This is my first post, and I am new to assembly and debugging, so bear with me please.
I was trying to inject some code (a little call to MessageBoxA) into the Windows 7 Notepad executable. However, I ran into the problem of addresses. First, I opened up the exe in OllyDbg, then I went to the line that contains the ASCII text of “notepad.pdb.” Then I put an ASCII string below that (For example, “INJECTED NOTEPAD”). Next, below that, I entered this asm code:
PUSH 0
PUSH address_of_ASCII_string ; In this case, 00A6B668C
PUSH address_of_ASCII_string ; In this case, 00A6B668C
PUSH 0
CALL MessageBoxA
Next, I went to the first line of code in the program (simply by right clicking and pressing Go to Origin (or just press * on the number pad)) Then I replaced the first line with a JMP instruction to the address of the first PUSH 0 in my injected code. Then, I put the instruction that I replaced at the end of my injected code. After that, I put a JMP instruction to the line of code after my JMP instruction that jumps to my injected code (yes, I just described a codecave or sort of). It all works fine when I run it. However, when I save the modified code to a new executable and run it with OllyDbg again, it doesn’t work. When I try to reference the ASCII string that I put in, the address is completely wrong. Example is in pictures below:
As you can see, I push the string onto the stack, but when I reload the modified program into the debugger again, the address of the string changes, but my code doesn’t. So when I call the MessageBoxA function, it errors out because I have loaded the wrong address for the Text and Caption arguments. How do I fix this?
What you've encountered are the effects of ASLR. In short, this means that an executable running on an OS (in this example Windows) will not have the same base address across multiple executions.
So there are a few ways to inject your code into another binary, I will address 2 here and I will also guess (after reading the comments) that you are trying to patch the binary that's on the disk.
Patching the binary on disk:
a. The first way to go about this is strip the relocation table from the PE. I would definitely not recommend this way as it may crash the executable in the future in case it doesn't get loaded into its favored base address (OptionalHeader.ImageBase) which is the default that all instructions needing relocation will use as a base to add an offset to.
Let's say you have a string at offset
0x600from the image base, in case the executable is mapped to its preferred base address (usually0x00400000) the string will be held at address0x00400000. The way your compiler will link the file will be with an address of0x00400000 + 0x600so0x00400600. Then what happens when an executable is loaded into a different base address? In that case the windows executable loader will add the offset of the base address (effectively the one mapped minus the preferred base address) to each relocation entry (the example above will need one). So in case the executable will be loaded into0x00500000the loader will add0x00100000to that relocation entry leading to the absolute address of0x00500600.b. The second way to go would be to add a relocation entry to the binary. This way, as opposed to the way described in (a) you will not harm the binary and will only add a relocation entry, which upon loading the executable the loader will change the address to the correct one (if you've added a correct entry).
c. Write position independent code and patch the binary using this code. Example:
This code will write the 2 needed strings to the stack and push the pointers to the strings on the stack, this way the code doesn't need any relocation since its a piece of poisiton independent code.
Patching the binary in memory:
a. Position independent code (see above)
b. Use VirtualAllocEx, this API will, after calling it, return an address to which you can write, this way you simply have the mapped address in memory and know where and how to inject your code.