C++ Detour Help

09/06/2013 06:15 Clopss#1
Was wondering if someone knows why my return SendTramp crashes the exe.
Perhaps the (int, int, size_t, int, int) from IDA is incorrect?
09/06/2013 09:31 tliu0c#2
Could be. Follow that function in OD and see where the crash is triggered.
09/06/2013 10:35 Dr. Coxxy#3
You're calling the original function with unk2, unk2 instead of unk2, unk3.
09/07/2013 01:45 Clopss#4
It seems that function only has the opcode for the packet; this is a detour of the parent function of sendto().

Code:
// Assumed includes: the MacroQuest plugin header provides CHAR, MAX_STRING, DWORD,
// WriteChatColor, DETOUR_TRAMPOLINE_EMPTY and EzDetour; <winsock2.h> provides u_short.
// Logger, TimeToString() and LogPacket() are the plugin's own helpers, defined elsewhere.
#include <winsock2.h>
#include <cstdio>
#include "../MQ2Plugin.h"   // assumption: the usual MQ2 plugin header path

// Trampoline: the detour library fills it with the original prologue so the
// detour can call through to the original. Declared with the signature IDA showed.
int __stdcall SendTramp(char *, int, DWORD*, u_short);
DETOUR_TRAMPOLINE_EMPTY(int __stdcall SendTramp(char *, int, DWORD*, u_short));

// Detour: runs in place of the function at 0x697660, logs the outgoing packet,
// then swallows it (the call to the original is commented out).
int __stdcall SendDetour(char *buf, int len, DWORD* x, u_short hostshort) {
    Logger << TimeToString() << ": Client -> Server (Length: " << len
           << "  x=" << x << " host=" << hostshort << " )\n\n";
    LogPacket(buf, len);
    Logger << std::endl;

    CHAR szTemp[MAX_STRING] = {0};
    sprintf(szTemp, "x:%08x ", (DWORD)(DWORD_PTR)x);  // x is a pointer: cast before printing it as hex
    WriteChatColor(szTemp, 2, 0);

    return 0x10;
    //return SendTramp(buf, len, x, hostshort);
}
I'm using code from some tutorial for detouring sendto(), but the packets are obfuscated, so I switched to the parent function. The tramp once again doesn't work. How do I go about finding the issue?
09/07/2013 02:48 tliu0c#5
It seems you're trying to hook a packet function? You have to clearly describe what you're trying to do and which function is which instead of just giving a chunk of code without context...

Generally, though, when I do my hooks I never use __stdcall for the trampoline function, because stdcall pops parameters at the end and can corrupt the stack. But then again, I'm not sure how you're doing your detour, so maybe this doesn't apply to you. (Are you using the Microsoft Detours library?)
09/07/2013 03:31 Clopss#6
Here's the function:

Code:
.text:00697660 ; int __stdcall SendToFunc(char *buf, int len, int, u_short hostshort)
.text:00697660 SendToFunc        proc near
.text:00697660
.text:00697660 to              = sockaddr ptr -14h
.text:00697660 var_4           = dword ptr -4
.text:00697660 buf             = dword ptr  4
.text:00697660 len             = dword ptr  8
.text:00697660 arg_8           = dword ptr  0Ch
.text:00697660 hostshort       = word ptr  10h
.text:00697660
.text:00697660                 sub     esp, 14h
.text:00697663                 mov     eax, dword_8BD320
.text:00697668                 mov     edx, dword ptr [esp+14h+hostshort]
.text:0069766C                 mov     [esp+14h+var_4], eax
.text:00697670                 mov     eax, [esp+14h+arg_8]
.text:00697674                 push    esi
.text:00697675                 mov     esi, ecx
.text:00697677                 mov     ecx, [eax]
.text:00697679                 push    edx             ; hostshort
.text:0069767A                 mov     [esp+1Ch+to.sa_family], 2
.text:00697681                 mov     dword ptr [esp+1Ch+to.sa_data+2], ecx
.text:00697685                 call    ds:htons
.text:0069768B                 mov     ecx, [esp+18h+len]
.text:0069768F                 mov     edx, [esp+18h+buf]
.text:00697693                 push    10h             ; tolen
.text:00697695                 mov     word ptr [esp+1Ch+to.sa_data], ax
.text:0069769A                 lea     eax, [esp+1Ch+to]
.text:0069769E                 push    eax             ; to
.text:0069769F                 mov     eax, [esi+4]
.text:006976A2                 push    0               ; flags
.text:006976A4                 push    ecx             ; len
.text:006976A5                 mov     ecx, [eax]
.text:006976A7                 push    edx             ; buf
.text:006976A8                 push    ecx             ; s
.text:006976A9                 call    ds:sendto
.text:006976AF                 mov     ecx, [esp+18h+var_4]
.text:006976B3                 cmp     eax, 0FFFFFFFFh
.text:006976B6                 setnz   al
.text:006976B9                 pop     esi
.text:006976BA                 call    sub_75E9C9
.text:006976BF                 add     esp, 14h
.text:006976C2                 retn    10h
.text:006976C2 SendToFunc        endp
As for the detour, I use the one built into MacroQuest, AddDetourF:

Code:
#define DetourOffset 0x697660   // address of SendToFunc from the IDA listing above
// EzDetour is already provided by the MQ2 plugin header with this definition:
//#define EzDetour(offset,detour,trampoline) AddDetourf((DWORD)offset,detour,trampoline)
PLUGIN_API VOID InitializePlugin(VOID) {
    // Logger is the plugin's std::ofstream; append to the packet log on disk.
    Logger.open( "C:\\Packets.txt", std::ios::out | std::ios::app | std::ios::ate );
    if ( Logger.tellp() > 0 ) Logger << "\n\n\n";
    Logger << "##\n## Logging Started (" << NowToString() << ")\n##\n\n\n";

    // Patch SendToFunc so calls land in SendDetour; SendTramp receives the original bytes.
    EzDetour(DetourOffset,SendDetour,SendTramp);
}
Thanks for the help. Do you think I should use MS Detours instead?
09/07/2013 06:29 Dr. Coxxy#7
It's a thiscall and not a stdcall - don't trust IDA's reversed calling convention.
09/09/2013 11:31 Tr.T!mbo#8
Remember: if you have something like "retn 10h", it can only be __stdcall or __thiscall. Some time ago there was a nice video here made by Mr.Sm!th (or so). It was in German so I barely understood it, but for you this should be fine.
09/09/2013 11:34 Dr. Coxxy#9
Quote:
Originally Posted by Tr.T!mbo View Post
Remember: if you have something like "retn 10h", it can only be __stdcall or __thiscall. Some time ago there was a nice video here made by Mr.Sm!th (or so). It was in German so I barely understood it, but for you this should be fine.
Depends heavily on the compiler used.
It could be fastcall or a custom calling convention as well.
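The listing in post #6 is what makes the diagnosis in posts #7 and #9 concrete: `mov esi, ecx` runs before anything writes `ecx`, the socket is later read through `[esi+4]`, and `retn 10h` cleans four stack arguments, so the function is a `__thiscall` with four parameters. A `__stdcall` detour never sees `this`, so the first thing the detour or trampoline does with the object is read garbage. The usual fix is to declare both detour and trampoline as `__fastcall` with a dummy second parameter standing in for `edx`. The block below is an added example, not code from the thread or from MacroQuest: the real patch (AddDetourf or MS Detours) is replaced by a function pointer, the target at 0x697660 is replaced by a constructed stand-in that records what it would have handed to sendto(), and the `HOOKCALL` macro expands to `__fastcall` only on 32-bit MSVC builds (an assumption so the file also compiles elsewhere). The object layout (`this+4` pointing at a struct whose first dword is the socket) is inferred from the listing.

```cpp
// Added example: detouring a __thiscall function with a __fastcall detour.
// Not part of the original thread or of MacroQuest.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

#if defined(_MSC_VER) && defined(_M_IX86)
#  define HOOKCALL __fastcall   // ecx = this, edx = dummy, remaining args on the stack
#else
#  define HOOKCALL              // assumption: other ABIs, keyword has no meaning here
#endif

// Object layout implied by the listing: mov eax,[esi+4]; mov ecx,[eax]; push ecx ; s
struct SocketHolder { uint32_t sock; };
struct SendObject   { uint32_t unused0; SocketHolder* holder; };

// sockaddr_in as the function builds it in its 14h-byte frame (to = -14h).
struct SockAddrIn { uint16_t family; uint16_t port_be; uint32_t addr; uint8_t zero[8]; };

static uint16_t swap16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); } // stand-in for htons

// Constructed stand-in for the code at 0x697660: same parameter order as the
// disassembly, but records the sendto() arguments instead of sending.
struct SendToCall { uint32_t sock; std::vector<char> payload; SockAddrIn to; };
static std::vector<SendToCall> g_sent;

static int HOOKCALL OriginalSendTo(SendObject* self, void* /*edx*/, char* buf, int len,
                                   uint32_t* addr, uint16_t hostshort)
{
    SockAddrIn to; memset(&to, 0, sizeof to);
    to.family  = 2;                   // mov [esp+1Ch+to.sa_family], 2  (AF_INET)
    to.addr    = *addr;               // mov ecx,[eax]; mov [to.sa_data+2], ecx
    to.port_be = swap16(hostshort);   // call ds:htons
    SendToCall c; c.sock = self->holder->sock; c.payload.assign(buf, buf + len); c.to = to;
    g_sent.push_back(c);
    return 1;                         // cmp eax,-1 / setnz al on success
}

// Trampoline type: same convention and parameter list as the target, including
// the 'this' slot. A __stdcall declaration would shift every argument by one.
typedef int (HOOKCALL *SendToFn)(SendObject*, void*, char*, int, uint32_t*, uint16_t);
static SendToFn SendTramp = &OriginalSendTo;   // a detour library points this at its stub

static std::vector<std::string> g_log;

static int HOOKCALL SendDetour(SendObject* self, void* edx, char* buf, int len,
                               uint32_t* addr, uint16_t hostshort)
{
    char line[128];
    snprintf(line, sizeof line, "len=%d addr=%08x host=%u", len, *addr, (unsigned)hostshort);
    g_log.push_back(line);
    // Forward every argument, 'this' included, to the original.
    return SendTramp(self, edx, buf, len, addr, hostshort);
}

// Driver: fake object and constructed packet, returns what the detour returned.
static int RunExample()
{
    g_sent.clear(); g_log.clear();
    SocketHolder holder = { 0x1234 };
    SendObject obj = { 0, &holder };
    char pkt[] = { 0x01, 0x02, 0x03 };                // constructed sample packet
    uint32_t ip = 0x0100007f;                         // 127.0.0.1, network byte order
    return SendDetour(&obj, nullptr, pkt, (int)sizeof pkt, &ip, 7777);
}

int main()
{
    int r = RunExample();
    printf("ret=%d %s socket=%x port_be=%04x\n", r, g_log[0].c_str(), g_sent[0].sock, g_sent[0].to.port_be);
    return 0;
}
```

In a real MacroQuest or MS Detours build only the two declarations change: `SendDetour` and `SendTramp` carry the `__fastcall` signature above, and `EzDetour(0x697660, SendDetour, SendTramp)` stays the same. The `return 0x10` from post #4 drops the packet; returning the trampoline's result keeps the client's `setnz al` success check intact.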