Thursday 5 May 2016

Codecave and patching

All the information shared on this website is, seriously, for educational purposes only.

Before we continue, I suggest you read these posts:
Introduction to Reverse Engineering & Starting with OllyDbg

** Read this post in full, without skipping any line, to understand everything.

I am going to write about code caving and patching. The program used in this post can be downloaded here: Download

What we are going to do is write some code of our own in the program's empty space, make it run when the program starts, and then hand control over to the program's real starting point. This method is called a code cave.

Extract and open InjectMe #1. Our goal is to inject a message box that appears when that program starts. Along the way, I will also show you how to change things inside the program.


Open InjectMe #1 in OllyDbg.

Now, right-click in the first window (the disassembler pane) and go to

Search for ----> All referenced text strings





Now you will see some strings, including "Inject a messageBox at startup: 'Injected by [your pseudo here]'".
Double-click on it and you will be taken to where that string is actually used. Note the address of that PUSH instruction, i.e. 0040152D.




Now scroll down, and you will see some empty area (rows of zero bytes) like this:

Select a few of those rows, right-click and select "Binary ------> Edit"


In the edit dialog, type "Injected by 0xl33t" in the ASCII column and click OK.

Note the address where that string starts, which in my case is 00404394.




Scroll up, go back to 0040152D and double-click on the instruction "PUSH 406028" to edit it.

Now replace it with the instruction "PUSH *your string address here*". My string address was 00404394, so I typed "PUSH 00404394". Then click on Assemble.


Now scroll down again to another empty area and create another string in the same way, this time saying "Injection" (it will be the caption of the message box).
Then pick any empty area again and edit it line by line with the code given below (these are the four arguments of MessageBoxA, pushed in reverse order, followed by the call):

PUSH 0
PUSH *new string address ( Injected )*
PUSH *your string address here*
PUSH 0
CALL MessageBoxA

Now note down the value of the EIP register, which is 00401000 (the program's entry point, where the debugger paused it).

Below the "CALL MessageBoxA" instruction, add another instruction: "JMP 00401000". This returns control to the program's real entry point after our message box has been shown.

Now, right-click on the first PUSH 0 instruction and select "New origin here". This makes EIP point at our code, so execution starts from it.



Now click the Play button (F9) at the top to run the program. You will see this:




What we actually did was write some code of our own in the program's empty space, make it run at the start of the program, and attach the program's real starting point to it. This method is called a code cave.
However, if we save the program now, it will not show this popup, because "New origin here" only changed EIP inside the debugger session: when the saved file is run, execution starts from the original entry point again. So we need to do something else to get a message box at start-up.
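To make the cave stub concrete at the byte level, here is an added Python example (written for this edit, not code from the post or from the InjectMe author) that assembles the five-instruction stub above and decodes it back. The text-string address (00404394) and the entry point (00401000) are the ones from the post; the caption address, the cave address and the IAT slot for MessageBoxA are assumptions, since the post does not give them. The point worth seeing is that the PUSHed string addresses are absolute, while the JMP (and a direct CALL) encode a displacement measured from the end of the 5-byte instruction, so they only work if you compute them for the exact address the instruction sits at:

```python
import struct

# Addresses taken from the post (32-bit image, debugged without ASLR)
ORIGINAL_ENTRY = 0x00401000   # EIP noted in the post: the program's real entry point
TEXT_ADDR      = 0x00404394   # where "Injected by 0xl33t" was typed into the empty area
# ASSUMPTIONS (not given in the post): where the "Injection" caption landed, where the
# stub itself starts, and the IAT slot that holds user32!MessageBoxA's address.
CAPTION_ADDR    = 0x004043B0
CAVE_ADDR       = 0x004043D0
MESSAGEBOXA_IAT = 0x00405010
MB_OK = 0

def push_imm8(value):
    return bytes([0x6A, value & 0xFF])           # PUSH imm8 (what OllyDbg emits for PUSH 0)

def push_imm32(value):
    return b"\x68" + struct.pack("<I", value)    # PUSH imm32: the string address, absolute

def rel32(insn_addr, target, insn_len=5):
    # E8/E9 displacements are counted from the END of the 5-byte instruction
    return struct.pack("<i", target - (insn_addr + insn_len))

def call_rel32(insn_addr, target):
    return b"\xE8" + rel32(insn_addr, target)    # direct CALL (what "CALL MessageBoxA" becomes)

def jmp_rel32(insn_addr, target):
    return b"\xE9" + rel32(insn_addr, target)    # JMP back to the original entry point

def call_via_iat(iat_slot):
    return b"\xFF\x15" + struct.pack("<I", iat_slot)  # CALL DWORD PTR [slot]: survives DLL rebasing

def build_cave_stub(cave_addr, text, caption, entry, iat_slot):
    """Assemble the post's stub: MessageBoxA(0, text, caption, MB_OK), then JMP entry."""
    code = b""
    code += push_imm8(MB_OK)         # uType     (stdcall: arguments are pushed right to left)
    code += push_imm32(caption)      # lpCaption
    code += push_imm32(text)         # lpText
    code += push_imm8(0)             # hWnd
    code += call_via_iat(iat_slot)   # CALL DWORD PTR [MessageBoxA]
    code += jmp_rel32(cave_addr + len(code), entry)  # displacement depends on where the JMP sits
    return code

def disasm_stub(code, base):
    """Decode the few encodings above back to text with absolute targets, for reviewing a cave."""
    out, i = [], 0
    while i < len(code):
        op, addr = code[i], base + i
        if op == 0x6A:
            out.append("PUSH %d" % code[i + 1]); i += 2
        elif op == 0x68:
            out.append("PUSH 0x%08X" % struct.unpack_from("<I", code, i + 1)[0]); i += 5
        elif op in (0xE8, 0xE9):
            disp = struct.unpack_from("<i", code, i + 1)[0]
            out.append("%s 0x%08X" % ("CALL" if op == 0xE8 else "JMP", addr + 5 + disp)); i += 5
        elif op == 0xFF and code[i + 1] == 0x15:
            out.append("CALL DWORD PTR [0x%08X]" % struct.unpack_from("<I", code, i + 2)[0]); i += 6
        else:
            raise ValueError("unsupported opcode 0x%02X at 0x%08X" % (op, addr))
    return out

if __name__ == "__main__":
    stub = build_cave_stub(CAVE_ADDR, TEXT_ADDR, CAPTION_ADDR, ORIGINAL_ENTRY, MESSAGEBOXA_IAT)
    print(stub.hex(" "))
    for line in disasm_stub(stub, CAVE_ADDR):
        print(line)
```

One caveat the example makes visible: when OllyDbg assembles "CALL MessageBoxA" it emits a direct E8 call to the address user32.dll happened to be loaded at in that session. That works in the debugger, but if the DLL is loaded at a different base later (ASLR), the saved file calls into garbage. Calling through the import table slot (FF 15 [slot]) as in `call_via_iat` keeps working, provided the target already imports MessageBoxA.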

If we look at 004010B0 (press Ctrl+G to go to that address), you will see a CALL 004014D3 instruction, and 004014D3 is located just after the whole run of NOP instructions (NOP means "no operation") below it. So we can simply remove that CALL instruction, because it is useless. The whole run of NOPs can then be used to hold our code, and it will execute normally. So, just write the code below in place of "CALL 004014D3". You might need to restart the program and create the strings again in the empty areas.


PUSH 0
PUSH *new string address ( Injected )*
PUSH *your string address here*
PUSH 0
CALL MessageBoxA

It should look like this (before and after):


Now you can save it by right-clicking and selecting "Copy to executable ---> All modifications", then choosing "Copy all".

Then right-click in the window that pops up and click "Save file". It will ask for a name; give it one and save it. That's it!
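Once the modified file is saved, the changes live in the file itself, which is also what lets an analyst spot them. Here is an added Python example (written for this edit, not code from the post or from the InjectMe author) that parses a 32-bit PE by hand so it needs no third-party library, lists the runs of zero bytes in executable sections that the post calls "empty area", reports executable-section slack (bytes past VirtualSize) that is no longer empty, and checks whether the entry point now starts with a JMP or CALL into that slack. The sample PE is constructed inline for the demo and is not the crackme; its stub replays the overwritten entry bytes and jumps back, the usual shape of a cave hooked at the entry point:

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

def parse_pe32(pe):
    """Return (image_base, entry_rva, sections) from the raw bytes of a 32-bit PE file."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i          # section table follows the optional header
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append(dict(name=pe[off:off + 8].rstrip(b"\0").decode(), vsize=vsize, va=va,
                             rawsize=rawsize, rawptr=rawptr,
                             chars=struct.unpack_from("<I", pe, off + 36)[0]))
    return image_base, entry_rva, sections

def exec_sections(sections):
    return [s for s in sections if s["chars"] & IMAGE_SCN_MEM_EXECUTE]

def find_caves(pe, min_len=32):
    """Runs of zero bytes in executable sections: the 'empty areas' the post writes into."""
    base, _, sections = parse_pe32(pe)
    caves = []
    for s in exec_sections(sections):
        data = pe[s["rawptr"]:s["rawptr"] + s["rawsize"]]
        i = 0
        while i < len(data):
            j = i
            while j < len(data) and data[j] == 0:
                j += 1
            if j - i >= min_len:
                caves.append((s["name"], base + s["va"] + i, j - i))   # (section, VA, length)
            i = j + 1
    return caves

def slack_in_use(pe):
    """Non-zero bytes beyond VirtualSize of an executable section: a cave someone has filled."""
    base, _, sections = parse_pe32(pe)
    hits = []
    for s in exec_sections(sections):
        slack = pe[s["rawptr"] + s["vsize"]:s["rawptr"] + s["rawsize"]]
        used = [k for k, b in enumerate(slack) if b]
        if used:
            hits.append((s["name"], base + s["va"] + s["vsize"] + used[0], used[-1] - used[0] + 1))
    return hits

def entry_redirect(pe):
    """If the entry point starts with JMP/CALL rel32, return (target_va, lands_in_slack), else None."""
    base, entry_rva, sections = parse_pe32(pe)
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + s["rawsize"]:
            off = s["rawptr"] + (entry_rva - s["va"])
            if pe[off] not in (0xE8, 0xE9):
                return None
            target = entry_rva + 5 + struct.unpack_from("<i", pe, off + 1)[0]
            in_slack = any(t["va"] + t["vsize"] <= target < t["va"] + t["rawsize"] for t in sections)
            return base + target, in_slack
    return None

def build_sample(patched):
    """CONSTRUCTED minimal PE32 with one .text section (not a real program; demo input only)."""
    base, entry_rva, vsize, rawptr, rawsize = 0x400000, 0x1000, 0x40, 0x200, 0x200
    hdr = bytearray(rawptr)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                     # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # COFF header
    struct.pack_into("<H", hdr, 0x58, 0x10B)                    # optional header magic (PE32)
    struct.pack_into("<I", hdr, 0x58 + 16, entry_rva)
    struct.pack_into("<I", hdr, 0x58 + 28, base)
    hdr[0x138:0x140] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, 0x140, vsize, 0x1000, rawsize, rawptr)
    struct.pack_into("<I", hdr, 0x15C, 0x60000020)              # CODE | EXECUTE | READ
    code = bytearray(rawsize)
    code[:13] = b"\x6A\x00\x68\x28\x60\x40\x00\xE8\x10\x00\x00\x00\xC3"  # stand-in for real code
    if patched:
        # overwrite the first two instructions (7 bytes) with a JMP to a stub at RVA 0x1100
        # that replays them and jumps back to entry+7
        stub = bytes(code[:7]) + b"\xE9" + struct.pack("<i", (entry_rva + 7) - (0x1100 + 12))
        code[0x100:0x100 + len(stub)] = stub
        code[:7] = b"\xE9" + struct.pack("<i", 0x1100 - (entry_rva + 5)) + b"\x90\x90"
    return bytes(hdr + code)

if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("patched", build_sample(True))):
        print(label, "caves:", find_caves(sample), "slack in use:", slack_in_use(sample),
              "entry redirect:", entry_redirect(sample))
```

Note the limit of the slack heuristic: a patch made in place, like replacing the CALL at 004010B0 with the stub inside the section's real code, leaves the slack untouched and only shows up as a difference against a known-good copy or hash of the file. The zero-run and entry-point checks still apply to that case, which is why all three are reported together.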



If you have any doubts or are facing any problems, please comment and I will respond ASAP.




Credits: +XyliboxFrance for the InjectMe.
