
[ASM] Loading a DLL

ctgwglzc 2010-5-15 17:48:16 2717
In this tutorial I will explain how to load a DLL file via ASM.

Download OllyDBG before you start, extract it, run it and open up your client exe.

OK, now that you have loaded up OllyDBG, it's time to find a point where we can stick the main JMP. I'll be using the client's exe in this tutorial.

Let's say that we want to load the DLL when the client is loading effect data. Open up the exe in Olly, right-click, go to *view* and select the module of the exe. My exe is called Play RCKO.exe, so my module is Play RCK.



Now we would have to find the right ASCII string: right-click again, hover over *search for* and click on "All referenced text strings".


12 replies

ctgwglzc
2010-5-13 23:42:08
OP
Now a list of all text strings should pop up; search for *Loading*.
Once that's done, 2 strings should come up:

    0047C051 MOV EDI,Play_RCK.006D4718 ASCII "Loading Effect Data... %d %%"
    0047C061 PUSH Play_RCK.006D4718    ASCII "Loading Effect Data... %d %%"

The PUSH is the one we want to use; highlight the line and press enter.
Now you should automatically jump to its address. Open up Notepad and copy that line and the 1 below it.

    0047C061   68 18476D00          PUSH Play_RCK.006D4718
    0047C066   8D4C24 48            LEA ECX,DWORD PTR SS:[ESP+48]

Replace the code so it looks like:

    0047C061        E9 3CA22100     JMP Play_RCK.006962A2 // Jump to the first Codecave.
    0047C066  |. 8D4C24 48          LEA ECX,DWORD PTR SS:[ESP+48]
ctgwglzc
2010-5-13 23:43:06
OP
The next step is to find some unused addresses that we can use, mostly INT3's.
We're going to have to make a lot of JMPs to make this work due to limited space.

Before we start making the call we should push the name of our DLL onto the stack, so we have to create an ASCII string somewhere.
I chose the location at 00696202.
Press CTRL+G type in 00696202 and press enter.
Select the first line until the last INT3 and hit CTRL+E.
Tick Keep-size (if our name is too large we won't accidentally overwrite the other bytes).

Click on the first box and type in your DLL name; mine is: AntiCheat.dll.
Important: once you've typed the name, click the last box and replace the last 2 numbers with 00.

Once you've done all that, click OK. You should see some red lines now; hit CTRL+A and there is our ASCII string.


Note that if your DLL name is large then there's a chance it won't fit in this spot.

The first Codecave is located at 006962A2.
Press CTRL+G type in 006962A2 and press enter.

Codecave #1
~ Push the name of the DLL onto the stack and JMP to Codecave #2.

    006962A2        68 02626900     PUSH Play_RCK.00696202 // PUSH the dll name.
    006962A7        E8 1AE9A574     CALL kernel32.LoadLibraryA // Call LoadLibraryA.
    006962AC        EB 14           JMP SHORT Play_RCK.006962C2 // Jump to Codecave #2.

The second Codecave is located at 006962C2.
Press CTRL+G type in 006962C2 and press enter.

Codecave #2
~ Check if the DLL is loaded; if not, crash, else continue.

    006962C2        83F8 00         CMP EAX,0 // if we failed to load the DLL.
    006962C5        0F84 359D96FF   JE 00000000 // Jump to an unknown address == crash.
    006962CB        EB 15           JMP SHORT Play_RCK.006962E2 // Jmp to Codecave #3.
ctgwglzc
2010-5-13 23:43:32
OP
The next thing we should do is PUSH the loading effect data string on the stack (we replaced that PUSH with a JMP to Codecave #1); otherwise the application would crash.
Then we have to JMP to the offset after the offset where the loading effect data PUSH was.
Loading effect data offset: 0047C061.
Offset we should jump to: 0047C066.
It would be foolish to jump to the first offset; then it would keep loading the DLL all the time >.<

The third Codecave is located at 006962E2.
Press CTRL+G type in 006962E2 and press enter.

Codecave #3
~ PUSH loading effect data on the stack and resume the application.

    006962E2        68 18476D00     PUSH Play_RCK.006D4718
    006962E7        ^E9 7A5DDEFF    JMP Play_RCK.0047C066
That's about it. Now the exe will load your DLL once it loads the effect data. This isn't a good place to load a DLL, but I'm sure there are a lot more. Make sure that you carefully choose the location of the JMP; we don't want the DLL to get loaded multiple times.

About the guide:

There could be some flaws in here, and please do correct me. I spent some time writing this guide, so say thanks if you're going to follow it.
The original article address: http://snoxd.net/index.php?/topic/59471-asm-loading-a-dll/
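The byte listings in the three code caves above all come down to x86-32 relative-displacement arithmetic, and getting one displacement wrong sends the chain into unrelated code. The following Python is an added example (not code from the original post, the snoxd.net article, or the game) that re-derives each listed byte sequence from the addresses the post uses, so the chain can be checked on paper before any byte is written. The one value not stated on the page is the absolute LoadLibraryA address: 0x750F4BC6 is back-computed here from the post's `E8 1AE9A574` at 006962A7 and is only valid for the kernel32 build on the author's machine.

```python
import struct

# Addresses from the post (Play_RCK.exe, 32-bit, no relocation at runtime).
HOOK_ADDR = 0x0047C061    # original instruction: PUSH 006D4718 (5 bytes)
RESUME_ADDR = 0x0047C066  # instruction that follows the replaced PUSH
DLL_NAME = 0x00696202     # where "AntiCheat.dll\0" was typed into the INT3 slack
CAVE1, CAVE2, CAVE3 = 0x006962A2, 0x006962C2, 0x006962E2
EFFECT_STR = 0x006D4718   # operand of the displaced PUSH
HOOK_ORIGINAL = bytes.fromhex("6818476D00")  # bytes the JMP overwrites

# Assumption: back-derived from the post's "E8 1AE9A574" bytes. It is the
# author's kernel32 build only; on any other build it must be recomputed.
LOADLIBRARYA = 0x750F4BC6


def push_imm32(value):
    """68 imm32: push a 32-bit immediate (here, a pointer to a string)."""
    return b"\x68" + struct.pack("<I", value)


def rel32(opcode, src, dst):
    """E9 (JMP) / E8 (CALL) rel32: displacement counted from the END of the
    5-byte instruction, i.e. from src + 5, two's complement on 32 bits."""
    return opcode + struct.pack("<I", (dst - (src + 5)) & 0xFFFFFFFF)


def jmp_short(src, dst):
    """EB rel8: 2 bytes, only reachable within -128..+127 of src + 2."""
    disp = dst - (src + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"short jump {src:08X} -> {dst:08X} out of range ({disp})")
    return b"\xEB" + struct.pack("<b", disp)


def je_rel32(src, dst):
    """0F 84 rel32: 6-byte conditional near jump, displacement from src + 6."""
    return b"\x0F\x84" + struct.pack("<I", (dst - (src + 6)) & 0xFFFFFFFF)


def build_cave_chain():
    """Return {address: bytes} for the hook and the three caves, as laid out in the post."""
    patches = {}

    # Hook: the replaced PUSH is exactly 5 bytes, the same size as JMP rel32,
    # so the following LEA at 0047C066 is left intact.
    hook = rel32(b"\xE9", HOOK_ADDR, CAVE1)
    if len(hook) != len(HOOK_ORIGINAL):
        raise ValueError("hook would clobber the next instruction")
    patches[HOOK_ADDR] = hook

    # Cave #1: PUSH dll_name ; CALL LoadLibraryA ; JMP SHORT cave2
    code = push_imm32(DLL_NAME)
    code += rel32(b"\xE8", CAVE1 + len(code), LOADLIBRARYA)
    code += jmp_short(CAVE1 + len(code), CAVE2)
    patches[CAVE1] = code

    # Cave #2: CMP EAX,0 ; JE 00000000 (deliberate crash on failure) ; JMP SHORT cave3
    code = b"\x83\xF8\x00"
    code += je_rel32(CAVE2 + len(code), 0x00000000)
    code += jmp_short(CAVE2 + len(code), CAVE3)
    patches[CAVE2] = code

    # Cave #3: re-execute the displaced PUSH, then JMP back past the hook.
    code = push_imm32(EFFECT_STR)
    code += rel32(b"\xE9", CAVE3 + len(code), RESUME_ADDR)
    patches[CAVE3] = code
    return patches


def hexdump(patches):
    """Render the chain as {'ADDRESS': 'HEXBYTES'} for comparison with the listing."""
    return {f"{a:08X}": b.hex().upper() for a, b in patches.items()}


if __name__ == "__main__":
    for addr, hexbytes in hexdump(build_cave_chain()).items():
        print(addr, hexbytes)
```

Running the block prints the four byte strings that appear in the post's listings (`E93CA22100`, `6802626900E81AE9A574EB14`, `83F8000F84359D96FFEB15`, `6818476D00E97A5DDEFF`). Two points worth keeping in mind when reviewing a patch like this: the chain only works because the displaced instruction is exactly as long as the JMP that replaces it, and the CALL to LoadLibraryA is an absolute address baked in as a displacement, which is why the same patched exe stops working on a machine with a different kernel32. Both properties also make this kind of modification easy to spot with a file comparison: the on-disk exe differs from the original in exactly these four small regions, and the hook's JMP points into what used to be INT3 padding.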
leonjaykai
2010-5-14 11:44:57
Is this an article about a launcher loading a DLL file? I don't understand it, but I'll bump it anyway~~~
evaydd
2010-5-14 15:18:24
Can someone translate this? I can't understand it.
arbies
2010-5-14 15:55:17
Why load a DLL? To detect cheats?
kaluote222
2010-5-14 16:03:43
Ugh! I just came in to take a look and it cost me two coins.
ctgwglzc
2010-5-15 16:36:25
OP
> Is this an article about a launcher loading a DLL file? I don't understand it, but I'll bump it anyway~~~
> leonjaykai posted on 2010-5-14 11:44

It's general knowledge; it applies to any EXE loading a DLL.
duepbbmal336
2010-5-15 17:48:16
Re: #9 ctgwglzc

I can't make sense of it.