Home/ Questions/Q 3661902
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-19T01:21:24+00:00

I am changing minesweeper.exe in order to have an understanding of how code injection

  • 0

I am changing minesweeper.exe in order to have an understanding of how code injection works. Simply, I want the minesweeper to show a message box before starting. So, I find a “cave” in the executable and then define the string to show in messagebox and call the messagebox. Additionally of course, I have to change the value at module entry point of the executable and first direct it to my additional code, then continue its own code.
So at the cave what I do;

"hello starbuck",0

push 0 //arg4 of MessageBoxW function
push the address of my string //arg3, must be title
push the address of my string //arg2, must be the message
push 0  //arg1
call MessageBoxW
...

Now since the memory addresses of codes in the executable change everytime it is loaded in the memory, for calling the MessageBoxW function, I give the offset of the address where MessageBoxW is defined in Import Address Table. For instance, if MessageBoxW is defined at address1 in the IAT and the instruction just after call MessageBoxW is at address2
instead of writing call MessageBoxW, I write call address2 - address1.

So my question is, how do I do it for pushing the string’s address to the stack?
For example, if I do these changes via ollydbg, I give the immediate address of “hello starbuck” for pushing and it works. But after reloading the executable or starting it outside of ollydbg, it naturally fails, since the immediate addresses change.

Thanks in advance,
Yigit.

Edit : Now this problem happens because the high-word of Module Entry Point changes everytime the exe is opened. So, in order to see how other strings are pushed to the stacks, I did this :

I found the “Destroy Canvas” string in the code. It is at the address : 00403E44. And at the address 0042878E, there is the instruction PUSH 00403E44 (68 44 3E 40 00) which means the pointer to the string is pushed to the stack. Then I opened the exe in UltraEdit, found the corresponding address, which is 00027D8E. There, instead of “68 44 3E 40 00”, it writes “68 44 3E 00 01”. Now it means that when OllyDbg loads the exe, it updates these codes; 00 01 to 40 00. I looked at the other strings, and their push instructions are likewise. So I thought maybe if I write “68 DA 9A 00 01” instead of “68 DA 9A 40 00” in UltraEdit in order to push the string, it’ll be updated too. But it doesn’t. When I open the exe in OllyDbg after this, the address to be pushed remains “01009ADA”.

So I think there must be something which organizes these “updating code” procedures. Maybe it has something to do with the relocation tables, I don’t know.

Would you think that maybe I should ask this as another question?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Your solution:

    The string you add should be UTF-16.

    For string “Hello” you should write “H.e.l.l.o” the dot being 00h. Make sure that at the end of this string there are at least 00h00h00h (3 X 0’s)
    Also make sure that when you cal msgbox you call it with dword ptr[]
    CALL DWORD PTR DS:[10010B8]

    In details:

    At the end of the program, near LoadLibrary string (which is not unicode), add your string in UTF-16, ie each ASCII character separated by 00h and with unicode string termination at least 00h00h (00h is represented by a dot in the dump window of ollydbg)

    At the entry point of the program you probably have this:

    01003E21 PUSH 70
01003E23 PUSH winmine_.01001390
01003E28 CALL winmine_.0100400C

    Replace it with JMP 01004A5F by double clicking on the PUSH 70 line: (don’t write “winmine_.”)

    01003E21 JMP winmine_.01004A5F
01003E26 NOP
01003E27 NOP
01003E28 CALL winmine_.0100400C

    At 01004A5F you inject your code:

    01004A5F PUSH 0
01004A61 PUSH winmine_.01004A5F
01004A66 PUSH winmine_.01004A5F
01004A6B PUSH 0
01004A6D CALL DWORD PTR[010010B8] ;msgbox

    And add the original code that you deleted when adding your jump at the entry point, then jump back to the normal program execution:

    01004A72 PUSH 70
01004A74 PUSH winmine_.01001390
01004A79 JMP winmine_.01003E28

    To find the address of MessageBoxW, press CTRL+N and you will get an ordered list of registered functions.

    As for the string, it looks like this:

    01004A58 UNICODE "Hello",0

    Enjoy.

    Original post:
    When you’ve injected your string in the exe, in OllyDbg try to right-click on the disassembly window and search->all reference text string.
    There you should be able to find your string and its address.

    Here are 2 articles that you should read carefully:

    http://osix.net/modules/article/?id=633

    In part2 of this article it is explained how you can replace an existing (unused) string in the exe with your own message and how to call it with your custom function.

    http://osix.net/modules/article/?id=758

    In part2 of this article there is an explanation about the text section and strings and how to reference to them.

    That should give you plenty of informations to start resversing a windows application.

    As a bonus tutorial on reversing windows games:
    http://osix.net/modules/article/?id=723 (freecell)

    • 0