Hi,
I'm trying to hook PF_WriteByte_I(). I've been able to hook PF_MessageBegin_I() and PF_MessageEnd_I() successfully, but I just cannot get WriteByte to work...
And here's why: it's a relatively short, in fact very short function. It's more a wrapper than anything else, and all the other PF_Write[Type]_I() are based on the same skeleton, so it's hard to make a sig for it, since I end up with many memory refs. My only option was to use a displacement.
I've come up with this sig:
Code:
{
"name" : "PF_WriteByte_I",
"library" : "engine",
"arguments" :
[
{
"type" : "int"
}
],
"identifiers":
[
{
"os" : "windows",
"value" : [0xC3,0x90,"*","*","*","*","*","*","*","*","*","*","*","*","*","*","*","*",0x55,0x8B,"*",0xA1,"*","*","*","*",0x85,0xC0,0x75,"*",0x68,"*","*","*","*",0xE8,"*","*","*","*","*","*","*",0x8B,"*","*",0x50,0x68,"*","*","*","*",0xE8,"*","*","*","*",0x83,"*","*","*",0xC3],
"displacement" : 18
},
{
"os" : "linux",
"value" : "PF_WriteByte_I"
}
]
}
No choice but to use a displacement. Still, the function is not working... each time my hook takes effect (i.e. when the func gets called), the server ends up crashing. Note that on Linux it works perfectly, thanks to symbolic data.
I don't really know what I'm doing wrong on the Windows part. I've used an 18-byte displacement so I could make the signature unique. But it's absolutely not working.
I'm posting the disasm here too.
As you can see, it just returns the return value of a called func.
Code:
.text:01D6ACAB loc_1D6ACAB: ; CODE XREF: sub_1D6AA40+33j
.text:01D6ACAB ; sub_1D6AA40+138j ...
.text:01D6ACAB 5F pop edi ; jumptable 01D6AC4F default case
.text:01D6ACAC 5E pop esi
.text:01D6ACAD 5B pop ebx
.text:01D6ACAE C3 retn
.text:01D6ACAE sub_1D6AA40 endp
.text:01D6ACAE
.text:01D6ACAE ; ---------------------------------------------------------------------------
.text:01D6ACAF 90 align 10h
.text:01D6ACB0 56 AC D6 01 5C AC D6 01 78 AC D6 01 93 AC D6 01 off_1D6ACB0 dd offset loc_1D6AC56 ; DATA XREF: sub_1D6AA40+20Fr
.text:01D6ACB0 dd offset loc_1D6AC5C ; jump table for switch statement
.text:01D6ACB0 dd offset loc_1D6AC78
.text:01D6ACB0 dd offset loc_1D6AC93
.text:01D6ACC0
.text:01D6ACC0 ; =============== S U B R O U T I N E =======================================
.text:01D6ACC0
.text:01D6ACC0 ; Attributes: bp-based frame
.text:01D6ACC0
.text:01D6ACC0 sub_1D6ACC0 proc near ; CODE XREF: sub_1D54F80+141p
.text:01D6ACC0 ; sub_1D55150+17Fp
.text:01D6ACC0 ; DATA XREF: ...
.text:01D6ACC0
.text:01D6ACC0 arg_0 = dword ptr 8
.text:01D6ACC0
.text:01D6ACC0 55 push ebp
.text:01D6ACC1 8B EC mov ebp, esp
.text:01D6ACC3 A1 B4 27 03 02 mov eax, dword_20327B4
.text:01D6ACC8 85 C0 test eax, eax
.text:01D6ACCA 75 0D jnz short loc_1D6ACD9
.text:01D6ACCC 68 C0 B3 E5 01 push offset aWrite_byteCall ; "WRITE_BYTE called with no active messag"...
.text:01D6ACD1 E8 4A 14 04 00 call sub_1DAC120
.text:01D6ACD1 ; ---------------------------------------------------------------------------
.text:01D6ACD6 83 db 83h ; â
.text:01D6ACD7 C4 db 0C4h ; -
.text:01D6ACD8 04 db 4
.text:01D6ACD9 ; ---------------------------------------------------------------------------
.text:01D6ACD9
.text:01D6ACD9 loc_1D6ACD9: ; CODE XREF: sub_1D6ACC0+Aj
.text:01D6ACD9 8B 45 08 mov eax, [ebp+arg_0]
.text:01D6ACDC 50 push eax
.text:01D6ACDD 68 FC A7 E5 01 push offset off_1E5A7FC
.text:01D6ACE2 E8 A9 AF FC FF call sub_1D35C90
.text:01D6ACE7 83 C4 08 add esp, 8
.text:01D6ACEA 5D pop ebp
.text:01D6ACEB C3 retn
.text:01D6ACEB sub_1D6ACC0 endp
.text:01D6ACEB
.text:01D6ACEB ; ---------------------------------------------------------------------------
.text:01D6ACEC 90 90 90 90 align 10h
Function starts at sub_1D6ACC0().
I was wondering if anyone could help me make it work. Note it's a tricky one... There is something I'm probably missing.
I wasn't sure about the arg type either. I know it's a WriteByte (hence it could be a char), but I made it an int there... I tried with char in the sig too, but it's not working any better.
Thanks!
Misery
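As an added check (my own example, not the poster's code and not Orpheu's internals): a small Python scanner that applies the posted Windows signature and its 18-byte displacement to the bytes transcribed from the IDA listing above, and reports where the resolved address lands. The helper names find_sig, resolve and is_bp_prologue are mine; the byte dump is copied from the listing, and the pattern mirrors the "value" array in the post.

```python
# Added example, not code from the original post or from Orpheu: a minimal
# signature scanner that mirrors the "*" wildcard + displacement scheme,
# run over bytes transcribed from the IDA listing above (01D6ACAB..01D6ACEF).
BASE = 0x01D6ACAB
DUMP = bytes.fromhex(
    "5F 5E 5B C3 90"                                   # tail of sub_1D6AA40 + align
    "56 AC D6 01 5C AC D6 01 78 AC D6 01 93 AC D6 01"  # off_1D6ACB0 jump table (data)
    "55 8B EC A1 B4 27 03 02 85 C0 75 0D"              # sub_1D6ACC0: prologue, test, jnz
    "68 C0 B3 E5 01 E8 4A 14 04 00 83 C4 04"           # push msg; call; add esp,4 (db in IDA)
    "8B 45 08 50 68 FC A7 E5 01 E8 A9 AF FC FF"        # loc_1D6ACD9: push arg; push; call
    "83 C4 08 5D C3 90 90 90 90"                       # add esp,8; pop ebp; retn; align
)

# Same structure as the Windows "value" in the post; "*" matches any byte.
SIG = ([0xC3, 0x90] + ["*"] * 16                       # retn + nop, then the jump table
       + [0x55, 0x8B, "*", 0xA1] + ["*"] * 4
       + [0x85, 0xC0, 0x75, "*", 0x68] + ["*"] * 4
       + [0xE8] + ["*"] * 7                            # call rel32 + the 3 db bytes
       + [0x8B, "*", "*", 0x50, 0x68] + ["*"] * 4
       + [0xE8] + ["*"] * 4
       + [0x83, "*", "*", "*", 0xC3])
DISPLACEMENT = 18

def find_sig(buf, sig):
    """Return every offset in buf where sig matches ('*' is a wildcard)."""
    return [off for off in range(len(buf) - len(sig) + 1)
            if all(p == "*" or buf[off + i] == p for i, p in enumerate(sig))]

def resolve(buf, base, sig, displacement):
    """Address the signature resolves to, or None unless there is exactly one hit."""
    hits = find_sig(buf, sig)
    return base + hits[0] + displacement if len(hits) == 1 else None

def is_bp_prologue(buf, base, addr):
    """True if addr points at 'push ebp; mov ebp, esp' (55 8B EC)."""
    off = addr - base
    return off >= 0 and buf[off:off + 3] == b"\x55\x8B\xEC"

if __name__ == "__main__":
    hits = [hex(BASE + h) for h in find_sig(DUMP, SIG)]
    addr = resolve(DUMP, BASE, SIG, DISPLACEMENT)
    print(f"signature hits: {hits}")
    print(f"resolved: {addr:#010x}, bp-based prologue there: {is_bp_prologue(DUMP, BASE, addr)}")
```

On this transcription the pattern matches once, at 01D6ACAE, and the displacement lands on the 55 8B EC prologue of sub_1D6ACC0, so the bytes and offset themselves check out; the same scan run against the live engine.dll image would show whether the pattern is also unique there.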