I've googled around, but I'm not sure whether I am asking the right question, and I couldn't find much regardless; perhaps a link would be helpful.

I made a C++ program that shows a message box, then I opened it up with OllyDbg and went to the part where it calls MessageBoxW.

The call address of MessageBoxW changes each time I run the app, as Windows is updating my imports table to have the correct address of MessageBoxW. So my question is: how do I find the virtual address of MessageBoxW in my imports table, and also how can I use this in OllyDbg?

Basically I'm trying to make a code cave in assembly to call MessageBoxW again. I got fairly close once by searching the executable with a hex editor and found the position of the call, and I think I found the virtual address. But when I called that virtual address in Olly and saved it to the executable, the next time I opened it the call was replaced with a bunch of DB xyz (which looked like the virtual address). Why did the call get removed?

Sorry if my terminology is off; as I'm new to this, I'm not quite sure what to call things.

+2  A: 

(reply to comment on original post)

Ah, no, the address specified in the "call" opcode is relative to the call instruction. However, for imported functions, it's most likely an indirect call (which reads the function's address from a memory location).

There is really no "official"/reliable way to get the address of any function without having access to the import segment. If you are patching a certain executable, just look at the values Windows places in its import segment. If you are injecting code from another process, you can rely on the fact that the address of a function in a system DLL will remain the same, relative to the DLL's load address. It is also possible to manually locate and parse the program's import segment in memory.

CyberShadow
Yeah, I want to be able to use the indirect call from the imports table. I just read part of http://msdn.microsoft.com/en-us/library/ms809762.aspx and it reads: (Virtual address 0x10464) - (base address 0x10000) = RVA 0x00464. Does this mean I could do something like put the base memory address in eax, add the RVA 0x00464 and then `call eax`?
Daniel
Hmm, something like that, though there might be more to it. If the executable is built with relocation info and is subjected to ASLR, the base address might change every time it is run.
CyberShadow
Yeah, I have been having problems with ASLR; life would be so easy without it!
Daniel
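To make the answer and the comment thread concrete, here is an added example (not code from the original post or its authors) that does the three things discussed above: it parses a PE32 import directory to find the RVA of the IAT slot Windows fills in for MessageBoxW, it shows the difference between a relative E8 call and the indirect FF 15 call the compiler emits for imports, and it assembles a code cave that recovers the image base at run time and calls through `[base + slot RVA]`, so the cave keeps working when ASLR picks a different base. The PE image is constructed inline with an assumed layout (ImageBase 0x400000, one .idata section at RVA 0x2000, IAT slot for MessageBoxW at RVA 0x2050) and is not the OP's binary; the cave RVA, string RVA and the omission of the jump back to the original code are likewise assumptions for illustration.

```python
import struct

# Constructed minimal PE32 image (assumed layout, not a real binary): one .idata
# section at RVA 0x2000 / file offset 0x200 importing MessageBoxW and GetDlgItem
# from user32.dll, ImageBase 0x400000. Only the fields the parser reads are set.
def build_sample_pe():
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                          # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 1 section, SizeOfOptionalHeader = 0xE0
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                          # PE32 magic
    struct.pack_into("<I", img, opt + 0x1C, 0x400000)                # ImageBase
    struct.pack_into("<I", img, opt + 0x5C, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 0x60 + 8, 0x2000, 40)         # DataDirectory[1]  = imports
    struct.pack_into("<II", img, opt + 0x60 + 96, 0x2050, 12)        # DataDirectory[12] = IAT
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".idata", 0x100, 0x2000, 0x100, 0x200)
    d = 0x200                                                        # file offset of RVA 0x2000
    # IMAGE_IMPORT_DESCRIPTOR for user32.dll; the zeroed bytes after it terminate the list
    struct.pack_into("<IIIII", img, d, 0x2040, 0, 0, 0x2060, 0x2050)
    for off in (0x40, 0x50):                                         # INT and IAT, same contents on disk
        struct.pack_into("<III", img, d + off, 0x2070, 0x2080, 0)
    img[d + 0x60:d + 0x6B] = b"user32.dll\0"
    img[d + 0x70:d + 0x7E] = b"\0\0MessageBoxW\0"                    # hint (2 bytes) + name
    img[d + 0x80:d + 0x8D] = b"\0\0GetDlgItem\0"
    return bytes(img)

def rva_to_offset(img, rva):
    """Map an RVA to a file offset through the section table."""
    nt = struct.unpack_from("<I", img, 0x3C)[0]
    nsec = struct.unpack_from("<H", img, nt + 6)[0]
    opt_size = struct.unpack_from("<H", img, nt + 20)[0]
    sec = nt + 24 + opt_size
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", img, sec + 40 * i + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x is not inside any section" % rva)

def read_cstr(img, off):
    return img[off:img.index(b"\0", off)].decode("ascii")

def find_iat_slot(img, dll, func):
    """Return (ImageBase, RVA of the IAT slot) that the loader fills with the address of dll!func."""
    nt = struct.unpack_from("<I", img, 0x3C)[0]
    opt = nt + 24
    image_base = struct.unpack_from("<I", img, opt + 0x1C)[0]
    desc = rva_to_offset(img, struct.unpack_from("<I", img, opt + 0x60 + 8)[0])
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", img, desc)
        if name_rva == 0:                      # null descriptor ends the import list
            break
        if read_cstr(img, rva_to_offset(img, name_rva)).lower() == dll.lower():
            lookup = rva_to_offset(img, oft or ft)   # INT carries the names; IAT is parallel to it
            idx = 0
            while True:
                thunk = struct.unpack_from("<I", img, lookup + 4 * idx)[0]
                if thunk == 0:
                    break
                if not thunk & 0x80000000:     # high bit set would mean import by ordinal
                    if read_cstr(img, rva_to_offset(img, thunk) + 2) == func:
                        return image_base, ft + 4 * idx
                idx += 1
        desc += 20
    raise LookupError("%s!%s is not imported" % (dll, func))

def encode_call_rel32(call_va, target_va):
    """E8 rel32: the displacement is relative to the end of the 5-byte call, not absolute."""
    return b"\xE8" + struct.pack("<i", target_va - (call_va + 5))

def encode_call_iat_abs(slot_va):
    """FF 15 disp32: what the compiler emits for an import; the absolute slot address
    is only valid at the preferred base and needs a base relocation under ASLR."""
    return b"\xFF\x15" + struct.pack("<I", slot_va)

def build_cave(cave_rva, slot_rva, text_rva):
    """Position-independent cave (assumed RVAs): recover the image base at run time, then
    call MessageBoxW(0, text, text, MB_OK) through [base + slot_rva]. Clobbers eax/ecx;
    restoring registers and jumping back to the original code is left to the caller."""
    code  = b"\xE8\x00\x00\x00\x00"                      # call $+5      ; pushes VA of the pop
    code += b"\x58"                                      # pop eax       ; eax = base + cave_rva + 5
    code += b"\x2D" + struct.pack("<I", cave_rva + 5)    # sub eax, imm  ; eax = image base
    code += b"\x8D\x88" + struct.pack("<I", text_rva)    # lea ecx, [eax + text_rva]
    code += b"\x6A\x00"                                  # push 0        ; uType = MB_OK
    code += b"\x51"                                      # push ecx      ; lpCaption
    code += b"\x51"                                      # push ecx      ; lpText
    code += b"\x6A\x00"                                  # push 0        ; hWnd
    code += b"\xFF\x90" + struct.pack("<I", slot_rva)    # call [eax + slot_rva]
    return code
```

Run against the constructed image, `find_iat_slot(build_sample_pe(), "user32.dll", "MessageBoxW")` gives `(0x400000, 0x2050)`, so the compiler's call would be `FF 15 50 20 40 00` and would break once ASLR moves the base; the cave instead reads the slot relative to the base it derives from its own return address. On a real binary the same parser works on the file from disk (OllyDbg's import table view shows the same slot addresses, already rebased).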