CALL ABSOLUTEADDR?

Started by TheMinistered, December 29, 2003, 12:09 AM

TheMinistered

Could someone provide the opcode for CALL with the operand being an absolute address?

i.e. pseudocode:

...
DWORD* ptrFunction = (DWORD*)&add;
...

void add(int* value, int amount) {
    *value += amount;   // add amount to the value pointed to
}


Now, what I'm wanting to do is patch a program to call my add function, basically.  I have the function pointer, but I need the right opcode.  Additionally, I'm also willing to accept solutions that generate the relative offset.

Kp

For a relative call, use e8 and then the 32bit displacement.  For an absolute call, you can't (directly) call to an absolute address.  Your options are to either call by pointer and have the correct address in the pointer or place the address in a register and do call-by-register.  Call by pointer is ff15 iirc.  The opcode for call-by-register will vary depending on which register you use.  If you just need to transfer control and don't need to come back, you could also try putting the destination on the stack and then executing 'ret' to pop it into eip.

Call by pointer example:
At 00401000, have &add.  For the code, put ff1500104000. (call dword ptr 00401000).
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

TheMinistered

Taking your advice, I guess I could do the following:

...
DWORD *ptrFunction = &add;
...

// Patch in the following
FF15 + [&ptrFunction]


These opcodes look useful too:
9A cd CALL ptr16:16 Call far, absolute, address given in operand
9A cp CALL ptr16:32 Call far, absolute, address given in operand

Kp

Quote from: TheMinistered on December 29, 2003, 12:19 AM
Taking your advice, I guess I could do the following:

...
DWORD *ptrFunction = &add;
...

// Patch in the following
FF15 + [&ptrFunction]


These opcodes look useful too:
9A cd CALL ptr16:16 Call far, absolute, address given in operand
9A cp CALL ptr16:32 Call far, absolute, address given in operand

Interesting.  I've never actually seen those opcodes in use, so didn't know about them.  Also, in your code, there's no need to declare ptrFunction as a DWORD* -- if you don't care about 64bit, you could just call it a DWORD.  If you do, you probably ought to call it a void*.

Adron

If there's a relative call that I'm patching, I'd typically patch it with another relative call so I don't have to make more space for my replacement instruction.

What you do then is:


char *calltoreplace = (char *)0x12345678; // some offset that holds a relative jmp/call instruction
// rel32 operand = target - address of the next instruction (1 opcode byte + 4 operand bytes)
*(unsigned *)(calltoreplace + 1) = (unsigned)((char *)add - (calltoreplace + 1 + 4));


+1 for the opcode byte size
+4 for the operand size (the offset)
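Kp's FF 15 encoding and Adron's rel32 arithmetic, written out as runnable C on a byte buffer rather than live process memory (an added example, not code from either poster); the addresses 0x00401000 and 0x00402000 are constructed sample values, and the decode routine is the check you would run when auditing a binary for calls that no longer point where they should.

```c
#include <stdint.h>
#include <stdio.h>

/* rel32 displacement for a 5-byte "call rel32" (E8) placed at `at`:
   x86 measures it from the address of the *next* instruction (at + 5). */
uint32_t call_rel32_disp(uint32_t at, uint32_t target) {
    return target - (at + 5u);          /* wraps for backward targets */
}

/* Write E8 + little-endian disp32 into `out`; returns instruction length. */
size_t encode_call_rel32(uint8_t *out, uint32_t at, uint32_t target) {
    uint32_t d = call_rel32_disp(at, target);
    out[0] = 0xE8;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(d >> (8 * i));
    return 5;
}

/* Write FF 15 + little-endian abs32 ("call dword ptr [slot]"): the CPU
   reads the real target from the 4-byte pointer stored at `slot`. */
size_t encode_call_indirect(uint8_t *out, uint32_t slot) {
    out[0] = 0xFF; out[1] = 0x15;
    for (int i = 0; i < 4; i++) out[2 + i] = (uint8_t)(slot >> (8 * i));
    return 6;
}

/* Recover the target of an E8 call found at `at`: compare it against the
   expected callee to spot a rewritten call operand. */
uint32_t decode_call_rel32_target(const uint8_t *in, uint32_t at) {
    uint32_t d = 0;
    for (int i = 0; i < 4; i++) d |= (uint32_t)in[1 + i] << (8 * i);
    return at + 5u + d;
}

/* Adron's in-place patch on a copy of the code: keep the E8 opcode, rewrite
   only the operand. Returns 0 on success, -1 if there is no call there. */
int patch_call_rel32(uint8_t *code, uint32_t code_addr, uint32_t new_target) {
    if (code[0] != 0xE8) return -1;
    uint32_t d = call_rel32_disp(code_addr, new_target);
    for (int i = 0; i < 4; i++) code[1 + i] = (uint8_t)(d >> (8 * i));
    return 0;
}

int main(void) {
    uint8_t buf[6];
    size_t n = encode_call_indirect(buf, 0x00401000u);     /* Kp's example */
    for (size_t i = 0; i < n; i++) printf("%02x", buf[i]);  /* ff1500104000 */
    putchar('\n');
    return 0;
}
```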


iago

If that's the problem, I'll post the code to my memory patcher.  It takes care of all that stuff.  I don't have it handy right now, but I should tonight.
This'll make an interesting test for broken AV:
Quote: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


iago

Here we go, take a look at this:

http://www.valhallalegends.com/iago/MemoryPatcher.rar

It's extremely useful, I've found.