[Guide] C++ DLL injection for Main Server

BakaBug · 04-03-2008, 10:05 AM

Quote: Originally Posted by DeathArt

Well, the CCastle::SetWarRemainSecondTime don't work :-) Tested it allready.

Making memory pointers to methods is ofcource a option, and rather simple,
but I somehow like to attempt a raw ASM workaround first. Because I really don't like pointers.

And yeah, ASM is simple, say if we define a simple function, like this

PHP Code:


			
function MyFunction(int arg1,int arg2)
{
__fastcall would be in asm:[/size]
    // function here
}

Then the ASM to call it is the following:
(Yes, parameters in revered order, that's how it's surposed to be)

PHP Code:


			
DWORD myFunction = 0x000000; // memory address

int arg1 = 1;
int arg2 = 2;

__asm {
    push arg2
    push arg1
    call myFunction
}

than I hope for you don't fuck-up the stack .. but don't care

when you really want to use asm .. why don't use macros

PHP Code:


			
#define Call2Par(x, a, b) __asm{push b; push a; mov edx,x; call edx;}
...
...
Call2Par(0x0000555,Para1,Para2); //would automatical generate your asm ~.~
//should .. I am not sure.. didn't use macros for a long time..

Should work too .. :P ...
It's fast and easy to write some asm codes..
But you wont know what the compiler does before it
and after it..

there are many functiosn types like:
__stdcall
__cdcdel (<-i think it's thisway written)
__fastcall
__thiscall

__stdcall would be in asm:

PHP Code:


			
push para3
push para2
push para1
call function

in c++ it would be:

PHP Code:


			
typedef int (* TFunctionType(int,int,int);

__cdcdel would be in asm:

PHP Code:


			
push para3
push para2
push para1
call function
add esp,0x0C //i think esp need to get moved..

in c++ it would be:

PHP Code:


			
typedef int (__cdcdel* TFunctionType(int,int,int);

__fastcall would be in asm:

PHP Code:


			
push para3
push para2
push para1
mov ecx,classe //most time used ECX
mov edx,classe //also able to use, maybe ebx i am not sure xD
call function

in c++ it would be:

PHP Code:


			
typedef int (__fastcall* TFunctionType(int myECX,int myEDX, int,int,int);

__thiscall.. would be like __fastcall

And the functions in MainSvr are ..yeah most of functions of classes..
mean you need to use "__fastcall" otherwise the function wont know whos the owner..

This also means you first need to steal the owner.. or better get a pointer to the owner.. or you can't use the function right !

Like this:
sampel:

PHP Code:


			
//i onyl suse this to show basic the parametrs of the functiosn aren't right !!!
void CustomMob()
{
  DWORD MyMOB=CMob_Create(...); //you will get a pointer to a class .. this function is i belive a __stdcall
  CMob_Spawn(MyMOB,NULL,...); //this function would be a __fastcall 
   //it's the same like using MyMob->Spawn .. but since we can't use it..
  CMob_Delete(MyMOB,NULL); //again __fastcall or the function wont know whos the owner !!
}

/*
 I don't know if this functions are existing 
or you use these so..
I only wanted to show why it's important to use __fastcall xD
At these functions.. 
*/

SYNT3X · 04-03-2008, 12:20 PM

is there a way to merge the injects with KOCP?

DeathArt · 04-03-2008, 01:02 PM

Quote:

when you really want to use asm .. why don't use macros

Because macro's, and also typedefintions in some cases, is creating extremly messy code, and totaly destroying readability.
For me it's important to create easy-to-read and easy-to-scale code. Something iknow you don't care much about.

I do wonder why you find fastcall so important? Are you doing a external hook?
When the hook is done by overriding a existing DLL, it should allready be in the right thread, and thus have the right owner.

From the looks of it, most of the kalonline functions are actually defined static, due to the horrible threading system of C++, and thus no real issues using stdcall.

