Page 1 of 1

To avoid the injection code

Posted: Sat May 23, 2020 11:04 am
by KevinDA
Hello, to avoid using the injection code I found in my game a location where there are only zero (00 00 00 00 00 00 00 00)

I used HxD hex editor to put my code. and after I made a jmp to this one. but the moment my game executes the code it crashes. Why ?

Do you need to add something before or after ?

To avoid the injection code

Posted: Sat May 23, 2020 3:01 pm
by mgr.inz.Player
Find a cave filled with "90" or "cc" as close as possible.

You can also find caves filled with many kinds of nop with "Assemblyscan" (memory viewer -> search -> find assembly code)



Use a call instead of jump. Last instruction should be ret.







Example with Tutorial-x86_64.exe. There is nice spot with multibyte NOP:

[CODE=cea]Tutorial-x86_64.exe+3161 - 66 66 66 0F1F 84 00 00000000 - nop word ptr [rax+rax+00000000]

Tutorial-x86_64.exe+316C - 0F1F 40 00 - nop dword ptr [rax+00][/CODE]



Fortunately there is a jump which skips whole NOP'ed area:

[CODE=cea]Tutorial-x86_64.exe+315F - EB 21 - jmp Tutorial-x86_64.exe+3182[/CODE]



And Dissect code shows there are no jumps to "Tutorial-x86_64.exe+3161" and "Tutorial-x86_64.exe+316C"



We can use whole 15 bytes... Lets do a hack for tutorial step 2. We will bring health to 999, so it will be still 990 something after hit.



First, test it with AA script:

[CODE=cea]define(address,"Tutorial-x86_64.exe"+2B0EE)

define(bytes,83 BB F0 07 00 00 00)



[ENABLE]

// cave with 15 bytes

Tutorial-x86_64.exe+3161:

code:

mov dword ptr [rbx+000007F0],#999

ret



address:

call Tutorial-x86_64.exe+3161

nop

nop



[DISABLE]

address:

db bytes

// cmp dword ptr [rbx+000007F0],00



//cave's orig bytes

Tutorial-x86_64.exe+3161:

db 66 66 66 0F 1F 84 00 00 00 00 00

db 0F 1F 40 00

// Tutorial-x86_64.exe+3161 - 66 66 66 0F1F 84 00 00000000 - nop word ptr [rax+rax+00000000]

// Tutorial-x86_64.exe+316C - 0F1F 40 00 - nop dword ptr [rax+00][/CODE]





[B]Edit:[/B]

Someone could say 15 bytes is not that much. This already takes 10bytes (of course plus 1 byte for ret)

[code=cea]C7 83 F0070000 E7030000 - mov [rbx+000007F0],#999[/code]



What if you want to change other addresses at the same time, e.g. armor, lets say at [rbx+000007FC]?

[code=cea]C7 83 F0070000 E7030000 - mov [rbx+000007F0],#999 // health

C7 83 FC070000 E7030000 - mov [rbx+000007FC],#999 //armor

ret[/code]

That's 21 bytes.



Maybe 999 is too fancy, lets try 99:

[code=cea]C7 83 F0070000 63000000 - mov [rbx+000007F0],#99 // health

C7 83 FC070000 63000000 - mov [rbx+000007FC],#99 //armor

ret[/code]

Nope, still 21 bytes. We can go around that. You can analyze the code and check which CPU registers you can alter.



For example RAX and RCX registers are free - in your case those can be different registers. This changes previous codes to this:

[CODE=cea]B1 63 - mov cl,#99 // 2 bytes

48 8D 83 F0070000 - lea rax,[rbx+000007F0] // 7 bytes

88 08 - mov [rax],cl // 2 bytes

88 48 0C - mov [rax+0C],cl // 3 bytes

// 14 bytes total

[/CODE]

14 bytes plus 1 byte for ret = 15

To avoid the injection code

Posted: Sun May 24, 2020 6:42 pm
by KevinDA
Thank you very much for your explanation. If I understood correctly you can write code only on 90 and CC?

On 00 is it impossible?

To avoid the injection code

Posted: Wed May 27, 2020 1:06 am
by mgr.inz.Player
It is possible to use code caves filled with 0x00. But:

- it can happen you just found a structure with many vars and those vars are initialized with zeros. Altering it will cause unpredictable behavior.

- when you found code cave filled with 0x00 in memory, let's say cave size is 300-500 bytes, it can happen that this cave is few times smaller in the EXE file.



Usually the number of CC bytes or multibyte NOP doesn't change. E.g. in memory you see twelve CC between two functions - there are very high chances it will still be twelve CC in EXE file opened with hex editor.



[QUOTE="KevinDA, post: 136749, member: 39812"]

code only on 90

[/QUOTE]

NOP aren't just 90. There are also multibyte NOPs. You can scan for them with Assemblyscan and this pattern:

[code=cea]nop*[rax+rax+00][/code]

and this

[code=cea]nop*[rax+rax+00000000][/code]

The second one I used to find code cave inside Tutorial-x86_64.exe.



I also saw other "fillers" used by compilers.



e.g.

[code=cea]lea rsi,[rsi+00]

lea rdi,[rdi+00000000]

lea rsi,[rsi+00000000][/code]