Shellcode crashing target PE


I am currently attempting to patch a target x86 PE file from the disk with a tool, patch.exe.


The purpose of this tool will be to eventually write/insert a multi-function payload into the target executable, whose purpose is to track the position of certain frames inside a game which I created.


I am doing this by mapping the file into memory with PAGE_READWRITE protection flag. After locating the RVA of foobar(...) function from memory, I am replacing the call to this function with a JMP (0xE9) instruction followed by the RVA of the payload shellcode (which is previously appended to a new section I have created within the target PE file beforehand).

When the shellcode simply contains the following bytes

unsigned char shellcode[16] = {0x33, 0xc0, 0xc3, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc};

which translates to the following C function

unsigned long basic_ret() { return 0; }

the target executable successfully executes


however, if I try to include another function (0xDEADBEEF) within the code

unsigned char shellcode[32] = {
    0x6a, 0x0b, 0x68, 0x9c, 0xc2, 0xf4, 0x00, 0x6a, 0x0a, 0x68, 0xa8, 0xc2, 0xf4, 0x00, 0x68, 0xb4,
    0xc2, 0xf4, 0x00, 0xb8, 0xef, 0xeb, 0xda, 0xed, 0xff, 0xd0, 0x83, 0xc4, 0x14, 0xc3, 0xcc, 0xcc
};

which translates to the following C function (a simple JMP taking 3 arguments on the stack, to another function)

int simple_jmp() {
    typedef int (*_jmp_target)(void*, int, void*);
    _jmp_target jmp_target = (_jmp_target) 0xDEADBEEF;

    return jmp_target(0, 5, 0);
}

where jmp_target is filled by patch.exe with the RVA to a function previously referred to, which was inserted into the new section of the target PE.

When the target executable is executed this time, it reaches some type of violation/crash (confirmed by the presence of WerFault.exe alongside its execution).

What is the reason for this problem, what am I missing?


When I observe the patched bytes in memory (of the mapped PE file), I can see that 0xdeadbeef is replaced by 0x0dc3f4de, which is the same address from which the inserted function shellcode starts. At this point I assumed there would be no crash; much to my surprise, crash!

asked on Stack Overflow Jul 19, 2020 by egghuntr • edited Jul 20, 2020 by egghuntr
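A small set of helpers for checking the two pieces of address arithmetic this kind of patch depends on, added here as an example and not code from the question: an E9 JMP carries a rel32 displacement measured from the end of the instruction (not an RVA or VA), and a `mov eax, imm32 ; call eax` stub needs an absolute VA, i.e. image base plus RVA, stored little-endian (0xDEADBEEF is EF BE AD DE in memory). The RVAs 0x1000/0x5000, the image base 0x400000 and the stub bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Absolute VA of an RVA once the image is mapped at image_base (no relocations applied). */
uint32_t rva_to_va(uint32_t image_base, uint32_t rva) { return image_base + rva; }

/* rel32 for a 5-byte E9 JMP written at jmp_rva that must land at target_rva.
 * The displacement is measured from the END of the JMP, not an RVA or a VA. */
uint32_t jmp_rel32(uint32_t jmp_rva, uint32_t target_rva) {
    return target_rva - (jmp_rva + 5);   /* unsigned wrap yields the right bytes for backward jumps */
}

/* Emit the E9 rel32 bytes; x86 immediates are little-endian. */
void encode_rel_jmp(uint32_t jmp_rva, uint32_t target_rva, uint8_t out[5]) {
    uint32_t rel = jmp_rel32(jmp_rva, target_rva);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Where does the E9 JMP at jmp_rva land? Returns 0 if the bytes are not a JMP. */
uint32_t decode_rel_jmp(uint32_t jmp_rva, const uint8_t in[5]) {
    if (in[0] != 0xE9) return 0;
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++) rel |= (uint32_t)in[1 + i] << (8 * i);
    return jmp_rva + 5 + rel;
}

/* Encode then decode: the result must equal target_rva or the patch is wrong. */
uint32_t roundtrip_jmp(uint32_t jmp_rva, uint32_t target_rva) {
    uint8_t b[5];
    encode_rel_jmp(jmp_rva, target_rva, b);
    return decode_rel_jmp(jmp_rva, b);
}

/* Immediate of the first `mov eax, imm32` (B8 imm32) in buf, or 0 if absent:
 * a quick way to read back what a patcher actually wrote before a `call eax`. */
uint32_t mov_eax_imm(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i + 5 <= len; i++) {
        if (buf[i] != 0xB8) continue;
        uint32_t imm = 0;
        for (int k = 0; k < 4; k++) imm |= (uint32_t)buf[i + 1 + k] << (8 * k);
        return imm;
    }
    return 0;
}

/* Constructed stand-in for the question's stub: mov eax, 0xDEADBEEF ; call eax ; ret.
 * 0xDEADBEEF is stored little-endian as EF BE AD DE. */
static const uint8_t kStub[] = { 0xB8, 0xEF, 0xBE, 0xAD, 0xDE, 0xFF, 0xD0, 0xC3 };
```

Compare `decode_rel_jmp` on the bytes actually written at the hook site with the payload's RVA, and `mov_eax_imm` on the patched stub with `rva_to_va(base, payload_rva)`; a mismatch in either pinpoints which step of the patch is wrong.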

0 Answers

Nobody has answered this question yet.

User contributions licensed under CC BY-SA 3.0