I have a gs 1.00.18 and I want to hook two .dll files with a procedure; how do I do that?
Greetings.
You simply jump to the second hook instead of the entry point on the first hook.
I do not understand, could you give me an example?
Thanks.
push dll1
some code here
jmp offset of push dll2
push dll2
some code here
jmp entry point
Because of the structures within and the protocol, if both DLLs have protocol hooking they will not work.
Ok.
The method used to hook the DLL1 is:
PUSH (offset dll)
LoadLibraryA
OR eax, eax
JE (EntryPoint)
PUSH (offset dll function)
PUSH EAX
GetProcAddress
CALL EAX
JMP (EntryPoint)
Then I open PE Explorer and enter PUSH DLL, ok.
Now, to hook DLL 2, what do I have to do?
Greetings, thank you very much!
Change JMP (EntryPoint) to JMP (offset of PUSH (offset dll2))
and dll2 will be like this:
PUSH (offset dll2)
LoadLibraryA
OR eax, eax
JE (EntryPoint)
PUSH (offset dll function)
PUSH EAX
GetProcAddress
CALL EAX
JMP (EntryPoint)
Code:
008F3C60 . 43 75 73 74 6F>  ASCII "CustomsAddon.dll"
008F3C70 . 00               ASCII 0
008F3C71   00               DB 00
008F3C72   00               DB 00
008F3C73   00               DB 00
008F3C74   00               DB 00
008F3C75   00               DB 00
008F3C76   00               DB 00
008F3C77   00               DB 00
008F3C78 > 68 603C8F00      PUSH main.008F3C60                               ; /FileName = "CustomsAddon.dll"
008F3C7D . FF15 18428F00    CALL DWORD PTR DS:[<&KERNEL32.LoadLibraryA>]     ; \LoadLibraryA
008F3C83 . 55               PUSH EBP
008F3C84 . 8BEC             MOV EBP,ESP
008F3C86 . 6A FF            PUSH -1
008F3C88 . EB 22            JMP SHORT main.008F3CAC
008F3C8A   00               DD 00
008F3C8E   00               DB 00
008F3C8F   00               DB 00
008F3C90   00               DB 00
008F3C91   00               DB 00
008F3C92   00               DB 00
008F3C93   00               DB 00
008F3C94   00               DB 00
008F3C95   00               DB 00
008F3C96   00               DB 00
008F3C97   00               DB 00
008F3C98   00               DB 00
008F3C99   00               DB 00
008F3C9A   00               DB 00
008F3C9B   00               DB 00
008F3C9C   00               DB 00
008F3C9D   00               DB 00
008F3C9E . 33 64 2E 64 6C>  ASCII "3d.dll",0
008F3CA5   00               DB 00
008F3CA6   00               DB 00
008F3CA7   00               DB 00
008F3CA8   00               DB 00
008F3CA9   00               DB 00
008F3CAA   00               DB 00
008F3CAB   00               DB 00
008F3CAC > 68 9E3C8F00      PUSH main.008F3C9E                               ; /FileName = "3d.dll"
008F3CB1 . FF15 18428F00    CALL DWORD PTR DS:[<&KERNEL32.LoadLibraryA>]     ; \LoadLibraryA
008F3CB7 .^E9 957DFDFF      JMP main.008CBA51
This is an example.
Last edited by duracel; 19-04-11 at 11:53 PM.
I cannot make it work -_-
It cannot be. I leave the source here for you to look at.
Code:
005E5D29   00               DB 00
005E5D2A   00               DB 00
005E5D2B   00               DB 00
005E5D2C   00               DB 00
005E5D2D . 4D 4D 54 2E 64>  ASCII "MMT.dll",0
005E5D35   00               DB 00
005E5D36   00               DB 00
005E5D37   00               DB 00
005E5D38   00               DB 00
005E5D39   00               DB 00
005E5D3A   00               DB 00
005E5D3B   00               DB 00
005E5D3C   00               DB 00
005E5D3D . 49 6E 69 63 69>  ASCII "Inicio",0
005E5D44   00               DB 00
005E5D45   00               DB 00
005E5D46   00               DB 00
005E5D47   00               DB 00
005E5D48   00               DB 00
005E5D49   00               DB 00
005E5D4A   00               DB 00
005E5D4B   00               DB 00
005E5D4C   00               DB 00
005E5D4D > $ 68 2D5D5E00    PUSH GameServ.005E5D2D                           ; /FileName = "MMT.dll"
005E5D52 . FF15 F4BC8C0C    CALL DWORD PTR DS:[<&KERNEL32.LoadLibrar>        ; \LoadLibraryA
005E5D58 . 09C0             OR EAX,EAX
005E5D5A .^0F84 3552FBFF    JE GameServ.0059AF95
005E5D60 . 68 3D5D5E00      PUSH GameServ.005E5D3D                           ; /ProcNameOrOrdinal = "Inicio"
005E5D65 . 50               PUSH EAX                                         ; |hModule
005E5D66 . FF15 F0BC8C0C    CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd>        ; \GetProcAddress
005E5D6C . FFD0             CALL EAX
005E5D6E . EB 28            JMP SHORT GameServ.005E5D98
005E5D70   90               NOP
005E5D71   90               NOP
005E5D72   90               NOP
005E5D73   00               DB 00
005E5D74   00               DB 00
005E5D75   00               DB 00
005E5D76   00               DB 00
005E5D77   00               DB 00
005E5D78   00               DB 00
005E5D79   00               DB 00
005E5D7A   00               DB 00
005E5D7B   00               DB 00
005E5D7C . 43 75 73 74 6F>  ASCII "Custom.dll",0
005E5D87   00               DB 00
005E5D88   00               DB 00
005E5D89   00               DB 00
005E5D8A   00               DB 00
005E5D8B . 63 61 72 67 61>  ASCII "cargadll",0
005E5D94   00               DB 00
005E5D95   00               DB 00
005E5D96   00               DB 00
005E5D97   00               DB 00
005E5D98 > 68 7C5D5E00      PUSH GameServ.005E5D7C                           ; /FileName = "Custom.dll"
005E5D9D . FF15 F4BC8C0C    CALL DWORD PTR DS:[<&KERNEL32.LoadLibrar>        ; \LoadLibraryA
005E5DA3 . 09C0             OR EAX,EAX
005E5DA5 .^0F84 EA51FBFF    JE GameServ.0059AF95
005E5DAB . 68 8B5D5E00      PUSH GameServ.005E5D8B                           ; /ProcNameOrOrdinal = "cargadll"
005E5DB0 . 50               PUSH EAX                                         ; |hModule
005E5DB1 . FF15 F0BC8C0C    CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd>        ; \GetProcAddress
005E5DB7 . FFD0             CALL EAX
005E5DB9 .^E9 D751FBFF      JMP GameServ.0059AF95
005E5DBE   00               DB 00
005E5DBF   00               DB 00
005E5DC0   00               DB 00
005E5DC1   00               DB 00
005E5DC2   00               DB 00
005E5DC3   00               DB 00
005E5DC4   00               DB 00
005E5DC5   00               DB 00
PS: Once the .dll is hooked, do I have to run it through PE Explorer?
If so, with the offset of which dll, the first or the second?
Thanks, sorry for my language.
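As an added illustration (not code from any participant in this thread), the following Python script parses the kind of entry-point stub shown in the dump above: it finds each PUSH name / CALL [LoadLibraryA] sequence, reads the DLL name and the export name passed to GetProcAddress, records where the OR EAX,EAX / JE falls back to when the load fails, and follows the JMP chain from the patched entry point until it reaches an address that is not a stub, which is the original entry point. This is the check a reviewer would run to list what a patched binary will load before it reaches its own code. The byte buffer is reconstructed from the dump posted above (base 005E5D29, import thunks 0C8CBCF4 and 0C8CBCF0 as labelled there); the function names and the thunk table are my own assumptions, not anything from the thread.

```python
"""Parse an x86 entry-point hook chain of the LoadLibraryA/GetProcAddress kind.

Added illustration, not code from the thread. Assumes the stub layout shown in
the posted OllyDbg dump:
    PUSH name / CALL [LoadLibraryA] / OR EAX,EAX / JE oep /
    PUSH proc / PUSH EAX / CALL [GetProcAddress] / CALL EAX / JMP next
"""
import struct

# Base VA of the reconstructed buffer and the two import thunks, as labelled in the dump.
BASE = 0x005E5D29
IMPORTS = {0x0C8CBCF4: "LoadLibraryA", 0x0C8CBCF0: "GetProcAddress"}  # thunk VA -> import name


def _build_sample():
    """Rebuild the posted dump as raw bytes (constructed from the thread's listing)."""
    buf = bytearray(0x005E5DC6 - BASE)

    def put(va, data):
        buf[va - BASE:va - BASE + len(data)] = data

    put(0x005E5D2D, b"MMT.dll\0")
    put(0x005E5D3D, b"Inicio\0")
    put(0x005E5D4D, bytes.fromhex("682D5D5E00" "FF15F4BC8C0C" "09C0" "0F843552FBFF"
                                  "683D5D5E00" "50" "FF15F0BC8C0C" "FFD0" "EB28" "909090"))
    put(0x005E5D7C, b"Custom.dll\0")
    put(0x005E5D8B, b"cargadll\0")
    put(0x005E5D98, bytes.fromhex("687C5D5E00" "FF15F4BC8C0C" "09C0" "0F84EA51FBFF"
                                  "688B5D5E00" "50" "FF15F0BC8C0C" "FFD0" "E9D751FBFF"))
    return bytes(buf)


CODE = _build_sample()


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _cstring(code, base, va, limit=64):
    """Read a NUL-terminated ASCII string at VA, or None if it is outside the buffer."""
    off = va - base
    if not 0 <= off < len(code):
        return None
    end = code.find(b"\0", off, off + limit)
    if end < 0:
        return None
    try:
        return code[off:end].decode("ascii")
    except UnicodeDecodeError:
        return None


def _find_jump(code, base, start, end):
    """Target VA of the first unconditional JMP (EB rel8 or E9 rel32) at or after offset start."""
    j = start
    while j < end:
        if code[j] == 0xEB and j + 2 <= len(code):
            return (base + j + 2 + struct.unpack_from("<b", code, j + 1)[0]) & 0xFFFFFFFF
        if code[j] == 0xE9 and j + 5 <= len(code):
            return (base + j + 5 + struct.unpack_from("<i", code, j + 1)[0]) & 0xFFFFFFFF
        j += 1
    return None


def find_loader_stubs(code, base, imports):
    """One record per 'PUSH imm32; CALL [LoadLibraryA]' stub, with the names it resolves."""
    stubs, i = [], 0
    while i + 11 <= len(code):
        # 68 imm32 = PUSH imm32 ; FF 15 imm32 = CALL DWORD PTR [imm32]
        if code[i] == 0x68 and code[i + 5:i + 7] == b"\xff\x15" \
                and imports.get(_u32(code, i + 7)) == "LoadLibraryA":
            rec = {"at": base + i, "dll": _cstring(code, base, _u32(code, i + 1)),
                   "proc": None, "on_fail": None, "jump_to": None}
            # 09 C0 0F 84 rel32 = OR EAX,EAX ; JE rel32 (taken when LoadLibraryA returned NULL)
            if code[i + 11:i + 15] == b"\x09\xc0\x0f\x84" and i + 19 <= len(code):
                rec["on_fail"] = (base + i + 19 + struct.unpack_from("<i", code, i + 15)[0]) & 0xFFFFFFFF
            j, end = i + 11, min(len(code), i + 11 + 48)
            while j + 12 <= end:
                # 68 imm32 / 50 / FF 15 imm32 = PUSH name ; PUSH EAX ; CALL [GetProcAddress]
                if code[j] == 0x68 and code[j + 5] == 0x50 and code[j + 6:j + 8] == b"\xff\x15" \
                        and imports.get(_u32(code, j + 8)) == "GetProcAddress":
                    rec["proc"] = _cstring(code, base, _u32(code, j + 1))
                    j += 12
                    break
                j += 1
            rec["jump_to"] = _find_jump(code, base, j, end)
            stubs.append(rec)
            i = j
        else:
            i += 1
    return stubs


def walk_chain(stubs, entry_va):
    """Follow JMPs from entry_va through the stubs; returns (loaded 'dll!proc' list, original entry VA)."""
    by_va = {s["at"]: s for s in stubs}
    loaded, va, seen = [], entry_va, set()
    while va in by_va and va not in seen:
        seen.add(va)
        loaded.append(f"{by_va[va]['dll']}!{by_va[va]['proc']}")
        va = by_va[va]["jump_to"]
    return loaded, va


if __name__ == "__main__":
    found = find_loader_stubs(CODE, BASE, IMPORTS)
    for s in found:
        print(f"{s['at']:08X}: {s['dll']}!{s['proc']}  on_fail={s['on_fail']:08X}  next={s['jump_to']:08X}")
    print(walk_chain(found, 0x005E5D4D))
```

On the posted dump this reports two stubs (MMT.dll!Inicio at 005E5D4D, Custom.dll!cargadll at 005E5D98) and a chain that ends at 0059AF95, the original entry point. Two things are worth noticing in the result. Both JE targets are also 0059AF95, so if MMT.dll fails to load the stub skips straight to the original code and Custom.dll is never loaded, which is one reason a "second hook does nothing" symptom can look like a patching mistake when it is really a missing or non-loadable first DLL. In a real check the base address, the entry point and the import thunk addresses would be read from the PE headers and import directory (for example with the pefile module) rather than typed in as they are here.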
Try making dll2 like this:
Code:
PUSH GameServ.005E5D7C                           ; /FileName = "Custom.dll"
CALL DWORD PTR DS:[<&KERNEL32.LoadLibrar>        ; \LoadLibraryA
PUSH GameServ.005E5D8B                           ; /ProcNameOrOrdinal = "cargadll"
PUSH EAX                                         ; |hModule
CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd>        ; \GetProcAddress
CALL EAX
JMP GameServ.0059AF95
Ok, thanks, I am going to finish it. (And it does not work T_T)
Must we change the entry point to DLL2 in PE Explorer? Or should we leave it at DLL1?
Leave it at dll1.
Ok duracel thanks for everything!