Can I move Entry Point to the middle of the codz ?
 

It's simple that move EP to the end of the code by using Ollydbg.But for some reasons I want to move OEP to the middle of the codz and insert a little very simple code follow the OEP.

In my opinion it's an infinite loop in theory so I need your help or solution about how to do it. If it is possible?

Thanks very much.

What do you mean? EP is entry point of an app, OEP means usually the ep of a packed application (being ep the entry of the packer stub).
If your app isnt packed, then just alter the ep in the pe header.
If you are worrying of altering middle app code, just restore such original code after the jump to your stub, by mov-ing it back, removing tracks of any change you made.
Or do you mean something like "altering the OEP of a packed application"?

use a PE editor to change the entrypoint....

what you mean with "middle of codz" ?

OK,let me clarify what I mean.Maybe I misused the word OEP.
A normal app has its entrypoint,I just want to move this entrypiont to the middle of its code,then jmp back to the original place where follow this EP.For example.

1 push ebp
2 mov ebp,esp
3 PUSH -1
4 PUSH 0
5 PUSH 0
6 0000
7 0000
8 0000
9 0000
10 MOV EAX,DWORD PTR FS:[0]
11 PUSH EAX
12 MOV DWORD PTR FS:[0],ESP
13 SUB ESP,68

0000 means null code.
Can I put the first line (push ebp) into line 6,then jmp back to line 2 in line 7?
6 push ebp
7 jmp 2
In this example it's absolutely infinite loop,right ? Because everytime it runs into line7 it will jump back. I am not sure if PE file running as I think maybe it's a stupid question.

diablo2oo2,yes it's easy to change the entrypoint but where you put the changed EP ? In the first section ? In the middle ? Or in the end? That's what I want to know.

Thanks.

you mean you would want to change
PeHeader.AddressOfEntryPoint to point to line 7
normallly compiled exe will have an image base of 0x400000 and AddressOfEntryPoint as 1000

so you mean you want to Edit this to point to 1006 (opcode lengths not considered using your own lines as referances so 6 here means line 6)

so line 1 will still have
push ebp (doesnt matter coz it wont be executed )
line 2 = mov ebp,esp
push -1
push 0
push 0
push ebp
jmp line 2

yes it should theoratically work as an infinte loop if you have an infinite stack space but normally stack space is limited to about one virtual page (4kb granualrity iirc or about 1000 dwords)

so after about 250 cycles it would crash with stack over flow exception

btw you can easily do this kind of experiments your self
get masm32 package and start cranking out some exes and debug them
using ollydbg

you mean "where to put the attached code" ?
if you are looking for a generic solution, then i would resize the last section and place my code there.

Also, you could check the paper on injecting of Webbit, mmh... accessible also from the Code-Breakers Journal, if I remember well (maybe also in wiki?). It comes with an example for using the left empty space.

Thanks JuneMouse for your explaination. Thanks diablo2oo2 and Maxinus.

I think it's hard to me to read the book of PE format.I'm only interesting in this but lacking of many professional knowledge. So I'm shamed I just think there is a simple way to get what I want.I thought too much than done.

Thanks all.

Do this:
1 push ebp
2 mov ebp,esp
3 PUSH -1
4 PUSH 0
5 PUSH 0
*6 jmp 8
*7 jmp 1<---EP address to be set with LordPE (just count the +bytes, and add it to the original one in this case)
8 0000
The problem is: do you have this empty space in the exe? The way you posted is supposing this.

Yes Maximus,if we assume there are empty space in the exe,your method is the only way which I can understand.
And I think it will work at least in theory.
Need inprove. :)

If you're just trying to insert some of your own code into the program to run before the program does, there's several ways of getting there. Since you're just starting out, you probably don't want to try to write a loader just yet, but there's still plenty of ways to do it.

The simplest method goes like this:

1. Replace the instructions at the entry point with:
   
   PUSHAD
   JMP xxxxxxxx
   
   where xxxxxxxx is some free space in the module where you've stuck your own code (more on that later).
   
   At xxxxx:
2. execute whatever code you want to run
3. POPAD
4. Execute any instructions that you wiped out in step 1.
5. Jump back to the original program's instructions at whichever one would have followed the last instruction at step 4.

Or in short, save the processor's "state", jump away, do stuff, restore the processor's state, execute anything that you blew away, and jump back.

The free space where you stick your "code cave" can come from several sources. It could be unused space in the original executable file, or you could overwrite some code that *know* will never be executed. You can also expand the size of the last section with a PE editor, per diablo2002's suggestion. Or you could add a whole new section with a PE editor and have all the empty space that you want.

Of course, many programs have ways of checking if they've been modified like this, so you can't just run around modifying some programs without also removing the protection checks. But non-protected programs and simple-minded protection schemes will never know the difference.

Loaders work a lot like debuggers. They load the target application as a debugged process or as a child process, and then modify the file at runtime before and/or during the execution of the target. They're more flexible and powerful than static binary modification, but they're also a more advanced topic. Loaders not only have to avoid the anti-modification checks in the target, but also have to avoid being detected. ARTeam and others have written some good tutorials on how to write loaders when you get to that point.

Thanks tbone very much.

I will read carefully about what you said and have a try.

Best regards.