[question] basic asm injection menu

  #1 abuckau907 (Active Member)

    [question] basic asm injection

    Basically I'm just trying to copy a CPU register by injecting bytecode into wow.exe.

    wow.exe
    0x00554433 mov eax, [ecx + 100] <-- I want to copy ecx

    Pseudocode
    1. Create a code cave (which copies the register, re-writes the original wow.exe code back into 00554433, and jumps back to 00554433 to continue execution as normal)
    2. Overwrite wow.00554433 with a JMP to our code cave
    3. (code cave eventually gets run by wow.exe)
    4. _myVariable = ReadInt(codeCave.returnValueLocation)

    But I don't think I'm doing the asm correctly... more specifically, using [ ]

    _codeCaveLoc = VirtualAlloc(200)
    _rtnValueLoc = _codeCaveLoc + 100 ' stores the register here
    _stackLoc = _codeCaveLoc + 125 ' stores the orig wow code here (..only 8 bytes)

    .AppendLine("push eax")
    .AppendLine("push ebx")
    ' copy our rtnValueLoc to a register
    .AppendLine("mov eax, 0x" & (_rtnValueLoc.ToInt32 + registerOffset).ToString("X"))
    ' copy the value in the register (ecx in my case, passed in as registerAsString) into rtnValueLoc
    .AppendLine("mov [eax], " & registerAsString)
    ' clean-up
    .AppendLine("mov eax, 0x" & sourceLoc.ToString("X"))
    .AppendLine("mov ebx, 0x" & _stackLoc.ToString("X"))
    .AppendLine("mov [eax], ebx")
    .AppendLine("add ebx, 0x4")
    .AppendLine("add eax, 0x4")
    .AppendLine("mov [eax], ebx")
    .AppendLine("pop ebx")
    .AppendLine("pop eax")
    '.AppendLine("jmp sourceLoc")

    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    Set a breakpoint right before .ExecuteCodeCave; the actual asm (with no variable names) comes out to:

    push eax
    push ebx
    mov eax, 0xC4800AF 'rtnValueLoc
    mov [eax], ecx
    mov eax, 0x5B534B 'wow.exeLoc
    mov ebx, 0xC480064 'wow.exe_backup_orig
    mov [eax], ebx
    add ebx, 0x4
    add eax, 0x4
    mov [eax], ebx
    pop ebx
    pop eax

    I keep crashing wow. I think it's the 3rd line under 'clean-up'.

    Any thoughts would be much appreciated. If I can't figure it out, I'll probably end up making a super basic C++ app and trying to inject into it.
    I know it's fugly.. like the alloc(200) instead of alloc(needed_size) etc etc... work in progress: first time working with assembly.
    The problem isn't Read/WriteProcessMemory.. tested.. both work fine... I think the trouble is with my use of MOV, specifically in the clean-up section.
    ps. I know I'm not using IntPtr correctly. .ToInt32 lol. I'll make it x64 when I have an x64 machine..

    Thanks.
    Last edited by abuckau907; 03-03-2012 at 11:31 PM.

  #2 Valtharak (Master Sergeant)
    - Get IDA
    - Breakpoint before your ExecuteCodeCave in Visual Studio
    - attach IDA to wow
    - jump to your code cave address with IDA
    - set a breakpoint
    - resume Visual Studio
    - step by step in IDA and see where the crash is.

    Also I don't think you need to change your pointer to a string. At least with Fasm I don't have to do what you're doing.

    .AppendLine("mov eax, " + sourceLoc);

  #3 abuckau907 (Active Member)
    Thank you. I kind of figured..just been working on this for 3+ days and hoping it was a dumb little syntax error or something. Thanks again.

  #4 Jadd (Premium Seller)
    1. For hex numbers, assembly uses "h", for example, 1234ABCDh
    2. Don't pass things in hex yourself, it will do that for you. If you keep doing it, you're likely to slip up (forgetting to convert the value to a hex string, etc.)
    3. You never replace the original opcode(s).
    4. Your code is ugly as hell.

  #5 serock1 (Member)
    Before debugging, try to replace the code for moving the original WoW code with the code below:

    Code:
    push edx
    mov edx, [ebx]
    mov [eax], edx
    add ebx, 0x4
    add eax, 0x4
    mov edx, [ebx]
    mov [eax], edx
    pop edx
    EDIT: Confirm the original WoW code place is writable.
    Last edited by serock1; 03-04-2012 at 03:10 AM.

  #6 abuckau907 (Active Member)
    @Jadd 1 & 2) I should have mentioned I was using managed_fasm .dll for asm/bytecode, his examples were given as
    UpdateCurMgr()
    With ASM
    .Asm("mov ecx, 0x0088C301")
    .Asm("mov eax, " & pScript)
    .Asm("push ecx")
    .Asm("push eax")
    .Asm("push eax")
    .Asm("mov eax, 0x00706C80")
    .Asm("call eax")
    .Asm("add esp, 0xC")
    .Execute()
    End With
    3) Why? In case it's scanned by Warden? What if I write the original code back 2.5 instructions later? Safe-ish? & reapply the orig memprotection type.

    ------------
    New thought: I was doing the jmp wrong. Instead of doing a relative jmp and using fasm, I was crafting the five bytes of asm myself trying to make an absolute jump(?) to the codecave.. read somewhere the
    byte for a relative jump is 0xE9 and absolute was 0xFF... I think FF was just bs.. looking into using relative jmp now.
    -----------------------
    @serock1
    I found the wow code place (0x005b..) was NOT writable.. at least via asm (from within wow.exe), at first. WriteProcessMemory, yes. But for asm, you first have to
    call VirtualProtectEx() on the address (which I do from my bot.exe before I .Inject) or the asm will try to write to a read-only part of the code (0x005B5340 in my case). I'm on Windows XP 32-bit.
    Last edited by abuckau907; 03-05-2012 at 02:12 AM.

  #7 abuckau907 (Active Member)
    The asm JMP is relative, right? For example, if line 0x1000 is executing "jmp 0x1122", it won't jump to 1122, but in fact to 1000 + 1122? So to go backwards, jmp -xx is allowed? Searching right now..

    edit:

    Assuming I'm writing the JMP (in wow.exe, which jumps to my codecave in wow.exe) at 0x005B534B and want it to jump to... 0x09800000

    0x9800000 - 005B534B = some number

    so the JMP I'd write at 005b534b would be JMP somenumber, right, not JMP 0x9800000. Relative offsets?
    But the endianness(?) is backwards in RAM, so you have to .Reverse the order of the offset's bytes..

    so. 09800000 - 005b534b = 924ACB5

    so WriteProcessMem(005b534b, {0xE9, B5, AC, 24, 09}) <--- last 4 bytes are in reverse order.

    should make it jmp to my codecave. ?

    it keeps crashing
    Last edited by abuckau907; 03-05-2012 at 03:22 AM.

  #8 serock1 (Member)
    1) In your code:

    Code:
    .AppendLine("mov [eax], ebx")
    .AppendLine("add ebx, 0x4")
    .AppendLine("add eax, 0x4")
    .AppendLine("mov [eax], ebx")
    ebx is the address of the location which stores the original WoW code. It is incorrect to write ebx (just an address) to [eax]. You must want to write 'dword ptr [ebx]' to '[eax]'. So, refer to my code pasted before.

    2) About the usage of 'jmp', I recommend you download Intel's official software developer's manual for IA-32/Intel 64.

    Jmp supports far/near, and relative/absolute forms. For near jumps (we almost never need to do a far jump in 32-bit/64-bit protected mode without changing privilege level):

    a) with the relative forms, the operand can only be an immediate number, which is a signed displacement relative to the next instruction after the jmp.
    opcode EB: JMP rel8, rel8 is a signed 1-byte displacement. (target address = current address + 2 + rel8)
    opcode E9: JMP rel16, rel16 is a signed 2-byte little-endian displacement. (target address = current address + 3 + rel16)
    opcode E9: JMP rel32, rel32 is a signed 4-byte little-endian displacement. (target address = current address + 5 + rel32)

    b) with the absolute forms, the operand can be a register or a memory location, which stores the target address.
    opcode FF: JMP r/m16, with a 16-bit register or memory location
    opcode FF: JMP r/m32, with a 32-bit register or memory location
    opcode FF: JMP r/m64, with a 64-bit register or memory location

    So, if you want to use an absolute jump, you should store the destination into a register (e.g. eax), then jump with that register. GL
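The rel8/rel32 rules in the reply above, carried into code as an added example (this is not code from the thread, from managed_fasm or from any poster): it encodes and decodes near relative JMPs, re-checks the five bytes from post #7 against the "current address + 5 + rel32" rule, and runs the decoder the way a hook scanner or memory-forensics check would, flagging a JMP at a code location whose target lies outside the module image. The patch-site and cave addresses are the ones quoted in the thread; the image base/size and the backward-jump addresses are constructed values, not taken from wow.exe.

```python
"""Encode/decode x86 near relative JMPs (EB rel8, E9 rel32) and use the
decoder as a simple inline-hook check. Added example; no live process is
touched, all inputs are byte strings constructed here."""
import struct
from typing import Optional

JMP_REL8 = 0xEB   # near jmp, signed 1-byte displacement
JMP_REL32 = 0xE9  # near jmp, signed 4-byte little-endian displacement


def encode_jmp_rel32(src: int, dst: int) -> bytes:
    """Bytes for `jmp dst` assembled at address `src`.
    The displacement is relative to the next instruction (src + 5),
    which is exactly the off-by-5 that post #7 misses."""
    rel = dst - (src + 5)
    if not -2**31 <= rel < 2**31:
        raise ValueError("target out of rel32 range")
    return bytes([JMP_REL32]) + struct.pack("<i", rel)  # little-endian signed


def encode_jmp_rel8(src: int, dst: int) -> bytes:
    """Short form: 2-byte instruction, displacement relative to src + 2.
    Negative displacements are fine, so backward jumps are allowed."""
    rel = dst - (src + 2)
    if not -128 <= rel < 128:
        raise ValueError("target out of rel8 range")
    return bytes([JMP_REL8]) + struct.pack("<b", rel)


def decode_jmp(addr: int, code: bytes) -> Optional[int]:
    """Absolute target of a near relative JMP located at `addr`, or None
    when `code` does not start with one (32-bit address space assumed)."""
    if len(code) >= 5 and code[0] == JMP_REL32:
        return (addr + 5 + struct.unpack("<i", code[1:5])[0]) & 0xFFFFFFFF
    if len(code) >= 2 and code[0] == JMP_REL8:
        return (addr + 2 + struct.unpack("<b", code[1:2])[0]) & 0xFFFFFFFF
    return None


def jmp_leaves_image(addr: int, code: bytes, image_base: int, image_size: int) -> bool:
    """Hook-scanner style check: a JMP planted in module code whose target
    lies outside that module's own image is the classic sign of an inline
    hook (code cave, trampoline). Returns False when there is no JMP."""
    target = decode_jmp(addr, code)
    if target is None:
        return False
    return not (image_base <= target < image_base + image_size)


if __name__ == "__main__":
    PATCH_SITE = 0x005B534B   # address quoted in post #7
    CAVE = 0x09800000         # code cave address quoted in post #7
    posted = bytes.fromhex("E9B5AC2409")   # the bytes post #7 wrote
    print("post #7 bytes land at: 0x%08X" % decode_jmp(PATCH_SITE, posted))
    print("correct encoding:      %s" % encode_jmp_rel32(PATCH_SITE, CAVE).hex().upper())
    # constructed module range, NOT wow.exe's real image bounds
    print("leaves image:", jmp_leaves_image(PATCH_SITE, posted, 0x00400000, 0x00800000))
```

Running it shows the bytes from post #7 land five bytes past the cave (0x09800005), while the correct encoding is `E9 B0 AC 24 09`; the `jmp_leaves_image` check is the part a defender keeps, since an unexpected out-of-image JMP at the head of a function is what a hook scanner reports.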

  #9 serock1 (Member)
    Oh, plus, I remember the access attribute of the memory page operated on by WriteProcessMemory will get the writable attribute added automatically, not sure. But it is better to use VirtualProtectEx to change it.

  #10 _Mike (Contributor)
    First, learn to use a debugger. "It keeps crashing" doesn't tell us anything except that you somehow failed.
    Where does it crash, and how? (i.e., what exception are you getting?)

    Second, not exactly relevant but: if you are having trouble understanding absolute vs relative jumps, just do it the cheesy way. "push <abs address>; ret"

  #11 abuckau907 (Active Member)
    @serock1. Thank you very, very much. Saved me.. a day or two at least. haha.

    So I set a breakpoint on the loc where I write my custom 'jmp'... and a breakpoint on my codecave --
    the jmp comes out correct! And I continue execution and it breaks again at my codecave! So the jumps are working,
    so it's the asm I fed into managed_fasm...?

    Something I noticed. I'm using CheatEngine 6.1 --> When I 'memory view' the process, at my code cave, the asm is waay off.
    I noticed when I use .Assemble the output is different.. maybe this is ''optimization'' (each instruction is 4 bytes? vs. 1, 2, etc.)?
    For example, .Assemble("push eax") = ..something like 0x51, ("push ebx") = 0x52

    but when I assemble
    .Addline("push eax")
    .Addline("push ebx") it comes out as 4 bytes: 66h, (normal value), 66h, (normal value) or something like that.
    I'm guessing it's making it into 1 command. But something about that is throwing off CheatEngine?

    my asm goes in...
    push eax
    push ebx
    push edx

    but in my code cave I see..
    push ax
    push bx
    push dx
    mov ax, 00AF
    dec esp
    add etc, etc.
    Maybe (seems very inefficient) I should just call the shared version of .Assemble for each line of my asmCode? To eliminate the 'optimization'
    I think is happening? ..doesn't make sense, but is all I can think of atm. Will try manipulating my asm strings again soon.. just not sure what
    to do: fasm_managed says 1 thing and CE says another.

    asm I send to fasm
    push eax
    push ebx
    push edx
    mov eax, 0x4C00AF <-- address where asm should write the value so I can read it later
    mov edx, [ecx] <-- ecx is the register I want to copy
    mov [eax], edx
    mov eax, 0x40140F <-- where I wrote the JMP in the target process
    mov ebx, 0x4C0064 <-- pointer to a backup copy of the code replaced by the JMP
    mov edx, [ebx]
    mov [eax], edx <-- rewrite first 4 bytes back into process
    add ebx, 0x4
    add eax, 0x4
    mov edx, [ebx]
    mov [eax], edx <-- rewrite 2nd 4 bytes back into process
    pop, pop, pop
    {5 bytes: JMP target_process_orig}
    Last edited by abuckau907; 03-06-2012 at 02:52 AM.

  #12 Wayne277 (Private)
    Thank you. I kind of figured..just been working on this for 3+ days and hoping it was a dumb little syntax error or something. Thanks again.
    Last edited by Wayne277; 03-06-2012 at 03:27 AM.

  #13 abuckau907 (Active Member)
    Something so silly... I was incorrectly using the shared version of fasm.managedFasm.Assemble --> I'm now using an object + the member method.

    Solved: for anyone who is interested. It works! I FindPattern() for the wow code that modifies LocalPlayer.health... creates a codecave, overwrites the wow code w/ a jmp.. when the codecave is
    run it copies the register I need (which = LocalPlayer.BaseAddress) (..though technically that same function handles all/more units.. I did a 'check what addr this reads' and when I stood alone
    in the corner.. just mine.. when I killed mobs/people around me killed mobs, it used their baseaddress. So this won't work for what I wanted.. but it's a big start), then re-writes the original wow code back into place, then jmps back to the original wow code and wow.exe continues execution as normal. No crash!!!
    @Jadd Thanks. 3. That's my goal.. I want curMgrPtr + offsets obviously... this is all just how I'm trying to get there. Eventually I'll only use mem_read. Maybe. I plan to keep it private. I'll try not to have too much fun with it.

    @serock1 Again, thank you. For the asm part of copying the old wow code from the code-cave back to the original loc, I now understand why it's that way. (At first I
    assumed you could mov [ ], [ ].. but it makes sense the way it is.) Greatly appreciated. It's 1:47am now and I just got it working! I'll probably be up another hour experimenting, with work at 9am. Thank you.

    *************
    * SOLVED*
    *************
    Last edited by abuckau907; 03-07-2012 at 05:56 AM.
