Tuts 4 You

5Byte detour ideas


D3ADB33F


Hi,

I am just wondering if something like this will work:

#include <windows.h>

// Function pointer intended to enter GetAsyncKeyState 5 bytes past its start
static short (__stdcall *_GetAsyncKeyState)(int vKey);
_GetAsyncKeyState = (short (__stdcall *)(int))((DWORD)GetAsyncKeyState + 0x5);

// Poll the key state through the normal GetAsyncKeyState export
if (GetAsyncKeyState(VK_XBUTTON1))
{
    RelevantFunction();
    Sleep(50);
}

Your code in the first post is just calling the function as normal. Nothing you posted is detouring, hooking, or anything.


_GetAsyncKeyState will also crash your app if you call it because you are corrupting the stack by removing the calling convention bytes.



From what it looks like you are trying to do, you want to "hook hop" the first 5 bytes or something. You can do that by using stuff like:

mov eax, apiAddress         // Load the API's entry address into EAX..
add eax, 5                  // Step 5 bytes ahead of the API start, past mov edi,edi / push ebp / mov ebp,esp..

// push arguments here (right to left, as __stdcall expects)..

push offset done            // Push a return address ourselves, since we jmp instead of call..
mov edi, edi                // Replay the skipped 2-byte hotpatch nop (does nothing, kept for clarity)..
push ebp                    // Replay the frame setup the skipped prologue would have done..
mov ebp, esp                // ..so the API finds its arguments at [ebp+8] as usual..
jmp eax                     // Enter the API past its first 5 bytes; its ret N pops the arguments..
done:


Another alternative is to check that the first 2 bytes are the typical 'padder' bytes, like mov edi, edi, then check if the 5 bytes back from it are all 90h or CCh (nops or int 3 padding between functions). Then it's easier to do the jmp $-7 for the first 2 bytes; the 5 bytes back from that can go to your hook prologue, and then jump back to the real API VA + 2. Considerably less messy.


You didn't read / understand what I said, did you?

.7DC8EB91: 9090909090 nop

GetAsyncKeyState: mov edi,edi

.7DC8EB98: 55 push ebp

.7DC8EB99: 8BEC mov ebp,esp

See the first 2 bytes... mov edi,edi... does nothing, padding bytes, so we can use them.

See the 5 nops before the start of the function? Yeah....

.7DC8EB91: E9FFFFFFFF jmp .07DC8EB95 ; put your jump to your hook here (FFFFFFFF here was just me filling in the bytes)

GetAsyncKeyState:

.7DC8EB96: EBF9 jmps .07DC8EB91 ; jump 5 bytes back (our caving area)

And then your code can call the real API (API VA + 2 bytes).

Much, much tidier, less bullshit especially with nested calling and other nastiness...

See?

Edited by evlncrn8
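Added example, not code from the thread or from any of its posters: a byte-level planner and checker for both techniques discussed above, the "+5 hook hop" from the second reply and the 7-byte hot patch from the last one. It works on a constructed copy of the bytes around a hot-patchable 32-bit export (five NOPs at 7DC8EB91, the prologue at 7DC8EB96, mirroring the listing in the last post); the hook address 0x00401000, the function names and the filler bytes after the prologue are my assumptions. It checks the preconditions each poster relies on (8B FF 55 8B EC at the entry; 90h/CCh padding in front of it), computes the E9 rel32 and EB F9 encodings with their end-of-instruction-relative displacements, and, for the detection side, recovers the hook address from an already-patched export. Nothing here writes live memory: on Windows the same bytes would be written after VirtualProtect() made the page writable, which is not shown.

```c
/* Added example (not from the thread): plan and check a hot-patch detour
 * against a constructed in-memory copy of an export's surrounding bytes. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAD_LEN 5   /* 90h/CCh padding in front of the entry point */
#define HOP_LEN 5   /* mov edi,edi (2) + push ebp (1) + mov ebp,esp (2) */

/* MSVC /hotpatch prologue: 8B FF 55 8B EC. */
static const uint8_t kPrologue[HOP_LEN] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

/* Hook hop (second post): only safe when the first five bytes really are
 * the prologue the caller replays before jumping to entry + 5. */
bool is_hoppable(const uint8_t *entry)
{
    return memcmp(entry, kPrologue, HOP_LEN) == 0;
}

/* Tidy detour (last post): needs mov edi,edi at the entry and five bytes
 * of NOP (90h) or INT3 (CCh) immediately before it. */
bool is_hotpatchable(const uint8_t *entry)
{
    if (entry[0] != 0x8B || entry[1] != 0xFF)
        return false;
    for (int i = 1; i <= PAD_LEN; i++)
        if (entry[-i] != 0x90 && entry[-i] != 0xCC)
            return false;
    return true;
}

/* Write the 7-byte patch: E9 rel32 in the padding (entry_va - 5) to hook_va,
 * then EB F9 over mov edi,edi. Each displacement is relative to the end of
 * its own instruction, which is why the short jump back is -7, not -5. */
bool plan_hotpatch(uint8_t *entry, uint32_t entry_va, uint32_t hook_va)
{
    if (!is_hotpatchable(entry))
        return false;                       /* also refuses to double-patch */
    uint8_t *pad = entry - PAD_LEN;
    uint32_t rel = hook_va - ((entry_va - PAD_LEN) + 5);   /* wraps mod 2^32 */
    pad[0] = 0xE9;                          /* jmp rel32, little-endian disp */
    pad[1] = (uint8_t)(rel);
    pad[2] = (uint8_t)(rel >> 8);
    pad[3] = (uint8_t)(rel >> 16);
    pad[4] = (uint8_t)(rel >> 24);
    entry[0] = 0xEB;                        /* jmp short */
    entry[1] = 0xF9;                        /* -7: back into the padding */
    return true;
}

/* Where the hook re-enters the real API: just past the two patched bytes. */
uint32_t hotpatch_trampoline_va(uint32_t entry_va) { return entry_va + 2; }

/* Where the hook hop enters: past the whole replayed prologue. */
uint32_t hop_target_va(uint32_t entry_va) { return entry_va + HOP_LEN; }

/* Detection side: if the export already carries this patch, recover the
 * hook address. Returns 0 when the bytes do not match the pattern. */
uint32_t resolve_hotpatch_hook(const uint8_t *entry, uint32_t entry_va)
{
    const uint8_t *pad = entry - PAD_LEN;
    if (entry[0] != 0xEB || entry[1] != 0xF9 || pad[0] != 0xE9)
        return 0;
    uint32_t rel = (uint32_t)pad[1] | (uint32_t)pad[2] << 8 |
                   (uint32_t)pad[3] << 16 | (uint32_t)pad[4] << 24;
    return (entry_va - PAD_LEN) + 5 + rel;  /* wraps mod 2^32, as on x86 */
}

/* Constructed sample mirroring the last post's listing: five NOPs at
 * 7DC8EB91, the GetAsyncKeyState prologue at 7DC8EB96, filler after it. */
#define SAMPLE_ENTRY_VA 0x7DC8EB96u
static uint8_t g_image[16];

uint8_t *sample_entry(void) { return g_image + PAD_LEN; }

uint8_t *reset_sample_image(void)
{
    static const uint8_t init[16] = {
        0x90, 0x90, 0x90, 0x90, 0x90,        /* padding between functions */
        0x8B, 0xFF, 0x55, 0x8B, 0xEC,        /* mov edi,edi; push ebp; mov ebp,esp */
        0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC   /* filler (constructed) */
    };
    memcpy(g_image, init, sizeof g_image);
    return sample_entry();
}

int main(void)
{
    uint8_t *entry = reset_sample_image();
    uint32_t hook_va = 0x00401000u;          /* constructed hook address */
    printf("hoppable=%d hotpatchable=%d\n", is_hoppable(entry), is_hotpatchable(entry));
    if (plan_hotpatch(entry, SAMPLE_ENTRY_VA, hook_va)) {
        printf("patched bytes:");
        for (int i = -PAD_LEN; i < 2; i++)
            printf(" %02X", (unsigned)entry[i]);
        printf("\nhook resolves to %08X, hook re-enters the API at %08X\n",
               resolve_hotpatch_hook(entry, SAMPLE_ENTRY_VA),
               hotpatch_trampoline_va(SAMPLE_ENTRY_VA));
    }
    return 0;
}
```

The checks are the part worth keeping even if you install the patch by other means: `is_hoppable` guards the +5 jump against a function whose first five bytes are not the replayed prologue, and `is_hotpatchable` refuses to write the long jump over anything that is not padding, including an export that some other tool already patched. For the same reason `resolve_hotpatch_hook` is a cheap integrity check to run over exports before trusting them.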
