不使用相关性直接在ASM中调用/跳转(x86)

发布于 2024-10-17 07:50:06 字数 931 浏览 1 评论 0原文

我正在将一个 C++ DLL 注入到游戏中，并且想将一个函数挂接到我自己的一些代码上。由于DLL每次都映射到不同的位置，因此直接跳转和调用会更容易。另外，因为这是一个钩子，所以当我返回该函数时，我不想更改堆栈或寄存器。

我声明一个 char* 来存储 Asm，这样我就有一个指向它的指针。(char* asm="\x00";) 如果您可以提供十六进制，那会节省我一些时间。

我尝试过使用 FF 和 EA 进行调用和跳转，但我想我只是不明白它们是如何工作的。当我使用它们时，我注意到手术中我现在有一个结肠。

JMP FAR FWORD PTR DS:[00000000]

这不起作用，并且在我尝试使用指向跳转位置的指针后仍然不起作用。

这是我在开始尝试不同方法之前使用的程序集：

01270000    50              PUSH EAX
01270001    57              PUSH EDI
01270002    E8 E9CC1BFF     CALL fwound.0042CCF0
01270007    5F              POP EDI
01270008    58              POP EAX
01270009    50              PUSH EAX                      //replacements
0127000A    8D4C24 7C       LEA ECX,DWORD PTR SS:[ESP+7C] //
0127000E  - E9 36D11BFF     JMP fwound.0042D149

我使用 Olly 制作了该块，因此它知道当时所需的相关跳转/调用。

当 Asm 进入内存后，我必须在函数中编写两个操作（已替换）才能跳转到该位置。

那么，如何修复我的 Asm 块以使用直接跳转和调用？

原文

I'm injecting a c++ DLL into a game and I'd like to hook a function to some of my own code. Since the DLL is mapped to a different location each time, It would be easier to have direct jumps and calls. Also, because this is a hook I don't want to change the stack or registers for when I go back to the function.

I declare a char* to store the Asm so that I will have a pointer to it.(char* asm="\x00";)
If you could provide hex, that would save me some time.

Ive tried using FF and EA for the calls and jumps but I guess I just don't understand how those work. When I used them I noticed that I now had a colon in the operation.

JMP FAR FWORD PTR DS:[00000000]

This didn't work and it still didn't work after I tried to use a pointer to the jump location.

Here's the assembly that I was using before I started trying different methods:

01270000    50              PUSH EAX
01270001    57              PUSH EDI
01270002    E8 E9CC1BFF     CALL fwound.0042CCF0
01270007    5F              POP EDI
01270008    58              POP EAX
01270009    50              PUSH EAX                      //replacements
0127000A    8D4C24 7C       LEA ECX,DWORD PTR SS:[ESP+7C] //
0127000E  - E9 36D11BFF     JMP fwound.0042D149

I made that block using Olly, therefore it knew the relevant jumps/calls needed at the time.

After that Asm is in the memory, I then have to write over two operations(which are replaced) in the function to jump to this location.

So, How could I fix my Asm block to use direct jumps and calls?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

ぽ尐不点ル 2024-10-24 07:50:06

您可以像这样编码（gcc 风格/AT&T 汇编语法）：

    jmp    *.Ltgtaddr
.Ltgtaddr:  .long absoluteAddrOfFunctionToCall

这会汇编成十个字节（在 32 位 x86 上） - ff 25 对于具有 32 位内存操作数的绝对 jmp，然后是四个字节与下一个字的地址，后跟内容，这是代码的（绝对）目标地址。

编辑：我已经用编译和测试的示例更新了下面的部分。

您可以从 C 源代码动态创建这样的蹦床。示例源（需要 32 位 x86，留给读者练习如何将蹦床转换为 64 位）：

#include <sys/mman.h>
#include <stdio.h>

void oneWay(char *str, int arg)
{ printf("string is \"%s\", int is %d\n", str, arg); }

void otherWay(char *str, int arg)
{ printf(str, arg); printf("\n"); }

void *trampGen(void *tgtAddr)
{
    char *trampoline = mmap(NULL, 10, PROT_EXEC | PROT_WRITE | PROT_READ,
        MAP_PRIVATE | MAP_ANON, -1, 0);
    trampoline[0] = (char)0xff; trampoline[1] = (char)0x25;
    *(char**)(trampoline+2) = trampoline + 6;
    *(void**)(trampoline+6) = tgtAddr;
    return trampoline;
}

int main(int argc, char **argv)
{
    void * (*funcptr)(char*, int) = trampGen(oneWay);
    *funcptr("Test %d String", 12345);
    *(void **)(((char *)funcptr) + 6) = otherWay;
    *funcptr("Test %d String", 12345);
    munmap(funcptr, 10);
    return 0;
}

对我来说的输出：

$ ./tt
string is "Test %d String", int is 12345
Test 12345 String

请注意，留出整个 MMU 页面以仅使用其中的 10 个字节的效率稍低。如果您需要多个蹦床，请实现您自己的内存管理器......

You can code it like this (gcc-style / AT&T assembly syntax):

    jmp    *.Ltgtaddr
.Ltgtaddr:  .long absoluteAddrOfFunctionToCall

This assembles into ten bytes (on 32bit x86) - ff 25 for the absolute jmp with 32bit memory operand, then the four bytes with the address of the following word, followed by the contents which then is the (absolute) target address of your code.

Edit: I've updated the section below with a compiled and tested example.

You can, from C sourcecode, dynamically create such a trampoline. Example source (requires 32bit x86, left as an exercise to the reader how to convert the trampoline to 64bit):

#include <sys/mman.h>
#include <stdio.h>

void oneWay(char *str, int arg)
{ printf("string is \"%s\", int is %d\n", str, arg); }

void otherWay(char *str, int arg)
{ printf(str, arg); printf("\n"); }

void *trampGen(void *tgtAddr)
{
    char *trampoline = mmap(NULL, 10, PROT_EXEC | PROT_WRITE | PROT_READ,
        MAP_PRIVATE | MAP_ANON, -1, 0);
    trampoline[0] = (char)0xff; trampoline[1] = (char)0x25;
    *(char**)(trampoline+2) = trampoline + 6;
    *(void**)(trampoline+6) = tgtAddr;
    return trampoline;
}

int main(int argc, char **argv)
{
    void * (*funcptr)(char*, int) = trampGen(oneWay);
    *funcptr("Test %d String", 12345);
    *(void **)(((char *)funcptr) + 6) = otherWay;
    *funcptr("Test %d String", 12345);
    munmap(funcptr, 10);
    return 0;
}

Output for me:

$ ./tt
string is "Test %d String", int is 12345
Test 12345 String

Note it's slightly inefficient to set aside an entire MMU page to use only ten bytes of it. Implement your own memory manager for trampolines if you need more than one of them ...

回复收藏 0 原文