Author Topic: Needs some work  (Read 8756 times)

Magnum

Needs some work
« on: February 24, 2013, 12:37:27 PM »
don't laugh too hard.

It's causing an access violation.

push offset code_to_call
ret

This is what it's supposed to do.

What it does is change a jump into a return. This code is equivalent to:

jmp code_to_call

Code:
.code

start:
    call Check                          ; pushes the address of the next line; Check replaces it
    fn MessageBox,0,str$(eax),"Title",MB_OK

Good_Boy:                               ; where Check is meant to "return" to
    invoke ExitProcess,0

Check proc
    push (Good_Boy + 754841h)           ; target address disguised by adding a constant
    mov eax,esp
    sub eax,754841h                     ; strip the constant again
    mov [esp],eax                       ; overwrite the return address on the stack
    ret                                 ; "return" to Good_Boy
Check endp

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

dedndave

Re: Needs some work
« Reply #1 on: February 24, 2013, 12:52:26 PM »
Code:
push (Good_Boy + 754841h)
mov eax,[esp]                          ;<-------------
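Both the plain push/ret in the opening post and the constant-fixup variant in Check proc (with the mov eax,[esp] correction above) turn a jmp into something a linear disassembly shows as a return, so the control flow has to be recovered by hand. The Python below is an added example, not code from the thread or from any of its posters: a small static scanner that recognises the two byte sequences and resolves the real branch target, which is the check a reverse engineer or a signature author wants when reading such code. The instruction encodings are the standard Intel ones; the sample buffer, the 0x00401000 base and the hypothetical Good_Boy address 0x00401020 are constructed for the illustration.

```python
# Added example, not code from the thread: a static scanner for the x86-32
# "jmp disguised as ret" idioms discussed above. It recovers the real branch
# target so a disassembly listing can be annotated instead of followed blindly.
#
# Pattern "plain":  push imm32 ; ret
#     68 <imm32> C3
# Pattern "fixup":  push imm32 ; mov eax,[esp] ; sub eax,imm32 ; mov [esp],eax ; ret
#     68 <imm32> 8B 04 24 (2D <imm32> | 81 E8 <imm32>) 89 04 24 C3
# Encodings are the standard Intel ones; for "fixup" the target is imm1 - imm2 (mod 2**32).
import struct
from typing import Dict, List


def _u32(buf: bytes, off: int) -> int:
    """Little-endian unsigned 32-bit read (caller guarantees bounds)."""
    return struct.unpack_from("<I", buf, off)[0]


def find_push_ret_jumps(code: bytes, base: int = 0) -> List[Dict[str, int]]:
    """Scan `code`, assumed loaded at virtual address `base`, for both idioms.

    Each hit records the address of the push, the pattern kind, the total
    length of the matched sequence and the effective jump target.
    """
    hits: List[Dict[str, int]] = []
    n = len(code)
    i = 0
    while i + 6 <= n:                       # shortest idiom is 6 bytes
        if code[i] != 0x68:                 # push imm32
            i += 1
            continue
        imm1 = _u32(code, i + 1)
        j = i + 5
        if code[j] == 0xC3:                 # ret directly after the push
            hits.append({"addr": base + i, "kind": "plain",
                         "len": 6, "target": imm1})
            i = j + 1
            continue
        if code[j:j + 3] == b"\x8B\x04\x24":                     # mov eax,[esp]
            k = j + 3
            if k + 5 <= n and code[k] == 0x2D:                    # sub eax,imm32 (eax short form)
                imm2, k = _u32(code, k + 1), k + 5
            elif k + 6 <= n and code[k:k + 2] == b"\x81\xE8":     # sub eax,imm32 (generic form)
                imm2, k = _u32(code, k + 2), k + 6
            else:
                i += 1
                continue
            if code[k:k + 4] == b"\x89\x04\x24\xC3":              # mov [esp],eax ; ret
                hits.append({"addr": base + i, "kind": "fixup",
                             "len": k + 4 - i,
                             "target": (imm1 - imm2) & 0xFFFFFFFF})
                i = k + 4
                continue
        i += 1
    return hits


def describe(code: bytes, base: int = 0) -> List[str]:
    """Human-readable annotation lines, one per recovered jump."""
    return [f"{h['addr']:#010x}: push/ret ({h['kind']}, {h['len']} bytes) -> jmp {h['target']:#010x}"
            for h in find_push_ret_jumps(code, base)]


# Constructed sample (not a real binary), as if .code were loaded at 0x00401000
# and Good_Boy sat at the hypothetical address 0x00401020:
#   0x401000  90                 nop
#   0x401001  68 61 58 B5 00     push 0B55861h        ; Good_Boy + 754841h
#   0x401006  8B 04 24           mov eax,[esp]
#   0x401009  2D 41 48 75 00     sub eax,754841h
#   0x40100E  89 04 24           mov [esp],eax
#   0x401011  C3                 ret                  ; really: jmp Good_Boy
#   0x401012  68 00 20 40 00     push 402000h
#   0x401017  C3                 ret                  ; really: jmp 0x402000
#   0x401018  31 C0              xor eax,eax
SAMPLE_BASE = 0x00401000
SAMPLE = bytes.fromhex("90" "686158B500" "8B0424" "2D41487500" "890424" "C3"
                       "6800204000" "C3" "31C0")

if __name__ == "__main__":
    for line in describe(SAMPLE, SAMPLE_BASE):
        print(line)
```

The scanner is byte-pattern based, so it only sees the exact register and addressing forms listed in the header comment; a variant that uses another register or splits the fixup across more instructions needs its own pattern, which is the usual limitation of signature-style detection of control-flow obfuscation.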

dedndave

Re: Needs some work
« Reply #2 on: February 24, 2013, 12:59:00 PM »
try this   :P
it's a console app - you have to open a console window
guess i could add inkey - lol

attachment removed
« Last Edit: February 25, 2013, 11:33:28 AM by dedndave »

Magnum

Re: Needs some work
« Reply #3 on: February 24, 2013, 01:45:06 PM »
Thanks.

Magnum

Re: Needs some work
« Reply #4 on: February 25, 2013, 10:32:41 AM »
I liked your StackFun.

Where do I put code that I want to run?

Andy

dedndave

Re: Needs some work
« Reply #5 on: February 25, 2013, 10:47:59 AM »
well - the idea was to set up the stack with all the stuff - then execute it
in that example, i had to exit to some inline code in order to store the standard output handle   :biggrin:
i made another one using MessageBox, but that function uses a lot of internal stack space

if you wanted to run other code, you could preserve the original stack pointer from ESP,
then restore it after you run the "pre-initialized stack" code
« Last Edit: February 25, 2013, 01:38:06 PM by dedndave »

Magnum

Re: Needs some work
« Reply #6 on: February 25, 2013, 11:01:48 AM »
Super Dave,

I will look up your info.

Terse is hard for me, I am very guilty of it.

Andy

qWord

Re: Needs some work
« Reply #7 on: February 25, 2013, 11:20:58 AM »
great guys ... return based programming.
What will be the next malware technique we have to discuss with Magnum?
MREAL macros - when you need floating point arithmetic while assembling!

dedndave

Re: Needs some work
« Reply #8 on: February 25, 2013, 11:32:32 AM »
i had no malicious intent when i wrote it, i assure you
i was just playing around
but, i'll remove the attachment - wouldn't want to give anyone ideas

Magnum

Re: Needs some work
« Reply #9 on: February 25, 2013, 12:03:32 PM »
Quote
great guys ... return based programming.
What will be the next malware technique we have to discuss with Magnum?

My real name is Andy.

That is a real name, not an alias.

Think positively.

The correct definition is anti reversing/anti disassembly.

I have been burned by malware writers.

I have been proactive.

pro·ac·tive
ADJECTIVE: Acting in advance to deal with an expected difficulty; anticipatory: proactive steps to prevent terrorism.

I have a good relationship with those who work to mitigate harmful behavior.

They are less available than they used to be.  :t

MichaelW

Re: Needs some work
« Reply #10 on: February 25, 2013, 01:21:09 PM »
Quote
The correct definition is anti reversing/anti disassembly.

Malware techniques are what they are, regardless of how you use them.

Quote
I have a good relationship with those who work to mitigate harmful behavior.

Which harmful behavior, the cracking of applications or the, much more harmful, coding of malware? Seeking help for this sort of thing on an open forum is irresponsible.

ir·re·spon·si·ble adj.
  1. not caring, not having or showing any care for the consequences of personal actions
  2. lacking a sense of responsibility
Well Microsoft, here’s another nice mess you’ve gotten us into.

Magnum

Re: Needs some work
« Reply #11 on: February 25, 2013, 01:59:43 PM »
None of the above.

It's a shame.

You seem to be an intelligent person who I think seeks the truth and knowledge.

I may be mistaken.

You seem to feel the need to defend others, but it may be misplaced.

I have had disagreements with others, but we have worked things out thru private messages.

I have made mistakes and been banned from forums, but I admitted my mistakes and things are going well in general.

Take care,

Andy


qWord

Re: Needs some work
« Reply #12 on: February 26, 2013, 02:13:34 AM »
Quote
My real name is Andy.

That is a real name, not an alias.
I'm not interested in your real name. If you have a problem with being called "Magnum", there is no way around deleting your account.


Quote
Think positively.
There is no reason to.

Quote
The correct definition is anti reversing/anti disassembly.
[...]
I have been proactive.
I've got the impression that you (beside script kiddie bomz) are trying to convert this forum into a reverse engineering / malware forum...


BTW, I'm curious what you sent the people who responded to your "I can hide files on XP" thread? - a rootkit?

Magnum

Re: Needs some work
« Reply #13 on: February 26, 2013, 02:37:05 AM »
Quote
i had no malicious intent when i wrote it, i assure you
i was just playing around
but, i'll remove the attachment - wouldn't want to give anyone ideas

Dave, don't be intimidated by a very minuscule number of bullies.

We are doing nothing wrong.

Some people make a free choice to be miserable.

I don't.

It's a free world.

Take care.

Andy

Keep the greasy side down.

MichaelW

Re: Needs some work
« Reply #14 on: February 26, 2013, 07:43:03 AM »
Quote
It's a free world.

There are always restrictions, and ways of forcing compliance.