Hooking .exe without .dll injection, the simple way :D



kung foo man
30th March 2016, 07:12
This is harder than a simple LD_PRELOAD, but still quite easy. Tested on VMWare with Windows XP Pro SP3.

Goal: start libcod.dll before WinMain() of libcod2_1_3.exe is called. We're basically just gonna do three things:
- PUSH "libcod.dll"
- CALL LoadLibraryA
- Set the string "libcod.dll" in memory of the start-function

Pictures!

At first we open libcod2_1_3.exe (just a renamed CoD2MP.exe, so we don't overwrite original stuff) in OllyDBG.

It will jump directly to the program entry point, just what we need:

[screenshot, attachment 1049]

We double click on the "PUSH 60", to overwrite it with our opcode:

[screenshot, attachment 1050]

Same with the second opcode, just enter CALL LoadLibraryA. Now we need to write the string libcod.dll\0 into memory, use Right-click -> Binary -> Edit:

[screenshot, attachment 1051]

Type "libcod.dll" in ASCII, then append 00 in HEX view (important C string terminator):

[screenshot, attachment 1052]

Now we see the address 0x0057DB5E, which is basically a (char *); let's point our PUSH 12345 to it.

[screenshot, attachment 1053]

Just like that:

[screenshot, attachment 1054]

Now patch the binary by saving our changes:

[screenshot, attachment 1055]

Which is quite cumbersome in OllyDBG, first close this window, then you need to press like 5 times yes:

[screenshot, attachment 1057]

Now we are done with OllyDBG; next we need to copy the original opcodes of a normal CoD2MP.exe:

[screenshot, attachment 1056]

Just press CTRL+C, do some Notepad++ multi line edit magic, and come up with this (basically Code::Blocks DLL example with https://github.com/M-itch/libcod_win/blob/master/libcod_win/src/cracking.cpp):

We basically just reset the overwritten parts of our program entry point and then jump to the entry-point with inline asm:



#include "main.h"      // Code::Blocks DLL template header (pulls in windows.h, defines DLL_EXPORT)
#include <stdio.h>
#include "cracking.h"  // cracking_write_hex() from libcod_win's cracking.cpp

// a sample exported function
void DLL_EXPORT SomeFunction(const LPCSTR sometext)
{
    MessageBoxA(0, sometext, "DLL Message", MB_OK | MB_ICONINFORMATION);
}

extern "C" DLL_EXPORT BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
        case DLL_PROCESS_ATTACH:
            MessageBoxA(NULL, "Hello KILLTUBE!", "Starting libcod.dll from libcod_1_3.exe!", MB_ICONINFORMATION);

            // Restore the original entry-point bytes that the PUSH/CALL/string patch
            // overwrote (copied from an unmodified CoD2MP.exe in OllyDBG).
            cracking_write_hex(0x0057DB54, (char *)"6A60");       // PUSH 60
            cracking_write_hex(0x0057DB56, (char *)"68D8925900"); // PUSH original.005992D8
            cracking_write_hex(0x0057DB5B, (char *)"E8443F0000"); // CALL original.00581AA4
            cracking_write_hex(0x0057DB60, (char *)"BF94000000"); // MOV EDI,94
            cracking_write_hex(0x0057DB65, (char *)"8BC7");       // MOV EAX,EDI
            cracking_write_hex(0x0057DB67, (char *)"E8C4880000"); // CALL original.00586430

            // Jump back to the restored entry point (GCC inline asm, AT&T syntax).
            // Control never returns to DllMain from here.
            asm("jmp *%0" :: "r"(0x0057DB54) :);
            // attach to process
            // return FALSE to fail DLL load
            break;

        case DLL_PROCESS_DETACH:
            // detach from process
            break;

        case DLL_THREAD_ATTACH:
            // attach to thread
            break;

        case DLL_THREAD_DETACH:
            // detach from thread
            break;
    }
    return TRUE; // successful
}




Start libcod2_1_3.exe:

[screenshot, attachment 1058]

Press OK:

[screenshot, attachment 1059]


Done. :D

I was always pissed off by the .dll injection process, making the reverse engineering so demotivating. Now this should feel pretty native.

Started with this, because I wanted to hook CreateWindow() to allow non-fullscreen and resizeable windows and maybe debug why DX9 starts up so slow.

I guess this works for .dlls as well, but not tested yet.

Basically it's now simple as fuck to extend any .exe with a custom .dll, kinda what I always wanted and missed for Windows. Looking forward to what ya gonna do with this.
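
As an added worked example (not code from the original post or from libcod), the following Python script reconstructs the entry-point edit described above from the addresses and hex strings the post lists, decodes the two CALL rel32 targets to confirm they match the OllyDBG comments (original.00581AA4 and original.00586430), and checks that replaying the DLL's cracking_write_hex() calls really undoes the patch. Two things are not given in the post and are labelled as assumptions: the address of the LoadLibraryA thunk the patched CALL points at (a constructed placeholder, LOADLIB_THUNK), and that the patched CALL is the 5-byte E8 form, which is what makes the string land at 0x0057DB5E.

```python
# Added example for this thread, not code from the original post or from libcod:
# reconstruct the entry-point patch from the addresses/hex strings in the post,
# decode the CALL rel32 targets, and verify the DLL's restore writes undo the patch.
import struct

ENTRY = 0x0057DB54          # program entry point shown in OllyDBG
STRING_ADDR = 0x0057DB5E    # where "libcod.dll\0" was typed in
# ASSUMPTION: address of the LoadLibraryA thunk the patched CALL targets.
# The post does not show it, so this is a constructed placeholder value.
LOADLIB_THUNK = 0x0057A000

# Original bytes, exactly as the DLL's cracking_write_hex() calls restore them.
ORIGINAL_WRITES = {
    0x0057DB54: "6A60",        # PUSH 60
    0x0057DB56: "68D8925900",  # PUSH 005992D8
    0x0057DB5B: "E8443F0000",  # CALL 00581AA4
    0x0057DB60: "BF94000000",  # MOV EDI,94
    0x0057DB65: "8BC7",        # MOV EAX,EDI
    0x0057DB67: "E8C4880000",  # CALL 00586430
}


def assemble_region(writes):
    """Join address->hex writes into one contiguous (base, bytes) buffer; refuse gaps/overlaps."""
    base, cursor, data = None, None, b""
    for addr in sorted(writes):
        if base is None:
            base = cursor = addr
        if addr != cursor:
            raise ValueError(f"write at {addr:#010x} does not abut {cursor:#010x}")
        chunk = bytes.fromhex(writes[addr])
        data += chunk
        cursor = addr + len(chunk)
    return base, data


def decode_entry(base, data):
    """Tiny x86-32 decoder covering only the encodings seen at this entry point.
    Returns (address, mnemonic, operand) tuples; CALL operands are absolute targets."""
    insns, off = [], 0
    while off < len(data):
        addr, op = base + off, data[off]
        if op == 0x6A:                      # PUSH imm8
            insns.append((addr, "PUSH", data[off + 1])); off += 2
        elif op == 0x68:                    # PUSH imm32
            insns.append((addr, "PUSH", struct.unpack_from("<I", data, off + 1)[0])); off += 5
        elif op == 0xE8:                    # CALL rel32: target = address of next insn + rel
            rel = struct.unpack_from("<i", data, off + 1)[0]
            insns.append((addr, "CALL", (addr + 5 + rel) & 0xFFFFFFFF)); off += 5
        elif 0xB8 <= op <= 0xBF:            # MOV r32, imm32 (BF = EDI)
            insns.append((addr, "MOV", struct.unpack_from("<I", data, off + 1)[0])); off += 5
        elif op == 0x8B:                    # MOV r32, r/m32; only the reg,reg form occurs here
            insns.append((addr, "MOV", data[off + 1])); off += 2
        else:
            raise ValueError(f"unhandled opcode {op:#04x} at {addr:#010x}")
    return insns


def encode_call_rel32(at, target):
    """Inverse of the CALL case above: E8 followed by (target - (at + 5)) as little-endian int32."""
    return b"\xE8" + struct.pack("<I", (target - (at + 5)) & 0xFFFFFFFF)


def build_patch():
    """The three edits from the post: PUSH <string address>, CALL LoadLibraryA, then the C string.
    ASSUMPTION: the CALL is the 5-byte E8 form, so the string starts right after it at 0x0057DB5E."""
    push = b"\x68" + struct.pack("<I", STRING_ADDR)
    call = encode_call_rel32(ENTRY + len(push), LOADLIB_THUNK)
    assert ENTRY + len(push) + len(call) == STRING_ADDR
    return push + call + b"libcod.dll\x00"


def apply_writes(base, image, writes):
    """Replay the DLL's cracking_write_hex() calls onto a copy of `image` that starts at `base`."""
    out = bytearray(image)
    for addr, hexstr in writes.items():
        chunk = bytes.fromhex(hexstr)
        out[addr - base:addr - base + len(chunk)] = chunk
    return bytes(out)


def changed_offsets(a, b):
    """Offsets at which two same-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    base, original = assemble_region(ORIGINAL_WRITES)
    for addr, mnem, operand in decode_entry(base, original):
        print(f"{addr:#010x}  {mnem:<5} {operand:#x}")
    patch = build_patch()
    patched = patch + original[len(patch):]        # patched bytes, then the untouched tail
    print("offsets the patch changed:", changed_offsets(original, patched))
    print("DLL restore undoes the patch:", apply_writes(base, patched, ORIGINAL_WRITES) == original)
```

The decoder shows why the DLL has to write back 24 bytes even though the patch only touches 21: the restore list is copied instruction by instruction, and the last instruction (CALL at 0x0057DB67) extends three bytes past the end of the string terminator. Restoring a superset of the damaged range is harmless as long as every byte is the original one, which is what the final comparison checks.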

php
30th March 2016, 14:25
Nice, except it's quite cumbersome to manually patch every offset if you have different versions/patches (1.0/1.1/1.2/1.3). You could also fix this of course in OllyDbg, but it's again harder to do; there are programs that'll automate this. One of the programs I use myself is http://www.ntcore.com/exsuite.php (Import Adder). It's not a guarantee it'll work on any exe; if that's the case, manually do the dll loading in olly for instance.

yctn
25th April 2023, 07:03
Does this work on Win 10? I am unable to get it to work on my end. The exe is simply crashing/not responding.

kung foo man
25th April 2023, 09:22
> Does this work on Win 10? I am unable to get it to work on my end. The exe is simply crashing/not responding.

I had the same issue switching from XP to newer Win versions; they probably do a bunch of checking or other kinds of initialisations... I never looked into it, but you could try to play around a bit in OllyDBG, stepping through to see what is going on.