Load a dll using ASM edits to the runnable.

[mikethemak]

Been meaning to look into this for awhile, just never really had the chance. I know it's possible, but I don't exactly know how to do it. I have an old guide i found on my HD (from god knows how long ago), but i dont really understand how it declares the name of the dll to load in asm.


I'm not very good at asm, but i know "CALL DWORD PTR DS:[<&KERNEL32.LoadLibraryA>]" has something to do with loading the dll (for obvious reasons). But some more help and guidance with this would be nice. If you don't want it public, please pm me with help.

Code:

Part1.

PUSH 005E50FE
CALL DWORD PTR DS:[<&KERNEL32.LoadLibraryA>]
CMP EAX,0
JE 00000000
JMP 00574255
MOV DWORD PTR SS:[5E5178],EAX
MOV DWORD PTR SS:[5E517C],EDX
MOV DWORD PTR SS:[5E5180],ECX
CMP EAX,0
JNZ SHORT 005E515A(must be same line MOV EAX,DWORD PTR DS:[5E5178] is on the second 1)
MOV EAX,DWORD PTR DS:[5E5178]
MOV EDX,DWORD PTR SS:[5E517C]
MOV ECX,DWORD PTR SS:[5E5180]
SUB ESP,4
RETN 4
MOV EAX,DWORD PTR DS:[5E5178]
MOV EDX,DWORD PTR SS:[5E517C]
MOV ECX,DWORD PTR SS:[5E5180]
SUB ESP,248
JMP 0042A306
 
Part2.
go to:
0042A300

JMP 005E5123 (same line as first MOV DWORD PTR SS:[5E5178],EAX is on)
NOP
MOV EAX,DWORD PTR DS:[6569F0]

Thanks in advance,
~Mike

[MentaL]

[randy1234]

i needed that also.. :p

[monckey100]

this is something i have also been wording, i looked it up and i had similar results to what you have posted.

[Linear88]

This will not work on Vista.

[Mark]

Code:

PUSH 005E50FE
CALL DWORD PTR DS:[5E6168]
CMP EAX,0
JE 00000000
JMP 00574255

To do this, your client's entrypoint should be modified to the address where PUSH 005E50FE is located.

PUSH 005E50FE - This line is the line that "lets you choose the name of the dll". At 005E50FE, right click, choose Binary>Edit. Then in the ASCII box, type the name of your DLL. After that, go to the bottom box with the hex, and add a 00 to the end.

CALL DWORD PTR DS:[5E6168] - This loads the dll. (Shows as CALL DWORD PTR DS:[<&KERNEL32.LoadLibraryA>])

CMP EAX,0 - If EAX is 0, the dll hasn't been loaded, so...

JE 00000000 - if it is 0, then jump to 00000000, which will cause a crash.

JMP 00574255 - At last, jump back to the old entrypoint.

I'm not sure about the vista compatibility, but I've tested it on one of my laptops (Which uses Vista) and it worked fine.

[mikethemak]

Code:

PUSH 005E50FE
CALL DWORD PTR DS:[<&KERNEL32.LoadLibraryA>]
CMP EAX,0
JE 00000000
JMP 00574255

To do this, your client's entrypoint should be modified to the address where PUSH 005E50FE is located.

PUSH 005E50FE - This line is the line that "lets you choose the name of the dll". At 005E50FE, right click, choose Binary>Edit. Then in the ASCII box, type the name of your DLL. After that, go to the bottom box with the hex, and add a 00 to the end.

CALL DWORD PTR DS:[<&KERNEL32.LoadLibraryA>] - This loads the dll.

CMP EAX,0 - If EAX is 0, the dll hasn't been loaded, so...

JE 00000000 - if it is 0, then jump to 00000000, which will cause a crash.

JMP 00574255 - At last, jump back to the old entrypoint.

I'm not sure about the vista compatibility, but I've tested it on one of my laptops (Which uses Vista) and it worked fine.

To be honest, I'm really bad with asm stuff. Entrypoint, how exactly do i go about modifying that, and what is it? And will it effect anything else in the runnable?

CMP thing, does it need to be something different? Or should it remain that way?

JE it will only crash if the dll doesnt load?

JMP again with entry points :\.

[monckey100]

Code:

PUSH 005E50FE
CALL DWORD PTR DS:[<&KERNEL32.LoadLibraryA>]
CMP EAX,0
JE 00000000
JMP 00574255

To do this, your client's entrypoint should be modified to the address where PUSH 005E50FE is located.

