Monitoring opcode - c++

I am trying to monitor the assembly instructions of a functions opcode. I get the functions size in bytes by subtracting a stub address from the functions in memory. I am currently only looking for the mov instruction. When I display the currentByte, it outputs only Ú, which has a hex value of 0xDA, which is FIADD in assembly http://ref.x86asm.net/coder32.html#xDA Why does no mov instruction display?
#include <iostream>
#include <Windows.h>
#include <ctime>
#include <vector>
#define PUSH 0x50
#define POP 0x58
#define MOV 0xB8
#define NOP 0x90
#define ADD 0x01
#define AND 0x21
#define XOR 0x31
#define OR 0x09
#define SBB 0x19
#define SUB 0x29
using namespace std;
int add(int x, int y)
{
int result;
__asm
{
mov eax, x
add eax, y
mov result, eax
xor eax, eax
}
return result;
}
void stub() { return; }
DWORD GetFunctionSize(DWORD* functionStartAddress, DWORD* stub)
{
DWORD dwOldProtect;
DWORD *func, *stubAddr;
func = (DWORD*)functionStartAddress;
stubAddr = (DWORD*)stub;
DWORD size = func - stubAddr;
VirtualProtect(func, size, PAGE_EXECUTE_READWRITE, &dwOldProtect);
return size;
}
void GetCurrentByte(PVOID function)
{
vector<PBYTE> currByte;
PBYTE pCurrentByte = (PBYTE)function;
if (*pCurrentByte == MOV)
{
cout << "MOV instr.\n";
}
cout << *pCurrentByte;
currByte.push_back(pCurrentByte);
}
int main()
{
DWORD size = GetFunctionSize((DWORD*)&add, (DWORD*)&stub);
for (int i = 0; i < size; i++)
{
GetCurrentByte(add);
}
system("pause");
return 0;
}


Why does no mov instruction display?
If you are in debugging mode, you need to know that you are passing a wrong address to the GetCurrentDate(PVOID), thats mean you are reading bytes from a wrong address and there is another few mistakes, to solve this issue follow those steps :
Firstly, the code bytes generated from :
mov eax, x // code bytes: 8B 45 08
mov result, eax // code bytes: 89 45 FC
0x8B and 0x89 are the values that you should look for inside your add(int, int) function.
secondly, to get the address of the first byte of your add(int, int) function i suggest to use this function :
#define ASM_CALL 0x000000E8
#define ASM_JMP 0x000000E9
#define ASM_CALL_SIZE 0x00000001
#define ASM_CALL_FULL_SIZE 0x00000005
DWORD GetFuncAddress(DWORD funcAddress)
{
BYTE calledAddress = *(BYTE*)funcAddress;
while (calledAddress == ASM_CALL || calledAddress == ASM_JMP) {
funcAddress = funcAddress + *(DWORD*)(funcAddress + ASM_CALL_SIZE) + ASM_CALL_FULL_SIZE;
calledAddress = *(BYTE*)funcAddress;
}
return funcAddress; // The address of the first byte of the function.
}
thirdly, i suggest an optimization inside your GetFunctionSize(DOWRD), as you know that your add function ends with a single return :
return result; // code bytes: C3
why not just loop throw the bytes of the add function, so when you find a byte equivalente to 0xC3, you will end up with the exact size of your function (in bytes), this code will make things clear:
#define ASM_RET 0xC3
SIZE_T GetFunctionSize(DWORD functionAddress)
{
SIZE_T funcSize = 0;
// Loop thru func's bytes, and breaks when return byte found.
while (*((PBYTE)functionAddress++) != RET)
funcSize++;
return funcSize;
}
fourthly, the GetCurrentByte(PVOID) function needs some maintenance, so i suggest :
#define ASM_MOV1 0x8B
#define ASM_MOV2 0x89
VOID GetCurrentByte(DWORD functionAddress, UINT &index)
{
BYTE tempByte = *((PBYTE)functionAddress + index);
// search for bytes which contains a mov instruction:
if (tempByte == ASM_MOV1 || tempByte == ASM_MOV2)
cout << "MOV instr found at : " << hex << ((DWORD)functionAddress + index) << endl;
}
finally, the full code will be like this :
#include <iostream>
#include <Windows.h>
#define ASM_RET 0xC3
#define ASM_MOV1 0x8B
#define ASM_MOV2 0x89
#define ASM_CALL 0xE8
#define ASM_JMP 0xE9
#define ASM_CALL_SIZE 0x01
#define ASM_CALL_FULL_SIZE 0x05
using namespace std;
INT add(INT x, INT y)
{
int result;
__asm
{
mov eax, x
add eax, y
mov result, eax
xor eax, eax
}
return result;
}
DWORD GetFuncAddress(DWORD funcAddress)
{
BYTE calledAddress = *(BYTE*)funcAddress;
while (calledAddress == ASM_CALL || calledAddress == ASM_JMP) {
funcAddress = funcAddress + *(DWORD*)(funcAddress + ASM_CALL_SIZE) + ASM_CALL_FULL_SIZE;
calledAddress = *(BYTE*)funcAddress;
}
return funcAddress;
}
SIZE_T GetFunctionSize(DWORD functionAddress)
{
SIZE_T funcSize = 0;
while (*((PBYTE)functionAddress++) != ASM_RET)
{
funcSize++;
}
return funcSize;
}
VOID GetCurrentByte(DWORD functionAddress, UINT &index)
{
BYTE tempByte = *((PBYTE)functionAddress + index);
if (tempByte == ASM_MOV1 || tempByte == ASM_MOV2)
cout << "MOV instr found at : " << hex << ((DWORD)functionAddress + index) << endl;
}
INT main()
{
DWORD funcAddress = GetFuncAddress((DWORD)add); // Get func address.
SIZE_T size = GetFunctionSize(funcAddress); // Get func size (bytes).
for (UINT i = 0; i < size; i++) // loop thru the function memory block.
{
GetCurrentByte(funcAddress, i);
}
system("pause");
return 0;
}
Don't be surprised if you found many MOV instructions in your function because the compiler created them.
Amrane Abdelkader.


