Hook call vs hook function



thawalrus
28th September 2019, 18:38
Hello,

I was interested in how libcod does the hooking. Now I see that there are two functions that are very much alike: cracking_hook_function and cracking_hook_call. One is inserting a JMP instruction, the other is not.

Now, my question is: How does the function without the JMP instruction work? My assumption is that hooking always needs a JMP instruction.

Thanks in advance.

Regards,
Walrus

thawalrus
28th September 2019, 19:11
I've now just realized that perhaps the cracking_hook_call is not really 'hooking', but replacing the call itself. If that's the case, then this only makes sense if the function is called only from one place?

IzNoGoD
28th September 2019, 21:47
iirc one of them is reversible while the other is not. I've used the hooked stuff from time to time to hijack a function without impairing its normal operation, but adding a single instruction (or function call) to it.

thawalrus
28th September 2019, 22:36
Yes, the call hook can easily be repaired by putting the original function address there again. For the other one you need to repair the function itself or create a 'trampoline' to have the original function procedure executed.
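
The difference described in the posts above, as an added example that is not libcod's code: a C sketch over a constructed byte image showing the rel32 arithmetic behind patching a CALL operand versus writing a JMP over a function entry, and why the first is undone just by re-encoding the old target while the second needs the saved prologue bytes (or a trampoline that replays them). The base address, the hook target, the image layout and a little-endian x86 host are assumptions.

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>
/* Constructed 32-byte x86 code image at a hypothetical base address: a CALL
 * at base+0 to a function at base+0x10. Little-endian host assumed. */
#define IMAGE_BASE  0x08048000u
#define CALL_OFF    0x00u
#define FUNC_OFF    0x10u
#define HOOK_TARGET 0x08049000u   /* hypothetical replacement function */
static uint8_t image[32];
static uint8_t saved_prologue[5]; /* bytes clobbered by hook_function */

/* E8 (CALL) and E9 (JMP) carry a rel32 measured from the instruction's end. */
static int32_t rel32(uint32_t insn_addr, uint32_t target) {
    return (int32_t)(target - (insn_addr + 5));
}
static uint32_t decode_target(uint32_t addr) {   /* target of E8/E9 at addr */
    int32_t d;
    memcpy(&d, image + (addr - IMAGE_BASE) + 1, 4);
    return addr + 5 + d;
}
/* cracking_hook_call style: only the call site's operand changes, so the
 * returned old target is all that is needed to undo it. */
static uint32_t hook_call(uint32_t call_addr, uint32_t new_target) {
    uint8_t *p = image + (call_addr - IMAGE_BASE);
    assert(p[0] == 0xE8);                 /* refuse to patch a non-CALL */
    uint32_t old_target = decode_target(call_addr);
    int32_t d = rel32(call_addr, new_target);
    memcpy(p + 1, &d, 4);
    return old_target;
}
/* cracking_hook_function style: the entry becomes a JMP and its prologue is
 * destroyed, so save it (a trampoline would replay it, then jump to +5). */
static void hook_function(uint32_t func_addr, uint32_t new_target) {
    uint8_t *p = image + (func_addr - IMAGE_BASE);
    int32_t d = rel32(func_addr, new_target);
    memcpy(saved_prologue, p, 5);
    p[0] = 0xE9;
    memcpy(p + 1, &d, 4);
}
static void unhook_function(uint32_t func_addr) {
    memcpy(image + (func_addr - IMAGE_BASE), saved_prologue, 5);
}
/* CALL func at base+0; "push ebp; mov ebp,esp; push ebx; push esi" at func. */
static void build_image(void) {
    int32_t d = rel32(IMAGE_BASE + CALL_OFF, IMAGE_BASE + FUNC_OFF);
    memset(image, 0x90, sizeof image);  /* NOP filler */
    image[CALL_OFF] = 0xE8;
    memcpy(image + CALL_OFF + 1, &d, 4);
    memcpy(image + FUNC_OFF, "\x55\x89\xE5\x53\x56", 5);
}
```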

php
30th September 2019, 18:44
You just answered your own question. ¯\_(ツ)_/¯