
Now I want to replace the function prologue with a jmp that jumps to my allocated zone (VirtualAllocEx). But the function prologue is only 3 bytes, and a jmp is 5 bytes, like this:

```
55                 push ebp
8B EC              mov ebp, esp
83 3D C4354200 02  cmp dword ptr ds:[4235C4], 2

E9 AD000000        jmp 00140000   ; E9 + 4-byte rel32 = 5 bytes; replace above three instructions
```

If I want to use a jmp to cover the function prologue, the third instruction after the prologue must also be covered.

So now I want to use int3 to replace the function prologue in order to jump to my allocated zone or any address. How can I do it?

I tried to use VEH or SEH to do so, but I can't figure out how to make it work.

Alexey Frunze
user1021319

1 Answer

You need to write the original code (the one you quoted) to another memory location (just allocate something).

Write it while leaving some space for the additional opcodes (your custom new code). It doesn't have to fit exactly, as you're allowed to fill the unused bytes with NOP (0x90 if I'm not mistaken).

Now, jump to this code from the original code.

I was doing this stuff when I was making game trainers years ago. Works very well.

One thing to note: your rewritten code should, at the end, jump back to the original place to continue the code flow.

Let me know if it's unclear.

Poni
  • My idea is this: http://imageshack.us/photo/my-images/190/qwerb.png/ And I tried to use jmp to jump to the safe zone, but it will cover the third instruction. So I think I want to cover the first instruction (push ebp) with int3 (0xcc), and do the same thing as in the idea. – user1021319 Apr 26 '12 at 04:17
  • The pic is OK but I don't get your problem. In general you need to do these steps: allocate space, fill it with code (this can be the "instrumented function"). Then, at the "original function", in its prologue, you jump to it. How do you return? Easy, return/jmp to it at the epilogue of the "instrumented function". – Poni Apr 26 '12 at 12:59