Need help calling an imported function from within the DLL.

gir489

RCE Fanatics
Talents
May 8, 2017
#1
So, I'm trying to call GetKeyState inside the DLL, since it's part of the import address table at FC3_d3d11.dll+1AA43DD.

I assembled a CALL ds:11AA43DD instruction with IDA's assembler, and it looks fine, but when I load it up with Cheat Engine, it gets a random offset each time.

I noticed that other locations that call it usually have FF 15 00000000, with the four zero bytes populated by the location of the IAT function during instantiation. FF 15 is a call exact.

So how can I get my injected code cave to update the address when the DLL is loaded? I'm basically doing this so I don't have to load Cheat Engine every time I play FC3, because I just want my code to be there already when I start the game.
 

Blayde

Expert Cheater
Aug 25, 2017
#2
Maybe? https://www.codeproject.com/Tips/139349/Getting-the-address-of-a-function-in-a-DLL-loaded
 

gir489

RCE Fanatics
Talents
May 8, 2017
#3
That's for C++. I need ASM, and it's internalized to the same DLL. I'm guessing the IAT also has a location of a bunch of places in memory it needs to update the DLL for with the new FF15 XXXXXXXX locations. That article is just abusing GetProcAddress; if I could call that from User32, I'd just call GetKeyState instead and there'd be no problem.
 

Blayde

Expert Cheater
Aug 25, 2017
#4
gir489 said:
.....I'm guessing the IAT also has a location of a bunch of places in memory .....
It's just abusing GetProcAddress, which if I could call that from User32, I'd just call GetKeyState instead and there'd be no problem.
Still learning, but what you need is EAT instead of IAT.
Sorry for the bad explanation
 

gir489

RCE Fanatics
Talents
May 8, 2017
#5
Blayde said:
gir489 said:
.....I'm guessing the IAT also has a location of a bunch of places in memory .....
It's just abusing GetProcAddress, which if I could call that from User32, I'd just call GetKeyState instead and there'd be no problem.
Still learning, but what you need is EAT instead of IAT.
Sorry for the bad explanation
I'm making a codecave inside the same DLL. So, FC3_d3d11.dll already imports GetKeyState, and I want to call it. If I just put CALL GetKeyState into the Assembler, it crashes, because it needs an absolute address to do a call far. To fix this, Microsoft introduced the Import Address Table, so the runtime figures out where GetKeyState is going to be in memory, and puts that into a pointer, which is at FC3_d3d11.dll+1AA43DD. My problem is, when I do a CALL DWORD PTR [FC3_d3d11.dll+1AA3DD], it works for only that runtime. When I load it up again, that address is invalid. I need to make it so that my code cave address is always valid.
 

Blayde

Expert Cheater
Aug 25, 2017
#6
For example purposes only: If you're loading a dll dynamically and calling something from it, the function you're calling will have no entry in your module's IAT. It will however be present in its own DLL's EAT.

Edit:
I'm not sure, but what about an AOB (inside your code) to find the address/pointer, register symbol, etc.?
 

gir489

RCE Fanatics
Talents
May 8, 2017
#7
Blayde said:
For example purposes only: If you're loading a dll dynamically and calling something from it, the function you're calling will have no entry in your module's IAT. It will however be present in its own DLL's EAT.

Edit:
I'm not sure, but what about aob (inside your code) to find the address/pointer, register symbol etc?
I don't think you're understanding what I'm doing, but it's fine. I figured out I could just use EIP as a general-purpose landing point, and offset my call from there to the IAT.
Code:
call [eip+19B3F8]
works great.
 

gir489

RCE Fanatics
Talents
May 8, 2017
#8
I figured out I could abuse EIP as a landing point to figure out where to get the IAT address.

Here's the code cave:
Code:
FC3_d3d11.dll+130F3CA - 81 FF 00000010        - cmp edi,FC3_d3d11.RunGame+2FB300 { [2C0D8311] }
FC3_d3d11.dll+130F3D0 - 7E 3B                 - jle FC3_d3d11.dll+130F40D
FC3_d3d11.dll+130F3D2 - 81 FF 00000020        - cmp edi,20000000 { 536870912 }
FC3_d3d11.dll+130F3D8 - 7D 33                 - jnl FC3_d3d11.dll+130F40D
FC3_d3d11.dll+130F3DA - 83 FB 01              - cmp ebx,01 { 1 }
FC3_d3d11.dll+130F3DD - 74 2E                 - je FC3_d3d11.dll+130F40D
FC3_d3d11.dll+130F3DF - 52                    - push edx
FC3_d3d11.dll+130F3E0 - 50                    - push eax
FC3_d3d11.dll+130F3E1 - 6A 06                 - push 06 { 6 }
FC3_d3d11.dll+130F3E3 - E8 30000000           - call FC3_d3d11.dll+130F418
FC3_d3d11.dll+130F3E8 - FF 92 F4B31900        - call dword ptr [edx+0019B3F4]
FC3_d3d11.dll+130F3EE - 66 C1 E8 0F           - shr ax,0F { 15 }
FC3_d3d11.dll+130F3F2 - 66 3D 0100            - cmp ax,0001 { 1 }
FC3_d3d11.dll+130F3F6 - 58                    - pop eax
FC3_d3d11.dll+130F3F7 - 5A                    - pop edx
FC3_d3d11.dll+130F3F8 - 74 13                 - je FC3_d3d11.dll+130F40D
FC3_d3d11.dll+130F3FA - 83 B8 CC000000 01     - cmp dword ptr [eax+000000CC],01 { 1 }
FC3_d3d11.dll+130F401 - 7F 0A                 - jg FC3_d3d11.dll+130F40D
FC3_d3d11.dll+130F403 - C7 80 CC000000 01000000 - mov [eax+000000CC],00000001 { 1 }
FC3_d3d11.dll+130F40D - 8B 80 CC000000        - mov eax,[eax+000000CC]
FC3_d3d11.dll+130F413 - E9 8E6110FF           - jmp FC3_d3d11.RunGame+4108A6
FC3_d3d11.dll+130F418 - 8B 14 24              - mov edx,[esp]
FC3_d3d11.dll+130F41B - C3                    - ret
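Added example, not code from the thread. The listing in #8 works because 32-bit x86 has no EIP-relative addressing mode (only x86-64 has RIP-relative operands), so the cave fetches its own EIP through a `call` to a `mov edx,[esp]; ret` stub and then does `call dword ptr [edx+disp32]`. The Python below reproduces that encoding from the listing's RVAs (cave at 0x130F3E3, stub at 0x130F418; the IAT slot RVA 0x14AA7DC is derived as 0x130F3E8 + 0x19B3F4 and is not stated in the thread) and runs it, together with the absolute `FF 15 imm32` form from #1, through a toy executor at two invented image bases. It also shows what the loader's HIGHLOW base relocation would do to the absolute operand, which a hand-patched cave only gets if a relocation entry covers it. The image bases, the GetKeyState address and the executor are constructed for illustration.

```python
"""
Added example, not code from the thread: x86-32 encodings for calling through
an IAT slot from a code cave, plus a toy executor showing why the absolute
form (FF 15 imm32) only works at the image base it was assembled for while
the EIP-relative trick from post #8 survives rebasing (ASLR).
CAVE_RVA/STUB_RVA are read off the listing in post #8; IAT_SLOT_RVA is derived
(0x130F3E8 + 0x19B3F4); bases, GetKeyState's address and the executor are
invented.
"""
import struct
from typing import Optional

CAVE_RVA = 0x130F3E3            # where the E8 call sits in the listing
STUB_RVA = 0x130F418            # 'mov edx,[esp]; ret' helper in the listing
IAT_SLOT_RVA = 0x14AA7DC        # derived: RVA of the dword holding &GetKeyState
ASSEMBLED_BASE = 0x10000000     # invented base the absolute call was built for
GETKEYSTATE_VA = 0x75881234     # invented address of user32!GetKeyState
MASK32 = 0xFFFFFFFF


def encode_call_abs(iat_slot_va: int) -> bytes:
    """FF 15 imm32: call dword ptr [abs32]. The operand is a full VA, so the
    bytes are only right for one image base unless an IMAGE_REL_BASED_HIGHLOW
    relocation covers the imm32."""
    return b"\xff\x15" + struct.pack("<I", iat_slot_va & MASK32)


def relocate_abs_call(code: bytes, old_base: int, new_base: int) -> bytes:
    """What the loader does for a HIGHLOW relocation on the imm32 of FF 15:
    add the load delta. A hand-patched cave only gets this if a matching
    entry is added to the .reloc section."""
    (va,) = struct.unpack_from("<I", code, 2)
    return code[:2] + struct.pack("<I", (va + new_base - old_base) & MASK32)


def stub_bytes() -> bytes:
    """8B 14 24 C3: mov edx,[esp]; ret (leaves the return address in edx)."""
    return b"\x8b\x14\x24\xc3"


def encode_eip_relative_call(cave_rva: int, iat_slot_rva: int, stub_rva: int) -> bytes:
    """The trick from post #8: E8 rel32 calls the stub, which copies the return
    address (EIP after the E8) into edx; FF 92 disp32 then does
    call dword ptr [edx+disp32]. Both operands are RVA differences, so the
    encoding is identical at any image base."""
    after_call = cave_rva + 5                      # EIP once the E8 has executed
    rel32 = stub_rva - after_call
    disp32 = iat_slot_rva - after_call             # edx == after_call at runtime
    return b"\xe8" + struct.pack("<i", rel32) + b"\xff\x92" + struct.pack("<i", disp32)


def simulate(code: bytes, base: int, cave_rva: int, memory: dict) -> Optional[int]:
    """Toy executor for just the instruction forms above. `memory` maps a VA to
    the dword stored there (the IAT slot). Returns the resolved call target,
    or None when the dereference hits unmapped memory (an access violation
    on the real machine)."""
    eip = base + cave_rva
    edx = 0
    pos = 0
    while pos < len(code):
        op = code[pos]
        if op == 0xE8:                                  # call rel32 -> stub
            eip += 5
            edx = eip                                   # stub: mov edx,[esp]; ret
            pos += 5
        elif op == 0xFF and code[pos + 1] == 0x15:      # call dword ptr [abs32]
            (abs_va,) = struct.unpack_from("<I", code, pos + 2)
            return memory.get(abs_va)
        elif op == 0xFF and code[pos + 1] == 0x92:      # call dword ptr [edx+disp32]
            (disp,) = struct.unpack_from("<i", code, pos + 2)
            return memory.get((edx + disp) & MASK32)
        else:
            raise ValueError(f"unexpected opcode {op:#04x} at offset {pos}")
    return None


def run_at_base(base: int) -> tuple:
    """Map the constructed image at `base`, fill its IAT slot, and resolve the
    call target through (1) the absolute call as assembled, (2) the same
    bytes after a HIGHLOW relocation, (3) the EIP-relative form."""
    memory = {(base + IAT_SLOT_RVA) & MASK32: GETKEYSTATE_VA}
    abs_code = encode_call_abs(ASSEMBLED_BASE + IAT_SLOT_RVA)
    fixed = relocate_abs_call(abs_code, ASSEMBLED_BASE, base)
    rel_code = encode_eip_relative_call(CAVE_RVA, IAT_SLOT_RVA, STUB_RVA)
    return (simulate(abs_code, base, CAVE_RVA, memory),
            simulate(fixed, base, CAVE_RVA, memory),
            simulate(rel_code, base, CAVE_RVA, memory))


if __name__ == "__main__":
    print(encode_eip_relative_call(CAVE_RVA, IAT_SLOT_RVA, STUB_RVA).hex())
    for b in (ASSEMBLED_BASE, 0x6A400000):
        print(f"base {b:#010x}: (abs, relocated, eip-relative) =", run_at_base(b))
```

At the base the absolute call was assembled for, all three forms resolve the same target; at any other base the unrelocated `FF 15` reads an unmapped address, while the relocated copy and the EIP-relative encoding still land on the IAT slot. The encoder reproduces the listing's bytes `E8 30000000 FF 92 F4B31900` exactly.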
 

FreeER

RCE Fanatics
Talents
Mar 10, 2017
#9
Hm, perhaps this would be, or have been, useful info https://guidedhacking.com/showthread.php?4244-IAT-hook-Import-Address-Table-Hooking-Explained (of course instead of patching it you'd just copy the address to call it)
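Added example, not code from the thread or from the linked article. Whether you hook the IAT or just call through it, step one is locating the slot for the import you want (the thread does this by reading it off Cheat Engine at runtime). The Python below does it offline from the PE headers: it walks the import directory and returns the IAT slot RVA for each named import, so module base plus that RVA is the dword the `FF 15` or `call [edx+disp]` form dereferences. The PE it parses is constructed in `build_test_pe()` (one `.idata` section importing two USER32 functions, not a runnable binary); the DLL and function names are sample data.

```python
"""
Added example (not from the thread): find the IAT slot RVA of a named import
by walking a PE's import directory, on a constructed minimal PE32 image.
On disk each FirstThunk entry holds a hint/name RVA; at load time the loader
overwrites it with the resolved address, which is what a code cave reads.
"""
import struct


def build_test_pe() -> bytes:
    """Constructed minimal PE32: DOS stub, COFF + optional header, one .idata
    section importing GetKeyState and GetAsyncKeyState from USER32.dll."""
    SEC_RVA, SEC_RAW = 0x1000, 0x200
    idata = bytearray()

    def put(b: bytes) -> int:
        off = len(idata)
        idata.extend(b)
        return off

    desc_off = put(b"\0" * 40)                       # descriptor + null terminator
    dll_off = put(b"USER32.dll\0\0")                 # name, padded to keep 2-alignment
    hint_name_rvas = []
    for hint, name in enumerate((b"GetKeyState", b"GetAsyncKeyState")):
        if len(idata) % 2:
            put(b"\0")                               # IMAGE_IMPORT_BY_NAME is 2-aligned
        hint_name_rvas.append(SEC_RVA + put(struct.pack("<H", hint) + name + b"\0"))
    while len(idata) % 4:
        put(b"\0")
    thunks = b"".join(struct.pack("<I", r) for r in hint_name_rvas) + b"\0" * 4
    ilt_off = put(thunks)                            # OriginalFirstThunk (lookup table)
    iat_off = put(thunks)                            # FirstThunk: patched by the loader
    struct.pack_into("<IIIII", idata, desc_off,
                     SEC_RVA + ilt_off, 0, 0, SEC_RVA + dll_off, SEC_RVA + iat_off)

    opt = bytearray(224)                             # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic
    struct.pack_into("<I", opt, 28, 0x10000000)      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, SEC_RVA + desc_off, 40)  # import directory
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(idata), SEC_RVA,
                      len(idata), SEC_RAW, 0, 0, 0, 0, 0xC0000040)
    dos = b"MZ".ljust(60, b"\0") + struct.pack("<I", 64)   # e_lfanew = 64
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return headers.ljust(SEC_RAW, b"\0") + bytes(idata)


def iat_slots(pe: bytes) -> dict:
    """Walk the import directory of an on-disk PE32/PE32+ image. Returns
    {(dll, function): iat_slot_rva}; function is '#<n>' for imports by ordinal."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (nsec,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    is64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    data_dirs = opt + (112 if is64 else 96)
    (import_rva,) = struct.unpack_from("<I", pe, data_dirs + 8 * 1)
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]

    def to_off(rva: int) -> int:
        for vsize, va, raw_size, raw_ptr in sections:
            if va <= rva < va + max(vsize, raw_size):
                return rva - va + raw_ptr
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    def cstr(off: int) -> str:
        return pe[off:pe.index(b"\0", off)].decode("ascii")

    fmt, size, ord_flag = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    slots = {}
    desc = to_off(import_rva)
    while True:
        ilt_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", pe, desc)
        if name_rva == 0 and iat_rva == 0:           # all-zero terminator
            break
        dll = cstr(to_off(name_rva))
        lookup = to_off(ilt_rva or iat_rva)          # some linkers omit the ILT
        i = 0
        while True:
            (thunk,) = struct.unpack_from(fmt, pe, lookup + i * size)
            if thunk == 0:
                break
            func = f"#{thunk & 0xFFFF}" if thunk & ord_flag else cstr(to_off(thunk) + 2)
            slots[(dll, func)] = iat_rva + i * size  # each slot is one pointer wide
            i += 1
        desc += 20
    return slots


if __name__ == "__main__":
    for (dll, func), rva in sorted(iat_slots(build_test_pe()).items()):
        print(f"{dll}!{func:<18} IAT slot at module+{rva:#x}")
```

Pointed at a real file, `iat_slots(open(path, "rb").read())` gives the same `module+RVA` notation Cheat Engine shows, without attaching to the process. Slots are 4 bytes apart in PE32 and 8 in PE32+, which is why the walker sizes the thunk from the optional-header magic rather than assuming 32-bit.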
 