; OllyDbg listing of one routine in elementclient.exe (32-bit x86, Intel syntax).
; Columns: address | hex bytes | instruction | comments.  "/$", "|.", "|>", "\>"
; are OllyDbg's flow markers (entry, body, jump target, exit), not code.
; Entry at 00451E30.  One stack argument (RETN 4); ECX is read at 00451E41 and
; 00451E4D without being written first, so the caller must also set ECX
; (looks like a this-pointer -- not confirmed from this listing alone).
CPU Disasm
Address  Hex dump          Command                           Comments
00451E2F 90                NOP
00451E30 /$ 8B5424 04      MOV EDX,DWORD PTR SS:[ARG.1]      ; elementclient.00451E30(guessed Arg1)
00451E34 |. 8B42 10        MOV EAX,DWORD PTR DS:[EDX+10]     ; dispatch on the dword at arg1+10h
00451E37 |. 83F8 34        CMP EAX,34
00451E3A |. 75 34          JNE SHORT 00451E70                ; not 34h -> try the 27h case below
00451E3C |. 8B42 0C        MOV EAX,DWORD PTR DS:[EDX+0C]
00451E3F |. 8B10           MOV EDX,DWORD PTR DS:[EAX]        ; edx = *(arg1+0Ch)
00451E41 |. C781 F40A0000  MOV DWORD PTR DS:[ECX+0AF4],0     ; ECX is a caller-supplied input (never set here)
00451E4B |. 8BC2           MOV EAX,EDX
00451E4D |. 8991 F00A0000  MOV DWORD PTR DS:[ECX+0AF0],EDX   ; store the same value at ECX+0AF0h
00451E53 |. 8B0D EC3E9B00  MOV ECX,DWORD PTR DS:[9B3EEC]     ; global pointer, becomes the first argument
00451E59 |. 50             PUSH EAX                          ;<-- here is mob's WID
00451E5A |. 68 9C469500    PUSH 0095469C                     ; UNICODE "Select %x"
00451E5F |. 68 00FFFFFF    PUSH -100                         ; 0FFFFFF00h
00451E64 |. 51             PUSH ECX
00451E65 |. E8 B6E7FDFF    CALL 00430620                     ; four args, caller cleans up -> cdecl
00451E6A |. 83C4 10        ADD ESP,10
00451E6D |. C2 0400        RETN 4
00451E70 |> 83F8 27        CMP EAX,27
00451E73 |. 75 0A          JNE SHORT 00451E7F                ; neither 34h nor 27h: return without side effects
00451E75 |. C781 F00A0000  MOV DWORD PTR DS:[ECX+0AF0],0
00451E7F \> C2 0400        RETN 4
00451E82 90                NOP
; SelectTarID($id)
; Writes a small x86 stub into the target process ($PROCESS_INFORMATION[1], a process
; handle set up elsewhere) and runs it on a remote thread.  The stub pushes four
; arguments and calls the routine at 430620h, mirroring the PUSH/CALL sequence the
; client itself executes at 00451E53..00451E65 in the disassembly above, with $id
; in place of the value the client reads from its own data.
; Inputs:  $id - embedded as the immediate of the stub's "mov edx,..." via _hex().
; Returns: True, unconditionally -- none of the DllCall results below are checked.
; Depends on names not visible here: $kernel32, $PROCESS_INFORMATION, _hex().
; From a detection standpoint this is the standard remote-injection triad --
; cross-process RWX allocation (PAGE_EXECUTE_READWRITE = 0x40), WriteProcessMemory,
; CreateRemoteThread -- i.e. exactly the events a host sensor would record.
Func SelectTarID($id)
Local $pRemoteThread, $vBuffer, $loop, $result, $OPcode
; NOTE(review): $pRemoteMem and $hRemoteThread are assigned below but not declared
; in the Local list ($pRemoteThread is declared and never used); in AutoIt their
; scope then depends on whether a Global of the same name already exists.
; --- save the position of the allocated memory ---
; VirtualAllocEx(hProcess, NULL, 0x46 bytes, MEM_COMMIT = 0x1000, PAGE_EXECUTE_READWRITE = 0x40).
