The original code

Let's begin by taking a quick look at the original code of the procedure we planted into the executable as part of our patch. The code is quite straightforward and, knowing what we already know, is easy to read:

; First of all we tell the assembler
; that this is a 32-bit code
use32

; Tell the assembler that we are expecting
; this code to appear at 0x41e000
org 0x41e000

; Define labels for "external" procedures
; we are about to use
label fgets at 0x414bd8
label __acrt_iob_func at 0x41b180

; Implement the procedure
fgets_patch:

; We begin the procedure with the standard
; prolog for cdecl calling convention
push ebp
mov ebp, esp

; As we need the pointer to the stdin stream
; we call the __acrt_iob_func procedure
push 0 ; This is the number of the stream
call dword[__acrt_iob_func]
add esp, 4 ; Restore the stack pointer

; Forward the parameter (char*) and
; invoke fgets()
push eax ; Contains pointer to the stdin stream
push 128 ; Maximum input length
push dword[ebp + 8] ; Pointer to the receiving buffer
call fgets
add esp, 4 * 3 ; Restore the stack pointer

; Standard epilog for procedures using cdecl
; calling convention
mov esp, ebp
pop ebp
ret

The code is rather simple, and it is fairly difficult to find anything here that is worth protecting. Since that is the case, we will use this example to show how easily a call instruction may be replaced with a sequence of other instructions that neither points at the callee nor resembles a procedure call at all.
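Before moving on to the call instruction, here is the contract of the planted procedure modelled in C, as an added example that is not code from the book or from the patched program: the buffer handed to the procedure is assumed to hold at least 128 bytes (the limit pushed before the call), and the POSIX fmemopen() stands in for the stdin stream the real patch obtains through __acrt_iob_func(0), so the checks run without a terminal. It also covers the case the listing leaves implicit: a line longer than 127 characters is split across calls, and the newline stays in the buffer whenever it fits.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define PATCH_LIMIT 128           /* the "push 128" in the listing */

/* Same contract as fgets_patch: one buffer pointer (assumed to hold at
 * least PATCH_LIMIT bytes), at most PATCH_LIMIT-1 characters plus NUL,
 * read from the stream the real patch gets from __acrt_iob_func(0). */
char *fgets_patch_stream(char *buf, FILE *in)
{
    return fgets(buf, PATCH_LIMIT, in);
}

char *fgets_patch(char *buf)          /* the planted procedure, on stdin */
{
    return fgets_patch_stream(buf, stdin);
}

/* Call the wrapper `calls` times over constructed input `text` and return
 * the length of the last line read, or -1 once the input is exhausted.
 * fmemopen() stands in for stdin so the check runs without a terminal. */
int read_line_len(const char *text, int calls)
{
    char buf[PATCH_LIMIT];
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    int len = -1;
    if (in == NULL)
        return -2;                    /* -2: could not open the input */
    while (calls-- > 0) {
        if (fgets_patch_stream(buf, in) == NULL) {
            len = -1;                 /* EOF: the wrapper returns NULL */
            break;
        }
        len = (int)strlen(buf);       /* includes the '\n' when it fit */
    }
    fclose(in);
    return len;
}

/* Same check for a constructed line of n 'A' characters followed by '\n'. */
int long_line_len(int n, int calls)
{
    char text[512];
    if (n < 0 || n > 510)
        return -2;
    memset(text, 'A', (size_t)n);
    text[n] = '\n';
    text[n + 1] = '\0';
    return read_line_len(text, calls);
}
```

A caller that expects the input without its trailing newline has to strip it itself; the procedure returns it exactly as fgets() does.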
