![[Asm] Codecaving tutorial Uyeols10](https://2img.net/r/ihimizer/img697/561/uyeols10.gif)
Giriş yap
En iyi yollayıcılar
| Hello EMO |
| |||
| EMO |
| |||
| eMoStyLe |
| |||
| BesimBICER |
| |||
| GameKinG |
| |||
| Crysis |
| |||
| ~>!.DεvιLρяιεsт.!<~ |
| |||
| MeTaL |
| |||
| TrueCrime |
| |||
| djhayal3t |
|
![[Asm] Codecaving tutorial I_vote_lcap](https://2img.net/s/t/16/52/15/i_vote_lcap.png){kind=small}
![[Asm] Codecaving tutorial I_voting_bar](https://2img.net/s/t/16/52/15/i_voting_bar.png){kind=small}
![[Asm] Codecaving tutorial I_vote_rcap](https://2img.net/s/t/16/52/15/i_vote_rcap.png){kind=small}
Istatistikler
Toplam 203 kayıtlı kullanıcımız varSon kaydolan kullanıcımız: crayzboy76
Kullanıcılarımız toplam 1186 mesaj attılar bunda 862 konu
Arama
akısı
Sosyal yer imi
Sosyal bookmarking sitesinde Emo, Emo nedir, Emo resimleri, Emo Kıyafetleri, Emo Sözleri, Emo Oyunları, EmoTurkey, Emo Nickler, Emo Avatarları, Punk, Punk Resimleri, Punk Avatarları, Rock, Rock Resimleri, Rock Avatarları, Msn Nickleri, Msn Avatarları, Müzik adresi saklayın ve paylaşın
Sosyal bookmarking sitesinde EMO Style ForumPro - Hos Geldiniz adresi saklayın ve paylaşın
Kimler hatta?
Toplam 1 kullanıcı online :: 0 Kayıtlı, 0 Gizli ve 1 Misafir Yok
Sitede bugüne kadar en çok 217 kişi C.tesi Tem. 29, 2017 1:46 am tarihinde online oldu.
En son konular
Reklam
[Asm] Codecaving tutorial
1 sayfadaki 1 sayfası
![[Asm] Codecaving tutorial Empty](https://2img.net/i/empty.gif)
[Asm] Codecaving tutorial
tarafından Hello EMO Cuma Ocak 14, 2011 5:28 pm
Codecaving tutorial
Codecaving is, basically, to put a jump before a target offset that needs to be patched to an empty or unimportant zone in memory, put your modified code there, and then jump back under the target address.
What's the point of doing this?
Codecaving allows you to get the effects of modifying an offset that could be blacklisted by poor anti-cheat software (ex: Warden in Warcraft 3), since you never modify it directly.
You could therefore take the offsets of some hack and make them almost "undetectable" (considering you keep that hack private or simply for yourself).
Pseudo example:
Before the code cave and patching:
- 1 Address 1 and its content
2 Target
3 Address 3 and its content
4 Unimportant stuff
5 Unimportant stuff
6 Unimportant stuff
(Unimportant stuff is mostly 00's and INT3's)
After the Code cave and patching:
- 1 JUMP to address 4
2 Target
3 Address 3 and its content
4 Address 1's content
5 Patched target
6 JUMP back to address 3
As you can see, the target code is still being patched, but not at Address 5 instead of Address 2.
Let's do a codecave now!
Things you will need:
- An offset to patch
- A real-time debugger (OllyDBG)
For this example, we are going to use some stupid offset I found while offset-hunting in Warcraft 3:
6F39B991 BA 08000000 MOV EDX,8
to
6F39B991 BA 00000000 MOV EDX,0
Effect: Removes ground textures (ground becomes all black).
Let's analyze the bunch of code over that address. Open up Warcraft 3 and get in a custom game. Then start OllyDBG and attach war3.exe, then right click -> go to -> 6F39B991 or CTRL+G -> 6F39B991 (you may need to do this twice to get to the address).
We must first find some empty memory zone in which we will input our code.
By scrolling down to the end of Game.dll, I found out this neat little place:
[code=asm] 6F85BE24 0000 ADD BYTE PTR DS:[EAX],AL
6F85BE26 0000 ADD BYTE PTR DS:[EAX],AL
6F85BE28 0000 ADD BYTE PTR DS:[EAX],AL
6F85BE2A 0000 ADD BYTE PTR DS:[EAX],AL
6F85BE2C 0000 ADD BYTE PTR DS:[EAX],AL
6F85BE2E 0000 ADD BYTE PTR DS:[EAX],AL
6F85BE30 0000 ADD BYTE PTR DS:[EAX],AL
6F85BE32 0000 ADD BYTE PTR DS:[EAX],AL
6F85BE34 0000 ADD BYTE PTR DS:[EAX],AL
6F85BE36 0000 ADD BYTE PTR DS:[EAX],AL
6F85BE38 0000 ADD BYTE PTR DS:[EAX],AL
6F85BE3A 0000 ADD BYTE PTR DS:[EAX],AL
6F85BE3C 0000 ADD BYTE PTR DS:[EAX],AL
6F85BE3E 0000 ADD BYTE PTR DS:[EAX],AL
6F85BE40 0000 ADD BYTE PTR DS:[EAX],AL
6F85BE42 0000 ADD BYTE PTR DS:[EAX],AL [/code]
etc.
