Code cave is a piece of code that is written to another process's memory by another program. The code can be executed by creating a remote thread within the target process. The Code cave of a code is often a reference to a section of the code’s script functions that have capacity for the injection of custom instructions. For example, if a script’s memory allows for 5 bytes and only 3 bytes are used, then the remaining 2 bytes can be used to add external code to the script. This is what is referred to as a Code cave.
The concept of a Code cave is often used by hackers and code-pirates to reverse engineer and injection-hack a program. However, a Code cave can be an extremely helpful tool to make additions and removals to a script if the source code is absent. This includes adding dialog box pop-ups and removing/cracking software key validation checks. Similar to a JMP function in C++, the injected code allows the existing program to jump to the newly added functions without making significant changes to the program itself. However, the JMP function will replace the current flow of functions unless a return is implemented. There are also CALL functions which allow the coder to create a redirection of the script without the worry of implementing returns to get back on track.
Easy/Fast – This means the modification process is fast and easy. When modifying the existing code with byte tools like Ollydbg, the added functions can be compiled and tested without any dependencies.
No need for source – Using code caves can be extremely efficient if there is no source code provided for the coder. The programmer can make adjustments and add/remove functions to the code without having to rewrite an entire new program or link class into a project.
Easy to break the program – In many cases you will be modifying the executable file. This means that there may not be an existing code cave in the existing script for any code injection due to the lack of resources provided in script. Any replacement of the existing script may lead to program failure/crash.
Lack of versatility – Injecting code into an existing script means that the limited space given only allows for simple instruction modifications and the language used is only assembly.
OllyDbg is a debugger for code analysis. It traces the script calls and executes, as well as displays any iterations in the libraries and binaries. Code can be injected or removed into/from the EXE file directly with this debugger.
PE: Explorer lets you open and edit executable files called PE files (portable executable files). This includes .EXE, .DLLs and other less common file types.
Cheat Engine is a powerful tool that reads process memory and writes process memory. This means any client-side data values can be changed and edited. It also can display changes in the values.
Tsearch is a powerful tool that reads process memory and writes process memory. Like Cheat Engine, can change client-side values data.
- http://www.codeproject.com/Articles/20240/The-Beginners-Guide-to-Codecaves The Beginners Guide to Codecaves - CodeProject
- http://thelegendofrandom.com/blog/archives/tag/code-cave Modifiying Binaries: Adding a Splash Dialog
- http://eryanbot.com/jtp/2012/06/30/game-hacking-utilizing-code-caves/ Game Hacking-Utilizing Code Caves
- http://www.progamercity.net/ghack-tut/164-guide-theories-methods-code-caves.html Theories and methods of Code-caves
|This computing article is a stub. You can help Wikipedia by expanding it.|