Bit late to the party,
but I'm trying to get this semi-working for some packet inspecting.
PHP Code:
Address Hex dump Command Comments
007633EA /$ /56 PUSH ESI ; Conquer.007633EA(guessed void)
007633EB |. |8BF1 MOV ESI,ECX
007633ED |. |E8 7B5ED6FF CALL 004C926D ; [Conquer.004C926D
007633F2 |. |68 4C040000 PUSH 44C ; /Arg1 = 44C
007633F7 |. |8BC8 MOV ECX,EAX ; |
007633F9 |. |E8 E8FAE6FF CALL 005D2EE6 ; \Conquer.005D2EE6
007633FE |. |84C0 TEST AL,AL
00763400 |. |75 34 JNZ SHORT 00763436
00763402 |. |E8 2C21E2FF CALL 00585533 ; [Conquer.00585533
00763407 |. |0FB74E 06 MOVZX ECX,WORD PTR DS:[ESI+6]
0076340B |. |51 PUSH ECX ; /Arg1
0076340C |. |8BC8 MOV ECX,EAX ; |
0076340E |. |E8 D0AFF0FF CALL 0066E3E3 ; \Conquer.0066E3E3
00763413 |. |E8 1E25EBFF CALL 00615936
00763418 |. |0FB74E 06 MOVZX ECX,WORD PTR DS:[ESI+6]
0076341C |. |51 PUSH ECX ; /Arg1
0076341D |. |8BC8 MOV ECX,EAX ; |
0076341F |. |E8 4857F5FF CALL 006B8B6C ; \Conquer.006B8B6C
00763424 |. |8D46 04 LEA EAX,[ESI+4]
00763427 |. |0FB708 MOVZX ECX,WORD PTR DS:[EAX]
0076342A |. |51 PUSH ECX ; /Arg2
0076342B |. |50 PUSH EAX ; |Arg1
0076342C |. |B9 386BA500 MOV ECX,OFFSET 00A56B38 ; |PTR to ASCII "$.v"
00763431 |. |E8 2DFFFFFF CALL 00763363 ; \Conquer.00763363
00763436 |> |5E POP ESI
00763437 \. |C3 RETN
Using OllyDbg I found this function.
Now, "correct me if I'm wrong", the function we are trying to detour is the call @ 00763431.
Then why does the detour init replace it with 0x68 (Push ???) and a pointer to the C# function and returns after it (0xC3)?
PHP Code:
public DetourHook(Delegate targetFunc, Delegate hookFunc)
{
    this.TargetPtr = Marshal.GetFunctionPointerForDelegate(targetFunc);
    this.TargetFunc = targetFunc;
    this.HookPtr = Marshal.GetFunctionPointerForDelegate(hookFunc);
    // Keep a copy of the first 6 bytes at the target address
    originalBytes = new byte[6];
    Marshal.Copy(TargetPtr, originalBytes, 0, 6);
    var hookPointerBytes = BitConverter.GetBytes(HookPtr.ToInt32());
    // 6-byte replacement: 0x68, the 4 bytes of the hook address, then 0xC3
    //newBytes = new byte[] { 0x68, hookPointerBytes[0], hookPointerBytes[1], hookPointerBytes[2], hookPointerBytes[3], 0xC3 };
    newBytes = new byte[] { 0x68, hookPointerBytes[0], hookPointerBytes[1], hookPointerBytes[2], hookPointerBytes[3], 0xC3 };
}
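
As an added example (not code from the post above or from the hooking library it quotes), this C# decoder shows what the two byte patterns in the post encode: the relative E8 call at 00763431 from the listing, and the six-byte 0x68 ... 0xC3 sequence built in the constructor. The name TransferDecoder is hypothetical and the hook address 0x12345678 is a constructed sample value. The same check is what you would run over a function's first bytes to see whether they have been overwritten with a redirect.

```csharp
using System;

// Added example: classify the control transfer encoded at the start of a buffer.
// Assumes 32-bit x86 code and a little-endian host (BitConverter.IsLittleEndian).
static class TransferDecoder
{
    public static string Decode(byte[] code, uint address)
    {
        // 68 imm32 C3 = PUSH imm32 ; RETN.
        // RETN pops the value that was just pushed into EIP, so the pair
        // behaves like a jump to an absolute 32-bit address.
        if (code.Length >= 6 && code[0] == 0x68 && code[5] == 0xC3)
        {
            uint target = BitConverter.ToUInt32(code, 1);
            return $"{address:X8}: PUSH {target:X8}; RETN -> absolute transfer to {target:X8}";
        }

        // E8 rel32 = CALL, E9 rel32 = JMP.
        // The operand is a signed displacement from the next instruction,
        // so the target depends on where the bytes are located.
        if (code.Length >= 5 && (code[0] == 0xE8 || code[0] == 0xE9))
        {
            int rel = BitConverter.ToInt32(code, 1);
            uint target = unchecked((uint)(address + 5 + rel));
            string op = code[0] == 0xE8 ? "CALL" : "JMP";
            return $"{address:X8}: {op} rel32 ({rel}) -> relative transfer to {target:X8}";
        }

        return $"{address:X8}: no redirect pattern recognised";
    }

    static void Main()
    {
        // Bytes of the instruction at 00763431 in the listing above.
        byte[] callSite = { 0xE8, 0x2D, 0xFF, 0xFF, 0xFF };
        Console.WriteLine(Decode(callSite, 0x00763431));

        // Constructed sample: the 6-byte pattern from the constructor with a
        // made-up hook address of 0x12345678, placed at the callee's entry.
        byte[] patched = { 0x68, 0x78, 0x56, 0x34, 0x12, 0xC3 };
        Console.WriteLine(Decode(patched, 0x00763363));

        // First bytes of the listing's own function (PUSH ESI ; MOV ESI,ECX ...).
        byte[] plain = { 0x56, 0x8B, 0xF1, 0xE8, 0x7B, 0x5E };
        Console.WriteLine(Decode(plain, 0x007633EA));
    }
}
```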