  #1  
Old 11-22-2005, 03:12
tbone
If you're just trying to insert some of your own code into the program to run before the program does, there are several ways of getting there. Since you're just starting out, you probably don't want to try to write a loader just yet, but there are still plenty of ways to do it.

The simplest method goes like this:
  1. Replace the instructions at the entry point with:

    PUSHAD
    JMP xxxxxxxx

    where xxxxxxxx is some free space in the module where you've stuck your own code (more on that later).

    At xxxxxxxx:
  2. execute whatever code you want to run
  3. POPAD
  4. Execute any instructions that you wiped out in step 1.
  5. Jump back to the original program's instructions at whichever one would have followed the last instruction at step 4.

Or in short, save the processor's "state", jump away, do stuff, restore the processor's state, execute anything that you blew away, and jump back.

The free space where you stick your "code cave" can come from several sources. It could be unused space in the original executable file, or you could overwrite some code that you *know* will never be executed. You can also expand the size of the last section with a PE editor, per diablo2002's suggestion. Or you could add a whole new section with a PE editor and have all the empty space that you want.

Of course, many programs have ways of checking if they've been modified like this, so you can't just run around modifying some programs without also removing the protection checks. But non-protected programs and simple-minded protection schemes will never know the difference.

Loaders work a lot like debuggers. They load the target application as a debugged process or as a child process, and then modify the file at runtime before and/or during the execution of the target. They're more flexible and powerful than static binary modification, but they're also a more advanced topic. Loaders not only have to avoid the anti-modification checks in the target, but also have to avoid being detected. ARTeam and others have written some good tutorials on how to write loaders when you get to that point.
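The entry-point redirection described above leaves a recognisable fingerprint that a scanner can look for: the first bytes at AddressOfEntryPoint are PUSHAD (0x60) followed by JMP rel32 (0xE9) whose target lands in a different section, typically an extended last section or an added one. The following is an added example, not code from the post or from Exetools: it builds a constructed minimal PE32 image (the section names ".text" and ".cave" and all offsets are made up) and parses it back to flag that pattern.

```python
import struct

# Constructed sample (not a real binary): minimal PE32 with .text plus a ".cave" section.
def build_sample_pe(patched=True):
    secs = [(b".text", 0x1000, 0x200, 0x200, 0x60000020),   # name, RVA, raw off, size, flags
            (b".cave", 0x2000, 0x400, 0x200, 0xE0000020)]
    entry_rva = 0x1000
    if patched:
        rel = (0x2000 - (entry_rva + 6)) & 0xFFFFFFFF       # JMP rel32 into the cave
        ep_code = b"\x60\xe9" + struct.pack("<I", rel)      # PUSHAD ; JMP xxxxxxxx
    else:
        ep_code = b"\x55\x8b\xec\x83\xec\x10"               # ordinary function prologue
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva)
    opt += b"\0" * (0xE0 - len(opt))                        # rest of optional header zeroed
    sec_hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, rva, sz, raw, 0, 0, 0, 0, fl)
                        for n, rva, raw, sz, fl in secs)
    img = bytearray(dos + b"PE\0\0" + file_hdr + opt + sec_hdrs).ljust(0x600, b"\0")
    img[0x200:0x200 + len(ep_code)] = ep_code               # place code at .text raw offset
    return bytes(img)

def rva_to_offset(sections, rva):
    for name, sec_rva, raw, size, _ in sections:
        if sec_rva <= rva < sec_rva + size:
            return raw + (rva - sec_rva), name
    return None, None

def check_entry_point(data):
    """Flag an entry point that begins with PUSHAD ; JMP rel32 into another section."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 40)[0]      # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = pe + 24 + opt_size + 40 * i                   # section table follows optional header
        name, vsize, rva, rawsize, raw = struct.unpack_from("<8sIIII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode(), rva, raw, max(vsize, rawsize), flags))
    ep_off, ep_sec = rva_to_offset(sections, entry)
    code = data[ep_off:ep_off + 6]
    if code[:2] != b"\x60\xe9":                             # not PUSHAD ; JMP
        return {"suspicious": False, "entry_section": ep_sec}
    target = entry + 6 + struct.unpack_from("<i", code, 2)[0]   # rel32 is relative to next insn
    _, tgt_sec = rva_to_offset(sections, target)
    return {"suspicious": tgt_sec != ep_sec, "entry_section": ep_sec,
            "jump_target": target, "target_section": tgt_sec}
```

A fuller scanner would also compare the entry-point bytes and section table against a known-good copy, since a patch that restores the original instructions inside the cave and jumps back is otherwise indistinguishable from normal code.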
  #2  
Old 11-23-2005, 08:51
netxman
Thanks tbone very much.

I will read carefully about what you said and have a try.

Best regards.