Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

5Byte detour ideas

Hi,

I am just wondering if something like this will work:

#include <windows.h>

static short (__stdcall *_GetAsyncKeyState)(int vKey);
_GetAsyncKeyState = (short (__stdcall *)(int))((DWORD)GetAsyncKeyState + 0x5);

if (GetAsyncKeyState(VK_XBUTTON1))
{
    RelevantFunction();
    Sleep(50);
}

Depends on whether the first instruction really is 5 bytes total or more, doesn't it?

What are you trying to do, and what do you think your code snippet accomplishes?

Your code in the first post is just calling the function as normal. Nothing you posted is detouring, hooking, or anything.

_GetAsyncKeyState will also crash your app if you call it, because you are corrupting the stack by removing the calling convention bytes.

From what it looks like you are trying to do, you want to "hook hop" the first 5 bytes or something. You can do that by using stuff like:

mov eax, apiAddress         // Store the API address in EAX..
add eax, 5                  // Step 5 bytes ahead of the API start..

// push arguments here..

mov edi, edi                // Restore the __stdcall calling convention..
push ebp                    // Restore the __stdcall calling convention..
mov ebp, esp                // Restore the __stdcall calling convention..
jmp eax                     // Call the API..

Another alternative is to check that the first 2 bytes are the typical 'padder' bytes, like mov edi, edi, then check whether the 5 bytes before it are all 90h or CCh (nops or int 3 padding between functions). Then it is easier to do the jmp $-7 in the first 2 bytes; the 5 bytes before that can go to your hook prologue, and then jump back to the real API VA + 2. Considerably less messy.

Trying to 5-byte jump GetAsyncKeyState; 5 bytes is required for its purpose.


Edited by D3ADB33F

You didn't read / understand what I said, did you?

.7DC8EB91: 9090909090      nop
GetAsyncKeyState:          mov edi,edi
.7DC8EB98: 55              push ebp
.7DC8EB99: 8BEC            mov ebp,esp

See the first 2 bytes... mov edi,edi... does nothing, padding bytes, so we can use them.

See the 5 nops before the start of the function? Yeh....

.7DC8EB91: E9FFFFFFFF      jmp .07DC8EB95   ; put your jump to your hook here (FFFFFFFF here was just me filling in the bytes)
GetAsyncKeyState:
.7DC8EB96: EBF9            jmps .07DC8EB91  ; jump 5 bytes back (our caving area)

And then your code can call the real API (API VA + 2 bytes).

Much, much tidier, less bullshit, especially with nested calling and other nastiness..

See?

Edited by evlncrn8
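The layout described in the two replies above (five free bytes of 90h/CCh padding before the function, a do-nothing mov edi,edi at the entry, a jmp rel32 written into the padding, a short jmp -7 written over the first two bytes, and the real function reached at entry + 2) is shown below as an added example; it is not code from the thread or from any of its posters. It is a byte-level model in C that works on buffers and 32-bit virtual addresses only, never on a live process, so it runs on any host. The addresses are modeled on the listing above (entry 7DC8EB96h, padding at 7DC8EB91h); the hook address 7DC8EB95h used in demo() is an assumed placeholder that reproduces the poster's FF FF FF FF filler, not a real hook location. hotpatch_state() is the precondition check the second reply asks for before patching, and doubles as the integrity check a defender would run to notice that a known API now carries the E9 / EB F9 pair.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the hot-patch detour layout from the thread:
 *   entry - 5 : five pad bytes (90h NOPs or CCh INT3s between functions)
 *   entry     : 8B FF  mov edi,edi  (2-byte do-nothing prologue)
 *   entry + 2 : 55     push ebp, 8B EC mov ebp,esp ...
 * After patching:
 *   entry - 5 : E9 rel32  jmp hook
 *   entry     : EB F9     jmp short -7 (back to entry - 5)
 *   entry + 2 : the real function, which the hook calls through to. */

enum hp_state { HP_NOT_HOTPATCHABLE = 0, HP_CLEAN = 1, HP_HOOKED = 2 };

/* Classify the 7 bytes starting at pad = entry - 5. This is the
 * precondition check before patching and the integrity check afterwards
 * (an unexpected E9 / EB F9 pair at a known-clean API means a detour). */
enum hp_state hotpatch_state(const uint8_t *pad)
{
    const uint8_t *entry = pad + 5;
    if (entry[0] == 0x8B && entry[1] == 0xFF) {
        for (int i = 0; i < 5; i++)
            if (pad[i] != 0x90 && pad[i] != 0xCC)
                return HP_NOT_HOTPATCHABLE;   /* pad is live code, not free space */
        return HP_CLEAN;
    }
    if (pad[0] == 0xE9 && entry[0] == 0xEB && entry[1] == 0xF9)
        return HP_HOOKED;
    return HP_NOT_HOTPATCHABLE;               /* no mov edi,edi prologue: leave it alone */
}

/* Produce the 7 patch bytes for a given entry and hook address (32-bit VAs).
 * Returns the call-through address: entry + 2, past the overwritten
 * mov edi,edi and onto the intact push ebp / mov ebp,esp. Jumping to
 * entry + 5 instead, as the first post does, would skip the frame setup
 * too, which is the stack corruption the replies warn about. */
uint32_t encode_hotpatch(uint32_t entry_va, uint32_t hook_va, uint8_t out[7])
{
    uint32_t pad_va = entry_va - 5;
    /* E9 rel32 is relative to the end of the 5-byte jmp, i.e. entry_va */
    uint32_t rel32 = hook_va - (pad_va + 5);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)               /* little-endian, host-independent */
        out[1 + i] = (uint8_t)(rel32 >> (8 * i));
    /* EB rel8 at entry: next instruction is entry_va + 2, so rel8 = -7 = F9h */
    out[5] = 0xEB;
    out[6] = (uint8_t)(pad_va - (entry_va + 2));
    return entry_va + 2;
}

/* Decode where a patched pad jumps to (detection side: resolve the hook). */
uint32_t hook_target(const uint8_t *pad, uint32_t pad_va)
{
    uint32_t rel32 = 0;
    for (int i = 0; i < 4; i++)
        rel32 |= (uint32_t)pad[1 + i] << (8 * i);
    return pad_va + 5 + rel32;
}

/* Encode then decode, so the rel32 arithmetic can be checked without a
 * live process. */
uint32_t hotpatch_roundtrip(uint32_t entry_va, uint32_t hook_va)
{
    uint8_t buf[7];
    encode_hotpatch(entry_va, hook_va, buf);
    return hook_target(buf, entry_va - 5);
}

/* Walk the whole flow on a constructed buffer laid out like the listing
 * (entry 7DC8EB96h, pad at 7DC8EB91h). hook_va = 7DC8EB95h is an assumed
 * placeholder that reproduces the thread's FF FF FF FF rel32; it is not a
 * real hook address. Returns the call-through address, or 0 on any failed
 * check. */
uint32_t demo(void)
{
    uint8_t buf[7] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x8B, 0xFF};
    const uint32_t entry_va = 0x7DC8EB96u, hook_va = 0x7DC8EB95u;
    if (hotpatch_state(buf) != HP_CLEAN) return 0;
    uint32_t call_through = encode_hotpatch(entry_va, hook_va, buf);
    if (hotpatch_state(buf) != HP_HOOKED) return 0;
    if (buf[1] != 0xFF || buf[4] != 0xFF || buf[6] != 0xF9) return 0;
    if (hook_target(buf, entry_va - 5) != hook_va) return 0;
    return call_through;                      /* 0x7DC8EB98 */
}

int main(void)
{
    uint32_t ct = demo();
    printf("call-through = %08X (expect 7DC8EB98)\n", ct);
    printf("roundtrip    = %08X (expect 00401000)\n",
           hotpatch_roundtrip(0x7DC8EB96u, 0x00401000u));
    return ct == 0x7DC8EB98u ? 0 : 1;
}
```

The state check is deliberately strict: a function whose first two bytes are not 8B FF, or whose preceding five bytes contain anything other than 90h or CCh, is reported as not hot-patchable rather than patched anyway, which is the "check the padder bytes first" step from the second reply. On the detection side, hook_target() turns a found E9 into the address the detour lands on, which is the value an integrity monitor would log.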

That should say "EBF9" not "E9FA", but the idea is correct.

Ah, good point, cheers Peter, simple typo.
