How do you find a function's virtual call address in assembly?

I've googled around but I'm not sure whether I am asking the right question or not, and I couldn't find much regardless; perhaps a link would be helpful.
I made a C++ program that shows a message box, then I opened it up with OllyDbg and went to the part where it calls MessageBoxW.
The call address of MessageBoxW changes each time I run the app, as Windows is updating my import table to have the correct address of MessageBoxW. So my question is: how do I find the virtual address of MessageBoxW in my import table, and also how can I use this in OllyDbg?
Basically I'm trying to make a code cave in assembly to call MessageBoxW again.
I got fairly close once by searching the executable with a hex editor and found the position of the call, and I think I found the virtual address. But when I called that virtual address in Olly and saved it to the executable, the next time I opened it the call was replaced with a bunch of DB xyz (which looked like the virtual address, but why did the call get removed?).
Sorry if my terminology is off; as I'm new to this I'm not quite sure what to call things.

(reply to comment on original post)
Ah, no, the address specified in the "call" opcode is relative to the call instruction. However, for imported functions, it's most likely an indirect call (which reads the function's address from a memory location).
There is really no "official"/reliable way to get the address of any function without access to the import segment. If you are patching a certain executable, just look at the values Windows places in its import segment. If you are injecting code from another process, you can rely on the fact that the address of a function in a system DLL will remain the same, relative to the DLL's load address. It is also possible to manually locate and parse the program's import segment in memory.

1- Find the address of MessageBox in your executable module. Suppose your exe file is a1.exe:
Executable modules > select a1.exe > press Ctrl+N and find the address of MessageBox. Suppose the address is 00402008.
2- Use the machine code ff25 08204000 to call MessageBox, but before that push the parameters and push your EIP as the return address.
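As an added example (not code from this thread or from OllyDbg), here is a small Python decoder/encoder for the instruction forms the answers refer to: the relative E8 call, and the indirect FF 15 / FF 25 forms that read the real address from an import-table (IAT) slot. The slot address 00402008 is taken from the answer above; the value stored in that slot is a constructed stand-in for the address Windows writes at load time.

```python
# Added example: decode and re-encode the x86 call/jmp forms discussed above,
# to show why a direct E8 call is relative to its own address while an
# imported function such as MessageBoxW is reached indirectly through an
# IAT slot like 00402008, whose contents Windows fills in at load time.
import struct

# Constructed IAT for the example: slot address -> dword Windows wrote there.
# 0x7E4507EA is a made-up value standing in for the real MessageBoxW address.
FAKE_IAT = {0x00402008: 0x7E4507EA}


def decode(code: bytes, eip: int) -> dict:
    """Decode one instruction at address `eip`: E8 rel32, FF 15 [imm32] or FF 25 [imm32]."""
    if code[0] == 0xE8 and len(code) >= 5:
        rel = struct.unpack_from("<i", code, 1)[0]          # signed displacement
        # The displacement is measured from the END of the 5-byte instruction.
        return {"form": "call rel32", "target": (eip + 5 + rel) & 0xFFFFFFFF,
                "slot": None, "length": 5}
    if code[0] == 0xFF and len(code) >= 6 and code[1] in (0x15, 0x25):
        slot = struct.unpack_from("<I", code, 2)[0]         # absolute address of the IAT slot
        form = "call dword ptr [imm32]" if code[1] == 0x15 else "jmp dword ptr [imm32]"
        return {"form": form, "target": None, "slot": slot, "length": 6}
    raise ValueError("unsupported encoding: %s" % code[:2].hex())


def resolve(instr: dict, iat: dict) -> int:
    """Final destination: a direct call carries it; an indirect one reads it from the IAT slot."""
    if instr["target"] is not None:
        return instr["target"]
    return iat[instr["slot"]]


def encode_relative_call(eip: int, target: int) -> bytes:
    """E8 rel32: only correct when placed at `eip`; moving the bytes changes the target."""
    return b"\xE8" + struct.pack("<i", target - (eip + 5))


def encode_indirect_call(slot: int) -> bytes:
    """FF 15 imm32: call through an IAT slot; correct wherever the bytes are placed."""
    return b"\xFF\x15" + struct.pack("<I", slot)


def encode_indirect_jmp(slot: int) -> bytes:
    """FF 25 imm32: jmp through an IAT slot (the 'ff25 08204000' form shown in the answer)."""
    return b"\xFF\x25" + struct.pack("<I", slot)


def relocation_demo() -> tuple:
    """Copy both encodings 0x100 bytes further along: the E8 target drifts with the
    instruction, while the FF 15 form still lands on the function via the IAT."""
    direct = encode_relative_call(0x00401000, 0x00401050)
    indirect = encode_indirect_call(0x00402008)
    moved_direct = resolve(decode(direct, 0x00401100), FAKE_IAT)      # now 0x00401150
    moved_indirect = resolve(decode(indirect, 0x00401100), FAKE_IAT)  # still 0x7E4507EA
    return moved_direct, moved_indirect


if __name__ == "__main__":
    print(encode_indirect_jmp(0x00402008).hex())            # ff2508204000
    print([hex(v) for v in relocation_demo()])              # ['0x401150', '0x7e4507ea']
```

This is also why a relative call that was byte-copied into a code cave points somewhere else than the original did.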

Verify a Tif with ApprovalTests

I have been asked to update a system where header information gets injected into a TIF via a 3rd-party console application. I don't need to worry about that bit.
The part I have been asked to look at is the merge process that generates the header information.
The current file generated by the process is assumed to be correct before I make any changes, so I want to add this as an approved result; from that I can then check that the changes I make alter the file as expected.
I thought this would be a good opportunity to look at using ApprovalTests.
The problem I have is that, for whatever reason, the links to the videos are considered corruptible (possibly showing me kittens jumping into boxes or something, which will stop me working, which ironically means I slow down my work because I cannot see any help videos).
What I have been looking at is the Approvals.Verify and Approvals.VerifyFile extensions.
But what appears to be happening is confusing me.
Using VerifyFile creates a received file, but the contents of the file are just a line with the name of the file I have asked it to verify.
Using Verify(new FileInfo("FileNameHere")) does not appear to generate the received file that I need to flag as approved, but the test does return saying that it cannot find the approved TIF file.
I am probably using VerifyFile completely wrong and might be looking at using Verify wrong as well.
Useful info?
It might be useful to know that, as this is a legacy application running as a Windows service, I have wrapped the service in a harness that allows me to call the routines, so the files are physically being written elsewhere on the machine, outside of my control (well, there is a config, but the return of the service I call generates a file in a fixed location if it is successful). I have tried copying that into the unit test project, but that doesn't appear to help.
Verify(File) and VerifyFile(string) are both meant to verify an existing file. As such, they merely set the received file to the file you pass in. You will still need to move/approve/create the approved file.
Here is the pseudo code and process.
using ApprovalTests;
using ApprovalTests.Reporters;

[UseReporter(typeof(DiffReporter), typeof(ClipboardReporter))]
public void TestTiff()
{
    // add your test framework's attribute ([Test], [TestMethod], ...) to this method
    string tif = YourProcessToCreateTifFile();
    Approvals.VerifyFile(tif);
}
[Note: if you don't have an image diff installed, like TortoiseDiff, you might want to use the FileLauncherReporter]
Run this, once you get the result, move the file over by pasting your clipboard into a cmd window.
It will move the temporary tif to your test directory with the name ClassName.TestTiff.approved.tif
After that the test should pass until something changes.
Happy Testing!

Manifest for dependencies on items other than the main executable?

I'll explain what I'm trying to do (and why) first and then get more into the details.
I'm trying to get Registration-Free COM activation working in the context of a language that is compiled JIT. I use Reg-Free COM because I would like to avoid having to register my COM component and would like this application to be installable without administrative rights.
The JIT compiler is the main executable; it is signed and contains an embedded manifest. The latest versions of Windows prefer the embedded manifest over an external one by default (it was the opposite on Windows XP).
Since the JIT is signed, I cannot extract/modify/update its manifest without breaking the signing. Also, this would introduce complexity in the maintenance of our application (always making sure we embed a new manifest). And there are also the legal implications of modifying a program for which I don't own the rights.
So, my idea was to try to get the WinSxS activation going through a Win32 wrapper library for which I would provide a manifest that lists the dependencies. As a proof of concept, I decided to make a simple VB6 app, a C++ wrapper library and two COM libraries (one in .NET and one in VB6).
The wrapper contains 3 methods: one that calls the VB6 COM, one that calls the .NET COM and one that returns a simple string.
As long as all my COMs are registered, it works, of course.
If I unregister them, provide manifests for the COMs and add them as dependencies to the main executable's manifest, it works.
If I unregister them, provide manifests for the COMs and the C++ wrapper, add the COMs as dependencies of the C++ wrapper and then add the C++ wrapper as the only dependency in the main executable's manifest, it works.
If I delete my main executable's manifest, the COM calls stop working but the simple string method still works.
Please note that for all my tests, I run a PowerShell script that changes the Modified Date of all my files, making sure to trip the activation context cache (manifest).
From there, I started debugging using SXSTrace.exe and setting the COMPlus_LoadLogDir variable. I found out that if my manifest is external, it never gets taken into consideration. I also found out that if I embed it in the .DLL, sxstrace shows it is found and parsed, that the dependencies are found and their manifests found, and I get the usual successful context activation lines in the log:
INFO: Parsing Manifest File C:\RegFreeComWrapper\bin\vbCom.MANIFEST.
INFO: Manifest Definition Identity is vbCom,type="win32",version="1.0.0.0".
INFO: Parsing Manifest File C:\RegFreeComWrapper\bin\netCom.MANIFEST.
INFO: Manifest Definition Identity is netCom,processorArchitecture="msil",version="1.0.0.0".
INFO: Activation Context generation succeeded.
End Activation Context Generation.
However, even though the log says that, my COM calls still don't go through.
When the call goes through for the .NET COM call, I get some output in the COMPlus_CLRLoadLogDir configured path.
In this case, I don't get any output.
As soon as I add the manifest that only lists my C++ wrapper as a dependency to my main executable, everything starts working again. I get a similar output from SXSTrace, but now the COM call works. As mentioned, in all cases, the C++ wrapper's simple string method works, meaning that even though I have no manifest for my main executable, it can still find my .dll and call it.
It seems like the COMs don't work if I don't have the full manifest chain:
Application.Manifest > Wrapper.Manifest > COMs manifests
So, two things here...
1. Is the thing I'm trying to do even possible? (Having dependencies listed only in the manifest of a DLL that belongs to me, without touching the main executable's manifest.)
2. If it is possible, I'm probably only missing a small thing to get everything going... what is it? :)
I can provide all my code/executables as examples, should someone be interested in trying stuff with them.
Got it working!
I modified my C++ wrapper to use the Activation Context API and force a context activation using 'ActivateActCtx':
http://msdn.microsoft.com/en-us/library/aa374151(v=vs.85).aspx
I wrapped my code with their example's code and made sure to reference my manifests and now all is working fine. No manifest on my main executable!

Protect Air application content

On Mac OS, I see that all the content of my application can be read (mxml and as files).
Indeed, with a right click on the application, you can see all the application content and so all the files.
So it's very dangerous for a company to distribute an AIR application like that.
Does a solution exist to protect those files?
Thanks
It is not possible to protect your code 100%. After all, if the computer can run it, it can be decompiled, regardless of the language. However, you can make it more difficult.
One method is to encrypt the swf as stated in another answer. But all the "attacker" needs to do is find the key and then they can decrypt all your swfs.
Another method is to use obfuscators. Obfuscators don't depend on encryption, nor do they prevent decompiling; they just make it harder to understand what gets decompiled.
For example, if you had a method called saveInvoice(), the obfuscator would rename it to aa1() or something like that, so it would make it difficult to guess what that function does. It basically turns everything into spaghetti code.
You can use a decompiler to see what can be obtained from a SWF file (which is a lot), and play with obfuscators to see if they meet your expectations.
An example of one is http://www.kindi.com/, which I'm not endorsing btw; it just shows up quickly on Google.
Although there are loads of decompilers which can read all your code, there is one guy who came up with an encryption solution; it might be worth a try. (It's for desktop AIR applications.)
Have a look at this post: http://forums.adobe.com/message/3510525#3510525
Quoted text (in case the page gets erased):
The method I use will allow you to encrypt most of your source code using
a key that is unique to every computer. The initial download of my software is a simple AIR app that does not contain the actual program. It is more like a shell that first retrieves a list of the client's MAC addresses and the user-entered activation code that is created at time of purchase. This is sent to the server and logged. The activation code is saved to a file client side. At the server the MAC address and activation key are used to create the encryption key. The bulk of the program code is then encrypted using that key, then divided into parts and sent back to the client. The client puts the parts back together and saves the encrypted file. At runtime the shell finds the MAC address list and the activation key, then using the same method as the server gets the encryption key and decrypts the program file. Run a simple check to make sure it loaded. For encryption I found an AES method that works in PHP and JavaScript.
Next I use this code to load the program:
var loader = air.HTMLLoader.createRootWindow(true, options, true, windowBounds);
loader.cacheResponse=false;
loader.placeLoadStringContentInApplicationSandbox=true;
loader.loadString(page);
This method makes it very difficult to copy to another computer, although since I wrote it I know there are some weaknesses in the security, but to make it harder I obfuscate the shell code. It at least keeps most from pirating. However, there are issues with this that I have found. First I was using networkInfo to get the list of MAC addresses, but this failed on a test Windows XP computer. When the wireless was off it did not return the MAC. I was not able to recreate this in Vista or 7. Not sure if it could happen. It was not tested on a Mac computer. To fix this (at least for Windows), I wrote a simple bat file that gets the MAC list, then converted it to an exe which is included. This does force you to create native installers. Call the exe with this:
var nativeProcessStartupInfo = new air.NativeProcessStartupInfo();
var file = air.File.applicationDirectory.resolvePath("findmac.exe");
nativeProcessStartupInfo.executable = file;
var process = new air.NativeProcess();
// register the listeners before start() so no early output or the exit event is missed
process.addEventListener(air.ProgressEvent.STANDARD_OUTPUT_DATA, onOutputData);
process.addEventListener(air.ProgressEvent.STANDARD_ERROR_DATA, onErrorData);
process.addEventListener(air.NativeProcessExitEvent.EXIT, onExit);
process.addEventListener(air.IOErrorEvent.STANDARD_OUTPUT_IO_ERROR, onIOError);
process.addEventListener(air.IOErrorEvent.STANDARD_ERROR_IO_ERROR, onIOError);
process.start(nativeProcessStartupInfo);
Put the list together in the onOutputData event using array.push and continue in the onExit event. Using findmac.exe will return the same info every time (that I know of). Beware though that using the native install will break the standard application update process, so you will have to write your own. My updates are processed the same way as above. This is the contents of the .bat file to get the MAC list:
@Echo off
SETLOCAL
SET MAC=
SET Media=Connected
FOR /F "Tokens=1-2 Delims=:" %%a in ('ipconfig /all ^| FIND "Physical Address"') do @echo %%b
ENDLOCAL
Using this method makes it simple to implement a try-before-you-buy method: at runtime, if there is no activation code, get the try-me version from the server instead of the full version.

Why can't Matlab see my function?

My function is definitely working; it's tested and was at one point being recognized.
Here's the function prototype:
function [X Y] = calculateEllipse(x, y, a, b, angle)
%# Code here
end
Here's the call I'm making from the Matlab terminal:
calculateEllipse (612, 391, 107, 60, 331)
Here's the error popping out at me:
??? Undefined function or method 'calculateEllipse' for input arguments of type 'double'.
Now, I am 100% positive I am in the same directory as the function. I even used
addpath('C:\path-to-function')
to make sure. It's just not working, and I'm baffled.
Any help is appreciated.
To summarise other posts, here is a workflow for determining the cause of the problem.
1. You mistyped the name of the function. Check the function definition and make sure it really is called calculateEllipse.
2. You saved the function to a file named something other than the function name. Check the filename of the function and make sure it matches the function name.
3. The folder containing the function isn't on the MATLAB path. There are several ways to check this. Type path to see the current path, or which calculateEllipse to find the location that MATLAB is using for that file. (If there is a problem, that last command will display 'calculateEllipse' not found.) Note that addpath does not permanently update the path, so when you close down MATLAB, the path will be reset. Use savepath for this.
4. The folder containing the function is a subdirectory of matlabroot. These folders are reserved for fully fledged toolboxes; bad things happen when you store your code here. See Bob's answer for more information.
Other useful things to check are:
Can you call other functions that are stored in the same folder?
If you save the function in a different folder, will it run then?
Adding to what Jeff said: another possibility is that you placed the function somewhere inside of your MATLAB installation. By default MATLAB doesn't re-search its own file structure for new files; it assumes that its internal file structure remains unchanging. Make sure that you're saving the file (which, as Jeff pointed out, must be named calculateEllipse.m) somewhere outside of your MATLAB installation.
See https://www.mathworks.com/help/matlab/matlab_env/toolbox-path-caching-in-the-matlab-program.html, or go to the MathWorks web site and search for "path cache" for more information.
The key to this problem is this: %Has no license available. This implies that a function in the directory of the function you are trying to use has the same name as a function in a toolbox you do not own. MATLAB by default disables the whole directory and not just the function of the same name in a toolbox you do not own. Here is an example:
files in directory:
myfunction.m
scoobydoo.m
blackman.m
If I do not own the "Signal processing toolbox," then blackman.m will disable the whole directory.
I can think of a couple of reasons this could happen.
First, as Jeff said, you could have named the file 'calcEllipse.m' instead of 'calculateEllipse.m', in which case you need to rename the function to be the same as the m file you saved.
Second, you have not added the correct path. To my knowledge there is no other reason for this to give an error. Double check that you have added the path to the m file that is being saved. An easy way to check: if you type in 'calculateEll' and then press Tab, does the autocomplete work? If not, you are not on the path.
Hope it is one of those things you can quickly fix!

MATLAB error: Undefined function or method X for input arguments of type 'double' [duplicate]

I'm a new user of Matlab, can you please help:
I have the following code in an .M file:
function f = divrat(w, C)
S=sqrt(diag(diag(C)));
s=diag(S);
f=sqrt(w'*C*w)/(w'*s);
I have stored this file (divrat.M) in the normal MATLAB path, and therefore I'm assuming that MATLAB will read the function when it starts and that this function should therefore be available to use.
However, when I type
>> divrat(w, C)
I get the following error
??? Undefined function or method 'divrat' for input arguments of type 'double'.
What is the error message telling me to do? I can't see any error in the code or the function call.
You get this error when the function isn't on the MATLAB path or in pwd.
First, make sure that you are able to find the function using:
>> which divrat
c:\work\divrat\divrat.m
If it returns:
>> which divrat
'divrat' not found.
It is not on the MATLAB path or in PWD.
Second, make sure that the directory that contains divrat is on the MATLAB path using the PATH command. It may be that a directory that you thought was on the path isn't actually on the path.
Finally, make sure you aren't using a "private" directory. If divrat is in a directory named private, it will be accessible by functions in the parent directory, but not from the MATLAB command line:
>> foo
ans =
1
>> divrat(1,1)
??? Undefined function or method 'divrat' for input arguments of type 'double'.
>> which -all divrat
c:\work\divrat\private\divrat.m % Private to divrat
As others have pointed out, this is very probably a problem with the folder of the function file not being on MATLAB's path.
One easy way to verify this is to open your function in the Editor and press the F5 key. This makes the Editor try to run the file, and if the file is not on the path, it will prompt you with a message box. Choose Add to Path there, and you should be good to go.
One side note: at the end of the above process, the MATLAB command window will give an error saying arguments are missing: obviously, we didn't provide any arguments when we tried to run from the editor. But from now on you can use the function from the command line, giving the correct arguments.
The most common cause of this problem is that MATLAB cannot find the file on its search path. Basically, MATLAB looks for files in:
The current directory (pwd);
Directly in a directory on the path (to see the path, type path at the command line);
In a directory named @(whatever the class of the first argument is) that is in any directory above.
As someone else suggested, you can use the command which, but that is often unhelpful in this case: it tells you MATLAB can't find the file, which you knew already.
So the first thing to do is make sure the file is locatable on the path.
The next thing to do is make sure that the file MATLAB is finding (use which) requires the same type as the first argument you are actually passing. I.e., if w is supposed to be a different class, and there is a divrat function there, but w is actually empty, [], then MATLAB is looking for double/divrat when there is only a @(yourclass)/divrat. This is just speculation on my part, but this often bites me.
The function itself is valid MATLAB code. The problem must be something else.
Try calling the function from within the directory it is located in, or add that directory to your search path using addpath('pathname').
The error indicates the function definition cannot be found. Make sure you're calling the function from the same workspace the divrat.m file is stored in. And make sure the divrat function is not a subfunction; it should be the first function declaration in the file. You can also try to call the function from the same divrat.m file in order to see if the problem is with the workspace selection or with the function.
By the way, why didn't you simply say
s = sqrt(diag(C));
Wouldn't it be the same?
Also, name it divrat.m, not divrat.M. This shouldn't matter on most OSes, but who knows...
You can also test whether matlab can find a function by using the which command, i.e.
which divrat
I am pretty sure that the reason this problem happened is the license of the toolbox (package) this function belongs to. Write which divrat and see what the result is. If it returns the path of the function and the comment Has no license available, then the problem is related to the license. That means the license of the package is not set correctly. Mostly it happens if the package (toolbox) of this function was added later, i.e., after the installation of the original MATLAB. Please check and solve the license issue; then it will work fine.