Coding


ASM Tutorial?

Ivanziinho 2.0
post Sep 12 2011, 08:41 PM
Post #1


The New Guy!

Posts: 1
Joined: 7-September 11



Hello people,

I wonder if anyone could make a small tutorial about ASM Injections in SCM, as I can see in various scripts.
I already know the basics of Assembly and would like to use it in SCM.

Another doubt here: how do you know the opcodes in hex? (e.g. 6A = push)

Thanks.

This post has been edited by IvanzinhoX10: Sep 12 2011, 08:42 PM


--------------------
Bad Grammar? Please ignore, I'm Brazilian.
fastman92
post Sep 13 2011, 06:25 PM
Post #2


Trained Member

Posts: 77
Joined: 25-October 10



Download Cheat Strings Loader with included source.

I'm using Cheat Engine to compile mnemonics and see the ASM bytes of instructions.

Basics:
mov eax, [esp+4] - puts the value from the calculated address esp_val+4 into eax,
so there's a pointer at esp + 4 and we're reading that pointer.
lea eax, [esp+4] - a very misleading instruction which can seem like a mov equivalent to a beginner, although it works differently.
lea eax, [esp+4] will do the calculations and mov the result into eax here.

Difference:
mov eax, [esp+4] - on the right side: do the calculations (VALUE from ESP + 4), and the result is assumed to be a valid memory address. The value is taken from that address and stored to eax.
lea eax, [esp+4] - on the right side: do the calculations (VALUE from ESP + 4), but don't take the value from this address; just store that address or any calculated value to eax.

Stack, how it works:

esp - contains the address of temporary data used by functions.
[esp] - the last pushed value
pushing a value decreases the stack

push eax is:

esp -= 4
mov [esp], eax

So push eax subtracts 4 bytes from the current esp register and puts eax at the memory address stored in esp.

Many times __cdecl procedures are called by pushing parameters,
e.g.
push 53
push 2
call myFunction
But cdecl won't fix the stack address. The address in esp must be fixed, restored to its previous value.
CODE
add esp, 8   // it would be applied, because 2 pushes subtracted 8 from the stack


Popping fixes the stack while moving the current value back to a CPU register,
unlike add esp, 4 for example:
it fixes the stack, but the value doesn't go to any CPU register. That's the difference.

pop eax:
mov eax, [esp] // get the value from the current esp
esp += 4 // eax takes 4 bytes, which states how many bytes will be added to esp

Relative addresses
Addresses of jumps and calls are relative.
For example, we are at address 0x40.
There is
CODE
call 0x52


As a near call, in hex bytes it will be:
CODE
E8  0D 00 00 00


0D 00 00 00 = 0x0D // you should know how a 4-byte int is saved in hex
So the relative pointer is calculated from: DESTINATION - END_OF_CURRENT_INSTRUCTION
The end of the current instruction is 0x45; eip is here after the call is processed.
0x52 - 0x45 = 0xD
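The rel32 rule in the post above (displacement = destination minus the end of the call instruction, stored little-endian), as an added example that is not from the thread or from any of the tools it mentions. It encodes and decodes the 5-byte E8 (call) / E9 (jmp) forms, including backward targets, where the displacement is negative and lands in memory as two's complement; the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* A near call (E8) or near jmp (E9) with a 32-bit displacement is 5 bytes:
 * opcode + rel32. The CPU adds rel32 to the address of the *next*
 * instruction (insn_addr + 5), so rel32 = target - (insn_addr + 5). */
#define NEAR_INSN_LEN 5

/* Encodes the instruction into out[5] and returns the rel32 that was used.
 * Unsigned wraparound arithmetic yields the right two's-complement value
 * when the target lies before the instruction (negative displacement). */
int32_t encode_near(uint8_t opcode, uint32_t insn_addr, uint32_t target,
                    uint8_t out[NEAR_INSN_LEN]) {
    int32_t rel = (int32_t)(target - (insn_addr + NEAR_INSN_LEN));
    out[0] = opcode;
    for (int i = 0; i < 4; i++)                 /* little-endian: low byte first */
        out[1 + i] = (uint8_t)(((uint32_t)rel >> (8 * i)) & 0xFF);
    return rel;
}

/* Recovers the absolute target of an encoded near call/jmp located at
 * insn_addr. Adding the raw unsigned rel32 wraps correctly for negatives. */
uint32_t decode_near_target(uint32_t insn_addr, const uint8_t in[NEAR_INSN_LEN]) {
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++)
        rel |= (uint32_t)in[1 + i] << (8 * i);
    return insn_addr + NEAR_INSN_LEN + rel;
}

int main(void) {
    uint8_t buf[NEAR_INSN_LEN];
    /* the post's example: call 0x52 sitting at 0x40 -> E8 0D 00 00 00 */
    int32_t rel = encode_near(0xE8, 0x40, 0x52, buf);
    printf("rel32 = 0x%X, bytes:", (unsigned)rel);
    for (int i = 0; i < NEAR_INSN_LEN; i++) printf(" %02X", buf[i]);
    printf(", decodes to 0x%X\n", decode_near_target(0x40, buf));

    /* constructed backward jump: jmp 0xF0 sitting at 0x100 -> E9 EB FF FF FF */
    rel = encode_near(0xE9, 0x100, 0xF0, buf);
    printf("rel32 = %d (0x%08X), decodes to 0x%X\n", rel, (unsigned)rel,
           decode_near_target(0x100, buf));
    return 0;
}
```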
Deji
post Sep 14 2011, 05:17 PM
Post #3


Coding like a Rockstar!


Posts: 1,468
From: ???
Joined: 28-May 09



Or, there is a much easier way using CLEO 3:
SANNY
{$CLEO}
0A9F: 0@ = current_thread_pointer
0@ += 0x10
0A8D: 0@ = read_memory 0@ size 4 virtual_protect 0
0@ -= @_ASM
0AA5: call 0@ num_params 0 pop 0
0A93: end_custom_thread

:_ASM
hex
    C3  // ret
end


Of course, CLEO 4 simplifies things that bit extra...
SANNY
{$CLEO}
0AC6: 0@ = label @_ASM offset
0AA5: call 0@ num_params 0 pop 0
0A93: end_custom_thread

:_ASM
hex
    C3  // ret
end



For writing ASM in hex, use an assembly compiler or an online reference. I personally memorised a few of the instructions as well.


LINK/2012
post Sep 17 2011, 06:20 PM
Post #4


I will kill you

Posts: 126
Joined: 13-May 11



EDITED

This post has been edited by LINK2012: Sep 18 2011, 11:35 PM