How to change a call with Reverse engineering
04-12-2021
Question
I have an example program test1.exe that uses an example library test2.dll. test.dll contains the functions A() and B() of the same type. test1.exe calls A and then exits.
Here I've found the call to A():
(http://i.stack.imgur.com/5W9Jd.jpg)
Now, if I'm not mistaken, I need to replace 88FDFFFF with the correct offset of B(), but how can I calculate it so that B() will be invoked instead of A()?
Solution
If this is an x86 call-relative instruction, the offset value is computed by subtracting the address of the instruction following the call (= call instruction location + 5 bytes) from the address of the target. So, you need to patch the offset to be address(B) - address(call instruction + 5).
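The arithmetic in the accepted answer, carried out in code. This is an added example, not part of the original question or either answer, and it assumes the call in the screenshot is the 5-byte E8 rel32 form the answer describes (the 88FDFFFF operand is the little-endian encoding of the signed displacement -632). The image base 0x401000, the call offset 0x100 and B's address 0x400E50 are made up for the demonstration. It goes one step beyond the answer: when the call instead goes through the import table (FF 15 with a 32-bit absolute address of an IAT slot, the "imported" case the second answer mentions), the operand is not relative and is replaced with the address of B's slot, without any subtraction.

```python
"""Retarget an x86 (32-bit) call from A to B by rewriting its operand."""
import struct

REL32_LEN = 5      # E8 rel32: 1 opcode byte + 4-byte signed displacement
IAT_CALL_LEN = 6   # FF 15 disp32: 2 opcode bytes + 4-byte absolute address of an IAT slot


def rel32(call_addr, target_addr):
    """Displacement for an E8 call located at call_addr that must reach target_addr.

    The CPU adds the displacement to the address of the *next* instruction
    (call_addr + 5), so the number to store is target - (call_addr + 5).
    """
    disp = target_addr - (call_addr + REL32_LEN)
    if not -2**31 <= disp < 2**31:
        raise ValueError("target is out of rel32 range")
    return disp


def encode_call(call_addr, target_addr):
    """Full 5-byte E8 instruction; the displacement is stored little-endian."""
    return b"\xE8" + struct.pack("<i", rel32(call_addr, target_addr))


def call_target(call_addr, code):
    """Resolve where the call encoded in `code` (located at call_addr) goes.

    Returns (kind, target): kind is 'rel32' for E8 (target is the callee's
    address) or 'iat' for FF 15 (target is the absolute address of the
    import-table slot the call reads the callee pointer from).
    """
    if code[:1] == b"\xE8" and len(code) >= REL32_LEN:
        (disp,) = struct.unpack("<i", code[1:5])
        return "rel32", call_addr + REL32_LEN + disp
    if code[:2] == b"\xFF\x15" and len(code) >= IAT_CALL_LEN:
        (slot,) = struct.unpack("<I", code[2:6])
        return "iat", slot
    raise ValueError("not a call form this helper understands")


def retarget_call(image, call_off, image_base, new_target):
    """Patch the call at offset call_off of `image` (a bytearray mapped at
    image_base) so that it reaches new_target; returns the previous target.

    For E8 a new rel32 is computed relative to call_addr + 5.  For FF 15 the
    operand is an absolute slot address, so new_target is written verbatim.
    """
    call_addr = image_base + call_off
    kind, old_target = call_target(call_addr, bytes(image[call_off:call_off + IAT_CALL_LEN]))
    if kind == "rel32":
        image[call_off + 1:call_off + 5] = struct.pack("<i", rel32(call_addr, new_target))
    else:
        image[call_off + 2:call_off + 6] = struct.pack("<I", new_target)
    return old_target


def demo():
    """Constructed sample (assumed values, not from the page): image mapped at
    0x401000, the E8 88 FD FF FF call from the screenshot at offset 0x100, and
    B assumed to live at 0x400E50.  Returns (old target, new operand bytes)."""
    base = 0x401000
    image = bytearray(0x200)
    image[0x100:0x105] = b"\xE8\x88\xFD\xFF\xFF"   # call A; 0xFFFFFD88 == -632
    old = retarget_call(image, 0x100, base, 0x400E50)
    return old, bytes(image[0x101:0x105])


if __name__ == "__main__":
    old, operand = demo()
    print(f"old target 0x{old:X}, new operand {operand.hex().upper()}")
```

With the assumed addresses the old call resolves to 0x401100 + 5 - 632 = 0x400E8D, and the new displacement is 0x400E50 - 0x401105 = -693 = 0xFFFFFD4B, so the four operand bytes become 4B FD FF FF. When patching a file on disk rather than a loaded image, use the same addresses the disassembler shows (virtual addresses) for the arithmetic, and only translate to a file offset when deciding where to write the bytes.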
OTHER TIPS
If b is imported in test1.exe it is easy; otherwise you have to use LoadLibrary and GetProcAddress. Press Ctrl+N to see if b is imported or not.
I would recommend to learn asm basics first and play with HIEW hexeditor/disassembler to change simple codes.
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow