#1
Hi,
I am reversing a program in which the .exe injects 'general.dll' into a game. However, what I want to reverse is in this .dll. I therefore cannot reverse this dll alone. However, when I follow in OllyDBG the inject function (which is successfully executed), I cannot 'jump' to the dll in question. Note that the dll is NOT packed or else. I have already tried this: Quote:
What else can I do? Shannou06.
#2
|
|||
|
|||
You could start by NOT cross-posting from Tuts4you. (http://forum.tuts4you.com/topic/2818...-injected-dll/)
Having said that, check out these Google searches:
https://www.google.com/search?q=olly+inject+dll
https://www.google.com/search?q=olly+break+on+new+dll
I count at least a dozen discussions dealing with the same problem as you.
#3
|
|||
|
|||
Hi Kao,
I know I should not, but I thought that I should ask someone else.. Thanks for the searches, although I have done them (believe me), your second link was the good one. However, the dll needs to be injected by the .exe, otherwise it won't work. So when I start reversing, I get an error.. How can I find a remedy to this?
#4
|
|||
|
|||
Ok, here's my rough plan how I'd approach it:
1) Load injector.exe in Olly, put breakpoints on CreateProcessXXX, WriteProcessMemory, NtWriteVirtualMemory, CreateRemoteThread, SetThreadContext functions. These are the most commonly used functions for DLL injection.
2) Run injector.exe, Olly should stop on some breakpoints. Write down which functions were called and with what arguments, it might be useful later.
3) First injector.exe will create game.exe process, then it will write something to that process memory. When this write happens, use 2nd Olly to attach to game.exe process. Set it to break on new DLLs and resume execution of game.exe (F9 in Olly).
4) Resume execution of injector.exe. It will create new thread in game.exe or use SetThreadContext to manipulate existing thread. In any case, injected.dll should get loaded in game.exe process and your 2nd Olly should be able to catch it.

p.s. If you can, use hardware breakpoints in Olly. They are saved between sessions, stay active even if DLL is not loaded in memory yet and are much more reliable than software breakpoints.
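
Added example, not part of kao's post: a small Python helper for the notes taken in step 2. It reads a list of breakpoint hits and reports which call is the first remote write (the point to attach the second debugger in step 3) and which DLL path the later thread call points at. The `Api(key=value, ...)` note format, the handles and the addresses are assumptions constructed for illustration.

```python
import re

# Constructed notes in a hypothetical "Api(key=value, ...)" format; every
# handle and address is made up, only the module names come from the thread.
SAMPLE_LOG = r"""
CreateProcessA(app=game.exe, hProcess=0x1a4, hThread=0x1a8)
WriteProcessMemory(hProcess=0x1a4, base=0x02350000, data=C:\game\general.dll)
CreateRemoteThread(hProcess=0x1a4, start=LoadLibraryA, param=0x02350000)
"""

CALL_RE = re.compile(r"^(\w+)\((.*)\)$")
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
TRIGGER_APIS = {"CreateRemoteThread", "SetThreadContext"}

def parse_log(text):
    """Turn each noted call into (api_name, {argument: value})."""
    events = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            pairs = (kv.split("=", 1) for kv in m.group(2).split(", ") if "=" in kv)
            events.append((m.group(1), dict(pairs)))
    return events

def summarize(events):
    """Find the target, the call at which to attach, and the loaded DLL."""
    owner = {}    # process/thread handle -> image created by the injector
    writes = {}   # (process handle, remote base) -> data written there
    out = {"target": None, "attach_at": None, "trigger": None, "dll": None}
    for idx, (api, a) in enumerate(events):
        h = a.get("hProcess") or a.get("hThread")
        if api.startswith("CreateProcess"):
            owner[a.get("hProcess")] = owner[a.get("hThread")] = a.get("app")
        elif api in WRITE_APIS and h in owner:
            writes[(h, a.get("base"))] = a.get("data")
            if out["attach_at"] is None:          # step 3: first remote write
                out["target"], out["attach_at"] = owner[h], idx
        elif api in TRIGGER_APIS and h in owner:  # step 4: thread start/redirect
            out["trigger"] = api
            out["dll"] = writes.get((h, a.get("param")))
    return out

if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```

When the trigger is SetThreadContext there is no `param` to match, so `dll` stays `None` and the written buffers have to be inspected by hand.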
#5
|
|||
|
|||
Kao,
Thanks for your answer, sorry if I took time to answer, but I'm in an exam period.. The problem I have with your 'technique' is that the main.exe opens itself game.exe (for bypassing security of game.exe). So when I want to, at least, attach Olly to game.exe, the work is already done... I still do not understand why olly does not want to break (even hardware bp) on an external module.
Last edited by Shannou06 : 01-27-2012 at 05:28 PM.