Hi,

Take the following subroutine as an example.

---
sub_B02770 proc near

arg_0= dword ptr 4
arg_4= dword ptr 8

mov eax, [esp+arg_4]
mov edx, [esp+arg_0]
push 1
push eax
push edx
call sub_B026B0
retn 8
sub_B02770 endp

---

I'm able to modify existing instructions by changing opcodes within the IDA Hex View. However, I'm wondering how new instructions can be inserted into subroutines. Suppose I would like to add five "nop" instructions after "push edx" without overwriting existing opcodes. Do I need to use "Edit function" for this?

Thanks in advance,

FY

Nope.

The PE structure is quite complex and you need to know how to add code. You can do it by:-

1. Creating a new section
2. Increasing the size of the current section
3. Creating an external .dll and modifying a function in the local .exe to point to that .dll. Then return back when your job is done. Officially, it's called a 'Trampoline' function (search up for google. Microsoft has a good trampoline framework and also examples)

There is no preferred way here, just what's the easiest.

Also, try Razzia+'s tut on 'code caves' and 'modifying notepad' for a start.

Alternatively, you could also read up on PHRACK, Issue 55, "Win32 Buffer Overflows" where Dark Spyrit rapes Seattle mail. Of course, you'll have to go way down in the essay. While he is here coding a remote shell, he does so in an existing memory in binary. Check out his method also.

And let's hope you are not mixing up a 64-bit and 32-bit binaries as that will be, no doubt, further more complex.

If it's a .NET you'll have to bypass the integrity check after patching. But there are ways already documented. Some, undocumented too, though.

Finally, nope again. THAT's not what the IDA -> Edit function is used for.

Hope this helps.

Have Phun