Injecting code inside MapleStory using a DLL proxy

Skilled Illusionist
Joined
Apr 26, 2015
Messages
302
Reaction score
77
Hi everyone.

This is a method to inject your code inside MapleStory and other applications by implementing a proxy dynamic link library. MapleStory depends on a few Windows DLLs such as dinput9.dll, kernel32.dll, etc. Using this approach there's no need to inject the DLL into the game, because the DLL will be loaded as an original MapleStory DLL and delegate the calls to the original DLL that we replaced.
The method I will describe should work for any version of MapleStory.
The DLL that I will create the proxy for is nmconew.DLL.

First of all we set up some variables to hold the addresses of the original functions:

#include <windows.h>
#include <stdio.h>

// Addresses of the real exports inside the original nmconew DLL, filled in at attach time.
DWORD NMCO_CallNMFunc_addy;
DWORD NMCO_CallNMFunc2_addy;
DWORD NMCO_MemoryFree_addy;

Then we initialize the addresses by loading the original DLL and resolving the functions we want to hook:

void initializeMapleHook(){
    // nmconew2.dll: the original nmconew.dll kept under another name so the proxy can take its place.
    HMODULE hModule = LoadLibraryA("nmconew2.dll");
    if (!hModule) { // without the original the stubs below would jump to address 0; fail loudly instead
        MessageBoxA(NULL, "nmconew2.dll (the original DLL) was not found", "proxy", MB_OK | MB_ICONERROR);
        ExitProcess(1);
    }
    NMCO_CallNMFunc_addy = (DWORD) GetProcAddress(hModule, "NMCO_CallNMFunc");
    NMCO_CallNMFunc2_addy = (DWORD) GetProcAddress(hModule, "NMCO_CallNMFunc2");
    NMCO_MemoryFree_addy = (DWORD) GetProcAddress(hModule, "NMCO_MemoryFree");
}

Then we need to export the original functions from our DLL; each export is a naked stub that proxies the original call and delegates to the original function:

// Naked: no prologue or epilogue, so the caller's stack and registers reach the
// original untouched. The jmp goes through the DWORD variable, i.e. an indirect
// jump to the resolved address. x86 only: MSVC has no inline asm or naked functions for x64.
extern "C" __declspec(dllexport) __declspec(naked) void NMCO_CallNMFunc(){
    __asm{
        jmp dword ptr [NMCO_CallNMFunc_addy]
    }
}


extern "C" __declspec(dllexport) __declspec(naked) void NMCO_CallNMFunc2(){
    __asm{
        jmp dword ptr [NMCO_CallNMFunc2_addy]
    }
}


extern "C" __declspec(dllexport) __declspec(naked) void NMCO_MemoryFree(){
    __asm{
        jmp dword ptr [NMCO_MemoryFree_addy]
    }
}

Sometimes it's necessary to keep the original export ordinals of the DLL. You can check them with a tool like PE Explorer or Process Hacker.

Our DllMain would be like this:

BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpvReserved) {
    switch ( dwReason ) {
    case DLL_PROCESS_ATTACH:
        initializeMapleHook();
        LoadLibraryA("br1337.dll"); // Loads another library (runs under the loader lock, so keep that DLL's DllMain simple).
        AllocConsole();
        freopen("CONOUT$", "w", stdout); // attach the CRT's stdout to the new console, otherwise printf shows nothing
        printf("BR1337 DLL Injector\n");
        DisableThreadLibraryCalls(hModule);
        break;
    case DLL_PROCESS_DETACH:
        ExitProcess(0); // also reached at normal process exit; kills the game if the proxy is ever unloaded
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}

By using this method the DLL is loaded automatically without relying on other injector software.

Of course you could allocate some space in the memory, write the path of the dll and then call CreateRemoteThread, but you would need another executable just to inject your code.


I use this method in NeoMS in order to patch some memory spots of the v90 client.
Example: not closing the game when receiving the open page packet.

I might also say that this method is not exclusive to MapleStory; you could inject code into Google Chrome and other software as well.


The method described above using nmconew.dll currently works for GMS version 175.


How can Nexon prevent this?

Calculate a CRC for each DLL before loading it and validate it against the CRC of the original DLL.
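The check proposed above, as an added example that is not code from the post or from Nexon's client: a small portable C++ gate that computes CRC-32 (IEEE polynomial, the same value zlib's crc32 gives) over a DLL's bytes and compares it with a table of known-good values before LoadLibrary would be called. The DLL names are the thread's; the bytes are constructed stand-ins, not real images. A caveat a practitioner would add: CRC-32 is not collision resistant (whoever controls the file can append four bytes to reach any target value), so a real client would verify a code signature or at least a SHA-256, and it would check the same bytes the loader maps rather than a file it checks first and loads separately.

```cpp
// Added example (not from the post): gate a DLL load on a CRC-32 of its bytes.
#include <cstdint>
#include <map>
#include <string>
#include <vector>

typedef std::vector<uint8_t> Bytes;

// CRC-32, reflected, polynomial 0xEDB88320 (IEEE 802.3 / zlib crc32).
uint32_t crc32_ieee(const Bytes& data) {
    static uint32_t table[256];
    if (!table[1]) {                                  // build the lookup table once
        for (uint32_t i = 0; i < 256; ++i) {
            uint32_t c = i;
            for (int k = 0; k < 8; ++k) c = (c & 1) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
            table[i] = c;
        }
    }
    uint32_t crc = 0xFFFFFFFFu;
    for (uint8_t byte : data) crc = table[(crc ^ byte) & 0xFF] ^ (crc >> 8);
    return crc ^ 0xFFFFFFFFu;
}

// Known-good values would be baked into the client at build time. Here the
// table is filled from constructed sample bytes standing in for the real DLLs.
struct ModuleGate {
    std::map<std::string, uint32_t> expected;
    // Decide before LoadLibrary: unknown module or mismatching CRC -> refuse.
    bool allow(const std::string& dll, const Bytes& on_disk) const {
        std::map<std::string, uint32_t>::const_iterator it = expected.find(dll);
        return it != expected.end() && crc32_ieee(on_disk) == it->second;
    }
};

// Constructed stand-in for a DLL image: "MZ", a tag, padding. Not a real PE.
Bytes sample_dll(const char* tag) {
    Bytes b;
    b.push_back('M'); b.push_back('Z');
    for (const char* p = tag; *p; ++p) b.push_back((uint8_t)*p);
    b.resize(64, 0x90);
    return b;
}

// Walks the scenario from the thread: the genuine nmconew.dll passes, a proxy
// that took its name fails, and a DLL with no recorded value is refused.
bool demo_gate() {
    Bytes genuine = sample_dll("nmconew original");
    ModuleGate gate;
    gate.expected["nmconew.dll"] = crc32_ieee(genuine);
    Bytes proxy = genuine;
    proxy[10] ^= 0x01;                                // one flipped byte is enough
    return gate.allow("nmconew.dll", genuine)
        && !gate.allow("nmconew.dll", proxy)
        && !gate.allow("dinput8.dll", genuine);
}
```

The gate refuses unknown names as well as mismatches, so a proxy that slips in under a new file name (the dinput8.dll trick discussed further down the thread) is caught only if the client insists on a complete allow-list of the modules it loads.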
 
Skilled Illusionist
Nothing new indeed. There are a lot of cool things you can do with this though <3

..but this is nothing close to a C++/PE code injecting/client manipulating section. :( lol
Injecting code inside a PE executable is not a trivial task.
Editing some parts might be, but injecting entire functions isn't.
At least this way you can code in C++ and inject it inside MS :p
 
BloopBloop
Name the thing dinput8.dll and you can skip the hook.
 
Skilled Illusionist
Name the thing dinput8.dll and you can skip the hook.
You would need to hook FindFirstFile because MapleStory detects it, and you would also need to hook one function of dinput8.dll in order to make the game load properly.

This method works with other DLLs as well, and you could even edit the DLL name inside the import section of the executable with a hex editor.

;)
 
Junior Spellweaver
holy..... I have been looking for something like this on the internet for a long time, but I found nothing. There isn't any tutorial or detailed guide, especially for Maple. Thank you so much. :love:
One question: can HackShield detect this?
 
Skilled Illusionist
holy..... I have been looking for something like this on the internet for a long time, but I found nothing. There isn't any tutorial or detailed guide, especially for Maple. Thank you so much. :love:
One question: can HackShield detect this?

Generally HackShield won't detect or do anything about injected DLLs inside the client.

I know that if you replace dinput8.dll and try to use this approach, it will be detected by the client.

Which is really easy to bypass by renaming the entry dinput8.dll to dinpu8.dll in the Import Address Table of the unpacked client.
 
Junior Spellweaver
Generally HackShield won't detect or do anything about injected DLLs inside the client.

I know that if you replace dinput8.dll and try to use this approach, it will be detected by the client.

Which is really easy to bypass by renaming the entry dinput8.dll to dinpu8.dll in the Import Address Table of the unpacked client.

How about a packed client (I mean the clean client from Nexon)? Is there any way to bypass that check?
 
Skilled Illusionist
how about packed client (i mean the clean client from nexon), is there any way to bypass that check?
Check the libraries Nexon uses, you can use this approach on other libraries as well.
 
Junior Spellweaver
Check the libraries Nexon uses, you can use this approach on other libraries as well.

like the nmconew.DLL you used in this thread, right?
And I have a question about this:
Code:
void initializeMapleHook(){ HMODULE hModule = LoadLibraryA("nmconew2.dll");

nmconew2.dll is the original .dll file that you call back into from your new .dll?
 
Newbie Spellweaver
You would need to hook FindFirstFile because MapleStory detects it, and you would also need to hook one function of dinput8.dll in order to make the game load properly.

This method works with other DLLs as well, and you could even edit the DLL name inside the import section of the executable with a hex editor.

;)
Can anyone help me please, what function do we need to hook in dinput8.dll? How can I find it?
edit: nvm, I found it myself: the function we need to hook in dinput8.dll is DirectInput8Create. There are tools on the internet that can list all exported functions of a .dll file, and there is a tool to automatically generate a proxy DLL called "ProxyDLLMaker".
 