h4c0r-BG, Master Cheater (Reputation: 0; Joined: 29 Nov 2006; Posts: 449; Location: The yogurt country)
Posted: Tue Jun 17, 2008 4:38 pm, Post subject: [Delphi] Help -> dll handle & patch byte @ specific o
So I am creating a dll in Delphi which should do the following:
1. It will be injected manually in a process
2. It will get a handle of a specific dll already loaded in the process
3. It will patch some bytes in the victim dll
How can I get a handle of the victim dll and patch a byte at a specific offset?
I could simply do the following......
Start new project >> select to be a dll file
between begin/end. insert the following line:
| Code: |
begin
  asm
    mov byte ptr [$10001234],$90 // I've just noped something
  end;
end.
|
And when I inject it in the process, if the victim dll has loaded at base address "1000", the patching will succeed.
My problem is that the victim dll always loads at a different position in memory (for example "00F51234"); how can I get a handle of it then?
Thanks, all of you!
lurc, Grandmaster Cheater Supreme (Reputation: 2; Joined: 13 Nov 2006; Posts: 1900)
h4c0r-BG, Master Cheater (Reputation: 0; Joined: 29 Nov 2006; Posts: 449; Location: The yogurt country)
Posted: Tue Jun 17, 2008 5:08 pm
Thank you lurc, this gave me a big hint!
Later I should search for something like your example in Delphi.
But here comes another question. Even if I get "where" the victim dll was loaded "this time", how can I write my "special byte"?
I think I will not be able to use asm, or am I wrong?
lurc, Grandmaster Cheater Supreme (Reputation: 2; Joined: 13 Nov 2006; Posts: 1900)
Posted: Tue Jun 17, 2008 5:40 pm
If you inject a DLL into the process containing the module, you will be able to use inline asm; otherwise you'll have to use an API like WriteProcessMemory.
HalfPrime, Grandmaster Cheater (Reputation: 0; Joined: 12 Mar 2008; Posts: 532; Location: Right there...On your monitor)
Posted: Tue Jun 17, 2008 6:03 pm
Once you get where it was loaded, you could do
| Code: |
(BYTE*)(modulebaseaddy+theoffset) = Whatyouwantthebytetobe;
|
Dark Byte, Site Admin (Reputation: 472; Joined: 09 May 2003; Posts: 25871; Location: The netherlands)
Posted: Tue Jun 17, 2008 6:40 pm
Don't forget VirtualProtect to make the memory writable.
Also, I think it should be this:
| Code: |
(BYTE*)(modulebaseaddy+theoffset)^ := Whatyouwantthebytetobe;
|
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
HalfPrime, Grandmaster Cheater (Reputation: 0; Joined: 12 Mar 2008; Posts: 532; Location: Right there...On your monitor)
Posted: Tue Jun 17, 2008 6:54 pm
The ^ would XOR it. In C++, at least.
samuri25404, Grandmaster Cheater (Reputation: 7; Joined: 04 May 2007; Posts: 955; Location: Why do you care?)
Posted: Tue Jun 17, 2008 7:56 pm
| HalfPrime wrote: |
The ^ would XOR it. In C++, at least.
|
That's C++; we're talking Delphi.
In Delphi, ^ is pointer stuff, I believe. Though, wouldn't it be
| Code: |
(PBYTE)(base + offset)^ := whatever
|
or
| Code: |
(BYTE^)(base + offset)^ := whatever
|
?
I'm a bit rusty, so forgive me if I'm off.
rapion124, Grandmaster Cheater Supreme (Reputation: 0; Joined: 25 Mar 2007; Posts: 1095)
Posted: Tue Jun 17, 2008 8:49 pm
Just do it in C++. Delphi isn't good with this kind of stuff.
| Code: |
*(BYTE *)(dwModuleAddy + dwOffset) = 0x90;
|
Change "DWORD *" to whatever your size is and make appropriate changes to "0x90."
Dark Byte, Site Admin (Reputation: 472; Joined: 09 May 2003; Posts: 25871; Location: The netherlands)
Posted: Tue Jun 17, 2008 9:25 pm
Yes, I read it wrong; this is the best way:
| Code: |
PBYTE(base + offset)^ := whatever;
|
tombana, Master Cheater (Reputation: 2; Joined: 14 Jun 2007; Posts: 456; Location: The Netherlands)
Posted: Wed Jun 18, 2008 2:33 am
To get the module base address of the victim dll:
| Code: |
GetModuleHandle('NameOfDll.dll')
|
If you don't know the name of the dll, then do what lurc said.
h4c0r-BG, Master Cheater (Reputation: 0; Joined: 29 Nov 2006; Posts: 449; Location: The yogurt country)
Posted: Wed Jun 18, 2008 8:23 am
So far 50% of the entire job is done. I've got the following source:
| Quote: |
library Project2;

uses
  // SysUtils,
  // Classes,
  windows;

{$R *.res}

var
  i : integer;

begin
  i := 0;
  messagebox(0,'injecting dll...','blahahaha',0);
  GetModuleHandle('victim.dll');
  i := GetModuleHandle('victim.dll');
  if i = 0 then
  begin
    messagebox(0,'seems that he handle of (victim.dll) was not made...','blahahaha',0)
  end
  else
  begin
    messagebox(0,'WOOOHOOOO ..... GOT HANDLE OF THE DLL!   ','blahahaha',0);
    // here I need the code to write the byte '$90' to offset '$1234' in my "victim.dll"
  end;
end.
|
I've tried the following line and it obviously did not work:
| Code: |
mov byte ptr [$1234],$90
|
==========================
I've looked at your suggestions and started looking for the following text in google: "PBYTE(base + offset)^ delphi"
I've seen some examples but they were not very helpful to me... seems that I am missing some knowledge.
At least I've stopped at the following website:
http://www.delphihelp.org/catch_dll_functions_calling.html
There is the following example:
| Quote: |
function MakePtr(base: Dword; Offset: DWORD): Pointer;
begin
  Result := Pointer(Base + Offset);
end;
|
And I am still wondering how to use this method which I searched for in google. Seems I need a raw example (copy/pasteable) so I could understand it to its full.
HalfPrime, Grandmaster Cheater (Reputation: 0; Joined: 12 Mar 2008; Posts: 532; Location: Right there...On your monitor)
Posted: Wed Jun 18, 2008 10:44 am
| Code: |
baseaddy += 1234;
mov byte ptr [$baseaddy],$90
|
h4c0r-BG, Master Cheater (Reputation: 0; Joined: 29 Nov 2006; Posts: 449; Location: The yogurt country)
Posted: Wed Jun 18, 2008 1:20 pm
Well, I think I am 80% ready now. I just need the rights to write memory, because VirtualProtectEx returns false and I get the following error when the dll tries to write the patched memory...
The source:
| Quote: |
library Project2;

uses
  // SysUtils,
  // Classes,
  windows;

{$R *.res}

var
  i : integer;
  u : bool;
  dwModuleHandle : dword;
  hProcess : THandle;
  //ProcessID:cardinal;
  rights : dword;

const
  PatchAddy1 = $00474A42;

begin
  i := 0;
  messagebox(0,'injecting dll...','blahahaha',0);
  GetModuleHandle('opengl32.dll');
  i := GetModuleHandle('opengl32.dll');
  if i = 0 then
  begin
    messagebox(0,'seems that he handle of (opengl32.dll) was not made...','blahahaha',0)
  end
  else
  begin
    messagebox(0,'WOOOHOOOO ..... GOT HANDLE OF THE DLL!','blahahaha',0);
    dwModuleHandle := GetModuleHandle('opengl32.dll');
    hProcess := OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwModuleHandle);
    VirtualProtectEx(hProcess, ptr(dwModuleHandle + ($1279)),sizeof(Patchaddy1),PAGE_EXECUTE_READWRITE,@Rights);
    u := VirtualProtectEx(hProcess, ptr(dwModuleHandle + ($1279)),sizeof(Patchaddy1),PAGE_EXECUTE_READWRITE,@Rights);
    if u = false then messagebox(0,'VirtualProtectEx did not succeed..','blahahaha',0);
    PBYTE(dwModuleHandle + ($1279))^ := $90;
  end;
end.
|
Where is my mistake?
Dark Byte, Site Admin (Reputation: 472; Joined: 09 May 2003; Posts: 25871; Location: The netherlands)
Posted: Wed Jun 18, 2008 1:43 pm
Remove this line; it's causing a horrible bug in your code:
| Code: |
hProcess := OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwModuleHandle);
|
(and not only because hProcess is fed a boolean; I wonder why it even compiled)
Remove the Ex from VirtualProtectEx and remove the hProcess.
This code will work:
| Code: |
dwModuleHandle := GetModuleHandle('opengl32.dll');
u := VirtualProtect(PBYTE(dwModuleHandle + $1279), 1, PAGE_EXECUTE_READWRITE, Rights);
if not u then messagebox(0,'VirtualProtectEx did not succeed..','blahahaha',0);
PBYTE(dwModuleHandle + $1279)^ := $90;
VirtualProtect(PBYTE(dwModuleHandle + $1279), 1, Rights, Rights);
|
And are you sure about offset $1279 ?
----------------------------
Or your whole code written in a more readable state:
| Code: |
var
  address: pbyte;
  u: boolean;
  dwModuleHandle: dword;
  Rights: dword;
begin
  dwModuleHandle := GetModuleHandle('opengl32.dll');
  if dwModuleHandle <> 0 then   // GetModuleHandle returns 0 when the module is not loaded
  begin
    address := PBYTE(dwModuleHandle + $1279);
    u := VirtualProtect(address, 1, PAGE_EXECUTE_READWRITE, Rights);
    if not u then messagebox(0,'VirtualProtect did not succeed..','blahahaha',0);
    address^ := $90;
    VirtualProtect(address, 1, Rights, Rights);   // put the original page protection back
  end else messagebox(0,'seems that he handle of (opengl32.dll) was not made...','blahahaha',0)
end;
|
Last edited by Dark Byte on Wed Jun 18, 2008 4:19 pm; edited 1 time in total
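The thread ends with a one-byte write at GetModuleHandle(...) + offset after the loader has placed the module at whatever base it got. The added example below, which is not code from this thread or from Cheat Engine, shows the defender's side of that: a small integrity check that finds such a patch by comparing a module's code section as it sits in memory against the on-disk image. The part a naive comparison gets wrong is relocation: when a module does not get its preferred base (exactly the situation h4c0r-BG describes), the loader rewrites every absolute address listed in the relocation table, so those bytes legitimately differ from the file. The check therefore reconstructs the expected in-memory bytes first and only then diffs. All inputs are constructed: a 17-byte hand-assembled x86 section, a preferred base of 0x10000000, a load address of 0x00F50000 and two relocation slots; nothing here reads a real PE file or a live process.

```python
import struct

# Constructed values for this example (not from the thread): the base the
# module was linked for and the RVA of its code section.
PREFERRED_BASE = 0x10000000
SECTION_RVA = 0x1000
# Section offsets 4 and 11 hold 32-bit absolute addresses, so their RVAs would
# appear in the module's relocation table (IMAGE_REL_BASED_HIGHLOW fixups).
RELOC_RVAS = (SECTION_RVA + 4, SECTION_RVA + 11)


def build_disk_section() -> bytes:
    """Constructed code section as it sits in the file on disk (linked for
    PREFERRED_BASE). Two instructions embed absolute addresses."""
    code = bytearray()
    code += b"\x55"                                                # push ebp
    code += b"\x8b\xec"                                            # mov ebp, esp
    code += b"\xa1" + struct.pack("<I", PREFERRED_BASE + 0x3000)  # mov eax, [abs32]
    code += b"\x74\x05"                                            # je short +5
    code += b"\xb8" + struct.pack("<I", PREFERRED_BASE + 0x3010)  # mov eax, imm32
    code += b"\x5d\xc3"                                            # pop ebp; ret
    return bytes(code)


def rebase(section: bytes, reloc_rvas, actual_base: int) -> bytes:
    """Reproduce what the loader does when the module cannot get its preferred
    base: add (actual - preferred) to every absolute address in the reloc table."""
    delta = actual_base - PREFERRED_BASE
    out = bytearray(section)
    for rva in reloc_rvas:
        off = rva - SECTION_RVA
        (value,) = struct.unpack_from("<I", out, off)
        struct.pack_into("<I", out, off, (value + delta) & 0xFFFFFFFF)
    return bytes(out)


def naive_diff(disk: bytes, mem: bytes):
    """Plain byte-for-byte comparison. It flags relocated addresses as changes,
    which is the false positive an integrity check has to avoid."""
    return [(SECTION_RVA + i, d, m) for i, (d, m) in enumerate(zip(disk, mem)) if d != m]


def find_patches(disk: bytes, mem: bytes, reloc_rvas, actual_base: int):
    """Return (rva, expected_byte, actual_byte) for every byte of the in-memory
    section that differs from what the loader would have produced from the
    on-disk image: real patches, with relocation differences filtered out."""
    if len(disk) != len(mem):
        raise ValueError("section sizes differ")
    expected = rebase(disk, reloc_rvas, actual_base)
    return naive_diff(expected, mem)


def demo():
    """Simulate the thread's scenario: the module lands at a different base
    than it was linked for, and one code byte is overwritten with 0x90."""
    disk = build_disk_section()
    actual_base = 0x00F50000                      # constructed load address
    mem = bytearray(rebase(disk, RELOC_RVAS, actual_base))
    patched_rva = SECTION_RVA + 8                 # the 'je' opcode (0x74)
    mem[patched_rva - SECTION_RVA] = 0x90         # the write the thread ends with
    return {
        "naive": naive_diff(disk, bytes(mem)),
        "patches": find_patches(disk, bytes(mem), RELOC_RVAS, actual_base),
    }


if __name__ == "__main__":
    result = demo()
    print("naive diff flags", len(result["naive"]), "bytes")
    for rva, expected, actual in result["patches"]:
        print(f"patch at RVA {rva:#06x}: {expected:#04x} -> {actual:#04x}")
```

On a real module the three inputs (section bytes from the file, relocation RVAs from the .reloc directory, the same range read from the live process) come from a PE parser and a memory read; the comparison logic stays as above. The naive diff reports five bytes here, four of which are only the rebased halves of the two absolute addresses; the relocation-aware check reports the single byte that was actually patched.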