ThisCall Convention



#1 iifuzz Posted 12 March 2014 - 01:44 AM


How do I use the InjectAndExecute method to call a function with the __thiscall convention?

The function should take two parameters as well. How do I pass the this pointer?



#2 ZenLulz Posted 13 March 2014 - 01:34 PM


Hello iifuzz,

In fact, the InjectAndExecute methods allow you to write your own assembly code and then call it. By design, the injected code must not receive any parameters in order to work.

Maybe you'd rather want to execute existing code in the remote process? For that, you can use the Execute methods, which allow you to specify parameters.

Best,

ZenLulz


#3 iifuzz Posted 13 March 2014 - 02:00 PM


Thanks for the response, Zen.

I have switched to using Execute with __thiscall. I assumed that the ecx register should be passed as the first parameter, and by following along in OllyDbg the parameters and ecx appear to be passed correctly. The call to the game seems to work in some cases, but I am crashing in others even though the values passed through are correct.

I know this probably isn't the right place to ask, but I have tried everything and any help would be great!

This is the game function I am calling:

PUSH EBP ; game.009B1870(guessed Arg1,Arg2)
MOV EBP,ESP
MOV EAX,DWORD PTR SS:[ARG.1]
SHL EAX,4
ADD EAX,DWORD PTR SS:[ARG.2]
IMUL EAX,EAX,164
LEA EDX,[ECX+EAX+48]
PUSH EDX ; /Arg1
CALL 009B0F10 ; \CRASH HERE
POP EBP
RETN 8

Here is a snippet of another game function calling this one:

MOV ECX,DWORD PTR DS:[EAX] ; Case 14 of switch game.9B262C
AND CL,DL
CMP CL,4
JNE SHORT 009B26AB
MOV ECX,DWORD PTR DS:[EAX+8]
AND CL,DL
CMP CL,4
JNE SHORT 009B26AB
MOV ECX,DWORD PTR DS:[EAX+0C]
MOV EAX,DWORD PTR DS:[EAX+4]
PUSH ECX ; /Arg2
MOV ECX,DWORD PTR DS:[ESI+233B4] ; |
PUSH EAX ; |Arg1
CALL 009B1870

I have tried using Execute with the __thiscall convention, and I have tried injecting assembly into a code cave and executing that. In both cases arg1, arg2, and ecx seem to be passed correctly, but it still results in a crash.

Here is the asm I injected into the code cave:

var asm = new[]
{
    "mov esi, " + esi,    // Probably not needed...

    "mov ecx, " + slot,   // arg
    "push ecx",
    "mov ecx, " + ecx,    // Set *this

    "push " + bar,        // arg

    "call " + address,    // Call function
    "retn"
};

Please, if you can spot what I am doing wrong, let me know.
