mitch92 (How do I cheat?)
Reputation: 0
Joined: 07 Dec 2016, Posts: 2
Posted: Sat Dec 10, 2016 11:48 pm, Post subject: Overwriting a function?

Hi! I am really a noob about all this hacking stuff. There is a program I want to try to hack. The program uses a DLL library to execute one of its functions and I am hoping to "overwrite" that function with my own. I cannot just create another dummy DLL with my own function to overwrite theirs, because the program detects if the DLL file is modified in any way before loading it.
The function I want to replace takes in a string parameter and then outputs a string as the result. I want to modify the string output with mine.
I tried creating my own function in a DLL, injecting the DLL, overwriting the first line of the subroutine of the original function with a call to the "fake function", and the second line of the original subroutine with a ret to prevent the original function from running at all. However, it does not work.
ulysse31 (Master Cheater)
Reputation: 2
Joined: 19 Mar 2015, Posts: 324, Location: Paris
Posted: Sun Dec 11, 2016 4:22 am

Is the string an HWID?
Have you tried loading the DLL in OllyDbg, hooking the function which your program calls so that it jumps to a memory page with free space already present in your DLL, writing your stuff there, then returning to the usual execution flow and saving the modified DLL?
That's how I proceeded; I'd be very surprised if that didn't work.
atom0s (Moderator)
Reputation: 205
Joined: 25 Jan 2006, Posts: 8587, Location: 127.0.0.1
Posted: Sun Dec 11, 2016 8:25 pm

There are a few methods you could use to get around this.
1. Determine how the parent application detects changes to the DLL and bypass that. This would be the easier method if the detection is weak and easily bypassed.
2. Inject a new DLL and hook the original DLL's functions. You can do this a number of ways to ensure that your hook is working and being handled properly.
If you have issues hooking at the right time, simply hook the parent application instead. Either find and hook where the DLL's function is called, or hook LoadLibrary and monitor for when the DLL is loaded. When it is being loaded, allow it to load normally, then load and run your own code as needed after it loads the original DLL.
_________________
- Retired.
mitch92 (How do I cheat?)
Reputation: 0
Joined: 07 Dec 2016, Posts: 2
Posted: Wed Dec 14, 2016 6:12 am

Hi! Thanks for the reply! Sorry, I am still not getting it. Currently what I did is:
I coded my own DLL with a function that takes in a string and returns another string that I wanted.
I then injected the DLL into the process and intercepted the calls to the original function like this in Auto Assemble:
Code:
OrginalDll.OrginalFunc:          // first instruction of the original function is overwritten
call MyOwnDll.MyOwnFunc          // jump into the injected DLL's replacement
ret                              // return to the caller without running the original body

Is this hooking already? And no, it is not an HWID string.
I tried doing this but I THINK (not for sure) I cannot seem to get it to pass the string parameter into my function.
panraven (Grandmaster Cheater)
Reputation: 62
Joined: 01 Oct 2008, Posts: 960
Posted: Wed Dec 14, 2016 7:38 am

"The function I want to replace takes in a string parameter and then outputs a string as the result. I want to modify the string output with mine. "
"replace" or hijack(?) the output?
In the hijack case:
Code:
(input parameters) => original function => eax/rax holds the output string
your function: modify the content that eax/rax points to

Maybe this in CE AA, if I haven't misunderstood:
(the 64-bit case will be more complex; this is 32-bit)
Code:
OrginalDll.OrginalFunc:
jmp YourCave          // 5 bytes, plus whatever is left of the instruction it splits
nop....               // the overwritten original bytes are replayed by readmem below
returnHere:
...

YourCave:
// rotate the stack so the return address sits below the arguments:
// [ret][a1][a2][a3] -> [a1][a2][a3][ret]  (ebp is used as scratch and restored)
xchg ebp,[esp]
xchg ebp,[esp+0c]
xchg ebp,[esp+08]     // this depends on how many parameters are on the stack;
xchg ebp,[esp+04]     // this is for the case of 3 input parameters on the stack
xchg ebp,[esp]
push @f               // the original function now "returns" to @@ instead of to the caller
readmem(OrginalDll.OrginalFunc,5+??)   // replay the original bytes the jmp overwrote
jmp returnHere
@@:
// undo the rotation: [a1][a2][a3][ret] -> [ret][a1][a2][a3]
xchg ebp,[esp]        // not needed with callee clean-up (the callee already popped the args)
xchg ebp,[esp+04]
xchg ebp,[esp+08]
xchg ebp,[esp+0c]     // restore the stack for caller clean-up
xchg ebp,[esp]
push eax              // input parameter is the output of the original function???
call MyOwnDll.MyOwnFunc   // assumes MyOwnFunc pops its own argument (stdcall); otherwise add esp,4 before ret
ret

Basically, manipulate the stack before entering the original function so that it jumps to your function after the original function returns.
Should not work for recursive functions (or ones that have closure capture?).
bye~
_________________
- Retarded.
atom0s (Moderator)
Reputation: 205
Joined: 25 Jan 2006, Posts: 8587, Location: 127.0.0.1
Posted: Wed Dec 14, 2016 6:08 pm

mitch92 wrote:
> Hi! Thanks for the reply! Sorry, I am still not getting it. Currently what I did is:
> I coded my own DLL with a function that takes in a string and returns another string that I wanted.
> I then injected the DLL into the process and intercepted the calls to the original function like this in Auto Assemble:
> Code:
> OrginalDll.OrginalFunc:
> call MyOwnDll.MyOwnFunc
> ret
>
> Is this hooking already? And no, it is not an HWID string.
> I tried doing this but I THINK (not for sure) I cannot seem to get it to pass the string parameter into my function.
In a way yes, but it's not the best way to go about things. Something you need to keep in mind is that when you force another function to call something else, you are accountable for ensuring the stack is properly aligned and things are being returned properly to prevent over/underflows or misalignments.
Rather than use Cheat Engine to place a call/jump, just do it all in your personal DLL. There are many freely available hooking libraries out there to help with this exact purpose. You can use something well known such as Detours from Microsoft or an open source library called MinHook, or use any of the hundreds of other iterations of basically the same code.
_________________
- Retired.
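Every approach in this thread plants a call or jmp over the first instruction of the target function, which is exactly what an integrity check on the loaded module can look for. The following is an added example, not code from any poster: a portable C check that compares a function's prologue bytes against a trusted copy and decodes the destination of a rel32 call/jmp found at the entry. The load address and all byte sequences are constructed sample data; in a real Windows check the live bytes would be read from the mapped module and the reference from the file on disk.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* What was found at the function entry point. */
typedef enum { HOOK_NONE, HOOK_CALL_REL32, HOOK_JMP_REL32, HOOK_OTHER } hook_kind;
typedef struct {
    hook_kind kind;
    size_t first_diff;   /* offset of the first byte that differs from the reference */
    uintptr_t target;    /* decoded call/jmp destination, 0 if none */
} hook_report;

/* Compare the first n bytes of a function (loaded at func_addr, bytes in `live`)
 * with a trusted copy `ref` of the same bytes. A hook placed the way this thread
 * describes (call/jmp written over the first instruction) differs at offset 0 and
 * starts with 0xE8 (call rel32) or 0xE9 (jmp rel32); the rel32 is relative to
 * the end of that 5-byte instruction, so the destination can be recovered. */
hook_report inspect_prologue(uintptr_t func_addr, const uint8_t *live,
                             const uint8_t *ref, size_t n)
{
    hook_report r = { HOOK_NONE, n, 0 };
    for (size_t i = 0; i < n; i++)
        if (live[i] != ref[i]) { r.first_diff = i; break; }
    if (r.first_diff == n)
        return r;                         /* byte-identical: nothing planted */
    r.kind = HOOK_OTHER;                  /* modified, but not a plain rel32 branch */
    if (n >= 5 && (live[0] == 0xE8 || live[0] == 0xE9)) {
        int32_t rel;
        memcpy(&rel, live + 1, sizeof rel);   /* little-endian, possibly unaligned */
        r.kind = (live[0] == 0xE8) ? HOOK_CALL_REL32 : HOOK_JMP_REL32;
        r.target = func_addr + 5 + (uintptr_t)(intptr_t)rel;
    }
    return r;
}

/* Constructed sample bytes (hypothetical, not from any real binary): a common 32-bit
 * prologue (push ebp; mov ebp,esp; sub esp,10; push esi; push edi), the same 8 bytes
 * after a "call MyOwnFunc / ret" patch, and after a "jmp YourCave" patch padded with nops. */
#define SAMPLE_FUNC_ADDR 0x10001000u
const uint8_t sample_ref[8]  = {0x55,0x8B,0xEC,0x83,0xEC,0x10,0x56,0x57};
const uint8_t sample_call[8] = {0xE8,0xFB,0x3F,0x00,0x10,0xC3,0x56,0x57};
const uint8_t sample_jmp[8]  = {0xE9,0xFB,0x7F,0x00,0x00,0x90,0x90,0x90};

/* Run the check on one of the sample entry points. */
hook_report check_sample(const uint8_t *live)
{
    return inspect_prologue(SAMPLE_FUNC_ADDR, live, sample_ref, sizeof sample_ref);
}
```

For the sample data, `check_sample(sample_call)` reports a call to 0x20005000 and `check_sample(sample_jmp)` a jmp to 0x10009000, both with the first difference at offset 0.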