
finding the "map ping" function in SC

Started by thetempest, December 11, 2003, 07:27 PM


indulgence

Quote from: Newby on July 19, 2004, 04:44 PM
Quote from: Adron on July 11, 2004, 05:06 PM
Quote from: Zeller on July 11, 2004, 04:59 PM
How do you nop a function and what program do you use to do it?

The literal way is to replace all the contents of the function except the return statement with nops. You'd probably do it using whatever debugger you're using on the program.

An easier way to "nop" a function is to insert a ret at the start.
Heh, never thought of inserting a ret at the start. I'd just assume start typing out 90's :P

You wouldn't want to NOP the WHOLE function -- you'd at least want to leave the return... otherwise you'd have some major issues
<3

iago

Quote from: indulgence on July 12, 2004, 06:43 AM
mov BYTE PTR [FunctionAddr], 0C3h
; Assume the code segment area you write to has been protected w/  VirtualProtect
; Also assume you are in the process's address space...

That won't always work, if it's a __stdcall or __fastcall function with stack parameters.  You'd want C4xx to clear the stack.
This'll make an interesting test for broken AV:
Quote
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Kp

Quote from: iago on July 21, 2004, 02:26 PM
Quote from: indulgence on July 12, 2004, 06:43 AM
mov BYTE PTR [FunctionAddr], 0C3h
; Assume the code segment area you write to has been protected w/  VirtualProtect
; Also assume you are in the process's address space...
That won't always work, if it's a __stdcall or __fastcall function with stack parameters.  You'd want C4xx to clear the stack.

Why would he want to use les (load es segment register)?  That's at best useless and at worst might cause the program to crash later. :)
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

iago

Quote from: Kp on July 21, 2004, 04:16 PM
Quote from: iago on July 21, 2004, 02:26 PM
Quote from: indulgence on July 12, 2004, 06:43 AM
mov BYTE PTR [FunctionAddr], 0C3h
; Assume the code segment area you write to has been protected w/  VirtualProtect
; Also assume you are in the process's address space...
That won't always work, if it's a __stdcall or __fastcall function with stack parameters.  You'd want C4xx to clear the stack.

Why would he want to use les (load es segment register)?  That's at best useless and at worst might cause the program to crash later. :)

Ok, my bad, it's C2 xx.  Boo :)

This'll make an interesting test for broken AV:
Quote
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
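
The stack-balance point behind the C3 versus C2 xx exchange above, as an added example that is not code from any poster in this thread. It assumes 32-bit x86 with DWORD-sized arguments; the names `callee_pop_bytes`, `encode_ret_stub` and `esp_drift` are hypothetical, and the code only models ESP arithmetic without touching any process memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum conv { CONV_CDECL, CONV_STDCALL, CONV_FASTCALL };

/* DWORD arguments that actually travel on the stack. */
static unsigned stack_args(enum conv c, unsigned dword_args)
{
    if (c != CONV_FASTCALL) return dword_args;
    return dword_args > 2 ? dword_args - 2 : 0;   /* first two go in ECX/EDX */
}

/* Bytes the callee itself must pop on return (0 for cdecl: caller cleans). */
static unsigned callee_pop_bytes(enum conv c, unsigned dword_args)
{
    return c == CONV_CDECL ? 0 : 4 * stack_args(c, dword_args);
}

/* Encode the matching return: C3 (ret) or C2 lo hi (ret imm16).
 * Returns the stub length, or 0 if it does not fit. */
static size_t encode_ret_stub(enum conv c, unsigned dword_args,
                              uint8_t *out, size_t cap)
{
    unsigned pop = callee_pop_bytes(c, dword_args);
    if (pop == 0) { if (cap < 1) return 0; out[0] = 0xC3; return 1; }
    if (pop > 0xFFFF || cap < 3) return 0;
    out[0] = 0xC2; out[1] = (uint8_t)(pop & 0xFF); out[2] = (uint8_t)(pop >> 8);
    return 3;
}

/* Net ESP change across one call site; 0 means balanced,
 * negative means argument bytes were left on the stack. */
static int esp_drift(enum conv c, unsigned dword_args, const uint8_t *stub)
{
    int esp = 0;
    esp -= 4 * (int)stack_args(c, dword_args);       /* caller pushes args   */
    esp -= 4;                                        /* call pushes ret addr */
    esp += 4;                                        /* ret pops ret addr    */
    if (stub[0] == 0xC2) esp += stub[1] | (stub[2] << 8); /* imm16 cleanup   */
    if (c == CONV_CDECL) esp += 4 * (int)stack_args(c, dword_args);
    return esp;
}

int main(void)
{
    uint8_t plain[3] = { 0xC3, 0, 0 }, fixed[3];
    encode_ret_stub(CONV_STDCALL, 3, fixed, sizeof fixed);
    printf("stdcall, 3 args, C3:       drift %d\n", esp_drift(CONV_STDCALL, 3, plain));
    printf("stdcall, 3 args, C2 %02X %02X: drift %d\n", fixed[1], fixed[2],
           esp_drift(CONV_STDCALL, 3, fixed));
    return 0;
}
```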