C# client internal functions, problem
Discussion on C# client internal functions, problem within the SRO Coding Corner forum part of the Silkroad Online category.
08/20/2011, 11:50 | #1
Join Date: May 2007 | Posts: 160 | Received Thanks: 23
I have a problem using client internal functions in C# for SRO; my source doesn't work at the moment and I don't know why. Here is my source:
Code:
#region WriteChatText
uint chatFunc = VirtualAllocEx(SroProcessHandle, IntPtr.Zero, 26, 0x1000, 0x4);
//uint message = VirtualAllocEx(SroProcessHandle, IntPtr.Zero, 47, 0x1000, 0x4);
byte[] Text = { 0x60, //Pushad
0x8B, 0x0D, //mov ecx, dword ptr ds:
0x01, 0x0D, 0x89, 0x8C, //0x010D898C
0x6A, 0x01, //Push 1
0x68, //Push
0xFF, 0x00, 0x00, 0x00, //Color
0x68, //Push
0x23, 0x55, 0x12, //Test Text
0x6A, 0x03, //Push 3
0xE8, //Call
0x76, 0xB2, 0x15, //Address-5
0x61, //Popad
0xC3 //Retn
};
WriteProcessMemory(SroProcessHandle, chatFunc, Text, 26, ByteArray);
#endregion
And the function in Olly:
Code:
00533395 |> \8B0D 8C890D01 MOV ECX,DWORD PTR DS:[10D898C]
0053339B |. 55 PUSH EBP
0053339C |. 68 0000FFFF PUSH FFFF0000
005333A1 |. 50 PUSH EAX
005333A2 |. 55 PUSH EBP
005333A3 |. E8 787E2300 CALL sro_clie.0076B220
Where is the problem?
08/20/2011, 12:47 | #2
Join Date: Jun 2009 | Posts: 51 | Received Thanks: 25
Your first address is given in big-endian while it should be in little-endian.
Also, the address supplied for the call does not exactly look right...
08/20/2011, 13:28 | #3
Join Date: May 2007 | Posts: 160 | Received Thanks: 23
What exactly do you mean?
08/21/2011, 01:16 | #4
Join Date: Mar 2007 | Posts: 4,277 | Received Thanks: 2,990
1) Write all addresses backwards. 010D898C --> 8C, 89, D, 1
2) The CALL/JMP instruction address is calculated differently.
Code:
005333A3 |. E8 787E2300 CALL sro_clie.0076B220
76B220 - 5333A8 = 237E78 --> 78, 7E, 23, 0
08/21/2011, 07:25 | #5
Join Date: Sep 2010 | Posts: 134 | Received Thanks: 41
Look at this part:
Code:
0x68, //Push
0x23, 0x55, 0x12, //Test Text
You're just pushing 3 bytes while it should be 4. You have to pass it a valid wchar_t* address.
To make it clear, 'wchar_t*' is a memory address that says where that text is. Each wchar_t value is 2 bytes long (wide chars).
So, you should 'inject' your text and pass the memory address of that text to the function, otherwise it will crash.
You can do that by directly pushing the string onto the stack backwards or by allocating heap memory (which would have to be done inside the process). Be careful about pushing the values directly onto the stack or you will run out of space.
Also, when you pass the length of your code you could use something like 'Text.Length' if C# has it. That would be best, it will give you fewer headaches.
Hope it gives some insight... btw, how do you plan to run your function?
08/21/2011, 11:37 | #6
Join Date: May 2007 | Posts: 160 | Received Thanks: 23
I think this is looking better, but C# can't handle the byte array with the addresses converted to bytes. Why? I want to run it with CreateRemoteThread.
Code:
#region WriteChatText
string haha = "haha";
uint chatFunc = VirtualAllocEx(SroProcessHandle, IntPtr.Zero, 28, 0x1000, 0x4);
uint message = VirtualAllocEx(SroProcessHandle, IntPtr.Zero, Convert.ToUInt32(haha.Length), 0x1000, 0x4);
byte[] messageSRO = { Convert.ToByte(haha) };
uint Chattext = 0x10D898C;
uint ChatCall = 0x076B220;
byte[] Text = { 0x60, //Pushad
0x8B, 0x0D, Convert.ToByte(Chattext), //mov ecx, dword ptr ds:10D898C
0x6A, 0x01, //Push 1
0x68, //Push
0xFF, 0xFF, 0xFF, //Color
0x68, Convert.ToByte(message),//Push
0x6A, 0x03, //Push 3
0xE8, Convert.ToByte(ChatCall-chatFunc-26),//Call
0x61, //Popad
0xC3 //Retn
};
WriteProcessMemory(SroProcessHandle, message, messageSRO, 1, ByteArray);
WriteProcessMemory(SroProcessHandle, chatFunc, Text, 28, ByteArray);
CreateRemoteThread(SroProcessHandle, 0, 0, chatFunc, 0, 0, 0);
#endregion
08/21/2011, 20:30 | #7
Join Date: Sep 2010 | Posts: 134 | Received Thanks: 41
Sure, it looks much better now.
What errors does it give?
Perhaps you can do array concatenation, like
Code:
byte[] mysmallprogram = { 0x60 };
mysmallprogram += Convert.ToByte(Chattext);
I'm not sure if you can do that, but there should be a way of doing it.
To debug it, I'd inject this shellcode at process startup, and check the address with OllyDbg to see if the code looks OK or not (look whether the addresses point to the right data/calls).
About this line:
Code:
mov ecx, dword ptr ds:10D898C
That's part of the thiscall calling convention used by Microsoft compilers.
In fact, I think this is not a console method but part of a debug class method, as all of the calls made to this method generally print a condition like "(pObject != NULL)" (which is an assert) in red.
I'm telling you in case you want to use other functions for this game or any other. If you make a call and it crashes, and before that call there is a mov to ecx, then you know it's a thiscall.
If you jump to the called method you will see at the end of it 'retn 10', which gives you a hint of the parameters used (as well as the pushes), so the prototype of this function is: BYTE, wchar_t* (wide char, 2 bytes long), DWORD, BYTE.
When you push the arguments to that function, you're pushing them as BYTE, DWORD, wchar_t*, BYTE... I'm just saying this in case someone wants to cast the address to a function pointer (which might look better to human eyes).
Look at this part in your shellcode:
Code:
0x68, //Push
0xFF, 0xFF, 0xFF, //Color
As I said, the color is four bytes long... you're just pushing 3, so your shellcode will crash.
So I'd suggest what I said before: inject your code at startup but don't start your thread or the target process thread, write down the addresses at which your function/text has been injected, then attach OllyDbg to your target process, look at those addresses and make sure it looks like what you wanted to inject.
08/21/2011, 21:55 | #8
Join Date: May 2007 | Posts: 160 | Received Thanks: 23
The byte array can't divide by 0, but I don't divide by 0 grrr, I hate it...
Do you have ICQ or Skype? Maybe you can help me.
08/22/2011, 00:42 | #9
Join Date: Sep 2010 | Posts: 134 | Received Thanks: 41
Without running the main thread of sro_client and/or starting your own with CreateRemoteThread, try this:
Code:
byte[] Text = {
0x60, //Pushad
0x8B, 0x0D, 0xBE, 0xBA, 0xFE, 0xCA, //mov ecx, dword ptr ds:10D898C
0x6A, 0x01, //Push 1
0x68, 0x00, 0x00, 0xFF, 0xFF, //Push Color (ARGB)
0x68, 0xEF, 0xBE, 0xAD, 0xDE, //Push message address
0x6A, 0x01, //Push 1
0xE8, 0xBE, 0xBA, 0xAD, 0xDE, //Call
0x61, //Popad
0xC3 //Retn
};
This is how it will look inside sro_client once it's injected.
Pay attention to the 'hex dump' column and the 'command'. See how the bytes are placed.
Code:
CPU Disasm
Address Hex dump Command Comments
00B05C7C 60 PUSHAD
00B05C7D 8B0D BEBAFECA MOV ECX,DWORD PTR DS:[CAFEBABE]
00B05C83 6A 01 PUSH 1
00B05C85 68 0000FFFF PUSH FFFF0000
00B05C8A 68 EFBEADDE PUSH DEADBEEF
00B05C8F 6A 01 PUSH 1
00B05C91 E8 285EFDDD CALL DEADBABE
00B05C96 61 POPAD
00B05C97 C3 RETN
That was copied from OllyDbg.
With that, you should now complete it with the real values.
I like to have 'markers' of where I should put my variables, like:
0xCAFEBABE = here you should write 010D898C
0xFFFF0000 = your color, it's ARGB (alpha, red, green and blue)
0xDEADBEEF = the address of your text inside sro_client
0xDEADBABE = the relative jump/call address to the print console method
In your loader/tool process you can complete those markers with the real values.
Once you have those markers replaced with the real values, repeat the same: inject, check with OllyDbg.
Check that where DEADBABE is, the print console method is really there.
Check that DEADBEEF points to your string. Also, encode the string as UTF-16... once it's printed on the console you might see a square at the front of it... later you just have to skip it; it's because of the 0xFF, 0xFE mark on UTF strings.
Uff, hope that clears things up a bit.
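As an added example (not code from this thread), a small Python decoder for the handful of x86 opcodes these stubs use (PUSHAD, MOV ECX,[disp32], PUSH imm8/imm32, CALL rel32, POPAD, RETN). It recovers the little-endian immediates and the absolute CALL target from a dumped stub, which is the check post #7 and this post describe doing by eye in OllyDbg, and it reproduces the rel32 arithmetic from post #4. The stub bytes are the marker version from this post, re-typed here as constructed input.

```python
import struct

# Decoder for the tiny x86 subset used by the stubs in this thread. Enough to
# check a dumped stub's immediates and call target against a disassembler listing.

def rel32(call_addr, target):
    """rel32 stored after the E8 opcode: target minus the address of the NEXT instruction."""
    return (target - (call_addr + 5)) & 0xFFFFFFFF

def decode_stub(code, base):
    """Return a list of (address, mnemonic) for the subset above; raise on anything else."""
    out, i = [], 0
    while i < len(code):
        addr, op = base + i, code[i]
        if op == 0x60:
            out.append((addr, "PUSHAD")); i += 1
        elif op == 0x61:
            out.append((addr, "POPAD")); i += 1
        elif op == 0xC3:
            out.append((addr, "RETN")); i += 1
        elif op == 0x6A:
            out.append((addr, "PUSH %X" % code[i + 1])); i += 2
        elif op == 0x68:
            imm, = struct.unpack_from("<I", code, i + 1)   # little-endian imm32
            out.append((addr, "PUSH %08X" % imm)); i += 5
        elif op == 0x8B and code[i + 1] == 0x0D:
            disp, = struct.unpack_from("<I", code, i + 2)  # little-endian disp32
            out.append((addr, "MOV ECX,DWORD PTR DS:[%08X]" % disp)); i += 6
        elif op == 0xE8:
            rel, = struct.unpack_from("<i", code, i + 1)   # signed rel32
            target = (addr + 5 + rel) & 0xFFFFFFFF
            out.append((addr, "CALL %08X" % target)); i += 5
        else:
            raise ValueError("unsupported opcode %02X at %08X" % (op, addr))
    return out

# Constructed input: the marker stub from this post, as injected at 00B05C7C.
STUB = bytes([0x60, 0x8B, 0x0D, 0xBE, 0xBA, 0xFE, 0xCA, 0x6A, 0x01,
              0x68, 0x00, 0x00, 0xFF, 0xFF, 0x68, 0xEF, 0xBE, 0xAD, 0xDE,
              0x6A, 0x01, 0xE8, 0x28, 0x5E, 0xFD, 0xDD, 0x61, 0xC3])

if __name__ == "__main__":
    for addr, text in decode_stub(STUB, 0x00B05C7C):
        print("%08X  %s" % (addr, text))
    # The arithmetic from post #4: 76B220 - 5333A8 = 237E78 -> 78 7E 23 00
    r = rel32(0x005333A3, 0x0076B220)
    print("%08X" % r, r.to_bytes(4, "little").hex())
```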
08/24/2011, 14:08 | #10
Join Date: May 2007 | Posts: 160 | Received Thanks: 23
Thank you, it works, I got the message.
08/24/2011, 14:45 | #11
Join Date: Sep 2010 | Posts: 134 | Received Thanks: 41
Awesome, sorry that I didn't post anything more.
I did have a short cpp file to write this shellcode, I'll post it tonight if I remember.
Code:
#include <cstdio>
#include <cstdlib>   // system()
#include <cstring>
#include <windows.h>
void Shellcode()
{
// Define the function prototype and say where the client's function lives
typedef void (__stdcall *__ConsolePrint) (BYTE, wchar_t*, DWORD, BYTE);
__ConsolePrint ConsolePrint = (__ConsolePrint)0x00746E60;
// Build the string on the stack, char by char, so no data section is referenced
wchar_t myString[80];
myString[0] = L'T';
myString[1] = L'e';
myString[2] = L's';
myString[3] = L't';
myString[4] = L'\0';
DWORD color = 0xFFFF0000;
// Set the this pointer (thiscall: load the object from ds:[...]) and make the function call
asm("pushl %ecx");
asm( "movl %%DS:%a[Offset], %%ecx" : : [Offset] "irm" (0x01098C24));
ConsolePrint(1, myString, color, 1);
asm("popl %ecx");
}
// Empty function laid out right after Shellcode(); its address marks the end of the code
void _endMark() { };
int main(int argc, char **argv)
{
DWORD size = (DWORD)(DWORD_PTR)(_endMark) - (DWORD)(DWORD_PTR)(Shellcode);
const BYTE* ptr = reinterpret_cast<const BYTE*>( Shellcode );
for( DWORD i=0; i<size; i++, ptr++ )
{
printf("0x%02X ", static_cast<unsigned>(*ptr) );
}
printf("\nShellcode size: %lu\n", (unsigned long)size);
printf(
"If you want to attach to this process this is the time\n"
"The shellcode address is %08lX\n"
,
(unsigned long)(DWORD_PTR)Shellcode
);
system("pause");
return 0;
}
That should print out the bytes of it.
Be careful about local variables or you will run out of space.
You need gcc to compile this... the Microsoft compiler seems to place jumps.
I'm just pushing ecx, since it's the only register I'm modifying.