GetCurrentByte() looks at the first byte every time you call it. Looking at the first byte size times doesn't help you.

Related

how can I change modular code to OOP design?

I am trying to porting this sample of self-mutation of c to c++, but i am having problems with pointers to make it work this example for c++ OOP. I have changed this the part of displaying the data , but how can I change the rest of pointers?
aa.h
void aa::display(std::string data){
const char* str;
str = data.data();
std::cout << str << std::endl;
}
void aa::printfFunctionStub() {}
void aa::enc(DWORD dwAddress, DWORD dwSize) {
__asm {
mov ecx, dwAddress
add ecx, dwSize
mov eax, dwAddress
C_loop :
xor byte ptr ds : [eax], 0x5A
inc eax
cmp eax, ecx
jl C_loop;
}
}
aa.cpp
class aa{
public:
void debugger();
bool IsVmRunning();
void sandbox();
void foo(void);
void display(std::string data);
void printfFunctionStub();
void enc(DWORD dwAddress, DWORD dwSize);
};
main.cpp
int main(){
DWORD dwPrintFunctionSize = 0, dwOldProtect;
DWORD *fA = NULL, *fB = NULL;
// Obtain the addresses for the functions so we can calculate size.
fA = (DWORD *)&printfFunction;
fB = (DWORD *)&printfFunctionStub;
// Get total function size
dwPrintFunctionSize = (fB - fA);
// Test the function
aa.display("Hello A!\n");
// We need to give ourselves access to modifify data at the given address
VirtualProtect(fA, dwPrintFunctionSize, PAGE_READWRITE, &dwOldProtect);
enc((DWORD)fA, dwPrintFunctionSize); // XOR encrypt the function
enc((DWORD)fA, dwPrintFunctionSize); // XOR decrypt the function
// Restore the old protection
VirtualProtect(fA, dwPrintFunctionSize, dwOldProtect, NULL);
// Test the function
aa.display("Hello B!\n");
_getch();
return 0;
}

