
Hi guys, 

I would like to know how to change the following EntryPoints at run-time
00544B9B JE to JMP
00577D19 JE to JMP
0060C9C8 JE to JMP

Found those entrypoints with OllyDBG, but they are only there when the software is running.
Since I cannot change them and save the executable, I would have to inject something to change the JE to JMP.

Anybody that can help me a little bit so i know where to start and if it's even possible. 

Thanks in advance.


That can be achieved by editing the instruction bytes at run-time.

There are two types of JE/JZ, which are near and short jumps, and the main difference is that short jumps only jump a distance of a byte while near jumps can jump a distance of up to 4 bytes.

You will need to identify which it is, because the new bytes representing the JMP instruction will vary based on the jump distance: if the distance is short, the new byte should be 0xEB, while for the near jump it will be 0xE9. Keep in mind that a near JE instruction code is 2 bytes long while the near JMP code is 1 byte long, so you will need to account for that.


Thanks for the answer. 
I have to check if it's a short or not; for the first 2 I know for sure, the 3rd I would have to check.

I have to do it in memory since the data is loaded after the executable is running.
Could C# be the language to do this in?


I usually use C++ for things like this. Lower level Windows APIs are all in C/C++, so you'll have much finer control of memory and processes on Windows from C++. For example, if you wanted to create a new process in a suspended state and then modify its memory, you could use CreateProcess with a creation flag (CREATE_SUSPENDED). You don't have that option from C# ProcessStartInfo class. You can always use C# and use PInvokes, but I don't think it's an appropriate use for the language. Plus, if you want to inject a library as well, it means you'd be using two separate languages at that point (or trying to inject the .NET runtime which is extremely painful). Those are my two cents on the topic.

