
Added a bit more assembly on top of the function and below it to get a clearer image

00427F38   . 50             PUSH EAX
00427F39   . 8975 08        MOV DWORD PTR SS:[EBP+8],ESI
00427F3C   . E8 0FFE0200    CALL Test.00457D50
00427F41   . 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]
00427F44   . 51             PUSH ECX                                 ; /Arg1
00427F45   . 8D4D E8        LEA ECX,DWORD PTR SS:[EBP-18]            ; |
00427F48   . E8 13FE0200    CALL Test.00457D60                       ; \Test.00457D60
00427F4D   . 8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]
00427F50   . 8D4D E8        LEA ECX,DWORD PTR SS:[EBP-18]
00427F53   . 52             PUSH EDX

IDA Pro produced this function declaration

void *__userpurge sub_457D60<eax>(void **a1<ecx>, int a2<ebx>, int a3)

Here is what I tried; it doesn't work.

int callAddress = (*This is calculated by me 100% correct*)

//void *__userpurge sub_457D60<eax>(void **a1<ecx>, int a2<ebx>, int a3)
__declspec(naked) void stepOneWrapped(int a1, char* a2, int a3)
{
    __asm{
        push ebp
        mov ebp, esp
        push a3                 ; a3 is the stack argument
        mov ebx, [a2]           ; loads the dword that a2 points to into ebx
        mov ecx, a1             ; a1<ecx>
        call [callAddress]
        leave
        ret
    }
}

Special note: this is like a DLL injection, so the Test program is loaded together with this program.

SSpoke
  • Why are you guys downvoting me? I was just asking for help. I did try, and I didn't get far. – SSpoke Sep 11 '11 at 16:20

1 Answer

You need to preserve ebx, as it's a non-volatile register:

__declspec(naked) void stepOneWrapped(int a1, char* a2, int a3)
{
    __asm{
        push ebp
        mov ebp, esp
        push ebx                ; ebx is callee-saved (non-volatile): save it before clobbering it
        push a3                 ; stack argument a3
        mov ebx, [a2]
        mov ecx, a1
        call [callAddress]
        pop ebx                 ; restore ebx (the __userpurge callee has already removed a3)
        leave
        ret
    }
}

But according to your IDA dump, your params are wrong, so it should be like this (to match IDA):

__declspec(naked) void stepOneWrapped(void** a1, int a2, int a3)
{
    __asm{
        push ebp
        mov ebp, esp
        push ebx                ; save callee-saved ebx
        push a3                 ; stack argument a3
        mov ebx, a2             ; a2<ebx>: the value itself, not the dword it points to
        mov ecx, a1             ; a1<ecx>
        call [callAddress]
        pop ebx                 ; restore ebx (callee purged a3)
        leave
        ret
    }
}
Necrolis
  • Why must I push ebx? Sorry if the parameters are wrong; I renamed one of the ints to char* because after all it points to an array of bytes. Ah right, I'm calling this method from an unknown area; I'm not working in the area it should be called from. Is that why? – SSpoke Sep 11 '11 at 15:48
  • @SSpoke: then the only other cause for that is a misanalysis, which could mean wrong/bad parameter types or incorrect registers. The only way to tell is to analyse the actual function (and the crash you get; it would help if you posted the asm at the crash site, actually). Also, the registers won't match because they are all stack addresses (which check due to the stack frame + register spill). – Necrolis Sep 11 '11 at 17:10
  • Found out the problem. Some of the assembly code deep in uses something like CALL EAX, and EAX isn't what the DLL supposes it to be. I mean the image base of the DLL is 400000, but when loaded into my application it loads at 520000. How do I make it load at 400000? I guess I have to compile my program at a different image base; now I've got to figure out how to do that. – SSpoke Sep 11 '11 at 17:30
  • `#pragma comment( linker, "/BASE:8000000")` got the program's image base pretty high, and now the loaded DLL dropped to 0x460000, still not the 0x400000 I expected it to be, dang. – SSpoke Sep 11 '11 at 17:37
  • SSpoke: preferred image bases are now useless, as ASLR will either relocate the module or cause a relocation from overlapping address space. You should rather use base + RVA to avoid any binding to static virtual addresses. – Necrolis Sep 11 '11 at 17:58
  • That's the thing, it's obfuscated assembly; it was built like this to use mathematics to generate the next function offset, I don't know how they did it, probably updated the mathematics by hand after the software was already compiled. So now I have to keep the image base non-random. I'll ask another question on this matter. – SSpoke Sep 11 '11 at 18:07
  • @SSpoke: the code looks like debug-mode code, not obfuscated code, and if it's using 'maths' to do addressing etc., it's most likely position-independent code (see `-fPIC` under gcc). – Necrolis Sep 11 '11 at 18:15
  • I see, well to be honest, however this code is compiled, I don't have access to the source code. I'm trying to mod a pretty abandoned game here. Anyway I guess I'd have to use WriteProcessMemory to move all of the code, yeah very crappy and unsafe, but other than that the only option is to rip it all out, which could take ages haha. Thanks again, you've been a huge help; I'm really new to this field in general. – SSpoke Sep 11 '11 at 18:32
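The following is an added example that is not part of the question, the answer or the game being modded. It puts the answer's naked wrapper together with the advice from the comment thread: resolve the target as module base + RVA at run time instead of hard-coding the IDA virtual address, preserve the callee-saved ebx, and hand the eax result back to C. It assumes the figures from the thread (preferred image base 0x400000, target 0x457D60), that the wrapper is built as 32-bit MSVC code living in the same process as the Test module, and that the module name passed to GetModuleHandleA is whatever the Test module is actually called; `stepOneWrapped`, `g_callAddress` and the `#define`s are names chosen for this example. Two practitioner checks are built in: ebx is restored from its saved stack slot rather than with a bare `pop`, so the wrapper stays correct whether or not the callee really purges its stack argument as IDA's `__userpurge` claims; and before trusting the a2<ebx> register argument it is worth single-stepping to the call site, since in the Olly lines shown above nothing writes ebx between the call to 00457D50 and the call to 00457D60.

```c
/* Added example, not code from the original post. Portable part: VA -> RVA
 * arithmetic. MSVC/x86-only part: the naked wrapper for
 *   void *__userpurge sub_457D60<eax>(void **a1<ecx>, int a2<ebx>, int a3)
 */
#include <stdint.h>
#include <stddef.h>

#define TEST_PREFERRED_BASE 0x400000u   /* from the comment thread (assumption) */
#define SUB_457D60_VA       0x457D60u   /* from the IDA / OllyDbg listing        */

/* Relative virtual address of an IDA address against the module's preferred base. */
uint32_t va_to_rva(uint32_t preferred_base, uint32_t va)
{
    return va - preferred_base;
}

/* Run-time address of the same function after the loader (or ASLR) has moved the
 * module to actual_base. This is the "base + RVA" form the answerer recommends. */
uintptr_t rebase(uintptr_t actual_base, uint32_t preferred_base, uint32_t va)
{
    return actual_base + va_to_rva(preferred_base, va);
}

#if defined(_MSC_VER) && defined(_M_IX86)
#include <windows.h>

static uintptr_t g_callAddress;      /* resolved at run time, never hard-coded */

/* Locate sub_457D60 inside the process this DLL was injected into.
 * module_name: name of the Test module as loaded (assumption: caller knows it).
 * Returns 1 on success, 0 if the module is not loaded. */
int resolve_sub_457D60(const char *module_name)
{
    HMODULE base = GetModuleHandleA(module_name);
    if (base == NULL)
        return 0;
    g_callAddress = rebase((uintptr_t)base, TEST_PREFERRED_BASE, SUB_457D60_VA);
    return 1;
}

/* a1 -> ecx, a2 -> ebx, a3 pushed on the stack, result in eax.
 * Returning void* lets the C caller see the callee's eax. */
__declspec(naked) void *stepOneWrapped(void **a1, int a2, int a3)
{
    __asm {
        push ebp
        mov  ebp, esp
        push ebx                     ; ebx is callee-saved under cdecl: saved at [ebp-4]
        push a3                      ; stack argument
        mov  ebx, a2                 ; register argument a2<ebx>
        mov  ecx, a1                 ; register argument a1<ecx>
        call dword ptr [g_callAddress]
        mov  ebx, dword ptr [ebp-4]  ; restore from the slot, independent of whether the
                                     ; callee purged a3 (IDA says __userpurge: it should)
        leave                        ; esp = ebp, pop ebp: also discards a3 if it is still there
        ret                          ; eax still holds sub_457D60's return value
    }
}
#endif /* _MSC_VER && _M_IX86 */
```

Usage inside the injected DLL: call `resolve_sub_457D60("Test.dll")` (or whatever the module is named) once after the module is loaded, then `void *r = stepOneWrapped(obj, value, arg);`. The arithmetic matches the numbers in the thread: with the module at its preferred base the result is 0x457D60, with it relocated to 0x520000 it is 0x577D60, and after the `/BASE` experiment that moved it to 0x460000 it is 0x4B7D60.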