Need help calling an imported function from within the DLL.

Memory scanning, code injection, debugger internals and other game-modding related discussion
gir489
RCE Fanatics
Posts: 288
Joined: Mon May 08, 2017 4:08 am
Reputation: 33

Need help calling an imported function from within the DLL.

Post by gir489 » Fri Jan 19, 2018 3:06 pm

So, I'm trying to call GetKeyState inside the DLL, since it's part of the import address table at FC3_d3d11.dll+1AA43DD.

I assembled a CALL ds:11AA43DD instruction with IDA's assembler, and it looks fine, but when I load it up with Cheat Engine, it gets a random offset each time.

I noticed that other locations that call it, usually have FF 15 00000000, with the 4 0s populated by the location of the IAT function during instantiation. FF 15 is a call exact.

So how can I get my injected code cave to update the address when the DLL is loaded? I'm basically doing this so I don't have to load Cheat Engine every time I play FC3, because I just want my code to be there already when I start the game.

Blayde
Expert Cheater
Posts: 229
Joined: Fri Aug 25, 2017 2:37 pm
Reputation: 41

Re: Need help calling an imported function from within the DLL.

Post by Blayde » Fri Jan 19, 2018 7:26 pm


gir489

Re: Need help calling an imported function from within the DLL.

Post by gir489 » Fri Jan 19, 2018 7:36 pm

That's for C++. I need ASM, and it's internalized to the same DLL. I'm guessing the IAT also has a location of a bunch of places in memory it needs to update the DLL for with the new FF15 XXXXXXXX locations. That article is just abusing GetProcAddress, which if I could call that from User32, I'd just call GetKeyState instead and there'd be no problem.
Last edited by gir489 on Fri Jan 19, 2018 7:50 pm, edited 1 time in total.

Blayde

Re: Need help calling an imported function from within the DLL.

Post by Blayde » Fri Jan 19, 2018 7:46 pm

gir489 wrote:
Fri Jan 19, 2018 7:36 pm
.....I'm guessing the IAT also has a location of a bunch of places in memory .....
It's just abusing GetProcAddress, which if I could call that from User32, I'd just call GetKeyState instead and there'd be no problem.
Still learning, but what you need is EAT instead of IAT.
Sorry for the bad explanation

gir489

Re: Need help calling an imported function from within the DLL.

Post by gir489 » Fri Jan 19, 2018 7:52 pm

Blayde wrote:
Fri Jan 19, 2018 7:46 pm
gir489 wrote:
Fri Jan 19, 2018 7:36 pm
.....I'm guessing the IAT also has a location of a bunch of places in memory .....
It's just abusing GetProcAddress, which if I could call that from User32, I'd just call GetKeyState instead and there'd be no problem.
Still learning, but what you need is EAT instead of IAT.
Sorry for the bad explanation
I'm making a code cave inside the same DLL. So, FC3_d3d11.dll already imports GetKeyState, and I want to call it. If I just put CALL GetKeyState into the Assembler, it crashes, because it needs an absolute address to do a call far. To fix this, Microsoft introduced the Import Address Table, so the runtime figures out where GetKeyState is going to be in memory, and puts that into a pointer, which is at FC3_d3d11.dll+1AA43DD. My problem is, when I do a CALL DWORD PTR [FC3_d3d11.dll+1AA3DD], it works for only that runtime. When I load it up again, that address is invalid. I need to make it so that my code cave address is always valid.

Blayde

Re: Need help calling an imported function from within the DLL.

Post by Blayde » Fri Jan 19, 2018 8:01 pm

For example purposes only: If you're loading a dll dynamically and calling something from it, the function you're calling will have no entry in your module's IAT. It will however be present in its own DLL's EAT.

Edit:
I'm not sure, but what about aob (inside your code) to find the address/pointer, register symbol etc?

gir489

Re: Need help calling an imported function from within the DLL.

Post by gir489 » Fri Jan 19, 2018 9:31 pm

I figured out I could abuse EIP as a landing point to figure out where to get the IAT address.

Here's the code cave:

Code:

FC3_d3d11.dll+130F3CA - 81 FF 00000010        - cmp edi,FC3_d3d11.RunGame+2FB300 { [2C0D8311] }
FC3_d3d11.dll+130F3D0 - 7E 3B                 - jle FC3_d3d11.dll+130F40D
FC3_d3d11.dll+130F3D2 - 81 FF 00000020        - cmp edi,20000000 { 536870912 }
FC3_d3d11.dll+130F3D8 - 7D 33                 - jnl FC3_d3d11.dll+130F40D
FC3_d3d11.dll+130F3DA - 83 FB 01              - cmp ebx,01 { 1 }
FC3_d3d11.dll+130F3DD - 74 2E                 - je FC3_d3d11.dll+130F40D
FC3_d3d11.dll+130F3DF - 52                    - push edx
FC3_d3d11.dll+130F3E0 - 50                    - push eax
FC3_d3d11.dll+130F3E1 - 6A 06                 - push 06 { 6 }
FC3_d3d11.dll+130F3E3 - E8 30000000           - call FC3_d3d11.dll+130F418
FC3_d3d11.dll+130F3E8 - FF 92 F4B31900        - call dword ptr [edx+0019B3F4]
FC3_d3d11.dll+130F3EE - 66 C1 E8 0F           - shr ax,0F { 15 }
FC3_d3d11.dll+130F3F2 - 66 3D 0100            - cmp ax,0001 { 1 }
FC3_d3d11.dll+130F3F6 - 58                    - pop eax
FC3_d3d11.dll+130F3F7 - 5A                    - pop edx
FC3_d3d11.dll+130F3F8 - 74 13                 - je FC3_d3d11.dll+130F40D
FC3_d3d11.dll+130F3FA - 83 B8 CC000000 01     - cmp dword ptr [eax+000000CC],01 { 1 }
FC3_d3d11.dll+130F401 - 7F 0A                 - jg FC3_d3d11.dll+130F40D
FC3_d3d11.dll+130F403 - C7 80 CC000000 01000000 - mov [eax+000000CC],00000001 { 1 }
FC3_d3d11.dll+130F40D - 8B 80 CC000000        - mov eax,[eax+000000CC]
FC3_d3d11.dll+130F413 - E9 8E6110FF           - jmp FC3_d3d11.RunGame+4108A6
FC3_d3d11.dll+130F418 - 8B 14 24              - mov edx,[esp]
FC3_d3d11.dll+130F41B - C3                    - ret
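
Added example, not code from this thread, from gir489's cave or from the game: it constructs a minimal PE32 image in memory (test data, not a loadable DLL), walks its import directory to find the IAT slot RVA of an imported function the way the loader or an analyst would (the "module+XXXXXXXX" value that stays valid across loads), and then contrasts the FF 15 absolute form from the first post with the E8 / mov edx,[esp] / ret / FF 92 form used in the cave above, showing that the latter resolves to the same slot at any load address. The DLL and function names, the RVAs 0x1000 and 0x2000, and the two load addresses are constructed assumptions; the header offsets and opcodes are the documented PE32 and x86 encodings.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_ORDINAL_FLAG32 = 0x80000000

def _cstr(image, rva):
    """Read a NUL-terminated ASCII string at an RVA of a mapped image."""
    return image[rva:image.index(b"\0", rva)].decode("ascii")

def build_test_image(imports, idata_rva=0x1000):
    """Constructed test data (not a loadable DLL): a minimal PE32 image laid
    out as if mapped (RVA == offset) whose only content is an import directory.
    `imports` is a list of (dll_name, [function names])."""
    data = bytearray()

    def add(blob, align=1):
        while (idata_rva + len(data)) % align:
            data.append(0)
        rva = idata_rva + len(data)
        data.extend(blob)
        return rva

    desc_rva = add(bytes(20 * (len(imports) + 1)), 4)   # descriptors + null terminator
    table = []
    for dll, funcs in imports:
        hints = [add(b"\0\0" + f.encode() + b"\0", 2) for f in funcs]  # WORD hint, name
        thunks = struct.pack("<%dI" % (len(funcs) + 1), *hints, 0)
        int_rva = add(thunks, 4)   # OriginalFirstThunk: keeps the names after load
        iat_rva = add(thunks, 4)   # FirstThunk: the loader overwrites these with addresses
        table.append((int_rva, add(dll.encode() + b"\0"), iat_rva))
    for i, (int_rva, name_rva, iat_rva) in enumerate(table):
        struct.pack_into("<5I", data, desc_rva - idata_rva + 20 * i,
                         int_rva, 0, 0, name_rva, iat_rva)

    hdr = bytearray(idata_rva)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 0)   # Machine = i386, no section headers
    struct.pack_into("<H", hdr, 0x54, 0xE0)        # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", hdr, 0x58, 0x10B)       # Magic = PE32
    struct.pack_into("<II", hdr, 0x58 + 0x60 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT,
                     idata_rva, len(data))         # import directory RVA and size
    return bytes(hdr + data)

def find_iat_slot(image, dll_name, func_name):
    """Walk the import directory of a mapped PE32 image and return the RVA of
    the IAT slot the loader fills in for dll_name!func_name (None if absent)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    assert image[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    opt = e_lfanew + 4 + 20                         # IMAGE_OPTIONAL_HEADER32
    assert struct.unpack_from("<H", image, opt)[0] == 0x10B
    desc = struct.unpack_from("<I", image, opt + 0x60 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", image, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            return None                             # all-zero descriptor ends the table
        if _cstr(image, name_rva).lower() == dll_name.lower():
            lookup = oft or ft                      # no INT: unpatched IAT still holds names
            for i in range(4096):                   # hard cap as a sanity check
                thunk = struct.unpack_from("<I", image, lookup + 4 * i)[0]
                if thunk == 0:
                    break
                if not thunk & IMAGE_ORDINAL_FLAG32 and _cstr(image, thunk + 2) == func_name:
                    return ft + 4 * i
        desc += 20

def encode_absolute_call(base, slot_rva):
    """FF 15 imm32 = CALL DWORD PTR [absolute]. Correct only for the base it was
    assembled at, which is why the hand-assembled call broke on the next load."""
    return b"\xFF\x15" + struct.pack("<I", base + slot_rva)

def encode_cave_call(cave_rva, slot_rva):
    """Base-independent form used in the cave above: E8 rel32 to a stub that does
    mov edx,[esp]; ret, so EDX holds the return address, then FF 92 disp32 =
    CALL DWORD PTR [EDX+disp32]. Both operands are differences of RVAs."""
    ret_rva = cave_rva + 5                  # return address pushed by the E8 call
    stub_rva = ret_rva + 6                  # stub placed right after the FF 92 call
    code = b"\xE8" + struct.pack("<i", stub_rva - ret_rva)
    code += b"\xFF\x92" + struct.pack("<i", slot_rva - ret_rva)
    return code + b"\x8B\x14\x24\xC3"       # stub: mov edx,[esp] ; ret

def resolve_cave_slot(code, base, cave_rva):
    """Analyst-side check: decode the cave bytes and compute which address the
    FF 92 call dereferences when the module is loaded at `base`."""
    assert code[0] == 0xE8 and code[5:7] == b"\xFF\x92"
    rel32 = struct.unpack_from("<i", code, 1)[0]
    disp32 = struct.unpack_from("<i", code, 7)[0]
    assert code[5 + rel32:5 + rel32 + 4] == b"\x8B\x14\x24\xC3"   # the E8 must hit the stub
    edx = base + cave_rva + 5               # value mov edx,[esp] loads in the stub
    return edx + disp32

if __name__ == "__main__":
    img = build_test_image([("USER32.dll", ["GetKeyState", "GetAsyncKeyState"]),
                            ("KERNEL32.dll", ["GetProcAddress"])])
    slot = find_iat_slot(img, "user32.dll", "GetKeyState")
    cave = encode_cave_call(0x2000, slot)   # hypothetical cave RVA
    fixed = encode_absolute_call(0x10000000, slot)   # assembled at one hypothetical base
    for base in (0x10000000, 0x6F000000):   # two hypothetical load addresses
        print("base %08X: cave reads module+%X at %08X; FF 15 form still reads %08X" % (
            base, slot, resolve_cave_slot(cave, base, 0x2000), int.from_bytes(fixed[2:], "little")))
```

`find_iat_slot` is also the check to run before trusting any "module+offset" taken from a debugger: the slot RVA comes from the image's own import directory rather than from one observed run. `resolve_cave_slot` is the same decoding an analyst applies when meeting the E8 / 8B 14 24 / C3 get-EIP pattern in a module, to learn which import slot the code actually reaches.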

FreeER
RCE Fanatics
Posts: 142
Joined: Fri Mar 10, 2017 7:11 pm
Reputation: 14

Re: Need help calling an imported function from within the DLL.

Post by FreeER » Sat Jan 20, 2018 5:14 am

Hm, perhaps this would be, or have been, useful info https://guidedhacking.com/showthread.ph ... -Explained (of course instead of patching it you'd just copy the address to call it)
