
Self modifying code


Postby WarrantyVoider » 02 May 2013, 08:29

I always wanted to do something like this^^ If anyone needs an explanation, post here.

#include "stdafx.h"    // VS precompiled header; the headers below are what the code actually needs
#include <windows.h>   // BYTE, DWORD, VirtualProtect, PAGE_EXECUTE_READWRITE, GetLastError
#include <stdio.h>
#include <tchar.h>     // _tmain, _TCHAR

BYTE * PointerToVMT;     // byte pointer to the jmp thunk that &TestFunc resolves to
DWORD * PointerToFunc;   // start of TestFunc's real code
DWORD * PointerToOPcode; // the imm32 operand of "mov dword ptr [ebp-8], 0A" inside TestFunc

void TestFunc(void)
{
    int n = 10;          // this constant is what gets patched in memory
    for(int i=0; i<n; i++)
        printf(".");
    printf("Count : %i\n", n);
}

// Assumes a 32-bit Debug build with incremental linking, where &TestFunc points at an
// E9 <rel32> jmp thunk rather than at the function body. The 0x21 offset was read off
// one specific build in OllyDbg and is not stable across compilers, options or edits.
void Init(void)
{
    PointerToVMT =(BYTE *) &TestFunc;
    PointerToVMT++; //jmp the jmp: skip the E9 opcode byte
    DWORD Offset = *((DWORD *)PointerToVMT);   // rel32 target, relative to the end of the jmp
    Offset += 4; //size of jmp arg
    PointerToFunc = (DWORD *)(PointerToVMT + Offset);
    Offset += 0x21; //offset of OPcode arg (build-specific)
    PointerToOPcode = (DWORD *)(PointerToVMT + Offset);
    printf("Initializing done.\n");
}

void ModefySelf(void)
{
    DWORD dwProtect;
    // Make the 4 bytes of the immediate writable. The old flags are saved but never
    // restored, so the page stays RWX for the rest of the run.
    if (!VirtualProtect(PointerToOPcode, 4, PAGE_EXECUTE_READWRITE, &dwProtect))
    {
        printf("VirtualProtect failed: %lu\n", GetLastError());
        return;
    }
    *PointerToOPcode = 0x10;   // 0x0A -> 0x10: n is 16 on every later call
}

int _tmain(int argc, _TCHAR* argv[])
{
    Init();
    TestFunc();
    TestFunc();
    ModefySelf();
    TestFunc();
    TestFunc();
    printf("Pointer to VMT : 0x%p\nPointer to Func : 0x%p\nPointer to OPcode : 0x%p\n",PointerToVMT, PointerToFunc, PointerToOPcode);
    return 0;
}


Output:
Initializing done.
..........Count : 10
..........Count : 10
................Count : 16
................Count : 16
Pointer to VMT : 0x01011083
Pointer to Func : 0x010113D0
Pointer to OPcode : 0x010113F1


greetz WV
always backup your files!
mess with the best or die like the rest!
"I tried everything!" - "mkay, please list that..." ; please dont pm me for help, we have a help section
WarrantyVoider
Emeritus
Posts: 2270
Joined: 22 Aug 2012, 11:33
Has thanked: 480 time
Have thanks: 626 time

Re: Self modifying code

Postby Eudaimonium » 22 May 2013, 20:00

Oh look, a program that can modify itself. Yeah that'll never bite us in the ass. :D

I'd very much like an explanation, if possible...
One of few surviving members of species that actually loved Mass Effect endings.
Eudaimonium
Emeritus
Posts: 299
Joined: 23 Aug 2012, 23:22
Has thanked: 17 time
Have thanks: 33 time

Re: Self modifying code

Postby WarrantyVoider » 23 May 2013, 04:45

well about the init function:
1) get a bytewise pointer to the function ((BYTE *) &TestFunc)
2) increase it by one, because at that address you find 0xE9 (opcode for jmp) and then the start address of the function's opcodes, so we get only the address
3) read the offset, as it's relative, add 4 bytes, because you just read that much... welcome to the assembler start of the function
4) with ollydbg I found out that 0x21 bytes after the start is where you will find the opcode that I want to modify: the assembler line looks like this:
013C13F5   C745 F8 0A000000 MOV DWORD PTR SS:[EBP-8],0A

-MOV DWORD PTR "A", "B" means copy 4 bytes (int32) from "B" to "A"
-SS:[EBP-8] means that a local variable from the stack is the target (int n)
-0x0A = 10 decimal, later I write 0x10 = 16
5) well I make a pointer to that position where the 0x0A is and save it (it won't change at runtime ever again)

ok now to the modify function:
1) you have to give yourself rights to access specific memory regions (write/read/exec and mixes of them), we want the region where the 0x0A is stored, 4 bytes, and save the old flags
2) as the pointer we made previously already points to the 0x0A and we declared it a dword* (int32) pointer, all we need to do is to "assign" a value, aka write 0x10 00 00 00 over 0x0A 00 00 00

greetz WV
always backup your files!
mess with the best or die like the rest!
"I tried everything!" - "mkay, please list that..." ; please dont pm me for help, we have a help section
WarrantyVoider
Emeritus
Posts: 2270
Joined: 22 Aug 2012, 11:33
Has thanked: 480 time
Have thanks: 626 time
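The locate-then-patch sequence from the two posts above, as an added example that is not WarrantyVoider's code: instead of trusting a debugger-derived +0x21 offset, it scans the function bytes for the exact `mov dword ptr [ebp-8], imm32` encoding (C7 45 F8 imm32) quoted in the post, refuses to write unless the old immediate is still there, and puts the page protection back afterwards (the original saves dwProtect but never restores it). It uses VirtualProtect on Windows and mprotect elsewhere; SAMPLE_CODE, scratch and the function names are constructed here, and the sample bytes are only read and patched, never executed.

```c
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif
/* "mov dword ptr [ebp+disp8], imm32" is C7 45 <disp8> <imm32 little-endian>: 7 bytes, imm32 at +3.
   SAMPLE_CODE is a constructed stand-in for the start of TestFunc (push ebp / mov ebp,esp / the
   MOV from the post / ret); its bytes are only read and patched here, never executed. */
static const uint8_t SAMPLE_CODE[] = { 0x55, 0x8B, 0xEC, 0xC7, 0x45, 0xF8, 0x0A, 0, 0, 0, 0xC3 };

static uint32_t rd32(const uint8_t *p) /* decode imm32 without depending on host byte order */
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Offset of the first MOV to [ebp+disp8] whose immediate equals expect_imm, or -1 if none.
   Matching the old immediate is the sanity check a blind "+0x21" offset does not give you. */
long find_mov_ebp_imm32(const uint8_t *code, size_t len, int8_t disp8, uint32_t expect_imm)
{
    for (size_t i = 0; i + 7 <= len; i++)
        if (code[i] == 0xC7 && code[i + 1] == 0x45 && (int8_t)code[i + 2] == disp8 && rd32(code + i + 3) == expect_imm)
            return (long)i;
    return -1;
}

/* Replace old_imm with new_imm: page writable only for the store, protection restored afterwards.
   Returns 1 on success, 0 if the bytes were not as expected or a protection change failed. */
int patch_imm32(uint8_t *code, size_t len, int8_t disp8, uint32_t old_imm, uint32_t new_imm)
{
    long off = find_mov_ebp_imm32(code, len, disp8, old_imm);
    if (off < 0) return 0;                          /* refuse rather than scribble over unknown bytes */
    uint8_t *imm = code + off + 3;
#ifdef _WIN32
    DWORD old; if (!VirtualProtect(imm, 4, PAGE_EXECUTE_READWRITE, &old)) return 0;
#else
    uint8_t *page = (uint8_t *)((uintptr_t)imm & ~((uintptr_t)sysconf(_SC_PAGESIZE) - 1)); /* page-aligned */
    size_t span = (size_t)(imm + 4 - page);
    if (mprotect(page, span, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) return 0;
#endif
    for (int k = 0; k < 4; k++) imm[k] = (uint8_t)(new_imm >> (8 * k));   /* little-endian store */
#ifdef _WIN32
    FlushInstructionCache(GetCurrentProcess(), imm, 4);
    return VirtualProtect(imm, 4, old, &old) != 0;  /* put the original flags back */
#else
    return mprotect(page, span, PROT_READ | PROT_EXEC) == 0;   /* POSIX cannot query the old flags */
#endif
}

/* Round trip on a page-aligned scratch page: copy the sample in, patch 10 -> 16 as the post does,
   and return the immediate now in place (-1 if the patch was refused). */
static _Alignas(4096) uint8_t scratch[4096];
long demo_patch(void)
{
    memcpy(scratch, SAMPLE_CODE, sizeof SAMPLE_CODE);
    return patch_imm32(scratch, sizeof SAMPLE_CODE, -8, 10, 16) ? (long)rd32(scratch + 6) : -1;
}
```

After demo_patch the scratch page is read+execute only, so a second patch attempt is refused by the byte check before anything is written.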

Re: Self modifying code

Postby Eudaimonium » 23 May 2013, 12:06

So basically, even though the program has its N=10 declared, after the declaration you sneak into the memory and change it manually into something else?
One of few surviving members of species that actually loved Mass Effect endings.
Eudaimonium
Emeritus
Posts: 299
Joined: 23 Aug 2012, 23:22
Has thanked: 17 time
Have thanks: 33 time

Re: Self modifying code

Postby WarrantyVoider » 23 May 2013, 13:02

yup
always backup your files!
mess with the best or die like the rest!
"I tried everything!" - "mkay, please list that..." ; please dont pm me for help, we have a help section
WarrantyVoider
Emeritus
Posts: 2270
Joined: 22 Aug 2012, 11:33
Has thanked: 480 time
Have thanks: 626 time

Re: Self modifying code

Postby ByteMe » 27 Jul 2013, 05:34

Came across the thread, late and pointless but here we are....

I actually have done this once to a program I was working on (because it was so difficult to accomplish (for me anyway) in assembly and required the use of a calculator... a lot! oww headache!). So even though what I'm about to say is probably completely irrelevant, I'll say how I did it.

The program I was dealing with used a protected dll which I could not un-protect (and still end up being usable) and had different memory addresses upon each load thanks to ASLR on non-XP systems. My changes started with a jump to a code cave (formerly blank eg 0000) inside the primary exe *after* the dll was loaded. Thanks to the program loading the dll and filling out the proper information/addresses upon each load inside the exe, I was able to add code that would grab the information of the 'existing' (in memory) location to a call inside the dll and perform a basic math function such as add or sub X from the value (as even though the starting address was random, the offset to the start was always the same!). This gave me the information I would need to find and make any actual changes in memory. More math & grabs were needed to get the addresses of the APIs I needed to make the memory address ranges writable and then release them later... =( After I made those changes I reverted the jump change to the original code and jumped back to it, allowing it to run as normal after the first time. This basically made the program's exe a self-loader. Of course it also ruined the digital signature, so I cleared that flag as well, as a bad sig is often auto flagged by the more lame AV vendors as a virus even if it doesn't contain any supporting code/signature matches...

I think it ended up taking me about 2 days to make all the changes I needed. (Yes I am THAT bad; had lots of crashes lol)

From what (little) I can decipher of the uber programming code, it is similar in method and result.
I'd also like to note that I never released that particular program to the public, along with 99% of my other puzzles. (Although a previous version is prevalent but not released by me, and used an RSA replace & keygen instead of an inline memory patch.) I strongly advocate that developers be paid for programs people use. I have a few exceptions to this rule (eg charged per year for a program that is updated once every 2 years if that.....), one of which is where the protection ruins the use of a program. I think ME3 qualifies there as the DLC overwrites many core files and thus the DLC check must be bypassed in order to allow proper modding. While this can potentially be disastrous for MP (cheating), let's face the fact that the MP gathering is much much lower than the SP mass and will happen regardless. Never done ME3 MP - never will. I learned my lesson with WoW and avoid any type of MP or MMO where possible. (Still get suckered in to some for short times to play with family but it never lasts.) All of this is of course a lot of bla blah blah for a thread not particularly related to ME3! :P

Decided to pull up an old txt file I had where I stored my notes and throw in a small code section of my 2 days of changes... in this particular revision it didn't replace the originating code before jumping back. This wasn't the final revision nor was it fully functional, but it shows the gist of the changes. P.S. I HATE math and am easily confused. I'm not a super genius like the programmers around here. /stare @ WV & SIG or the GETH! cough Fob

jmp down at CENSORED (Followed code stepping in till I saw a 'real' value in edx register to use as a base point)

    PushAD                          {save registers}
    sub edx,1BD4CB                  {edx holds pointer to CENSORED in DLL}
    mov esi,dword ptr ds:[edx]
    mov edi,dword ptr ds:[esi]
    add edi,1168D3                  {EDI holds pointer to VirtualProt inside dll}
    mov esi,dword ptr ds:[edi]
    mov ecx,edx                     {copy for work to globalalloc pointer}
    add ecx,0519D2                  {ecx now holds pointer to GlobalAlloc}
    mov ebx,dword ptr ds:[ecx]      {ebx holds globalalloc value after here}
    push 4
    push 0
    call near dword ptr ds:[ebx]    {calls GlobalAlloc}
    sub ebx,1247                    {sub from GlobalAlloc pointer to new changeable code}
    push eax
    push 40
    push 100
    push ebx                        {holds pointer to top of my code}
    call near dword ptr ds:[esi]    {call virtualprotect}
    mov edi,ebx                     {copy current pointer GlobalAlloc to edi}
    sub edi,1A5E72                  {points EDI to new code we need for dll info}
    add ebx,2
    mov dword ptr ds:[ebx],edi      {moves pointer to original patch} WORKS!!!
    popad
    push 6
    push 4
    lea eax,dword ptr ss:[esp+40]
    jmp CENSORED
It's not a bug, it's a feature.
ByteMe
User
Posts: 31
Joined: 03 Jul 2013, 13:42
Location: Over there!
Has thanked: 13 time
Have thanks: 14 time
