CODE INJECTION HELP
Posted: Tue May 19, 2020 9:31 pm
by KevinDA
Good evening. In my injection code, instead of API_x64.exe+FCDC50, I would like to use the future address of the line containing lea eax, [rcx + 09] (the last line of my script).
How do I do that?
[CODE=cea]alloc(newmem,2048,"API_x64.exe"+FCDC50)
label(returnhere)
label(originalcode)
label(exit)
// NOTE(review): "API_x64.exe"+FCDC50 is also the hook site (the jmp newmem written at the
// bottom of this script), so every branch to it inside newmem lands on that jmp and
// re-enters newmem instead of skipping to the final lea. Declaring a label with label()
// and placing it before that lea, the way originalcode: is placed below, would name the
// address the post asks for.
newmem: //this is allocated memory, you have read,write,execute access
ja API_x64.exe+FCDC50 // flags are whatever the code before the hook site left (not shown); target is the hook stub
cmp ecx,01
cmove eax,r8d // eax = (ecx == 1) ? r8d : eax
cmp eax,3F
ja API_x64.exe+FCDC50 // if taken: jmp newmem, then the first ja above re-tests the same flags -> tight loop
mov rdx,[r9+rax*8] // rdx = 8-byte entry rax of the table at r9
test rdx,rdx
je API_x64.exe+FCDC50 // null entry -> back to the hook stub (re-enters newmem)
cmp [rdx+00000118],r12d
je API_x64.exe+FCDC50
cmp [rdx+0000011C],r12d
je API_x64.exe+FCDC50
mov eax,ebx
mov [rbp+rax*8+000012D0],rdx // store the entry at slot ebx of the frame-relative array
mov ebx,[rbp-70]
inc ebx
mov [rbp-70],ebx // increments the 32-bit value at [rbp-70] via ebx
lea eax,[rcx+09] // on fall-through this result is immediately overwritten by the lea at originalcode
originalcode:
lea eax,[rcx+08]
cmp eax,09
exit:
jmp returnhere
"API_x64.exe"+FCDC50: // hook site: the original lea+cmp are overwritten with jmp newmem plus a nop pad
jmp newmem
nop
returnhere:[/CODE]
CODE INJECTION HELP
Posted: Tue May 19, 2020 10:32 pm
by TimFun13
Use an [URL='https://fearlessrevolution.com/threads/6637/'][U]AOB scan[/U][/URL].
[CODE=cea]aobScanModule(injectionPoint, API_x64.exe, ) // third argument is the byte pattern to locate; it is empty here, so the scan has nothing to match
registerSymbol(injectionPoint)
alloc(newmem,2048, injectionPoint) // third argument presumably requests memory near injectionPoint so the jmp below can reach it — verify
label(returnhere)
label(originalcode)
label(exit)
// NOTE(review): injectionPoint is also the hook site (the jmp newmem written at the bottom
// of this script), so every branch to it inside newmem lands on that jmp and re-enters
// newmem instead of skipping to the final lea. A label declared with label() and placed
// before that lea, the way originalcode: is placed below, would name that address.
newmem: //this is allocated memory, you have read,write,execute access
ja injectionPoint // flags are whatever the code before the hook site left (not shown); target is the hook stub
cmp ecx,01
cmove eax,r8d // eax = (ecx == 1) ? r8d : eax
cmp eax,3F
ja injectionPoint // if taken: jmp newmem, then the first ja above re-tests the same flags -> tight loop
mov rdx,[r9+rax*8] // rdx = 8-byte entry rax of the table at r9
test rdx,rdx
je injectionPoint // null entry -> back to the hook stub (re-enters newmem)
cmp [rdx+00000118],r12d
je injectionPoint
cmp [rdx+0000011C],r12d
je injectionPoint
mov eax,ebx
mov [rbp+rax*8+000012D0],rdx // store the entry at slot ebx of the frame-relative array
mov ebx,[rbp-70]
inc ebx
mov [rbp-70],ebx // increments the 32-bit value at [rbp-70] via ebx
lea eax,[rcx+09] // on fall-through this result is immediately overwritten by the lea at originalcode
originalcode:
lea eax,[rcx+08]
cmp eax,09
exit:
jmp returnhere
injectionPoint: // hook site: the original lea+cmp are overwritten with jmp newmem plus a nop pad
jmp newmem
nop
returnhere:[/CODE]
CODE INJECTION HELP
Posted: Tue May 19, 2020 10:54 pm
by KevinDA
I entered the following script and it crashed the application. Do I have to add something else?
CODE INJECTION HELP
Posted: Tue May 19, 2020 10:58 pm
by TimFun13
Where it says "" you need to add an AOB signature. I linked a post about AOB signatures above.
CODE INJECTION HELP
Posted: Tue May 19, 2020 11:56 pm
by KevinDA
Is it good this way?
I put "API_x64.exe" + FCDC50
and 8D 41 09 corresponds to this: lea eax, [rcx + 09]
aobScanModule(injectionPoint, "API_x64.exe"+FCDC50 , 8D 41 09) // NOTE(review): second argument is an address, but aobScanModule expects a module name; the 3-byte pattern is the lea alone and may match more than one site
registerSymbol(injectionPoint)
alloc(newmem,2048, injectionPoint) // third argument presumably requests memory near injectionPoint so the jmp below can reach it — verify
label(returnhere)
label(originalcode)
label(exit)
// NOTE(review): injectionPoint is also the hook site (the jmp newmem written at the bottom
// of this script), so every branch to it inside newmem lands on that jmp and re-enters
// newmem instead of skipping to the final lea. A label declared with label() and placed
// before that lea, the way originalcode: is placed below, would name that address.
newmem: //this is allocated memory, you have read,write,execute access
ja injectionPoint // flags are whatever the code before the hook site left (not shown); target is the hook stub
cmp ecx,01
cmove eax,r8d // eax = (ecx == 1) ? r8d : eax
cmp eax,3F
ja injectionPoint // if taken: jmp newmem, then the first ja above re-tests the same flags -> tight loop
mov rdx,[r9+rax*8] // rdx = 8-byte entry rax of the table at r9
test rdx,rdx
je injectionPoint // null entry -> back to the hook stub (re-enters newmem)
cmp [rdx+00000118],r12d
je injectionPoint
cmp [rdx+0000011C],r12d
je injectionPoint
mov eax,ebx
mov [rbp+rax*8+000012D0],rdx // store the entry at slot ebx of the frame-relative array
mov ebx,[rbp-70]
inc ebx
mov [rbp-70],ebx // increments the 32-bit value at [rbp-70] via ebx
lea eax,[rcx+09] // on fall-through this result is immediately overwritten by the lea at originalcode
originalcode:
lea eax,[rcx+08]
cmp eax,09
exit:
jmp returnhere
injectionPoint: // hook site: the original lea+cmp are overwritten with jmp newmem plus a nop pad
jmp newmem
nop
returnhere:
CODE INJECTION HELP
Posted: Wed May 20, 2020 1:16 am
by TimFun13
You should add a few more bytes; the signature needs to be unique. And you want the second parameter to be a module name, not an address.
[CODE=cea]...
aobScanModule(injectionPoint, API_x64.exe, 8D 41 09 ?? ?? ?? ??) // second argument is the module name; ?? are wildcard bytes, and the longer pattern pins the match to a single site
...[/CODE]