AlliedModders

AlliedModders (https://forums.alliedmods.net/index.php)
-   Scripting (https://forums.alliedmods.net/forumdisplay.php?f=107)
-   -   Solved Crash on DHook detouring (dhooks.ext.dll + 0xc3e0) (https://forums.alliedmods.net/showthread.php?t=311939)

Addie 11-09-2018 03:24

Crash on DHook detouring (dhooks.ext.dll + 0xc3e0)
 
I'm trying to get the address of a function from its caller function, to set up a detour for it. It looks like this:

CNMRiH_GameRules::CleanAndResetMap(void) + E4 == call CEventQueue::Clear(void)

Both are non-virtual so I'm using DHooks with Experimental Dynamic Detours. I set up my gamedata to look like this:

PHP Code:

"Games"
{
    "nmrih"
    {
        "Addresses"
        {
            "CEventQueue::Clear"
            {
                "windows"
                {
                    "signature" "CNMRiH_GameRules::CleanAndResetMap"    // Tells it to use this signature, which is in the Signatures block
                    "read"      "228"                                    // Tells it to read 228 bytes and get the pointer for what is here
                }
                //"linux" {}
            }
        }

        "Signatures"
        {
            /* Used solely to get the offset for CEventQueue::Clear */
            "CNMRiH_GameRules::CleanAndResetMap"
            {
                "library" "server"
                "windows" "\x55\x8B\xEC\xA1****\x83\xEC\x24\x83\x78\x30\x00\x56\x57"
                "linux"   "@_ZN16CNMRiH_GameRules16CleanAndResetMapEv"
            }
        }
    }
}

And this is my script:

PHP Code:

#include <sourcemod>
#include <sdktools>
#include <dhooks>

#define DHOOK_PRE  false
#define DHOOK_POST true

Handle hClear;

public void OnPluginStart()
{
    Handle hGameData = LoadGameConfigFile("EQC.games");
    if (!hGameData)
        SetFailState("Couldn't find EQC.games gamedata.");

    // Setup detour on CEventQueue::Clear (address is filled in from gamedata below)
    hClear = DHookCreateDetour(Address_Null, CallConv_THISCALL, ReturnType_Void, ThisPointer_Address);
    if (!hClear)
        SetFailState("Failed to set up detour for CEventQueue::Clear");

    // Load the address of the function from EQC's address gamedata file.
    if (!DHookSetFromConf(hClear, hGameData, SDKConf_Address, "CEventQueue::Clear"))
        SetFailState("Failed to load CEventQueue::Clear address from gamedata");

    // Add a pre hook on the function.
    if (!DHookEnableDetour(hClear, DHOOK_PRE, Detour_OnEventQueueClear))
        SetFailState("Failed to detour CEventQueue::Clear");

    PrintToServer("CEventQueue::Clear detoured!");
}

public MRESReturn Detour_OnEventQueueClear(Address pThis, Handle hReturn, Handle hParams)
{
    PrintToServer("CEventQueue::Clear called");
    // Do stuff
    return MRES_Ignored;
}

However, it seems to crash the server the moment I start it.

https://crash.limetech.org/sselqyxocfdi
https://crash.limetech.org/zltfxqe7oabw

Am I doing something wrong here? The signature is confirmed valid
Thanks

Benoist3012 11-09-2018 04:27

Re: Crash on DHook detouring (dhooks.ext.dll + 0xc3e0)
 
PHP Code:

"Games"
{
    "nmrih"
    {
        "Addresses"
        {
            "CEventQueue::Clear"
            {
                "windows"
                {
                    "signature" "CNMRiH_GameRules::CleanAndResetMap"    // Tells it to use this signature, which is in the Signatures block
                    "read"      "228"                                    // Tells it to read 228 bytes and get the pointer for what is here
                }
                //"linux" {}
                "read" "0"
            }
        }

        "Signatures"
        {
            /* Used solely to get the offset for CEventQueue::Clear */
            "CNMRiH_GameRules::CleanAndResetMap"
            {
                "library" "server"
                "windows" "\x55\x8B\xEC\xA1****\x83\xEC\x24\x83\x78\x30\x00\x56\x57"
                "linux"   "@_ZN16CNMRiH_GameRules16CleanAndResetMapEv"
            }
        }
    }
}

Add "read" "0" this shall fix your issue.
https://wiki.alliedmods.net/SDKTools...ddress_lookups

Edit:
Location in sourcemod code where this is done https://github.com/alliedmodders/sou...pp#L1031#L1047

Addie 11-09-2018 05:40

Re: Crash on DHook detouring (dhooks.ext.dll + 0xc3e0)
 
Thank you, I've fixed that together with a wrong offset calculation (now 244 instead of 228)

Unfortunately, it's still crashing, now on sourcemod.logic.dll!CGameConfig::GetAddress instead:
https://crash.limetech.org/hhvmep4pdgdl

I'm not sure what's up with that. The offset is definitely correct this time:

https://i.imgur.com/L6dWmQu.png

PHP Code:

"CEventQueue::Clear"
{
    "windows"
    {
        "signature" "CNMRiH_GameRules::CleanAndResetMap"
        "read"      "244"
    }
    //"linux" {}
    "read" "0"
}

(The page also added "offset" "4", so I tried with that as well.)

hmmmmm 11-09-2018 17:08

Re: Crash on DHook detouring (dhooks.ext.dll + 0xc3e0)
 
Any chance you can send the IDB?

Fyren 11-09-2018 17:54

Re: Crash on DHook detouring (dhooks.ext.dll + 0xc3e0)
 
"Read" isn't for offsets, it's for indirections.

Addie 11-09-2018 19:46

Re: Crash on DHook detouring
 
Quote:

Originally Posted by Fyren (Post 2623317)
"Read" isn't for offsets, it's for indirections.

Alright bear with me, I'm still pretty new to this; If the offset doesn't go there, where should I specify it?

Thanks for the hints so far

Addie 11-09-2018 22:13

Re: Crash on DHook detouring (dhooks.ext.dll + 0xc3e0)
 
Marking as solved, as I managed to get my hands on a unique signature for the target function (thanks Ryan!). This approach is no longer needed.

Fyren 11-10-2018 00:17

Re: Crash on DHook detouring (dhooks.ext.dll + 0xc3e0)
 
I was wrong in my earlier reply. Read and offset entries are equivalent.

Though you found an alternate solution, in case someone happens to want the info:

If you have a signature for a function, and 0xF4 bytes into that function is a call instruction, then addressOf(sig) + 0xF4 does not hold the target of the call. First, there's an 0xE8 for the call's opcode, then a relative offset for the target. It's relative to the next instruction.

So, the offset is at addressOf(sig) + 0xF5. You'd have to get what's at that address (you could use a "read" "0" like Benoist said) and add it to addressOf(sig) + 0xF4 + 0x5. The 0x5 is because the call instruction is 5 bytes long, so that's the address of the next instruction.
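
Worked example of the arithmetic in the two replies above (Benoist's "read" "0" dereference and Fyren's rel32 explanation). This is an added illustration, not code from the thread, from DHooks or from SourceMod: it builds a constructed 32-bit image at a made-up base (BASE, CALLEE_RVA and CALLER_RVA are assumptions; only the 0xF4 call-site offset comes from the thread), models what a gamedata "read"/"offset" chain yields when pointed at a call site (the add-then-dereference semantics are assumed from the thread and the SDKTools gamedata wiki), and then decodes the E8 rel32 properly, including the negative-displacement case, which the text does not spell out and which goes wrong if the displacement is read as unsigned.

```python
import struct

# Constructed 32-bit layout (assumption for this example, not taken from the
# thread): a flat image loaded at BASE. The callee is placed *below* the
# caller so the call's rel32 is negative, the case that goes wrong if the
# displacement is read as unsigned.
BASE = 0x10000000
CALLEE_RVA = 0x1000       # stands in for CEventQueue::Clear
CALLER_RVA = 0x2000       # stands in for CNMRiH_GameRules::CleanAndResetMap
CALL_SITE_OFF = 0xF4      # the call is 0xF4 bytes into the caller (from the thread)
CALL_LEN = 5              # E8 rel32: one opcode byte plus a 4-byte displacement


def build_image():
    """Build the constructed image: int3 filler plus one correctly encoded
    `call` whose displacement is relative to the *next* instruction."""
    img = bytearray(b"\xCC" * 0x3000)
    call_site = CALLER_RVA + CALL_SITE_OFF
    rel32 = CALLEE_RVA - (call_site + CALL_LEN)     # target - next_insn
    img[call_site] = 0xE8
    img[call_site + 1:call_site + CALL_LEN] = struct.pack("<i", rel32)
    return img


def read_u32(img, addr):
    """One gamedata-style "read": load the 4-byte little-endian value at addr."""
    return struct.unpack_from("<I", img, addr - BASE)[0]


def follow_reads(img, addr, reads):
    """Model of a SourceMod Addresses entry: start at the signature's address
    and, for each "read"/"offset" N, add N then dereference a pointer there
    (assumed semantics, based on the thread and the SDKTools gamedata wiki)."""
    for n in reads:
        addr = read_u32(img, addr + n)
    return addr


def resolve_rel32(img, insn_addr):
    """Decode a near call (E8) or near jmp (E9) at insn_addr and return its
    absolute target: next instruction address plus the sign-extended rel32.
    Refusing anything else is the check that turns a stale signature into an
    error instead of a wild pointer."""
    opcode = img[insn_addr - BASE]
    if opcode not in (0xE8, 0xE9):
        raise ValueError(f"no rel32 call/jmp at {insn_addr:#010x}: opcode {opcode:#04x}")
    rel32 = struct.unpack_from("<i", img, insn_addr - BASE + 1)[0]
    return (insn_addr + CALL_LEN + rel32) & 0xFFFFFFFF


def compare():
    """Return (what "read" "244" yields, what "read" "245" yields, the real target)."""
    img = build_image()
    sig = BASE + CALLER_RVA                  # what the "signature" entry resolves to
    wrong_ptr = follow_reads(img, sig, [CALL_SITE_OFF])      # E8 plus 3 bytes of rel32
    raw_rel = follow_reads(img, sig, [CALL_SITE_OFF + 1])    # the rel32 alone, unsigned
    target = resolve_rel32(img, sig + CALL_SITE_OFF)
    return wrong_ptr, raw_rel, target


if __name__ == "__main__":
    wrong_ptr, raw_rel, target = compare()
    print(f'"read" "244" -> {wrong_ptr:#010x}  (not an address in the image)')
    print(f'"read" "245" -> {raw_rel:#010x}  (rel32, not yet added to next_insn)')
    print(f"resolved     -> {target:#010x}  (== BASE + CALLEE_RVA: {target == BASE + CALLEE_RVA})")
```

The point the example makes concrete is that an Addresses entry can only add offsets and dereference; it has no way to add the result back to the next-instruction address, so no combination of "read"/"offset" turns a call site into its target, and detouring the value it does produce is what crashes the server. In a plugin the same arithmetic is GameConfGetAddress for the signature, LoadFromAddress(sig + view_as<Address>(0xF5), NumberType_Int32) for the displacement (it comes back as a signed 32-bit cell, so the sign extension is free), adding that to sig + 0xF4 + 5, and passing the result as the first argument of DHookCreateDetour instead of calling DHookSetFromConf; check that the byte at sig + 0xF4 is really 0xE8 first, as resolve_rel32 does.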

hmmmmm 11-10-2018 05:35

Re: Crash on DHook detouring
 
Glad you solved it :)

Quote:

Originally Posted by Addie (Post 2623328)
It created an i64 file instead, does that work?

For reference, an i64 is just an IDB created by the x64 version of IDA for x64 binaries.

Addie 11-10-2018 10:33

Re: Crash on DHook detouring (dhooks.ext.dll + 0xc3e0)
 
Quote:

Originally Posted by Fyren (Post 2623352)
I was wrong in my earlier reply. Read and offset entries are equivalent.

Though you found an alternate solution, in case someone happens to want the info:

If you have a signature for a function, and 0xF4 bytes into that function is a call instruction, then addressOf(sig) + 0xF4 does not hold the target of the call. First, there's an 0xE8 for the call's opcode, then a relative offset for the target. It's relative to the next instruction.

So, the offset is at addressOf(sig) + 0xF5. You'd have to get what's at that address (you could use a "read" "0" like Benoist said) and add it to addressOf(sig) + 0xF4 + 0x5. The 0x5 is because the call instruction is 5 bytes long, so that's the address of the next instruction.

Thanks for clearing that up, I'll keep it in mind for future use

