by erichumale » Mon Feb 11, 2008 12:51 am
We're going to be breakpointing on the fourth line, SUB ESP, 10. Whether we use a Hardware or Software breakpoint, the stack will be aligned by the time the breakpoint is hit and an aligned stack means we'll have no problem getting the parameters off of it. At 71AB428F, the stack looks like this:
EBP+0x00: Old EBP
EBP+0x04: Return Address of Calling Function
EBP+0x08: Parameter 1 -- socket
EBP+0x0C: Parameter 2 -- packet buffer
EBP+0x10: Parameter 3 -- length
EBP+0x14: Parameter 4 -- flags
etc...
So, to grab the 2nd and 3rd parameters, we have to read EBP+0x08 and EBP+0x0C. First, let's set up the function that will handle this breakpoint, then we'll compile and set the breakpoint.
(script here)
It's rather well commented, but just so we're clear: if you want to compare the packet to something or change the packet around, you'd do so directly after the ReadProcessMemory call. Make any changes to the byte array packet as you want, then WriteProcessMemory(GetCurProcessHandle(), (void *)ptr, packet, len, NULL);
Save the script as whatever you want. Choose File -> Add to Scripts. Either hit [F5] or click the Compile button in the bottom-right.
Now, to set the breakpoint, go back to the Disassembler window and right-click on the line that says SUB ESP, 10. Choose Breakpoints -> Add Breakpoint Here. Put in a name that reminds you that this is the WS2_32:send() breakpoint (the name doesn't actually matter at all). Make sure both On Execute and Hardware are selected/checked. Set the Callback Function to Script Function by choosing it out of the dropdown box; make sure to set the Parm for Callback Function to 1 (note: the function we wrote is called On_BP_1, which is why the Parm for Callback Function needs to be 1 as well).
Um... I don't get these bits =S. How do I compile the script? I've been looking for it for so long and still can't find it. And how do we save it? Which way do we save it to compile it?
Also, how do I look at the stacks?
I can't see these:
EBP+0x00: Old EBP
EBP+0x04: Return Address of Calling Function
EBP+0x08: Parameter 1 -- socket
EBP+0x0C: Parameter 2 -- packet buffer
EBP+0x10: Parameter 3 -- length
EBP+0x14: Parameter 4 -- flags
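To make the quoted stack table concrete, here is an added Python example (not code from the original thread, the tutorial's script, or the debugger it describes). It models a 32-bit stdcall frame inside WS2_32:send() after the prologue has run, reads the four parameters at the EBP offsets the table gives, follows the buffer pointer to recover the packet bytes, and renders the frame in the same layout as the table. The frame base, return address, socket handle, buffer address and packet contents are all constructed values, and read_memory stands in for ReadProcessMemory over a fake memory image.

```python
import struct

# Constructed values for this example only; none of them come from the post.
FRAME_BASE = 0x0012FF40      # hypothetical EBP inside send() after the prologue
PACKET_ADDR = 0x00410000     # hypothetical address of the packet buffer
PACKET_BYTES = bytes.fromhex("0a00 0102 0304 0506 0708 0900")  # 12 constructed bytes

# Offsets and labels exactly as in the quoted stack table.
FRAME_LABELS = [
    (0x00, "Old EBP"),
    (0x04, "Return Address of Calling Function"),
    (0x08, "Parameter 1 -- socket"),
    (0x0C, "Parameter 2 -- packet buffer"),
    (0x10, "Parameter 3 -- length"),
    (0x14, "Parameter 4 -- flags"),
]


def build_memory():
    """Return {base_address: bytes}, a fake 32-bit little-endian process memory image."""
    frame = struct.pack(
        "<IIIIII",
        0x0012FF88,          # EBP+0x00: saved (old) EBP, constructed
        0x00401234,          # EBP+0x04: return address into the caller, constructed
        0x000001A4,          # EBP+0x08: parameter 1 -- socket handle, constructed
        PACKET_ADDR,         # EBP+0x0C: parameter 2 -- pointer to the packet buffer
        len(PACKET_BYTES),   # EBP+0x10: parameter 3 -- length in bytes
        0,                   # EBP+0x14: parameter 4 -- flags
    )
    return {FRAME_BASE: frame, PACKET_ADDR: PACKET_BYTES}


def read_memory(memory, addr, size):
    """Stand-in for ReadProcessMemory: copy `size` bytes starting at `addr`."""
    for base, blob in memory.items():
        if base <= addr and addr + size <= base + len(blob):
            off = addr - base
            return blob[off:off + size]
    raise ValueError(f"unmapped read at {addr:#010x}")


def read_dword(memory, addr):
    """Read one little-endian 32-bit value (a stack slot or a pointer)."""
    return struct.unpack("<I", read_memory(memory, addr, 4))[0]


def read_send_args(memory, ebp):
    """Pull send()'s four stdcall arguments out of the frame whose base is `ebp`."""
    return {
        "socket": read_dword(memory, ebp + 0x08),
        "buffer": read_dword(memory, ebp + 0x0C),
        "length": read_dword(memory, ebp + 0x10),
        "flags": read_dword(memory, ebp + 0x14),
    }


def capture_packet(memory, ebp):
    """Return the bytes send() is about to transmit: deref buffer for `length` bytes."""
    args = read_send_args(memory, ebp)
    return read_memory(memory, args["buffer"], args["length"])


def dump_frame(memory, ebp):
    """Render the frame like the quoted table, with the live slot values filled in."""
    return [
        f"EBP+0x{off:02X}: {read_dword(memory, ebp + off):#010x}  {label}"
        for off, label in FRAME_LABELS
    ]


if __name__ == "__main__":
    mem = build_memory()
    for line in dump_frame(mem, FRAME_BASE):
        print(line)
    print("packet:", capture_packet(mem, FRAME_BASE).hex(" "))
```

The frame is only laid out this way once PUSH EBP / MOV EBP, ESP have executed, which is why the quoted text breakpoints on SUB ESP, 10 rather than on the first instruction of the function; before the prologue the same slots sit at ESP+0x00 (return address), ESP+0x04 (socket) and so on.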