[ASM] Loading a DLL
In this tutorial I will explain how to load a DLL file via ASM. Download OllyDbg before you start, extract it, run it and open up your client exe.
OK, now that you have OllyDbg loaded, it's time to find a point where we can place the main JMP. I'll be using the client's exe in this tutorial.
Let's say we want to load the DLL while the client is loading effect data. Open the exe in Olly, right click, go to *View* and select the module of the exe. My exe is called Play RCKO.exe, so my module is Play RCK.
http://i50.tinypic.com/2nshmf.png
Now we have to find the right ASCII string: right click again, hover over *Search for* and click on All referenced text strings.
http://i45.tinypic.com/20qxr48.png
Now a list of all text strings should pop up; search for *Loading*.
Once that's done, two strings should come up:
0047C051 MOV EDI,Play_RCK.006D4718 ASCII "Loading Effect Data... %d %%"
0047C061 PUSH Play_RCK.006D4718 ASCII "Loading Effect Data... %d %%"
The PUSH is the one we want to use; highlight the line and press Enter.
Now you should automatically jump to its address. Open up Notepad and copy that line and the one below it:
0047C061 68 18476D00 PUSH Play_RCK.006D4718
0047C066 8D4C24 48 LEA ECX,DWORD PTR SS:[ESP+48]
Replace the code so it looks like this (the PUSH with a 32-bit immediate is 5 bytes and so is a JMP with a 32-bit displacement, so the replacement fits exactly and the LEA after it is untouched):
0047C061 E9 3CA22100 JMP Play_RCK.006962A2 // Jump to the first codecave.
0047C066 8D4C24 48 LEA ECX,DWORD PTR SS:[ESP+48]
The next step is to find some unused addresses that we can use, mostly INT3s.
We're going to have to make a lot of JMPs to make this work, due to the limited space.
Before we make the call we should push the name of our DLL onto the stack, so we have to create an ASCII string somewhere.
I chose the location at 00696202.
Press CTRL+G type in 00696202 and press enter.
Select the first line up to the last INT3 and hit CTRL+E.
Tick Keep size (if our name is too long we won't accidentally overwrite the other bytes).
http://i48.tinypic.com/28choiv.png
Click on the first box and type in your DLL name; mine is AntiCheat.dll.
Important: once you have typed the name, click the last box and replace the last 2 digits with 00 (this is the NUL terminator that LoadLibraryA expects at the end of the string).
http://i47.tinypic.com/2cmmzc4.png
Once you have done all that, click OK. You should see some red lines now; hit CTRL+A (analyse) and there is our ASCII string.
http://i45.tinypic.com/2vt6pl2.png
Note that if your DLL name is long there's a chance it won't fit in this spot.
The first Codecave is located at 006962A2.
Press CTRL+G type in 006962A2 and press enter.
Codecave #1
~ Push the name of the DLL onto the stack and JMP to Codecave #2.
006962A2 68 02626900 PUSH Play_RCK.00696202 // PUSH the dll name.
006962A7 E8 1AE9A574 CALL kernel32.LoadLibraryA // Call LoadLibraryA.
006962AC EB 14 JMP SHORT Play_RCK.006962C2 // Jump to Codecave #2.
The second Codecave is located at 006962C2.
Press CTRL+G type in 006962C2 and press enter.
Codecave #2
~ Check if the DLL is loaded; if not, crash, else continue.
006962C2 83F8 00 CMP EAX,0 // LoadLibraryA returns 0 in EAX if it failed to load the DLL.
006962C5 0F84 359D96FF JE 00000000 // Jump to an unknown address == crash.
006962CB EB 15 JMP SHORT Play_RCK.006962E2 // Jmp to Codecave #3.
The next thing we should do is PUSH the loading effect data string back onto the stack (we replaced that PUSH with the JMP to Codecave #1); otherwise the application would crash.
Then we have to JMP to the offset right after the one where the loading effect data PUSH was.
Loading effect data offset: 0047C061.
Offset we should jump to: 0047C066.
It would be foolish to jump to the first offset, since it would then keep loading the DLL all the time >.<.
The third Codecave is located at 006962E2.
Press CTRL+G type in 006962E2 and press enter.
Codecave #3
~ PUSH loading effect data on the stack and resume the application.
006962E2 68 18476D00 PUSH Play_RCK.006D4718
006962E7 ^E9 7A5DDEFF JMP Play_RCK.0047C066
That's about it. Now the exe will load your DLL once it loads the effect data. This isn't a good place to load a DLL, but I'm sure there are a lot more. Make sure that you carefully choose the location of the JMP; we don't want the DLL to get loaded multiple times.
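Every branch in the caves above is encoded as a displacement relative to the end of the instruction, which is why the byte column shows values like 3CA22100 and 7A5DDEFF rather than the target address. The following Python is an added example, not code from the original guide: it reproduces that encoding so you can check that each JMP/CALL/JE lands where the comment says, and walks the whole detour to confirm it returns to 0047C066, the instruction after the patched PUSH. The addresses and bytes are the ones from the post; the kernel32.LoadLibraryA address 750F4BC6 is derived from the CALL's bytes and will differ on another machine.

```python
import struct

# Standard x86 relative-branch encodings used in the tutorial: opcode bytes and total length.
ENCODINGS = {
    "jmp": (b"\xe9", 5),        # E9 rel32
    "call": (b"\xe8", 5),       # E8 rel32
    "jmp_short": (b"\xeb", 2),  # EB rel8
    "je": (b"\x0f\x84", 6),     # 0F 84 rel32
}


def encode_branch(kind, src, dst):
    """Bytes of a relative branch located at `src` that lands on `dst`.

    The displacement is measured from the address of the *next* instruction
    (src + length) and stored little-endian in two's complement.
    """
    opcode, length = ENCODINGS[kind]
    disp = dst - (src + length)
    if kind == "jmp_short":
        if not -128 <= disp <= 127:
            raise ValueError("target out of range for a short jump")
        return opcode + struct.pack("<b", disp)
    return opcode + struct.pack("<i", disp)


def decode_branch(kind, src, raw):
    """Inverse of encode_branch: the address that the bytes `raw` at `src` branch to."""
    opcode, length = ENCODINGS[kind]
    if not raw.startswith(opcode) or len(raw) != length:
        raise ValueError("bytes do not match the expected encoding")
    fmt = "<b" if kind == "jmp_short" else "<i"
    disp = struct.unpack(fmt, raw[len(opcode):])[0]
    return (src + length + disp) & 0xFFFFFFFF


# The detour from the post: each cave keyed by its entry address, with the
# address, kind and bytes of the branch that leaves it (values copied from the guide).
CAVES = {
    0x0047C061: (0x0047C061, "jmp", "E93CA22100"),   # patched PUSH -> Codecave #1
    0x006962A2: (0x006962AC, "jmp_short", "EB14"),   # Codecave #1 -> Codecave #2
    0x006962C2: (0x006962CB, "jmp_short", "EB15"),   # Codecave #2 -> Codecave #3
    0x006962E2: (0x006962E7, "jmp", "E97A5DDEFF"),   # Codecave #3 -> back to 0047C066
}


def follow_detour(caves, start):
    """Follow the branch out of each cave until we reach an address that is not a cave.

    Returns the list of addresses visited; the last one is where execution resumes.
    """
    path = [start]
    addr = start
    seen = set()
    while addr in caves and addr not in seen:   # `seen` guards against a looping patch
        seen.add(addr)
        branch_at, kind, hexbytes = caves[addr]
        addr = decode_branch(kind, branch_at, bytes.fromhex(hexbytes))
        path.append(addr)
    return path


if __name__ == "__main__":
    # The JMP that replaces the original PUSH at 0047C061.
    print(encode_branch("jmp", 0x0047C061, 0x006962A2).hex().upper())      # E93CA22100
    # Where the CALL in Codecave #1 points (LoadLibraryA on the author's machine).
    print(hex(decode_branch("call", 0x006962A7, bytes.fromhex("E81AE9A574"))))
    print([hex(a) for a in follow_detour(CAVES, 0x0047C061)])
```

The same calculation is what you want when reviewing a patched binary rather than writing one: decode each branch at the address where it sits and confirm the chain ends on the instruction directly after the overwritten bytes, as it does here.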
About the guide:
There could be some flaws in here, so please do correct me. I spent some time writing this guide, so say thanks if you're going to follow it.
The original article address: http://snoxd.net/index.php?/topic/59471-asm-loading-a-dll/

Is this an article about the launcher loading a DLL file? I don't understand it, but I'll bump it anyway~~~

Can someone translate it? I can't read it. What is loading a DLL for? Detecting cheats?

Ugh! I came in to take a look and it cost me two coins.

leonjaykai posted on 2010-5-14 11:44: Is this an article about the launcher loading a DLL file? I don't understand it, but I'll bump it anyway~~~
General knowledge; any EXE that loads a DLL can use this. 9# ctgwglzc

I don't understand it.