P.S. It's named __cdcall , and afaik it's a Visual C++ only method.

Quote:

is there a way to merge the injects with KOCP?

You should be able to override any DLL, allowing you to have multiple injectors.
However, you could easy end up with some really fucked memory handling, causing the world to implode.

(Also, I assume you meant KOSP? C = Client, S = Server).

SYNT3X · 04-03-2008, 01:18 PM

yes ... my fault
I mean KOSP (the Serverside version), because KOSP already inject stuff into the MainSvr :x sooo ..

is there a work around?!

BakaBug · 04-03-2008, 04:03 PM

Quote: Originally Posted by DeathArt

I do wonder why you find fastcall so important? Are you doing a external hook?
When the hook is done by overriding a existing DLL, it should allready be in the right thread, and thus have the right owner.

From the looks of it, most of the kalonline functions are actually defined static, due to the horrible threading system of C++, and thus no real issues using stdcall.

Hmm I don't think they are static..
is there a way to make class functiosn static ? Mean I don't know..

When Inix does:

PHP Code:


			
  CMob* MyMob = new CMob();
  MyMob->Spawn();
  MyMob->Move();

whatever we would need to do (with fastcall)

PHP Code:


			
  //some how get MyMob
  CMob_spawn(MyMob,NULL,...);
  CMob_move(MyMob,NULL,...);

hmhm.. But aslong as it works for you . .everything is fine ? or ? :P

DeathArt · 04-03-2008, 11:14 PM

So far , static calls on the CCastle methods worked fine.

Example on static function

PHP Code:


			

namespace MyNamespace
{
    class MyClass
    {
        public:
            static void DoStuff(int arg1);
    }
}

namespace MyNamespace
{
    MyClass::DoStuff(int arg1)
    {
        // do stuff
    }
}

and example on use

PHP Code:


			
#include "MyClass.h"

using namespace MyNamespace;

int Main()
{
    MyClass::DoStuff();
}

cristy_abaddon · 04-14-2008, 11:09 PM

Quote: Originally Posted by BjornVH

---------------------------
MainSvrT.exe - Entrypoint not found
---------------------------
Can't find entrypoint from GetUserNameA in DLL-file KalHooks.dll.
---------------------------
OK
---------------------------

same error like you,
KalHooks - 0 error(s), 1 warning(s)
========== Rebuild All: 1 succeeded, 0 failed, 0 skipped ==========
dllmain.cpp(11) : warning C4273: 'GetUserNameA' : inconsistent dll linkage

anyone know how to solve this please?
googled it,lots of solution,none worked =/

DeathArt · 04-15-2008, 07:29 AM

Exports.def is VERY important, and as said, you cannot use the Express version of Visual Studio for this !

cristy_abaddon · 04-15-2008, 09:24 AM

aha thank you very much ;)
look at atachament (visual studio express)

DeathArt · 04-17-2008, 06:29 AM

It's not a resource file, and you still cannot use the Express version.

cristy_abaddon · 04-17-2008, 11:34 AM

i know,installed the full version and it work like a charm ;)

BakaBug · 04-19-2008, 02:52 PM

Quote: Originally Posted by DeathArt

It's not a resource file, and you still cannot use the Express version.

don't talk shit ..

sure it's possible it's linker option /def:file-path..

you can change it in the linker-settings or add it yourself

Bloodfreak913 · 04-19-2008, 03:32 PM

i'm using Express version :P 2008 :] and all works fine ;)

DeathArt · 04-19-2008, 03:35 PM

Quote: Originally Posted by BakaBug

don't talk shit ..

sure it's possible it's linker option /def:file-path..

you can change it in the linker-settings or add it yourself

And you could use MING or GCC for the same code as well *sigh*

Doesn't change that Express do not support Definition files out of the box.
End of story.

BakaBug · 04-19-2008, 05:35 PM

Quote: Originally Posted by DeathArt

Express do not support Definition files

Express supports !

