Thread: Pro tips for hooking up the function

  1. #1 kung foo man (Assadministrator)
    You don't need to let it crash, you can unhook a hooked function in itself, call itself, save the return value, rehook it and just return the saved value, so for the engine it's like nothing happened.

    Example from

    Code:
    #include <stdio.h>
    #include <string.h>

    /* cHook is libcod's hook object; hook()/unhook() patch and restore the target. */
    static int size_all = 0;
    static int i = 0;
    cHook *hook_MSG_WriteBigString;

    void MSG_WriteBigString(int *MSG, char *s)
    {
        int len;

        len = strlen(s);
        printf("i=%d size_all=%d len=%d MSG=%p %s\n", i, size_all, len, MSG, s);

        size_all += len;
        i++;

        /* Remove the hook so the original function is reachable again. */
        hook_MSG_WriteBigString->unhook();

        /* Call the original engine function at its (hardcoded) address. */
        void (*sig)(int *MSG, char *s);
        *(int *)&sig = 0x0806825E;
        sig(MSG, s);

        /* Put the hook back so the next call lands here again. */
        hook_MSG_WriteBigString->hook();
    }

    And instead of writing the hardcoded address (*(int *)&sig = 0x0806825E;), you can take the value of hook_MSG_WriteBigString->from.

    For finding stuff you want: e.g. at the start of libcod I wanted to find a script function ("closer" because it was easy to reimplement and I actually never used it) and I had no clue about anything, since cracking was totally new to me. I started with some C knowledge and WinHex, like this:

    At first I searched the plain string in WinHex: let's say it was at file offset 0x12345

    Then you go to that file address in IDA (some option in menu) and then IDA shows you the actual memory address of that file offset, let's say 0xaabbccdd is "closer". The address wasn't linked anywhere, but it had to be linked somewhere I thought, so I searched the hex numbers of it in WinHex with no success, till I reversed them (0xddccbbaa), since x86 is using little-endianness. That way I found the actual table which holds the string->function address relations and I could slowly decompile all kinds of glued C functions to the script engine e.g.

    On the other hand you could just search an error string from anything in WinHex too and enter the file offset in IDA again. Since IDA has analyzed a lot from the beginning, it can show all found functions which point to the error message then.

    And don't forget all the GPL engines, RTCW, Quake 3 etc., which all have a lot of code in common.
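The string-to-function lookup described in the post (find the string, compute its address, search for that address in little-endian byte order, read the neighbouring function pointer), as an added example that is not part of the original post or of libcod. The image below is a constructed sample, and the assumption that file offset maps to virtual address as `IMAGE_BASE + offset` is a simplification (real ELF section mappings differ).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed base of the constructed 32-bit image (hypothetical value). */
#define IMAGE_BASE 0x08048000u

/* Constructed sample image (not real game data):
 *   offset 0x00: "closer\0"  -> vaddr 0x08048000
 *   offset 0x10: "spawn\0"   -> vaddr 0x08048010
 *   offset 0x20: table of {name_ptr, func_ptr} pairs, little-endian */
static const unsigned char image[] = {
    'c','l','o','s','e','r',0,0, 0,0,0,0,0,0,0,0,
    's','p','a','w','n',0,0,0, 0,0,0,0,0,0,0,0,
    0x10,0x80,0x04,0x08, 0x00,0x10,0x05,0x08,   /* "spawn"  -> 0x08051000 */
    0x00,0x80,0x04,0x08, 0x50,0x12,0x05,0x08,   /* "closer" -> 0x08051250 */
    0,0,0,0, 0,0,0,0                            /* table terminator */
};

/* Naive byte-pattern search; returns the offset of the first match or -1. */
static long find_bytes(const unsigned char *buf, size_t len,
                       const unsigned char *pat, size_t plen)
{
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return (long)i;
    return -1;
}

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the function address stored next to the name pointer, or 0 if not found. */
uint32_t lookup_script_func(const unsigned char *img, size_t len,
                            const char *name, uint32_t base)
{
    long soff = find_bytes(img, len, (const unsigned char *)name, strlen(name) + 1);
    if (soff < 0) return 0;
    uint32_t vaddr = base + (uint32_t)soff;
    /* The reversed-bytes trick from the post: x86 stores the pointer little-endian. */
    unsigned char le[4] = { vaddr & 0xff, (vaddr >> 8) & 0xff,
                            (vaddr >> 16) & 0xff, vaddr >> 24 };
    long ref = find_bytes(img, len, le, 4);
    if (ref < 0 || (size_t)ref + 8 > len) return 0;
    return read_le32(img + ref + 4);
}

int main(void)
{
    printf("closer -> 0x%08x\n", lookup_script_func(image, sizeof image, "closer", IMAGE_BASE));
    return 0;
}
```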

