Jump to content
Tuts 4 You

5Byte detour ideas


Recommended Posts



I am just wondering if something like this will work; 


static short(__stdcall*_GetAsyncKeyState)(int vKey);
_GetAsyncKeyState = (short(__stdcall*)(int))((DWORD)GetAsyncKeyState + 0x5);
if( GetAsyncKeyState(VK_XBUTTON1) )
Link to comment

Your code in the first post is just calling the function as normal. Nothing you posted is detouring, hooking, or anything.

_GetAsyncKeyState will also crash your app if you call it because you are corrupting the stack by removing the calling convention bytes.


From what it looks like you are trying to do, you want to "hook hop" the first 5 bytes or something. You can do that by using stuff like:


mov eax, apiAddress         // Store the API address in EAX..
add eax, 5                  // Step 5 bytes ahead of the API start..
// push arguments here..
mov edi, edi                // Restore the __stdcall calling convention..
push ebp                    // Restore the __stdcall calling convention..
mov ebp, esp                // Restore the __stdcall calling convention..
jmp eax                     // Call the API..

Link to comment

another alternative is to check the first 2 bytes are the typical 'padder' bytes.,. like mov edi, edi, then check if the 5 bytes back from it are all 90h or CCh, (nops or int 3 padding between functions), then its easier to do the jmp $-7 for the first 2 bytes, then the 5 bytes back from that can go to your hook prologue, and then jump back to real api va +2.. considerably less messy

Link to comment

you didnt read / understand what i said did you?

.7DC8EB91: 9090909090 nop

GetAsyncKeyState: mov edi,edi

.7DC8EB98: 55 push ebp

.7DC8EB99: 8BEC mov ebp,esp

see the first 2 bytes... mov edi,edi.. does nothing, padding bytes, so we can use them

see the 5 nops before the start of the function? yeh....

.7DC8EB91: E9FFFFFFFF jmp .07DC8EB95 ; pur your jump to your hook here (FFFFFFFF here was just me filling in the bytes)


.7DC8EB96: EBF9 jmps .07DC8EB91 ; jump 5 bytes back (our caving area)

and then your code can call the real api (api va + 2 bytes)

much much tidier, less bullshit especially with nested calling and other nastiness..

see ?

Edited by evlncrn8
  • Like 1
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...