Author Topic: loadlibrary question

Samuele.

loadlibrary question
« on: February 05, 2006, 05:12:59 am »
About debugging, and in particular about OllyDbg, what's the meaning of a LoadLibrary call without a filename?

I mean:

007CD3AE  |. 68 A0398D00    PUSH myprog.007D49A0                       ; /FileName = "user32.dll"
007CD3B3  |. FF15 E8218D00  CALL DWORD PTR DS:[<&KERNEL32.LoadLibrar>; \LoadLibraryA

calls user32.dll, but what is this?

007A0341  |. 52             PUSH EDX                                 ; /FileName
007A0342  |. FF15 E8218D00  CALL DWORD PTR DS:[<&KERNEL32.LoadLibrar>; \LoadLibraryA


If I wanted to replace the DLL called in the last disassembled code with another, would I have to code an injector myself in C++ (or another language), or is it sufficient to change something (what? A register? A memory address?) with OllyDbg?

Thanks.

M. O.

« Reply #1 on: February 05, 2006, 03:02:21 pm »
Check what EDX contains (pointer -> some sort of a filename probably).

If you want to push a filename instead, just write something like the line above: PUSH myprog.007D49A0 ; /FileName = "user32.dll".

You'll probably also need to create a code cave (= injection) through C++ or a trainer maker. Also check if the line calls multiple files; you surely want them to be called as usual too.
Heckling is an art, and game hacking a science.
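As an added illustration of the point in this reply (this is not code from the thread's authors): a small Python script that walks an OllyDbg listing like the two fragments quoted above and, for each LoadLibraryA call, reports whether the pushed argument is an immediate string address the debugger could already annotate, or a register whose target can only be read at run time. The sample listing is the thread's own two fragments, embedded as constructed input; the truncated import name "LoadLibrar" is matched as OllyDbg prints it.

```python
import re

# Constructed sample input: the two OllyDbg fragments quoted in this thread,
# one LoadLibraryA call with an immediate string address and one with EDX.
LISTING = """\
007CD3AE  |. 68 A0398D00    PUSH myprog.007D49A0                       ; /FileName = "user32.dll"
007CD3B3  |. FF15 E8218D00  CALL DWORD PTR DS:[<&KERNEL32.LoadLibrar>; \\LoadLibraryA
007A0341  |. 52             PUSH EDX                                 ; /FileName
007A0342  |. FF15 E8218D00  CALL DWORD PTR DS:[<&KERNEL32.LoadLibrar>; \\LoadLibraryA
"""

# An OllyDbg line: address, "|." marker, one or more hex byte groups, text.
LINE_RE = re.compile(r"^(?P<addr>[0-9A-F]{8})\s+\|\.\s+(?:[0-9A-F]+\s+)+(?P<text>.+)$")
FILENAME_RE = re.compile(r'FileName\s*=\s*"([^"]*)"')
REGISTERS = {"EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP"}


def parse_line(line):
    """Return (address, instruction, comment) for one listing line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    instr, _, comment = m.group("text").partition(";")
    return m.group("addr"), instr.strip(), comment.strip()


def find_loadlibrary_calls(listing):
    """Pair each CALL to LoadLibrary* with the PUSH that supplied its argument.
    "static": immediate address, so OllyDbg already shows the FileName string.
    "dynamic": a register, so the string lives wherever the register points
    and can only be read at run time (break on the CALL, then inspect it).
    """
    results, prev = [], None
    for raw in listing.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        addr, instr, comment = parsed
        if instr.startswith("CALL") and "LoadLibrar" in instr + comment \
                and prev is not None and prev[1].startswith("PUSH"):
            arg = prev[1].split(None, 1)[1]
            fn = FILENAME_RE.search(prev[2])
            results.append({
                "call_addr": addr,
                "argument": arg,
                "kind": "dynamic" if arg.upper() in REGISTERS else "static",
                "filename": fn.group(1) if fn else None,
            })
        prev = parsed
    return results
```

Running `find_loadlibrary_calls(LISTING)` yields one "static" record resolved to user32.dll and one "dynamic" record whose argument is EDX with no filename, which is exactly the difference the question is about.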

Samuele.

« Reply #2 on: February 05, 2006, 03:37:18 pm »
I've been using a debugger and assembler for just 2 days, so I don't know many things, but I like learning and I understand your concept.

Can I make a code cave without high-level programming, using just the assembler? It seems the simplest way. I mean:
1) Find a place in the exe for my code (how? With NOP spaces?)
2) Substitute the CALL DWORD with a JMP to my function
3) At the end of my function, jump back to the last point?
Eventually, can you make an assembler code example which loads a DLL (LoadLibrary filename)?

Do you know Microsoft Detours? Do you think it could be another way to do this?

And if, for some reason, I can't change the size of the exe? Do I have to write my own hook in C++ (or others)? There are so many hook code examples; what can I use and what should I modify, conceptually speaking?

M. O.

« Reply #3 on: February 05, 2006, 04:36:06 pm »
Yes, you can use both a high-level language and asm. I would prefer ASM for this, though.

1) To find a code cave you'll "need" a tool (can be found on gamehacking.com).
2), 3) Yes.

I'm not sure about the parameters for the LoadLibrary function, but probably you create a string at some location, load it into a register and pass it to the function. You could also push the string directly, but then you need to specify that it's a string you pass. I don't remember the operations you do for that, but you could always ask the people on gamehacking.com (there's always someone there who knows every question).

No idea about microsoft detours.

You won't need to change the size of the .exe. I'm not quite sure what you want to do, but yes, you can hook the LoadLibrary function. Then I guess you've got to code one from scratch. I've only seen ready-made D3D hooks.

Samuele.

« Reply #4 on: February 06, 2006, 12:10:47 am »
Thanks, I've solved it.
As you said, I simply pushed another value instead of EDX, and where I needed it, a jump to my function.