The last time Hackerfall tried to access this page, it returned a not found error. A cached version of the page is below, or click here to continue anyway

Runtime memory patching on x86/x64 Polystream My title

Hey Mikey, I think he likes it! Job done right? Yes, but we can do even better. Fast iteration is the key to productivity and this solution is not that convenient if we need to do it more than once. But first lets understand what steps were taken above:

In this example the assert is simulated by a Microsoft specific intrinsic __debugbreak, which generates the INT 3 instruction. For Clang / LLVM this instruction is generated by the __builtin_debugtrap intrinsic function. This is an interrupt that the debugger understands so it can break at that point. The C assert function will also generate this instruction.

Since we would like to replace this instruction with a NOP, the first thing to do is to find where that instruction is in memory, which Visual Studio conveniently points out with a yellow arrow as the next one to be executed.

Now we know that the debugger is breaking on an INT 3 instruction and that the opcode for this instruction is 0xcc, as thats the first opcode that is visible when we paste the instructions address in the memory window. However we dont know what the opcode of NOP is. To answer that we need some reference like the intel architecture software manual or a helpful page. If you search that page for the cc opcode you will find the INT 3 instruction and if you look for the NOP instruction you will find the opcode 90. Now it is just a matter of replacing the opcode in the memory window - Make sure that Reevaluate Automatically is enabled so you can see the changes on the fly.

Since we now understand this solution, we can develop a better one. The first step is to realise that the EIP (x86) / RIP (x64) register is already pointing to the address of the next instruction to be executed. No more copypasta!

Type RIP in Visual Studios watch window (or EIP on x86) and you will get the registers integer value, which is not very convenient, but after dereferencing it to char*, then you can type the decimal representation of 0x90 which is 144, like so:

Continue reading on