Easy DLL injection
Posted: Sun Feb 09, 2014 2:55 pm
After a little talk with flocke, I went over my old notes. Here's how I inject code into trek.exe:
- Make a DLL called "injected.dll". It doesn't need any exported functions, just DllMain.
- Then use this trek.exe patch:

```
NAME: DLL Injection
DESC: Injects a DLL named "injected.dll".
AUTHOR: QuasarDonkey
# DLL name (injected.dll)
>> 0x173ed0 43 61 6e 6e 6f 74 20 66 69 6e 64 20 74
<< 0x173ed0 69 6e 6a 65 63 74 65 64 2e 64 6c 6c 00
# Overwrite CD check code with code to load DLL.
>> 0x0480 53 51 52 56 57 55 81 EC 00 06 00 00 68
<< 0x0480 68 D0 60 57 00 E8 4C 21 17 00 33 C0 C3
# Make sure No-CD patch doesn't disable this DLL code:
>> 0x1362 E8 19 F1 FF FF
<< 0x1362 E8 19 F1 FF FF
```

Once the DLL loads, you can then dynamically patch Trek.exe from DllMain.
The only caveat is that you can't overwrite some code in trek.exe's WinMain function, since that's where we load the DLL from (Main_CheckCD actually).
Here's how the patch works in case you're wondering:
First overwrite the NoCD string (5760D0 / 0x173ed0) with the DLL name: "injected.dll\0". The CD-checking code is overwritten with this:

```asm
00401080 68 D0605700 PUSH trek.005760D0 ; "injected.dll"
00401085 E8 4C211700 CALL <JMP.&KERNEL32.LoadLibraryA>
0040108A 33C0 XOR EAX,EAX
0040108C C3 RETN
```

There's plenty of room in that subroutine to inject even more DLLs, but I doubt it would be necessary.
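An added example, not part of the post and not a tool its author used: a small Python parser for the `>>`/`<<` patch format above, with the two checks you would want around such a patch. `apply_patch` refuses to write unless every `>>` byte run is still present (so it cannot be applied twice or to the wrong build), and `patch_state` classifies a copy of the executable as original, patched, or unknown (mixed or foreign bytes), which is how you would tell from the file alone whether this DLL-loading modification is in place. The sample patch text is the post's own three entries; the byte image it runs against is constructed, not a real trek.exe.

```python
import re

# Constructed sample in the post's own patch format: ">>" lines hold the bytes
# expected in the unmodified file, "<<" lines the replacement at the same offset.
SAMPLE_PATCH = """\
NAME: DLL Injection
>> 0x173ed0 43 61 6e 6e 6f 74 20 66 69 6e 64 20 74
<< 0x173ed0 69 6e 6a 65 63 74 65 64 2e 64 6c 6c 00
>> 0x0480 53 51 52 56 57 55 81 EC 00 06 00 00 68
<< 0x0480 68 D0 60 57 00 E8 4C 21 17 00 33 C0 C3
>> 0x1362 E8 19 F1 FF FF
<< 0x1362 E8 19 F1 FF FF
"""
ENTRY = re.compile(r"^(>>|<<)\s+0x([0-9a-fA-F]+)\s+((?:[0-9a-fA-F]{2}\s*)+)$")

def parse_patch(text):
    """Return [(offset, original_bytes, replacement_bytes), ...] from patch text."""
    entries, pending = [], {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:      # blank lines, '#' comments and NAME:/DESC:/AUTHOR: headers carry no bytes
            continue
        off, raw = int(m.group(2), 16), bytes.fromhex(m.group(3))
        if m.group(1) == ">>":
            pending[off] = raw
        elif off not in pending or len(pending[off]) != len(raw):
            raise ValueError(f"'<<' at 0x{off:x} lacks a '>>' of equal length")
        else:
            entries.append((off, pending.pop(off), raw))
    if pending:
        raise ValueError("unpaired '>>' entries: " + ", ".join(map(hex, pending)))
    return entries

def patch_state(data, entries):
    """Classify a file as 'original', 'patched' or 'unknown' (mixed or foreign bytes)."""
    seen = set()
    for off, orig, new in entries:
        cur = bytes(data[off:off + len(orig)])
        if cur != orig or cur != new:       # identical >>/<< lines are guards, not evidence
            seen.add("patched" if cur == new else "original" if cur == orig else "unknown")
    return seen.pop() if len(seen) == 1 else "unknown" if seen else "original"

def apply_patch(data, entries):
    """Return a patched copy; refuse unless every '>>' sequence is still present."""
    out = bytearray(data)
    for off, orig, new in entries:
        if bytes(out[off:off + len(orig)]) != orig:
            raise ValueError(f"bytes at 0x{off:x} are not the expected original")
        out[off:off + len(new)] = new
    return bytes(out)
```

The identical `>>`/`<<` pair at 0x1362 acts as a guard: it changes nothing, but the apply step fails if a No-CD patch has already replaced that call.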