Thread: Hooking .exe without .dll injection, the simple way :D

  #1 kung foo man (Assadministrator)

    This is harder than a simple LD_PRELOAD, but still quite easy. Tested on VMware with Windows XP Pro SP3.

    Goal: start libcod.dll before WinMain() of libcod2_1_3.exe is called. We're basically just gonna do three things:
    - PUSH "libcod.dll"
    - CALL LoadLibraryA
    - Set the string "libcod.dll" in memory of the start-function

    Pictures!

    At first we open libcod2_1_3.exe (just a renamed CoD2MP.exe, so we don't overwrite original stuff) in OllyDBG.

    It will jump directly to the program entry point, just what we need:

    [Image: 1.png]

    We double-click on the "PUSH 60" to overwrite it with our opcode:

    [Image: 2.png]

    Same with the second opcode, just enter CALL LoadLibraryA. Now we need to write the string libcod.dll\0 into memory, use Right-click -> Binary -> Edit:

    [Image: 3.png]

    Type "libcod.dll" in ASCII, then append 00 in HEX view (important C string terminator):

    [Image: 4.png]

    Now we see the address 0x0057DB5E, which is basically a (char *), so let's point our PUSH 12345 to it.

    [Image: 5.png]

    Just like that:

    [Image: 6.png]

    Now patch the binary by saving our changes:

    [Image: 7.png]

    Which is quite cumbersome in OllyDBG: first close this window, then you need to press Yes like 5 times:

    [Image: 9.png]

    Now we are done with OllyDBG; next we need to copy the original opcodes of a normal CoD2MP.exe:

    [Image: 8.png]

    Just press CTRL+C, do some Notepad++ multi-line edit magic, and come up with this (basically the Code::Blocks DLL example with https://github.com/M-itch/libcod_win...c/cracking.cpp):

    We basically just reset the overwritten parts of our program entry point and then jump to the entry-point with inline asm:

    Code:
    #include "main.h"
    #include <stdio.h>
    #include "cracking.h"

    // a sample exported function
    void DLL_EXPORT SomeFunction(const LPCSTR sometext)
    {
        MessageBoxA(0, sometext, "DLL Message", MB_OK | MB_ICONINFORMATION);
    }

    extern "C" DLL_EXPORT BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
    {
        switch (fdwReason)
        {
            case DLL_PROCESS_ATTACH:
                MessageBoxA(NULL, "Hello KILLTUBE!", "Starting libcod.dll from libcod_1_3.exe!", MB_ICONINFORMATION);

                // put the six original entry-point instructions back
                // (bytes copied from an unpatched CoD2MP.exe in OllyDBG)
                cracking_write_hex(0x0057DB54, (char *)"6A60");       // PUSH 60
                cracking_write_hex(0x0057DB56, (char *)"68D8925900"); // PUSH original.005992D8
                cracking_write_hex(0x0057DB5B, (char *)"E8443F0000"); // CALL original.00581AA4
                cracking_write_hex(0x0057DB60, (char *)"BF94000000"); // MOV EDI,94
                cracking_write_hex(0x0057DB65, (char *)"8BC7");       // MOV EAX,EDI
                cracking_write_hex(0x0057DB67, (char *)"E8C4880000"); // CALL original.00586430

                // jump back to the restored entry point; this never returns
                asm("jmp *%0"::"r"(0x0057DB54):);

                // attach to process
                // return FALSE to fail DLL load
                break;

            case DLL_PROCESS_DETACH:
                // detach from process
                break;

            case DLL_THREAD_ATTACH:
                // attach to thread
                break;

            case DLL_THREAD_DETACH:
                // detach from thread
                break;
        }
        return TRUE; // successful
    }

    Start libcod2_1_3.exe

    [Image: 10.png]

    Press OK:

    [Image: 11.png]


    Done.

    I was always pissed off by the .dll injection process, making the reverse engineering so demotivating. Now this should feel pretty native.

    Started with this, because I wanted to hook CreateWindow() to allow non-fullscreen and resizeable windows and maybe debug why DX9 starts up so slow.

    I guess this works for .dll's as well, but not tested yet.

    Basically it's now simple as fuck to extend any .exe with a custom .dll, kinda what I always wanted and missed for Windows. Looking forward to what ya gonna do with this.
    timescale 0.01

    Thanked by: Mitch (30th March 2016), php (31st March 2016), serthy (30th March 2016), voron00 (30th March 2016), YuriJurek (30th March 2016)
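The entry-point hook from the post above, modelled in a plain C buffer as an added example (this is not code from the original post or from libcod). It assembles the PUSH imm32 / CALL rel32 pair the way OllyDBG does, writes "libcod.dll\0" at 0x0057DB5E, and then restores the six original instructions from the same hex strings the DllMain above passes to cracking_write_hex. The addresses and original bytes are the ones shown in the post; LOADLIB_THUNK is an assumption (the string landing at 0x0057DB5E implies a 5-byte near CALL after the 5-byte PUSH, but the post does not show its target), and the hex decoder is a reimplementation of what cracking_write_hex does, not the libcod_win one.

```c
/* Added example: simulate the OllyDBG entry-point patch and the DllMain restore
 * on a byte buffer that models 0x0057DB54..0x0057DB6B of libcod2_1_3.exe.
 * Addresses/bytes are from the post; LOADLIB_THUNK is an ASSUMPTION. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ENTRY_VA      0x0057DB54u   /* program entry point (from the post)      */
#define STRING_VA     0x0057DB5Eu   /* where "libcod.dll\0" was typed in (post) */
#define PATCH_LEN     24            /* 0x57DB54..0x57DB6B: six original insns   */
#define LOADLIB_THUNK 0x0058E000u   /* ASSUMED near-CALL target for LoadLibraryA */

/* One entry of the "original opcodes" table from the DllMain in the post. */
struct patch { uint32_t va; const char *hex; const char *disasm; };
static const struct patch ORIGINAL[] = {
    { 0x0057DB54u, "6A60",       "PUSH 60"       },
    { 0x0057DB56u, "68D8925900", "PUSH 005992D8" },
    { 0x0057DB5Bu, "E8443F0000", "CALL 00581AA4" },
    { 0x0057DB60u, "BF94000000", "MOV EDI,94"    },
    { 0x0057DB65u, "8BC7",       "MOV EAX,EDI"   },
    { 0x0057DB67u, "E8C4880000", "CALL 00586430" },
};
#define ORIGINAL_COUNT (sizeof ORIGINAL / sizeof ORIGINAL[0])

static int nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode "E8443F0000" -> {E8,44,3F,00,00}; returns byte count, 0 on bad input. */
static size_t hex_to_bytes(const char *hex, uint8_t *out, size_t cap)
{
    size_t n = 0, len = strlen(hex);
    if (len == 0 || len % 2) return 0;
    for (size_t i = 0; i < len; i += 2) {
        int hi = nibble(hex[i]), lo = nibble(hex[i + 1]);
        if (hi < 0 || lo < 0 || n >= cap) return 0;
        out[n++] = (uint8_t)((hi << 4) | lo);
    }
    return n;
}

/* 68 imm32: PUSH imm32, immediate stored little-endian. */
static void enc_push_imm32(uint32_t imm, uint8_t out[5])
{
    out[0] = 0x68;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(imm >> (8 * i));
}

/* E8 rel32: CALL target, displacement relative to the END of this 5-byte insn. */
static void enc_call_rel32(uint32_t insn_va, uint32_t target_va, uint8_t out[5])
{
    uint32_t rel = target_va - (insn_va + 5);
    out[0] = 0xE8;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Write a table of hex patches into mem (which models memory from base_va).
 * Returns the number applied, or -1 if a patch falls outside the buffer. */
static int apply_patches(uint8_t *mem, uint32_t base_va, size_t len,
                         const struct patch *p, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        uint8_t bytes[16];
        size_t n = hex_to_bytes(p[i].hex, bytes, sizeof bytes);
        if (n == 0 || p[i].va < base_va || p[i].va - base_va + n > len) return -1;
        memcpy(mem + (p[i].va - base_va), bytes, n);
    }
    return (int)count;
}

/* The three OllyDBG edits: PUSH STRING_VA; CALL LoadLibraryA; the C string. */
static int build_hook(uint8_t *mem, uint32_t base_va, size_t len)
{
    const char dll[] = "libcod.dll";                       /* 11 bytes incl. NUL */
    if (base_va != ENTRY_VA || len < PATCH_LEN) return -1;
    enc_push_imm32(STRING_VA, mem + 0);                    /* 0x57DB54..58 */
    enc_call_rel32(ENTRY_VA + 5, LOADLIB_THUNK, mem + 5);  /* 0x57DB59..5D */
    memcpy(mem + (STRING_VA - base_va), dll, sizeof dll);  /* 0x57DB5E..68 */
    return 0;
}

int main(void)
{
    uint8_t orig[PATCH_LEN] = {0}, mem[PATCH_LEN] = {0};
    apply_patches(orig, ENTRY_VA, PATCH_LEN, ORIGINAL, ORIGINAL_COUNT);
    memcpy(mem, orig, PATCH_LEN);
    build_hook(mem, ENTRY_VA, PATCH_LEN);
    printf("hooked  : "); for (int i = 0; i < PATCH_LEN; i++) printf("%02X", mem[i]);
    apply_patches(mem, ENTRY_VA, PATCH_LEN, ORIGINAL, ORIGINAL_COUNT);   /* what DllMain does */
    printf("\nrestored: %s\n", memcmp(mem, orig, PATCH_LEN) == 0 ? "identical to original" : "MISMATCH");
    return 0;
}
```

The thing worth seeing in the buffer is the overlap: the string occupies 0x0057DB5E..0x0057DB68, in the middle of the original MOV EAX,EDI and CALL 00586430, which is why the DllMain restores all 24 bytes up to 0x0057DB6B and not just the 10 bytes of the two hook instructions. enc_call_rel32 also reproduces the post's E8443F0000 and E8C4880000 from the CALL addresses and targets, which is a handy check that a copied rel32 still points where you think when you move bytes around.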

  #2 php (Private First Class)
    Nice, except it's quite cumbersome to manually patch every offset if you have different versions/patches (1.0/1.1/1.2/1.3). You could also fix this of course in OllyDbg, but it's again harder to do; there are programs that'll automate this, though. One of the programs I use myself is http://www.ntcore.com/exsuite.php (Import Adder). It's not a guarantee it'll work on any exe; if that's the case, manually do the DLL loading in Olly, for instance.
    Last edited by php; 30th March 2016 at 14:37.

    Thanked by: kung foo man (31st March 2016), serthy (30th March 2016), voron00 (31st March 2016)
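As an added example (not from php's post, and not how NTCore's Import Adder works), one way to stop reading the entry-point address off OllyDBG for every patch version is to take it from the PE headers: AddressOfEntryPoint and ImageBase sit in the optional header, and the section table maps that RVA to the file offset where the hook bytes can be written straight into the .exe on disk. The miniature PE32 image built by make_fake_pe() is constructed for this demo and is not a CoD2 binary; the hook bytes written in main() are a placeholder PUSH imm32, not a working loader stub.

```c
/* Added example: locate a PE32 entry point from the headers and map it to a
 * file offset, so a hook can be applied per version without OllyDBG.
 * The PE image produced by make_fake_pe() is CONSTRUCTED for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

struct pe_entry { uint32_t image_base, entry_rva, entry_va, file_offset; };

/* DOS header -> "PE\0\0" -> COFF header -> optional header (PE32 only) ->
 * section table. Returns 0 on success, a negative code on malformed input. */
static int pe_find_entry(const uint8_t *img, size_t len, struct pe_entry *out)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;                    /* "MZ"      */
    uint32_t pe = rd32(img + 0x3C);                                       /* e_lfanew  */
    if (pe >= len || len - pe < 4 + 20 + 96) return -2;
    if (rd32(img + pe) != 0x00004550u) return -3;                         /* "PE\0\0"  */
    const uint8_t *coff = img + pe + 4;
    uint16_t nsec = rd16(coff + 2);                                       /* NumberOfSections     */
    uint16_t opt_size = rd16(coff + 16);                                  /* SizeOfOptionalHeader */
    const uint8_t *opt = coff + 20;
    if (opt_size < 96 || (size_t)(opt - img) + opt_size + 40u * nsec > len) return -4;
    if (rd16(opt) != 0x10B) return -5;                                    /* PE32 magic; PE32+ not handled */
    out->entry_rva  = rd32(opt + 16);                                     /* AddressOfEntryPoint */
    out->image_base = rd32(opt + 28);                                     /* ImageBase           */
    out->entry_va   = out->image_base + out->entry_rva;
    const uint8_t *sec = opt + opt_size;                                  /* IMAGE_SECTION_HEADER[] */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        uint32_t va = rd32(sec + 12), rsize = rd32(sec + 16), raw = rd32(sec + 20);
        if (out->entry_rva >= va && out->entry_rva - va < rsize) {
            out->file_offset = raw + (out->entry_rva - va);               /* RVA -> file offset */
            return out->file_offset < len ? 0 : -6;
        }
    }
    return -7;   /* entry point not backed by file data (packed or odd image) */
}

/* Overwrite the entry point in the file image with n bytes. 0 on success. */
static int pe_patch_entry(uint8_t *img, size_t len, const uint8_t *bytes, size_t n)
{
    struct pe_entry e;
    int rc = pe_find_entry(img, len, &e);
    if (rc) return rc;
    if (n > len - e.file_offset) return -8;
    memcpy(img + e.file_offset, bytes, n);
    return 0;
}

/* CONSTRUCTED minimal PE32: ImageBase 0x400000, one ".text" section at
 * RVA 0x1000 backed by file offset 0x200, entry at RVA 0x1010. Returns length. */
static size_t make_fake_pe(uint8_t *buf, size_t cap)
{
    const size_t len = 0x400;
    if (cap < len) return 0;
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x40);                    /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *coff = buf + 0x44;
    wr16(coff + 0, 0x014C);                    /* IMAGE_FILE_MACHINE_I386 */
    wr16(coff + 2, 1);                         /* one section */
    wr16(coff + 16, 0xE0);                     /* standard PE32 optional header size */
    uint8_t *opt = coff + 20;                  /* at 0x58 */
    wr16(opt + 0, 0x10B);
    wr32(opt + 16, 0x1010);                    /* AddressOfEntryPoint */
    wr32(opt + 28, 0x00400000u);               /* ImageBase */
    uint8_t *sec = opt + 0xE0;                 /* at 0x138 */
    memcpy(sec, ".text", 5);
    wr32(sec + 8, 0x200);                      /* VirtualSize      */
    wr32(sec + 12, 0x1000);                    /* VirtualAddress   */
    wr32(sec + 16, 0x200);                     /* SizeOfRawData    */
    wr32(sec + 20, 0x200);                     /* PointerToRawData */
    buf[0x210] = 0x6A; buf[0x211] = 0x60;      /* PUSH 60, like the real entry point */
    return len;
}

int main(void)
{
    uint8_t img[0x400];
    size_t len = make_fake_pe(img, sizeof img);
    struct pe_entry e;
    if (pe_find_entry(img, len, &e) != 0) return 1;
    printf("entry VA %08X -> file offset %08X\n", e.entry_va, e.file_offset);
    const uint8_t hook[] = { 0x68, 0x1A, 0x10, 0x40, 0x00 };   /* placeholder PUSH 0040101A */
    return pe_patch_entry(img, len, hook, sizeof hook) == 0 ? 0 : 1;
}
```

Two caveats a practitioner would want: the mapping only works when the entry point lies inside a section's raw data (a packed or self-modifying executable will return -7 here and needs the OllyDBG route), and patching the file also means the bytes the DLL later restores must come from the same version, so the restore table has to be keyed by version too.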

  #3 yctn
    Does this work on Win 10? I am unable to get it to work on my end. The exe is simply crashing/not responding.

  #4 kung foo man (Assadministrator)
    Quote Originally Posted by yctn View Post
    Does this work on Win 10? I am unable to get it to work on my end. The exe is simply crashing/not responding.
    I had the same issue switching from XP to newer Win versions; they probably do a bunch of checking or other kinds of initialisations... I never looked into it, but you could try to play around a bit in OllyDBG, step by step, to see what is going on.
