Jump to content
Tuts 4 You

5Byte detour ideas

D3ADB33F

By D3ADB33F
in Programming and Coding

Recommended Posts

D3ADB33F

D3ADB33F

Posted
Posted

Hi, 


 


I am just wondering if something like this will work; 


 


static short(__stdcall*_GetAsyncKeyState)(int vKey);

_GetAsyncKeyState = (short(__stdcall*)(int))((DWORD)GetAsyncKeyState + 0x5);

 

if( GetAsyncKeyState(VK_XBUTTON1) )

{

RelevantFunction();

Sleep(50);

}

}
evlncrn8

evlncrn8

Posted
Posted

depends if the first instruction really is 5 bytes total or more doesnt it

deepzero

deepzero

Posted
Posted

what are you trying to do and what do you think your code snippet accomplishes?


atom0s

atom0s

Posted
Posted

Your code in the first post is just calling the function as normal. Nothing you posted is detouring, hooking, or anything.


_GetAsyncKeyState will also crash your app if you call it because you are corrupting the stack by removing the calling convention bytes.


 


From what it looks like you are trying to do, you want to "hook hop" the first 5 bytes or something. You can do that by using stuff like:


 



mov eax, apiAddress         // Store the API address in EAX..

add eax, 5                  // Step 5 bytes ahead of the API start..

 

// push arguments here..

 

mov edi, edi                // Restore the __stdcall calling convention..

push ebp                    // Restore the __stdcall calling convention..

mov ebp, esp                // Restore the __stdcall calling convention..

jmp eax                     // Call the API..

evlncrn8

evlncrn8

Posted
Posted

another alternative is to check the first 2 bytes are the typical 'padder' bytes.,. like mov edi, edi, then check if the 5 bytes back from it are all 90h or CCh, (nops or int 3 padding between functions), then its easier to do the jmp $-7 for the first 2 bytes, then the 5 bytes back from that can go to your hook prologue, and then jump back to real api va +2.. considerably less messy

D3ADB33F

D3ADB33F

Posted
  • Author
Posted (edited)

trying to 5byte jump GetASyncKeyState, 5bytes is required for its purpose.


Edited by D3ADB33F
evlncrn8

evlncrn8

Posted
Posted (edited)

you didnt read / understand what i said did you?

.7DC8EB91: 9090909090 nop

GetAsyncKeyState: mov edi,edi

.7DC8EB98: 55 push ebp

.7DC8EB99: 8BEC mov ebp,esp

see the first 2 bytes... mov edi,edi.. does nothing, padding bytes, so we can use them

see the 5 nops before the start of the function? yeh....

.7DC8EB91: E9FFFFFFFF jmp .07DC8EB95 ; pur your jump to your hook here (FFFFFFFF here was just me filling in the bytes)

GetAsyncKeyState:

.7DC8EB96: EBF9 jmps .07DC8EB91 ; jump 5 bytes back (our caving area)

and then your code can call the real api (api va + 2 bytes)

much much tidier, less bullshit especially with nested calling and other nastiness..

see ?

Edited by evlncrn8
  • Like 1
Peter Ferrie

Peter Ferrie

Posted
Posted

that should say "EBF9" not "E9FA", but the idea is correct.

evlncrn8

evlncrn8

Posted
Posted

ah good point, cheers peter, simple typo

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...