So, I'm trying to call GetKeyState inside the DLL, since it's part of the import address table at FC3_d3d11.dll+1AA43DD.
I assembled a CALL ds:11AA43DD instruction with IDA's assembler, and it looks fine, but when I load it up with Cheat Engine, it gets a random offset each time.
I noticed that other locations that call it usually have FF 15 00000000, with the 4 zeros populated by the location of the IAT function during instantiation. FF 15 is a call exact.
So how can I get my injected code cave to update the address when the DLL is loaded? I'm basically doing this so I don't have to load Cheat Engine every time I play FC3, because I just want my code to be there already when I start the game.
Need help calling an imported function from within the DLL.
Re: Need help calling an imported function from within the DLL.
That's for C++. I need ASM, and it's internalized to the same DLL. I'm guessing the IAT also has a location of a bunch of places in memory it needs to update the DLL for with the new FF15 XXXXXXXX locations. That article is just abusing GetProcAddress, which if I could call that from User32, I'd just call GetKeyState instead and there'd be no problem.
Last edited by gir489 on Fri Jan 19, 2018 7:50 pm, edited 1 time in total.
Re: Need help calling an imported function from within the DLL.
Still learning, but what you need is EAT instead of IAT.
Sorry for the bad explanation
Re: Need help calling an imported function from within the DLL.
I'm making a code cave inside the same DLL. So, FC3_d3d11.dll already imports GetKeyState, and I want to call it. If I just put CALL GetKeyState into the Assembler, it crashes, because it needs an absolute address to do a call far. To fix this, Microsoft introduced the Import Address Table, so the runtime figures out where GetKeyState is going to be in memory, and puts that into a pointer, which is at FC3_d3d11.dll+1AA43DD. My problem is, when I do a CALL DWORD PTR [FC3_d3d11.dll+1AA3DD], it works for only that runtime. When I load it up again, that address is invalid. I need to make it so that my code cave address is always valid.
Re: Need help calling an imported function from within the DLL.
For example purposes only: If you're loading a dll dynamically and calling something from it, the function you're calling will have no entry in your module's IAT. It will however be present in its own DLL's EAT.
Edit:
I'm not sure, but what about aob (inside your code) to find the address/pointer, register symbol etc?
Re: Need help calling an imported function from within the DLL.
I figured out I could abuse EIP as a landing point to figure out where to get the IAT address.
Here's the code cave:
FC3_d3d11.dll+130F3CA - 81 FF 00000010 - cmp edi,FC3_d3d11.RunGame+2FB300 { [2C0D8311] }
FC3_d3d11.dll+130F3D0 - 7E 3B - jle FC3_d3d11.dll+130F40D
FC3_d3d11.dll+130F3D2 - 81 FF 00000020 - cmp edi,20000000 { 536870912 }
FC3_d3d11.dll+130F3D8 - 7D 33 - jnl FC3_d3d11.dll+130F40D
FC3_d3d11.dll+130F3DA - 83 FB 01 - cmp ebx,01 { 1 }
FC3_d3d11.dll+130F3DD - 74 2E - je FC3_d3d11.dll+130F40D
FC3_d3d11.dll+130F3DF - 52 - push edx
FC3_d3d11.dll+130F3E0 - 50 - push eax
FC3_d3d11.dll+130F3E1 - 6A 06 - push 06 { 6 }
FC3_d3d11.dll+130F3E3 - E8 30000000 - call FC3_d3d11.dll+130F418
FC3_d3d11.dll+130F3E8 - FF 92 F4B31900 - call dword ptr [edx+0019B3F4]
FC3_d3d11.dll+130F3EE - 66 C1 E8 0F - shr ax,0F { 15 }
FC3_d3d11.dll+130F3F2 - 66 3D 0100 - cmp ax,0001 { 1 }
FC3_d3d11.dll+130F3F6 - 58 - pop eax
FC3_d3d11.dll+130F3F7 - 5A - pop edx
FC3_d3d11.dll+130F3F8 - 74 13 - je FC3_d3d11.dll+130F40D
FC3_d3d11.dll+130F3FA - 83 B8 CC000000 01 - cmp dword ptr [eax+000000CC],01 { 1 }
FC3_d3d11.dll+130F401 - 7F 0A - jg FC3_d3d11.dll+130F40D
FC3_d3d11.dll+130F403 - C7 80 CC000000 01000000 - mov [eax+000000CC],00000001 { 1 }
FC3_d3d11.dll+130F40D - 8B 80 CC000000 - mov eax,[eax+000000CC]
FC3_d3d11.dll+130F413 - E9 8E6110FF - jmp FC3_d3d11.RunGame+4108A6
FC3_d3d11.dll+130F418 - 8B 14 24 - mov edx,[esp]
FC3_d3d11.dll+130F41B - C3 - ret
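An added illustration of the EIP trick used in the cave above (this is example code, not code from the thread): a small C program that assembles the 32-bit x86 cave bytes from module RVAs alone, then checks that the same bytes dereference the IAT slot correctly at any image base. The RVAs used (cave at +130F3E1, IAT slot at +14AA7DC) and the vKey value 0x06 are assumed values chosen for the demonstration, not taken from the game.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Emits a 32-bit x86 code cave that calls an IAT slot without hard-coding the
 * slot's virtual address. The E8 call pushes its own return address, the helper
 * copies it into edx, and the FF 92 call adds a displacement to edx. Because the
 * cave and the IAT slot live in the same module, (iat_rva - return_rva) is a
 * constant that survives image-base relocation; only RVAs are needed at patch
 * time. All RVAs passed in are assumed example values. */

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Layout of the emitted cave (19 bytes):
 *   +0   6A vk              push vKey
 *   +2   E8 08 00 00 00     call get_eip        ; pushes (cave+7), lands at +15
 *   +7   FF 92 d d d d      call dword ptr [edx+disp32] ; disp32 = iat_rva - (cave_rva+7)
 *   +13  EB 04              jmp short +4        ; skip over the helper
 *   +15  8B 14 24           get_eip: mov edx,[esp]
 *   +18  C3                 ret
 */
#define CAVE_LEN 19

size_t build_iat_call_cave(uint32_t cave_rva, uint32_t iat_rva, uint8_t vkey, uint8_t out[CAVE_LEN])
{
    size_t n = 0;
    uint32_t ret_rva = cave_rva + 7;       /* return address pushed by the E8 call */
    uint32_t get_eip_rva = cave_rva + 15;  /* where the helper sits in the cave */

    out[n++] = 0x6A; out[n++] = vkey;                                    /* push vKey */
    out[n++] = 0xE8; put_le32(out + n, get_eip_rva - ret_rva); n += 4;   /* call get_eip */
    out[n++] = 0xFF; out[n++] = 0x92; put_le32(out + n, iat_rva - ret_rva); n += 4; /* call [edx+disp32] */
    out[n++] = 0xEB; out[n++] = 0x04;                                    /* jmp short over helper */
    out[n++] = 0x8B; out[n++] = 0x14; out[n++] = 0x24;                   /* mov edx,[esp] */
    out[n++] = 0xC3;                                                     /* ret */
    return n;
}

/* Simulate what the CPU computes once the module is mapped at `base`: the E8
 * call pushes base+cave_rva+7, get_eip copies it into edx, and FF 92 then
 * dereferences edx+disp32. Returns the absolute address of that slot. */
uint32_t resolve_iat_slot(const uint8_t cave[CAVE_LEN], uint32_t base, uint32_t cave_rva)
{
    uint32_t edx = base + cave_rva + 7;
    uint32_t disp32 = get_le32(cave + 9);
    return edx + disp32;  /* uint32 wraparound == 32-bit two's-complement add */
}

/* Build the cave for the given RVAs and report which slot it dereferences at
 * `base`. Equals base+iat_rva for every base if the cave is position-independent. */
uint32_t slot_for_base(uint32_t base, uint32_t cave_rva, uint32_t iat_rva)
{
    uint8_t cave[CAVE_LEN];
    build_iat_call_cave(cave_rva, iat_rva, 0x06 /* vKey as in the posted cave */, cave);
    return resolve_iat_slot(cave, base, cave_rva);
}

int main(void)
{
    uint8_t cave[CAVE_LEN];
    const uint32_t cave_rva = 0x130F3E1u, iat_rva = 0x14AA7DCu; /* assumed RVAs */
    size_t n = build_iat_call_cave(cave_rva, iat_rva, 0x06, cave);
    for (size_t i = 0; i < n; i++) printf("%02X ", cave[i]);
    printf("\n");
    /* The same bytes reach the right slot whatever base the loader picks. */
    printf("base 10000000 -> slot %08X\n", resolve_iat_slot(cave, 0x10000000u, cave_rva));
    printf("base 6F3B0000 -> slot %08X\n", resolve_iat_slot(cave, 0x6F3B0000u, cave_rva));
    return 0;
}
```

Two practical notes: the helper clobbers edx, so a real cave has to save and restore whatever the surrounding code keeps there (the posted cave does this with push edx / pop edx around the call), and since GetKeyState is stdcall the callee removes the pushed vKey, so the stack is balanced after the FF 92 call returns.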
Re: Need help calling an imported function from within the DLL.
Hm, perhaps this would be, or have been, useful info https://fearlessrevolution.com/showthread.ph ... -Explained (of course instead of patching it you'd just copy the address to call it)