Question

I have an example program test1.exe that uses an example library test2.dll.

  • test.dll contains the functions A() and B() of the same type.
  • test1.exe calls A and then exits.

Here I've found the call to A(): The line at which test.exe calls A (http://i.stack.imgur.com/5W9Jd.jpg)

Now, if I'm not mistaken, I need to replace 88FDFFFF with the correct offset of B(), but how can I calculate it so that B() will be invoked instead of A()?


Solution

If this is an x86 call-relative instruction, the offset value is computed by subtracting the address of the instruction following the call (= call instruction location + 5 bytes) from the address of the target. So, you need to patch the offset to be address(B) - address(callinstruction + 5).
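The computation above, carried through as an added example (this is not code from the question or the answer). It encodes and decodes the E8 rel32 form of call, and patches a call site inside a constructed code buffer so that it lands on a different target. The virtual addresses (0x401000 for the section, 0x401020 for A, 0x401040 for B) and the byte layout of the buffer are assumptions made up for the demonstration; the only value taken from the page is the displacement 88 FD FF FF, which is shown being decoded. One caveat the arithmetic makes visible: the displacement is a difference of two virtual addresses in the same image, so when patching a file on disk you must work with the instruction's VA (or RVA, since the base cancels), not its file offset, and the new target must be something resolvable at that address, such as B's import thunk in test1.exe rather than B's address inside the DLL.

```python
import struct

CALL_REL32 = 0xE8   # opcode of the 5-byte "call rel32" instruction
INSN_LEN = 5        # 1 opcode byte + 4-byte little-endian signed displacement


def rel32(call_va, target_va):
    """Displacement for a rel32 call at call_va that should land on target_va.

    The CPU adds the displacement to the address of the *next* instruction,
    so disp = target - (call_va + 5).
    """
    disp = target_va - (call_va + INSN_LEN)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target is out of rel32 range from this call site")
    return disp


def encode_call(call_va, target_va):
    """Bytes of 'call target_va' as they must appear at call_va."""
    return bytes([CALL_REL32]) + struct.pack("<i", rel32(call_va, target_va))


def decode_call_target(call_va, insn):
    """Recover the absolute target of an E8 call located at call_va."""
    if len(insn) < INSN_LEN or insn[0] != CALL_REL32:
        # An import called through the IAT looks like FF 15 <abs addr>, not E8;
        # that form is not a relative call and is deliberately rejected here.
        raise ValueError("not an E8 call rel32 instruction")
    (disp,) = struct.unpack("<i", insn[1:INSN_LEN])
    return call_va + INSN_LEN + disp


def retarget_call(code, call_off, section_va, new_target_va):
    """Patch the call at buffer offset call_off (VA = section_va + call_off)
    so that it invokes new_target_va. Returns the target it pointed at before."""
    call_va = section_va + call_off
    old_target = decode_call_target(call_va, code[call_off:call_off + INSN_LEN])
    code[call_off:call_off + INSN_LEN] = encode_call(call_va, new_target_va)
    return old_target


def demo():
    """Constructed code section (assumption, not the asker's binary):
      VA 0x401000: call A ; ret
      VA 0x401020: A: mov eax,1 ; ret
      VA 0x401040: B: mov eax,2 ; ret
    Redirects the call from A to B and returns (old target, patched bytes)."""
    section_va, a_va, b_va = 0x401000, 0x401020, 0x401040
    code = bytearray(b"\x90" * 0x50)                 # nop padding
    code[0:5] = encode_call(section_va, a_va)        # call A
    code[5] = 0xC3                                   # ret
    code[0x20:0x26] = b"\xb8\x01\x00\x00\x00\xc3"    # A: mov eax,1 ; ret
    code[0x40:0x46] = b"\xb8\x02\x00\x00\x00\xc3"    # B: mov eax,2 ; ret

    old_target = retarget_call(code, 0, section_va, b_va)
    return old_target, bytes(code[0:5]).hex()


if __name__ == "__main__":
    old, patched = demo()
    print(f"call previously targeted {old:#x}; patched bytes: {patched}")
    # The page's displacement, decoded for an assumed call site at 0x401285:
    print(f"{decode_call_target(0x401285, bytes.fromhex('e888fdffff')):#x}")
```

Note that `decode_call_target` is the check to run before patching: if the bytes at the call site do not start with E8 (for instance because the compiler emitted `call dword ptr [IAT entry]`, opcode FF 15), the rel32 formula does not apply and a different patch is needed.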

OTHER TIPS

If B is imported in test1.exe, it is easy; otherwise you have to use LoadLibrary and GetProcAddress.

Press Ctrl+N to see whether B is imported or not.

I would recommend learning asm basics first and playing with the HIEW hex editor/disassembler to change simple code.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow