arteam ezine nr.2


argument “QuickPaste” will return the address of the QuickPaste function in EAX. We then store that address so the Menu ID comparison can use it. After storing it we must re-execute the instructions our JUMP overwrote and return to normal program flow. Finally, we modify the Menu ID comparison so that it calls QuickPaste through the address GetProcAddress gave us. Start by loading Notepad.exe into Ollydbg; you will land at Notepad's entry point:

Image 1.27 – Notepad.exe Entry Point

A quick way to find a code cave is to scroll Olly's code window past the last real instruction until you see nothing but zero bytes: that unused padding at the end of the section is the cave.

Image 1.28 – Code Cave in Notepad.exe

The code cave starts at 01008747. This is where we will redirect the entry point. Go back to Notepad's entry point, where we will assemble a JUMP: highlight the PUSH 70 line and press SPACEBAR. This opens the Assemble window, which lets us modify the program's code.

Image 1.29 – Ollydbg Assembly Window

I prefer to leave a little room at the start of the cave in case I need to make changes later, so I jump to 01008765 rather than 01008747. Enter JMP 01008765 (Olly's assembler uses the mnemonic JMP) into the Assemble box, make sure Fill with NOP's is checked and press Assemble. A near JMP is 5 bytes, while PUSH 70 (2 bytes) and PUSH NOTEPAD.01001989 (5 bytes) occupy 7, so Olly writes JMP NOTEPAD.01008765 over both instructions and pads the remaining 2 bytes with NOPs; those two PUSHes are exactly what we will have to re-execute inside the cave. The entry point now redirects to the code cave and your code should look like this:

Image 1.30 – Entry Point Redirected

We now need to work out what code goes into the code cave. The listing below is not in correct assembler syntax, but it shows what the cave has to accomplish:

PUSH “QuickText.dll”          ; PUSH POINTER TO "Quicktext.dll" ONTO THE
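The steps above (JMP from the entry point to the cave, LoadLibraryA on the DLL, GetProcAddress on "QuickPaste", save EAX, replay the overwritten PUSHes, JMP back) are done by hand in Olly. As an added example, not code from the ARTeam article, the C program below computes the exact bytes those steps produce, so you can compare them with what Olly shows in the entry point and cave after assembling. It writes nothing to a real Notepad.exe. The cave address 01008765 and the overwritten bytes of PUSH 70 / PUSH NOTEPAD.01001989 come from the article; the entry point address 0100739D, the two IAT slot addresses, and the `build_entry_patch` / `build_cave` names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian dword store, as x86 immediates and displacements are encoded. */
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* JMP rel32 (E9 disp32). The displacement is measured from the end of the
 * 5-byte instruction, so disp = target - (from + 5); unsigned wrap-around
 * yields the correct two's-complement encoding for backward jumps. */
static size_t emit_jmp(uint8_t *out, uint32_t from, uint32_t to) {
    out[0] = 0xE9;
    put32(out + 1, to - (from + 5));
    return 5;
}

/* The entry-point patch. patch_len is the size of the instructions the JMP
 * replaces: PUSH 70 (6A 70, 2 bytes) + PUSH imm32 (68 xx xx xx xx, 5 bytes)
 * = 7, so two NOPs (90) pad the tail, like Olly's "Fill with NOP's" box. */
size_t build_entry_patch(uint8_t *out, uint32_t entry, uint32_t cave, size_t patch_len) {
    if (patch_len < 5) return 0;                   /* a rel32 JMP needs 5 bytes */
    size_t n = emit_jmp(out, entry, cave);
    while (n < patch_len) out[n++] = 0x90;
    return n;
}

/* The cave body, laid out from `cave` upward:
 *   68 <dll_name>   PUSH  offset "QuickText.dll"
 *   FF 15 <iat>     CALL  DWORD PTR [LoadLibraryA]    ; EAX = HMODULE
 *   68 <func_name>  PUSH  offset "QuickPaste"
 *   50              PUSH  EAX
 *   FF 15 <iat>     CALL  DWORD PTR [GetProcAddress]  ; EAX = &QuickPaste
 *   A3 <slot>       MOV   DWORD PTR [slot], EAX       ; kept for the Menu ID check
 *   <orig>          the instructions the JMP overwrote, replayed
 *   E9 <rel32>      JMP   entry + patch_len           ; back to normal flow
 *   "QuickText.dll\0" "QuickPaste\0" <4-byte slot>
 * Both CALLs go through the import table, so the target must import
 * LoadLibraryA and GetProcAddress; iat_* are the addresses of those IAT slots. */
size_t build_cave(uint8_t *out, uint32_t cave, uint32_t entry, size_t patch_len,
                  uint32_t iat_loadlib, uint32_t iat_getproc,
                  const char *dll_name, const char *func_name,
                  const uint8_t *orig, size_t orig_len, uint32_t *slot_out) {
    /* All encodings are fixed size, so data addresses are known up front. */
    size_t code_len = 5 + 6 + 5 + 1 + 6 + 5 + orig_len + 5;
    uint32_t dll_addr  = cave + (uint32_t)code_len;
    uint32_t func_addr = dll_addr + (uint32_t)strlen(dll_name) + 1;
    uint32_t slot_addr = func_addr + (uint32_t)strlen(func_name) + 1;
    size_t n = 0;

    out[n++] = 0x68; put32(out + n, dll_addr);                     n += 4;
    out[n++] = 0xFF; out[n++] = 0x15; put32(out + n, iat_loadlib); n += 4;
    out[n++] = 0x68; put32(out + n, func_addr);                    n += 4;
    out[n++] = 0x50;
    out[n++] = 0xFF; out[n++] = 0x15; put32(out + n, iat_getproc); n += 4;
    out[n++] = 0xA3; put32(out + n, slot_addr);                    n += 4;
    memcpy(out + n, orig, orig_len);                               n += orig_len;
    n += emit_jmp(out + n, cave + (uint32_t)n, entry + (uint32_t)patch_len);

    memcpy(out + n, dll_name, strlen(dll_name) + 1);   n += strlen(dll_name) + 1;
    memcpy(out + n, func_name, strlen(func_name) + 1); n += strlen(func_name) + 1;
    memset(out + n, 0, 4);                             n += 4;  /* the saved-address slot */
    *slot_out = slot_addr;
    return n;
}

int main(void) {
    /* From the article: cave target 01008765 and the overwritten bytes of
     * PUSH 70 / PUSH NOTEPAD.01001989. Assumed for this example only: the
     * entry point 0100739D and the two IAT slot addresses. */
    const uint32_t entry = 0x0100739Du, cave = 0x01008765u;
    const uint8_t orig[] = {0x6A, 0x70, 0x68, 0x89, 0x19, 0x00, 0x01};
    uint8_t patch[16], body[128];
    uint32_t slot;
    size_t i, n;

    n = build_entry_patch(patch, entry, cave, sizeof orig);
    printf("entry patch @%08X:", entry);
    for (i = 0; i < n; i++) printf(" %02X", patch[i]);
    n = build_cave(body, cave, entry, sizeof orig, 0x01001000u, 0x01001004u,
                   "QuickText.dll", "QuickPaste", orig, sizeof orig, &slot);
    printf("\ncave @%08X (%u bytes, slot @%08X):", cave, (unsigned)n, slot);
    for (i = 0; i < n; i++) printf(" %02X", body[i]);
    printf("\n");
    return 0;
}
```

Two things to check before saving a patched binary: the MOV [slot],EAX stores into the cave's own section, which in a stock executable is normally not writable, so either mark that section writable in the PE section header or point the slot at a writable section, or the first run will fault on that store; and the CALL DWORD PTR [iat] form only works if the program already imports LoadLibraryA and GetProcAddress, otherwise those addresses have to be obtained another way.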