Too Few Arguments & Expected A Declaration

I can't seem to figure out what is wrong with a game hack that makes the character auto jump for faster movement and I may sound very to dumb to what easy of an error it probably is so if anyone could help me that would be much appreciated!
#include <Windows.h>
Memory Mem;
#define key_space 0x20
#define key9 0x39
#define key_sc 0x0A
void bhopFunc();
const DWORD localBase = 0xA6C90C;
const DWORD flagOffset = 0x100;
void bhopFunc() {
int FL_ONGROUND = 257;
Mem.Process("csgo.exe");
DWORD ClientDLL = Mem.Module("client.dll");
}
if (GetAsyncKeyState(key_space) & 0x8000 && m_fFlags == FL_ONGROUND) {
keybd_event(KEY9, KEY9SC, 0, 0);
keybd_event(KEY9, KEY9SC, KEYEVENTF_KEYUP, 0);
}
int main()
{
while (true) {
bhopFunc();
}
}
}

The 4 lines of code above int main() are supposed to be inside your bhopFunct() function.
Here is your code fixed:
#include <Windows.h>
#define key_space 0x20
#define key9 0x39
#define key_sc 0x0A
void bhopFunc();
const DWORD localBase = 0xA6C90C;
const DWORD flagOffset = 0x100;
void bhopFunc() {
int FL_ONGROUND = 257;
Mem.Process("csgo.exe");
DWORD ClientDLL = Mem.Module("client.dll");
if (GetAsyncKeyState(key_space) & 0x8000 && m_fFlags == FL_ONGROUND)
{
keybd_event(KEY9, KEY9SC, 0, 0);
keybd_event(KEY9, KEY9SC, KEYEVENTF_KEYUP, 0);
}
}
int main()
{
while (true)
{
bhopFunc();
}
}

How do I compile inline assembly using x64 architecture with visual studio 2012?

I'm trying to compile an inline assembly code which works fine with x86 but as I learned you cannot compile inline assembly code with x64. Is there a work around for this? Any help appreciated. The code segment that I use _asm:
int vfscanf(FILE* file, const char *format, va_list argPtr)
{
size_t count = 0;
const char* p = format;
while(1)
{
char c = *(p++);
if (c == 0)
break;
if (c == '%' && (p[0] != '*' && p[0] != '%'))
++count;
}
if (count <= 0)
return 0;
int result;
_asm
{
mov esi, esp;
}
for (int i = count - 1; i >= 0; --i)
{
_asm
{
mov eax, dword ptr[i];
mov ecx, dword ptr [argPtr];
mov edx, dword ptr [ecx+eax*4];
push edx;
}
}
int stackAdvance = (2 + count) * 4;
_asm
{
mov eax, dword ptr [format];
push eax;
mov eax, dword ptr [file];
push eax;
call dword ptr [fscanf];
mov result, eax;
mov eax, dword ptr[stackAdvance];
add esp, eax;
}
return result;
}
The code segment that I call this function:
int scan(const char * _Format, ... )
{
va_list args;
va_start(args, _Format);
_interlockedbittestandset()
int result = vfscanf(_ptr, _Format, args);
va_end(args);
return result;
}

Is there a way to implement a wrapper function for fscanf?

I was trying to write a wrapper function for all file operations. But I couldn't manage to implement wrapper function for fscanf. My own function is like this:
scan(const char * _Format, ... )
{
va_list args;
va_start(args, _Format);
int result = ::fscanf(_ptr, _Format, args);
va_end(args);
return result;
}

You need to use vfscanf. See more on vfscanf.
int scan(const char * _Format, ... )
{
va_list args;
va_start(args, _Format);
int result = ::vfscanf(_ptr, _Format, args);
va_end(args);
return result;
}

Alternatively to the use to vfscanf which takes a va_list, you may use variadic template:
template <typename ... Ts>
int scan(const char* format, Ts&&... args)
{
int result = ::fscanf(_ptr, format, std::forward<Ts>(args)...);
return result;
}

