### Code Injection - Working with Integers

Posted: **Mon May 07, 2018 4:55 am**

This tutorial builds on the topic of Code Injection.

What if the instruction that writes to the value is only a [Link]?

`add [eax+10],ecx`

Try to find a spot above the write instruction that has an [Link] (or a [Link] depending on what you want to do).

```
add ecx,ebx
//...
mov [eax+10],ecx
```

**Hardcoded value**

We could just hardcode a value for this.

`add dword ptr [eax+10],(int)100 // #100 //// "#" is shorthand for integer`

**Editable value**

We could use a [Link], giving it some memory, and optionally [Link] it so the label can be used on the table as an address.

```
//...
alloc(someMem, 0x400)
//...
label(someSymbol)
registerSymbol(someSymbol)
//...
someMem:
//...
mov ecx,[someSymbol] //// load the editable amount (overwrites ecx)
add [eax+10],ecx //// original write instruction
//...
jmp return
//...
someSymbol:
dd (int)100 //// editable value, default 100
//...
```

**Adding a Multiplier**

We could add an editable value like above but use [Link] to add a multiplier to the script.

```
//...
alloc(someMem, 0x400)
//...
label(someSymbol)
registerSymbol(someSymbol)
//...
someMem:
//...
imul ecx,[someSymbol] //// ecx = ecx * multiplier
add [eax+10],ecx //// original write instruction
//...
jmp return
//...
someSymbol:
dd (int)10 //// integer multiplier, default 10
//...
```

**Fractional Multiplier**

But what if we wanted to be able to multiply by a fractional number (e.g. "0.5")? This takes a bit more work, but we can use [Link] and [Link] to convert the value from an integer to a float and back again. Then we can just use [Link] to do the multiplying, but we will need an [Link] [Link] to work with. So we will need some extra memory and use [Link] to save and restore the XMM register.

```
//...
alloc(someMem, 0x400)
//...
label(someSymbol)
registerSymbol(someSymbol)
label(extraStuff)
//...
someMem:
//...
movups [extraStuff],xmm0 //// save
cvtsi2ss xmm0,ecx //// integer to float
mulss xmm0,[someSymbol] //// multiply by the float multiplier
cvtss2si ecx,xmm0 //// float back to integer
movups xmm0,[extraStuff] //// restore
add [eax+10],ecx //// original write instruction
//...
jmp return
//...
someSymbol:
dd (float)0.5 //// mulss reads this as a float, so store it as one
extraStuff:
dd 0 //// Data double-word (4 bytes)
dd 0
dq 0 //// Data quad-word (8 bytes)
//...
```

**Calculate a value for a Multiplier**

Let's say we just can't find an [Link] or a [Link], and all we have is a [Link].

`mov [eax+10],ecx`

We can just do some math in the script to calculate a value for a multiplier.

```
//...
alloc(someMem, 0x400)
//...
label(someSymbol)
registerSymbol(someSymbol)
//...
someMem:
//...
sub ecx,[eax+10] //// ecx = new value - current value (the change)
imul ecx,[someSymbol] //// scale the change by the multiplier
add ecx,[eax+10] //// add the current value back
mov [eax+10],ecx //// original write instruction
//...
jmp return
//...
someSymbol:
dd (int)10
//...
```
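
The arithmetic of the Fractional Multiplier and Calculate a value for a Multiplier scripts, modelled in C as an added example that is not part of the original post. The function names are hypothetical, and it assumes the default MXCSR rounding mode, under which `cvtss2si` rounds ties to even (2.5 becomes 2, 3.5 becomes 4).

```c
/* Added example: C model of the injected arithmetic; all names are illustrative. */
#include <stdint.h>

/* imul ecx,[someSymbol]: only the low 32 bits of the product are kept. */
static int32_t imul32(int32_t a, int32_t b) {
    return (int32_t)((uint32_t)a * (uint32_t)b);
}

/* cvtss2si: round to nearest, ties to even (assumed default rounding mode).
   NaN and out-of-range inputs give the "integer indefinite" value 0x80000000. */
static int32_t cvtss2si(float f) {
    if (!(f >= -2147483648.0f && f < 2147483648.0f))
        return INT32_MIN;
    int32_t t = (int32_t)f;        /* truncate toward zero */
    float frac = f - (float)t;     /* remainder in (-1, 1) */
    if (frac > 0.5f || (frac == 0.5f && (t & 1))) t++;
    else if (frac < -0.5f || (frac == -0.5f && (t & 1))) t--;
    return t;
}

/* Fractional Multiplier: cvtsi2ss / mulss / cvtss2si, then add [eax+10],ecx. */
int32_t add_fractional(int32_t stored, int32_t ecx, float mult) {
    int32_t scaled = cvtss2si((float)ecx * mult);
    return (int32_t)((uint32_t)stored + (uint32_t)scaled);
}

/* Calculate a value for a Multiplier: the game only does mov [eax+10],ecx,
   so the change is recovered as ecx - [eax+10] before it is scaled. */
int32_t mov_with_multiplier(int32_t stored, int32_t ecx, int32_t mult) {
    int32_t delta = (int32_t)((uint32_t)ecx - (uint32_t)stored); /* sub  */
    delta = imul32(delta, mult);                                 /* imul */
    return (int32_t)((uint32_t)delta + (uint32_t)stored);        /* add  */
}
```

If the result should be truncated rather than rounded, `cvttss2si` is the truncating form of the same conversion.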
