Hooking .exe without .dll injection, the simple way :D

**kung foo man** · 30th March 2016, 07:12

This is harder than a simple LD_PRELOAD, but still quite easy. Tested on VMWare with Windows XP Pro SP3.

Goal: start libcod.dll before WinMain() of libcod2_1_3.exe is called. We basically just gonna do three things:
- PUSH "libcod.dll"
- CALL LoadLibraryA
- Set the string "libcod.dll" in memory of the start-function

Pictures!

At first we open libcod2_1_3.exe (just a renamed CoD2MP.exe, so we don't overwrite original stuff) in OllyDBG.

It will jump directly to the program entry point, just what we need:

Click image for larger version.

Name: 1.png
Views: 162
Size: 58.6 KB
ID: 1049

We double click on the "PUSH 60", to overwrite it with our opcode:

Click image for larger version.

Name: 2.png
Views: 138
Size: 62.1 KB
ID: 1050

Same with the second opcode, just enter CALL LoadLibraryA. Now we need to write the string libcod.dll\0 into memory, use Rightclick -> Binary -> Edit:

Click image for larger version.

Name: 3.png
Views: 129
Size: 58.5 KB
ID: 1051

Type "libcod.dll" in ASCII, then append 00 in HEX view (important C string terminator):

Click image for larger version.

Name: 4.png
Views: 125
Size: 8.0 KB
ID: 1052

Now we see the address 0x0057DB5E, which is basically a (char *), lets point our PUSH 12345 to it.

Click image for larger version.

Name: 5.png
Views: 127
Size: 60.2 KB
ID: 1053

Just like that:

Click image for larger version.

Name: 6.png
Views: 118
Size: 63.5 KB
ID: 1054

Now patch the binary by saving our changes:

Click image for larger version.

Name: 7.png
Views: 116
Size: 63.1 KB
ID: 1055

Which is quite cumbersome in OllyDBG, first close this window, then you need to press like 5 times yes:

Click image for larger version.

Name: 9.png
Views: 113
Size: 63.0 KB
ID: 1057

Now we are done with the OllyDBG, now we need to copy the original opcodes of a normal CoD2MP.exe:

Click image for larger version.

Name: 8.png
Views: 119
Size: 59.7 KB
ID: 1056

Just press CTRL+C, do some Notepad++ multi line edit magic, and come up with this (basically Code::Blocks DLL example with https://github.com/M-itch/libcod_win...c/cracking.cpp):

We basically just reset the overwritten parts of our program entry point and then jump to the entry-point with inline asm:

PHP Code:


#include "main.h"
#include <stdio.h>
#include "cracking.h"

// a sample exported function
void DLL_EXPORT SomeFunction(const LPCSTR sometext)
{
    MessageBoxA(0, sometext, "DLL Message", MB_OK | MB_ICONINFORMATION);
}

extern "C" DLL_EXPORT BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
        case DLL_PROCESS_ATTACH:
            MessageBoxA(NULL, "Hello KILLTUBE!", "Starting libcod.dll from libcod_1_3.exe!", MB_ICONINFORMATION);

            cracking_write_hex(0x0057DB54, (char *)"6A60"); // PUSH 60
            cracking_write_hex(0x0057DB56, (char *)"68D8925900"); // PUSH original.005992D8
            cracking_write_hex(0x0057DB5B, (char *)"E8443F0000"); // CALL original.00581AA4
            cracking_write_hex(0x0057DB60, (char *)"BF94000000"); // MOV EDI,94
            cracking_write_hex(0x0057DB65, (char *)"8BC7"); // MOV EAX,EDI
            cracking_write_hex(0x0057DB67, (char *)"E8C4880000"); // CALL original.00586430
            asm("jmp *%0"::"r"(0x0057DB54):);
            // attach to process
            // return FALSE to fail DLL load
            break;

        case DLL_PROCESS_DETACH:
            // detach from process
            break;

        case DLL_THREAD_ATTACH:
            // attach to thread
            break;

        case DLL_THREAD_DETACH:
            // detach from thread
            break;
    }
    return TRUE; // successfull
}

Start libcod2_1_3.exe

Click image for larger version.

Name: 10.png
Views: 125
Size: 8.9 KB
ID: 1058

Press OK:

Click image for larger version.

Name: 11.png
Views: 124
Size: 60.1 KB
ID: 1059

Done.

I was always pissed of by the .dll injection process, making the reverse engineering so demotivating. Now this should feel pretty native.

Started with this, because I wanted to hook CreateWindow() to allow non-fullscreen and resizeable windows and maybe debug why DX9 starts up so slow.

I guess this works for .dll's as well, but not tested yet.

Basically it's now simple as fuck to extend any .exe with a custom .dll, kinda what I always wanted and missed for Windows. Looking forward what ya gonn do with this.

**php** · 30th March 2016, 14:25

Nice, except it's quite cumbersome to manually patch every offset if you have different versions/patches (1.0/1.1/1.2/1.3). You could also fix this ofcourse in OllyDbg but it's again harder to do, but there are programs that'll automate this. One of the programs I use myself is http://www.ntcore.com/exsuite.php (Import Adder), it's not a guarantee it'll work on any exe, if that's the case manually do the dll loading in olly for instance.

**yctn** · 25th April 2023, 07:03

does this work on win 10 i am unable to get it to work on my end. the exe is sinple crashing/not responding.

**kung foo man** · 25th April 2023, 09:22

Originally Posted by yctn

does this work on win 10 i am unable to get it to work on my end. the exe is sinple crashing/not responding.

I had the same issue switching from XP to newer Win versions, they probably do a bunch of checking or other kinds of initialisations... I never looked into it, but you could try to play around a bit in OllyDBG step-by-step what is going on

Thread: Hooking .exe without .dll injection, the simple way :D

Thread Tools

Search Thread

Display

Hooking .exe without .dll injection, the simple way :D

The Following 5 Users Say Thank You to kung foo man For This Useful Post:

The Following 3 Users Say Thank You to php For This Useful Post:

Posting Permissions