Cut and Paste [i]XTREME![/i] :P

[csolar]

Heh, ok, I am working on a project and I have 1 function inside a dll that I need changed. I have located the function in the dll and I can block off the entire stretch of code in either a nice hex editor or PE Explorer.
I have another function that was built with the same libraries as the first dll, and I want to insert this function into the space the first function uses.

Basically I need to take one function I have in assembly code and transport it into another dll, replacing the current function inside. Heres some code:

  		Align	16
 SUB_L24010C40:
  		fld	dword ptr [esp+08h]
  		sub	esp,00000034h
  		fcom	qword ptr [L24242930]
  		push	esi
  		mov	esi,ecx
  		fnstsw	ax
  		test	ah,41h
  		jnz	L24010C61
  		fstp	ST(0)
  		fld	dword ptr [L242426B8]
  		jmp	L24010C76
 L24010C61:
  		fcom	qword ptr [L24242A60]
  		fnstsw	ax
  		test	ah,05h
  		jpe	L24010C76
  		fstp	ST(0)
  		fld	dword ptr [L24242430]
 L24010C76:
  		mov	eax,[L242DE108]
  		fld	dword ptr [eax+28h]
  		mov	ecx,[L242DE150]
  		fld	dword ptr [ecx+28h]
  		fsub	ST,ST(1)
  		fmul	ST,ST(2)
  		fadd	ST,ST(1)
  		fstp	dword ptr [esp+0Ch]
  		fstp	ST(0)
  		fstp	ST(0)
  		fld	dword ptr [esp+0Ch]
  		fabs
  		fmul	qword ptr [L24243220]
  		fstp	dword ptr [esp+04h]
  		fld	dword ptr [L242426B8]
  		fsub	dword ptr [esp+04h]
  		fstp	dword ptr [esp+08h]
  		jmp	L24010CC0
 L24010CB5:
  		fstp	ST(0)
  		jmp	L24010CC0
  		Align	8
 L24010CC0:
  		mov	ecx,[L242F1EA4]
  		mov	edx,[ecx]
  		push	3F800000h
  		push	BF800000h
  		call	[edx+04h]
  		fmul	dword ptr [esp+04h]
  		mov	ecx,[L242F1EA4]
  		mov	eax,[ecx]
  		push	3F800000h
  		fstp	dword ptr [esp+44h]
  		push	BF800000h
  		call	[eax+04h]
  		fmul	dword ptr [esp+08h]
  		mov	ecx,[L242F1EA4]
  		mov	edx,[ecx]
  		fadd	dword ptr [esp+40h]
  		push	3F800000h
  		push	BF800000h
  		fstp	dword ptr [esp+48h]
  		call	[edx+04h]
  		fmul	dword ptr [esp+04h]
  		mov	ecx,[L242F1EA4]
  		mov	eax,[ecx]
  		push	3F800000h
  		push	BF800000h
  		fstp	dword ptr [esp+18h]
  		call	[eax+04h]
  		fmul	dword ptr [esp+08h]
  		fadd	dword ptr [esp+10h]
  		fld	dword ptr [esp+0Ch]
  		fcomp	dword ptr [L24242430]
  		fnstsw	ax
  		test	ah,05h
  		jpe	L24010D8B
  		fld	dword ptr [esp+40h]
  		fcomp	dword ptr [L24242430]