For the ones who have to use an older standard than C++11 you can implement your own vfscanf function like the following:
int vfscanf(FILE* file, const char *format, va_list argPtr)
{
size_t count = 0;
const char* p = format;
while(1)
{
char c = *(p++);
if (c == 0)
break;
if (c == '%' && (p[0] != '*' && p[0] != '%'))
++count;
}
if (count <= 0)
return 0;
int result;
_asm
{
mov esi, esp;
}
for (int i = count - 1; i >= 0; --i)
{
_asm
{
mov eax, dword ptr[i];
mov ecx, dword ptr [argPtr];
mov edx, dword ptr [ecx+eax*4];
push edx;
}
}
int stackAdvance = (2 + count) * 4;
_asm
{
mov eax, dword ptr [format];
push eax;
mov eax, dword ptr [file];
push eax;
call dword ptr [fscanf];
mov result, eax;
mov eax, dword ptr[stackAdvance];
add esp, eax;
}
return result;
}
For further information.

Getting the machine serial number and CPU ID using C/C++ in Linux

How can I get the machine serial number and CPU ID in a Linux system?
Sample code is highly appreciated.

Here is what the Linux kernel seems to use:
static inline void native_cpuid(unsigned int *eax, unsigned int *ebx,
unsigned int *ecx, unsigned int *edx)
{
/* ecx is often an input as well as an output. */
asm volatile("cpuid"
: "=a" (*eax),
"=b" (*ebx),
"=c" (*ecx),
"=d" (*edx)
: "0" (*eax), "2" (*ecx));
}
which one then can use as e.g.:
#include <stdio.h>
int main(int argc, char **argv)
{
unsigned eax, ebx, ecx, edx;
eax = 1; /* processor info and feature bits */
native_cpuid(&eax, &ebx, &ecx, &edx);
printf("stepping %d\n", eax & 0xF);
printf("model %d\n", (eax >> 4) & 0xF);
printf("family %d\n", (eax >> 8) & 0xF);
printf("processor type %d\n", (eax >> 12) & 0x3);
printf("extended model %d\n", (eax >> 16) & 0xF);
printf("extended family %d\n", (eax >> 20) & 0xFF);
/* EDIT */
eax = 3; /* processor serial number */
native_cpuid(&eax, &ebx, &ecx, &edx);
/** see the CPUID Wikipedia article on which models return the serial
number in which registers. The example here is for
Pentium III */
printf("serial number 0x%08x%08x\n", edx, ecx);
}
Where a good reference on how to use the CPUID instruction is in this Wikipedia article.
EDIT The Wikipedia article says that the serial number was introduced with the Pentium III but was not anymore implemented in later models due to privacy concerns. On a Linux system you can check for the presence of this feature (PSN bit) by doing:
grep -i --color psn /proc/cpuinfo
if this does not show anything, your system does not support a processor serial number.

There is a cpuinfo.h include in GCC. It is safe, use it.
Sample (I have GCC 4.7+ and feel happy of using "auto" here):
#include <cpuid.h>
#include <iostream>
#include <map>
#include <string>
using namespace std;
struct CPUVendorID {
unsigned int ebx;
unsigned int edx;
unsigned int ecx;
string toString() const {
return string(reinterpret_cast<const char *>(this), 12);
}
};
int main() {
unsigned int level = 0;
unsigned int eax = 0;
unsigned int ebx;
unsigned int ecx;
unsigned int edx;
__get_cpuid(level, &eax, &ebx, &ecx, &edx);
CPUVendorID vendorID { .ebx = ebx, .edx = edx, .ecx = ecx };
map<string, string> vendorIdToName;
vendorIdToName["GenuineIntel"] = "Intel";
vendorIdToName["AuthenticAMD"] = "AMD";
vendorIdToName["CyrixInstead"] = "Cyrix";
vendorIdToName["CentaurHauls"] = "Centaur";
vendorIdToName["SiS SiS SiS "] = "SiS";
vendorIdToName["NexGenDriven"] = "NexGen";
vendorIdToName["GenuineTMx86"] = "Transmeta";
vendorIdToName["RiseRiseRise"] = "Rise";
vendorIdToName["UMC UMC UMC "] = "UMC";
vendorIdToName["Geode by NSC"] = "National Semiconductor";
string vendorIDString = vendorID.toString();
auto it = vendorIdToName.find(vendorIDString);
string vendorName = (it == vendorIdToName.end()) ? "Unknown" : it->second;
cout << "Max instruction ID: " << eax << endl;
cout << "Vendor ID: " << vendorIDString << endl;
cout << "Vendor name: " << vendorName << endl;
}
Output:
$ make
g++ --std=c++11 main.cc -o cpuid
$ ./cpuid
Max instruction ID: 6
Vendor ID: GenuineIntel
Vendor name: Intel

