Assembly: analyzing the system() function called in C


So I made a simple C program to study how C works on the inside. It has 1 line in main(), excluding return 0:

system("cls");

If I use OllyDebugger to analyze the program, it will show this (the text after the semicolons is comments generated by OllyDebugger):

mov dword ptr ss:[esp],test_1.004030ec     ; ||ascii "cls"
call <jmp.&msvcrt.system>                ; |\system

Can someone explain what this means, and, if I want to change the "cls" called in the system() command, where is "cls" stored? And how would I modify it?

You are using a 32-bit Windows system, with its corresponding ABI (the assumptions used when functions are called).

mov dword ptr ss:[esp],test_1.004030ec

is equivalent to a push 4030ech instruction, which will store the address of the string cls on the stack.
This is the way parameters are passed to functions, and it tells us the string cls is at address 4030ech.

call <jmp.&msvcrt.system>                ; |\system

This will call the system function from the CRT.
The jmp in the name is due to how linking works by default with Visual Studio compilers and linkers.

So the 2 lines are passing the address of the string to the system function.

If you want to modify it, you need to check if it is in a writable section (I think not) by checking the PE sections; your debugger may have a tool for that. Or you could just try anyway, by following these steps:
inspect the memory at 4030ech, see the string, and try editing it (this is debugger dependent).

Note: I use TASM notation for hex numbers, i.e. 123h means 0x123 in C notation.
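
The "check the PE sections" step from the answer, as an added example that is not part of the original answer: it walks the section table of a 32-bit (PE32) image and reports which section holds a virtual address and whether that section is flagged writable. The image is a constructed, headers-only sample; its ImageBase and section layout are assumptions, not values read from the asker's test_1 binary, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Returns 1 if va is in a writable section, 0 if read-only, -1 on bad headers or no match. */
int va_is_writable(const uint8_t *img, size_t len, uint32_t va, char name[9]) {
    if (len < 0x40 || memcmp(img, "MZ", 2)) return -1;
    uint32_t pe = rd32(img + 0x3C);                    /* e_lfanew: offset of "PE\0\0" */
    if (pe > len || len - pe < 56 || memcmp(img + pe, "PE\0\0", 4)) return -1;
    uint16_t nsec = rd16(img + pe + 6), optsz = rd16(img + pe + 20);
    uint32_t base = rd32(img + pe + 24 + 28);          /* ImageBase (PE32 optional header) */
    size_t tbl = (size_t)pe + 24 + optsz;              /* section table follows the headers */
    if (tbl > len || (len - tbl) / 40 < nsec || va < base) return -1;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *s = img + tbl + 40u * i;        /* one 40-byte section header */
        uint32_t vsize = rd32(s + 8), rva = rd32(s + 12);
        if (vsize == 0) vsize = rd32(s + 16);          /* fall back to SizeOfRawData */
        if (va - base >= rva && va - base - rva < vsize) {
            memcpy(name, s, 8); name[8] = '\0';
            return (rd32(s + 36) & 0x80000000u) != 0;  /* IMAGE_SCN_MEM_WRITE */
        }
    }
    return -1;
}

static uint8_t sample[0x200];  /* constructed headers-only image; layout values are assumptions */
static void put_sec(uint8_t *s, const char *n, uint32_t vsize, uint32_t rva, uint32_t flags) {
    memcpy(s, n, strlen(n)); wr32(s + 8, vsize); wr32(s + 12, rva); wr32(s + 36, flags);
}
const uint8_t *build_sample(void) {
    memset(sample, 0, sizeof sample);
    memcpy(sample, "MZ", 2); wr32(sample + 0x3C, 0x80); memcpy(sample + 0x80, "PE\0\0", 4);
    sample[0x86] = 3; sample[0x94] = 0xE0;             /* NumberOfSections, SizeOfOptionalHeader */
    wr32(sample + 0xB4, 0x400000);                     /* ImageBase */
    put_sec(sample + 0x178, ".text",  0x0C00, 0x1000, 0x60000020u);  /* code, execute + read */
    put_sec(sample + 0x1A0, ".data",  0x0020, 0x2000, 0xC0000040u);  /* data, read + write */
    put_sec(sample + 0x1C8, ".rdata", 0x0200, 0x3000, 0x40000040u);  /* data, read only */
    return sample;
}

int main(void) {
    char name[9] = "";
    int w = va_is_writable(build_sample(), sizeof sample, 0x4030EC, name);
    printf("0x4030EC: section \"%s\", writable=%d\n", name, w);
    return 0;
}
```

With this constructed layout, 0x4030EC falls in a read-only section, which matches the answer's guess; a real binary has to be checked against its own section table.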
