Viloresi  Expert Cheater  Reputation: 0
Joined: 02 Feb 2017  Posts: 149
Posted: Mon Apr 03, 2017 9:07 am  Post subject: How to jmp far in memory 64 bit?
Hello guys, I'm trying to run a function that I've injected with a DLL inside a process. The fact is that I want it to run like some sort of a code cave, so I'm trying to change a piece of the process's memory to make it execute my function at that desired point.
The fact is, this process is 64-bit, so my DLL is injected very far away from the address that I want to change (at least way more than 2 GB), so I can't use a near jmp to execute it...
I know I could use a far push and then ret, or better a far jmp, but the fact is that I don't know how to write the algorithm that calculates the bytes that I should write to set this jmp...
I know the first one is 0xFF, but I don't understand what I should put in the other 5 bytes, because I know I can't use the absolute address.
I'm using C++ in Visual Studio, with the Intel compiler.
Dark Byte  Site Admin  Reputation: 458
Joined: 09 May 2003  Posts: 25288  Location: The Netherlands
Posted: Mon Apr 03, 2017 9:36 am  Post subject:
Do a megajump instead of a far jump:
Code:
ff 25 00 00 00 00 xx xx xx xx xx xx xx xx
Replace xx xx xx xx xx xx xx xx with the destination address of where you want to jump to.
Keep in mind that this will overwrite 14 bytes, so you need to take that into account when calling the original code.
Alternatively, use a jump trampoline:
allocate a piece of code near the jmp origin so it's within 2 GB. Then in that allocated piece of code have the megajmp, and just do a 5-byte jmp to your allocated code.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Viloresi  Expert Cheater  Reputation: 0
Joined: 02 Feb 2017  Posts: 149
Posted: Mon Apr 03, 2017 10:01 am  Post subject:
Dark Byte wrote:
    Do a megajump instead of a far jump:
    Code:
    ff 25 00 00 00 00 xx xx xx xx xx xx xx xx
    Replace xx xx xx xx xx xx xx xx with the destination address of where you want to jump to.
    Keep in mind that this will overwrite 14 bytes, so you need to take that into account when calling the original code.
    Alternatively, use a jump trampoline:
    allocate a piece of code near the jmp origin so it's within 2 GB. Then in that allocated piece of code have the megajmp, and just do a 5-byte jmp to your allocated code.
Wow, ty Dark Byte, I didn't know about this megajump opcode! (I don't actually understand what that 0x25 and the 4 zeroes after the 0xFF mean to the machine, but it's just my curiosity lol)
Now I may have another question: the address of my function is stored inside a variable in my C++ code. Do you know a good way to separate its bytes and reverse them (as I know I should start reading each byte from the end to the start of the address)?
So it will be like:
Code:
__declspec(naked) void InfiniteAmmo()
{
    // my func
}
/* "InfiniteAmmo": I use this as the start address of my function, but I don't know how to separate it in bytes... to manually write it inside the megajump */
I've found this thread on Stack Overflow ( http://stackoverflow.com/questions/2747219/how-do-i-split-up-a-long-value-32-bits-into-four-char-variables-8bits-using ) but I can bet you know a better way to do that.
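An added example (not code from the thread or from Cheat Engine) that decodes the 14-byte stub Dark Byte posted, written from the side that has to find such hooks in a process rather than plant them. It also answers the 0x25 question: FF is the opcode, 0x25 is the ModRM byte selecting jmp qword ptr [rip+disp32], and the four zeros are a zero displacement, so the CPU loads its 8-byte target from the slot directly after the instruction. The scanner flags stubs whose target lies outside the module's own address range; sample_code and the module range are constructed values, not taken from any real image.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Megajump: FF 25 <disp32> = jmp qword ptr [rip+disp32], followed by the 8-byte slot it reads.
 * disp32 = 0 puts the slot right after the instruction, hence 14 bytes with the raw address after the zeros. */
#define MEGAJMP_LEN 14
/* Decode a megajump at code[off]: returns 1 and the absolute target, or 0 if the bytes are not FF 25 or the
 * slot falls outside the buffer. 0x25 is ModRM mod=00 reg=100 (/4 = jmp) rm=101, i.e. [RIP+disp32] in 64-bit mode. */
int decode_megajmp(const uint8_t *code, size_t len, size_t off, uint64_t *target)
{
    if (off + 6 > len || code[off] != 0xFF || code[off + 1] != 0x25)
        return 0;
    int32_t disp; memcpy(&disp, code + off + 2, sizeof disp);   /* signed disp32; little-endian host assumed */
    int64_t slot = (int64_t)(off + 6) + disp;                     /* RIP = start of the next instruction */
    if (slot < 0 || (uint64_t)slot + 8 > len)
        return 0;                                                 /* slot not inside the captured region */
    memcpy(target, code + slot, sizeof *target);
    return 1;
}

/* Count megajumps in a captured code region whose target lies outside [mod_lo, mod_hi), the image's own
 * range; a hook redirecting into an injected DLL shows up here. The first such target is stored in *first. */
size_t count_foreign_megajmps(const uint8_t *code, size_t len, uint64_t mod_lo, uint64_t mod_hi, uint64_t *first)
{
    size_t n = 0;
    for (size_t off = 0; off + MEGAJMP_LEN <= len; off++) {
        uint64_t target;
        if (!decode_megajmp(code, len, off, &target)) continue;
        if (target >= mod_lo && target < mod_hi) continue;        /* in-module indirect jmp: ordinary compiler output */
        if (n++ == 0 && first)
            *first = target;
    }
    return n;
}
/* Constructed sample: a prologue whose first 14 bytes were replaced by a megajump to the made-up
 * address 0x00007FF612345678, followed by a few original bytes that survived the overwrite. */
static const uint8_t sample_code[] = {
    0xFF, 0x25, 0x00, 0x00, 0x00, 0x00,                           /* jmp qword ptr [rip+0] */
    0x78, 0x56, 0x34, 0x12, 0xF6, 0x7F, 0x00, 0x00,               /* target, little-endian */
    0x48, 0x83, 0xEC, 0x28, 0xC3 };                               /* sub rsp, 28h ; ret */

int main(void)
{
    uint64_t t = 0;   /* the module range passed below is constructed, not a real image's */
    size_t n = count_foreign_megajmps(sample_code, sizeof sample_code, 0x7FF700000000ULL, 0x7FF700100000ULL, &t);
    printf("%zu foreign megajump(s), first target 0x%016llx\n", n, (unsigned long long)t);
    return 0;
}
```

In a live check the buffer would come from reading the target module's executable pages, and the range from its load base and image size.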
Dark Byte  Site Admin  Reputation: 458
Joined: 09 May 2003  Posts: 25288  Location: The Netherlands
Posted: Mon Apr 03, 2017 10:48 am  Post subject:
You don't split it up.
You just do:
Code:
*(ULONG_PTR *)addressofxxxxxxxxxxxxxxxxbytes = (ULONG_PTR)dlladdress;
Viloresi  Expert Cheater  Reputation: 0
Joined: 02 Feb 2017  Posts: 149
Posted: Mon Apr 03, 2017 12:48 pm  Post subject:
Dark Byte wrote:
    You don't split it up.
    You just do:
    Code:
    *(ULONG_PTR *)addressofxxxxxxxxxxxxxxxxbytes = (ULONG_PTR)dlladdress;
It works, thank you so much! Problem solved.