Thread: Pro tips for hooking up the function

  1. #1 voron00
    I didn't fully understand the magic stuff and database thing but apparently you want to find what causes the segfault.

    When a program crashes it should generate a core dump file. On more or less modern systems it should be in /var/lib/systemd/coredump, named something like core.cod2_lnxded.1000.etc.

    Move this core dump to your home dir; if it's compressed (lz4), unlz4 it (unlz4 filename.lz4), move the uncompressed core dump to your cod2_lnxded dir and start GDB like:
    PHP Code:
    gdb cod2_lnxded corefilename 
    You should see the crash now (if not, type 'bt'). The address where it crashed should be the topmost one. Search for this address in IDA and it should point you to the spot of the crash (probably inside some sub).

    If you can't understand what exactly this function does, you probably want to hook it.

    Hooking is quite easy, there are multiple ways to do it. Basically you redirect this function, do some stuff, e.g. read its params, and call the original function. You can hook a function, hook a function call, or use the cHook class.

    For hooking a function, use the way kung posted above. For a function call there are a lot of references in libcod.cpp, just search for cracking_hook_call, but basically it works like:

    PHP Code:
    // The hook: runs in place of the original call, logs the params, then calls the real function.
    void hook_test_func(int a1, int a2) {
        printf("Test: %i, %i\n", a1, a2);

        int (*Orig)(int a1, int a2);
        *(int *)&Orig = 0x0812A004; // The real address of the function you are trying to hook as a call
        Orig(a1, a2);
    }

    // Redirect the call instruction at 0x0812A3EC to hook_test_func (done once, at init).
    cracking_hook_call(0x0812A3EC, (int)hook_test_func);


    1. Hook the call
    2. Get stuff and do stuff
    3. Call the original

    You can find where a function, e.g. sub_812A004, is called by just searching for it as text in IDA, and you will find something like:

    PHP Code:
    .text:0812A3EC                 call    sub_812A004 
    Where 0812A3EC is the hook call address.

    You don't have to call the original function if you are rewriting it as a reverse; for this you can also use cracking_hook_function, but do NOT use cracking_hook_function if you are calling the original inside a hooked function. Reversing, though, can be a lot of pain in the arse. As kung said above, you can look at the q3 source to see some useful references.

    BTW: I had segfaults with the playFxOnTag() function, which were related in some way to models without that tag. Also feel free to upload your coredump file, or share the code where that crash is, so we can look for it as well.
    Last edited by voron00; 4th May 2016 at 08:18.
    sudo apt-get rekt


  3. #2 kung foo man
    Quote Originally Posted by voron00:

    Hooking is quite easy, there are multiple ways to do it. Basically you redirect this function, do some stuff, e.g. read its params, and call the original function. You can hook a function, hook a function call, or use the cHook class (which can be more handy than the usual cracking_hook_function, but does the same thing atm).
    Ye, but remember the "Original" function is still redirected, so when you call it without unhooking it, you are caught in a loop. Hence this little helper class:

    PHP Code:
    cHook::cHook(int from, int to) {
        this->from = from;
        this->to = to;
    }
    void cHook::hook() {
        memcpy((void *)oldCode, (void *)from, 5); // save the original first 5 bytes
        cracking_hook_function(from, to);          // overwrite them with a jump to `to`
    }
    void cHook::unhook() {
        memcpy((void *)from, (void *)oldCode, 5); // restore them so the original can run
    }

    It saves the first 5 bytes just to restore them later to call the original function.
    timescale 0.01
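Added example, written for this page and not code from libcod or from either post. It covers both the cracking_hook_call redirect voron00 describes (rewriting the 5-byte `call` at 0x0812A3EC so it no longer reaches sub_812A004) and the save/restore that kung's cHook does around a call to the original. The patches are encoded on plain byte buffers with the post's own addresses, so the arithmetic can be checked on any machine; the hook address 0x08300000, the names `original`, `hooked`, `selftest`, `live_demo` and the helper functions are assumptions. The live part only builds on x86/x86-64, needs `mprotect` to grant RWX on `.text` (a hardened kernel may refuse), and shows why calling the original while the jump is still in place loops.

```c
/* Added example, not libcod's code: the two patches the posts describe, written on
 * plain byte buffers so the encoding can be checked anywhere, plus a live x86 demo
 * of cHook-style hook/unhook around a call to the original.                     */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#define CALL_OP 0xE8 /* x86 call rel32 */
#define JMP_OP  0xE9 /* x86 jmp  rel32 */

/* rel32 of a 5-byte E8/E9 at `site` that should land on `target`: the
 * displacement is taken from the end of the instruction, not its start. */
int32_t rel32_for(uint64_t site, uint64_t target) {
    return (int32_t)((int64_t)target - (int64_t)(site + 5));
}

/* Write a 5-byte call/jmp into `code`, the bytes that live at address `site`. */
void write_rel32_insn(uint8_t *code, uint8_t opcode, uint64_t site, uint64_t target) {
    uint32_t rel = (uint32_t)rel32_for(site, target);
    code[0] = opcode;
    for (int i = 0; i < 4; i++)                 /* little-endian immediate */
        code[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Where does the E8/E9 at `site` go? Returns 0 if the bytes are not one. */
uint64_t rel32_target(const uint8_t *code, uint64_t site) {
    if (code[0] != CALL_OP && code[0] != JMP_OP) return 0;
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++) rel |= (uint32_t)code[1 + i] << (8 * i);
    return (uint64_t)((int64_t)site + 5 + (int32_t)rel);
}

/* cHook::hook(): keep the first 5 bytes of the function, then jmp to `to`
 * (the jmp is what cracking_hook_function writes). */
void hook_function(uint8_t *fn, uint64_t fn_addr, uint64_t to, uint8_t saved[5]) {
    memcpy(saved, fn, 5);
    write_rel32_insn(fn, JMP_OP, fn_addr, to);
}

/* cHook::unhook(): put the 5 bytes back so the original can be called. */
void unhook_function(uint8_t *fn, const uint8_t saved[5]) {
    memcpy(fn, saved, 5);
}

/* Buffer-only check with the addresses from the post: the call at 0x0812A3EC
 * to sub_812A004, redirected to a hook; 0x08300000 is a made-up hook address. */
int selftest(void) {
    uint8_t code[5] = {0}, saved[5];
    uint8_t fn[5] = {0x55, 0x89, 0xE5, 0x83, 0xEC};  /* push ebp; mov ebp,esp; sub esp,.. */
    write_rel32_insn(code, CALL_OP, 0x0812A3EC, 0x0812A004);
    if (memcmp(code, "\xE8\x13\xFC\xFF\xFF", 5) != 0) return 0;  /* call -0x3ED */
    if (rel32_target(code, 0x0812A3EC) != 0x0812A004) return 0;
    write_rel32_insn(code, CALL_OP, 0x0812A3EC, 0x08300000);     /* cracking_hook_call */
    if (rel32_target(code, 0x0812A3EC) != 0x08300000) return 0;
    hook_function(fn, 0x0812A004, 0x08300000, saved);            /* cHook::hook */
    if (fn[0] != JMP_OP || rel32_target(fn, 0x0812A004) != 0x08300000) return 0;
    unhook_function(fn, saved);                                  /* cHook::unhook */
    return memcmp(fn, "\x55\x89\xE5\x83\xEC", 5) == 0;
}

#if defined(__x86_64__) || defined(__i386__)
static uint8_t g_saved[5];
__attribute__((noinline)) int original(int a, int b) { return a * 10 + b; }
int hooked(int a, int b);
/* Calls go through a volatile pointer so the compiler cannot fold them away. */
static int (*volatile p_original)(int, int) = original;

static int make_rwx(uint8_t *p) {                /* cover both pages the 5 bytes may span */
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t lo = (uintptr_t)p & ~(pg - 1), hi = (((uintptr_t)p + 4) & ~(pg - 1)) + pg;
    return mprotect((void *)lo, hi - lo, PROT_READ | PROT_WRITE | PROT_EXEC);
}

/* The hook: log the arguments, unhook, call the real thing, re-hook. Calling
 * original() while the jmp is still in place would land back here (the loop). */
int hooked(int a, int b) {
    uint8_t *fn = (uint8_t *)(uintptr_t)original;
    printf("hooked: %d, %d\n", a, b);
    unhook_function(fn, g_saved);
    int r = p_original(a, b);
    hook_function(fn, (uintptr_t)original, (uintptr_t)hooked, g_saved);
    return r;
}

int live_demo(void) {
    uint8_t *fn = (uint8_t *)(uintptr_t)original;
    if (make_rwx(fn) != 0) { perror("mprotect"); return -1; }
    hook_function(fn, (uintptr_t)original, (uintptr_t)hooked, g_saved);
    int r = p_original(4, 2);                    /* runs hooked(), which calls original() */
    unhook_function(fn, g_saved);
    return r;                                    /* 42 */
}
#endif

int main(void) {
    printf("selftest: %s\n", selftest() ? "ok" : "FAIL");
#if defined(__x86_64__) || defined(__i386__)
    printf("live: %d\n", live_demo());
#endif
    return 0;
}
```

Two things this makes visible that the posts only imply: the rel32 in a `call`/`jmp` is measured from the end of the 5-byte instruction, so the same target gives a different immediate at every call site, and a function hooked with a jmp at its entry has no "original" left to call until those 5 bytes are put back, which is all cHook::unhook does. The re-hook inside `hooked` is what keeps later calls covered; in a multithreaded server the unhook/call/re-hook window is a race another thread could fall through.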

