CODE INJECTION HELP

KevinDA (Cheater, joined Apr 16, 2020, 26 messages):
Good evening. In my injection code, instead of API_x64.exe+FCDC50, I would like to put the future address of the line where there is lea eax, [rcx + 09] (the last line of my script).
How do I do that?

CEA:
alloc(newmem,2048,"API_x64.exe"+FCDC50)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
ja API_x64.exe+FCDC50
cmp ecx,01
cmove eax,r8d
cmp eax,3F
ja API_x64.exe+FCDC50
mov rdx,[r9+rax*8]
test rdx,rdx
je API_x64.exe+FCDC50
cmp [rdx+00000118],r12d
je API_x64.exe+FCDC50
cmp [rdx+0000011C],r12d
je API_x64.exe+FCDC50
mov eax,ebx
mov [rbp+rax*8+000012D0],rdx
mov ebx,[rbp-70]
inc ebx
mov [rbp-70],ebx
lea eax,[rcx+09]


originalcode:
lea eax,[rcx+08]
cmp eax,09

exit:
jmp returnhere

"API_x64.exe"+FCDC50:
jmp newmem
nop
returnhere:
 
TheyCallMeTim13 (Enchanter, Staff member, Administrator, Fearless Donors, Talents; joined Mar 3, 2017; 1,799 messages):
Use an AOB scan.
CEA:
aobScanModule(injectionPoint, API_x64.exe, <bytes here>)
registerSymbol(injectionPoint)

alloc(newmem,2048, injectionPoint)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
ja injectionPoint
cmp ecx,01
cmove eax,r8d
cmp eax,3F
ja injectionPoint
mov rdx,[r9+rax*8]
test rdx,rdx
je injectionPoint
cmp [rdx+00000118],r12d
je injectionPoint
cmp [rdx+0000011C],r12d
je injectionPoint
mov eax,ebx
mov [rbp+rax*8+000012D0],rdx
mov ebx,[rbp-70]
inc ebx
mov [rbp-70],ebx
lea eax,[rcx+09]


originalcode:
lea eax,[rcx+08]
cmp eax,09

exit:
jmp returnhere

injectionPoint:
jmp newmem
nop
returnhere:
 
KevinDA:
I entered the following request and it crashed the application. Do I have to add something else?
 
TheyCallMeTim13:
Where it says "<bytes here>" you need to add an AOB signature. I linked a post about AOB signatures above.
 
KevinDA:
Is it good this way?
I put "API_x64.exe" + FCDC50
and 8D 41 09 corresponds to this: lea eax, [rcx + 09]

aobScanModule(injectionPoint, "API_x64.exe"+FCDC50 , 8D 41 09)
registerSymbol(injectionPoint)

alloc(newmem,2048, injectionPoint)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
ja injectionPoint
cmp ecx,01
cmove eax,r8d
cmp eax,3F
ja injectionPoint
mov rdx,[r9+rax*8]
test rdx,rdx
je injectionPoint
cmp [rdx+00000118],r12d
je injectionPoint
cmp [rdx+0000011C],r12d
je injectionPoint
mov eax,ebx
mov [rbp+rax*8+000012D0],rdx
mov ebx,[rbp-70]
inc ebx
mov [rbp-70],ebx
lea eax,[rcx+09]


originalcode:
lea eax,[rcx+08]
cmp eax,09

exit:
jmp returnhere

injectionPoint:
jmp newmem
nop
returnhere:
 
TheyCallMeTim13:
You should add a few more bytes, you need it to be unique. And you want the second parameter to be a module not an address.
CEA:
...
aobScanModule(injectionPoint, API_x64.exe, 8D 41 09 ?? ?? ?? ??)
...
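To illustrate why the signature has to be unique within the module, here is a small AOB scanner with Cheat Engine style ?? wildcards (added example code, not from Cheat Engine or either poster). The byte buffer is constructed for the demo and is not taken from API_x64.exe: 8D 41 09 (lea eax,[rcx+09]) appears twice, so the three-byte pattern is ambiguous, while a longer pattern that includes the following cmp eax,09 (83 F8 09) matches exactly once.

```python
"""AOB (array-of-bytes) signature scan with ?? wildcards and a uniqueness check."""
from typing import List, Optional


def parse_aob(pattern: str) -> List[Optional[int]]:
    """Turn '8D 41 09 ?? ?? ?? ??' into byte values, with None for each wildcard."""
    parsed: List[Optional[int]] = []
    for tok in pattern.split():
        if tok in ("??", "?"):
            parsed.append(None)
        elif len(tok) == 2:
            parsed.append(int(tok, 16))
        else:
            raise ValueError(f"bad AOB token: {tok!r}")
    return parsed


def aob_scan(module: bytes, pattern: str) -> List[int]:
    """Return every offset in `module` where `pattern` matches (wildcards match any byte)."""
    sig = parse_aob(pattern)
    hits = []
    for i in range(len(module) - len(sig) + 1):
        if all(b is None or module[i + k] == b for k, b in enumerate(sig)):
            hits.append(i)
    return hits


def unique_offset(module: bytes, pattern: str) -> int:
    """Offset of the single match; raises if the signature is ambiguous or absent,
    which is the situation aobScanModule must avoid before a jmp is written there."""
    hits = aob_scan(module, pattern)
    if len(hits) != 1:
        raise LookupError(f"pattern {pattern!r} matched {len(hits)} times, need exactly 1")
    return hits[0]


# Constructed sample "module" image (assumption: NOT real API_x64.exe bytes).
SAMPLE_MODULE = bytes.fromhex(
    "4889E5"    # mov rbp,rsp           (filler)
    "8D4109"    # lea eax,[rcx+09]      first occurrence, offset 3
    "909090"    # nop; nop; nop
    "8D4109"    # lea eax,[rcx+09]      second occurrence, offset 9
    "83F809"    # cmp eax,09
    "C3"        # ret
)

if __name__ == "__main__":
    print("8D 41 09            ->", aob_scan(SAMPLE_MODULE, "8D 41 09"))           # [3, 9]
    print("8D 41 09 83 F8 ??   ->", aob_scan(SAMPLE_MODULE, "8D 41 09 83 F8 ??"))  # [9]
    print("unique offset       ->", unique_offset(SAMPLE_MODULE, "8D 41 09 83 F8 ??"))
```

The module base plus the returned offset is the value Cheat Engine would bind to injectionPoint; with the short pattern the scan is ambiguous and unique_offset refuses it.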
 