
I'm reversing this x64 program and I'm trying to call a function of this target program through a debugger. Every time I click "Hit me" a numeric value gets subtracted.

Target program

I've found the caller of that function (I've added a breakpoint on it and it breaks when I click on the "Hit me" button). Here is the relevant code:

[image: disassembly of the caller]

I know that the x64 calling convention is to pass arguments via RCX, RDX, R8 and R9. I want to call this function programmatically, and I'm planning to do it by allocating memory in the program (through a debugger function) and injecting the code relevant to the "hit me" call. After that I'd create a thread at the address of the allocated memory (this would call the "hit me" function programmatically).

This is the code I've written:

[image: the injected code]

But just after that (creating a thread at 0x014D0000), the program crashes. Why? Am I missing something?

  • You also need to allocate shadow space on the stack and possibly take care to align the stack to 16 bytes. Refer to the relevant ABI documents for details. There is probably a useful question linked in the [x86] tag wiki, too. – fuz Apr 12 '21 at 17:20
  • @fuz, AFAIK shadow space isn't needed (it's just for debugging purposes). – Leon Apr 12 '21 at 17:24
  • Nope. Functions may store arbitrary data in the shadow space. And with optimisations enabled, it is likely that they do. – fuz Apr 12 '21 at 17:46
  • @fuz ok. I have no idea how to create that. Maybe you could show me an example of creating it? I'm allocating space on the stack to create shadow space (`sub rsp,32`). Is subtracting 32 bytes from the thread's stack enough? Also, how should I fill this space? Don't hesitate to answer. – Leon Apr 12 '21 at 17:56
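Following up on the comment thread about shadow space and alignment, here is an added example (not part of the question or of any answer, and not the asker's injected code) of what a correct thread-start stub looks like for this scenario on Windows x64. The thread created at the allocated buffer starts executing with RSP ≡ 8 (mod 16), because the thread-start trampoline has just pushed a return address. A `sub rsp,32` alone leaves RSP misaligned at the `call` and reserves no extra slot, so the callee's own prolog or any `movaps` it does on its stack can fault; the stub below subtracts 40 instead (32 bytes of shadow space plus 8 for alignment). The code builds the stub bytes on any platform and, when compiled on Windows, can inject and run them. The target address, the argument value and the assumption that the "hit me" function takes a single pointer-sized argument in RCX are placeholders; substitute what the disassembly shows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STUB_MAX 64

/* Bytes to subtract from RSP in a thread-start stub before it CALLs:
 * 32 bytes of shadow space (the callee may spill RCX..R9 or anything else
 * there) plus 8 bytes per stack-passed argument (5th and later).  At thread
 * entry RSP == 8 (mod 16) because a return address was just pushed, so the
 * adjustment itself must be 8 (mod 16) to leave RSP 16-byte aligned at CALL. */
size_t win64_stack_adjust(size_t n_stack_args) {
    size_t adjust = 32 + 8 * n_stack_args;
    if (adjust % 16 != 8)
        adjust += 8;
    return adjust;
}

/* Little-endian immediate of nbytes. */
static size_t emit_imm(uint8_t *out, uint64_t v, size_t nbytes) {
    for (size_t i = 0; i < nbytes; i++)
        out[i] = (uint8_t)(v >> (8 * i));
    return nbytes;
}

/* REX.W 83 /5 ib = sub rsp, imm8 (modrm 0xEC); REX.W 83 /0 ib = add rsp, imm8
 * (modrm 0xC4).  Values above 127 use the imm32 form (opcode 0x81). */
static size_t emit_rsp_arith(uint8_t *out, uint8_t modrm, size_t n) {
    size_t len = 0;
    out[len++] = 0x48;
    if (n <= 127) {
        out[len++] = 0x83;
        out[len++] = modrm;
        out[len++] = (uint8_t)n;
    } else {
        out[len++] = 0x81;
        out[len++] = modrm;
        len += emit_imm(out + len, n, 4);
    }
    return len;
}

/* Thread-start stub that calls target(arg) with a correct Win64 frame and
 * returns the target's RAX as the thread exit code:
 *     sub  rsp, 40
 *     mov  rcx, arg
 *     mov  rax, target
 *     call rax
 *     add  rsp, 40
 *     ret
 * Assumption: target takes one pointer-sized argument in RCX (e.g. an object
 * pointer) and nothing on the stack. */
size_t build_call_stub(uint8_t *out, uint64_t target, uint64_t arg) {
    size_t len = 0;
    size_t adj = win64_stack_adjust(0);
    len += emit_rsp_arith(out + len, 0xEC, adj);
    out[len++] = 0x48; out[len++] = 0xB9;       /* mov rcx, imm64 */
    len += emit_imm(out + len, arg, 8);
    out[len++] = 0x48; out[len++] = 0xB8;       /* mov rax, imm64 */
    len += emit_imm(out + len, target, 8);
    out[len++] = 0xFF; out[len++] = 0xD0;       /* call rax */
    len += emit_rsp_arith(out + len, 0xC4, adj);
    out[len++] = 0xC3;                          /* ret */
    return len;
}

/* Small helpers for inspecting the encoding. */
size_t stub_len(uint64_t target, uint64_t arg) {
    uint8_t b[STUB_MAX];
    return build_call_stub(b, target, arg);
}
uint8_t stub_byte(uint64_t target, uint64_t arg, size_t i) {
    uint8_t b[STUB_MAX];
    size_t n = build_call_stub(b, target, arg);
    return i < n ? b[i] : 0;
}

#ifdef _WIN32
#include <windows.h>
/* Inject the stub into an already-opened process and run it on a new thread.
 * Returns 1 on success; the target's return value lands in *exit_code. */
int run_stub_in_process(HANDLE proc, uint64_t target, uint64_t arg, DWORD *exit_code) {
    uint8_t stub[STUB_MAX];
    size_t len = build_call_stub(stub, target, arg);
    SIZE_T written = 0;
    int ok = 0;
    LPVOID mem = VirtualAllocEx(proc, NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!mem) return 0;
    if (WriteProcessMemory(proc, mem, stub, len, &written) && written == len) {
        HANDLE th = CreateRemoteThread(proc, NULL, 0, (LPTHREAD_START_ROUTINE)mem, NULL, 0, NULL);
        if (th) {
            WaitForSingleObject(th, INFINITE);
            ok = GetExitCodeThread(th, exit_code) != 0;
            CloseHandle(th);
        }
    }
    VirtualFreeEx(proc, mem, 0, MEM_RELEASE);
    return ok;
}
#endif

int main(void) {
    /* Placeholder addresses; use the real "hit me" function and its object. */
    uint8_t stub[STUB_MAX];
    size_t n = build_call_stub(stub, 0x00007FF6A1B22C30ULL, 0x000001D2C4E0F0A0ULL);
    for (size_t i = 0; i < n; i++)
        printf("%02X ", stub[i]);
    printf("\n");
    return 0;
}
```

Nothing has to be written into the shadow space; it only has to exist below the return address so the callee can spill into it. Two caveats beyond the ABI: if the target reads its argument from a register other than RCX or expects more parameters, the `mov rcx` must match what the caller in the disassembly does; and a button handler in a GUI program may touch window state that has thread affinity, so even a correctly framed call can misbehave when run from a foreign thread rather than the message-loop thread.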

0 Answers