#1
01-24-2012, 02:50 PM
Shannou06
Junior Member
Join Date: Aug 2011
Posts: 4
How to jump into a freshly injected DLL?

Hi,

I am reversing a program in which the .exe injects 'general.dll' into a game. However, what I want to reverse is in this .dll. I therefore cannot reverse this dll alone. However, when I follow the inject function in OllyDbg (which is successfully executed), I cannot 'jump' to the dll in question. Note that the dll is NOT packed or anything else.

I have already tried this:

Quote:
you can also tell olly to keep breakpoints in external modules, load the dll once, double click on it in the "modules" window and set some breakpoints on important functions. Next time olly loads the dll, it will break there.
Breakpointing APIs might also be a solution to break in the dll.
I also found a 2004 post talking about modifying the registry, but since then Windows' structure has changed and I'm not sure I want to take the risk of modifying something 'randomly'...

What else can I do?

Shannou06.
#2
01-24-2012, 05:07 PM
kao
Senior Member
Join Date: Sep 2007
Posts: 184

You could start by NOT cross-posting from Tuts4you. (http://forum.tuts4you.com/topic/2818...-injected-dll/)

Having said that, check out these Google searches:
https://www.google.com/search?q=olly+inject+dll
https://www.google.com/search?q=olly+break+on+new+dll
I count at least a dozen discussions dealing with the same problem as you.
#3
01-24-2012, 06:06 PM
Shannou06
Junior Member
Join Date: Aug 2011
Posts: 4

Hi Kao,

I know I should not, but I thought that I should ask someone else..
Thanks for the searches; although I have done them (believe me), your second link was the good one.
However, the dll needs to be injected by the .exe, otherwise it won't work. So when I start reversing, I get an error.. How can I find a remedy to this?
#4
01-25-2012, 05:09 AM
kao
Senior Member
Join Date: Sep 2007
Posts: 184

OK, here's my rough plan for how I'd approach it:

1) Load injector.exe in Olly, put breakpoints on CreateProcessXXX, WriteProcessMemory, NtWriteVirtualMemory, CreateRemoteThread, SetThreadContext functions.
These are the most commonly used functions for DLL injection.

2) Run injector.exe, Olly should stop on some breakpoints. Write down which functions were called and with what arguments, it might be useful later.

3) First, injector.exe will create the game.exe process, then it will write something to that process's memory. When this write happens, use a 2nd Olly to attach to the game.exe process. Set it to break on new DLLs and resume execution of game.exe (F9 in Olly).

4) Resume execution of injector.exe. It will create a new thread in game.exe or use SetThreadContext to manipulate an existing thread. In any case, injected.dll should get loaded in the game.exe process and your 2nd Olly should be able to catch it.

p.s. If you can, use hardware breakpoints in Olly. They are saved between sessions, stay active even if the DLL is not loaded in memory yet, and are much more reliable than software breakpoints.
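As an added example (not part of the thread and not kao's code), the script below takes the kind of notes step 2 asks for, one line per API breakpoint hit with its arguments, and correlates them by target-process handle into the sequence kao lists: CreateProcess, then WriteProcessMemory/NtWriteVirtualMemory, then either CreateRemoteThread or SetThreadContext. It reports which process was created, how many remote writes happened, and the event at which the first write occurred, which is the moment step 3 says to attach the second debugger. The trace format, the API-name groupings beyond those named in the post, and every handle, address, path and PID in the sample are constructed for the example.

```python
import re
from collections import defaultdict

# API names grouped by the role they play in the injection sequence above.
# The ones not named in the post (the Nt* variants, CreateRemoteThreadEx) are
# assumed equivalents added for this example.
CREATE_APIS = {"CreateProcessA", "CreateProcessW"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
THREAD_APIS = {"CreateRemoteThread", "CreateRemoteThreadEx"}
HIJACK_APIS = {"SetThreadContext", "NtSetContextThread"}

# Constructed sample: notes an analyst might take while hitting the step 1
# breakpoints. Handles, addresses, paths and the PID are all invented.
SAMPLE_TRACE = r"""
CreateProcessW lpApplicationName="C:\Games\game.exe" dwCreationFlags=0x4 hProcess=0x1a4 hThread=0x1a8 dwProcessId=2716
VirtualAllocEx hProcess=0x1a4 dwSize=0x1000 ret=0x00390000
WriteProcessMemory hProcess=0x1a4 lpBaseAddress=0x00390000 nSize=0x1e
WriteProcessMemory hProcess=0x1a4 lpBaseAddress=0x00390100 nSize=0x20
CreateRemoteThread hProcess=0x1a4 lpStartAddress=0x77e00000 lpParameter=0x00390000
ResumeThread hThread=0x1a8
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be a quoted string


def parse_trace(text):
    """Parse 'ApiName key=value ...' lines into event dicts, numbered in order."""
    events = []
    for seq, line in enumerate(text.strip().splitlines(), start=1):
        api, _, rest = line.strip().partition(" ")
        args = {k: v.strip('"') for k, v in _KV.findall(rest)}
        events.append({"seq": seq, "api": api, "args": args})
    return events


def _proc(args):
    """Process handle under either the Win32 or the Nt* parameter name."""
    return args.get("hProcess") or args.get("ProcessHandle")


def _thread(args):
    """Thread handle under either the Win32 or the Nt* parameter name."""
    return args.get("hThread") or args.get("ThreadHandle")


def find_injection(events):
    """Correlate events per target-process handle and classify the pattern.

    Caveat: the OS reuses handle values once they are closed, so a long trace
    should be split at CloseHandle; this example assumes one target per handle.
    """
    thread_owner = {}  # thread handle -> process handle, from CreateProcess
    targets = defaultdict(lambda: {"exe": None, "pid": None, "writes": [],
                                   "start": None, "hijack": False, "attach_at": None})
    for ev in events:
        api, a = ev["api"], ev["args"]
        if api in CREATE_APIS:
            t = targets[_proc(a)]
            t["exe"] = a.get("lpApplicationName") or a.get("lpCommandLine")
            t["pid"] = a.get("dwProcessId")
            if _thread(a):
                thread_owner[_thread(a)] = _proc(a)
        elif api in WRITE_APIS:
            t = targets[_proc(a)]
            t["writes"].append(a.get("lpBaseAddress") or a.get("BaseAddress"))
            # Step 3: the first remote write is when to attach the second debugger.
            if t["attach_at"] is None:
                t["attach_at"] = ev["seq"]
        elif api in THREAD_APIS:
            targets[_proc(a)]["start"] = a.get("lpStartAddress") or a.get("StartRoutine")
        elif api in HIJACK_APIS:
            owner = thread_owner.get(_thread(a))
            if owner is not None:
                targets[owner]["hijack"] = True

    findings = []
    for handle, t in targets.items():
        if not t["writes"]:
            continue  # allocating or creating alone is not an injection
        if t["start"] is not None:
            kind = "remote-thread injection"
        elif t["hijack"]:
            kind = "thread-context hijack"
        else:
            continue
        findings.append({"kind": kind, "handle": handle, "target": t["exe"],
                         "pid": t["pid"], "writes": t["writes"],
                         "start": t["start"], "attach_at": t["attach_at"]})
    return findings


if __name__ == "__main__":
    for f in find_injection(parse_trace(SAMPLE_TRACE)):
        print(f"{f['kind']}: {f['target']} (pid {f['pid']}), "
              f"attach 2nd debugger at event #{f['attach_at']}, "
              f"{len(f['writes'])} remote write(s), thread start {f['start']}")
```

Two injection shapes are distinguished because they need different handling in the second debugger: with CreateRemoteThread the new thread's start address is known from the trace, while with SetThreadContext the existing main thread is redirected and "break on new DLLs" is the more dependable way to catch the load.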
#5
01-27-2012, 05:15 PM
Shannou06
Junior Member
Join Date: Aug 2011
Posts: 4

Kao,

Thanks for your answer, sorry if I took time to answer, but I'm in an exam period..

The problem I have with your 'technique' is that main.exe itself opens game.exe (for bypassing the security of game.exe). So when I want to, at least, attach Olly to game.exe, the work is already done... I still do not understand why Olly does not want to break (even with a hardware bp) on an external module.

Last edited by Shannou06: 01-27-2012 at 05:28 PM.