How to modify a function in a compiled DLL

c++ windows dll reverse-engineering disassembly
Herno picture Herno · Feb 25, 2013 · Viewed 20.6k times · Source

I want to know if it is possible to "edit" the code inside an already compiled DLL.

I.E. imagine that there is a function called sum(a,b) inside Math.dll which adds the two numbers a and b

Let's say i've lost the source code of my DLL. So the only thing i have is the binary DLL file. Is there a way i could open that binary file, locate where my function resides and replace the sum(a,b) routine with, for example, another routine that returns the multiplication of a and b (instead of the sum)?

In Summary, is it posible to edit Binary code files?

maybe using reverse engineering tools like ollydbg?

Answer

Freedom_Ben picture Freedom_Ben · Feb 25, 2013

Yes it is definitely possible (as long as the DLL isn't cryptographically signed), but it is challenging. You can do it with a simple Hex editor, though depending on the size of the DLL you may have to update a lot of sections. Don't try to read the raw binary, but rather run it through a disassembler.

Inside the compiled binary you will see a bunch of esoteric bytes. All of the opcodes that are normally written in assembly as instructions like "call," "jmp," etc. will be translated to the machine architecture dependent byte equivalent. If you use a disassembler, the disassembler will replace these binary values with assembly instructions so that it is much easier to understand what is happening.

Inside the compiled binary you will also see a lot of references to hard coded locations. For example, instead of seeing "call add()" it will be "call 0xFFFFF." The value here is typically a reference to an instruction sitting at a particular offset in the file. Usually this is the first instruction belonging to the function being called. Other times it is stack setup/cleanup code. This varies by compiler.

As long as the instructions you replace are the exact same size as the original instructions, your offsets will still be correct and you won't need to update the rest of the file. However if you change the size of the instructions you replace, you'll need to manually update all references to locations (this is really tedious btw).

Hint: If the instructions you're adding are smaller than what you replaced, you can pad the rest with NOPs to keep the locations from getting off.

Hope that helps, and happy hacking :-)

Related questions

REGSVR32: the module "xxxxx.dll" failed to load ... dependent assembly could not be found

I'm having an issue with regards to registering a *.dll under Windows 7 x64. I've tried placing the *.dll in both, C:/Windows/System32 and C:/Windows/SysWOW64 and attempting to register with "regsvr32 xxxxx.dll" under an elevated command prompt. …

Read More
__cdecl or __stdcall on Windows?

I'm currently developing a C++ library for Windows which will be distributed as a DLL. My goal is to maximize binary interoperability; more precisely, the functions in my DLL must be usable from code compiled with multiple versions of MSVC++ …

Read More
What's the differences between .dll , .lib, .h files?

Why in a project should I include some *.lib, .h or some other files? And what are these things used for?

Read More