Tutorial on Code Injection - Part 2 by brzi
*******************************************
brzi@devious.tsongkie.com
*************************
RELEASED UNDER DEViOUS (http://devious.tsongkie.com)
****************************************************

Well, after a week or two (or maybe more) of doing nothing but sitting in front of my PC, looking at the screen and drinking, I have decided to write another tutorial on code injection. I hope you liked my first one :). In that one I showed you the standard code injection method, which is boring. In this tutorial I'm going to show you how to inject calls to API functions. As this is my first tutorial of this kind, I'm going to show you how to inject a Message Box. In my next tutorials I'll show you some more stuff (if I have time to write more tutorials, because the school year has just begun). So let's start our little tutorial. We'll use Tsongkie's Code Cave Tool to search for a code cave and we will inject our Message Box into it. I mean we will inject the message box into Tsongkie's Code Cave Tool itself.
Wait, you'll see :)

TOOLS NEEDED
************
Windows Disassembler - W32Dsm89 - www.gamehacking.com
Tsongkie's Code Cave Tool - www.tsongkie.com
TSearch v1.6 - www.gamehacking.com
API Reference
Pen and a Piece of Paper

LESSON START
************
Explanation of the MessageBox API, taken from the API reference:

The MessageBox function creates, displays, and operates a message box. The message box contains an application-defined message and title, plus any combination of predefined icons and push buttons.

int MessageBox(
    HWND hWnd,          // handle of owner window
    LPCTSTR lpText,     // address of text in message box
    LPCTSTR lpCaption,  // address of title of message box
    UINT uType          // style of message box
);

Parameters

hWnd
    Identifies the owner window of the message box to be created. If this parameter is NULL, the message box has no owner window.
lpText
    Points to a null-terminated string containing the message to be displayed.
lpCaption
    Points to a null-terminated string used for the dialog box title. If this parameter is NULL, the default title Error is used.
uType
    Specifies the contents and behavior of the dialog box.

*NOTE: Unlike in other programming languages, in ASM the parameters are pushed onto the stack backwards (last parameter first). For MessageBoxA you have to push the caption first, then the main text, followed by the window handle, and then call MessageBoxA.

OK, now open W32Dsm89 and disassemble Tsongkie's Code Cave Tool. After the disassembly is done, click on the StrnRef button on the toolbar. Now double-click on the string in the list that says "Tsongkie's Code Cave Tool v1.0".
I have this code:

* Possible StringData Ref from Data Obj ->"About Tsongkie's Code Cave Tool"
|
:00401089 6849304000     push 00403049             <- pushes the address of the caption

* Possible StringData Ref from Data Obj ->"Tsongkie's Code Cave Tool v1.0"
|
:0040108E 6869604000     push 00403069             <- pushes the address of the main text
:00401093 FF3558324000   push dword ptr [00403258] <- pushes the window handle (hWnd)

* Reference To: USER32.MessageBoxA, Ord:01BBh
|
:00401099 E85E010000     Call 004011FC             <- calls MessageBoxA
:0040109E EB1A           jmp 004010BA
...........
...........

* Reference To: USER32.MessageBoxA, Ord:01BBh
|
:004011FC FF2524204000   Jmp dword ptr [00402024]  <- the import thunk that jumps to MessageBoxA

Now we know everything that we need. Let's do some testing :)

Open TSearch and click on EasyWrite.

// Begin TSearch script
offset 00401089
//jmp to our code cave
jmp 0040DC17

offset 0040DC17
//Recreate all the stuff
//push the caption of the msgbox
push 00403049
//push the main text of the msgbox
push 00403069
//push the window handle
push dword ptr [00403258]
//call the MessageBoxA API
call 004011FC
//jmp back after the call or the program will crash
jmp 0040109E
// End TSearch script

Now if you run Tsongkie's Code Cave Tool, enable the script and then press the About button, it will display the standard message "Tsongkie's Code Cave Tool ...". That means the injection is successful and everything is fine. (The jmp written at 00401089 is 5 bytes long, exactly the size of the push 00403049 it replaces, so no neighbouring instruction is damaged; the cave re-executes that push before the call and then jumps back to 0040109E, the instruction right after the original call.)

Now the other part: our strings (the caption and the main text). I have marked the new parts with |NEW|.

// Begin TSearch script
//First we will write our strings
//|NEW| Our caption
offset 0040DCA7
asc "brzi's CI tut2"
hex 00
//hex 00 is a null terminator, needed for all strings
//|NEW| Our text
//I couldn't think of anything good for the text so let it be "Hello"
offset 0040DCBB
asc "Hello !"
hex 00

offset 00401089
//jmp to our code cave
jmp 0040DC17

offset 0040DC17
//Recreate all the stuff
//|NEW| Change the original caption "About Tsongkie's Code .." to our "brzi's CI tut2"
push 0040DCA7
//|NEW| Change the original text "Tsongkie's Code Cave..." to our simple "Hello !"
push 0040DCBB
//push the window handle
push dword ptr [00403258]
//call the MessageBoxA API
call 004011FC
//jmp back after the call or the program will crash
jmp 0040109E
// End TSearch script

Now if you press the About button, a message saying "Hello !" will be displayed. Congratulations! You have injected your first Message Box!

Well, that's it for now. I hope you understood how this thing works, so you may try to do something by yourself. Until next time, CYA.

GREETS:
*******
Stoner, Tsongkie, Omega, Micral, EEDOK, InvadeR, Bie, VBTrainer and everybody else that I know :)
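As an added example that is not part of brzi's tutorial: a small Python script that assembles the bytes the second TSearch script writes (the 32-bit x86 encodings of push, call and jmp), checks the rel32 displacements against the bytes W32Dsm89 lists, verifies that the written regions do not overlap, and includes the integrity check a defender would run to tell whether the push at 00401089 has been replaced by a detour. The addresses and byte strings are the ones quoted in the tutorial; the helper names are constructed for this example.

```python
import struct

CAVE = 0x0040DC17          # code cave the script jumps to
HOOK = 0x00401089          # original 'push 00403049' (5 bytes), replaced by the jmp
RETURN = 0x0040109E        # instruction right after the original call
MSGBOX_THUNK = 0x004011FC  # 'jmp dword ptr [00402024]' -> USER32.MessageBoxA
HWND_PTR = 0x00403258      # dword holding the owner window handle
ORIG_HOOK_BYTES = bytes.fromhex("6849304000")  # push 00403049, as W32Dsm89 lists it

def push_imm32(value):                  # 68 imm32
    return b"\x68" + struct.pack("<I", value)
def push_mem32(addr):                   # FF 35 disp32 (push dword ptr [addr])
    return b"\xff\x35" + struct.pack("<I", addr)
def rel32(opcode, src, dst):            # E8/E9 rel32, counted from the next instruction
    return opcode + struct.pack("<i", dst - (src + 5))
def call(src, dst): return rel32(b"\xe8", src, dst)
def jmp(src, dst): return rel32(b"\xe9", src, dst)

def build_cave(caption_addr, text_addr):
    """Cave body at CAVE: parameters pushed in reverse order, call, jmp back. uType is
    not pushed: the listing shows no push for it after 00401089 (assumed already on the stack)."""
    code, addr = b"", CAVE
    for emit in (lambda a: push_imm32(caption_addr),  # lpCaption
                 lambda a: push_imm32(text_addr),     # lpText
                 lambda a: push_mem32(HWND_PTR),      # hWnd
                 lambda a: call(a, MSGBOX_THUNK),     # MessageBoxA via the import thunk
                 lambda a: jmp(a, RETURN)):           # resume the original flow
        ins = emit(addr)
        code, addr = code + ins, addr + len(ins)
    return code

def build_patch(caption, text, caption_addr=0x0040DCA7, text_addr=0x0040DCBB):
    """{address: bytes} for every write the second TSearch script performs."""
    return {HOOK: jmp(HOOK, CAVE),
            CAVE: build_cave(caption_addr, text_addr),
            caption_addr: caption.encode() + b"\x00",  # the 'hex 00' terminator
            text_addr: text.encode() + b"\x00"}

def regions_overlap(patch):
    """True if a string or the cave code would clobber another written region."""
    spans = sorted((a, a + len(b)) for a, b in patch.items())
    return any(spans[i][1] > spans[i + 1][0] for i in range(len(spans) - 1))

def detour_target(bytes_at_hook):
    """Integrity check: None while the original push is at HOOK, else the jmp's target."""
    if bytes_at_hook[:5] == ORIG_HOOK_BYTES:
        return None
    if bytes_at_hook[0] != 0xE9:
        raise ValueError("unexpected bytes at hook site")
    return HOOK + 5 + struct.unpack("<i", bytes_at_hook[1:5])[0]
```

The same displacement arithmetic explains the E85E010000 in the listing: 004011FC minus the end of the call instruction (0040109E) is 0000015E, stored little-endian.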