How to call a function located in an executable from a loaded DLL?

I have located a function inside an executable which I'd like to call from my DLL. The address of it would be 0x0090DE00 according to OllyDbg. I've tried to call it directly:

luaL__openlib *f = ((luaL__openlib*)(0x0090DE00));

but also with adding the base of the module handle to it as suggested here:

uint8_t * module_handle = (uint8_t *)GetModuleHandle(L"ForgedAlliance1.exe");

luaL__openlib *f = ((luaL__openlib*)(module_handle  + 0x0090DE00));

It appears that this is not working as I get access violation exceptions - it appears that the pointer is not valid.

So: How can I call this function by using its address?


I just inserted a simple RET instruction at 0x00C0B530. My code does now look as follows:

typedef void (*test) ();

EXTERN_DLL_EXPORT void initialize(lua_State *L)
{
    // Adding this should not be necessary. I get 0x00C0B530 from 
    // OllyDbg where the offset 0x00401000 is included
    uint8_t * module_handle = (uint8_t *)GetModuleHandle(L"ForgedAlliance1.exe");

    test *f = NULL;

    f = ((test*)(0x00C0B530));

    (*f)(); // Crashing 
}

What I don't quite understand is why I get a different address in the exception message:

Exception thrown at 0x909090C3 in ForgedAlliance1.exe: 0xC0000005: Access violation executing location 0x909090C3.


UPDATE: I just realized that 0x909090C3 is not just a pointer here, it is the code itself

90 | NOP
90 | NOP
90 | NOP
C3 | RETN

Seems I am messing something up with pointers. Why does it try to execute "location" 0x909090C3? That's not the location.

Stefan Falk asked Oct 30 '22 15:10


1 Answer

Alright, it was just a pointer mess-up. Sorry for that - did not write in C for quite a while. I did it right, basically, but the problem with

f = ((test*)(0x00C0B530));
(*f)();  

is that (*f) is 0x909090C3 - the instructions inside the executable - and this is the address the program tries to jump to, which is of course invalid.

So the trick was:

int test_addr = 0x00C0B530;       // a variable holding the address...
f = ((test*)(&test_addr));        // ...so that f (a pointer to a function pointer) points at it
(*f)();                           // *f now yields 0x00C0B530, which is what gets called

I am sure this can be done a bit simpler but this is working now.

Stefan Falk answered Nov 15 '22 06:11
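The pointer mix-up from the question and the fix from the answer, as an added stand-alone example (not the asker's code): `target_function` is a constructed stand-in for the function found in the executable, `call_by_address` is the direct cast the answer's trick amounts to, `misread_code_as_pointer` reproduces the wrong cast and shows that it yields the first code bytes (the 0x909090C3 from the exception message) rather than an address, and `rebase` shows how an address read from a debugger should be converted to an RVA and added to the module's runtime base instead of being hardcoded; the preferred base 0x00400000 used there is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Signature of the function to call; the page's `test` typedef, given a return value. */
typedef int (*target_fn)(int, int);

/* Constructed stand-in for the function located inside the executable. */
int target_function(int a, int b)
{
    return a + b;
}

/* Correct: the numeric address itself is the function pointer value. */
int call_by_address(uintptr_t addr, int a, int b)
{
    target_fn f = (target_fn)addr;
    return f(a, b);
}

/* The question's mistake: cast the address to `target_fn *` and dereference it. This loads
 * the first sizeof(void *) bytes of machine code and returns them as if they were an address,
 * which is how 0x909090C3 (NOP NOP NOP RET) became the "location" in the access violation.
 * The result is only inspected here, never called. */
uintptr_t misread_code_as_pointer(uintptr_t addr)
{
    target_fn *pf = (target_fn *)addr;
    return (uintptr_t)*pf;
}

/* The same bytes read explicitly, to confirm what the wrong cast actually produced. */
uintptr_t first_code_bytes(uintptr_t addr)
{
    uintptr_t v;
    memcpy(&v, (const void *)addr, sizeof v);
    return v;
}

/* A debugger shows virtual addresses for the image's preferred base; under ASLR the module
 * may be loaded elsewhere, so convert VA -> RVA -> runtime VA rather than hardcoding the VA. */
uintptr_t rebase(uintptr_t debugger_va, uintptr_t preferred_base, uintptr_t runtime_base)
{
    return runtime_base + (debugger_va - preferred_base);
}

int main(void)
{
    uintptr_t addr = (uintptr_t)target_function;
    printf("call: %d, wrong cast read: 0x%lx\n", call_by_address(addr, 2, 3),
           (unsigned long)misread_code_as_pointer(addr));
    return 0;
}
```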