InjectAndExecute Returns?



#1 Prodian Posted 16 November 2013 - 11:11 PM


This should return a pointer, correct?

sharp.Assembly.InjectAndExecute(asm);

Any idea why it's only returning "1"?

I thought it would return the pointer which could be read.

var injectPointer = sharp.Assembly.InjectAndExecute(asm);
varResult = sharp.ReadString(injectPointer); 

Thanks for the help.



#2 ZenLulz Posted 17 November 2013 - 02:25 AM

ZenLulz: Lead Developer (Administrators)

Hi, Prodian,

In fact, it depends on what you inject; in other words, it takes the return value (the value of EAX) given by your injected assembly code.

To observe this behavior, try to perform the following.

var result = sharp.Assembly.InjectAndExecute<int>("mov eax, 2");

Using the above code, the value of result will be 2.

I hope I clarified how the return value is retrieved.


Cheers,

ZenLulz



#3 Prodian Posted 17 November 2013 - 04:02 AM


Ok makes sense.

Here is what I have. Guess that explains why it's only returning "1".

There isn't a "mov eax" instruction.

sharp.WriteString(Codecave.BaseAddress, Command, false);

var asm = new[]
{
    "push 0",
    "push -1",
    "mov edx, " + Codecave.BaseAddress,
    "push edx",
    "call " + FrameScript__GetText,
    "add esp, 0Ch",
    "retn"
};

IntPtr inject = sharp.Assembly.InjectAndExecute(asm);

sResult = sharp.ReadString(inject);

Edited by Prodian, 17 November 2013 - 04:04 AM.


#4 ZenLulz Posted 17 November 2013 - 11:17 PM


The convention defines that the register EAX contains the return value of functions. In your example, EAX can be set by the function FrameScript__GetText.

You should check the return value of this function.

 

 

Cheers,

ZenLulz



#5 Prodian Posted 18 November 2013 - 04:30 AM


I added a "mov ["+pReturnBlock.BaseAddress+"], eax " instruction to return the pointer.

But when it tries to read the pReturnBlock.BaseAddress, it gives an ArgumentOutOfRangeException: The relative address cannot be greater than the main module size.

Any idea?

Thanks for all your help!

var pReturnBlock = sharp.Memory.Allocate(0x4);

sharp.Write<int>(pReturnBlock.BaseAddress, 0, false);

var asm = new[]
{
    "push 0",
    "push -1",
    "mov edx, " + Codecave.BaseAddress,
    "push edx",
    "call " + FrameScript__GetText,
    "add esp, 0Ch",
    "mov [" + pReturnBlock.BaseAddress + "], eax ",
    "retn"
};

sharp.Assembly.InjectAndExecute(asm);

sResult = sharp.ReadString(sharp.Read<IntPtr>(pReturnBlock.BaseAddress));

sharp.Memory.Deallocate(Codecave);


#6 ZenLulz Posted 18 November 2013 - 01:25 PM


You have to set the second parameter to false when reading the value within the memory.

sResult = sharp.ReadString(sharp.Read<IntPtr>(pReturnBlock.BaseAddress, false));

The address is then not rebased to the application module.


ZenLulz
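
The rebasing behaviour from posts #5 and #6, as an added example that is not part of the original thread and is not MemorySharp code: a small C# model in which a read treats its address as an offset into the main module unless told otherwise. The SimulatedProcess class, its members and every address below are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

// Constructed model of the relative/absolute addressing seen in this thread.
// Not MemorySharp code; module base, size and addresses are made up.
class SimulatedProcess
{
    public const long ModuleBase = 0x00400000;   // constructed main-module base
    public const long ModuleSize = 0x00200000;   // constructed main-module size
    private readonly Dictionary<long, int> memory = new Dictionary<long, int>();

    // A relative address is an offset into the main module; anything larger
    // than the module cannot be an offset and is rejected, as in post #5.
    public long MakeAbsolute(long address)
    {
        if (address > ModuleSize)
            throw new ArgumentOutOfRangeException(nameof(address),
                "The relative address cannot be greater than the main module size.");
        return ModuleBase + address;
    }

    public void Write(long address, int value, bool isRelative = true) =>
        memory[isRelative ? MakeAbsolute(address) : address] = value;

    public int Read(long address, bool isRelative = true) =>
        memory[isRelative ? MakeAbsolute(address) : address];
}

static class Program
{
    static void Main()
    {
        var proc = new SimulatedProcess();
        long allocated = 0x0A3F0000;   // constructed: an allocated block outside the module
        proc.Write(allocated, 0x1234, isRelative: false);

        try
        {
            proc.Read(allocated);      // default: address is taken as a module offset
        }
        catch (ArgumentOutOfRangeException e)
        {
            Console.WriteLine("relative read rejected: " + e.Message);
        }

        Console.WriteLine("absolute read: 0x{0:X}", proc.Read(allocated, isRelative: false));
        Console.WriteLine("module offset 0x10 -> 0x{0:X}", SimulatedProcess.ModuleBase + 0x10);
    }
}
```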
