First of all, sorry for my bad English. Russian is not allowed here, so deal with it. I really hope you can understand this, lol. I know there are some guides on this out there, but this one is focused on SRO, and I actually give support to people who run into issues.
Sorry about the images. They will be visible as soon as I get a premium subscription or 20 posts, I guess.
1. Purpose
As many of you already know, there are multiple DLL injectors out there. Unfortunately, they run as an external process. In most cases that is totally fine, unless you don't want every user of your DLL to inject it manually each time they start your redistributed exe. This guide explains the basic idea of manual DLL injection: patching the executable itself so that it loads your DLL at startup, with no injector involved.
2. Requirements
OllyDbg 1.10
PE Explorer (trial)
3. Theory
Every Windows executable begins with a set of headers (the DOS header, the PE header and the section table). All we need to know for now is the following.
The only part that interests us is the PE header, which contains the OEP (Original Entry Point): the address from which execution of the program starts. PE Explorer shows it as a virtual address (image base + entry point RVA), which is also the form OllyDbg displays. We are going to change it to the address of our own code, which loads the desired DLL and then jumps back to the original entry point, so the program runs as normal once our "dirty job" is done. Both addresses we write into the file are absolute, so this assumes the image loads at its preferred base (an image relocated by ASLR would not). We can divide DLL injection into 7 simple steps.
1. Locate the OEP
2. Find free space for your DLL-loading code
3. Replace the OEP with the address of your code
4. Write the DLL name to some free place in the executable
5. push the address of the DLL name onto the stack
6. call kernel32.LoadLibraryA
7. jmp back to the original entry point
4. Implementation
What we will do is inject a really basic DLL into silkroad.exe. First of all, you need to find the original entry point of silkroad.exe. This can be done with the PE Explorer you installed earlier: simply open silkroad.exe and look at the "Address of entry point" field.
Copy it somewhere (e.g. a text file); you will need it twice more.
For now, that's all we need from PE Explorer.
Now run OllyDbg 1.10 and go to the OEP. To do this, open silkroad.exe, press CTRL + G, paste the OEP you got from PE Explorer and hit Enter. You should then see something like this on the left side of the OllyDbg window:
Next, we have to find some empty space for our code. Normally you can just scroll down the disassembly until you reach the end of the code section, where the padding shows up as a long run of zero bytes (00 00, disassembled as ADD BYTE PTR DS:[EAX],AL). Make sure the run is long enough for both the loader code and the DLL name, and that nothing else uses it:
I've selected
Code:
00497F7A 0000 ADD BYTE PTR DS:[EAX],AL
as the start of my free space. To write the DLL name there, select a few zero bytes after the spot reserved for the code, right click -> Binary -> Edit, type the name (e.g. mydll.dll) in the ASCII field and make sure a terminating zero byte follows it. Note the address of its first character; that is the <dllNameAddr> used below. Now we have the desired DLL name written into silkroad.exe and can use it for the LoadLibraryA call. You should have something like this:
Now we have to write a little codecave that loads our DLL. Select the first zero byte of your free space, press Space (Assemble) and enter the three instructions one after another:
Code:
push <dllNameAddr>
call LoadLibraryA
jmp <oep>
<dllNameAddr> = the address where you wrote the DLL name. <oep> = 004778D0 (see PE Explorer, or look at the EIP register value in the upper right corner of Olly while paused at the entry point).
One caveat: when Olly assembles `call LoadLibraryA`, it encodes a direct call to the address LoadLibraryA has in the kernel32.dll that is loaded right now. That address differs between Windows versions and, on Vista and later, changes on every boot, so the patched exe may only work on the machine it was patched on. A more robust form is an indirect call through the executable's own import table, `call dword ptr [<&KERNEL32.LoadLibraryA>]`, which you can copy from any existing LoadLibraryA call in silkroad.exe (Olly shows that operand in the disassembly).
When you are done, everything should look like this:
Now we have to save the changes made in Olly. Right click somewhere in the disassembly frame where you put your code / DLL name, select Copy to executable -> All modifications, confirm with Copy all, then right click in the window that opens, choose Save file and save your silkroad.exe wherever you want.
There is just one step left: changing the original OEP to the new one (the address where you put your CODE).
Open the saved exe with PE Explorer and modify the entry point (004778D0) to 00497F7A.
Press the green button next to the entry point text box, then go to File -> Save file as... and save it to some location (in our case, most likely the game client folder).
And you're done. Now place a DLL that has a DllMain function in the same folder as your modified exe (LoadLibraryA searches the application directory first) and run it. The DLL should load at startup. Two things to keep in mind: the stub never checks the return value, so if the DLL is missing LoadLibraryA simply returns 0 and the game continues normally without it; and DllMain runs under the loader lock, so do any real work from a thread you start there rather than in DllMain itself.
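The whole procedure above (find the zero slack at the end of the code section, write the DLL name and the three-instruction stub, repoint the entry point) can be scripted instead of clicked through in OllyDbg and PE Explorer. The following is an added example, not the original post's tool, and it deliberately uses the more robust indirect call through the import table rather than the direct `call LoadLibraryA` Olly assembles. Assumptions: a 32-bit (PE32) executable that already imports kernel32!LoadLibraryA, and that the caller supplies the virtual address of that import slot (read it from the operand of an existing `CALL DWORD PTR DS:[<&KERNEL32.LoadLibraryA>]` in Olly or from a PE viewer). The `make_test_image` fixture is a constructed, non-runnable PE used only to exercise the patcher offline; the DLL name and the slot address used with it are made up.

```python
"""Patch a PE32 so it loads a DLL before its original entry point runs:
write the DLL name plus a 16-byte stub into the unused tail of the code
section and repoint AddressOfEntryPoint at the stub.  Added example, not
the post's tool.  Assumes the target imports kernel32!LoadLibraryA and
that the caller passes the virtual address of that IAT slot."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
STUB_LEN = 16  # push imm32 (5) + call [imm32] (6) + jmp rel32 (5)


def parse_pe32(data):
    """Read the few header fields the patcher needs; PE32 only."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    size_opt, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                              # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled")
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i                # IMAGE_SECTION_HEADER
        vsize, va, rawsize, rawptr = struct.unpack_from("<4I", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append(dict(vsize=vsize, va=va, rawsize=rawsize, rawptr=rawptr, chars=chars))
    return dict(entry_off=opt + 16,                  # AddressOfEntryPoint
                entry_rva=struct.unpack_from("<I", data, opt + 16)[0],
                image_base=struct.unpack_from("<I", data, opt + 28)[0],
                dllchars_off=opt + 70,               # DllCharacteristics
                sections=sections)


def find_code_cave(pe, data, needed):
    """(file offset, RVA) of `needed` unused bytes at the end of the section
    holding the entry point: the zero slack between VirtualSize and the
    file-aligned SizeOfRawData that Olly lists as ADD BYTE PTR [EAX],AL."""
    for s in pe["sections"]:
        if not (s["va"] <= pe["entry_rva"] < s["va"] + s["rawsize"]):
            continue
        if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            raise ValueError("entry section is not executable")
        slack = s["rawsize"] - s["vsize"]
        if slack < needed:
            raise ValueError("cave too small: %d bytes, need %d" % (slack, needed))
        file_off = s["rawptr"] + s["vsize"]
        if any(data[file_off:file_off + needed]):
            raise ValueError("cave is not zero-filled")
        return file_off, s["va"] + s["vsize"]
    raise ValueError("entry point lies outside every section")


def build_stub(stub_va, name_va, iat_va, oep_va):
    """push name_va / call dword ptr [iat_va] / jmp oep_va.  The indirect
    call via the import slot keeps working when kernel32 moves between
    boots; a direct E8 call to LoadLibraryA's current address would not."""
    push = b"\x68" + struct.pack("<I", name_va)
    call = b"\xff\x15" + struct.pack("<I", iat_va)
    jmp = b"\xe9" + struct.pack("<i", oep_va - (stub_va + STUB_LEN))
    return push + call + jmp


def inject(data, dll_name, loadlibrary_iat_va):
    """Return (patched image, stub VA, DLL-name VA); `data` is not modified."""
    out = bytearray(data)
    pe = parse_pe32(out)
    name = dll_name.encode("ascii") + b"\0"          # LoadLibraryA wants a C string
    cave_off, cave_rva = find_code_cave(pe, out, STUB_LEN + len(name))
    stub_va = pe["image_base"] + cave_rva
    name_va = stub_va + STUB_LEN
    oep_va = pe["image_base"] + pe["entry_rva"]
    out[cave_off:cave_off + STUB_LEN] = build_stub(stub_va, name_va, loadlibrary_iat_va, oep_va)
    out[cave_off + STUB_LEN:cave_off + STUB_LEN + len(name)] = name
    struct.pack_into("<I", out, pe["entry_off"], cave_rva)   # new entry point
    # The stub hard-codes absolute addresses no .reloc entry covers, so the
    # image must load at its preferred base: clear DYNAMICBASE (disables ASLR).
    flags, = struct.unpack_from("<H", out, pe["dllchars_off"])
    struct.pack_into("<H", out, pe["dllchars_off"], flags & ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return bytes(out), stub_va, name_va


def make_test_image():
    """Constructed minimal PE32 (one .text section with 0x80 bytes of slack,
    no imports) that only exists to exercise the patcher; it will not run."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    filehdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 0, 0, 0x180, 0, 0,
                      0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0,
                      2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                            # 16 empty data directories
    text = struct.pack("<8s6IHHI", b".text", 0x180, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + filehdr + opt + text
    code = b"\x90" * 0x17F + b"\xc3"                               # 0x180 bytes of "code"
    return headers.ljust(0x200, b"\0") + code.ljust(0x200, b"\0")
```

To use it on a real client, read the file, call `inject(data, "mydll.dll", iat_slot_va)` with the slot address taken from Olly, and write the returned bytes to a new file. The `find_code_cave` checks are the part worth keeping even if you patch by hand: the slack must be inside the code section's raw data, executable, zero-filled, and large enough for both the stub and the name, otherwise the patched exe crashes or the name gets truncated.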
Update: added a YouTube video.
If you still got any questions, feel free to contact me.
Skype: hedgehock94