Cheat Engine The Official Site of Cheat Engine
Uzeil Moderator Reputation: 6
Joined: 21 Oct 2006 Posts: 2411
Posted: Sun Mar 18, 2007 2:42 am Post subject: [Assembly] Storing the stack

This is a script to store the stack as well as all general registers (which will work dually for us).
I'm writing this as a means for an API hook. I saw someone not long ago ask for a way to read through the stack... well, here it is. (Also, I'm writing in CE's auto assembler format, i.e. alloc(), label().)
Code:
[enable]
alloc(myhook,124)
alloc(myarray,512)
label(again)
label(exit)

myarray:
dd 0

<address>:
call myhook

myhook:
push deadcafe        // sentinel between the pushad block and the caller's stack
pushad
cmp [myarray+20],0   // 20 hex = 32 bytes in: where deadcafe lands once a capture has run (CE literals are hex)
jne exit
mov eax,esp
mov ecx,myarray
again:
cmp ebp,eax          // stop once we reach ebp (change jle to jl if you also want [ebp])
jle exit
mov ebx,eax          // ebx = eax - esp = bytes copied so far ([eax-esp] is not a valid address form)
sub ebx,esp
cmp ebx,200          // 200 hex = 512 bytes, the size of myarray
jge exit
mov edx,[eax]
mov [ecx],edx
add eax,4
add ecx,4
jmp again            // back to the top of the loop; without this only one dword gets copied
exit:
popad
add esp,4            // drop deadcafe
<original opcodes>
ret

[disable]
<address>:
db 90 90 90 90 90
Now I'll break it apart for those who are wearing the [smiley], the [smiley], the [smiley], the [smiley], or even the [smiley] face.
Code:
alloc(myhook,124)
alloc(myarray,512)
label(again)
label(exit)

The 512 is what is important. Just remember that we only have 512 bytes to work with here. You can increase this to be able to capture more of that stack if it is that big, but otherwise... oh well. I included error safety for this.
Code:
<address>:
call myhook

This call is going to be 5 bytes. Take note of at least the first 5 bytes of opcodosity, and include nop's for anything extra.
Code:
myhook:
push deadcafe

This is so that in the data structure we are creating, you can know when we're switching from general purpose registers to the stack. (I could also push something more attention-catching like 12345678, whatever floats your boat. I personally enjoy cafes full of dead shit.)
pushad pushes the general registers in the following order (I double-checked):
EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI
Which means that when looking at the data structure/array that we are creating, you will see them like this (starting from the beginning of our structure to the end):
Code:
EDI
ESI
EBP
ESP
EBX
EDX
ECX
EAX
DEADCAFE
<address that you had the call come from>
<newest things on the stack>
...
<oldest shit on the stack>

Everything will be stored as dwords, just as the stack is. (We're working 32-bit here, so says our 'e'sp. And you can make sure of this by adding dword ptr if you're afraid of defaults.)
Code:
cmp [myarray+20],0   // 20 hex = 32 bytes (CE literals are hex)
jne exit

pushad would push 8 registers in total, all being dwords (4 bytes), which means that, after storing the stack in myarray, 32 bytes after the start would be deadcafe. (Some people might've at first seen that and said 'why not do cmp [myarray],0?'. Well, for all we know, edi is 0, and that wouldn't handle that issue. We only want to run through once (otherwise, take these two lines out).) After storing, deadcafe... will still be deadcafe. (Unless it gets revived and grows legs, we're pretty safe with its 4-byte value not being 0.)
Code:
mov eax,esp
mov ecx,myarray

First, we're storing eax with whatever esp is. This sets us up to be able to change eax (or technically even esp, because we could use eax to restore the stack. But that just isn't intelligent. Why fuck with the stack when you can use a register only?)
Then we set ecx up to hold the address of our array. This will reduce clocks on later loading, save us some bytes, and make it a much simpler process to write to nice, fresh memory.
Code:
again:
cmp ebp,eax          // exit once eax has climbed up to ebp
jle exit
mov ebx,eax          // ebx = eax - esp, the number of bytes copied so far
sub ebx,esp
cmp ebx,200          // 200 hex = 512 bytes, the size of myarray
jge exit

First, it checks if we've already met the old shit of the stack. If so, we pull ourselves out before trying to read any more. (I personally am not sure if reading [ebp] is a smart idea, but I voted 'no'. If you want [ebp], just change 'jle' to 'jl'.)
Then it checks if we've met the end of our allocated space. (32 is 512 in hexadecimal) Nothing else to really see here. If you don't want to have this anymore, just include a lot more than 512, or already know how big the stack is. (And no, you can't create some automation for the allocation to fit ebp - esp. Think of allocation like a preprocessor, because it is.)
Code:
mov edx,[eax]
mov [ecx],edx

Ok. So eax is the address of a location in the stack (first runthrough = the bottom/the last thing pushed, which in this case we know is edi from pushad, by the way). Now we're getting the 4-byte value of whatever was pushed, and storing it into edx.
Remember how ecx holds the address for myarray? Well, right here we're storing edx (read up to see what it holds) in uncharted territory of myarray.
Code:
add eax,4
add ecx,4
jmp again            // back to the top of the loop for the next dword

Like I said, we're storing 4-byte values. So right here, we are incrementing both where we read on the stack and where we store what we read in myarray. This is why we'll always be reading a different section and storing in a different section.
Code:
exit:
popad
add esp,4

First, restore all of our registers. Then restore the stack fully without having to pop into any other registers (deadcafe would still be there after the popad).
Code:
<original opcodes>
ret
[disable]
<address>:
db 90 90 90 90 90

Remember how I said to take note of those original opcodes? Well, this is where they go. Always remember the original opcodes.
Then it returns... yada yada.
Then in the disable section (for when you untick it), you can either put the original bytes or the opcodes themselves. Whichever. I put 5 nop's there just to remind you that the call was 5 bytes, so you're going to have 5 bytes there at the very least.
=)
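As an added example (not from the post or from Cheat Engine), here is a C model of the again:/exit: copy loop and a parser for the buffer it leaves in myarray, run over a constructed snapshot of the stack as it looks right after pushad; the register values 0x10..0x17 and the return address 0x00401005 are made-up sample data.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model (not the post's code): index 0 of the array is [esp],
 * higher indexes are older pushes, ebp points one past the region to read. */
#define MARKER     0xDEADCAFEu  /* the "push deadcafe" sentinel */
#define NUM_PUSHAD 8            /* pushad leaves 8 dwords: EDI..EAX from [esp] up */

typedef struct {
    uint32_t regs[NUM_PUSHAD];  /* buffer order: EDI ESI EBP ESP EBX EDX ECX EAX */
    uint32_t return_addr;       /* where "call myhook" came from */
    const uint32_t *stack;      /* the hooked code's own stack, newest first */
    size_t stack_dwords;
} capture_t;

/* The again:/exit: loop: copy dwords from esp up to (not including) ebp,
 * stopping once cap_bytes of output would be exceeded. Returns dwords copied. */
size_t capture_stack(const uint32_t *esp, const uint32_t *ebp,
                     uint32_t *out, size_t cap_bytes)
{
    size_t n = 0;
    for (const uint32_t *p = esp; p < ebp; p++) {     /* cmp ebp,eax / jle exit */
        if ((size_t)(p - esp) * 4 >= cap_bytes)        /* ebx = eax-esp; cmp ebx,cap */
            break;
        out[n++] = *p;                                 /* mov edx,[eax] / mov [ecx],edx */
    }
    return n;
}

/* Split a captured buffer into the pieces the post lists. Returns 0 when the
 * sentinel is not at offset 0x20, i.e. the buffer was not filled by this hook. */
int parse_capture(const uint32_t *buf, size_t n, capture_t *c)
{
    if (n < NUM_PUSHAD + 2 || buf[NUM_PUSHAD] != MARKER)
        return 0;
    for (size_t i = 0; i < NUM_PUSHAD; i++)
        c->regs[i] = buf[i];
    c->return_addr  = buf[NUM_PUSHAD + 1];
    c->stack        = buf + NUM_PUSHAD + 2;
    c->stack_dwords = n - (NUM_PUSHAD + 2);
    return 1;
}

/* Constructed sample of the stack right after "push deadcafe; pushad". */
static const uint32_t sample_stack[16] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,  /* EDI..EAX */
    MARKER, 0x00401005,                               /* deadcafe, return address */
    84, 52, 0, 0x77, 0x88, 0x99 };                    /* caller's stack, newest first */
```

Passing a cap of 40 bytes shows the bounds check cutting the copy short, and a buffer that does not start at the pushad block fails the sentinel check.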

furiosity Master Cheater Reputation: 0
Joined: 03 Oct 2006 Posts: 448 Location: The Netherlands
Posted: Sun Mar 18, 2007 3:05 am

Very nice, you explained it so everybody can understand it. Good job (Y)

--Pillboi-- Grandmaster Cheater Supreme Reputation: 0
Joined: 06 Mar 2007 Posts: 1383 Location: I don't understand the question. Is this a 1 to 10 thing?
Posted: Sun Mar 18, 2007 3:13 am

Nice, thx a lot. Obviously I know but you might want to explain what a stack is. With pics. XD
--Pillboi--

Disgruntled Citizen Master Cheater Reputation: 0
Joined: 03 Oct 2006 Posts: 462 Location: Canada
Posted: Sun Mar 18, 2007 3:16 am

Wonderful job, I just learned some Assembly, with no questions at the end. Good job!

Flexi Grandmaster Cheater Supreme Reputation: 0
Joined: 05 Dec 2006 Posts: 1544 Location: Singapore
Posted: Sun Mar 18, 2007 4:03 am

Any question, you can ask me too.

Uzeil Moderator Reputation: 6
Joined: 21 Oct 2006 Posts: 2411
Posted: Sun Mar 18, 2007 4:13 am

If anyone wants to post a stack of books,
then the desk they are on suddenly moving down a little,
then a new book being shoved in before the others fall...
Now we've got our own stack, taking into consideration that the newest things pushed are actually less than the older things.

xlcs Grandmaster Cheater Reputation: 0
Joined: 14 Nov 2006 Posts: 945
Posted: Sun Mar 18, 2007 4:36 am

What's the difference between:
ebp and esp?
ebp, [ebp], ss:[ebp], ss:ebp (if there is one)

Uzeil Moderator Reputation: 6
Joined: 21 Oct 2006 Posts: 2411
Posted: Sun Mar 18, 2007 4:50 am

Well, I tested some things with Delphi's inline assembly (once I figure out how to convert numbers to strings in masm, I'll try that as well) and ss:[esp] and plain [esp] both worked just fine :S
Difference:
[esp] = last thing pushed onto the stack
[ebp] = oldest thing pushed onto the stack.
Code:
push 0
push 52
push 84

[esp] would be 84 after this code,
then [esp+4] would be 52,
and [esp+8] would be 0, and so on (other things should have been pushed before this as well).

xlcs Grandmaster Cheater Reputation: 0
Joined: 14 Nov 2006 Posts: 945
Posted: Sun Mar 18, 2007 5:18 am

Everything pushed onto the stack is 4 bytes no matter what?
And if ebp is the oldest thing, then [ebp+4] is the second oldest thing?
And is there such a thing as ebp or esp without the brackets?

XxOsirisxX Grandmaster Cheater Supreme Reputation: 0
Joined: 30 Oct 2006 Posts: 1597
Posted: Tue Mar 20, 2007 4:44 pm

xlcs wrote:
    everything pushed inside the stack is 4 bytes no matter what?
    and if ebp is the oldest thing then [ebp+4] is the second oldest thing?
    and is there such a thing as ebp or esp without the brackets?

Yeah, E Stack Pointer, they can be without the brackets, like mov [ebp-18],esp, like an example.

xlcs Grandmaster Cheater Reputation: 0
Joined: 14 Nov 2006 Posts: 945
Posted: Thu Mar 22, 2007 6:57 am

LOL, busted! Don't ban me, I'm good...
Actually I'm trying to say, what's the difference between [esp] and esp?
[esp] is the value that is stored inside the stack location, right?
So, esp will be the location of the stack? Or there's no such thing?