Jump to content

Recommended Posts

Hi,

why do you want to use assembler to make a " mov eax,pe call eax"? This could be done easily with native AutoIt functions DllCall() or/and DllCallAddress() .

If you want to create your own Assembler-Functions, take a look at AssembleIt(). It has an integrated debugger, you can use AutoIt-variables within the asm-code, use could macros and you can assemble your code to "standalone"-opcodes where can be called by DllCallAddress() (no need of AssembleIt() in this case)

Link to comment
Share on other sites

Did you ever read the helpfile?

If you want to call a function, first you need is.....a function (that´s where the (base) adress is come from, the "pe" in your first post.)

The most functions have some parameters, what are the parameters of your function? 

Where did the "pe" come from?

If you want some help, first you have to give (us) some (as much as possible) informations!

1 hour ago, giangnguyen said:

All I am interested in is executing that ASM snippet

ok, but don´t ask for help any more if it crashes your script...$pe is the address

dllcalladdress("none",$pe)

Link to comment
Share on other sites

15 hours ago, giangnguyen said:

$pe is the address that I obtained from calling VirtualAlloc which I use to allocate an executable.

hmmm, it could be that i am wrong, but i think you don´t know what you are talking about...

VirtualAlloc is used to allocate a piece of (empty! ) memory. If you want to call that address, what do you think will happens next? You know what a asm-"call" is in difference to a "jmp"? Ever heard about calling conventions?  

15 hours ago, giangnguyen said:

DllCallAddress("none",$pe) will work as long as $pe is valid right?

If your program, which base address is at $pe, is so programmed that this  "DllCallAddress("none",$pe)" will work, yes, that works....

Think about what you really mean with "valid". This depends on what you are expecting....

 

If you want another answer, describe in simple words what you WANT TO DO! 

Edited by AndyG
Link to comment
Share on other sites

11 hours ago, AndyG said:

hmmm, it could be that i am wrong, but i think you don´t know what you are talking about...

VirtualAlloc is used to allocate a piece of (empty! ) memory. If you want to call that address, what do you think will happens next? You know what a asm-"call" is in difference to a "jmp"? Ever heard about calling conventions?  

If your program, which base address is at $pe, is so programmed that this  "DllCallAddress("none",$pe)" will work, yes, that works....

Think about what you really mean with "valid". This depends on what you are expecting....

 

If you want another answer, describe in simple words what you WANT TO DO! 

 

What I am doing:
Read data from resource
Use virtual alloc and WriteProcessMemory to write a piece of position independent executable to memory
And after that I am trying to execute it.

Link to comment
Share on other sites

  • Moderators

giangnguyen,

When you reply, please use the "Reply to this topic" button at the top of the thread or the "Reply to this topic" editor at the bottom rather than the "Quote" button - responders know what they wrote and it just pads the thread unnecessarily. Thanks in advance for your co-operation.

M23

 

Public_Domain.png.2d871819fcb9957cf44f4514551a2935.png Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind

Open spoiler to see my UDFs:

Spoiler

ArrayMultiColSort ---- Sort arrays on multiple columns
ChooseFileFolder ---- Single and multiple selections from specified path treeview listing
Date_Time_Convert -- Easily convert date/time formats, including the language used
ExtMsgBox --------- A highly customisable replacement for MsgBox
GUIExtender -------- Extend and retract multiple sections within a GUI
GUIFrame ---------- Subdivide GUIs into many adjustable frames
GUIListViewEx ------- Insert, delete, move, drag, sort, edit and colour ListView items
GUITreeViewEx ------ Check/clear parent and child checkboxes in a TreeView
Marquee ----------- Scrolling tickertape GUIs
NoFocusLines ------- Remove the dotted focus lines from buttons, sliders, radios and checkboxes
Notify ------------- Small notifications on the edge of the display
Scrollbars ----------Automatically sized scrollbars with a single command
StringSize ---------- Automatically size controls to fit text
Toast -------------- Small GUIs which pop out of the notification area

 

Link to comment
Share on other sites

Link to comment
Share on other sites

A concise example ->

#include <Memory.au3>

Global $g_pTinyAdd = _MemVirtualAlloc(0, 4096, $MEM_COMMIT, $PAGE_EXECUTE_READWRITE)

DllStructSetData(DllStructCreate("BYTE[7]", $g_pTinyAdd), 1, "0x" _
            & "5A"   _ ;  pop    edx
            & "59"   _ ;  pop    ecx
            & "58"   _ ;  pop    eax
            & "01C8" _ ;  add    eax, ecx
            & "FFE2" _ ;  jmp    edx
        )

ConsoleWrite(DllCallAddress("INT", $g_pTinyAdd, "INT", 10, "INT", 17)[0] & @CRLF)

 

Link to comment
Share on other sites

3 hours ago, giangnguyen said:

write a piece of position independent executable to memory

Ok, and what´s the problem? Many times (not only here in this thread) is shown how to do this....you have to READ the given answers...but I still do not believe that you know what you are talking about, nor able to understand the given hints...never mind, last one from me, i am out.

@all others, if you know something about hexspeak, have fun :lmao:

#AutoIt3Wrapper_UseX64=n
;#include "AssembleIt2_64.au3"


#cs separatestheboysfromthemen

    use32                                                                    ;32-Bitmode

    mov edi,edx                                                              ;hard stuff is our daily job...
    mov eax,0xDEADBEEF                                                       ;you have to know, i am old...
    xor eax, 0xB1D9CBAE
    mov dword[edi],eax
    mov eax,0xA921A444
    xor eax,0xC001D00D                                                       ;not to mention,
    mov dword[edi+4],eax
    mov eax,0x6FD9FA26
    xor eax,0xBADA55                                                         ;thats me, too^^
    mov dword[edi+8],eax
    mov eax,0xBAFD6182
    xor eax,0xBADC0DED                                                       ;yes thats true :o)
    mov dword[edi+12],eax

    ret

#ce


;~ $code_asm = _AssembleIt2("retbinary", "separatestheboysfromthemen");returns the opcodes...
;~ ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $code_asm = ' & $code_asm & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console
; _AssembleIt2("ptr", "separatestheboysfromthemen");...or executes the code



;this is how it works...copied from console
$code_asm = "0x89D7B8EFBEADDE35AECBD9B18907B844A421A9350DD001C0894704B826FAD96F3555DABA00894708B88261FDBA35ED0DDCBA89470CC3"

$struct_asm = DllStructCreate("byte[" & StringLen($code_asm) / 2 - 1 & "]")  ;platz für asmcode im speicher
$ptr_asm = DllStructGetPtr($struct_asm)                                      ;pointer asmcode
DllStructSetData($struct_asm, 1, $code_asm)                                  ;asmcode in struct schreiben


DllCallAddress("ptr:cdecl", $ptr_asm)                                        ;executes code

MsgBox(0, 0, BinaryToString(DllStructGetData($struct_asm, 1)))               ;surprise, surprise^^

 

Edited by AndyG
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...