• Welcome to Valhalla Legends Archive.
 

calling a function via dllname and ordianal number using dll injection

Started by thetempest, December 01, 2003, 07:37 PM

Previous topic - Next topic

thetempest

Hi,

i'm writing a patcher to load a dll into SC's address space.  The problem is each time SC reloads, my dll has different entry addresses for all of its functions and SC crashes and burns because it can't call the dll fucntion.  I'm using direct calling address.  IE.  call 0x00a00202

so my question is, in ASM i want to do this:
call test.dll@2  (call ordinal 2 outta the dll)

Thanks in advance

Skywing

Quote from: thetempest on December 01, 2003, 07:37 PM
Hi,

i'm writing a patcher to load a dll into SC's address space.  The problem is each time SC reloads, my dll has different entry addresses for all of its functions and SC crashes and burns because it can't call the dll fucntion.  I'm using direct calling address.  IE.  call 0x00a00202

so my question is, in ASM i want to do this:
call test.dll@2  (call ordinal 2 outta the dll)

Thanks in advance
Rebase your DLL so that it doesn't conflict with something else.  The default base address 0x10000000 is likely to force you to get rebased.

Try calling GetProcAddress (a documented, named export of Kernel32.dll) or writing your own PE header parser to grab the exported function address.

Without more detailed information, I can't give you more precise advice.

thetempest

hey,

well here is the deal, how do i set my own address?  that would be GREAT, base addy for my DLL i mean.  2ndly i want my patcher to be able to right a call blahblah in ASM to handle the variables.

anyways, i'm still intrested in calling my functions via dllname@ordinalNumber...

thanks

Skywing

Quote from: thetempest on December 01, 2003, 08:35 PM
hey,

well here is the deal, how do i set my own address?  that would be GREAT, base addy for my DLL i mean.  2ndly i want my patcher to be able to right a call blahblah in ASM to handle the variables.

anyways, i'm still intrested in calling my functions via dllname@ordinalNumber...

thanks
The base address for your dll is the first argument to your DllMain function.

thetempest

hummm???

what do you mean, ya hModuel is the 1st arguemt, but how do i "set" that?

ok, another idea i had was this (but yours is FAR easier)

i want to store the addy of the function into static memory :)
EDIT:

call [004e5400] //function @1
call [004e5404] //function @2


my only questions are:
1) How to do this using GetProcAddress() which returns a _cdelc or something (i need a DWORD)...
2) Storing the DWORD into memory

PROBLEM:
I know ASM, but MSVC++ is giving me SHIT!!!



//globals
__declspec( dllexport ) void _stdcall dontDropMe();
typedef void (*MYPROC)(void);
fstream file;

file.open("test.log",ios::in | ios:: out);

//inside function to store dynamic values in static address
HINSTANCE hwnd = GetModuelHandle("test2.dll");
dontdropme = (MYPROC) GetProcAddress(hwnd,"?dontDropMe@@YGXXZ");
file << dontdropme << "\n" << flush;
//this outputs 0x00a0020F (which is what i want to store into memory)

_asm
{
      mov dword ptr [004e5400],dontdropme
}




ERRORS:

1) it needs a 0x inside the [] for MSVC++ to regonize address
2) it says that the "ptr" is invalid
3) it says the [] are invalid
4) it says dontdropme is invalid datatype (i've even tried casting it to DWORD) no avail, i've even tried puting DWORD into EAX,EBX and doing [eax],address STILL doesn't work

any ideas please
thx

Skywing

You're running into a known MASM limitation.  Try this...


__asm {
mov eax, 0x004e5400
mov dword ptr [eax], OFFSET dontdropme
}

thetempest

Quote

__asm {
mov eax, 0x004e5400
mov dword ptr [eax], OFFSET dontdropme
}



"mov dword ptr [eax], OFFSET dontdropme" generates an error:
"improper operand type"

Skywing

Quote from: thetempest on December 01, 2003, 09:03 PM
Quote

__asm {
mov eax, 0x004e5400
mov dword ptr [eax], OFFSET dontdropme
}



"mov dword ptr [eax], OFFSET dontdropme" generates an error:
"improper operand type"
If it's a stack variable, you need to do something like..

__asm {
; include code from above except the last line...
mov ecx, dontdropme
mov dword ptr [eax], ecx
}

This is because a reference to dontdropme will implicitly require referencing a value stored on esp or ebp, and you can't do mov dword ptr [eax], dword ptr [esp+something].

thetempest


thetempest

ack,

runtime problem:

when the game executes the:

mov dword ptr [eax],ecx


it generates an NT_ACCESS_VIOLATION.

i've even tried suspending the thread, virtualallocex with page mem commit and rewrite and execute and then resuming...

nothing?

any ideas skywing?

Skywing

Quote from: thetempest on December 01, 2003, 09:33 PM
ack,

runtime problem:

when the game executes the:

mov dword ptr [eax],ecx


it generates an NT_ACCESS_VIOLATION.

i've even tried suspending the thread, virtualallocex with page mem commit and rewrite and execute and then resuming...

nothing?

any ideas skywing?
If you are writing to a code address you will have to VirtualProtect(Ex) it to something that grants write access (it'll probably be PAGE_EXECUTE_READONLY by default).  VirtualAlloc(Ex)'ing over it will not work.

thetempest

great,

thanks.  I just copy/pasted didn't even think about the ProtectEx()...

thanks again

Adron

But instead of

//inside function to store dynamic values in static address
HINSTANCE hwnd = GetModuelHandle("test2.dll");
dontdropme = (MYPROC) GetProcAddress(hwnd,"?dontDropMe@@YGXXZ");
file << dontdropme << "\n" << flush;
//this outputs 0x00a0020F (which is what i want to store into memory)

_asm
{
     mov dword ptr [004e5400],dontdropme
}


use


//inside function to store dynamic values in static address
HINSTANCE hwnd = GetModuelHandle("test2.dll");
dontdropme = (MYPROC) GetProcAddress(hwnd,"?dontDropMe@@YGXXZ");
file << dontdropme << "\n" << flush;
//this outputs 0x00a0020F (which is what i want to store into memory)

*(MYPROC*)0x4e5400 = dontdropme;



You don't need assembler to write to a pointer in C/C++!

Kp

Quote from: thetempest on December 01, 2003, 08:35 PM
well here is the deal, how do i set my own address?  that would be GREAT, base addy for my DLL i mean.  2ndly i want my patcher to be able to right a call blahblah in ASM to handle the variables.

anyways, i'm still intrested in calling my functions via dllname@ordinalNumber...

There's two ways to set your address.  The first is to do it at link time with a switch to your linker.  If you're using VC6, go to Project->Settings->Link tab.  Category: Output.  Base address: set this to the base you want.  Note that the lowermost bits will need to be zero to work right (the linker should catch it if you try to set them nonzero, but it'll likely complain at you if you try it).

The second way to do this is to use rebase.exe, which comes with VC.  Rebase can change the disk image of a DLL to have a new base after you've built it; although I've never tried, I suspect you could rebase other people's DLLs without the source, as long as the DLL relocation information was still embedded (and without the relocation info, a load will simply fail if the DLL is assigned to an in-use address).
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

Adron

Yes, you can rebase other people's dlls without source. You can do that yourself for dlls in your system directory.