
We use an application at work whose maintenance has long since been abandoned but we still need to maintain. In this case that means reverse engineering the program. I have used Ghidra to decompile the program and have found the line of code I want to add, and where.

The original instruction reads:

007b6aae 8d 7e 50        LEA        EDI,[ESI + 0x50]

Just above that I want to add:

[Some offset] 31 f6      XOR        ECI,ECI

Ghidra won't let me do that so I am using a raw hexcode editor. The problem is that just inserting the bytes before the 8d 7e 50 doesn't work because it messes with the LEA instruction creating invalid code. I think that I need to place the new code at a new offset, but I don't know enough about hex/assembly code to know how to do that.

richbai90
  • There is no such thing as an `ECI` register, so did you mean `ESI`? If so, I note that making that zero would turn the `LEA` argument into just `[0x50]`. Have you checked what that can be encoded as? (This is assuming that the code further down does not rely on the zero in the register, of course). – 500 - Internal Server Error Feb 19 '20 at 16:28
  • You can make previous instructions shorter to make space, or jump to a free space nearby where you can put the new instructions. See [how do I add a 5 byte instruction into a 3 byte space in the debugger](https://stackoverflow.com/q/40363247/995714) – phuclv Feb 19 '20 at 16:29
  • @500-InternalServerError: Unfortunately x86 doesn't have a 3-byte instruction to put a small constant into a register :/ I wish some extension would add that for at least 64-bit mode. The only encoding for a `[0x50]` addressing mode is disp32 (leading to a 6-byte instruction), and `mov edi, 0x50` is 5 bytes. The only 3-byte option is `push 0x50` / `pop edi`, or LEA relative to some known register that's within -128..+127 of 0x50. ([Tips for golfing in x86/x64 machine code](//codegolf.stackexchange.com/a/132985)) – Peter Cordes Feb 19 '20 at 16:35
  • Can you use a binary re-writer like "pin" https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool ? – John D McCalpin Feb 19 '20 at 21:03
  • If you show the whole function, I expect someone here can find space to fit that change. – prl Feb 20 '20 at 07:33

0 Answers