
Text Address

PostPosted: Thu Jul 09, 2009 1:24 am
by bobshandel
I need some help. I found the address of some text; however, that address changes, so I found out what wrote to it and got:

77189b2b - mov [edi],al
77189b30 - mov [edi+01],al
76064195 - and word ptr [esi+edi],00
77189926 - mov [edi+ecx*4-04],eax
76064250 - mov byte ptr [esi+edi],00
76064258 - and word ptr [esi+edi], 00

Could somebody tell me what's going on in this code? I've tried to make a code cave and did

mov al, 400420

and it would only display one letter of the text, and sometimes it was some weird character even when I had just typed a normal letter. So can somebody help me out? I'm trying to figure out a way to copy this text that changes addresses to a static address I could find every time.

PostPosted: Fri Jul 10, 2009 3:24 pm
by WhiteHat
I’m just a beginner at ASM, but allow me to help a little...

First, the code that wrote to your address resides at high memory addresses (0x76nnnnnn ~ 0x78nnnnnn). Most likely it is part of OS modules. Any knowledge about API (?) programming will help you a lot (I suppose that L. Spiro will have the answer)...

Next, you tried to do this injection: mov al, 400420.
That looks inappropriate, as the AL register is the lowest byte of a double-word value, or its size should be one byte long.

If, for example, EAX = 0x12345678, then:
- AX = 0x5678
- AH = 0x56
- AL = 0x78

So your injection should be like this: mov eax, 400420.

Hope this helps a little, and please correct me if I'm wrong...

PostPosted: Tue Jul 14, 2009 10:19 am
by L. Spiro
As mentioned, you are looking at OS modules, and those functions work with strings (no surprise, since you were searching for a string).

Look up the 1-byte AL register on Google.

All that is happening in that code is moving things from the AL register to a memory address, checking for 0 (AND), moving 4 bytes at a time to a memory address, moving a constant (00) to a memory address, and checking a 2-byte memory address with 0 (AND again).

MOV and AND can also be found on Google.
There is nothing special in this code.
The reason your code failed is that you tried to move multiple bytes to a single-byte memory address.
And a string must terminate with 0. So if you do not write a 0 at the end and try to print it, the best case is that you will see garbage.


L. Spiro
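To make WhiteHat's register breakdown and L. Spiro's explanation concrete, here is an added C model (not code from either poster or from the OS module) of what the traced instructions do to memory: a union showing how AL/AH/AX overlay EAX on a little-endian x86 host, a one-byte store that drops everything but AL, and a copy routine that writes whole dwords, then single bytes, then the 0 terminator. The value 0x400420 and the sample strings are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Model of an x86 general-purpose register. Assumes a little-endian host
 * (as x86 is), so AL is the lowest byte of EAX and AH the next one. */
typedef union {
    uint32_t eax;
    uint16_t ax;
    struct { uint8_t al, ah; } b;
} x86_reg;

/* Emulate "mov [edi],al": only the lowest byte of the value reaches memory.
 * A 32-bit constant loaded into AL is therefore silently truncated. */
void mov_byte(uint8_t *edi, uint32_t value) {
    x86_reg r = { .eax = value };
    *edi = r.b.al;
}

/* Emulate "mov [edi+ecx*4-04],eax": a full 4-byte store. */
void mov_dword(uint8_t *edi, uint32_t value) {
    memcpy(edi, &value, 4);
}

/* Copy a C string into a static buffer the way the traced code does:
 * whole dwords first, the remaining bytes one at a time, then the 0
 * terminator ("mov byte ptr [esi+edi],00"). Truncates to fit the buffer.
 * Returns the number of bytes written, including the terminator. */
size_t copy_to_static(uint8_t *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (n + 1 > cap) n = cap - 1;          /* leave room for the 0 */
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {           /* dword stores */
        uint32_t w;
        memcpy(&w, src + i, 4);
        mov_dword(dst + i, w);
    }
    for (; i < n; i++)                     /* byte stores */
        mov_byte(dst + i, (uint8_t)src[i]);
    dst[n] = 0;                            /* the terminator the injection forgot */
    return n + 1;
}

int main(void) {
    uint8_t buf[16];
    memset(buf, 0xAA, sizeof buf);         /* stand-in for stale memory */
    mov_byte(buf, 0x400420);               /* "mov al, 400420": one byte, no 0 */
    printf("after mov al: %02x %02x ...\n", buf[0], buf[1]);
    copy_to_static(buf, sizeof buf, "hello");
    printf("after copy_to_static: %s\n", (char *)buf);
    return 0;
}
```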