Tags: c, executable, ollydbg

How to call a function located in an executable from a loaded DLL?


I have located a function inside an executable which I'd like to call from my DLL. The address of it would be 0x0090DE00 according to OllyDbg. I've tried to call it directly:

luaL__openlib *f = ((luaL__openlib*)(0x0090DE00));

but also with adding the base of the module handle to it as suggested here:

uint8_t * module_handle = (uint8_t *)GetModuleHandle(L"ForgedAlliance1.exe");

luaL__openlib *f = ((luaL__openlib*)(module_handle  + 0x0090DE00));

It appears that this is not working as I get access violation exceptions - it appears that the pointer is not valid.

So: How can I call this function by using its address?


I just inserted a simple RET instruction at 0x00C0B530. My code does now look as follows:

typedef void (*test) ();

EXTERN_DLL_EXPORT void initialize(lua_State *L)
{
    // Adding this should not be necessary. I get 0x00C0B530 from 
    // OllyDbg where the offset 0x00401000 is included
    uint8_t * module_handle = (uint8_t *)GetModuleHandle(L"ForgedAlliance1.exe");

    test *f = NULL;

    f = ((test*)(0x00C0B530));

    (*f)(); // Crashing 
}

What I don't quite understand is why I get a different address in the exception message:

Exception thrown at 0x909090C3 in ForgedAlliance1.exe: 0xC0000005: Access violation executing location 0x909090C3.


UPDATE: I just realized that 0x909090C3 is not just a pointer here, it is the code itself

90 | NOP
90 | NOP
90 | NOP
C3 | RETN

Seems I am messing something up with pointers. Why does it try to execute "location" 0x909090C3? That's not the location.


Solution

  • Alright, it was just a pointer mess-up. Sorry for that - did not write in C for quite a while. I did it right, basically, but the problem with

    f = ((test*)(0x00C0B530));
    (*f)();  
    

    is that (*f) is 0x909090C3 - the instructions inside the executable - and this is the address the program tries to jump to, which is of course invalid.

    So the trick was:

    int test_addr = 0x00C0B530;
    f = ((test*)(&test_addr));
    (*f)();
    

    I am sure this can be done a bit simpler but this is working now.
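An added example, not from the question or the answer above, showing the pointer mix-up the thread is about and the direct idiom the answer hints at. The `int test_addr; f = (test*)&test_addr;` trick works only because `sizeof(int)` equals the pointer size on 32-bit Windows; the plain form is to cast the integer to the function-pointer type itself and call it. The example uses a local function as a stand-in for the one at 0x00C0B530 so it runs on any platform; the preferred image base 0x00400000 used in the rebasing helper is an assumption (the usual default for a 32-bit EXE, not something the thread states), and the `runtime_base` helper only compiles on Windows.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Signature of the target. The post's target returns nothing; here it
 * returns a marker value so the call can be checked. */
typedef int (*target_fn)(void);

/* Stand-in for the function found in the executable (assumption: replaces
 * the real code at 0x00C0B530 so the example runs anywhere). */
int target(void)
{
    return 0x1234;
}

/* Correct idiom: the integer IS the function pointer. Cast the address to
 * the function-pointer type, not to a pointer to a function pointer. */
int call_by_address(uintptr_t addr)
{
    target_fn f = (target_fn)addr;
    return f();
}

/* What the post's `f = (test*)addr; (*f)();` really does: it treats the
 * bytes stored AT addr (the machine code) as a pointer value and jumps
 * there. This returns that value instead of jumping to it; in the post it
 * was 0x909090C3. Reading code bytes works on x86 where .text is readable. */
uint32_t wrong_deref(uintptr_t addr)
{
    uint32_t first_dword;
    memcpy(&first_dword, (const void *)addr, sizeof first_dword);
    return first_dword;
}

/* Convert a virtual address taken from a disassembler (which assumes the
 * PE's preferred image base) into the address valid at run time. Only
 * matters when the module is relocated (ASLR or a base collision). */
uintptr_t rebase(uintptr_t static_va, uintptr_t preferred_base, uintptr_t actual_base)
{
    return static_va - preferred_base + actual_base;
}

#ifdef _WIN32
#include <windows.h>
/* Run-time base of a loaded module, e.g. "ForgedAlliance1.exe". */
uintptr_t runtime_base(const char *module_name)
{
    return (uintptr_t)GetModuleHandleA(module_name);
}
#endif

int main(void)
{
    uintptr_t addr = (uintptr_t)target;

    printf("target at %#lx\n", (unsigned long)addr);
    printf("call_by_address -> %#x\n", call_by_address(addr));
    printf("first code dword, i.e. where (*f)() would jump -> %#x\n", wrong_deref(addr));

    /* Assumption: preferred image base 0x00400000; module relocated to 0x10000000. */
    printf("0x00C0B530 rebased -> %#lx\n",
           (unsigned long)rebase(0x00C0B530, 0x00400000, 0x10000000));
    return 0;
}
```

On the real target, `call_by_address(0x00C0B530)` is the whole fix when the executable loads at its preferred base; if it does not, pass `rebase(0x00C0B530, 0x00400000, runtime_base("ForgedAlliance1.exe"))` instead.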