Changing parameters of function call

Septimus · March 7, 2019, 8:54pm

Hello guys,

I’m trying to unlock features in an executable, it’s an exemple for education purposes only.
So basicaly to make some features unreachable i just don’t pass a parameter to a function.

Here is as exemple of code:

void myDumbFunction(void *param1, void *param2, void *param3, void *param4)
{
theFunctionICall(param_1,param_2,0,param_4);
return;
}

The compiled version look like this

                         **************************************************************
                         *                          FUNCTION                          *
                         **************************************************************
                         undefined __stdcall FUN_004013c0(undefined4 param_1, und
         undefined         AL:1           <RETURN>
         undefined4        Stack[0x4]:4   param_1                                 XREF[1]:     004013dc(R)  
         undefined4        Stack[0x8]:4   param_2                                 XREF[1]:     004013d5(R)  
         undefined4        Stack[0xc]:4   param_3
         undefined4        Stack[0x10]:4  param_4                                 XREF[1]:     004013c6(R)  
         undefined4        Stack[-0x10]:4 local_10                                XREF[1]:     004013c9(W)  
         undefined4        Stack[-0x14]:4 local_14                                XREF[1]:     004013cd(W)  
         undefined4        Stack[-0x18]:4 local_18                                XREF[1]:     004013d8(W)  
         undefined4        Stack[-0x1c]:4 local_1c                                XREF[1]:     004013df(*)  
                         FUN_004013c0                                    XREF[1]:     FUN_004047e0:00404886(c)  
    004013c0 55              PUSH       EBP
    004013c1 89 e5           MOV        EBP,ESP
    004013c3 83 ec 18        SUB        ESP,0x18
    004013c6 8b 45 14        MOV        EAX,dword ptr [EBP + param_4]
    004013c9 89 44 24 0c     MOV        dword ptr [ESP + local_10],EAX
    004013cd c7 44 24        MOV        dword ptr [ESP + local_14],0x0
             08 00 00 
             00 00
    004013d5 8b 45 0c        MOV        EAX,dword ptr [EBP + param_2]
    004013d8 89 44 24 04     MOV        dword ptr [ESP + local_18],EAX
    004013dc 8b 45 08        MOV        EAX,dword ptr [EBP + param_1]
    004013df 89 04 24        MOV        dword ptr [ESP]=>local_1c,EAX
    004013e2 a1 d4 b5        MOV        EAX,[->theFunctionICall = 0000c76c
             40 00
    004013e7 ff d0           CALL       EAX=>theFunctionICall
    004013e9 c9              LEAVE
    004013ea c2 10 00        RET        0x10

How can i change the third parameter 0 to the param3 ?

Leeky · March 7, 2019, 9:40pm

Assuming I understand what you want to archive right, patching

    004013cd c7 44 24        MOV        dword ptr [ESP + local_14],0x0
             08 00 00 
             00 00

to

    004013cd 8b 45 10        MOV        EAX, dword ptr [EBP + param_3]
    004013d0 89 44 24 08     MOV        dword ptr [ESP + local_14], EAX
    004013d4 90              NOP

should work.

NOTWORKS · March 8, 2019, 5:17am

This should mean function (){}, right?.

Septimus · March 8, 2019, 7:00am

No sorry i mean i don t pass the param3 that i receive when calling theFunctionICall

Septimus · March 8, 2019, 7:02am

You are right but i can’t add a line of assembly in IDA or Radar2, i can only modify one. Anybody know a simple way to achive this ?

Replacing 0 by EAX is easy but i don’t know how to move my param3 in it

system · April 6, 2019, 8:54pm

This topic was automatically closed after 30 days. New replies are no longer allowed.