Invoke functions with a spoofed return address. For 32-bit Windows binaries

Related tags

Miscellaneous reverse-engineering game-hacking assembly-language x86 cpp17 single-header assembly-x86 anticheat-bypass
Overview

x86RetSpoof Windows

Invoke functions with a spoofed return address. For 32-bit Windows binaries.

How to use

  1. Include x86RetSpoof.h in your project.
  2. Find FF 23 byte sequence (gadget, machine code equivalent of jmp dword ptr [ebx]) in the executable code section of the module you want the spoofed return address to appear in. The address of it will be the gadgetAddress and the invoked function will see it as the return address.
  3. Call the function with x86RetSpoof::invoke...() matching the calling convention of the target function.

Example

Calling MessageBoxW function:

x86RetSpoof::invokeStdcall<int>(std::uintptr_t(&MessageBoxW), std::uintptr_t(gadgetAddress), nullptr, L"text", L"title", MB_OK);
You might also like...
It is a C / C++ console based project made by team: return 0.

LU Student Assistant In the latest version release v1.02, we add time and date in our system. It is a C / C++ project made by team: return 0. It is ve

Shah Sayem Ahmad 1 Feb 1, 2022
A C++ implemented set of 8,16,32,64 bit cyclic redundancy check (CRC) functions conforming to the CRC spec given by AUTOSAR

A C++ implemented set of 8,16,32,64 bit cyclic redundancy check (CRC) functions conforming to the CRC spec given by AUTOSAR. Written in C++ and compiled as a 'C++ addon' for use in JavaScript. Available on NPM.

Richard Haar 3 Jul 13, 2022
Libft is an individual project at 42 that requires us to re-create some standard C library functions including some additional ones that can be used later to build a library of useful functions for the rest of the program.
Libft is an individual project at 42 that requires us to re-create some standard C library functions including some additional ones that can be used later to build a library of useful functions for the rest of the program.

Libft is an individual project at 42 that requires us to re-create some standard C library functions including some additional ones that can be used later to build a library of useful functions for the rest of the program.

Paulo Rafael Ramalho 0 Jan 1, 2023
Powerful automated tool for reverse engineering Unity IL2CPP binaries
Powerful automated tool for reverse engineering Unity IL2CPP binaries

Powerful automated tool for reverse engineering Unity IL2CPP binaries

Katy 2.1k Jan 7, 2023
Obfuscate calls to imports by patching in stubs. ICO works on both X86 and X64 binaries.
Obfuscate calls to imports by patching in stubs. ICO works on both X86 and X64 binaries.

ICO adds a new section into the image, then begins building stubs for each import that uses a extremely basic routine to decrypt an RVA and places them into the section.

null 43 Dec 15, 2022
Universal binaries for Linux.

FatELF The latest information about FatELF can be found at https://icculus.org/fatelf/ What is this? FatELF is a simple file format that allows you to

Ryan C. Gordon 40 Dec 21, 2022
Project is to port original Zmodem for Unix to CP/M and provide binaries and source code for platform specific modification as needed. Based on 1986 C source code by Chuck Forsberg

Zmodem-CP-M This repository is intended to foster a RetroBrewComputers community effort to port the original Zmodem source code for Unix to CP/M so ev

null 11 Aug 31, 2022
Project is to port original Zmodem for Unix to CP/M and provide binaries and source code for platform specific modification as needed. Based on 1986 C source code by Chuck Forsberg

Zmodem4CPM This repository is intended to foster a RetroBrewComputers community effort to port the original Zmodem source code for Unix to CP/M so eve

null 11 Aug 31, 2022
「👾」Some binaries for you to crack

「 👾 」Crackme Hello visitor! I'll leave some binaries made by me for you to try to crack. I'm not experienced in this area but I'm taking the opportun

null 3 Oct 10, 2022
Comments
  • I don't get how to spoof __fastcall call.

    I don't get how to spoof __fastcall call.