The Informations about the processor you could extract from /proc/cpuinfo.
To get the Serial Number you should have a look at dmidecode. I didn't look in there right now, but dmidecode is able to show you the serial number, so i would start there.

#include <stdio.h>
void getPSN(char *PSN)
{
int varEAX, varEBX, varECX, varEDX;
char str[9];
//%eax=1 gives most significant 32 bits in eax
__asm__ __volatile__ ("cpuid" : "=a" (varEAX), "=b" (varEBX), "=c" (varECX), "=d" (varEDX) : "a" (1));
sprintf(str, "%08X", varEAX); //i.e. XXXX-XXXX-xxxx-xxxx-xxxx-xxxx
sprintf(PSN, "%C%C%C%C-%C%C%C%C", str[0], str[1], str[2], str[3], str[4], str[5], str[6], str[7]);
//%eax=3 gives least significant 64 bits in edx and ecx [if PN is enabled]
__asm__ __volatile__ ("cpuid" : "=a" (varEAX), "=b" (varEBX), "=c" (varECX), "=d" (varEDX) : "a" (3));
sprintf(str, "%08X", varEDX); //i.e. xxxx-xxxx-XXXX-XXXX-xxxx-xxxx
sprintf(PSN, "%s-%C%C%C%C-%C%C%C%C", PSN, str[0], str[1], str[2], str[3], str[4], str[5], str[6], str[7]);
sprintf(str, "%08X", varECX); //i.e. xxxx-xxxx-xxxx-xxxx-XXXX-XXXX
sprintf(PSN, "%s-%C%C%C%C-%C%C%C%C", PSN, str[0], str[1], str[2], str[3], str[4], str[5], str[6], str[7]);
}
int main()
{
char PSN[30]; //24 Hex digits, 5 '-' separators, and a '\0'
getPSN(PSN);
printf("%s\n", PSN); //compare with: lshw | grep serial:
return 0;
}

This program will help you run Linux commands programmatically:
char* GetSystemOutput(char* cmd)
{
int buff_size = 32;
char* buff = new char[buff_size];
char* ret = NULL;
string str = "";
int fd[2];
int old_fd[3];
pipe(fd);
old_fd[0] = dup(STDIN_FILENO);
old_fd[1] = dup(STDOUT_FILENO);
old_fd[2] = dup(STDERR_FILENO);
int pid = fork();
switch(pid)
{
case 0:
close(fd[0]);
close(STDOUT_FILENO);
close(STDERR_FILENO);
dup2(fd[1], STDOUT_FILENO);
dup2(fd[1], STDERR_FILENO);
system(cmd);
//execlp((const char*)cmd, cmd,0);
close (fd[1]);
exit(0);
break;
case -1:
cerr << "GetSystemOutput/fork() error\n" << endl;
exit(1);
default:
close(fd[1]);
dup2(fd[0], STDIN_FILENO);
int rc = 1;
while (rc > 0)
{
rc = read(fd[0], buff, buff_size);
str.append(buff, rc);
//memset(buff, 0, buff_size);
}
ret = new char [strlen((char*)str.c_str())];
strcpy(ret, (char*)str.c_str());
waitpid(pid, NULL, 0);
close(fd[0]);
}
dup2(STDIN_FILENO, old_fd[0]);
dup2(STDOUT_FILENO, old_fd[1]);
dup2(STDERR_FILENO, old_fd[2]);
return ret;
}
API usage: GetSystemOutput("/usr/bin/lsb_release -a")
And following the commands:
cat /proc/cpuinfo = tells you CPU information