  		fld	dword ptr [esp+40h]
  		fnstsw	ax
  		test	ah,01h
  		jnz	L24010D66
  		fsubr	qword ptr [L24242930]
  		jmp	L24010D6C
 L24010D66:
  		fsubr	qword ptr [L242439B0]
 L24010D6C:
  		fstp	dword ptr [esp+40h]
  		fcom	dword ptr [L24242430]
  		fnstsw	ax
  		test	ah,01h
  		jnz	L24010D85
  		fsubr	qword ptr [L24242930]
  		jmp	L24010D8B
 L24010D85:
  		fsubr	qword ptr [L242439B0]
 L24010D8B:
  		fld	ST(0)
  		fmul	ST,ST(1)
  		fld	dword ptr [esp+40h]
  		fmul	dword ptr [esp+40h]
  		faddp	ST(1),ST
  		fcomp	dword ptr [L242426B8]
  		fnstsw	ax
  		test	ah,41h
  		jz 	L24010CB5
  		mov	eax,[esp+3Ch]
  		fmul	dword ptr [eax+04h]
  		fld	ST(0)
  		fmul	dword ptr [esi+18h]
  		fstp	dword ptr [esp+14h]
  		mov	ecx,[esp+14h]
  		mov	[esp+2Ch],ecx
  		fld	ST(0)
  		fmul	dword ptr [esi+1Ch]
  		fstp	dword ptr [esp+18h]
  		mov	edx,[esp+18h]
  		mov	[esp+30h],edx
  		fmul	dword ptr [esi+20h]
  		fstp	dword ptr [esp+1Ch]
  		mov	ecx,[esp+1Ch]
  		fld	dword ptr [esp+40h]
  		mov	[esp+34h],ecx
  		fmul	dword ptr [eax]
  		fld	ST(0)
  		fmul	dword ptr [esi+0Ch]
  		fstp	dword ptr [esp+14h]
  		mov	edx,[esp+14h]
  		mov	[esp+20h],edx
  		fld	ST(0)
  		fmul	dword ptr [esi+10h]
  		fstp	dword ptr [esp+18h]
  		mov	eax,[esp+18h]
  		mov	[esp+24h],eax
  		fmul	dword ptr [esi+14h]
  		fstp	dword ptr [esp+1Ch]
  		mov	ecx,[esp+1Ch]
  		fld	dword ptr [esp+20h]
  		mov	[esp+28h],ecx
  		fadd	dword ptr [esi]
  		fstp	dword ptr [esp+14h]
  		mov	edx,[esp+14h]
  		fld	dword ptr [esp+24h]
  		mov	[esp+20h],edx
  		fadd	dword ptr [esi+04h]
  		fstp	dword ptr [esp+18h]
  		mov	eax,[esp+18h]
  		fld	dword ptr [esp+28h]
  		mov	[esp+24h],eax
  		fadd	dword ptr [esi+08h]
  		fstp	dword ptr [esp+1Ch]
  		mov	ecx,[esp+1Ch]
  		fld	dword ptr [esp+2Ch]
  		mov	[esp+28h],ecx
  		fadd	dword ptr [esp+20h]
  		fstp	dword ptr [esp+14h]
  		mov	edx,[esp+14h]
  		fld	dword ptr [esp+30h]
  		mov	[esp+2Ch],edx
  		fadd	dword ptr [esp+24h]
  		mov	[esi+24h],edx
  		fstp	dword ptr [esp+18h]
  		mov	eax,[esp+18h]
  		fld	dword ptr [esp+34h]
  		mov	[esp+30h],eax
  		fadd	dword ptr [esp+28h]
  		lea	eax,[esi+24h]
  		pop	esi
  		fstp	dword ptr [esp+18h]
  		mov	ecx,[esp+18h]
  		mov	[esp+30h],ecx
  		mov	ecx,[esp+2Ch]
  		mov	edx,[esp+30h]
  		mov	[eax+04h],ecx
  		mov	[eax+08h],edx
  		add	esp,00000034h
  		retn	0008h

