
Automatic Convert Virtual Address to Memory Address?

I am using C# to read an exe file and inject code to display a message box when the exe runs, so the code I am using is the following:

6A 00               //push 0
68 OXxxxx          //push Address of Message Title
68 OXxxxx          //push Address of Message Body
6A 00              //push 0
FF 15 OXxxxx      //Call Address of User32.MessageBoxA 
E9 OXxxxx          // jmp to old entry point

All addresses I am using are virtual addresses, but the new exe can't run. I think the addresses should be translated to memory addresses (by the Windows loader), but how can I do that?

Thanks

Virtual addresses are memory addresses.
But if the .exe has a relocation table, it can be relocated to a new base address, and if your push and call instructions don't have entries in the relocation table, it will be broken.

Also, I'm not sure that your code is right, because I don't see where the strings are used in your code.

To ensure that the issue is missing entries in the relocation table, try the following position-independent code:

6A 00          // push 0
6A 00          // push 0
E8 04 00 00 00 // call $+5+4
31 32 33 00    // '123', 0
6A 00          // push 0
68 XX XX XX XX // push user32.MessageBoxA address, it's the same in all processes
C3             // retn
E9 XX XX XX XX // jmp OEP

Upd: as ruslik noted, if we patch a file, we don't know the user32.MessageBoxA address, so we should find it in another way.

If we know the address of its IAT entry, we should replace FF 15 (__imp_MessageBoxA) with something base-independent:

     E8 00 00 00 00  // call base:
base:
     58              // pop eax
     05 XX XX XX XX  // add eax, __imp_MessageBoxA - base
     FF 10           // call dword ptr [eax]
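
To check whether the relocation issue described in the answer applies to a given file, the following added Python example (not part of the original thread) reads the PE header fields that control rebasing and lists the addresses the loader fixes up. The function names, the header-only sample image and the sample relocation block are constructed for illustration, and `fixup_rvas` assumes the raw bytes of the base relocation directory have already been extracted from the file.

```python
import struct

RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED (COFF Characteristics)
DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in)
HIGHLOW, DIR64 = 3, 10    # fixup types that patch a 32/64-bit absolute address

def pe_rebase_info(data):
    """Header fields that decide whether the loader may move the image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    flags = struct.unpack_from("<H", data, pe + 22)[0]      # Characteristics
    opt = pe + 24                                           # optional header
    magic, dll_chars = (struct.unpack_from("<H", data, opt + o)[0] for o in (0, 70))
    if magic not in (0x10B, 0x20B):                         # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    fmt, base_off, dirs = ("<I", 28, opt + 96) if magic == 0x10B else ("<Q", 24, opt + 112)
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]    # NumberOfRvaAndSizes
    return {"image_base": struct.unpack_from(fmt, data, opt + base_off)[0],
            "relocs_stripped": bool(flags & RELOCS_STRIPPED),
            "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
            # data directory 5 = base relocation table, as (RVA, size)
            "reloc_dir": struct.unpack_from("<II", data, dirs + 40) if n_dirs > 5 else (0, 0)}

def fixup_rvas(reloc):
    """RVAs the loader patches, parsed from raw base relocation directory bytes."""
    rvas, pos = set(), 0
    while pos + 8 <= len(reloc):
        page, size = struct.unpack_from("<II", reloc, pos)
        if size < 8 or size % 2 or pos + size > len(reloc):
            break                                           # malformed block
        for (entry,) in struct.iter_unpack("<H", reloc[pos + 8:pos + size]):
            if entry >> 12 in (HIGHLOW, DIR64):             # type 0 is padding
                rvas.add(page + (entry & 0xFFF))
        pos += size
    return rvas

def unrelocated(operand_vas, image_base, fixups):
    """Operand locations (as VAs) holding an absolute address but having no fixup."""
    return [va for va in operand_vas if va - image_base not in fixups]

# Constructed sample: header-only PE32, ImageBase 0x400000, ASLR flag set.
SAMPLE = bytearray(0x200)
SAMPLE[:2], SAMPLE[0x80:0x84] = b"MZ", b"PE\0\0"
for fmt, off, val in (("<I", 0x3C, 0x80), ("<H", 0x98, 0x10B), ("<I", 0x98 + 28, 0x400000),
                      ("<H", 0x98 + 70, DYNAMIC_BASE), ("<I", 0x98 + 92, 16),
                      ("<I", 0x98 + 136, 0x5000), ("<I", 0x98 + 140, 12)):
    struct.pack_into(fmt, SAMPLE, off, val)
RELOC = struct.pack("<IIHH", 0x1000, 12, (HIGHLOW << 12) | 0x005, 0)  # one fixup, RVA 0x1005
```

An image with `relocs_stripped` false, a non-empty `reloc_dir` and `dynamic_base` set can load at a base other than `image_base`, so any absolute operand reported by `unrelocated` will point at the wrong address after rebasing.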
