Axiom Game Designer

I have started work on a scene designer for the Axiom 3D game engine. The project is open source and will stay open source. My intention is to keep it portable to Mono so that it is usable under Linux and Mac OS X as well, but if that limits the program's features or performance, the portability goal may be dropped.

The project is hosted on CodePlex at http://agd.codeplex.com/. At first it will be based on the TerrainSceneManager; once that produces acceptable output, support for the PagingLandscapeSceneManager will be added as well.

For more info take a look at the project’s page.

Gamers and game play data 2009

At the following address you can find some very interesting data about games and gamers; it is especially useful if you are about to start a new game development project:

http://www.theesa.com/facts/pdfs/ESA_EF_2009.pdf

Static DLL Injection

I am not sure the title fits what I am going to describe, but I have seen this technique referred to elsewhere as "Static DLL Injection".

What do we want to do?

I had a request from a customer who wanted a licensing scheme added to one of his programs. As he did not know exactly what he wanted, I examined the program, which had been written by someone else; neither I nor the customer was able to contact the original author to ask him to rebuild it with a licensing check.

So we started thinking about ways to wrap the program securely so that it only runs when the license check succeeds. After a while I recognized that the shortest way was to inject code into the original file that performs the license check, using the code cave method. But that raised a new problem: not enough space. There were not enough caves to fit all of my licensing code into the original program. So I had to inject a DLL and call a function from it instead, with the DLL containing the whole licensing procedure.

Code Injection

I am not going to reinvent the wheel. If you do not know the simple code cave injection method, refer to the tutorial linked here; it contains a very well written example of that method.

Once you have some experience with OllyDbg and the code cave method described in the link above, continue reading, and keep in mind that all changes here are made with OllyDbg.

What I want to describe here is loading a DLL and calling a function from inside it using that method.

My DLL was named "Project2.dll", a Win32 DLL written in Delphi, and the function was named "DllMessage". I started by changing the program's entry point to jump to my chosen cave. Just before the cave I entered two NUL-terminated ASCII strings, the name of the DLL and the name of the function:

005D6818 00 DB 00
005D6819 . 50 72 6F 6A 65> ASCII "Project2.dll",0
005D6826 00 DB 00
005D6827 . 44 6C 6C 4D 65> ASCII "DllMessage",0
005D6832 00 DB 00
005D6833 00 DB 00

Now, at the beginning of the cave, I want to call LoadLibrary to load my DLL. According to Microsoft's documentation this function takes one parameter, the DLL's file name. So PUSH the address of the DLL name and CALL LoadLibraryA. Since the name carries no path, Windows resolves it through the normal DLL search order, starting with the directory of the executable, so the DLL must be shipped next to the program (and anyone who can write to that directory can replace it):

005D6845 > 68 19685D00 PUSH sanjagha.005D6819 ; /FileName = "Project2.dll"
005D684A . E8 28B5227C CALL kernel32.LoadLibraryA ; \LoadLibraryA

We have to keep the returned value, the module handle, for later:

005D684F . 8BD8 MOV EBX,EAX

And check whether the DLL was loaded; if not, we jump to the program's exit point. LoadLibraryA returns NULL on failure, so TEST EBX,EBX followed by JE is the documented check. The CMP EBX,20 / JB pair used here also works, since no valid module handle is that small (32 is the old 16-bit HINSTANCE_ERROR limit), but it treats only handles below 0x20 as failures:

005D6851 . 83FB 20 CMP EBX,20
005D6854 .^0F82 5806F2FF JB sanjagha.004F6EB2

The address of the exit point (here 004F6EB2) differs for every program; you have to find it experimentally or by reading the program's disassembly. Sometimes OllyDbg finds it for you:

[screenshot: OllyDbg showing the program's exit point]

Now we have to get the procedure (or function) from the DLL by PUSHing its name and the module handle and calling GetProcAddress. The arguments are pushed right to left, so the name goes first and the handle last:

005D685A . 68 27685D00 PUSH sanjagha.005D6827 ; /ProcNameOrOrdinal = "DllMessage"
005D685F . 53 PUSH EBX ; |hModule
005D6860 . E8 3B45237C CALL kernel32.GetProcAddress ; \GetProcAddress

Again we save the returned value and check that the procedure was found. GetProcAddress returns NULL on failure, so the check is TEST followed by JE (the original listing had JB here, which would never be taken because TEST clears the carry flag):

005D6865 . 8BF8 MOV EDI,EAX
005D6867 . 8BF7 MOV ESI,EDI
005D6869 . 85FF TEST EDI,EDI
005D686B .^0F84 4106F2FF JE sanjagha.004F6EB2

And now we call the procedure from the DLL. Nothing is pushed before the call and nothing is cleaned up after it, so the function must take no parameters and leave the stack balanced on return. EBX, ESI and EDI are callee-saved in the Win32 ABI, so the handle in EBX survives the call:

005D6871 . FFD6 CALL ESI

At this point our procedure has run and the job is done, but we have to release the resources used by the DLL, so we call FreeLibrary with the module handle we kept in EBX (skip this step if the DLL must stay loaded, for example because it started a thread):

005D6873 . 53 PUSH EBX ; /hLibModule
005D6874 . E8 6543237C CALL kernel32.FreeLibrary ; \FreeLibrary

The whole code looks like:

[screenshot: the complete cave code in OllyDbg]

And do not forget to put back the instructions you overwrote at the program's entry point, and to end the cave with a JMP back to where the program continues. Any relative CALL or JMP among the displaced instructions has to be re-encoded for its new address, since its displacement was computed for the original location.
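As an added example that is not part of the original post, here is the same stub assembled in Python instead of typed into OllyDbg: it lays out the two strings, encodes each instruction, and computes every rel32 displacement from the end of the instruction, which is the part easiest to get wrong by hand. The cave, string and exit addresses are the ones in the listing above; the kernel32 addresses are decoded from the listing's CALL displacements and are only valid for the machine the post was written on; the resume address is an assumption. It uses TEST/JE for both NULL checks in place of the CMP/JB of the listing, and refuses to encode a target that is out of rel32 range.

```python
import struct

# Addresses from the OllyDbg listing in the post.
CAVE    = 0x005D6845   # first byte of the code cave
STRINGS = 0x005D6818   # guard zero byte preceding "Project2.dll"
EXIT    = 0x004F6EB2   # the program's exit point

# kernel32 exports decoded from the CALL displacements in the listing, e.g.
# 0x005D684A + 5 + 0x7C22B528 = 0x7C801D77. They are only valid for the
# kernel32 load address of the machine the post was written on.
API = {
    "LoadLibraryA":   0x7C801D77,
    "GetProcAddress": 0x7C80ADA0,
    "FreeLibrary":    0x7C80ABDE,
}

# Assumed: the address where the original program continues after the stub
# (the post does not show it).
RESUME = 0x004F5000


def place_strings(base_addr, names):
    """Lay out NUL-terminated ASCII strings the way the post does: a zero byte
    in front of each one, then the text, then its terminator.
    Returns (bytes to write at base_addr, {name: address of its first char})."""
    blob, addrs = bytearray(), {}
    for name in names:
        blob += b"\0"
        addrs[name] = base_addr + len(blob)
        blob += name.encode("ascii") + b"\0"
    return bytes(blob), addrs


def build_cave(cave_addr, dll_name_addr, proc_name_addr, api, exit_addr,
               resume_addr, displaced=b""):
    """Assemble the stub: LoadLibraryA -> GetProcAddress -> CALL -> FreeLibrary,
    then the displaced entry-point bytes and a JMP back.
    Returns (machine code, listing of (address, hex bytes, mnemonic))."""
    code, listing = bytearray(), []

    def emit(raw, text):
        listing.append((cave_addr + len(code), raw.hex().upper(), text))
        code.extend(raw)

    def emit_rel32(opcode, target, text):
        # CALL/JMP/Jcc rel32: the displacement is relative to the END of the
        # instruction, i.e. target - (address + opcode length + 4).
        insn_addr = cave_addr + len(code)
        disp = target - (insn_addr + len(opcode) + 4)
        if not -0x80000000 <= disp <= 0x7FFFFFFF:
            raise ValueError(f"{target:#010x} unreachable from {insn_addr:#010x}")
        emit(opcode + struct.pack("<i", disp), text)

    emit(b"\x68" + struct.pack("<I", dll_name_addr), "PUSH dll_name")
    emit_rel32(b"\xE8", api["LoadLibraryA"], "CALL kernel32.LoadLibraryA")
    emit(b"\x8B\xD8", "MOV EBX,EAX          ; hModule, callee-saved")
    emit(b"\x85\xDB", "TEST EBX,EBX         ; NULL on failure")
    emit_rel32(b"\x0F\x84", exit_addr, "JE exit")
    emit(b"\x68" + struct.pack("<I", proc_name_addr), "PUSH proc_name")
    emit(b"\x53", "PUSH EBX             ; hModule")
    emit_rel32(b"\xE8", api["GetProcAddress"], "CALL kernel32.GetProcAddress")
    emit(b"\x8B\xF0", "MOV ESI,EAX          ; function pointer")
    emit(b"\x85\xF6", "TEST ESI,ESI         ; NULL on failure")
    emit_rel32(b"\x0F\x84", exit_addr, "JE exit")
    emit(b"\xFF\xD6", "CALL ESI             ; no args, callee balances stack")
    emit(b"\x53", "PUSH EBX             ; hLibModule")
    emit_rel32(b"\xE8", api["FreeLibrary"], "CALL kernel32.FreeLibrary")
    if displaced:
        # Bytes overwritten at the original entry point. They must not contain
        # rel32 CALL/JMP/Jcc, since those would need re-encoding here.
        emit(bytes(displaced), "; displaced entry-point instructions")
    emit_rel32(b"\xE9", resume_addr, "JMP resume")
    return bytes(code), listing


def format_listing(listing):
    """Render the listing in the same shape as the OllyDbg dump in the post."""
    return "\n".join(f"{addr:08X}  {raw:<14} {text}" for addr, raw, text in listing)


if __name__ == "__main__":
    blob, addrs = place_strings(STRINGS, ["Project2.dll", "DllMessage"])
    stub, listing = build_cave(CAVE, addrs["Project2.dll"], addrs["DllMessage"],
                               API, EXIT, RESUME)
    print(format_listing(listing))
```

Running it prints a listing in the shape of the OllyDbg dump; the first ten bytes reproduce the PUSH/CALL pair at 005D6845 byte for byte. The two byte strings still have to be written into the file (with a hex editor or OllyDbg's copy-to-executable) and the entry point pointed at CAVE.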

Conclusion

The real job was somewhat more complicated. I searched for assembly code that calls a function from a DLL and found almost nothing, so I used some reverse engineering and worked out what I wanted. Thank God it is here now and everyone can use it!