I have to write a lot of data decoders, so I am always experimenting with new techniques. One realization I had last night is that I could use the /patch option in scdbg to load code fragments from executables and run them directly.
Using the example code from a previous article, I cooked up a quick patch to test it. The whole process took about 10 minutes, which is quite efficient.
The steps were:
Find the start and end offsets of the target function block(s).
Extract the function bytes as hex blob(s).
Extract a hex blob of the data to decode.
Figure out which memory offsets to use (keeping the original function base).
If using an API for data display, find its address with -lookup.
The demo I used has a main decoder function, which also calls out to strlen and chkesp; those were patched in as well. The cool thing about this trick is that you can keep all your subfunctions at their proper virtual addresses very easily.
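As an added example (not code from the original post, and not part of scdbg itself), here is the preparation side of those steps as a small Python script: it walks the PE section table to turn virtual addresses into file offsets, lifts the function and data bytes while keeping their original base, flags `call` sites that leave the lifted ranges (the strlen/chkesp situation) or go through an import pointer, and assembles the `call eax` stub. The sample PE image, its 22-byte XOR decoder, the helper at 0x401040, the encoded string and the `va:hex` listing format are all constructed for illustration; scdbg's real patch-file syntax and load base are not reproduced here, so take the format from the patch generator rather than from this listing.

```python
"""Preparation for an scdbg /patch run (added example): lift decoder and data
bytes out of a PE at their original virtual addresses, flag calls that leave
the lifted ranges, and assemble the position-independent caller stub.
The sample PE, its bytes and the va:hex listing format are all constructed."""
import struct


def parse_pe(pe: bytes):
    """Return (image_base, [(name, rva, vsize, raw_ptr, raw_size), ...])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:        # PE32: ImageBase is a DWORD at optional header +28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:      # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name, vsize, rva, rsize, rptr = struct.unpack_from("<8sIIII", pe, hdr)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize, rptr, rsize))
    return image_base, sections


def va_to_offset(pe: bytes, va: int) -> int:
    """Map a virtual address to a file offset via the section table."""
    image_base, sections = parse_pe(pe)
    rva = va - image_base
    for _, srva, vsize, rptr, rsize in sections:
        if srva <= rva < srva + max(vsize, rsize):
            if rva - srva >= rsize:
                raise ValueError(f"VA {va:#x} is not backed by file data")
            return rptr + (rva - srva)
    raise ValueError(f"VA {va:#x} is not inside any section")


def extract_bytes(pe: bytes, va_start: int, va_end: int) -> bytes:
    """Lift the bytes for [va_start, va_end) exactly as they sit on disk."""
    off = va_to_offset(pe, va_start)
    va_to_offset(pe, va_end - 1)          # raises if the tail is not file-backed
    return pe[off:off + (va_end - va_start)]


def find_external_calls(blocks):
    """Heuristic check for 'keep the offsets right': linear scan of each lifted
    block for E8 rel32 calls whose target is outside every lifted range (a
    sub-function you still have to patch in) and FF 15 [imm32] calls (almost
    always an import, which a patch cannot satisfy). Data bytes can false-positive."""
    ranges = [(va, va + len(code)) for va, code in blocks]

    def inside(t):
        return any(lo <= t < hi for lo, hi in ranges)

    found = []
    for va, code in blocks:
        for i in range(len(code) - 4):
            if code[i] == 0xE8:
                rel = struct.unpack_from("<i", code, i + 1)[0]
                target = (va + i + 5 + rel) & 0xFFFFFFFF
                if not inside(target):
                    found.append((va + i, target, "call rel32 leaves lifted ranges"))
            elif code[i] == 0xFF and code[i + 1] == 0x15 and i + 6 <= len(code):
                target = struct.unpack_from("<I", code, i + 2)[0]
                found.append((va + i, target, "call [imm32], probably an import"))
    return found


def make_patch_entries(pe: bytes, ranges):
    """One (va, hexblob) per [start, end) range, base kept from the PE."""
    return [(s, extract_bytes(pe, s, e).hex()) for s, e in ranges]


def render_patch(entries) -> str:
    """'va:hex' lines: this example's own listing, not scdbg's patch syntax."""
    return "\n".join(f"{va:#010x}:{blob}" for va, blob in entries)


def build_stub(func_va: int, data_va: int) -> bytes:
    """Position-independent caller (no self-relative references), assuming a
    cdecl decoder that takes one pointer argument:
    push data_va ; mov eax, func_va ; call eax ; add esp, 4 ; ret"""
    return (b"\x68" + struct.pack("<I", data_va) + b"\xB8" + struct.pack("<I", func_va)
            + b"\xFF\xD0" + b"\x83\xC4\x04" + b"\xC3")


# Constructed sample: a cdecl decoder at 0x401000 that XORs a NUL-terminated
# string in place with 0x41, then calls a helper at 0x401040 (stand-in for the
# strlen/chkesp sub-functions). Data at 0x402000 is "hello" ^ 0x41.
DECODER_VA, HELPER_VA, DATA_VA = 0x401000, 0x401040, 0x402000
DECODER = bytes.fromhex("558BEC8B45088030414080380075F7E82C0000005DC3")
HELPER = bytes.fromhex("33C0C3")          # xor eax, eax ; ret
ENCODED = bytes.fromhex("29242D2D2E00")


def build_sample_pe() -> bytes:
    """Minimal PE32: headers (0x200), .text raw at 0x200, .data raw at 0x400."""
    text, data, hdr = bytearray(0x200), bytearray(0x200), bytearray(0x200)
    text[0:len(DECODER)] = DECODER
    text[0x40:0x40 + len(HELPER)] = HELPER
    data[0:len(ENCODED)] = ENCODED
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0x200, 0x200, 0,
                      0x1000, 0x1000, 0x2000, 0x400000).ljust(224, b"\0")
    hdr[0x58:0x58 + 224] = opt
    sec = 0x58 + 224
    hdr[sec:sec + 40] = struct.pack("<8s6I2HI", b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr[sec + 40:sec + 80] = struct.pack("<8s6I2HI", b".data", 0x1000, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    return bytes(hdr + text + data)


if __name__ == "__main__":
    pe = build_sample_pe()
    func_range = (DECODER_VA, DECODER_VA + len(DECODER))
    print(render_patch(make_patch_entries(pe, [func_range, (DATA_VA, DATA_VA + len(ENCODED))])))
    for site, target, why in find_external_calls([(DECODER_VA, extract_bytes(pe, *func_range))]):
        print(f"{site:#x} -> {target:#x}: {why}")      # flags the helper at 0x401040
    print("stub:", build_stub(DECODER_VA, DATA_VA).hex())
```

Run on the sample, the external-call check reports the `E8` at 0x40100F targeting 0x401040, which is exactly the prompt to lift the helper too; once the helper's range is included the check is clean. The stub contains absolute addresses only for things the patch pins in place (the decoder and its data), so it can be loaded anywhere.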
A couple of other notes:
I wouldn't use this trick for lots of string decodes.
The patch generator is included in gui_launcher -> More menu.
This will work for multi-function extractions if you keep the offsets right, as long as the functions don't use any external API.
Note how the stub was coded to be position independent (call eax).
To develop the small asm calling stub, I just opened a random exe in Olly and did it there.
For a file decode, set a breakpoint to enter the dbgshell and then use .savemem to dump the decoded data to disk.
Yes, I trashed the stack with my call to MessageBoxA with only 1 arg :p
Anyway, just another cool trick for the quiver. Enjoy.