Sorry for my English; I see this part of e*PvP is mainly in German, but my German sucks badly (although I spent 5 years trying to learn it, with little success).
My question is not related that much to game hacking/coding and such, but to code injection in general.
Here is the background: we have a core system client, which is basically a big GUI framework over plain telnet screens. The client also has built-in OLE and DDE servers, which we use to extract data from the system in the simplest cases.
Now comes the reason for my headache: if there is more than one client running (quite possible, since we have many environments to connect to), I cannot give the user the option of which one to use.
1. The client is written in VB6 and DOES NOT register its OLE server in the ROT (Running Object Table), so I cannot select the appropriate instance from there.
2. It has a launcher, which basically checks for updates, prepares environment stuff (like the client-host negotiation protocol and so on) and only then launches the actual client. The actual client does not have an *.exe extension but a *._ extension, so I cannot choose the right one using DDE either ([exe name without *.exe].[process ID]).
The frigging piece of software is copyrighted and installed on something like 500 workstations, so I just cannot crack it to use at least the DDE technique.
So I came to the conclusion that the only option is to MAKE the client register itself in the ROT (controlling the client with the pure Windows API has been turned down for now, since it would be overkill).
Can anyone help me by pointing out what steps I should take and how? For now I guess in general it should be:
1. Write my own app in VB6 with an OLE server which registers in the ROT.
2. Inspect it with Olly to see the registration dump.
3. Make an amended copy of the client and inject the OLE registration into the executable. Run and test, see if it works.
4. Make my own app which injects and executes the server registration in the ROT in the victim.
Now, although I am not too experienced with Olly, I guess I will manage steps 1-3, but I am not so sure about 4; I have never done it before. Can you guys help me with that part? Like:
1. Writing the function to inject.
2. Getting the OLE handle from the victim in that function.
3. Injecting the function into the victim and executing it.
Just the theory: how to do it, what should be done and what shouldn't, to avoid an access violation or a visit from General Protection.
Basically I want to turn the changes I could inject into the executable into a run-time function, without modifying the original file.
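For step 1 of the plan above (an own VB6 OLE server that shows up in the ROT), here is an added example of what the registration itself looks like. It is not the poster's code and not the client vendor's; the module name modRot, the class name Session and the ProgID "MyServer.Session" are assumed, and the class is meant to live in a VB6 ActiveX EXE project with Instancing set to MultiUse. It uses the documented oleaut32/ole32 calls RegisterActiveObject, RevokeActiveObject and CLSIDFromProgID, which is exactly what a VB6 ActiveX EXE does not do on its own.

```vb
' modRot.bas - constructed example: put an object into the Running Object Table
Option Explicit

Private Type GUID
    Data1 As Long
    Data2 As Integer
    Data3 As Integer
    Data4(0 To 7) As Byte
End Type

' Registration flags from objbase.h
Private Const ACTIVEOBJECT_STRONG As Long = 0
Private Const ACTIVEOBJECT_WEAK As Long = 1

Private Declare Function CLSIDFromProgID Lib "ole32.dll" _
    (ByVal lpszProgID As Long, pclsid As GUID) As Long
Private Declare Function RegisterActiveObject Lib "oleaut32.dll" _
    (ByVal pUnk As IUnknown, rclsid As GUID, ByVal dwFlags As Long, pdwRegister As Long) As Long
Private Declare Function RevokeActiveObject Lib "oleaut32.dll" _
    (ByVal dwRegister As Long, ByVal pvReserved As Long) As Long
Public Declare Function GetCurrentProcessId Lib "kernel32" () As Long

' Registers obj under the CLSID that progId resolves to.
' Returns the ROT cookie needed for RevokeActiveObject, or 0 on failure.
Public Function RegisterInRot(ByVal obj As IUnknown, ByVal progId As String) As Long
    Dim clsid As GUID
    Dim cookie As Long
    ' CLSIDFromProgID wants a wide string, hence StrPtr on the VB string
    If CLSIDFromProgID(StrPtr(progId), clsid) <> 0 Then Exit Function   ' S_OK = 0
    ' Weak registration: the ROT holds no reference, so the server can still
    ' shut down when the last real client releases the object.
    If RegisterActiveObject(obj, clsid, ACTIVEOBJECT_WEAK, cookie) <> 0 Then Exit Function
    RegisterInRot = cookie
End Function

Public Sub UnregisterFromRot(ByVal cookie As Long)
    If cookie <> 0 Then RevokeActiveObject cookie, 0
End Sub

' ---------------------------------------------------------------------------
' Session.cls (Instancing = 6 - MultiUse) - registers itself on creation
' ---------------------------------------------------------------------------
' Option Explicit
' Private m_cookie As Long
'
' Private Sub Class_Initialize()
'     m_cookie = RegisterInRot(Me, "MyServer.Session")
' End Sub
'
' Private Sub Class_Terminate()
'     UnregisterFromRot m_cookie   ' leave no stale ROT entry behind
' End Sub
'
' ' Lets a caller tell instances apart once it has one in hand
' Public Property Get ProcessId() As Long
'     ProcessId = GetCurrentProcessId()
' End Property

' ---------------------------------------------------------------------------
' Consumer side (any VB6 app or VBScript): GetObject with an empty first
' argument calls GetActiveObject, which looks the CLSID up in the ROT.
' ---------------------------------------------------------------------------
' Dim s As Object
' Set s = GetObject(, "MyServer.Session")
' Debug.Print s.ProcessId
```

Two things worth knowing before building on this. RegisterActiveObject keys the ROT entry by CLSID only, so when several processes register the same class, GetObject(, ...) hands back one of them and not a chosen one; telling instances apart needs either a per-instance moniker registered through IRunningObjectTable::Register (an item moniker built from something like the process ID) or a property such as ProcessId above that the caller checks after connecting. And the registration only works for code running inside the server process with a reference to the object, which is why a standalone test server like this one is the right place to verify the mechanism before looking at anything else.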