Suppose I want to replace the function prologue with a jmp to my allocated region (VirtualAllocEx). But the function prologue is only 3 bytes, and a jmp is 5 bytes. Like this:

```asm
55                  push ebp
8B EC               mov ebp, esp
833D C4354200 02    cmp dword ptr ds:[4235C4],2

E9 AD00000000       jmp 00140000   // replace above three instructions
```

If I want to overwrite the function prologue with a jmp, I also have to overwrite the third instruction following the function prologue.

So, if I want to replace the function prologue with an int3 in order to jump to my allocated region or to any other address, how do I do that?

I tried to do this with VEH or SEH, but I don't know how.

1 Answer

You need to write the original code (the one you quoted) on another memory location (just allocate something).

Write it while saving some space for the additional OpCodes (your custom new code). It doesn't have to fit exactly as you're allowed to fill the unused bytes with NOP (0x90 if I'm not mistaken).

Now, jump to this code from the original code.

I did this stuff when I was making game trainers years ago. Works very well.

One thing to note: your rewritten code should, at the end, jump back to the original place to continue the code flow.

Let me know if it's unclear.

answered 2012-04-26T03:50:18.493
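The detection-side counterpart of what the question and answer describe, added here as an example and not code from either post: it inspects the first bytes at a function entry for the two entry-point modifications discussed on this page (a 5-byte `E9` jmp and an `int3`) and, for a jmp, decodes the rel32 target and reports whether it leaves the owning module. The module base/size and function address are constructed, assumed values, and the "hooked" sample is the page's prologue overwritten with a jmp to 00140000.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict for the first bytes at a function's entry point. */
enum entry_verdict {
    ENTRY_CLEAN = 0,     /* neither a jmp rel32 nor an int3 at the entry */
    ENTRY_JMP_INTERNAL,  /* E9 jmp whose target stays inside the owning module */
    ENTRY_JMP_FOREIGN,   /* E9 jmp leaving the module: the classic inline hook */
    ENTRY_INT3           /* CC at the entry: software breakpoint / VEH-style hook */
};

/* Absolute target of a 5-byte "E9 rel32" jmp located at func_addr.
 * Addresses are 32-bit because the page's disassembly is x86-32. */
static uint32_t jmp_rel32_target(const uint8_t *code, uint32_t func_addr)
{
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return func_addr + 5u + rel;   /* next instruction + signed displacement, mod 2^32 */
}

/* Classify the entry bytes of a function belonging to the module
 * [mod_base, mod_base + mod_size). target_out receives the decoded jmp target. */
enum entry_verdict inspect_entry(const uint8_t *code, size_t len, uint32_t func_addr,
                                 uint32_t mod_base, uint32_t mod_size, uint32_t *target_out)
{
    if (len == 0) return ENTRY_CLEAN;
    if (code[0] == 0xCC) return ENTRY_INT3;
    if (code[0] != 0xE9 || len < 5) return ENTRY_CLEAN;   /* not a decodable jmp rel32 */
    uint32_t target = jmp_rel32_target(code, func_addr);
    if (target_out) *target_out = target;
    /* unsigned wrap makes this a single range check: target in [mod_base, mod_base+mod_size) */
    return (target - mod_base < mod_size) ? ENTRY_JMP_INTERNAL : ENTRY_JMP_FOREIGN;
}

int main(void)
{
    /* Constructed samples: the page's prologue, the same entry after "E9 jmp 00140000"
     * was written over it (NOP padded), and an int3 variant. Module assumed at
     * 0x00400000 with size 1 MiB; the function is assumed to sit at 0x00401000. */
    const uint8_t clean[]  = {0x55, 0x8B, 0xEC, 0x83, 0x3D, 0xC4, 0x35, 0x42, 0x00, 0x02};
    const uint8_t hooked[] = {0xE9, 0xFB, 0xEF, 0xD3, 0xFF, 0x90, 0x90, 0x90, 0x90, 0x90};
    const uint8_t bp[]     = {0xCC, 0x8B, 0xEC, 0x83, 0x3D, 0xC4, 0x35, 0x42, 0x00, 0x02};
    const uint8_t *samples[] = {clean, hooked, bp};
    const char *names[] = {"clean", "hooked", "int3"};
    for (int i = 0; i < 3; i++) {
        uint32_t target = 0;
        enum entry_verdict v = inspect_entry(samples[i], 10, 0x00401000u,
                                             0x00400000u, 0x00100000u, &target);
        printf("%-6s verdict=%d jmp_target=0x%08X\n", names[i], (int)v, target);
    }
    return 0;
}
```

A real scanner would read the bytes from the live process and take the module range from its image headers; an `E9` whose target stays inside the module is also what an incremental-link thunk or compiler tail jump looks like, which is why the two jmp verdicts are kept apart.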