Then let'a go back to our target address, 6F39B991, and analyse what's around it.
[code=asm] 6F39B974 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+24]
6F39B978 E8 E3A8C7FF CALL Game.6F016260
=> 6F39B97D E8 1E50C7FF CALL Game.6F0109A0
6F39B982 39AE 30030000 CMP DWORD PTR DS],EBP
6F39B988 74 07 JE SHORT Game.6F39B991
6F39B98A 8BCE MOV ECX,ESI
6F39B98C E8 4FEDFFFF CALL Game.6F39A6E0
6F39B991 BA 08000000 MOV EDX,8 // Target offset
6F39B996 8D4C24 5C LEA ECX,DWORD PTR SS:[ESP+5C] // Return address [/code]
We will use a normal jump to get there.
6F39B97D seems like a good place to start our jump since it is 5 bytes long. Take that address's info down in notepad or w/e.
6F39B97D E8 1E50C7FF CALL Game.6F0109A0
PAUSE OllyDBG and change this line:
6F39B97D E8 1E50C7FF CALL Game.6F0109A0
to
6F39B97D E9 A2044C00 JMP Game.6F85BE24
To do this, Select then right click the address -> Assemble or simply press spacebar then type: jmp 6F85BE24 and press enter (don't fill with NOP's)
![[Asm] Codecaving tutorial Codecavingtutorial01](https://2img.net/r/ihimizer/img832/3817/codecavingtutorial01.png)
On 6F85BE24, we will place the info of the address we took down in note. It was
CALL Game.6F0109A0
Like we did just a minute ago, we will right click -> assemble.
Type call 6F0109A0 and press enter.
![[Asm] Codecaving tutorial Codecavingtutorial02](https://2img.net/r/ihimizer/img217/4125/codecavingtutorial02.png)
[code=asm] 6F39B982 39AE 30030000 CMP DWORD PTR DS:[ESI+330],EBP
6F39B988 74 07 JE SHORT Game.6F39B991
6F39B98A 8BCE MOV ECX,ESI
6F39B98C E8 4FEDFFFF CALL Game.6F39A6E0
6F39B991 BA 08000000 MOV EDX,8 // target address [/code]
So, just like we did before, click on the line below the one we modified and assemble this:
![[Asm] Codecaving tutorial Codecavingtutorial03](https://2img.net/r/ihimizer/img256/3887/codecavingtutorial03.png)
![[Asm] Codecaving tutorial Codecavingtutorial04](https://2img.net/r/ihimizer/img816/8/codecavingtutorial04.png)
Then, on the next line:
![[Asm] Codecaving tutorial Codecavingtutorial05](https://2img.net/r/ihimizer/img408/6472/codecavingtutorial05.png)
![[Asm] Codecaving tutorial Codecavingtutorial06](https://2img.net/r/ihimizer/img401/3340/codecavingtutorial06.png)
Assemble at 6F85BE38:
![[Asm] Codecaving tutorial Codecavingtutorial07](https://2img.net/r/ihimizer/img827/6966/codecavingtutorial07.png)
Assemble this on the next line:
![[Asm] Codecaving tutorial Codecavingtutorial08](https://2img.net/r/ihimizer/img715/3764/codecavingtutorial08.png)
Your jump:
![[Asm] Codecaving tutorial 081](https://2img.net/r/ihimizer/img180/4188/081.png)
![[Asm] Codecaving tutorial 082](https://2img.net/r/ihimizer/img834/1093/082.png)
Assemble this at:
![[Asm] Codecaving tutorial Codecavingtutorial09](https://2img.net/r/ihimizer/img24/7299/codecavingtutorial09.png)
You are now ready to press on PLAY in OllyDBG. Your floor should be black.
© Tyrano
Hello EMO- EMO Team
- Cinsiyet :
Burçlar :
Mesaj Sayısı : 935
Puan : 374593
Rep Puanı : 18
Doğum tarihi : 28/11/89
Kayıt tarihi : 21/07/09
Yaş : 34
Nerden : EMO WorlD
İş/Hobiler : RCE Student / Game Hacking / Learn Beginner C#,C++,Delphi
Lakap : EMO -
Similar topics» [D3D][C++] No fog tutorial
» C++ -- DLL Tutorial { 1 }
» [Tutorial] D3D Crosshairs
» [C++] Winsock2 Tutorial
» Socket Tutorial
» C++ -- DLL Tutorial { 1 }
» [Tutorial] D3D Crosshairs
» [C++] Winsock2 Tutorial
» Socket Tutorial
1 sayfadaki 1 sayfası
Bu forumun müsaadesi var:
Bu forumdaki mesajlara cevap veremezsiniz
» goldenchase.net maden yaparak para kazanma
» etichal hacker görsel egitim seti
» KO TBL Source C#
» x86 Registers
» [Tutorial] Pegando Address, Pointers de WYD
» [Tutorial] Pegando Address, Pointers de CS Metodo²
» [Tutorial] Aprendendo basico deASM OLLYDBG
» Basic C# DLL injector