[Guide] Injecting DLL into silkroad exes without loader

Discussion on [Guide] Injecting DLL into silkroad exes without loader within the SRO PServer Guides & Releases forum part of the SRO Private Server category.

#1  Hedgehock

Injecting a DLL into a Windows x86 PE on startup without using an external injector.

First of all, sorry for my bad English. Russian is not allowed here, so deal with it. I really hope you can understand this, lol. I do know there are some guides to do this out there, but this one is focused on SRO, and I do actually give support to people having issues.

Sorry for the images. They will be visible as soon as I get premium subscription or 20 posts, I guess.

1. Purpose
As many of you already know, there are multiple dll injectors out there. Unfortunately, they run as an external process (in most cases it's totally okay, unless you don't want each of your dll users to inject it manually each time he starts your redistributed exe/dll). This guide will explain to you the basic idea of manual dll injection.

2. Requirements
OllyDbg 1.10
PE Explorer (trial)



3. Theory
Each Windows executable has a so-called header. All we have to know for now is that the header has the following structure:



The only thing that interests us is the PE header, which contains the OEP (Original Entry Point). The OEP value is the address where execution of the program starts. This is important because we are going to change it to the address of our own code, which will load the desired DLL and go back to the original entry point address, so the program flow executes as normal after our "dirty job" is done. We can divide dll injection into 7 simple steps.

1. Locate the OEP
2. Find free space for your dll loading code
3. Replace the OEP with your code address
4. Write the DLL name to some place in the executable
5. Push the dll name address onto the stack
6. Call kernel32.LoadLibraryA
7. Return to the original entry point

4. Implementation
What we will do is inject a really basic dll into silkroad.exe. First of all, you will need to find the original entry point of silkroad.exe. This can be done by running the PE Explorer you previously installed. Simply open silkroad.exe and take a look at the "Address of entry point" field.



You will need to copy it somewhere (ex: some text file).

For now, that's all we need from the PE Explorer.
Let's run OllyDbg 1.10 and go to the OEP. This can be done by opening silkroad.exe, pressing CTRL + G, pasting the OEP you got from PE Explorer and hitting enter. After you are done, you should see something like this on the left side of the OllyDbg window:



Now we have to find some empty space for our code. Normally you can just scroll down to the bottom until you reach the end:



I've selected
Code:
00497F7A   0000             ADD BYTE PTR DS:[EAX],AL
Since 0x00497FFE (section end) - 0x00497F7A (our code start address) = 84 bytes, which should be totally enough for both the dll name ASCII string and the dll loading code itself. Now we have to put our dll name somewhere near the code (remember, it will take some space... so move it after or before the expected code position by ~20 - 30 bytes at least). This can be done by selecting multiple lines (should be enough space for your dll name string) and pressing CTRL + E, entering your dll name into the ASCII field and pressing the OK button. I've chosen the address starting from 0x00497F96. When we push to the stack, we will need to specify that one.



Now we have the desired dll name written into silkroad.exe, and we can use it for the LoadLibraryA function call. You should have something like this:



Now what we have to do is write a little code cave which will load our dll.

Code:
push <dllNameAddr>
call LoadLibraryA
jmp <oep>
<dllNameAddr> = 00497F96
<oep> = 004778D0 (see in PE Explorer, or look at the olly EIP register value in the upper right corner).

When you are done, everything should look like this:



Now we have to save the changes made in olly. To do this, right-click somewhere in the frame you put your code / dll name in, select Copy to executable -> All Modifications and save your silkroad.exe to any place you want.
There's just one step left now. You have to modify your original OEP to the new one (where you put your CODE).

Open the saved exe with PE Explorer, and modify the OEP (004778D0) to 00497F7A. Press the green button near the OEP text box, then go to File -> Save file as... and save it to some location (most likely, in our case, the game client folder).

And you're done. Now just place a dll that has a DllMain function in the same folder as your modified exe, and run it. The dll should load at startup.


Update: Added a YouTube video.

If you still got any questions, feel free to contact me.

Skype: hedgehock94
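Added example, not from the original post or any Silkroad tool: the entry-point redirection described above leaves a footprint in the file itself, and this Python checker walks a PE32 header (the same fields PE Explorer shows), flags an AddressOfEntryPoint that lands in a section's zero padding, and, when the bytes there form a push / call / jmp stub, recovers the pushed DLL name and the jmp target (the original entry point). The image it analyses is a toy PE built inline; hook.dll, the RVAs and the call target are constructed values, and the padding criterion is my own heuristic.

```python
import struct
def parse_pe(data):
    """Minimal PE32 header walk -> (image_base, entry_rva, [section dicts])."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0" or struct.unpack_from("<H", data, pe + 24)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)        # NumberOfSections, SizeOfOptionalHeader
    entry_rva, image_base = struct.unpack_from("<I8xI", data, pe + 40)  # AddressOfEntryPoint, ImageBase
    fields = ("name", "vsize", "va", "rawsize", "rawptr")               # leading IMAGE_SECTION_HEADER fields
    sections = [dict(zip(fields, struct.unpack_from("<8sIIII", data, pe + 24 + opt_size + 40 * i))) for i in range(nsec)]
    return image_base, entry_rva, sections

def rva_to_offset(sections, rva):  # -> (section, file offset); zero padding past VirtualSize counts as in-section
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s, s["rawptr"] + rva - s["va"]
    return None, None

def analyse_entry_point(data):
    """Flag an entry point redirected into a 'push name; call LoadLibraryA; jmp oep' stub."""
    base, ep, sections = parse_pe(data)
    sec, off = rva_to_offset(sections, ep)
    r = dict(entry_rva=ep, reasons=[], dll_name=None, jmp_target_rva=None)
    if sec is not None and ep >= sec["va"] + sec["vsize"]:
        r["reasons"].append("entry point lies in raw padding past VirtualSize (classic code cave)")
    if off is not None and data[off] == 0x68:                                      # push imm32
        tgt = rva_to_offset(sections, struct.unpack_from("<I", data, off + 1)[0] - base)[1]
        name = data[tgt:tgt + 260].split(b"\0")[0] if tgt is not None else b""     # MAX_PATH-sized cap
        if name.isascii() and name.lower().endswith(b".dll"):
            r["dll_name"] = name.decode(); r["reasons"].append("pushes the address of a DLL name string")
        p = off + 5                                       # skip call rel32 (E8 ..) or call [mem32] (FF 15 ..)
        p += 5 if data[p] == 0xE8 else 6 if data[p:p + 2] == b"\xFF\x15" else 0
        if data[p] == 0xE9:                               # jmp rel32: work out where the stub hands control back
            r["jmp_target_rva"] = ep + (p - off) + 5 + struct.unpack_from("<i", data, p + 1)[0]
            r["reasons"].append("stub jumps back into the image (likely the original entry point)")
    return dict(r, suspicious=bool(r["reasons"]))

def build_sample_pe(redirected=True, base=0x400000):  # constructed toy PE32, not any real game client
    stub_rva, name_rva, oep_rva = 0x1180, 0x11A0, 0x1000  # stub and DLL name sit in .text's zero padding
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 64) + b"PE\0\0" + struct.pack("<HH12xHH", 0x14C, 1, 224, 0x102)
    hdr += struct.pack("<H14xI8xI", 0x10B, stub_rva if redirected else oep_rva, base).ljust(224, b"\0")
    hdr += struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    text = bytearray(b"\x90" * 0x100).ljust(0x200, b"\0")              # 0x100 bytes of 'code', then padding
    if redirected:  # guide-style stub parked in the padding; AddressOfEntryPoint above already points at it
        stub = b"\x68" + struct.pack("<I", base + name_rva)                        # push offset "hook.dll"
        stub += b"\xFF\x15" + struct.pack("<I", base + 0x2000)                     # call [IAT slot] (dummy)
        stub += b"\xE9" + struct.pack("<i", oep_rva - (stub_rva + len(stub) + 5))  # jmp original entry
        text[stub_rva - 0x1000:stub_rva - 0x1000 + len(stub)] = stub
        text[name_rva - 0x1000:name_rva - 0x1000 + 9] = b"hook.dll\0"
    return bytes(hdr.ljust(0x200, b"\0") + text)
```

For a client patched as in the guide, the recovered jmp target should equal the OEP PE Explorer showed before the edit, which makes comparing a redistributed exe against the original a quick integrity check.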
#2  Devsome, 11/11/2015, 09:31
Quote (Originally Posted by Exo):
ugay
When you are quoting him only for the pictures, nice comment.



@B2T: This tutorial will hopefully help other players :3
#3  AceSpace, 11/11/2015, 10:03
I find this way too hard to understand lol.. Doing it by yourself by trying would have been better; also it won't work. You cannot select many lines for the binary.. (Result: dll won't be detected due to wrong name)
#4  Konami$, 11/11/2015, 10:48
way hard lol but thanks for your time!
#5  Hedgehock, 11/12/2015, 02:21
YouTube video added.
#6  Timlock, 11/13/2015, 04:42
This is basically the same as what drew (pushedx) posted in 2011... with more pictures

Good job though.
#7  pushipu, 11/14/2015, 21:40
Can we call 2 *.dll like that?
If yes, jmp 1st to second and 2nd to OEP or w/e is called?
#8  Hedgehock, 11/15/2015, 11:30
You are completely right, pushipu. Yes, you can load multiple dlls. It would look something like this:


Code:
push <dllNameAddr1>
call LoadLibraryA
push <dllNameAddr2>
call LoadLibraryA
jmp <oep>
#9  SnapPop, 11/18/2015, 14:50
Damn, all that time I used OllyDbg to change the OEP while an easier solution exists xP
Btw, I wonder, is this the way that increases the executable's size?
For example: hyperfilter injecting their dlls into SRO exes, increasing their default size.
At last, nice generic guide Hedgehock.
#10  Exo, 11/18/2015, 15:06
Quote (Originally Posted by SnapPop):
Damn, all that time I used OllyDbg to change the OEP while an easier solution exists xP
Btw, I wonder, is this the way that increases the executable's size?
For example: hyperfilter injecting their dlls into SRO exes, increasing their default size.
At last, nice generic guide Hedgehock.
Injecting dlls has nothing to do with the binary size. The point of injecting dlls instead of using any external tools is that a dll will share the same memory as its host, so it'll be much easier to access the memory anytime you want once injected. That's all.
#11  Hedgehock, 11/28/2015, 07:16
SnapPop. What you are talking about is called binding. Yes, you can put your dll code directly into the target executable. It's pretty hard doing it by hand, but well... there are some pretty good binders available on the internet. Check
#12  atahan457, 03/09/2016, 10:51
Quote (Originally Posted by Hedgehock):
SnapPop. What you are talking about is called binding. Yes, you can put your dll code directly into the target executable. It's pretty hard doing it by hand, but well... there are some pretty good binders available on the internet. Check
Hello, can you help me.
#13  Hedgehock, 09/01/2016, 16:49
Feel free to request more guides.

Skype: live:cherno0x33
#14  athena1410, 09/26/2017, 16:19
I injected my dll your way. It worked (hwid sent to my server), but when I copied (sro_client and dll) to the SRO folder on another computer, it didn't work (hwid not sent to server).
#15  DjAlejo, 09/27/2017, 22:35
lol you are very funny