; DllCall returns an array; [0] is the function's return value, here the remote address.
$pRemoteMem = DllCall($kernel32, 'int', 'VirtualAllocEx', 'int', $PROCESS_INFORMATION[1], 'ptr', 0, 'int', 0x46, 'int', 0x1000, 'int', 0x40)
ConsoleWrite('mempos:' & $pRemoteMem[0] & @LF)
; --- build up the asm code ---
; $OPcode is a hex string, two characters per byte ($OPcode starts as "" from the Local
; declaration).  The trailing comments show each instruction as it disassembles at a
; sample load address of 09210000h; the real address is whatever VirtualAllocEx returned.
$OPcode &= '60' ;09210000 pushad
$OPcode &= 'BA'&_hex($id) ;09210001 mov edx,80103C95h  (80103C95h is a sample value; the actual imm32 comes from _hex($id), which presumably yields 8 hex chars, little-endian -- not visible here)
$OPcode &= '8BC2' ;09210006 mov eax,edx
$OPcode &= '8B0DEC3E9B00' ;09210008 mov ecx,dword ptr ds:[9B3EECh]  (same global pointer the client loads at 00451E53)
$OPcode &= '50' ;0921000E push eax
$OPcode &= '689C469500' ;0921000F push 95469Ch  (the "Select %x" string, per the disassembly)
$OPcode &= '6800FFFFFF' ;09210014 push 0FFFFFF00h
$OPcode &= '51' ;09210019 push ecx
$OPcode &= 'BA20064300' ;0921001A mov edx,430620h  (absolute address, hard-wired to this build of the client)
$OPcode &= 'FFD2' ;0921001F call edx
$OPcode &= '61' ;09210021 popad
$OPcode &= '61' ;09210022 popad
$OPcode &= '61' ;09210023 popad
$OPcode &= '61' ;09210024 popad
$OPcode &= 'C3' ;09210025 ret  (returns to the remote thread's start frame)
; --- enter the asm code to a dllstruct, which can be used with WriteProcessMemory ---
; One byte element per hex pair, hence StringLen/2.
$vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
For $loop = 1 To DllStructGetSize($vBuffer)
; StringMid(...) picks the $loop-th hex pair, Dec() turns it into a number, and it is
; stored at (1-based) byte index $loop of the struct.
DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
Next
; --- now letz write the code from our dllstruct ---
; WriteProcessMemory(hProcess, $pRemoteMem[0], local buffer, size, NULL).
DllCall($kernel32, 'int', 'WriteProcessMemory', 'int', $PROCESS_INFORMATION[1], 'int', $pRemoteMem[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)
; --- now we run the asm code we've just written ---
; CreateRemoteThread(hProcess, NULL, 0, start = $pRemoteMem[0], param = NULL, 0, NULL); [0] is the thread handle.
$hRemoteThread = DllCall($kernel32, 'int', 'CreateRemoteThread', 'int', $PROCESS_INFORMATION[1], 'int', 0, 'int', 0, 'int', $pRemoteMem[0], 'ptr', 0, 'int', 0, 'int', 0)
; --- wait till the thread did his job ---
; 258 = WAIT_TIMEOUT (0x102): poll in 50 ms slices until the thread is signalled.  Any other
; return value, including a failed wait, also ends the loop.  Note this call names
; 'kernel32.dll' directly where the others use $kernel32.
Do
$result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
Until $result[0] <> 258
Sleep(250)
; --- close everything we've opened ---
DllCall($kernel32, 'int', 'CloseHandle', 'int', $hRemoteThread[0])
; VirtualFreeEx(hProcess, addr, 0, MEM_RELEASE = 0x8000).  The handle is typed 'hwnd' here
; but 'int' in every other call above.
DllCall($kernel32, 'ptr', 'VirtualFreeEx', 'hwnd', $PROCESS_INFORMATION[1], 'int', $pRemoteMem[0], 'int', 0, 'int', 0x8000)
; Always True -- success or failure of the calls above is not reported to the caller.
Return True
EndFunc ;==>SelectTarID






