#11, 10-24-2016, 22:11
byvs (Friend, Join Date: May 2002, Location: Brazil, Posts: 64)
Quote: Originally Posted by bongos_man
At 0x7B31BB, the function is called with the address of your string in eax. You want to patch this call to instead call a function in your DLL. Add a function to your DLL like this:

Code:
void __declspec(naked) patchstring() {
  __asm {
    ; modify string here somehow
    ; but be careful to preserve registers
    ; because your target looks like it uses fastcall

    ; now call old func at 0x7B31BB
    jmp 0xBB31BB ; 0x400000 + 0x7B31BB
  }
}
And in the DllMain, replace the bytes from 0x7B31BC to 0x7B31BF with the address of that function (read the tuts for more info). Don't replace the 0xE8 at 0x7B31BB because that is the beginning of the call opcode ;]
@bongos_man
Thank you, my friend.
I replaced the FF byte with 88. It worked, but not 100%:
0xE88875C5FF to 0xE88875C588
Is it?
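As an added example (not code from this thread, nor from bongos_man or byvs), the Python below decodes x86 near-relative CALL instructions (opcode E8 followed by a signed 32-bit displacement) exactly as the CPU resolves them and flags any call whose computed target lies outside the module image. That is the check a code-integrity scanner runs to notice a call that has been redirected out of the executable, which is what the patch discussed above does. It is applied to the two encodings quoted in the thread at RVA 0x7B31BB. The image base 0x400000 is the one the quoted post mentions; the image size, the bytes surrounding the call, and the function names are constructed assumptions for this example.

```python
"""Decode E8 rel32 calls and flag targets outside the module image.

Added example for this thread; not code from the forum post.
"""
import struct
from typing import List, Tuple

# Assumed image layout (constructed for this example): the module is loaded
# at 0x400000, as mentioned in the thread, and its image spans 0x1000000 bytes.
IMAGE_BASE = 0x400000
IMAGE_SIZE = 0x1000000


def decode_call_target(call_rva: int, insn: bytes) -> int:
    """Return the target RVA of a 5-byte E8 rel32 call located at call_rva.

    The displacement is little-endian, signed, and relative to the end of the
    instruction (call_rva + 5). The sum wraps modulo 2**32, as a 32-bit CPU
    computes it, so a displacement with a large high byte lands far away
    rather than failing.
    """
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not a 5-byte E8 rel32 call")
    rel32 = struct.unpack("<i", insn[1:5])[0]
    return (call_rva + 5 + rel32) & 0xFFFFFFFF


def rva_to_va(rva: int) -> int:
    """Map an RVA to a virtual address using the assumed image base."""
    return IMAGE_BASE + rva


def scan_calls(region_rva: int, code: bytes) -> List[Tuple[int, int, bool]]:
    """Linear scan of a code region for E8 calls.

    Returns (call_rva, target_rva, inside_image) per call found. This is a
    naive byte scan, so an 0xE8 that is really part of another instruction's
    operand is reported too; a production checker walks instruction
    boundaries with a disassembler first.
    """
    results = []
    for off in range(len(code) - 4):
        if code[off] == 0xE8:
            call_rva = region_rva + off
            target = decode_call_target(call_rva, code[off:off + 5])
            inside = 0 <= target < IMAGE_SIZE
            results.append((call_rva, target, inside))
    return results


# Constructed code region starting at RVA 0x7B31B6:
#   8D 45 F8        lea eax, [ebp-8]   (made-up filler)
#   90 90           nop; nop            (made-up filler)
#   E8 88 75 C5 FF  call rel32          (encoding quoted in the thread)
#   C3              ret
SAMPLE_CODE = bytes.fromhex("8D45F8" "9090" "E88875C5FF" "C3")

# Same region with the last displacement byte changed from FF to 88,
# the edit described in the reply above.
PATCHED_CODE = bytes.fromhex("8D45F8" "9090" "E88875C588" "C3")


def report(region_rva: int, code: bytes) -> List[str]:
    """Human-readable lines for each call, marking out-of-image targets."""
    lines = []
    for call_rva, target, inside in scan_calls(region_rva, code):
        status = "ok" if inside else "OUTSIDE IMAGE (possible redirect)"
        lines.append(
            f"call at VA {rva_to_va(call_rva):#010x} -> "
            f"target RVA {target:#010x}: {status}"
        )
    return lines


if __name__ == "__main__":
    print("original bytes:")
    print("\n".join(report(0x7B31B6, SAMPLE_CODE)))
    print("after FF -> 88:")
    print("\n".join(report(0x7B31B6, PATCHED_CODE)))
```

Running it shows the original displacement (0xFFC57588, a small negative number) resolving to a target a few megabytes below the call site, while the edited displacement (0x88C57588) resolves to a target far outside any plausible image, which is the signature an integrity check keys on.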