Jump to content
Moopler
Sign in to follow this  
Taku

Executable - Assembly Functions

Recommended Posts

I wrote some assembly functions so I can write code from my executable instead of injecting DLL into process. This is useful when target has anti hacking protection like BlackCipher that checks DLL injected into process.

Functions

PROCESSENTRY32 Entry;
HANDLE hSnapshot, hProcess;

template <typename Template>
void GetProcess(wchar_t* lpProcess, Template tFunction)
{
    Entry.dwSize = sizeof(PROCESSENTRY32);
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);

    if (Process32First(hSnapshot, &Entry) == TRUE)
    {
        while (Process32Next(hSnapshot, &Entry) == TRUE)
        {
            if (wcsicmp(Entry.szExeFile, lpProcess) == 0)
            {
                tFunction();
            }
        }
    }

    CloseHandle(hSnapshot);
}

int StringToByte(BYTE* bData, char* cData)
{
    char cHexArray[128] = "0123456789ABCDEF";
    int iData, iArray, iSize = 0;

    for (iData = 0; cData[iData]; iData++)
    {
        for (iArray = 0; cHexArray[iArray]; iArray++)
        {
            if (cData[iData] == cHexArray[iArray])
            {
                if (iSize % 2 == 0)
                {
                    bData[iSize / 2] = iArray * 0x10;
                }
                else
                {
                    bData[iSize / 2] += iArray;
                }

                iSize++;
                break;
            }
        }
    }

    return (iSize / 2);
}

void AllocateHookToProcess(wchar_t* lpProcess, DWORD dwAddress, DWORD dwHook, int iSize)
{
    GetProcess(lpProcess, [dwAddress, dwHook, iSize]
    {
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Entry.th32ProcessID);

        for (int i = 0; i < iSize; i++)
        {
            BYTE bHook = *(DWORD*)(dwHook + i);
            DWORD dwAddressHook = dwAddress + i;
            WriteProcessMemory(hProcess, (LPVOID)dwAddressHook, &bHook, sizeof(bHook), 0);
        }

        CloseHandle(hProcess);
    });
}

void WriteCodeToProcess(wchar_t* lpProcess, DWORD dwAddress, char* cData)
{
    GetProcess(lpProcess, [dwAddress, cData]
    {
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Entry.th32ProcessID);

        LPBYTE lpbSize = new BYTE[lstrlenA(cData) / 2];

        WriteProcessMemory(hProcess, (LPVOID)dwAddress, lpbSize, StringToByte(lpbSize, cData), 0);

        delete[] lpbSize;

        CloseHandle(hProcess);
    });
}

void WriteHookToProcess(wchar_t* lpProcess, char* cHook, DWORD dwAddress, DWORD dwHook, int iNop)
{
    GetProcess(lpProcess, [cHook, dwAddress, dwHook, iNop]
    {
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Entry.th32ProcessID);

        BYTE bHook = 0;

        if (cHook == "jmp")
        {
            bHook = 0xE9;
        }
        else if (cHook == "call")
        {
            bHook = 0xE8;
        }
        else if (cHook == "double")
        {
            DWORD dwDouble = dwHook;
            WriteProcessMemory(hProcess, (LPVOID)dwAddress, &dwDouble, sizeof(dwDouble), 0);
        }

        if (bHook == 0xE9 || bHook == 0xE8)
        {
            DWORD dwAddressHook = dwAddress + 0x01;
            DWORD dwDestination = dwHook - dwAddress - 0x05;

            WriteProcessMemory(hProcess, (LPVOID)dwAddress, &bHook, sizeof(bHook), 0);
            WriteProcessMemory(hProcess, (LPVOID)dwAddressHook, &dwDestination, sizeof(dwDestination), 0);
        }

        for (int i = 0; i < iNop; i++)
        {
            BYTE bNop = 0x90;
            DWORD dwAddressNop = dwAddress + 0x05 + i;
            WriteProcessMemory(hProcess, (LPVOID)dwAddressNop, &bNop, sizeof(bNop), 0);
        }

        CloseHandle(hProcess);
    });
}

 

Calling

DWORD Bypassless__SendPacket = 0x01A77C5C;

DWORD dwCodeCave = 0x01ED05C1;
DWORD dwTestHookEntry = 0x00000000;
int iTestHookSize = 0;

goto BlockEnd;
BlockStart:
_asm
{
	pushad
	mov eax,[ebp+0x08]
	push [eax+0x04]
	push [eax+0x08]
	push [ebp+0x04]
	add esp,0x0C
	popad

	rol cl,0x04
	pushad
	das
	mov dword ptr [ebp+0x1337],0x01A77C5C+0x05
	jmp dword ptr [ebp+0x1337]
}
BlockEnd:

_asm
{
	mov eax,BlockStart
	mov dwTestHookEntry,eax
	mov eax,BlockEnd
	sub eax,BlockStart
	mov iTestHookSize,eax
}

AllocateHookToProcess(L"MapleStory.exe", dwCodeCave, dwTestHookEntry, iTestHookSize);
WriteHookToProcess(L"MapleStory.exe", "jmp", Bypassless__SendPacket, dwCodeCave, 0);
Edited by Taku
  • Like 4

Share this post


Link to post

Thanks for releasing, taku. Perhaps it's an idea to compile this into a .lib?

Share this post


Link to post

Thanks for releasing, taku. Perhaps it's an idea to compile this into a .lib?

It is a nice idea but, don't really think its needed for just some functions, maybe will forge it to a lib later on if i have some time/motivation to add some more nice stuff.

  • Like 1

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
×