BakaBug · 04-19-2008, 05:50 PM

PHP Code:


			
//ADD DEF-FILE:

#pragma comment(linker, "/DEF:EXPORTS.def")



//CONTINUE CODE

#include "stdafx.h"

#include "KalHook.h"



HMODULE libraryHandle;



/// 

/// Implementation of the WINBASE.H method GetUserNameA().

/// Required for proxying the ADVAPI32.dll library.

/// 

_declspec(dllexport) BOOL WINAPI GetUserNameA(LPSTR input, LPDWORD buffer)

{

    typedef BOOL (WINAPI* CFunction)(LPSTR input,LPDWORD buffer);

    CFunction getUserName = (CFunction)GetProcAddress(libraryHandle, "GetUserNameA");

    return getUserName(input, buffer);

}



/// 

/// Initialize and attach the KalHooks class to the DLL loading

/// allowing us to do inline assembler and memory editing.

/// 

BOOL WINAPI DllMain(HMODULE module,DWORD action,LPVOID reserved)

{

    libraryHandle = LoadLibraryA("ADVAPI32.dll");

    

    Sword::KalHook *hook = new Sword::KalHook();

    switch(action)

    {

        case DLL_PROCESS_ATTACH:

            hook->Attach();

        break;

        case DLL_THREAD_ATTACH:

            hook->Detach();

        break;

    }

    return true;

}

Here you go.. works on EXPRESS so don't tell me doesn't work

DeathArt · 04-19-2008, 06:23 PM

No, still no.

We're talking about what the IDE supports. Not what the Visual C++ compiler supports.
What you can do in C++ is rather irrelevant for the discussion.

Bloodfreak913 · 05-05-2008, 11:51 PM

hmm any one have made what? oO? im bored lol idk what i can do maybe some one a idea?

CioNide · 06-16-2008, 08:02 AM

Wow, that was.... just amazing. Thanks for the great guide.

hero322 · 06-29-2008, 07:40 PM

angry old people fighting over lollipops... "codes"

shouldnt this be in the guide section...

1. oh and DA, did you ever figure out how to close castle wars?

2. When you start your castle wars, it starts without server having to shutdown and reopen right?

DeathArt · 07-08-2008, 01:33 AM

Quote:

1. oh and DA, did you ever figure out how to close castle wars?

No

Quote:

2. When you start your castle wars, it starts without server having to shutdown and reopen right?

Yes

But alot of the attemps were really buggy, most likely because the code *did* manage to screw up the stack :p

mejniok · 07-08-2008, 07:05 AM

yyhmm.. I releasing it a lil too late, but i dont had internet connection long time. Nvm. Discussion is about C++ DLL Injection for MSvrT, but i want to present a lil implementation, in Delphi Environment. Maybe for someone will be usefull :)

Code:

library MyAdvAPI;

uses
  Windows;

        //Import GetUserNameA from ADVAPI32.DLL...
        function GetUserNameA(input: LPSTR; buffer: LPDWORD): Boolean; external 'advapi32.dll';

        //Lets export "our's GetUserNameA" to be visible for MainSvrT...
        exports
                GetUserNameA;

  //Here's our core :)
  procedure DllEntryPoint(dwReason: DWord);
  begin
        case dwReason of
              DLL_PROCESS_ATTACH:
                                  begin
                                  //OnLibaryLoad;
                                  {Make shit there}
                                  end;

              DLL_PROCESS_DETACH:
                                  begin
                                  //OnLibaryUnload;
                                  {Make shit there}
                                  end;
              end;

  end;

  //Here everything starts :)
  begin
  DllProc:=@DllEntryPoint;
  DllEntryPoint(DLL_PROCESS_ATTACH);
  end.

dalatnam · 07-10-2008, 10:48 PM

:s anyone know a good C++ dll. injector please reply back ^_^

dalatnam · 07-10-2008, 10:49 PM

better yet a C++ sql injector :s