Easy DLL injection

QuasarDonkey
Code Analyst
Posts: 433
Joined: Tue Jul 26, 2011 8:29 pm
Location: Ireland


Post by QuasarDonkey »

After a little talk with flocke, I went over my old notes. Here's how I inject code into trek.exe:
  • Make a DLL called "injected.dll". It doesn't need any exported functions, just DllMain.
  • Then use this trek.exe patch:

Code:

NAME: DLL Injection
DESC: Injects a DLL named "injected.dll".
AUTHOR: QuasarDonkey
# DLL name (injected.dll)
>> 0x173ed0  43 61 6e 6e 6f 74 20 66 69 6e 64 20 74
<< 0x173ed0  69 6e 6a 65 63 74 65 64 2e 64 6c 6c 00
# Overwrite CD check code with code to load DLL.
>> 0x0480  53 51 52 56 57 55 81 EC 00 06 00 00 68
<< 0x0480  68 D0 60 57 00 E8 4C 21 17 00 33 C0 C3
# Make sure No-CD patch doesn't disable this DLL code:
>> 0x1362  E8 19 F1 FF FF
<< 0x1362  E8 19 F1 FF FF

Once the DLL loads, you can then dynamically patch Trek.exe from DllMain.

The only caveat is that you can't overwrite some code in trek.exe's WinMain function, since that's where we load the DLL from (Main_CheckCD actually).

Here's how the patch works in case you're wondering:

First overwrite the NoCD string (5760D0 / 0x173ed0) with the DLL name: "injected.dll\0". The CD-checking code is overwritten with this:

Code:

00401080     68 D0605700    PUSH trek.005760D0    ; "injected.dll"
00401085     E8 4C211700    CALL <JMP.&KERNEL32.LoadLibraryA>
0040108A     33C0           XOR EAX,EAX
0040108C     C3             RETN

There's plenty of room in that subroutine to inject even more DLLs, but I doubt it would be necessary.
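The patch format used in the post (a `>>` line giving the bytes that must already be present at an offset, then a `<<` line giving the bytes that replace them) lends itself to a verify-before-write patcher. What follows is an added example, not code from the post or from any Trek modding tool: it parses that format, refuses to touch a file whose bytes do not match the `>>` expectations (a different build, or a trek.exe that was already patched), and decodes the rel32 displacement of the two CALLs the patch depends on, so you can confirm that the untouched `E8 19 F1 FF FF` at 0x1362 still lands on 0x401080 and see where the new CALL at 0x401085 goes. The demo image is constructed (zeros plus the expected bytes at the three offsets), and TEXT_DELTA, the distance between file offset 0x0480 and virtual address 0x401080, is inferred from the post rather than read from the PE section table.

```python
# Added example: verify-then-apply patcher for the '>>' / '<<' format in the post,
# plus a rel32 decoder to sanity-check the CALL targets. Not code from the post;
# PATCH_TEXT is copied from it, the demo image is constructed, TEXT_DELTA is inferred.
import re
from dataclasses import dataclass

PATCH_TEXT = """\
NAME: DLL Injection
DESC: Injects a DLL named "injected.dll".
AUTHOR: QuasarDonkey
# DLL name (injected.dll)
>> 0x173ed0  43 61 6e 6e 6f 74 20 66 69 6e 64 20 74
<< 0x173ed0  69 6e 6a 65 63 74 65 64 2e 64 6c 6c 00
# Overwrite CD check code with code to load DLL.
>> 0x0480  53 51 52 56 57 55 81 EC 00 06 00 00 68
<< 0x0480  68 D0 60 57 00 E8 4C 21 17 00 33 C0 C3
# Make sure No-CD patch doesn't disable this DLL code:
>> 0x1362  E8 19 F1 FF FF
<< 0x1362  E8 19 F1 FF FF
"""

# File-offset -> virtual-address delta for the code section, inferred (assumption) from
# the post pairing file offset 0x0480 with VA 0x401080; a real tool reads the PE headers.
TEXT_DELTA = 0x401080 - 0x0480


@dataclass
class Hunk:
    offset: int     # file offset
    expect: bytes   # bytes that must be present (the ">>" line)
    replace: bytes  # bytes to write (the "<<" line)


HUNK_RE = re.compile(r"^(>>|<<)\s+0x([0-9A-Fa-f]+)\s+((?:[0-9A-Fa-f]{2}\s*)+)$")


def parse_patch(text):
    """Return (metadata dict, list of Hunk) from the NAME/DESC/AUTHOR + >>/<< format."""
    meta, hunks, pending = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HUNK_RE.match(line)
        if m is None:                       # header line such as "AUTHOR: ..."
            key, _, value = line.partition(":")
            meta[key.strip()] = value.strip()
            continue
        kind, off, data = m.group(1), int(m.group(2), 16), bytes.fromhex(m.group(3))
        if kind == ">>":
            if pending is not None:
                raise ValueError(f"'>>' at 0x{pending[0]:x} has no '<<'")
            pending = (off, data)
        else:
            if pending is None or pending[0] != off or len(pending[1]) != len(data):
                raise ValueError(f"'<<' at 0x{off:x} does not pair with a '>>'")
            hunks.append(Hunk(off, pending[1], data))
            pending = None
    if pending is not None:
        raise ValueError(f"'>>' at 0x{pending[0]:x} has no '<<'")
    return meta, hunks


def patch_applies(image, hunks):
    """True only if every '>>' expectation matches; a wrong build or an already-patched file fails."""
    return all(image[h.offset:h.offset + len(h.expect)] == h.expect for h in hunks)


def apply_patch(image, hunks):
    """Return a patched copy, or raise before writing anything if an expectation fails."""
    if not patch_applies(image, hunks):
        raise ValueError("file does not match the patch's expected bytes")
    out = bytearray(image)
    for h in hunks:
        out[h.offset:h.offset + len(h.replace)] = h.replace
    return bytes(out)


def rel32_target(va, insn):
    """Decode the target of a 5-byte E8 CALL / E9 JMP rel32 located at virtual address va."""
    if len(insn) != 5 or insn[0] not in (0xE8, 0xE9):
        raise ValueError("not a CALL/JMP rel32")
    disp = int.from_bytes(insn[1:5], "little", signed=True)
    return (va + 5 + disp) & 0xFFFFFFFF


def build_demo_image():
    """Constructed stand-in for trek.exe: zeros with the '>>' bytes placed at the patch offsets."""
    _, hunks = parse_patch(PATCH_TEXT)
    img = bytearray(0x174000)
    for h in hunks:
        img[h.offset:h.offset + len(h.expect)] = h.expect
    return bytes(img)


def demo():
    """Apply the post's patch to the demo image and decode the two CALLs it relies on."""
    meta, hunks = parse_patch(PATCH_TEXT)
    patched = apply_patch(build_demo_image(), hunks)
    dll_name = patched[0x173ED0:0x173ED0 + 13]
    # New CALL at VA 0x401085 (file offset 0x0485), bytes E8 4C 21 17 00.
    loadlib_call = rel32_target(0x401085, patched[0x0485:0x048A])
    # CALL deliberately kept at file offset 0x1362: it must still target the patched 0x401080.
    cdcheck_call = rel32_target(0x1362 + TEXT_DELTA, patched[0x1362:0x1367])
    return meta["NAME"], dll_name, loadlib_call, cdcheck_call


if __name__ == "__main__":
    name, dll_name, loadlib_call, cdcheck_call = demo()
    print(name, dll_name, hex(loadlib_call), hex(cdcheck_call))
```

To run it against a real file, replace build_demo_image() with the bytes of the executable; because the string hunk no longer matches once the name has been overwritten, patch_applies() returns False on a file that was already patched, which is the refusal you want from a patcher that might be run twice.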