 |
Cheat Engine The Official Site of Cheat Engine
SpaceUrkel (How do I cheat?)
Reputation: 0
Joined: 25 Feb 2012 Posts: 8
Posted: Sat Mar 03, 2012 11:39 pm Post subject: direct jump opcode for x86
Hi everyone,
recently I have been trying to write a function in assembly
that detours a target function to another. Now the way I want to do this is
to copy the first 5 bytes (the size of one instruction) from the
target function and replace them with a direct jump instruction to the hook, which
I have to generate from the address supplied in the 2nd parameter.
The whole thing would look like this:
Code:
;void __stdcall HookFunc( function, hook, storage )   example: (funcA, funcB, ip_stor)
;(the decorated name below is void __stdcall HookFunc(void*, void*, void*))
?HookFunc@@YGXPAX00@Z PROC
push ebp
mov ebp, esp
push esi                          ;esi/edi are callee-saved under stdcall, so preserve them
push edi
;read the first instruction of the function (parameter 1)
mov esi, DWORD PTR [ebp][08h]     ;esi = target function
mov edi, DWORD PTR [ebp][10h]     ;edi = user-defined buffer
mov ecx, 5
rep movsb                         ;copy 5 bytes; esi and edi both advance by 5
;patch the first instruction of the function
sub esi,5                         ;back to the start of the function
mov BYTE PTR [esi], 0ffh          ;0xFF = direct jump?  (kept as posted: this is the bug the question is about)
inc esi                           ;increase offset + 1
mov ecx, DWORD PTR [ebp][0Ch]     ;ecx = address for jump
mov DWORD PTR [esi], ecx          ;write the absolute hook address after the opcode byte
pop edi
pop esi
pop ebp
retn 0Ch                          ;stdcall: the callee pops the three DWORD parameters
?HookFunc@@YGXPAX00@Z ENDP
and the detour function I have written in C++ looks like:
Code:
#include <cstdio>

// funcA, ip_stor and GetIP are declared elsewhere in the poster's project:
// ip_stor holds the 5 bytes saved by HookFunc, GetIP returns its own return address in eax.
void __declspec(noreturn, naked) funcB()
{
    printf("%s\n", __FUNCTION__);
    __asm {
        call GetIP           // apparently inline assembler won't let me use EIP directly
        lea esi, ip_stor     // the copied instruction from earlier
        mov edi, eax         // address of xor eax,eax
        mov ecx, 05h         // ecx = 5
        rep movsb
        nop                  // this is where we paste our instruction
        jmp funcA+5          // jump to original function
    }
}
At first I thought all I have to do to generate an absolute jump instruction is to set the first byte to 0xFF
and then fill the remaining 4 bytes with the target address.
Now the thing is, when I debug this, the opcode I generate does something else entirely:
instead of a jmp instruction, it disassembles to a push instruction. Obviously I haven't
quite gotten the hang of opcodes yet and I can't find any solutions on Google. What am I doing
wrong?
_________________
et illus fugit
atom0s (Moderator)
Reputation: 205
Joined: 25 Jan 2006 Posts: 8585 Location: 127.0.0.1
SpaceUrkel (How do I cheat?)
Reputation: 0
Joined: 25 Feb 2012 Posts: 8
Posted: Sun Mar 04, 2012 5:38 am Post subject:
Thanks for the help. Here is the finished function:
Code:
INSTRUCTION_SIZE EQU 5                 ;length of the E9 rel32 jmp, and of the bytes saved to storage

;void __stdcall HookFunc( function, hook, storage )
;storage receives the 5 saved bytes, followed by the DWORD address of the function they came from
?HookFunc@@YGXPAX00@Z PROC
push ebp
mov ebp, esp
push ebx                               ;ebx/esi/edi are callee-saved under stdcall
push esi
push edi
mov esi, DWORD PTR [ebp][08h]
_check_e9: ;sometimes (especially while debugging) a function_ptr is linked to a vtable
cmp BYTE PTR [esi], 0e9h               ;test if %function starts with a relative jmp
jne _read                              ;if this isn't the case, go ahead and save the first byte
mov ebx,[esi][01h]                     ;copy the target RVA of the jmp instruction we just verified
add esi,ebx                            ;add the RVA to esi to get to the actual function VA
add esi,5                              ;don't ask (rel32 is relative to the end of the 5-byte jmp, so target = esi + 5 + rel32)
jmp _check_e9                          ;check for another jmp instruction
_read:
mov edi, DWORD PTR [ebp][10h]
mov ecx, INSTRUCTION_SIZE
rep movsb                              ;save the bytes the jmp will overwrite; esi and edi advance by 5
sub esi,5                              ;back to the function start
mov DWORD PTR [edi], esi               ;store the function address right after the saved bytes
mov edx, esi
mov BYTE PTR [esi], 0e9h               ;E9 = jmp rel32
inc esi
mov ecx, DWORD PTR [ebp][0Ch]          ;ecx = hook
xor edx, 0ffffffffh                    ;edx = ~function = -function - 1
add edx, ecx                           ;edx = hook - function - 1
sub edx, 4                             ;edx = hook - (function + 5) = rel32
mov DWORD PTR [esi],edx
pop edi
pop esi
pop ebx
pop ebp
retn 0Ch                               ;stdcall: the callee pops the three DWORD parameters
?HookFunc@@YGXPAX00@Z ENDP
Now all I have to figure out is how to use this.
_________________
et illus fugit
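An added example, not code from this thread or from Cheat Engine: the E9 rel32 encoding the finished HookFunc relies on (and the "don't ask" +5 in its E9-chasing loop), written out in C so the arithmetic can be checked, plus a lookup that shows why the first post's "FF <address>" disassembled as a push. It works on a byte buffer standing in for code memory rather than patching live code, so it runs on any host; all addresses, the jump thunks and the 5-byte function body are constructed for the example, and the helper names (jmp_rel32, install_detour, ff_group_mnemonic, constructed_scenario) are mine, not the poster's.

```c
/* Added example, not code from the thread: the E9 rel32 encoding the posted
 * HookFunc relies on, the E9 thunk chasing it does, and why "FF <address>"
 * is not a jump.  Works on a byte buffer standing in for code memory, so it
 * runs on any host; every address below is constructed, not real. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_REL32_LEN 5   /* E9 + imm32 */

/* rel32 is relative to the END of the jmp: target = src + 5 + rel32. */
static int32_t jmp_rel32(uint32_t src, uint32_t target)
{
    return (int32_t)(target - (src + JMP_REL32_LEN));
}

/* Emit "E9 rel32" at buf, which stands for address src. */
static void write_jmp_rel32(uint8_t *buf, uint32_t src, uint32_t target)
{
    int32_t rel = jmp_rel32(src, target);
    buf[0] = 0xE9;
    memcpy(buf + 1, &rel, 4);   /* little-endian imm32 (assumes a little-endian host) */
}

/* Decode the target of an E9 at buf (address src); returns 0 if it is not an E9. */
static int read_jmp_rel32_target(const uint8_t *buf, uint32_t src, uint32_t *target)
{
    int32_t rel;
    if (buf[0] != 0xE9) return 0;
    memcpy(&rel, buf + 1, 4);
    *target = src + JMP_REL32_LEN + (uint32_t)rel;
    return 1;
}

/* The "_check_e9" loop: follow E9 thunks until real code, with a hop limit
 * and bounds checks the posted loop lacks.  mem holds [base, base + len). */
static uint32_t resolve_jmp_chain(const uint8_t *mem, uint32_t base, size_t len,
                                  uint32_t addr, int max_hops)
{
    uint32_t next;
    while (max_hops-- > 0 && addr >= base && addr + JMP_REL32_LEN <= base + len
           && read_jmp_rel32_target(mem + (addr - base), addr, &next))
        addr = next;
    return addr;
}

/* What HookFunc does, in C: save the 5 bytes plus the resolved address into
 * storage (9 bytes, the layout the posted function produces), then write the
 * jmp to hook.  Returns the resolved address, or 0 if it is out of range. */
static uint32_t install_detour(uint8_t *mem, uint32_t base, size_t len,
                               uint32_t func, uint32_t hook, uint8_t storage[9])
{
    uint32_t target = resolve_jmp_chain(mem, base, len, func, 16);
    if (target < base || target + JMP_REL32_LEN > base + len) return 0;
    uint8_t *p = mem + (target - base);
    memcpy(storage, p, JMP_REL32_LEN);            /* bytes the jmp clobbers */
    memcpy(storage + JMP_REL32_LEN, &target, 4);  /* trampoline resumes at target + 5 */
    write_jmp_rel32(p, target, hook);
    return target;
}

/* 0xFF is an opcode GROUP: the following byte is ModRM and bits 5..3 pick the
 * instruction.  Writing the hook address straight after 0xFF makes its low
 * byte the ModRM; a low byte such as 0x30 selects /6 = PUSH, hence the "push"
 * in the first post.  A real absolute jump is FF /4 with a memory operand
 * (32-bit code: FF 25 disp32 = jmp dword ptr [disp32], 6 bytes + a 4-byte slot). */
static const char *ff_group_mnemonic(uint8_t modrm)
{
    static const char *const names[8] =
        {"inc", "dec", "call", "call far", "jmp", "jmp far", "push", "(invalid)"};
    return names[(modrm >> 3) & 7];
}

/* Constructed scenario (no real binary): a thunk at base+0 jumps to base+0x10,
 * which jumps to the body at base+0x20 (push ebp / mov ebp,esp / xor eax,eax:
 * 1+2+2 bytes, so the 5 saved bytes happen to be whole instructions).
 * mem must hold 64 bytes.  Returns the resolved body address. */
static uint32_t constructed_scenario(uint8_t *mem, uint32_t base, uint32_t hook,
                                     uint8_t storage[9])
{
    static const uint8_t body[] = {0x55, 0x8B, 0xEC, 0x33, 0xC0};
    memset(mem, 0xCC, 64);
    write_jmp_rel32(mem + 0x00, base + 0x00, base + 0x10);
    write_jmp_rel32(mem + 0x10, base + 0x10, base + 0x20);
    memcpy(mem + 0x20, body, sizeof body);
    return install_detour(mem, base, 64, base, hook, storage);
}

int main(void)
{
    uint8_t mem[64], storage[9];
    const uint32_t base = 0x00401000u, hook = 0x00500000u;   /* constructed */
    uint32_t body = constructed_scenario(mem, base, hook, storage);
    printf("resolved body %08X, patched to E9 %08X\n", body, (uint32_t)jmp_rel32(body, hook));
    printf("saved bytes: %02X %02X %02X %02X %02X\n",
           storage[0], storage[1], storage[2], storage[3], storage[4]);
    printf("FF 30 decodes as %s\n", ff_group_mnemonic(0x30));
    return 0;
}
```

What the byte-buffer version leaves out, and what a real HookFunc needs before the posted one is usable: the target page must be made writable (VirtualProtect) and the instruction cache flushed after the write (FlushInstructionCache); the saved 5 bytes must end on an instruction boundary, which needs a length disassembler rather than a fixed count; any relative instruction among the saved bytes (a call or jmp rel32, for instance) has to be re-encoded when the trampoline executes it from a different address; and the trampoline in funcB must not clobber registers or the stack before it resumes at function + 5.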