CodeCave jump address
Discussion on CodeCave jump address within the AutoIt forum part of the Coders Den category.
04/05/2017, 16:18 | #1
elite*gold: 37 | Join Date: May 2014 | Posts: 1,835 | Received Thanks: 9,833

CodeCave jump address
Closed
04/05/2017, 18:17 | #2
elite*gold: 77 | Join Date: May 2008 | Posts: 5,430 | Received Thanks: 5,878
Quote: Originally Posted by HaMaDa..
> Hi,
> After allocating memory in a process and writing memory, how can I jump to the address at the end of the injection?
> Using ret didn't help.
> I just wanted to know how to calculate the address and the allocated memory page address.
> Thanks.
Have a look at:
Especially the function "_InjectOpcodeAtAddress($memopen, $des_address, $size, $opcodes)":
PHP Code:
;==================================================================================
; Function:        _InjectOpcodeAtAddress($memopen, $des_address, $size, $opcodes)
; Description:     Injects a Code-Cave with the specified Opcodes at the specified address.
;                  The Opcodes which were at $des_address are restored and will be executed
;                  even with the Code-Cave active.
; Parameter(s):    $memopen     - A handle returned by _MemoryOpen (Nomad.au3)
;                                 or _MemoryManipulationOpen (CCInject.au3)
;                  $des_address - Address where the Opcode should be injected.
;                  $size        - Size in bytes used at $des_address (min. 5 bytes) to get a complete command.
;                  $opcodes     - The Opcode which should be injected into the process.
; Requirement(s):
; Return Value(s): On Success - Returns an array of information:
;                               0 - Code-Cave's base address
;                               1 - Old Opcode at the Code-Cave's address (should be 0000...)
;                               2 - Opcode which was injected
;                               3 - Opcode which was at $des_address
;                               4 - New Opcode which is now at $des_address
;                  On Failure - Returns -1
;                  @Error     - 0 = No error.
;                               1 = $size is less than 5.
; Author(s):       Shadow992
; Note(s):
;==================================================================================
Func _InjectOpcodeAtAddress($memopen, $des_address, $size, $opcodes)
    $opcodes = StringReplace($opcodes, " ", "")
    $opcodes = StringReplace($opcodes, "0x", "")

    If $size < 5 Then ; a rel32 JMP needs 5 bytes
        SetError(1)
        Return -1
    EndIf

    Local $old_opcode[5], $temp, $code_cave_address = 0
    Local $code_cave_address_bytes, $bytes_for_code_cave

    ; NOP-pad whatever of the stolen instruction bytes the 5-byte JMP does not cover
    Local $nops = ""
    For $i = 5 To $size - 1
        $nops &= "90"
    Next

    ; cave = stolen bytes + injected opcodes + 5-byte JMP back
    $len = StringLen($opcodes) / 2 + 5 + $size
    $code_cave_address = _AllocateMemory($memopen, $len + 1)
    ; rel32 displacement of the hook: destination - source - 5 (little-endian via _ConvertHexToBytes)
    $temp = $code_cave_address - $des_address - 5
    $code_cave_address_bytes = _ConvertHexToBytes(Hex($temp), 8)

    ; write the hook; _MemoryBytesWrite returns the bytes that were there before
    $old_opcode[3] = _MemoryBytesWrite($memopen, $des_address, "E9" & $code_cave_address_bytes & $nops)
    ; write the cave: original bytes, payload, then JMP back to the instruction after the hook
    $old_opcode[1] = _MemoryBytesWrite($memopen, $code_cave_address, $old_opcode[3] & $opcodes & "E9" & _ConvertHexToBytes(Hex(($des_address + $size) - ($code_cave_address + StringLen($opcodes) / 2 + 5 + StringLen($old_opcode[3]) / 2)), 8))
    $old_opcode[2] = $old_opcode[3] & $opcodes & "E9" & _ConvertHexToBytes(Hex(($des_address + $size) - ($code_cave_address + StringLen($opcodes) / 2 + 5 + StringLen($old_opcode[3]) / 2)), 8)

    $old_opcode[4] = "E9 " & $code_cave_address_bytes & $nops
    $old_opcode[0] = Hex($code_cave_address)

    Return $old_opcode
EndFunc   ;==>_InjectOpcodeAtAddress
04/05/2017, 23:11 | #3
elite*gold: 39 | Join Date: Jun 2016 | Posts: 269 | Received Thanks: 805
Quote: Originally Posted by HaMaDa..
> Thanks shadow i solved the problem ...
> So for everyone is having the same problem as me , the solution is :
> [..]
That's no solution, that's complete bullshit. Just stop trying to do your copypasta everywhere. I'm not even sure if you even knew yourself what you were trying to do.
Quote: Originally Posted by HaMaDa..
> using ret didn't help
Using a return for a jmp, gg wp.
You should at least know what a return does from general coding and how it isn't related to jumping; instead it relates to calls.
04/06/2017, 01:10 | #4
elite*gold: 37 | Join Date: May 2014 | Posts: 1,835 | Received Thanks: 9,833
Quote: Originally Posted by Zyntex
> That's no solution, that's complete bullshit. Just stop trying to do your copypasta everywhere. I'm not even sure if you even knew yourself what you were trying to do.
> Using a return for a jmp, gg wp.
> You should at least know what a return does from general coding and how it isn't related to jumping; instead it relates to calls.

Quote: Originally Posted by Zyntex
> Just stop trying to do your copypasta everywhere
I asked for help with something I am trying to do and I was having this problem, so where's the copy-paste? I know what I am doing.
And actually I didn't use return for the jmp, of course; yes, I know I wrote that ret didn't help, but I didn't even explain.
Even asking for help is leeching for you?
You never faced any problem? Thanks anyway.
04/06/2017, 02:54 | #5
elite*gold: 0 | Join Date: Aug 2016 | Posts: 23 | Received Thanks: 16
You need to know how to subtract the size. These are simple things; Google it, or use the programmer calculator.
Value = HEX - HEX = size
JMP_Opcode = $hAddress - $hAddress_Alloc - Value
PHP Code:
$JMP_Opcode = Byte_Reverse(Calc(Dec($hAddress_Alloc) - $Value, $hAddress, 1)) ; JUMP hAddress
Global $shellcode = "0xE9" & $JMP_Opcode

; Reverse a hex string byte-wise ("AABBCCDD" -> "DDCCBBAA") so the rel32 is little-endian
Func Byte_Reverse($sBytes)
    Local $sReversed = ""
    For $i = StringLen($sBytes) - 1 To 1 Step -2
        $sReversed &= StringMid($sBytes, $i, 2)
    Next
    Return $sReversed
EndFunc   ;==>Byte_Reverse

Func Calc($dwCall, $dwAddress, $i = 0)
    If Not IsInt($dwCall) Then $dwCall = Dec(StringReplace($dwCall, "0x", ""))
    If Not IsInt($dwAddress) Then $dwAddress = Dec(StringReplace($dwAddress, "0x", ""))
    If $i = 1 Then ; swap source and destination
        Local $tmp = $dwCall
        $dwCall = $dwAddress
        $dwAddress = $tmp
    EndIf
    ; The post's Calc ends without a Return, so $JMP_Opcode would be empty. Assumed
    ; completion: the rel32 displacement destination - source - 5 as 8 hex digits
    ; (Hex() of a negative Int32 already gives the two's-complement form).
    Return Hex($dwAddress - $dwCall - 5, 8)
EndFunc   ;==>Calc
PHP Code:
$Handle = OpenProcess(0x1F0FFF, False, ProcessExists($Process))
DETOUR($Handle, $hAddress, $hAddress_Alloc, 0x5)
CloseHandle($Handle)

Func DETOUR($hProcess, $lpSource, $lpDestination, $iSize)
    Local Const $NOP = 0x90
    Local Const $JMP = 0xE9
    If $iSize < 5 Then ; size must be at least 5
        SetError(1)    ; at least 5 bytes are needed for a JMP
        Return -1
    EndIf
    For $i = 0 To $iSize - 1
        WriteProcessMemory($hProcess, $lpSource + $i, $NOP, 'byte') ; NOP all bytes
    Next
    ; Write the detour
    WriteProcessMemory($hProcess, $lpSource, $JMP, 'byte') ; JUMP
    ; Store the displacement in a DWORD struct so a negative value wraps to unsigned 32-bit
    Local $lpStruc = DllStructCreate("DWORD Offset")
    DllStructSetData($lpStruc, "Offset", $lpDestination - $lpSource - 5)
    WriteProcessMemory($hProcess, $lpSource + 1, DllStructGetData($lpStruc, "Offset"), 'dword')
    Return 0
EndFunc   ;==>DETOUR

Func WriteProcessMemory($hProcess, $lpBaseAddress, $Value, $Type = 'dword')
    Local $dsBuffer = DllStructCreate($Type)
    DllStructSetData($dsBuffer, 1, $Value)
    DllCall('kernel32.dll', 'bool', 'WriteProcessMemory', 'handle', $hProcess, 'ptr', $lpBaseAddress, 'ptr', DllStructGetPtr($dsBuffer), 'int', DllStructGetSize($dsBuffer), 'int', 0)
EndFunc   ;==>WriteProcessMemory

Func OpenProcess($dwAccess, $bInheritHandle, $dwProcessId)
    Local $ret = DllCall('kernel32.dll', 'dword', 'OpenProcess', 'dword', $dwAccess, 'bool', $bInheritHandle, 'dword', $dwProcessId)
    Return $ret[0]
EndFunc   ;==>OpenProcess

Func CloseHandle($hObject)
    Local $ret = DllCall('kernel32.dll', 'bool', 'CloseHandle', 'handle', $hObject)
    Return $ret[0]
EndFunc   ;==>CloseHandle
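Both shadow992's _InjectOpcodeAtAddress in post #2 and the DETOUR function in this post compute the E9 displacement as destination - source - 5 and store it little-endian; post #2 additionally ends the cave with a jump back to source + size. The Python below is an added example, not code from this thread: it encodes that jump, assembles the post #2 cave layout, and resolves an E9 jump back to its target, which is the same arithmetic used when checking where a patched instruction in a memory dump actually goes. All addresses and instruction bytes are constructed sample values.

```python
import struct

JMP_REL32 = 0xE9   # opcode of the 5-byte near jump both snippets write
NOP = 0x90

def rel32(src: int, dst: int) -> int:
    """Displacement for an E9 jump at src landing on dst: dst - src - 5,
    wrapped to 32 bits (what the DWORD DllStruct does in DETOUR)."""
    return (dst - (src + 5)) & 0xFFFFFFFF

def encode_jmp(src: int, dst: int, size: int = 5) -> bytes:
    """E9 + little-endian rel32, NOP-padded to cover `size` stolen bytes."""
    if size < 5:
        raise ValueError("need at least 5 bytes for a rel32 jmp")
    return bytes([JMP_REL32]) + struct.pack("<I", rel32(src, dst)) + bytes([NOP]) * (size - 5)

def resolve_jmp(addr: int, code: bytes):
    """Target of the E9 jump whose bytes were read at addr, or None if not a jmp.
    The displacement is signed, so a cave below the hooked code resolves too."""
    if len(code) < 5 or code[0] != JMP_REL32:
        return None
    disp = struct.unpack("<i", code[1:5])[0]
    return (addr + 5 + disp) & 0xFFFFFFFF

def build_cave(src: int, cave: int, stolen: bytes, payload: bytes) -> bytes:
    """Cave layout from _InjectOpcodeAtAddress: stolen bytes, payload,
    then a jmp back to src + len(stolen) (the instruction after the hook)."""
    body = stolen + payload
    return body + encode_jmp(cave + len(body), src + len(stolen))

# Constructed sample values (not from the thread): a 6-byte instruction pair
# at 0x00401000 is overwritten, the cave was allocated at 0x00350000.
SRC, CAVE = 0x00401000, 0x00350000
STOLEN = bytes.fromhex("8B45FC83C004")   # mov eax,[ebp-4] ; add eax,4
PAYLOAD = bytes.fromhex("90")            # placeholder for the injected opcodes

if __name__ == "__main__":
    hook = encode_jmp(SRC, CAVE, len(STOLEN))
    cave_bytes = build_cave(SRC, CAVE, STOLEN, PAYLOAD)
    print("hook :", hook.hex(), "->", hex(resolve_jmp(SRC, hook)))
    back_at = CAVE + len(STOLEN) + len(PAYLOAD)
    print("cave :", cave_bytes.hex(), "-> back to",
          hex(resolve_jmp(back_at, cave_bytes[len(STOLEN) + len(PAYLOAD):])))
```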
04/06/2017, 03:29 | #6
elite*gold: 39 | Join Date: Jun 2016 | Posts: 269 | Received Thanks: 805
Quote: Originally Posted by HaMaDa..
> I asked for an help with something iam trying to do and i was having this problem so where's the copypaste and i know what iam doing
Why do you then need to copy Shadow's "_ConvertHexToBytes" function instead of writing your own? Can you even explain what the code does? And I don't mean just saying "it converts hex vars to bytes".
Quote: Originally Posted by HaMaDa..
> and actually i didn't use return for the jmp ofc, yes i know i wrote that ret didn't help but i didn't even explain.
Why do you write it in your post then? Sounds to me like you were just trying out random stuff without even knowing what it's for.
Quote: Originally Posted by HaMaDa..
> even asking for an help is leeching for you?
> You never faced any problem ? thanks anyway
Looking at your stuff: your code is awful. Instead of "focusing" on memory right now, please just try to write decent code/scripts. Don't just do the stuff; instead, try to understand it. In my opinion, it would really help you out. I've known you for a while now, even longer than you think and even longer than this account has existed.