Hi folks,


so I was recently editing executable to load my own dll library and all I typed in Ollydbg to load library was "CALL LoadLibraryA".

In ollydbg it is translated to kernel32.LoadLibraryA and everything works great BUT! It's somehow a temporary solution - when OS is rebooted executable won't run anymore, it will just crash.

I'm pretty sure typing CALL LoadLibraryA is just making it somehow temporal address made by ollydbg and as far as it goes without restarting OS it works like charm.



I had to do "SUB ESP, 4" to make stack "uncorrupted" for later calls where I've added JMP to my part of code (located in codecave somewhere) but it doesn't matter since everything works fine, dll is loaded and everything seems to be cool until next system reboot - executable won't load anymore (wrong LoadLibraryA addr to call).

Any ideas guys?

I you add imported functions to a module, you need to do it correctly via the Import Address Table, this allows the system loader to correctly adjust the address when the module is loaded, preventing thing like ASLR "breaking" stuff.

These days there is no point in doing it the hard way however, just use something like LordPE to add the import automagically ;)
from there you need only call the address stored in the IAT, which will always be correct. (just make sure your target doesn't already have LoadLibrary or GetModuleHandle in its IAT already)

btw, if you are curious as to why it works with olly, thats cause olly performs the work the system loader would do by adjusting the relative call that you are making to LoadLibraryA.

Pretty sure I didn't get all from your message so I will just ask:

How to read functions and their address if they are in executable's IAT? If not, should LordPE allow me to add those functions to executable's IAT?

It's kind of cool working with Ollydbg and It would be essential to avoid such problems in the future

How to read functions and their address if they are in executable's IAT? If not, should LordPE allow me to add those functions to executable's IAT?

It's kind of cool working with Ollydbg and It would be essential to avoid such problems in the future

when once you've added the function to the IAT, you can use olly to get its address (via ctrl + n, if you have the default shortcuts), then you call that address, which will look something like:


//Your code:
CALL 12345

//IAT entry:
12345: JMP DWORD PTR DS:[<&KERNEL32.LoadLibraryA>]

alternatively you can do a direct call via:
CALL DWORD PTR DS:[<&KERNEL32.LoadLibraryA>]

the <&KERNEL32.LoadLibraryA> part represents the address stored in the IAT that gets fixed up by the windows loader (it gets a nice looking name thanks to olly scanning the IAT and 'recognising' the imports).

Awesome, LoadLibraryA was already in IAT (ctrl +n) as awell as few others I needed (obviously):

Names in Eloadlib, item 252
Address = 0055B200
Section = .rdata
Type = Import
Name = &KERNEL32.LoadLibraryA
Comments =

CALL DWORD PTR DS:[0055B200]

Names in Eloadlib, item 257
Address=0055B4D4
Section=.rdata
Type=Import (Known)
Name=USER32.MessageBoxA

CALL DWORD PTR DS:[0055B4D4]

Names in Eloadlib, item 82
Address=0055B118
Section=.rdata
Type=Import (Known)
Name=KERNEL32.ExitProcess

CALL DWORD PTR DS:[0055B118]


Thank you, I really appreciate your help