Hello!
It has been a long time since I posted a topic or anything in the Conquer sections, but I hope this one is useful.
What is a code cave:
A code-whoah? Unless you have spent some time working in the area of reverse engineering, chances are you have not heard of the term codecave before.
A codecave can best be defined as "a redirection of program execution to another location and then returning back to the area where program execution had previously left." In a sense, a codecave is no different in concept from a function call, except for a few minor differences. If a codecave and a function call are so similar, why do we need codecaves at all? The reason we need codecaves is that source code is rarely available to modify any given program. As a result, we have to physically (or virtually) modify the executable at the assembly level to make changes.
What you need is:
1: Assembly programming knowledge.
2: OllyDbg.
3: Logic.
4: Brain.
Let's start:
I will use msgserver.exe as the example, but you can do this with any program you want to modify.
I will target the BFK function in msgserver as the example.

I will check whether the selected block is used by any other functions or not.

It seems it is not used, so that's fine. If it is used by other addresses, you will have to change the original address to your new memory address.

I will take a copy of the selected block with binary copy.

Now I will go to the end of msgserver.exe, choose some free memory address and paste the copied binary there.

It will look like this:

If you find that the call addresses changed like in the pictures, you have to set them back to the original address (a call is encoded relative to its own address, so the copied bytes point somewhere else once they are pasted at the new location):
call 005990E0 > call 004BB4C0
But, for example, I don't want the BFK to stay at the same static memory address.
The block does mov eax, 0x4EDF2C, so I will go to 0x4EDF2C.
Now I found this:
Code:
004EDF2C 44             inc esp
004EDF2D 52             push edx
004EDF2E 36:35 34647433 xor eax, 0x33746434
004EDF34 34 74          xor al, 0x74
004EDF36 72 67          jb short 004EDF9F
004EDF38 34 55          xor al, 0x55
004EDF3A 49             dec ecx
004EDF3B 36:0000        add byte ptr ss:[eax], al
These are not real instructions: OllyDbg is disassembling the 16-character key string itself. The bytes 44 52 36 35 34 64 74 33 34 74 72 67 34 55 49 36 are the ASCII characters DR654dt34trg4UI6, followed by the 00 terminator.

Now I will go to my new memory address and write any 16 letters or numbers.
I will leave some memory space, select an address, then right click > Binary > Edit, write my 16 numbers or letters, put 00 in hex at the end and press OK.

Now I will edit call 004BB4C0 into a JMP to my new memory address, like:

To
JMP 00581814
It will look like this, and I fill the other 2 addresses with 00 because I don't need them anymore.

And this is my new memory address:

Now at my new address I will edit
0058181C B8 2CDF4E00 mov eax, 004EDF2C
changing 004EDF2C to my new BFK address, the highlighted one.

Now at the end of my code I will JMP back to the next address after the addresses I filled with 00. I will jump here, to the highlighted address:

So now my codecave looks like this:

Now I will search whether any other address uses the old BFK, and I found one:

If you want to codecave that one too, repeat the steps above. If you just want to use the new BFK address, edit it to the new BFK address, so it will be: mov eax, 00581828
Now I will go back to the old BFK address, 0x4EDF2C, and fill it with 00.
It will look like this:

Now I have codecaved a new BFK address and filled the old one with 00, because there is no use for it anymore.
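The whole walkthrough above (binary copy of the block into the cave, restoring the shifted call, retargeting mov eax at the relocated key, jumping back past the zeroed bytes, wiping the old key) as an added Python example; it is not part of the original post. It runs on a constructed byte buffer standing in for msgserver.exe: the image base, the 3-byte filler instruction and the replacement key are assumptions, and the hook address is derived from the two call targets the post shows (005990E0 after the paste versus the original 004BB4C0).

```python
import struct

IMAGE_BASE = 0x400000       # assumption: image mapped at the usual Win32 base
FUNC_VA    = 0x4BB4C0       # target of the original call (from the post)
CAVE_VA    = 0x581814       # free space at the end of msgserver.exe (from the post)
OLD_KEY_VA = 0x4EDF2C       # where the 16-character key lives (from the post)
# Hook site derived from the post: the verbatim copy at CAVE_VA showed "call 005990E0"
HOOK_VA    = CAVE_VA + FUNC_VA - 0x5990E0        # = 0x4A3BF4
NEW_KEY    = b"Ab3dEf6hIj9kLm2n"                 # constructed 16-byte replacement key
BLOCK_LEN  = 13             # call (5) + a 3-byte instruction + mov eax, imm32 (5)

def rel32(src_va, dst_va):  # displacement of a 5-byte E8/E9 is relative to the next instruction
    return struct.pack("<i", dst_va - (src_va + 5))

def rel_target(img, va):    # decode where the call/jmp rel32 at va actually goes
    return va + 5 + struct.unpack_from("<i", img, va - IMAGE_BASE + 1)[0]

def build_image():
    """Constructed stand-in for msgserver.exe holding only the bytes this walkthrough touches."""
    img, h, k = bytearray(0x200000), HOOK_VA - IMAGE_BASE, OLD_KEY_VA - IMAGE_BASE
    img[h:h + BLOCK_LEN] = (b"\xE8" + rel32(HOOK_VA, FUNC_VA)            # call 004BB4C0
                            + b"\x83\xC4\x04"                            # add esp, 4 (constructed filler)
                            + b"\xB8" + struct.pack("<I", OLD_KEY_VA))   # mov eax, 004EDF2C
    img[k:k + 17] = b"DR654dt34trg4UI6\x00"      # the bytes OllyDbg disassembled in the post
    return img

def paste_block(img):
    """Binary copy/paste of the block into the cave; returns where the copied call now points."""
    h, c = HOOK_VA - IMAGE_BASE, CAVE_VA - IMAGE_BASE
    img[c:c + BLOCK_LEN] = img[h:h + BLOCK_LEN]
    return rel_target(img, CAVE_VA)             # shifted, because E8 is relative: not FUNC_VA

def apply_cave(img):
    """Restore the call, retarget mov eax, jmp back, then turn the original call into the hook."""
    h, c, k = HOOK_VA - IMAGE_BASE, CAVE_VA - IMAGE_BASE, OLD_KEY_VA - IMAGE_BASE
    new_key_va = CAVE_VA + 0x14                                         # 00581828
    img[c + 1:c + 5] = rel32(CAVE_VA, FUNC_VA)                          # call 004BB4C0 again
    img[c + 9:c + 13] = struct.pack("<I", new_key_va)                   # mov eax, 00581828
    img[c + 13:c + 18] = b"\xE9" + rel32(CAVE_VA + 13, HOOK_VA + BLOCK_LEN)  # jmp past zeroed bytes
    img[c + 0x14:c + 0x14 + 17] = NEW_KEY + b"\x00"                     # new key, 00-terminated
    img[h:h + 5] = b"\xE9" + rel32(HOOK_VA, CAVE_VA)                    # call -> JMP 00581814
    img[h + 5:h + BLOCK_LEN] = bytes(BLOCK_LEN - 5)   # 00 00 is add [eax],al, not nop: never executed
    img[k:k + 17] = bytes(17)                                           # old key wiped with 00
    return new_key_va

def check(img):
    """Decode the patched bytes the way a debugger would."""
    c = CAVE_VA - IMAGE_BASE
    return {"hook": rel_target(img, HOOK_VA), "cave_call": rel_target(img, CAVE_VA),
            "mov_eax": struct.unpack_from("<I", img, c + 9)[0],
            "jmp_back": rel_target(img, CAVE_VA + 13), "key": bytes(img[c + 0x14:c + 0x14 + 16])}
```

The value returned by paste_block reproduces the post's "call 005990E0" observation, which is exactly why a relative call has to be re-encoded after a binary paste.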
Notice: You can do this, for example, with a new weapon type for a Conquer character that the client does not support: look at the function in the new conquer.exe, make a jump from the function responsible for reading weapon types into your code, and then jump back to the rest of the code, so it looks like you made the client read the code you added and then continue execution. Of course, you will do that in the old Conquer client.
Thanks for reading, I hope I helped.
Because nTL3fTy is mad: Draw graphic goes to Pushedx.
Greetings: Andrew.