DLL modification


chemist
March 25th, 2005, 21:37
Hi everyone, I am just wondering how you update the contents of a compressed DLL file that is called from an executable.

I have been using Olly, and usually when it comes to patching an executable you just go "copy to executable... etc." after you have made your ASM changes.

The program I am working on has an executable. It calls a DLL, and the serial registration routine is in there. If you open the DLL directly, it says it is compressed, encrypted or whatever and says it may not open properly. The crack is easy, simply changing a JE to a JNZ, and I can do this in Olly; however, there is no way to save the changes to the DLL file.

So, how do you make such a change permanent???

Regards

evlncrn8
March 26th, 2005, 01:14
Add in some code in the executable, changing the entrypoint to your code, that then patches the import table of the executable, rerouting the LoadLibraryA API to your own code which simply calls LoadLibraryA. Then you'll have the base address of the DLL: add on the displacement to the area you want to patch, VirtualProtect it to make it read/write, apply your patch, VirtualProtect it back to read/execute (or whatever it was previously), and return. Once you've applied that detour from the import, simply jmp to the original entrypoint. Easiest method, because otherwise you have to deal with unpacking the DLL, fixing up relocs (which the packer probably trashed) and other madness.

goggles99
March 26th, 2005, 21:28
By compressed, my guess is that you mean it is packed with something. Well, just unpack it and patch it, then replace the original compressed/packed one with your "fixed up" one.

Another thing you can do is find the point in the DLL's DllMain where the code is finished being decompressed and place a jump there to a code cave that patches the memory address (JE to JNZ), then jumps back.

If the DLL is not loaded dynamically (using LoadLibrary), its address in memory should be static and you can create a loader to patch it on the fly.

SiGiNT
March 26th, 2005, 21:59
I know I'm pointing out what seems to be the obvious, but it wasn't mentioned in the other posts: you can easily patch it, sometimes even without unpacking, with a hex editor - WinHex, Hview, Hiew, etc.
JNZ = 75 xx, JZ = 74 xx

SiGiNT