[php][size=medium][color=#339933]In this lesson we will see how to inject new code into a precompiled executable. We will change Windows Notepad so that it shows a simple text message when it starts up (this is one of the easiest functions Windows provides). First of all, make a copy of Notepad (C:\WINDOWS\notepad.exe) to any folder; we will work on this copy and keep the original untouched. What we are going to do is: point the start of Notepad's code to another location, show the message, and then return to the original point.

[img]https://3.bp.blogspot.com/-lQkAReVsK_o/WyE-xTOEsnI/AAAAAAAAA_Q/8ai6iJQDWMoX8elfCV5-g8Sps0Jj46RUgCLcBGAs/s1600/tut10_1.png[/img]

To do this we need to find an empty region in Notepad's code section that we can use without changing the program's functionality, a so-called "code cave". Open the notepad.exe copy in Olly and scroll down. At offset 8747 you should find the beginning of the code cave: a region with no code at all, only 00 bytes.

[img]https://2.bp.blogspot.com/-ihPk4-kPm_Y/WyE-3_26dBI/AAAAAAAAA_U/heIdNHET0TsqNmssRaCgJFVKkIKcu8RlQCLcBGAs/s320/tut10_2.png[/img]

The region after 8747 is what we will use to write our code. As I said, we will add a MessageBox at the start of execution. Let's look at the MessageBoxA function to see what we need: https://pastebin.pl/view/eb5be685

We need to pass 4 arguments to call the function. hWnd indicates which window the msgbox belongs to. lpText and lpCaption are the message text and the window title, respectively. Finally, uType sets the style of the window, such as the number of buttons and the icon. We need to store the text and the title somewhere, and that place is the code cave itself. Let's start with the title. From the beginning of the code cave, select as many lines as you need to store the title; each selected line covers one byte, that is, one character. "F3rGO!" has 6 characters, so I select 6 lines from the beginning of the CV (code cave) using SHIFT, right-click the selection and choose "Binary -> Edit". Check the "Preserve Size" box and type your message in the ASCII field:

[img]https://2.bp.blogspot.com/-gmfidfSBnK4/WyE--csuEQI/AAAAAAAAA_Y/wRTEXca5Vdgdl2z2tRRxizPJuBB1Dc86QCLcBGAs/s320/tut10_3.png[/img]

Press OK. Olly initially interprets what you wrote as code, so your message does not show up properly in the code window. Press CTRL+A to make Olly analyse the code again and you should see your string correctly. Repeat the same process for the window text, selecting lines starting right after the line that holds your title. I used "Modified Notepad" as the text, 19 characters (spaces count as characters!). Select 19 lines and do the same as for the title. In the end you should have something like this:

[img]https://1.bp.blogspot.com/-c_rOUtnVhXE/WyE_EEu7kpI/AAAAAAAAA_g/gSiMbNCCCi8DoxDDB4rfzamKm0b05iC-gCLcBGAs/s1600/tut10_4.png[/img]

Now that our strings are stored, we can call the function. Note that the function's arguments are pushed in reverse order, that is, we PUSH uType first and hWnd last. Select any offset in the CV (it can be just below the strings); I used 01008763. Write the code for the function call; for the title and the text, use the address of each string (in my case 01008747 and 0100874E). To write the code, double-click the line and type the instruction. Your code should look like this (the comments are mine):

[img]https://2.bp.blogspot.com/-esJ2QVGW97g/WyE_INIYWEI/AAAAAAAAA_o/giu6tRkxC-QhCCbkhoI6HyHRrVo3kKRGQCLcBGAs/s320/tut10_5.png[/img]

We now have the msgbox code; next we need to redirect the start of the program to 01008763 to call the message, and then return to the original code flow. For reasons I will explain later, we will not add the JMP back right after the CALL yet. Memorise 01008763, as this is the address we will redirect to (it is where the msgbox call starts).

Right-click anywhere in the code and choose "Go to -> Origin" (the * key). This takes us to the program's EntryPoint: https://pastebin.pl/view/b63c215d

We have to jump from PUSH 70 to 01008763. Before replacing anything, write down the instructions at the first 2 offsets (PUSH 70 and PUSH NOTEPAD...); I will explain why in a moment. Now double-click PUSH 70 and change it to JMP 01008763 (check the "Fill with NOPs" option). OK, we have redirected our code, but notice that 2 instructions went missing because of this jump (the 2 you wrote down). This happens because the JMP instruction occupies the bytes of PUSH 70 and part of the following PUSH, and the remaining bytes are filled with NOPs. We cannot avoid this, so we need to add these 2 missing instructions somewhere else. Where? In the code cave, after the call to MessageBoxA. Before going back to the MessageBox code, note the offset of CALL NOTEPAD.01007568 (010073A4), because we will have to jump to this address so that execution continues once the msgbox has been shown. Go back to your MessageBox region and add the 2 instructions you noted (when entering the second one, PUSH just the address and drop the "NOTEPAD." prefix). Now we can return to the normal code: after the end of the injected code, add a new JMP to address 010073A4 (the offset you just noted). In the end your code should look like this:

[img]https://3.bp.blogspot.com/-0zS7cpX6B3E/WyE_NIAls0I/AAAAAAAAA_s/dLO5Bu-1AvgWp6BPqbIeZZYKpjOGr8M1ACLcBGAs/s320/tut10_6.png[/img]

You can save your file ("Right-click -> Copy to executable -> All changes -> Copy all -> Right-click -> Save file") and test it. If you did everything right, you should see this when starting your modified Notepad:

[img]https://4.bp.blogspot.com/--y8bxBQauHc/WyE_SSXeRtI/AAAAAAAAA_0/soObN5MzBqUVRI6wZkUQPkE6M9F-cY0nQCLcBGAs/s1600/tut10_7.png[/img]

http://www.fergonez.net/tutoriais/fergo/reveng/[/color][/size][/php]
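Added example, not part of the original tutorial: a Python script that models the Notepad prologue quoted above, both as shipped and after the JMP-to-cave patch, and runs a detection heuristic over both (a JMP rel32 at the entry point, NOP padding behind it, and a jump target sitting next to a large run of zero bytes, i.e. the section slack the cave lives in). The image base, section start and section size are assumptions; the addresses and instructions are the ones the tutorial quotes.

```python
import struct

# Constructed model of the patched Notepad from the post (layout/sizes are assumptions; addresses are the post's).
IMAGE_BASE = 0x01000000
TEXT_VA = IMAGE_BASE + 0x1000          # assumed start of the code section
TEXT_SIZE = 0x7800                     # assumed size of the code section
ENTRY_VA = 0x0100739D                  # entry point: PUSH 70 lives here
CALL_VA = 0x010073A4                   # CALL NOTEPAD.01007568, where execution must resume
CAVE_VA = 0x01008763                   # start of the injected code in the cave

def build_section(patched: bool) -> bytes:
    """Return the code section bytes, either as shipped or with the cave trampoline applied."""
    sec = bytearray(TEXT_SIZE)
    e = ENTRY_VA - TEXT_VA
    sec[e:e + 2] = b"\x6A\x70"                                   # PUSH 70
    sec[e + 2:e + 7] = b"\x68" + struct.pack("<I", 0x01001898)   # PUSH NOTEPAD.01001898
    sec[e + 7:e + 12] = b"\xE8" + struct.pack("<i", 0x01007568 - (CALL_VA + 5))  # CALL 01007568
    if patched:
        # JMP rel32 overwrites PUSH 70 and 3 bytes of the next PUSH; Olly fills the rest with NOPs
        sec[e:e + 5] = b"\xE9" + struct.pack("<i", CAVE_VA - (ENTRY_VA + 5))
        sec[e + 5:e + 7] = b"\x90\x90"
        c = CAVE_VA - TEXT_VA
        # relocated PUSH 70 / PUSH 01001898 (stand-in for the MessageBox code), then JMP back to the CALL
        sec[c:c + 7] = b"\x6A\x70\x68" + struct.pack("<I", 0x01001898)
        sec[c + 7:c + 12] = b"\xE9" + struct.pack("<i", CALL_VA - (CAVE_VA + 12))
    return bytes(sec)

def entry_point_findings(sec: bytes, entry_va: int, min_zero_run: int = 64) -> list:
    """Heuristic signs of an entry point redirected into a code cave (indicators, not proof)."""
    findings = []
    e = entry_va - TEXT_VA
    if sec[e] != 0xE9:                       # only a JMP rel32 at the entry point is considered
        return findings
    target = entry_va + 5 + struct.unpack_from("<i", sec, e + 1)[0]
    findings.append(f"entry point is JMP to {target:#010x}")
    after = sec[e + 5:e + 16]
    nops = len(after) - len(after.lstrip(b"\x90"))
    if nops:
        findings.append(f"{nops} NOP bytes pad the JMP (an instruction was overwritten)")
    t = target - TEXT_VA
    if not 0 <= t < len(sec):
        findings.append("JMP target lies outside the code section")
        return findings
    window = sec[t:t + 256]
    zero_run = len(window) - len(window.rstrip(b"\x00"))
    if zero_run >= min_zero_run:
        findings.append(f"code at target is followed by {zero_run} zero bytes (section slack)")
    return findings
```

Running `entry_point_findings` on `build_section(False)` returns nothing, while the patched section yields the JMP, the 2 NOPs and the zero run that follows the injected code.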