Hi everyone.
This is a method to inject your code into MapleStory and other applications by implementing a proxy dynamic link library. MapleStory depends on a few Windows DLLs such as dinput9.dll, kernel32.dll, etc. Using this approach there's no need to inject the DLL into the game: the DLL is loaded as if it were an original MapleStory DLL and delegates the calls to the original DLL that we replaced.
The method I will describe should work for any version of MapleStory.
The DLL I will create the proxy for is nmconew.dll.
First of all we set up some variables to hold the original addresses:
    #include <windows.h>
    #include <cstdio>

    // Addresses of the real exports, resolved from the original DLL at load time.
    // The naked stubs below jump through these, so they must be filled in before
    // the game calls any of the proxied functions.
    DWORD NMCO_CallNMFunc_addy;
    DWORD NMCO_CallNMFunc2_addy;
    DWORD NMCO_MemoryFree_addy;
Then we initialize the addresses by loading the original DLL (renamed to nmconew2.dll) to retrieve the original addresses of the functions we want to hook:
    void initializeMapleHook() {
        // The original nmconew.dll was renamed to nmconew2.dll; load it and resolve the real entry points.
        HMODULE hModule = LoadLibraryA("nmconew2.dll");
        if (hModule == NULL) return; // nothing to forward to; the stubs would jump to 0
        NMCO_CallNMFunc_addy  = (DWORD) GetProcAddress(hModule, "NMCO_CallNMFunc");
        NMCO_CallNMFunc2_addy = (DWORD) GetProcAddress(hModule, "NMCO_CallNMFunc2");
        NMCO_MemoryFree_addy  = (DWORD) GetProcAddress(hModule, "NMCO_MemoryFree");
    }
Then we need to expose the original methods in our DLL; these proxy the original calls and delegate to the original methods:
    // Naked exports with the same names as the originals. Each one is a single
    // indirect jump through the saved address, so the stack and registers reach
    // the real function untouched. (__declspec(naked) and __asm are 32-bit MSVC only.)
    extern "C" __declspec(dllexport) __declspec(naked) void NMCO_CallNMFunc() {
        __asm {
            jmp dword ptr [NMCO_CallNMFunc_addy]
        }
    }
    extern "C" __declspec(dllexport) __declspec(naked) void NMCO_CallNMFunc2() {
        __asm {
            jmp dword ptr [NMCO_CallNMFunc2_addy]
        }
    }
    extern "C" __declspec(dllexport) __declspec(naked) void NMCO_MemoryFree() {
        __asm {
            jmp dword ptr [NMCO_MemoryFree_addy]   // must target the saved address, not the stub itself
        }
    }
Sometimes it's necessary to keep the original export ordinals of the DLL. You can check them with a tool like PE Explorer or Process Hacker.
Our DllMain would look like this:
    BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpvReserved) {
        switch (dwReason) {
        case DLL_PROCESS_ATTACH:
            initializeMapleHook();
            LoadLibraryA("br1337.dll");   // Loads another library. Note: LoadLibrary inside
                                          // DllMain runs under the loader lock, which is fragile.
            AllocConsole();
            // printf only reaches the new console once stdout is redirected to it.
            FILE* con = NULL;
            freopen_s(&con, "CONOUT$", "w", stdout);
            printf("BR1337 DLL Injector\n");
            DisableThreadLibraryCalls(hModule);
            break;
        case DLL_PROCESS_DETACH:
            ExitProcess(0);   // terminates the whole process when the proxy is unloaded
            break;
        case DLL_THREAD_ATTACH:
            break;
        case DLL_THREAD_DETACH:
            break;
        }
        return TRUE;
    }
By using this method the DLL is loaded automatically without relying on other injector software.
Of course you could allocate some memory in the target process, write the path of the DLL there and then call CreateRemoteThread, but you would need another executable just to inject your code.
I use this method in NeoMS in order to patch some memory spots of the v90 client.
Example: not closing the game when receiving the open page packet.
I might also say that this method is not exclusive to MapleStory; you could inject code into Google Chrome and other software as well.
The method described above using nmconew.dll currently works for GMS version 175.
How can Nexon prevent this?
Calculate a CRC for each DLL before loading it and validate it against the CRC of the original DLL.
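As an added example (not code from the post or from any Nexon tool), here is the defender-side check just described, using SHA-256 instead of CRC: every DLL in the game directory is compared against a manifest of known-good hashes, and the scenario from this post (proxy in place of nmconew.dll, the genuine DLL renamed to nmconew2.dll, br1337.dll dropped beside it) is built from constructed stand-in bytes in a temporary directory. The manifest format and the `audit_dlls` function are assumptions of this example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks; SHA-256 rather than CRC, which is trivial to collide."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_dlls(game_dir, manifest):
    """Compare every .dll in game_dir against manifest {name: expected sha256}.

    Reports manifest entries that are missing or altered, and DLLs present on
    disk that the manifest does not know at all (a renamed original or a
    side-loaded payload shows up here, not only the replaced file).
    """
    present = {p.name.lower(): p for p in Path(game_dir).iterdir()
               if p.is_file() and p.suffix.lower() == ".dll"}
    report = {"missing": [], "modified": [], "unexpected": []}
    for name, expected in manifest.items():
        path = present.pop(name.lower(), None)
        if path is None:
            report["missing"].append(name)
        elif sha256_file(path) != expected:
            report["modified"].append(name)
    report["unexpected"] = sorted(present)
    return report


def demo():
    """Constructed scenario mirroring the post; byte strings are stand-ins, not real DLLs."""
    genuine = b"GENUINE-NMCONEW-BYTES"   # constructed stand-in for the real nmconew.dll
    proxy = b"PROXY-STUB-BYTES"          # constructed stand-in for the proxy DLL
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        (d / "MapleStory.exe").write_bytes(b"EXE")   # non-DLL files are ignored
        (d / "nmconew.dll").write_bytes(proxy)        # proxy took the original's name
        (d / "nmconew2.dll").write_bytes(genuine)     # original, renamed
        (d / "br1337.dll").write_bytes(b"PAYLOAD")    # library loaded from DllMain
        manifest = {"nmconew.dll": hashlib.sha256(genuine).hexdigest()}
        return audit_dlls(d, manifest)


if __name__ == "__main__":
    print(demo())
```

Like the CRC idea, this only sees files on disk and runs inside the client, so it can itself be patched; verifying each DLL's Authenticode signature before loading is the stronger complement.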