Text Address


Postby bobshandel » Thu Jul 09, 2009 1:24 am

I need some help. I found the address of some text, however that address changes, so I found out what wrote to it and got:

77189b2b - mov [edi],al
77189b30 - mov [edi+01],al
76064195 - and word ptr [esi+edi],00
77189926 - mov [edi+ecx*4-04],eax
76064250 - mov byte ptr [esi+edi],00
76064258 - and word ptr [esi+edi], 00

Could somebody tell me what's going on in this code? I've tried to make a code cave and did

mov al, 400420

and it would only display one letter of the text, and sometimes it was some weird character even when I had just typed a normal letter. So can somebody help me out? I'm trying to figure out a way to copy this text that changes addresses to a static address I could find every time.
bobshandel
I Have A Question
 
Posts: 1
Joined: Thu Jul 09, 2009 1:12 am

Postby WhiteHat » Fri Jul 10, 2009 3:24 pm

I’m just a beginner at ASM, but allow me to help a little...

First, the codes that wrote to your address reside at high addresses in memory (0x76nnnnnn ~ 0x78nnnnnn). Most likely they are included within OS modules. Any knowledge about API (?) programming will help you a lot (suppose that L. Spiro will have the answer)...

Next, you tried to do this injection: mov al, 400420.
That looks inappropriate, as the al register should be the lowest byte from a double word value, or its size should be one byte long.

If, for example, EAX = 0x12345678, then:
- AX = 0x5678
- AH = 0x56
- AL = 0x78

So your injection should be like this: mov eax, 400420.

Hope this helps a little, and please correct me if I’m wrong...
.. to boldly go where no eagle has gone before...
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...

Postby L. Spiro » Tue Jul 14, 2009 10:19 am

As mentioned, you are looking at OS modules, and those functions work with strings (no surprise, since you were searching for a string).

Look up the 1-byte AL register on Google.

All that is happening in that code is moving things from the AL register to a memory address, checking for 0 (AND), moving 4 bytes at a time to a memory address, moving a constant (00) to a memory address, and checking a 2-byte memory address with 0 (AND again).

MOV and AND can also be found on Google.
There is nothing special in this code.
The reason your code failed is because you tried to move multiple bytes to a single-byte memory address.
And a string must terminate with 0. So if you do not write a 0 at the end and try to print it, the best case is that you will see garbage.


L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan
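
Added example, not part of the thread and not any poster's code: a small C model of the EAX/AX/AH/AL split and of the three kinds of store in the listing (one byte from AL, four bytes from EAX, a constant 0 terminator). All function names are hypothetical, and the buffer contents are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sub-register views of a 32-bit EAX value. */
static uint16_t reg_ax(uint32_t eax) { return (uint16_t)(eax & 0xFFFFu); }
static uint8_t  reg_ah(uint32_t eax) { return (uint8_t)((eax >> 8) & 0xFFu); }
static uint8_t  reg_al(uint32_t eax) { return (uint8_t)(eax & 0xFFu); }

/* mov [edi+off],al : stores exactly one byte, the low byte of EAX. */
static void store_al(uint8_t *edi, size_t off, uint32_t eax) {
    edi[off] = reg_al(eax);
}

/* mov [edi+off],eax : stores four bytes, lowest byte first (x86 is little-endian). */
static void store_eax(uint8_t *edi, size_t off, uint32_t eax) {
    for (int i = 0; i < 4; i++) edi[off + i] = (uint8_t)(eax >> (8 * i));
}

/* Copy text with the same kinds of stores as the listing: 4 bytes at a time,
   then single bytes, then the 0 terminator. Returns the number of bytes
   written including the terminator, or 0 if dst is too small. */
static size_t copy_text(uint8_t *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src), i = 0;
    if (len + 1 > dst_size) return 0;
    for (; i + 4 <= len; i += 4) {
        uint32_t eax = 0;
        for (int b = 0; b < 4; b++) eax |= (uint32_t)(uint8_t)src[i + b] << (8 * b);
        store_eax(dst, i, eax);
    }
    for (; i < len; i++) store_al(dst, i, (uint8_t)src[i]);
    dst[len] = 0;                      /* mov byte ptr [esi+edi],00 */
    return len + 1;
}

/* A buffer is only safe to print as a C string if a 0 byte lies inside it. */
static int is_terminated(const uint8_t *buf, size_t size) {
    return memchr(buf, 0, size) != NULL;
}

int main(void) {
    uint8_t buf[16];
    memset(buf, 0xCC, sizeof buf);     /* constructed "stale memory" filler */
    printf("AX=%04X AH=%02X\n", reg_ax(0x12345678), reg_ah(0x12345678));
    store_al(buf, 0, 0x400420);        /* only the low byte reaches memory */
    printf("stored 0x%02X, terminated=%d\n", buf[0], is_terminated(buf, sizeof buf));
    copy_text(buf, sizeof buf, "HELLO!");
    printf("text=%s, terminated=%d\n", (char *)buf, is_terminated(buf, sizeof buf));
    return 0;
}
```
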