Thats the function I am going to replace with this one:

  		Align	16
 SUB_L24010C60:
  		sub	esp,0000003Ch
  		push	esi
  		mov	esi,ecx
  		mov	ecx,[L242F1EA4]
  		mov	eax,[ecx]
  		push	3F800000h
  		push	00000000h
  		call	[eax+04h]
  		fstp	dword ptr [esp+0Ch]
  		mov	ecx,[L242F1EA4]
  		mov	edx,[ecx]
  		push	40C90FDBh
  		push	00000000h
  		call	[edx+04h]
  		fstp	dword ptr [esp+18h]
  		lea	eax,[esp+04h]
  		lea	ecx,[esp+08h]
  		mov	[esp+14h],eax
  		mov	[esp+10h],ecx
  		fld	dword ptr [esp+18h]
  		fsincos
  		mov	edx,[esp+14h]
  		mov	eax,[esp+10h]
  		fstp	dword ptr [edx]
  		fstp	dword ptr [eax]
  		fld	dword ptr [esp+04h]
  		fmul	dword ptr [esp+0Ch]
  		mov	eax,[esp+44h]
  		fmul	dword ptr [eax+04h]
  		fld	ST(0)
  		fmul	dword ptr [esi+18h]
  		fstp	dword ptr [esp+1Ch]
  		mov	edx,[esp+1Ch]
  		mov	[esp+34h],edx
  		fld	ST(0)
  		fmul	dword ptr [esi+1Ch]
  		fstp	dword ptr [esp+20h]
  		mov	ecx,[esp+20h]
  		mov	[esp+38h],ecx
  		fmul	dword ptr [esi+20h]
  		fstp	dword ptr [esp+24h]
  		mov	edx,[esp+24h]
  		fld	dword ptr [esp+08h]
  		mov	[esp+3Ch],edx
  		fmul	dword ptr [esp+0Ch]
  		fmul	dword ptr [eax]
  		fld	ST(0)
  		fmul	dword ptr [esi+0Ch]
  		fstp	dword ptr [esp+1Ch]
  		mov	eax,[esp+1Ch]
  		mov	[esp+28h],eax
  		fld	ST(0)
  		fmul	dword ptr [esi+10h]
  		fstp	dword ptr [esp+20h]
  		mov	ecx,[esp+20h]
  		mov	[esp+2Ch],ecx
  		fmul	dword ptr [esi+14h]
  		fstp	dword ptr [esp+24h]
  		mov	edx,[esp+24h]
  		fld	dword ptr [esp+28h]
  		mov	[esp+30h],edx
  		fadd	dword ptr [esi]
  		fstp	dword ptr [esp+1Ch]
  		mov	eax,[esp+1Ch]
  		fld	dword ptr [esp+2Ch]
  		mov	[esp+28h],eax
  		fadd	dword ptr [esi+04h]
  		fstp	dword ptr [esp+20h]
  		mov	ecx,[esp+20h]
  		fld	dword ptr [esp+30h]
  		mov	[esp+2Ch],ecx
  		fadd	dword ptr [esi+08h]
  		fstp	dword ptr [esp+24h]
  		mov	edx,[esp+24h]
  		fld	dword ptr [esp+34h]
  		mov	[esp+30h],edx
  		fadd	dword ptr [esp+28h]
  		fstp	dword ptr [esp+1Ch]
  		mov	eax,[esp+1Ch]
  		fld	dword ptr [esp+38h]
  		fadd	dword ptr [esp+2Ch]
  		fstp	dword ptr [esp+20h]
  		fld	dword ptr [esp+3Ch]
  		fadd	dword ptr [esp+30h]
  		fstp	dword ptr [esp+24h]
  		mov	ecx,[esp+20h]
  		mov	edx,[esp+24h]
  		mov	[esp+38h],ecx
  		mov	[esp+34h],eax
  		mov	ecx,[esp+34h]
  		lea	eax,[esi+24h]
  		mov	[esp+3Ch],edx
  		mov	edx,[esp+38h]
  		mov	[eax],ecx
  		mov	ecx,[esp+3Ch]
  		mov	[eax+04h],edx
  		mov	[eax+08h],ecx
  		pop	esi
  		add	esp,0000003Ch
  		retn	0008h

My problem is that when I just do a straight move I end up with a dll where it has no clue what is going on in that address space. Basically PE Explorer just prints out the ascii characters denoted by each command.

