation of the MessageBox API taken from the API reference:
The MessageBox function creates, displays, and operates a message box. The message box contains
an application-defined message and title, plus any combination of predefined icons and push
buttons.
int MessageBox(
HWND hWnd, // handle of owner window
LPCTSTR lpText, // address of text in message box
LPCTSTR lpCaption, // address of title of message box
UINT uType // style of message box
);
Parameters
hWnd
Identifies the owner window of the message box to be created. If this parameter is NULL,
the message box has no owner window.
lpText
Points to a null-terminated string containing the message to be displayed.
lpCaption
Points to a null-terminated string used for the dialog box title. If this parameter is NULL,
the default title Error is used.
uType
Specifies the contents and behavior of the dialog box.
*NOTE: Unlike other programming languages in ASM parameters are pushed into the stack backwards.
In ASM you have to push the caption first, then the main text, followed by the window handle,
and then the call the MessageBoxA.
Ok now open W32Dsm89 and disassemble Tsongkie's Code Cave Tool. After the Disassembly is done
click on the StrnRef button on the toolbar. Now double click on the string in the list that
says "Tsongkie's Code Cave Tool v1.0". I have this code:
* Possible StringData Ref from Data Obj ->"About Tsongkie's Code Cave Tool"
|
:00401089 6849304000 push 00403049 <- pushes the location of the caption
* Possible StringData Ref from Data Obj ->"Tsongkie's Code Cave Tool v1.0"
|
:0040108E 6869604000 push 00403069 <- pushes the location of the main text
:00401093 FF3558324000 push dword ptr [00403258] <- push the WndHandle (hWnd)
* Reference To: USER32.MessageBoxA, Ord:01BBh
|
:00401099 E85E010000 Call 004011FC <- Calls MessageBoxA
:0040109E EB1A jmp 004010BA |
........... |
........... |
|
* Reference to: USER32.MessageBoxA, Ord:01BBh |________
| |
:004011FC FF2524204000 Jmp dword ptr [00402024] <-
Now we know everything that we need. Lets do some testing :)
Open TSearch and click on EasyWrite.
// Begin TSearch script
offset 00401089
//jmp to our code cave
jmp 0040DC17
offset 0040DC17
//Recreate all the stuff
//push the caption of the msgbox
push 00403049
//push the main text of the msgbox
push 00403069
//push the window handle
push dword ptr [00403258]
//call the MessageBoxA API
call 004011FC
//jmp back after the call or the program will crash
jmp 0040109E
// End TSearch script
Now if you run Tsongkie's Code Cave Tool and enable the script and then press the about button,
it will display you the standard Message "Tsongkie's Code Cave Tool ....". It means that the
injection is succesfull and everything is fine.
Now the other part - our strings (the caption, main text). I have marked the new parts with
|NEW| .
// Begin TSearch script
//First we will write our strings
//|NEW| Our caption
offset 0040DCA7
asc "brzi's CI tut2"
hex 00
//hex 00 is a null terminator needed for all strings
//|NEW| Our Text //I couldn't think of anything good for the text so let it be "Hello"
offset 0040DCBB
asc "Hello !"
hex 00
offset 00401089
//jmp to our code cave
jmp 0040DC17
offset 0040DC17
//Recreate all the stuff
//|NEW| Change the original caption "About Tsongkie's Code .." to our "brzi's CI tut2"
push 0040DCA7
//|NEW| Chande the original text "Tsongkie's Code Cave..." to our simple "Hello !"
push 0040DCBB
//push the window handle
push dword ptr [00403258]
//call the MessageBoxA API
call 004011FC
//jmp back after the call or the program will crash.
jmp 0040109E
//End TSearch script
Now if you press the about button a message saying "Hello !" will be displayed.
Congratulations ! You have injected your first Message Box!
Well that's it for now, i hope you understood how this thing works so you may try to do
something by your self. Until next time CYA.
GREETS:
*******
Stoner,Tsongkie,Omega,Micral,EEDOK,InvadeR,Bie,VBTrainer and everybody else that i know :)=
|
