I am using C# to read an exe file and inject code that displays a message box when the exe runs. The code I am using is the following:
6A 00           // push 0                           ; uType
68 xx xx xx xx  // push address of message title     ; lpCaption (imm32, little-endian)
68 xx xx xx xx  // push address of message body      ; lpText
6A 00           // push 0                           ; hWnd
FF 15 xx xx xx xx // call dword ptr [address of the user32.MessageBoxA IAT entry]
E9 xx xx xx xx  // jmp to old entry point            ; rel32
All addresses I am using are virtual addresses, but the new exe can't run. I think the addresses should be translated to memory addresses (by the Windows loader), but how can I do that?
Thanks.
Virtual addresses are memory addresses.
But if the .exe has a relocation table, it can be relocated to a new base address, and if your push and call instructions don't have entries in the relocation table, it will be broken.
Also, I'm not sure that your code is right, because I don't see where the strings are used in your code.
To confirm that the issue is missing entries in the relocation table, try the following position-independent code:
6A 00           // push 0            ; uType
6A 00           // push 0            ; lpCaption
E8 04 00 00 00  // call $+5+4        ; pushes the address of the string below (lpText) and skips over it
31 32 33 00     // '123', 0
6A 00           // push 0            ; hWnd
B8 XX XX XX XX  // mov eax, user32.MessageBoxA address, it's the same in all processes
FF D0           // call eax          ; a real call, so MessageBoxA gets a return address and sees hWnd at [esp+4]
E9 XX XX XX XX  // jmp OEP
Update: as ruslik noted, if we patch a file, we don't know the user32.MessageBoxA address, so we have to find it another way.
If we know the address of its IAT entry, we should replace FF 15 (__imp_MessageBoxA) with something base-independent:
E8 00 00 00 00  // call base                          ; pushes the address of 'base' (the next instruction)
base:
58              // pop eax                            ; eax = address of base
05 XX XX XX XX  // add eax, __imp_MessageBoxA - base  ; an RVA difference, so it needs no relocation entry
FF 10           // call dword ptr [eax]               ; call through the IAT slot
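A worked version of the two tricks in this answer, the call over the string to obtain lpText and the call/pop/add to reach the IAT slot, assembled into one stub. This is an added example, not part of the original answer. The RVAs are constructed sample values; in a real patch the IAT slot RVA comes from the PE import directory and the stub RVA from wherever the stub is written. It assumes a 32-bit PE and the stdcall MessageBoxA(hWnd, lpText, lpCaption, uType). The resolver decodes the stub's relative fields at several image bases to show that every target is still reached without relocation entries, which is exactly what the absolute push/call in the question cannot guarantee.

```python
import struct

# Added example (not the answer's own code): assemble the base-independent
# MessageBoxA stub from RVAs and check it against several image bases.


def build_stub(stub_rva, imp_messageboxa_rva, oep_rva, text=b"123"):
    """Assemble the base-independent MessageBoxA stub for a 32-bit PE.

    stub_rva            RVA where the stub will be written (new section or code cave)
    imp_messageboxa_rva RVA of the IAT slot holding MessageBoxA (__imp_MessageBoxA)
    oep_rva             RVA of the original entry point to resume afterwards
    Only RVA differences are encoded, so the bytes are valid at any image base
    and need no relocation entries.
    """
    s = text + b"\x00"
    code = b"\x6A\x00"                                   # push 0          ; uType
    code += b"\x6A\x00"                                  # push 0          ; lpCaption
    code += b"\xE8" + struct.pack("<I", len(s))          # call $+5+len(s) ; return address = &s -> lpText
    code += s                                            # the string, jumped over by the call
    code += b"\x6A\x00"                                  # push 0          ; hWnd
    code += b"\xE8\x00\x00\x00\x00"                      # call base       ; return address = &base
    base_off = len(code)                                 # offset of 'base:' inside the stub
    code += b"\x58"                                      # pop eax         ; eax = image_base + stub_rva + base_off
    delta = (imp_messageboxa_rva - (stub_rva + base_off)) & 0xFFFFFFFF
    code += b"\x05" + struct.pack("<I", delta)           # add eax, __imp_MessageBoxA - base
    code += b"\xFF\x10"                                  # call dword ptr [eax]
    next_off = len(code) + 5                             # address the jmp's rel32 is relative to
    rel = (oep_rva - (stub_rva + next_off)) & 0xFFFFFFFF
    code += b"\xE9" + struct.pack("<I", rel)             # jmp OEP
    return code


def resolve_targets(stub, stub_rva, image_base):
    """Decode the stub's relative fields as the CPU would with the image at image_base.

    Returns (lpText address, IAT slot address read by call [eax], jmp target).
    """
    assert stub[4] == 0xE8
    va = image_base + stub_rva
    lptext = va + 4 + 5                                  # first call's return address
    skip = struct.unpack_from("<I", stub, 5)[0]
    base_off = 9 + skip + 2 + 5                          # string, push 0, second call
    assert stub[base_off - 5:base_off] == b"\xE8\x00\x00\x00\x00" and stub[base_off] == 0x58
    assert stub[base_off + 1] == 0x05
    delta = struct.unpack_from("<I", stub, base_off + 2)[0]
    iat_slot = (va + base_off + delta) & 0xFFFFFFFF      # what eax holds at 'call [eax]'
    jmp_off = base_off + 8                               # after add (5 bytes) and call [eax] (2 bytes)
    assert stub[jmp_off] == 0xE9
    rel = struct.unpack_from("<I", stub, jmp_off + 1)[0]
    target = (va + jmp_off + 5 + rel) & 0xFFFFFFFF
    return lptext, iat_slot, target


def base_independent(stub_rva, imp_rva, oep_rva, bases=(0x400000, 0x10000000, 0x7FFE0000)):
    """True if the stub reaches the same RVAs whichever base the loader picks."""
    stub = build_stub(stub_rva, imp_rva, oep_rva)
    for base in bases:
        got = resolve_targets(stub, stub_rva, base)
        if got != (base + stub_rva + 9, base + imp_rva, base + oep_rva):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample RVAs: stub in a cave at 0x5000, IAT slot at 0x3010, OEP at 0x1200.
    stub = build_stub(0x5000, 0x3010, 0x1200)
    print(stub.hex(" "))
    for base in (0x400000, 0x10000000):
        print(hex(base), [hex(x) for x in resolve_targets(stub, 0x5000, base)])
    print("base independent:", base_independent(0x5000, 0x3010, 0x1200))
```

The stub still has to be written into an executable section and the PE entry point pointed at it; that part of the procedure is unchanged from the question. The `add eax` immediate and the `jmp` rel32 are both RVA differences and may be negative, which is why they are masked to 32 bits before packing.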