#include <stdio.h>
#include <string.h>
#include <windows.h>

/* Machine code of a recursive 32-bit x86 __stdcall function, taken from the
   compiled object code with the two E8 (call rel32) displacements patched by hand. */
const unsigned char function_data[] =
{
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x40, 0x53, 0x56, 0x57, 0x83, 0x7D, 0x08, 0x00, 0x7F, 0x04, 0x33,
0xC0, 0xEB, 0x29, 0x83, 0x7D, 0x08, 0x01, 0x75, 0x07, 0xB8, 0x01, 0x00, 0x00, 0x00, 0xEB, 0x1C,
0x8B, 0x45, 0x08, 0x83, 0xE8, 0x01, 0x50, 0xE8, 0xD4, 0xFF, 0xFF, 0xFF, 0x8B, 0xF0, 0x8B, 0x4D,
0x08, 0x83, 0xE9, 0x02, 0x51, 0xE8, 0xC6, 0xFF, 0xFF, 0xFF, 0x03, 0xC6, 0x5F, 0x5E, 0x5B, 0x8B,
0xE5, 0x5D, 0xC2, 0x04, 0x00
};

int main()
{
    int (__stdcall *fptr)(int);
    int a;
    /* The post cast function_data straight to a function pointer. With DEP
       enabled that read-only data page is not executable, so the bytes are
       copied into memory explicitly allocated as executable first. */
    void *exec_mem = VirtualAlloc(NULL, sizeof(function_data),
                                  MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (exec_mem == NULL)
        return 1;
    memcpy(exec_mem, function_data, sizeof(function_data));
    fptr = (int (__stdcall *)(int))exec_mem;
    a = fptr(5);
    printf("Test function returned: %d\n", a);
    VirtualFree(exec_mem, 0, MEM_RELEASE);
    return 0;
}
It will only run on an x86 machine I suspect.
To generate the machine code, I used the object code the compiler produced for the function I wanted to run. The only change I had to make was to fix up the call targets to the correct locations. For instance, the sequence of bytes E8 D4 FF FF FF was originally E8 00 00 00 00, which is a relative call with a displacement of 0. The linker would normally have replaced that displacement with the correct distance to the called function (this is a recursive function, so the target is the start of this same code). So I calculated the correct offset and stuck it in there, and did the same with the E8 C6 FF FF FF. D4 FF FF FF is the little-endian 32-bit value -44 decimal: the distance from the end of that call instruction back to the start of the function.
In addition, it's possible to read the bytes directly from the object file, but then the call fixups would have to be done automatically, which I haven't set up yet. If there are easier ways to do that, I'd love to know.
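The fixup described above, done by a script instead of by hand, as an added example that is not part of the original post: given the offsets of the two CALL instructions (39 and 53, read off the listing; for a real object file they would come from its relocation entries) it recomputes the rel32 displacements and reproduces the post's bytes.

```python
import struct

# Final, hand-patched bytes exactly as listed in the post (32-bit x86, __stdcall).
FUNCTION_DATA = bytes([
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x40, 0x53, 0x56, 0x57, 0x83, 0x7D, 0x08, 0x00, 0x7F, 0x04, 0x33,
    0xC0, 0xEB, 0x29, 0x83, 0x7D, 0x08, 0x01, 0x75, 0x07, 0xB8, 0x01, 0x00, 0x00, 0x00, 0xEB, 0x1C,
    0x8B, 0x45, 0x08, 0x83, 0xE8, 0x01, 0x50, 0xE8, 0xD4, 0xFF, 0xFF, 0xFF, 0x8B, 0xF0, 0x8B, 0x4D,
    0x08, 0x83, 0xE9, 0x02, 0x51, 0xE8, 0xC6, 0xFF, 0xFF, 0xFF, 0x03, 0xC6, 0x5F, 0x5E, 0x5B, 0x8B,
    0xE5, 0x5D, 0xC2, 0x04, 0x00,
])

CALL_OPCODE = 0xE8  # CALL rel32: one opcode byte plus a signed 32-bit displacement
CALL_LEN = 5
# Offsets of the two CALL instructions, read off the listing (assumption: for a
# real object file these would come from its relocation entries, not a byte scan).
CALL_SITES = (39, 53)

def rel32(call_offset, target):
    """Displacement a CALL at call_offset needs to reach target: the CPU adds
    rel32 to the address of the next instruction, i.e. call_offset + 5."""
    return target - (call_offset + CALL_LEN)

def patch_calls(code, call_sites, target):
    """Return a copy of code with every CALL at call_sites redirected to target."""
    buf = bytearray(code)
    for off in call_sites:
        if buf[off] != CALL_OPCODE:
            raise ValueError(f"no CALL opcode at offset {off}")
        buf[off + 1:off + CALL_LEN] = struct.pack("<i", rel32(off, target))
    return bytes(buf)

def call_targets(code, call_sites):
    """Decode where each CALL actually lands, as an offset from byte 0."""
    return [off + CALL_LEN + struct.unpack_from("<i", code, off + 1)[0]
            for off in call_sites]

# Constructed: the bytes as the compiler emits them before linking, with both
# calls still E8 00 00 00 00 (displacement 0), which is what the post started from.
_buf = bytearray(FUNCTION_DATA)
for _off in CALL_SITES:
    _buf[_off + 1:_off + CALL_LEN] = bytes(4)
UNLINKED = bytes(_buf)

if __name__ == "__main__":
    print("unlinked calls land at", call_targets(UNLINKED, CALL_SITES))  # [44, 58]
    print("rel32 needed:", [rel32(off, 0) for off in CALL_SITES])         # [-44, -58]
    print("patched == post:", patch_calls(UNLINKED, CALL_SITES, 0) == FUNCTION_DATA)  # True
```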