Home/ Questions/Q 9125299
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T06:46:23+00:00

I was reading up on various things on CodeProject and I found this article:

  • 0

I was reading up on various things on CodeProject and I found this article: http://www.codeproject.com/Articles/29527/Reverse-Engineering-and-Function-Calling-by-Addres

So what I did was I created an injector and a DLL, and grabbed the sample executable file. It basically outputs this when you press F11:
https://i.stack.imgur.com/YIygV.jpg

So I followed the entire tutorial, but the thing is that the address used in the DLL is always changing. This one to be specific:

pFunctionAddress pMySecretFunction = (pFunctionAddress)(0x004113C0);

In his tutorial the address for the function is 0x004113C0. In mine it is something else, and I take the one I have and use it. It works perfectly, but when I close the executable and open it, it won’t work anymore, and OllyDbg shows that the address is a totally new one.

So I researched a bit and I started adding breakpoints with OllyDbg. I found out that the address is always going to be:

main + 4C

Where I guess “main” is the main module of these executable. How can I find this address to the function always? Because it changes all the time and I am clueless at this point. In this article I read it doesn’t go through what happens when the executable is re-opened, and I’ve spent 5 hours trying to find a solution.

Thanks in advance!

EDIT:

Huge thanks to everyone. Thanks to mfc especially, I have finally figured it out! What I ended up doing was whenever I hit DLL_PROCESS_ATTACH, I set a global HMODULE to the address of the executable, like this:

HMODULE g_hExeModule;
g_hExeModule = GetModuleHandle(L"TutExample.exe");

And after a few tests it seems like the function address is always the address of the executable + 0x11014, so in the call I just do:

pFunctionAddress pMySecretFunction = (pFunctionAddress)((DWORD)g_hExeModule + 0x11014);
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I cannot edit my post nor add any remark, so I have to post this as a new answer.

    Your result:

    Exe loaded at: 00000000 (wrong, probably: 00BE0000 and offset is: 00001005)
Target function at: 00BE1005
Exe loaded at: 00000000 (wrong, probably: 01230000 and offset is: 00001005)
Target function at: 01231005
Exe loaded at: 00000000 (wrong, probably: 012A0000 and offset is: 00001005)
Target function at: 012A1005

    Please check the name of your compiled exe, is it “TutExample.exe” ? if not, change it to the exact name in the call to GetModuleHandle.

    The value of “00000000” indicates that the GetModuleHandle fails because the name “TutExample.exe” is not found in the current memory space.

    The address of target function seems ok. Just minus this address with the address of loaded exe and you will get the offset inside the exe memory layout.

    You can do this same math inside your injected dll to alway tracks the target function address correctly no matter how the os loads the exe.

    • 0