    Hello,

    So, I'm using this library for a few days, and i got an small problem.

    I want to spoof __fastcall? for example. I want to spoof call to SetClanTag (game / csgo) I got an correct address to an function and i use it like that; x86RetSpoof::invokeFastcall<void>(0, 0, address, csgo::jmpEbxGadgetInClient, "clantag", "clantag"); it leads to the following error: YKQLmX4F when using __cdecl, this error doesn't happen, the function gets called, but strings doesn't get passed correctly which is causing some weird unicodes.

    Can you please point what am i doing wrong and/or tell me how to fix it?

    Thanks!

    opened by R3BHXAB 2
  • x64retspoof

    x64retspoof

    would be possible to fuse both codes into one? 1file for x86 and x64 https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html

    opened by rafalohaki 1
Owner
Daniel Krupiński
Daniel Krupiński
GitHub
Manual mapper that uses PTE manipulation, Virtual Address Descriptor (VAD) manipulation, and forceful memory allocation to hide executable pages. (VAD hide / NX bit swapping)

Stealthy Kernel-mode Injector Manual mapper that uses PTE manipulation, Virtual Address Descriptor (VAD) manipulation, and forceful memory allocation

Charlie Wolfe 137 Jan 3, 2023
idf.py.exe, wrapper tool to invoke idf.py on Windows

IDF wrapper tool (idf.py.exe) This tools helps invoke idf.py in Windows CMD shell. In Windows CMD shell, python scripts can be executed directly (by t

Espressif Systems 3 Dec 13, 2021
Cobalt Strike BOF to list Windows Pipes & return their Owners & DACL Permissions

xPipe Cobalt Strike BOF (x64) Cobalt Strike Beacon Object File (BOF) to list active Pipes & return their Owner & Discretionary Access Control List (DA

Bobby Cooke 65 Nov 9, 2022
Bypass Roblox's Trustcheck via the JNZ address of it

What is a Trustcheck? Roblox has a check to see if the URL that was inputted is trusted by them or not, this can be bypassed via 2 options. You can ei

Rexi 5 Sep 25, 2022
A faster,smaller,Address Sanitizer,200X Faster,95% Smaller.

FirASAN(Fir Address Sanitizer) A faster,smaller,Address Sanitizer 200X Faster,95% Smaller. FirASAN 结论: 内存消耗 CPU消耗 ASAN原版 +100-150% +200%以上 FirASAN +5%

null 11 Aug 16, 2022
Bitcoin/Ethereum Address Prefix Finder

VanitySearch A small modification of VanitySearch Added private key random between minimum and maximum hash values. Example for CPU Run: VanitySearch.

Fialka M-125 11 Jun 17, 2022
A video input (V4L2) to NDI converter that works with Raspberry Pi (32-bit and 64-bit), and Intel/AMD CPUs

V4L2 to NDI V4L2 to NDI is an application that connects to attached V4L2 devices and encodes the video signal into NDI It uses the NDI library, allowi

Luke Plassman 52 Dec 30, 2022
Allows for multiple SwitchBot buttons and curtains to be controlled via MQTT sent to ESP32. ESP32 will send BLE commands to switchbots and return MQTT responses to the broker. Also supports Meter/Temp Sensor

SwitchBot-MQTT-BLE-ESP32 Switchbot local control using ESP32. no switchbot hub used/required. works with any smarthub that supports MQTT https://githu

null 343 Dec 27, 2022
Cobalt Strike BOF that uses a custom ASM HalosGate & HellsGate syscaller to return a list of processes

HalosGate Processlist Cobalt Strike BOF Cobalt Strike Beacon Object File (BOF) that uses a custom HalosGate & HellsGate syscaller, written in assembly

Bobby Cooke 50 Nov 9, 2022
Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's.

Cobalt Strike "Where Am I?" Beacon Object File Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environmen

Bobby Cooke 92 Nov 30, 2022