This article was written by Mr. eXoDia about the usefulness of the Multiline Ultimate Assembler Library, which is a (dis)assembler library with similar functionality to the Multiline Ultimate Assembler OllyDbg plugin.
Kudos to him!
The Multiline Ultimate Assembler Library
Multiline Ultimate Assembler library.zip (525.6 kB)
Article files (with the library included)
multi_asm_lib_test.zip (116.81 kB)
Alright, so what’s the use of the Multiline Ultimate Assembler Library? In my case it was useful as backend for a ‘generic’ API hooking tool. The tool was used to hook various APIs to prevent CRC checks and then the idea was to hook an API (VirtualProtect for example) that was accessed just before the OEP of the protected file was reached.
In our case we will not deal with a real protector, but just with a simple file that mimics a protector. Our protected file must have VirtualProtect in the import table.
Analyzing the file
The file (Hooking_example.exe) is just a simple crackme that does a check on static memory to see if it was ‘registered.’ Look in OllyDbg at
0x00401470 to see the check. Our goal is to patch
0x00404008 to anything other than zero.
0x004013E6 we see that the PE header is removed. To change the page protection of the PE Header, the API VirtualProtectEx is used. That will be our hooking target for today.
Writing a hooking template
Alright, so let’s say we’re hooking a DLL. In that case we would need to add relocations, but we’re smart reversers so we write relocatable hooking code. This is an example of such a template:
<0%X> ;00407000 pushad call @f @@: pop ebp sub ebp,0%X ;7006 mov ebx,dword ptr ds:[ebp+0%X] ; virtualprotect (standard) mov esi,dword ptr ds:[ebp+0%X] ; virtualprotectex (api to hook) call @f @vpex_addr: mov eax,0FFFFFFFF ret @@: pop eax mov dword ptr ds:[eax+1],esi call @f "\x00\x00\x00\x00" @@: push 40 push 50 push esi call ebx call @skip @original_bytes: call @f "\x90\x90\x90\x90\x90" @@: jmp short @hook_back @skip: pop edi add edi,5 mov ecx,5 rep movs byte ptr es:[edi],byte ptr ds:[esi] sub esi,5 mov byte ptr ds:[esi],0E9 call @f @hook_VirtualProtectEx: push edi push esi push ecx jmp short @original_bytes @hook_back: pop esi call @vpex_addr mov edi,eax mov ecx,5 rep movs byte ptr es:[edi],byte ptr ds:[esi] pushad pushfd %s ;hooking code here popfd popad pop ecx pop esi pop edi jmp eax @@: pop eax sub eax,5 sub eax,esi mov dword ptr ds:[esi+1],eax popad jmp 0%X
This template is fully relocatable and we will use it with our tool.
Writing the tool
So the tool is gonna be written in C++. It will allow the user to select the API to hook (this API must be in the import table) and the user can also specify the empty space to store the assembled code in.
The user will only see his/her own code and there will be various quick functions (like argument reading, return address reading, inserting bytes and declaring a relocatable variable). The Multiline Ultimate Assembler library API is well-documented, just see the headers for details.
The rest is just limited to your imagination.
Quick tutorial on Hooking_example.exe
1) Load up hooking example in CFF explorer.
2) Add a section (100h bytes should be enough).
3) Discover code for an inline patch (patch 00404008 to 1 in VirtualProtectEx):
mov eax,dword ptr ds:[esp+38] ; arg1 (imagebase) inc byte ptr ds:[eax+4008] ; patch address rva
4) Enter data in tool (DLL: kernel32.dll, API: VirtualProtectEx, Free Space: 00407000).
5) Drag & drop file with added section.
6) Click ‘Load Data’ to reparse the file and check if the selected API is in the import table.
7) Click ‘Copy Code’ to copy the complete code (including the template).
8) Click ‘Assemble!’ and save the file to let the program automatically assemble everything (with template), this is what the tool was made for.
Additional Info (buttons)
Argument: Get arg n from the function you hook (pushad, pushfd change ESP).
Bytes: Insert hex bytes in your code.
Variable: Create a ‘variable’ that is full relocatable.
Return: Get the return address (ESP changes because of pushad etc).