I am trying to load a certain dll from inside a certain .exe of which I don't have the source code.
So I tried to do it with a code cave which seemed like a good option, but I am experiencing some trouble.
This is what I have so far:
I first load the .exe in OllyDbg, then I select the exe module with ALT + E.
Then I make sure I have at least 5 bytes of free space somewhere in the stack; in this case I did that by replacing the following asm commands with NOPs:
    004BF23B  8BF2        MOV ESI,EDX
    004BF23D  8BD8        MOV EBX,EAX
    004BF23F  94          XCHG EAX,ESP
After that I go to the bottom to find some free space and add this code:
    0052152A  90          NOP
    0052152B  68 87155200 PUSH some.00521587          ; ASCII "some.dll"
    00521530  E8 42349B76 CALL kernel32.LoadLibraryA
    00521535  90          NOP
    .....     8BF2        MOV ESI,EDX
    .....     8BD8        MOV EBX,EAX
    .....     94          XCHG EAX,ESP
    00521536  68 FDF04B00 PUSH <some.codecave.Return>
    0052153B  C3          RETN
I declared the ASCII string somewhere above this code in the stack, also in some free space. The "codecave.Return" label is attached to the command right below the free space I made, so it would normally come after "XCHG EAX,ESP".
Finally I replaced the 5 bytes of free space with this command:
    004BF23B  E9 E7220600 JMP <some.codecave.MyCodeCave>
which makes it jump straight to the beginning of the code you see in the second code window.
Then I right-click and choose "Copy all modifications to executable"; when another window appears showing the modifications I made, I right-click again, choose "Save", and enter a name different from the original.
So when I have the DLL in the same folder as the edited executable, it still doesn't load it; the executable doesn't even start.
I hope someone can tell me what I did wrong.
Thanks a lot in advance!
Edited by Falcon22, 29 January 2014 - 02:53 PM.
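Two properties of the cave in the post are worth checking before saving the patch, and the added example below (my code, not the poster's or OllyDbg's) assembles a cave that has both and verifies the byte encoding offline. First, LoadLibraryA is a stdcall function that may clobber EAX, ECX and EDX, and the three stolen instructions read EDX and EAX, so the cave saves and restores the registers with PUSHAD/PUSHFD and POPFD/POPAD before replaying them. Second, an E8 rel32 CALL into kernel32 encodes a displacement that is only valid for the kernel32 base address seen in that debugging session; calling through the executable's own IAT slot for LoadLibraryA (FF 15 imm32) lets the loader fix the address up at run time instead. The hook, cave, string and return addresses are the ones in the post (the return address is assumed to be 004BF240, the byte after the five stolen bytes); the IAT slot address 004C8010 is a hypothetical placeholder that must be replaced with the real slot from the target's import table. The last function encodes a check a practitioner wants before "Copy all modifications to executable": only bytes that lie within a section's raw file data are written to disk, so a cave placed in the virtual-only tail of a section is silently lost.

```c
/*
 * Added example (not from the post): assemble a LoadLibraryA code cave for a
 * 32-bit PE as raw bytes and verify the displacements before patching.
 * Addresses come from the post; IAT_LL_VA is a hypothetical placeholder.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOOK_VA     0x004BF23Bu  /* site of the three stolen instructions */
#define CAVE_VA     0x0052152Au  /* free bytes that will hold the cave */
#define DLLNAME_VA  0x00521587u  /* "some.dll", written into the same free space */
#define RETURN_VA   0x004BF240u  /* ASSUMED: first byte after the 5 stolen bytes */
#define IAT_LL_VA   0x004C8010u  /* ASSUMED: exe's IAT slot holding &LoadLibraryA */

/* The 5 bytes overwritten by the hook: MOV ESI,EDX / MOV EBX,EAX / XCHG EAX,ESP.
 * None of them is EIP-relative, so they can be replayed verbatim in the cave. */
static const uint8_t STOLEN[] = { 0x8B, 0xF2, 0x8B, 0xD8, 0x94 };

/* rel32 for a 5-byte E8/E9 instruction located at insn_va reaching target */
int32_t rel32(uint32_t insn_va, uint32_t target)
{
    return (int32_t)(target - (insn_va + 5));
}

static size_t put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
    return 4;
}

/* 5-byte JMP rel32 that replaces the stolen instructions at HOOK_VA */
size_t build_hook(uint8_t out[5])
{
    out[0] = 0xE9;
    put32(out + 1, (uint32_t)rel32(HOOK_VA, CAVE_VA));
    return 5;
}

/* The cave: save state, call LoadLibraryA through the IAT, restore state,
 * replay the stolen bytes, jump back. Returns the number of bytes written. */
size_t build_cave(uint8_t *out, size_t cap)
{
    size_t n = 0;
    if (cap < 32) return 0;
    out[n++] = 0x60;                                  /* PUSHAD: LoadLibraryA clobbers EAX/ECX/EDX */
    out[n++] = 0x9C;                                  /* PUSHFD */
    out[n++] = 0x68; n += put32(out + n, DLLNAME_VA); /* PUSH offset "some.dll" */
    out[n++] = 0xFF; out[n++] = 0x15;                 /* CALL DWORD PTR [IAT_LL_VA] */
    n += put32(out + n, IAT_LL_VA);                   /* stdcall: callee pops the argument */
    out[n++] = 0x9D;                                  /* POPFD */
    out[n++] = 0x61;                                  /* POPAD */
    memcpy(out + n, STOLEN, sizeof STOLEN);           /* replay the original instructions */
    n += sizeof STOLEN;
    out[n] = 0xE9;                                    /* JMP back to RETURN_VA */
    put32(out + n + 1, (uint32_t)rel32(CAVE_VA + (uint32_t)n, RETURN_VA));
    n += 5;
    return n;
}

/* A cave is only saved to the file if it lies inside the section's raw data
 * (its SizeOfRawData), not in the virtual-only tail past it. */
int cave_is_file_backed(uint32_t sect_va, uint32_t sect_raw_size,
                        uint32_t cave_va, size_t cave_len)
{
    return cave_va >= sect_va && cave_va + cave_len <= sect_va + sect_raw_size;
}

/* Builds hook and cave and checks the encoding; 0 means every check passed. */
int self_check(void)
{
    uint8_t hook[5], cave[64];
    size_t clen = build_cave(cave, sizeof cave);
    build_hook(hook);
    if (hook[0] != 0xE9 || hook[1] != 0xEA || hook[2] != 0x22 ||
        hook[3] != 0x06 || hook[4] != 0x00) return 1;          /* JMP +0x622EA */
    if (clen != 25) return 2;
    if (cave[0] != 0x60 || cave[7] != 0xFF || cave[8] != 0x15) return 3;
    if (memcmp(cave + 15, STOLEN, sizeof STOLEN) != 0) return 4;
    if (cave[20] != 0xE9 || cave[21] != 0xFD || cave[22] != 0xDC ||
        cave[23] != 0xF9 || cave[24] != 0xFF) return 5;        /* JMP -0x62303 */
    return 0;
}

int main(void)
{
    uint8_t hook[5], cave[64];
    size_t i, hlen = build_hook(hook), clen = build_cave(cave, sizeof cave);
    printf("hook @%08X:", HOOK_VA);
    for (i = 0; i < hlen; i++) printf(" %02X", hook[i]);
    printf("\ncave @%08X:", CAVE_VA);
    for (i = 0; i < clen; i++) printf(" %02X", cave[i]);
    printf("\nself_check = %d\n", self_check());
    return 0;
}
```

The bytes printed by main are what you would paste into the debugger at HOOK_VA and CAVE_VA. The FF 15 form uses an absolute address, so if the executable is linked with /DYNAMICBASE and has a relocation table, that immediate also needs a relocation entry; for an exe that loads at its preferred base (the common case for older targets) it works as is.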