  1. #1
    Junior Member
    Join Date
    Jan 2014
    Posts
    5

    Post Detour and continue with the original function?

    Hello everybody, I'm new in this forum. I suppose this thread goes here, but tell me if I'm in the wrong forum!

    I'm using the DetourApply function I copied from this forum to hook a function:

    Code:
    void *DetourApply(BYTE *orig, BYTE *hook, int len)
    {
    	// len must cover whole instructions at the start of orig (at least JMP32_SZ bytes)
    	DWORD dwProt = 0;
    	// trampoline = the overwritten bytes + a jmp back; it is executed, so it needs
    	// executable memory, which malloc() does not provide when DEP is on
    	BYTE *jmp = (BYTE*)VirtualAlloc(NULL, len+JMP32_SZ, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    	if (!jmp) return NULL;
    	VirtualProtect(orig, len, PAGE_EXECUTE_READWRITE, &dwProt);
    	memcpy(jmp, orig, len); // save the original prologue bytes
    	jmp += len; // increment to the end of the copied bytes
    	jmp[0] = JMP;
    	*(DWORD*)(jmp+1) = (DWORD)(orig+len - jmp) - JMP32_SZ; // rel32 back to orig+len
    	memset(orig, NOP, len); // pad so no partial instruction is left behind
    	orig[0] = JMP;
    	*(DWORD*)(orig+1) = (DWORD)(hook - orig) - JMP32_SZ; // rel32 from orig to hook
    	VirtualProtect(orig, len, dwProt, &dwProt); // restore; the last argument must not be NULL
    	return (jmp-len); // pointer to the trampoline: call it to run the original
    }
    But once I hook a function it is replaced by the one I specified in the second parameter. Is there any way to just specify a callback that will be called when the original function is called? Something like making a JMP in the original function to my callback function and later resuming the original function's execution, so the callback can just log what parameters the original function received.

    Thanks in advance!

  2. #2
    Coders
    Join Date
    Nov 2009
    Location
    Belgium
    Posts
    990

    Re: Detour and continue with the original function?

    Hello OhDev and welcome.

    I don't think you fully get what hooking is all about. What you asked for is exactly what that detour function does. Hooking does not replace the original function. It takes the first 5 bytes in this case and puts a jmp instruction to memory allocated outside of the game memory space. In more detail, this is what happens when the original function is called:
    • The original function allocated in game process memory is called
    • It reaches the jmp instruction and jumps to your own function
    • Instructions are executed in your own function
    • If the previous instructions call the original function, the rest of the original code will be executed

    Easy as that. Your hook fits your needs. If you have any questions, feel free to ask.
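The four steps above come down to two "jmp rel32" instructions whose displacements are relative to the next instruction, which is why DetourApply subtracts JMP32_SZ. The following is an added illustration, not code from this thread: it builds the same patched prologue and trampoline layout in plain buffers at constructed addresses (0x00401000 for the target, 0x10001000 for the hook, 0x00350000 for the trampoline, and a constructed 6-byte prologue), so the offset arithmetic can be checked without touching live code.

```c
#include <stdint.h>
#include <string.h>

#define JMP32_SZ 5   /* "jmp rel32" = E9 + 4-byte displacement */
#define JMP 0xE9
#define NOP 0x90

/* Encode "jmp rel32" at address `at` landing on `target`. The displacement is
   relative to the next instruction (at + 5), hence the "- JMP32_SZ" in DetourApply.
   Unsigned wrap-around yields the right two's-complement value for backward jumps. */
static void encode_jmp32(uint8_t *buf, uint32_t at, uint32_t target) {
    uint32_t rel = target - (at + JMP32_SZ);
    buf[0] = JMP;
    for (int i = 0; i < 4; i++) buf[1 + i] = (uint8_t)(rel >> (8 * i)); /* little-endian */
}

/* Decode the target of a "jmp rel32" located at address `at`. */
static uint32_t decode_jmp32_target(const uint8_t *buf, uint32_t at) {
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++) rel |= (uint32_t)buf[1 + i] << (8 * i);
    return at + JMP32_SZ + rel;
}

typedef struct {
    uint8_t patched[16];    /* first `len` bytes of the target after patching */
    uint8_t trampoline[32]; /* saved prologue + jmp back to orig_addr + len */
} detour_layout;

/* Build the layout DetourApply produces, in plain buffers at constructed addresses
   instead of live code. `len` must end on an instruction boundary. */
static void build_detour(const uint8_t *prologue, int len, uint32_t orig_addr,
                         uint32_t hook_addr, uint32_t tramp_addr, detour_layout *out) {
    memcpy(out->trampoline, prologue, len);
    encode_jmp32(out->trampoline + len, tramp_addr + len, orig_addr + len);
    memset(out->patched, NOP, len);  /* pad so no partial instruction is left behind */
    encode_jmp32(out->patched, orig_addr, hook_addr);
}

/* Round-trip check: the entry jmp must land on the hook, the trampoline jmp just
   past the overwritten bytes, and the saved prologue must be intact. 1 = ok. */
static int detour_layout_ok(const detour_layout *d, const uint8_t *prologue, int len,
                            uint32_t orig_addr, uint32_t hook_addr, uint32_t tramp_addr) {
    if (d->patched[0] != JMP || decode_jmp32_target(d->patched, orig_addr) != hook_addr) return 0;
    for (int i = JMP32_SZ; i < len; i++) if (d->patched[i] != NOP) return 0;
    if (memcmp(d->trampoline, prologue, len) != 0) return 0;
    return decode_jmp32_target(d->trampoline + len, tramp_addr + len) == orig_addr + len;
}
```

With the constructed addresses the entry displacement is 0x0FBFFFFB (hook - (target + 5)); swapping hook and target gives the backward displacement 0xF03FFFFB, which the same unsigned arithmetic produces correctly.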

  3. #3
    Junior Member
    Join Date
    Jan 2014
    Posts
    5

    Re: Detour and continue with the original function?

    Hi mowl, thanks for your answer. I was sure that the DetourApply() function does exactly that, but please try this C code:

    Code:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <windows.h>
    
    #define JMP32_SZ 5 // the size of JMP <address>
    #define NOP 0x90 // opcode for NOP
    #define JMP 0xE9 // opcode for JUMP
    
    typedef void (*HookMePtr)();
    static HookMePtr OriginalHookMe; // trampoline: runs the saved prologue, then the rest of HookMe
    
    void *DetourApply(BYTE *orig, BYTE *hook, int len)
    {
    	// len must cover whole instructions at the start of orig (at least JMP32_SZ bytes)
    	DWORD dwProt = 0;
    	// trampoline = the overwritten bytes + a jmp back; it is executed, so it needs
    	// executable memory, which malloc() does not provide when DEP is on
    	BYTE *jmp = (BYTE*)VirtualAlloc(NULL, len+JMP32_SZ, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    	if (!jmp) return NULL;
    	VirtualProtect(orig, len, PAGE_EXECUTE_READWRITE, &dwProt);
    	memcpy(jmp, orig, len); // save the original prologue bytes
    	jmp += len; // increment to the end of the copied bytes
    	jmp[0] = JMP;
    	*(DWORD*)(jmp+1) = (DWORD)(orig+len - jmp) - JMP32_SZ; // rel32 back to orig+len
    	memset(orig, NOP, len); // pad so no partial instruction is left behind
    	orig[0] = JMP;
    	*(DWORD*)(orig+1) = (DWORD)(hook - orig) - JMP32_SZ; // rel32 from orig to hook
    	VirtualProtect(orig, len, dwProt, &dwProt); // restore; the last argument must not be NULL
    	return (jmp-len); // pointer to the trampoline: call it to run the original
    }
    
    void HookMe()
    {
        printf("HookMe called!\n");
    }
    
    // The hook. It never calls OriginalHookMe, so once the detour is installed
    // the body of HookMe is skipped.
    void CallbackHookMe()
    {
        printf("Callback called first!\n");
    }
    
    int main()
    {
        HookMe(); // before the hook: prints "HookMe called!"
    
        OriginalHookMe = (HookMePtr)DetourApply((BYTE *)&HookMe, (BYTE *)&CallbackHookMe, 6);
    
        HookMe(); // after the hook: jumps straight into CallbackHookMe
    
        return 0;
    }
    The last call to HookMe() only prints "Callback called first!". The function is directly replaced by CallbackHookMe() instead of executing both.

    Thanks again!

  4. #4

    Re: Detour and continue with the original function?

    Must call OriginalHookMe after finishing inside the callback.

  5. #5
    Junior Member
    Join Date
    Jan 2014
    Posts
    5

    Re: Detour and continue with the original function?

    Hi NightGhost, thanks for your answer! I know that I can just call OriginalHookMe() when CallbackHookMe() ends, but that is the problem. I'm hooking a VB6 application, and it magically doesn't allow me to call its functions (it gives me an access violation at 0x00000072, even with the DLL injected!). I spent two months trying to call a VB6 function to make the hook work by calling the original function after the callback, and I couldn't solve it. That's why I'm now asking for a function that can install a callback instead of replacing the target function; that way I won't need to call the original function and I won't get into the VB6 stuff.

    Any ideas? Thanks again!

  6. #6

    Re: Detour and continue with the original function?

    Some suggestions:

    1. Look at calling conventions. I think the compiler (VS) standard is _cdecl. VB might be different and cause problems on the stack.
    2. Access violation at 0x72 might be the return address being passed wrongly, so at RET it goes to the wrong address (0x72). Also make sure you have the number of arguments right. You can't just detour any function with the example above. Preserve the stack.
    3. Try __declspec(naked).

  7. #7
    Junior Member
    Join Date
    Jan 2014
    Posts
    5

    Re: Detour and continue with the original function?

    Thanks for your answer!

    1. VB6 uses __stdcall, and I'm using __stdcall too.
    2. It's a VB6 procedure, not a function (it's the same, but the former doesn't return any value).
    3. I tried __declspec(), but did I use it the right way?

    Here's what I'm using right now:

    Code:
    typedef void (__stdcall *SampleSubPtr)(WORD, WORD);
    That is supposed to be a VB6 function/procedure that takes two integer parameters (16-bit integers) and has no return value. How can I apply __declspec here? Like this?

    Code:
    typedef void (__declspec() __stdcall *SampleSubPtr)(WORD, WORD);
    If yes, that doesn't work for me.

    Thanks for your answer again!

  8. #8

    Re: Detour and continue with the original function?

    Code:
    __declspec(naked) void stuff() // <-- no arguments!
    {
        _asm {
            ; put here the overwritten code
            jmp [back] ; jump over the overwritten code
        }
    }
    But I suggest finding the cause of the error: debug it with OllyDbg.

  9. #9
    Junior Member
    Join Date
    Jan 2014
    Posts
    5

    Re: Detour and continue with the original function?

    Hey, sorry, I'm not a good friend of ASM. Can you please provide me a simple working example of that? Also, what is that? A function to install a callback instead of replacing?

    I tried debugging with OllyDbg and this is what it says: "Access violation when reading [00000076]". That's the only thing I know how to do with the debugger: just File > Attach > process and see which error it throws!

    Thank you very much for your answer!
