squalito
November 14th, 2008, 12:24
Hello
I am trying to do an inline patch on an Armadillo 5.40 target.
My code cave begins after the 2nd VirtualAlloc, because at that point I know the base range of the Armadillo layer.
The code cave just rewrites back the call, then writes the second patch in the Arma layer, etc.
But since I have a problem with the first patch, I didn't write the others.
OK, let me show you.
After the 2nd VirtualAlloc, at the end of the routine I call my code cave
from
Code:
00EF854A A3 5CA1F300 MOV DWORD PTR DS:[F3A15C],EAX
00EF854F 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; PokerTra.00F99277
00EF8552 8BE5 MOV ESP,EBP
00EF8554 5D POP EBP
00EF8555 C3 RETN
to
Code:
00EF854A E9 B2DD0100 JMP PokerTra.00F16301
00EF854F 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00EF8552 8BE5 MOV ESP,EBP
00EF8554 5D POP EBP ; kernel32.76A94911
00EF8555 C3 RETN
And here is my code CAVE
Code:
00F16301 A3 0165F100 MOV DWORD PTR DS:[F16501],EAX ; save Arma base of code
00F16306 C705 4A85EF00 A35CA1F3 MOV DWORD PTR DS:[EF854A],F3A15CA3 ; Restore First Call
00F16310 60 PUSHAD ; save registers
00F16311 9C PUSHFD ; save registers
00F16312 A1 0165F100 MOV EAX,DWORD PTR DS:[F16501] ; Arma base of code
00F16317 05 BC860500 ADD EAX,586BC ; Displacement
00F1631C C700 683463F1 MOV DWORD PTR DS:[EAX],F1633468 ; Patch second call
00F16322 66:C740 04 00C3 MOV WORD PTR DS:[EAX+4],0C300 ; Patch second call
00F16328 9D POPFD ; Restore Registers
00F16329 61 POPAD ; Restore Registers
00F1632A ^ E9 1B22FEFF JMP PokerTra.00EF854A ; Jump to original code
To test it, I get past the DebugBlocker with the OpenMutexA trick, then I set a BP on the JMP to my code cave (JMP PokerTra.00F16301).
I step through it one instruction at a time
and I end up here:
Code:
00F16329 61 POPAD ; Restore Registers
When I run this step (to return to the original code) I get an error, Process terminated, exit code 80000004 (-2147483644.), and the target crashes!
If I check the original bytes, they have been rewritten correctly:
Code:
from
00EF854A E9 B2DD0100 JMP PokerTra.00F16301
to
00EF854A A3 5CA1F300 MOV DWORD PTR DS:[F3A15C],EAX
PS: the second patch has also been written correctly.
Any idea why the POPAD creates this crash (when I look, EAX is restored correctly)?
Thanks for your help
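Before single-stepping a cave like this, it helps to re-derive every displacement and immediate offline rather than trusting the debugger's rendering. The Python below is an added example, not code from the post; it takes the addresses and bytes from the listings above as constructed test data and checks that the JMP into the cave, the JMP back, the 4-byte restore and the PUSH/RETN trampoline written by the second patch all encode what the comments say they do.

```python
import struct

# Addresses and bytes below are copied from the post's listings and used here as
# constructed test data for this example, not read from a running process.
PATCH_SITE    = 0x00EF854A  # original MOV DWORD PTR DS:[F3A15C],EAX (5 bytes) lives here
CAVE_ENTRY    = 0x00F16301  # first instruction of the code cave
CAVE_EXIT_JMP = 0x00F1632A  # address of the cave's JMP back to the original code
ORIGINAL_BYTES = bytes.fromhex("A35CA1F300")   # A3 5C A1 F3 00 at PATCH_SITE before patching
PATCHED_JMP    = bytes.fromhex("E9B2DD0100")   # E9 B2 DD 01 00 written over it
BACK_JMP       = bytes.fromhex("E91B22FEFF")   # E9 1B 22 FE FF at CAVE_EXIT_JMP
RESTORE_IMM32  = 0xF3A15CA3                    # MOV DWORD PTR DS:[EF854A],F3A15CA3
SECOND_IMM32   = 0xF1633468                    # MOV DWORD PTR DS:[EAX],F1633468
SECOND_IMM16   = 0xC300                        # MOV WORD PTR DS:[EAX+4],0C300


def encode_jmp_rel32(src: int, dst: int) -> bytes:
    """E9 rel32: the displacement is measured from the end of the 5-byte instruction."""
    rel = (dst - (src + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel)


def decode_jmp_rel32(src: int, code: bytes) -> int:
    """Destination of an E9 rel32 JMP located at src."""
    if len(code) != 5 or code[0] != 0xE9:
        raise ValueError("not a 5-byte near JMP")
    rel = struct.unpack("<i", code[1:5])[0]      # signed displacement
    return (src + 5 + rel) & 0xFFFFFFFF


def decode_push_ret(code: bytes) -> int:
    """Target of a 6-byte 'PUSH imm32 ; RETN' trampoline (68 xx xx xx xx C3)."""
    if len(code) != 6 or code[0] != 0x68 or code[5] != 0xC3:
        raise ValueError("not a PUSH imm32 / RETN pair")
    return struct.unpack("<I", code[1:5])[0]


def check_cave_patches() -> dict:
    """Re-derive every displacement and immediate from the post and compare."""
    results = {}
    # 1. The JMP planted at the patch site must land on the cave entry.
    results["jmp_to_cave_ok"] = encode_jmp_rel32(PATCH_SITE, CAVE_ENTRY) == PATCHED_JMP
    # 2. The cave's final JMP must land back on the (now restored) patch site.
    results["jmp_back_target"] = decode_jmp_rel32(CAVE_EXIT_JMP, BACK_JMP)
    # 3. A 4-byte MOV restores only 4 of the 5 overwritten bytes; the 5th byte
    #    is correct only because the JMP's last byte (00) equals the original.
    restored = struct.pack("<I", RESTORE_IMM32) + PATCHED_JMP[4:5]
    results["restore_ok"] = restored == ORIGINAL_BYTES
    # 4. The second patch writes 68 34 63 F1 00 C3, i.e. PUSH 00F16334 ; RETN.
    second = struct.pack("<I", SECOND_IMM32) + struct.pack("<H", SECOND_IMM16)
    results["second_patch_target"] = decode_push_ret(second)
    return results


if __name__ == "__main__":
    for name, value in check_cave_patches().items():
        shown = f"{value:#010x}" if type(value) is int else value
        print(f"{name}: {shown}")
```

Running it confirms that all four encodings in the listings are consistent with each other, which rules out a mis-encoded displacement as the reason for the crash; the check on item 3 also shows why a 4-byte restore happens to be enough here and would not be in general.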