PUSH 005E50FE - This line is the line that "lets you choose the name of the dll". At 005E50FE, right click, choose Binary>Edit. Then in the ASCII box, type the name of your DLL. After that, go to the bottom box with the hex, and add a 00 to the end.

CALL DWORD PTR DS:[<&KERNEL32.LoadLibraryA>] - This loads the dll.

CMP EAX,0 - If EAX is 0, the dll hasn't been loaded, so...

JE 00000000 - if it is 0, then jump to 00000000, which will cause a crash.

JMP 00574255 - At last, jump back to the old entrypoint.

I'm not sure about the vista compatibility, but I've tested it on one of my laptops (Which uses Vista) and it worked fine.

Thanks mate this totally helped.
if any one needs any help on what he said feel free to email me XD

[mikethemak]

Thanks mate this totally helped.
if any one needs any help on what he said feel free to email me XD

Pm'd you.

[mikethemak]

Bump. I get syntrax error when imputting

Code:

CALL DWORD PTR DS:[<&KERNEL32.LoadLibraryA>]

Why?

[Mark]

Ah - That should be CALL DWORD PTR DS:[5E6168] - Ill edit my above post.

[mikethemak]

Ok I got everything done, the only thing I don't know how to do is modify the entrypoint. Can you please explain that? Sorry for asking so many questions :\. I tried finding some help on google, but without much luck.



Edit:


I just went to test it. I can log in fine, create a room, do whatever. But the gravity/speed mod does not work (probably cause I dont know how to change the entrypoint), and when I press enter in the lobby (to talk) the client crashes (idk why.)

[wowus]

Use CFF Explorer:
http://www.ntcore.com/exsuite.php

1. Make sure your dll is exporting a function. Just make a function called "Arglebargle" with the dllexport declspec, and you should be good to go.

2. Click "Import Adder" after opening up gunz.exe with it. Click "Add", select the dll you want to import.

3. Select your exported function and click "Import by ordinal".

4. Click "Rebuild Import Table".

5. Save and close.

6. Test it out!

[mikethemak]

Use CFF Explorer:
http://www.ntcore.com/exsuite.php

1. Make sure your dll is exporting a function. Just make a function called "Arglebargle" with the dllexport declspec, and you should be good to go.

2. Click "Import Adder" after opening up gunz.exe with it. Click "Add", select the dll you want to import.

3. Select your exported function and click "Import by ordinal".

4. Click "Rebuild Import Table".

5. Save and close.

6. Test it out!

Hoping to do it through asm, but I tried this anyways. I'm using a premade gravity dll, and when I try to import it, it says there no export table. I'm not much of a c++/c# coder, so I can't do much about that :\

[Mark]

Ok I got everything done, the only thing I don't know how to do is modify the entrypoint. Can you please explain that? Sorry for asking so many questions :\. I tried finding some help on google, but without much luck.



Edit:


I just went to test it. I can log in fine, create a room, do whatever. But the gravity/speed mod does not work (probably cause I dont know how to change the entrypoint), and when I press enter in the lobby (to talk) the client crashes (idk why.)

You can use PE Explorer to change the EP or use a hex editor, if you want to do it manually.

[mikethemak]

You can use PE Explorer to change the EP or use a hex editor, if you want to do it manually.

I have both, but I'm not exactly sure on how to do it. I will try to find a guide on google, but if you could, could you post more detail? Sorry for asking so many questions lol, trying to learn :x

[wowus]

Hoping to do it through asm, but I tried this anyways. I'm using a premade gravity dll, and when I try to import it, it says there no export table. I'm not much of a c++/c# coder, so I can't do much about that :\

Learn to step 1.

[mikethemak]

Hoping to do it through asm, but I tried this anyways. I'm using a premade gravity dll, and when I try to import it, it says there no export table. I'm not much of a c++/c# coder, so I can't do much about that :\

Learn to step 1.

Hence why I'm trying to do it in asm.

[wowus]

Hence why I'm trying to do it in asm.

AHAHA

CFF Explorer just does the asm for you. You want to do it the hard way, fine.

Add your dll to the IAT. That's how to do it. Hell if I can give you more detailed instructions. Google it.

[mikethemak]

I think i figured it out already. But the server i test on is down, so i cant test it.