Code Cave dll problem

elmarcia · 04/11/2013, 03:21

Hi all i made a crack me with c++ which loads a message from a dll , my aim is to reverse the messagebox with another dll which patch the exe code, everything is ok but a i have a problem the patched msg is shown twice -.-" all of this is just for learning the basic of code injection.

Why with a dll when i could patch it easily in ollydbg? because ollydbg is detected by a lot of programs but a simple dll can patch code inside the program without being noticed...

Here is my code:

Spoiler

Code:

#include <windows.h>
#include <fcntl.h>
#include <stdio.h>
#include <io.h>

//---------------------------------------------------------------------------

// Codecave function
VOID Codecave(DWORD destAddress, VOID (*func)(VOID), BYTE nopCount);

// Writes bytes in the current process using an ASM method
VOID WriteBytesASM(DWORD destAddress, LPVOID patch, DWORD numBytes);








//-----------------------------------------------------------------------------
char body[] = "Reversed by elmarcia"; //messagebox body
char title[] = "DLL Patched"; //messagebox title
// This is our codecave function, we must  remember to make it a "__declspec(naked)" function
__declspec(naked) void ReverseMesage(void)
{

	__asm
	{

call Function

Function:
push MB_OK //the patched messagebox
push offset title
push offset body
push 0 
call dword ptr MessageBoxA
ret 
}


}




//-----------------------------------------------------------------------------

// Writes bytes in the current process using an ASM method
VOID WriteBytesASM(DWORD destAddress, LPVOID patch, DWORD numBytes)
{
	// Store old protection of the memory page
	DWORD oldProtect = 0;

	// Store the source address
	DWORD srcAddress = PtrToUlong(patch);

	// Make sure page is writeable
	VirtualProtect((void*)(destAddress), numBytes, PAGE_EXECUTE_READWRITE, &oldProtect);

	// Do the patch (oldschool style to avoid memcpy)
	__asm
	{
		nop						// Filler
		nop						// Filler
		nop						// Filler

		mov esi, srcAddress		// Save the address
		mov edi, destAddress	// Save the destination address
		mov ecx, numBytes		// Save the size of the patch
Start:
		cmp ecx, 0				// Are we done yet?
		jz Exit					// If so, go to end of function

		mov al, [esi]			// Move the byte at the patch into AL
		mov [edi], al			// Move AL into the destination byte
		dec ecx					// 1 less byte to patch
		inc esi					// Next source byte
		inc edi					// Next destination byte
		jmp Start				// Repeat the process
Exit:
		nop						// Filler
		nop						// Filler
		nop						// Filler
	}

	// Restore old page protection
	VirtualProtect((void*)(destAddress), numBytes, oldProtect, &oldProtect);
}

//-----------------------------------------------------------------------------

// Codecave function
VOID Codecave(DWORD destAddress, VOID (*func)(VOID), BYTE nopCount)
{
	// Calculate the code cave for chat interception
	DWORD offset = (PtrToUlong(func) - destAddress) - 5;

	// Buffer of NOPs, static since we limit to 'UCHAR_MAX' NOPs
	BYTE nopPatch[0xFF] = {0};

	// Construct the patch to the function call
	BYTE patch[5] = {0xE8, 0x00, 0x00, 0x00, 0x00};
	memcpy(patch + 1, &offset, sizeof(DWORD));
	WriteBytesASM(destAddress, patch, 5);

	// We are done if we do not have NOPs
	if(nopCount == 0)
		return;

	// Fill it with nops
	memset(nopPatch, 0x90, nopCount);

	// Make the patch now
	WriteBytesASM(destAddress + 5, nopPatch, nopCount);
}

int main()
{
Codecave(0x004013F5, ReverseMesage,0); //they are too because could be y or Y
Codecave(0x004013E0,ReverseMesage,0);   //the address is a call to the default messagebox which is replaced with another call to my codecave

return 0;
}



void WINAPI MainThread( )
{
    
    main(); 
 

}

BOOL WINAPI DllMain ( HMODULE hModule, DWORD dwReason, LPVOID lpvReserved )
{
    switch ( dwReason ) {
        case DLL_PROCESS_ATTACH:

            DisableThreadLibraryCalls(hModule);

            if ( CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MainThread, NULL, 0, NULL) == NULL ) {
                return FALSE;
            }
            break;
            
        case DLL_PROCESS_DETACH:
            break;

        case DLL_THREAD_ATTACH:
            break;

        case DLL_THREAD_DETACH:
            break;
    }
    return TRUE;
}

Some Images For Full Understanding:

If someone want to reverse by yourself could try here is the src

VT: WTF 8/46

I'm very noob in this stuff so sorry if i made a stupid comment

Omdi · 04/11/2013, 15:57

Code:

__declspec(naked) void ReverseMesage(void)
{

__asm
{

call Function

Function:
push MB_OK //the patched messagebox
push offset title
push offset body
push 0 
call dword ptr MessageBoxA
ret 
}


}

You are calling "Function", which executes this code

Code:

Function:
push MB_OK //the patched messagebox
push offset title
push offset body
push 0 
call dword ptr MessageBoxA
ret

So after the ret, the code is returning to the return address which is here :

Code:

call Function
[COLOR=Red][B]<--------------------- RETURN ADDRESS[/B][/COLOR]
Function:
push MB_OK //the patched messagebox
push offset title
push offset body
push 0 
call dword ptr MessageBoxA
ret 
}

And then it will execute the same code again - MessageBox is shown twice.

This code should work fine

Code:

__declspec(naked) void ReverseMesage(void)
{

__asm
{
push MB_OK //the patched messagebox
push offset title
push offset body
push 0 
call dword ptr MessageBoxA
ret 
}


}