
I've googled around, but I'm not sure whether I am asking the right question or not, and I couldn't find much regardless; perhaps a link would be helpful.

I made a C++ program that shows a message box, then I opened it up with OllyDbg and went to the part where it calls MessageBoxW.

The call address of MessageBoxW changes each time I run the app, as Windows is updating my imports table to have the correct address of MessageBoxW. So my question is: how do I find the virtual address of MessageBoxW in my imports table, and also how can I use this in OllyDbg?

Basically I'm trying to make a code cave in assembly to call MessageBoxW again. I got fairly close once by searching the executable with a hex editor and found the position of the call, and I think I found the virtual address. But when I called that virtual address in Olly and saved it to the executable, the next time I opened it the call was replaced with a bunch of DB xyz (which looked like the virtual address, but why did the call get removed?).

Sorry if my terminology is off; as I'm new to this, I'm not quite sure what to call things.

Matt
Daniel
  • I didn't understand most of your question... What are you trying to achieve with a code cave? What do you mean by "finding the position of the call"? Perhaps the GetProcAddress function would be of some help to you? – Vladimir Panteleev May 24 '10 at 01:43
  • Yeah, sorry, like I said my terminology is most likely off. GetProcAddress would be great, except doesn't its address change just like any other? How would I find its address? With the code cave I simply want to display a second message box for learning purposes. "Found the position of the call" meaning I think I found the bytes of the `CALL MessageBoxW` in a hex editor, so if the opcode for "call" is one byte and the address of the call is 4 bytes, then those 4 bytes must be the call's virtual address, right? – Daniel May 24 '10 at 01:49
  • (Replying as an answer, since the text didn't fit in the comment length limitation) – Vladimir Panteleev May 24 '10 at 02:34

2 Answers


(reply to comment on original post)

Ah, no, the address specified in the "call" opcode is relative to the call instruction. However, for imported functions, it's most likely an indirect call (which reads the function's address from a memory location).

There is really no "official"/reliable way to get the address of any function without having access to the import segment. If you are patching a certain executable, just look at the values Windows places in its import segment. If you are injecting code from another process, you can rely on the fact that the address of a function in a system DLL will remain the same relative to the DLL's load address. It is also possible to manually locate and parse the program's import segment in memory.

Vladimir Panteleev
  • Yeah, I want to be able to use the indirect call from the imports table. I just read part of http://msdn.microsoft.com/en-us/library/ms809762.aspx and it reads: (Virtual address 0x10464)-(base address 0x10000) = RVA 0x00464. Does this mean I could do something like put the base memory address in eax, add the RVA 0x0046 and then `call eax`? – Daniel May 24 '10 at 02:44
  • Hmm, something like that, though there might be more to it. If the executable is built with relocation info and is subjected to ASLR, the base address might change every time it is run. – Vladimir Panteleev May 24 '10 at 19:47
  • Yeah, I have been having problems with ASLR; life would be so easy without it! – Daniel May 24 '10 at 23:41

1- Find the address of message box in your executable module. Suppose your exe file is a1.exe.

Executable modules > select a1.exe > press Ctrl+N and find the address of message box. Suppose the address is 00402008.

2- Use the machine code ff25 08204000 to call message box, but before that push the parameters and push your EIP as the return address.

Amir