[Tutorial(C++)]How to call functions within another process

[radnomguywfq3]

Calling another processes functions
By : [MPGH] Jetamay\ Jeremy

Requirements
A debugger(Ollydbg)
Target Application(Download in attachments)
A C++ Compiler

Requested knowledge
Some debugging knowledge
How to program in asm(Basics of the Basics)
C++ (Quite familiar with the language)
InjecTOR
familiar with how DLLs work, and what they are.

Locating the function

Well, since we have the source-code to this target application, where going to use a string search, just so you know for the future, avoid string searching as much as possible. As you do not want to begin to lean on the strings for the answers.

So first lets take a look at the source code of our target(C++) :

#include "stdafx.h"
#include <iostream.h>
#include "dos.h"
void Write()
{
cout<<"You called a function n";
}

int main(int argc, char* argv[])
{
while(true);
return 0;
}

Quite simple. Now we have to locate the Write function in the debugger. How could we do this? Well its quite obvious as the function contains the string "You called a function \n". So there's out first clue. And probably the only one we need. So lets open it in a debugger. Lets perform a quick ASCII string search through the HEX dump for
"You called a function". You should find it at 00408040 Select the whole sentence, and press Find References to that address. Just as I thought, theres only one result at 00401000 . Now obviously thats the function. So what we need to do now is call 00401000.


Calling The Function

This is where your C++ knowledge comes in. What we need to do is program a DLL to go into our target and call the function at 00401000 . I will now explain to you what __asm is, and what its for.

__asm
{
mov eax,eax
}

Theres a really simple example of what it does, basically is executes any asm commands.

Lets take a look at this DLL.

#include "stdafx.h"
#include "dos.h"
void MainLoop()
{
void *addyres = (void*)0x00401000;
MessageBox(0,"About to call the function..","Calling",MB_OK);
__asm
{
call [addyres]
}
return;

}


BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch(ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
DisableThreadLibraryCalls(hModule);
CreateThread(NULL, 0, (unsigned long(__stdcall*)(void*))MainLoop, NULL, 0, NULL);
}
return TRUE;
}

Then inject the DLL. I'll do one one calling functions with parameters later -_-

By examining that, you should be able to understand how the whole process works, however I am writing this tutorial over remote assist, and its really inconvenient for me.

[angerist]

c:\documents and settings\julianana\my documents\visual studio 2008\projects\test hackk\test hackk\source.cpp(1) : fatal error C1083: Cannot open include file: 'stdafx.h': No such file or directory

[radnomguywfq3]

Try removing that line =X Your probably don't have a precompiled header

[angerist]

=X It works in vs6 lol.

Nothing happens when I inject it to MapleStory.exe. Im using this addy 0x0046EC10.

[boom342]

Why not.

[php]
typedef void(__cdecl* ChatOutputFunc)();
ChatOutputFunc ChatOutput = (ChatOutputFunc)0x00401000;[/php]

Then call it like this.

[php]ChatOutput();[/php]


so it would look like.

[php]#include "stdafx.h"
#include "dos.h"

typedef void(__cdecl* ChatOutputFunc)();
ChatOutputFunc ChatOutput = (ChatOutputFunc)0x00401000;

void MainLoop()
{
ChatOutput();
return;

}


BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch(ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
DisableThreadLibraryCalls(hModule);
CreateThread(NULL, 0, (unsigned long(__stdcall*)(void*))MainLoop, NULL, 0, NULL);
}
return TRUE;
} [/php]