What I do to just straight copy function2 to function1 is zero out all the space for function1 in the dll then copy my new function into the zero space, since function2 is smaller then function1 I am left with a bunch of zeros, but the dll remains sizeably correct and the dll is still useable.

Thank you for any tips or support!

 

[zeitghost]

I assume that you lack the source code for the dll?

 

[cpjust]

Are you practicing to write a virus or something?

 

[csolar]

No, I am making a mod. The two functions are different ways to apply shot distribution.

 

[Salem]

> My problem is that when I just do a straight move I end up with a dll where it has no
> clue what is going on in that address space.
Well you also need to do some major hacking to the section information, relocation tables and probably some other stuff as well.

If you study the PE header format in detail, you'll see that the code is far more than just an array of bytes loaded directly into memory, there's stuff like relocation which happens when the file is loaded into memory.

So, why can't your exe depend on two DLL's rather than just the one?

--

 

[csolar]

I do not have access to have the exe load two dlls, but what you suggest is what I was thinking I was going to have to do...

The dll is created using an sdk so I what I have been doing is modifing the sdk with the code I want, opening the new dll created by the sdk in pe explorer and copying the code I changed into the old dll that I am trying to mod. What I am going to have to do I guess is have 3 pe explorer's open, one display the old dll, one displaying the new dll with my new code, and one displaying the new dll with the old code. That way I can look at the adresses in both the new dll's and edit the old dll so that none of the required addresses change.

Atleast, I *think* thats what I need to do

 

[csolar]

Well you also need to do some major hacking to the section information, relocation tables and probably some other stuff as well.

If you study the PE header format in detail, you'll see that the code is far more than just an array of bytes loaded directly into memory, there's stuff like relocation which happens when the file is loaded into memory.

So, why can't your exe depend on two DLL's rather than just the one?

Thanks for the information, I just tried the solution I refered to above and it still doesn't work. The thing is, whenever I change the code that I *know* does shot distribution, I save the dll and load up the game and the shot's don't change whatsoever.. THis is the code that does the new shot distro:

	// get circular gaussian spread
	float x, y;
	float r, theta;
	float sinTheta, cosTheta;

	// Generate a random polar coordinate
	r = random->RandomFloat (0,1);
	theta = random->RandomFloat (0, DEG2RAD(360));

	// ---------------------------------------------------------------------------------
	// Note - this polar coordinate we created does not create a random point spread
	// inside the unit circle.  The key is the radius (R) randomization.  Half of
	// our random radius points will lie between 0.0 and 0.5, and the other half
	// from 0.5 to 1.0.  So half of our shots will lie in the inner half of the circle, 
	// and the other half on the outer half.  But since the area of the outer half is
	// larger than the inner half, we'll end up with a greater spread.
	// For a good writeup on randomness in circles (or lack of randomness), check
	// out [URL unfurl="true"]http://mathworld.wolfram.com/DiskPointPicking.html[/URL]
	// ---------------------------------------------------------------------------------

	// Convert to cartesian (X/Y) coordinates
	SinCos (theta, &sinTheta, &cosTheta);
	x = r * sinTheta;
	y = r * cosTheta;

	m_vecResult = m_vecShotDirection + x * vecSpread.x * m_vecRight + y * vecSpread.y * m_vecUp;

	return m_vecResult;

And if you look at the second set of assembler instructions I post firstly, the code matches. So I have no clue where this game is pulling out the regular shot distribution, because after I edit it it turns into random garbage in pe explorer, so I assume the game doesn't load it very well...

But anyway, how would I go about editing the section information and relocation tables? I can see the options in pe explorer, but I cant do much.

What really made me confused was, I used pe explorer to completly remove the relocation information, in a random attempt to get it to work, and the game still loaded the dll ok and I could still play the game with everything like normal...

 

[csolar]

Also, could anyone tell me what would cause PE Explorer to report an "Except Line At:" in the problems and messages box? I noticed that some of my new function shows up in the address space, but when it reverts back to random ascii characters PE explorer reports that there is an except line on that point..