
(reversing) return to specified location in C, assembly


I want to modify the C code and assembly code below so that only one message box pops up. Right now the 'failed' message box pops up and then the 'success' message box pops up next, but I want to know how to make only the 'success' message box pop up after the "Func" function is called.

I got a hint that the answer is related to "RET (assembly)", and I don't know how to modify not only the assembly code but also the C code. RET is the return address of the previous function, isn't it? Then how can I change this value on either side of the code?

I know the RET is saved right before the Func function is called, so how can I do it? Please, someone help me with it!

#include <windows.h>
#include <stdio.h>

void Func(int n1, char ch) {
    int sum;
    sum = n1 + ch;
}

int WINAPI WinMain(HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow) {

    Func(10, 'A'); 

    MessageBox(0, "Failed", "", 0);
    MessageBox(0, "Success", "", 0);
    return 0;
}

I compiled the C code and it looks like this in OllyDbg:

// Func 
00401000  /$  55            PUSH EBP
00401001  |.  8BEC          MOV EBP,ESP
00401003  |.  51            PUSH ECX
00401004  |.  0FBE45 0C     MOVSX EAX,BYTE PTR SS:[EBP+C]
00401008  |.  8B4D 08       MOV ECX,DWORD PTR SS:[EBP+8]
0040100B  |.  03C8          ADD ECX,EAX
0040100D  |.  894D FC       MOV DWORD PTR SS:[EBP-4],ECX
00401010  |.  8BE5          MOV ESP,EBP
00401012  |.  5D            POP EBP
00401013  \.  C3            RETN

// WinMain
00401014  /$  55            PUSH EBP
00401015  |.  8BEC          MOV EBP,ESP
00401017  |.  6A 41         PUSH 41                                  ; /Arg2 = 00000041
00401019  |.  6A 0A         PUSH 0A                                  ; |Arg1 = 0000000A
0040101B  |.  E8 E0FFFFFF   CALL test.00401000                       ; \test.00401000
00401020  |.  83C4 08       ADD ESP,8
00401023  |.  6A 00         PUSH 0                                   ; /Style = MB_OK|MB_APPLMODAL
00401025  |.  68 A0544000   PUSH test.004054A0                       ; |Title = ""
0040102A  |.  68 30504000   PUSH test.00405030                       ; |Text = "Failed"
0040102F  |.  6A 00         PUSH 0                                   ; |hOwner = NULL
00401031  |.  FF15 94404000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
00401037  |.  6A 00         PUSH 0                                   ; /Style = MB_OK|MB_APPLMODAL
00401039  |.  68 A4544000   PUSH test.004054A4                       ; |Title = ""
0040103E  |.  68 38504000   PUSH test.00405038                       ; |Text = "Success"
00401043  |.  6A 00         PUSH 0                                   ; |hOwner = NULL
00401045  |.  FF15 94404000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
0040104B  |.  33C0          XOR EAX,EAX
0040104D  |.  5D            POP EBP
0040104E  \.  C2 1000       RETN 10

Are the __stdcall, __cdecl, __fastcall calling conventions related to this question? Or maybe the RETN argument?


Solution

  • If I understand your question correctly, you need to modify your C code to make one MessageBox call disappear, without removing a call from the source code. The easiest way will be modifying the function's return address to jump directly to the second MessageBox. Let's illustrate this approach with a simple example.

    #include <stdio.h>
    
    void test(){}
    
    int main(void)
    {
        test();
    
        printf("%s\n", "test1");
        printf("%s\n", "test2");
    
        return(0);
    }
    

    Disassembly (relevant) of the main function: [screenshot of the disassembly, not reproduced here]

    The return address from the test function will be 011B17F3. If we want to skip the first printf call, we want it to be 011B1805 instead. So it has to be increased by 0x12.

    To do that, we have to retrieve the saved return address from the stack, increase it, and then write it back.

    void test()
    {
        // MSVC x86 inline assembly; relies on the standard frame set up by
        // PUSH EBP / MOV EBP,ESP, which leaves the saved return address at [ebp+4].
        __asm
        {
            mov eax, [ebp+4]   ; load the return address pushed by CALL test
            add eax, 0x12      ; skip the first printf call (011B17F3 -> 011B1805)
            mov [ebp+4], eax   ; write it back; RET will now return there
        }
    }
    

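As an added example (not code from the question or the answer), the same arithmetic applied to the asker's own OllyDbg listing: a small parser that finds the return address pushed by `CALL test.00401000`, the first argument push of the "Success" MessageBoxA call, the difference to add, and the instructions a redirected return would skip. It assumes OllyDbg's usual dump layout (address, flag column, opcode bytes, instruction, `;` comment, with `/`, `|`, `\` marking a call's argument block).

```python
import re

# Relevant WinMain lines from the question's OllyDbg dump, used here as sample input.
LISTING = r"""
0040101B  |.  E8 E0FFFFFF   CALL test.00401000                       ; \test.00401000
00401020  |.  83C4 08       ADD ESP,8
00401023  |.  6A 00         PUSH 0                                   ; /Style = MB_OK|MB_APPLMODAL
00401025  |.  68 A0544000   PUSH test.004054A0                       ; |Title = ""
0040102A  |.  68 30504000   PUSH test.00405030                       ; |Text = "Failed"
0040102F  |.  6A 00         PUSH 0                                   ; |hOwner = NULL
00401031  |.  FF15 94404000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
00401037  |.  6A 00         PUSH 0                                   ; /Style = MB_OK|MB_APPLMODAL
00401039  |.  68 A4544000   PUSH test.004054A4                       ; |Title = ""
0040103E  |.  68 38504000   PUSH test.00405038                       ; |Text = "Success"
00401043  |.  6A 00         PUSH 0                                   ; |hOwner = NULL
00401045  |.  FF15 94404000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
"""
# address, flag column, opcode bytes, then "instruction ; comment"
ROW = re.compile(r"^([0-9A-F]{8})\s+[/|\\][$.]\s+(?:[0-9A-F]{2,8} )+\s*(.*)$")

def parse_listing(text):
    """Return (address, instruction, comment) rows from an OllyDbg code dump."""
    rows = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        instr, _, comment = m.group(2).partition(";")
        rows.append((int(m.group(1), 16), instr.strip(), comment.strip()))
    return rows

def return_address_after(rows, call_target):
    """A CALL pushes the address of the instruction that follows it."""
    for i, (_, instr, _) in enumerate(rows):
        if instr == f"CALL {call_target}":
            return rows[i + 1][0]
    raise ValueError("call not found")

def first_push_of_call(rows, text_arg):
    """Address of the first argument PUSH (OllyDbg's '/' comment) of the box with this Text."""
    for i, (_, _, comment) in enumerate(rows):
        if comment.endswith(f'Text = "{text_arg}"'):
            while not rows[i][2].startswith("/"):
                i -= 1
            return rows[i][0]
    raise ValueError("message box not found")

def return_adjustment(listing, call_target, keep_text):
    """Bytes to add to the saved return address, plus the instructions the redirect skips."""
    rows = parse_listing(listing)
    ret = return_address_after(rows, call_target)
    target = first_push_of_call(rows, keep_text)
    skipped = [instr for addr, instr, _ in rows if ret <= addr < target]
    return ret, target, target - ret, skipped
```

For this listing the adjustment is 0x17 (00401020 to 00401037), and the skipped range starts with `ADD ESP,8`, the caller-side __cdecl cleanup of Func's two arguments, which a redirected return leaves undone; the answer's `test()` takes no arguments, so its skipped range has no such instruction.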