
Help on a particular signature
Misery
Senior Member
Join Date: Dec 2010
06-10-2012, 12:07   Help on a particular signature

Hi,

I'm trying to hook PF_WriteByte_I(). I've been able to hook PF_MessageBegin_I() and PF_MessageEnd_I() successfully, but I just cannot get WriteByte to work...
And here is why: it's a relatively short, in fact very short, function. It's more a wrapper than anything else, and all the other PF_Write[Type]_I() are based on the same skeleton, so it's hard to make a sig for it, since I end up with many memory refs. My only option was to use a displacement.

I've come to this sig:
Code:
{
	"name" : "PF_WriteByte_I",
	"library" : "engine",
	"arguments" :
	[
		{
			"type" : "int"
		}
	],
	"identifiers":
	[
		{
			"os" : "windows",
			"value" : [0xC3,0x90,"*","*","*","*","*","*","*","*","*","*","*","*","*","*","*","*",0x55,0x8B,"*",0xA1,"*","*","*","*",0x85,0xC0,0x75,"*",0x68,"*","*","*","*",0xE8,"*","*","*","*","*","*","*",0x8B,"*","*",0x50,0x68,"*","*","*","*",0xE8,"*","*","*","*",0x83,"*","*","*",0xC3],
			"displacement" : 18
		},
		{
			"os" : "linux",
			"value" : "PF_WriteByte_I"
		}
	]
}
No choice but to use a displacement. Still, the function is not working... each time my hook takes effect (i.e. when the func gets called), the server ends up crashing. Note that on Linux it works perfectly, thanks to symbolic data.

I don't really know what I'm doing wrong on the Windows part. I've used an 18-byte displacement so I could make the signature unique. But it's absolutely not working.

I'm posting the disasm here too.
As you can see, it just returns the return value of a called func.

Code:
.text:01D6ACAB                                                 loc_1D6ACAB:                            ; CODE XREF: sub_1D6AA40+33j
.text:01D6ACAB                                                                                         ; sub_1D6AA40+138j ...
.text:01D6ACAB 5F                                                              pop     edi             ; jumptable 01D6AC4F default case
.text:01D6ACAC 5E                                                              pop     esi
.text:01D6ACAD 5B                                                              pop     ebx
.text:01D6ACAE C3                                                              retn
.text:01D6ACAE                                                 sub_1D6AA40     endp
.text:01D6ACAE
.text:01D6ACAE                                                 ; ---------------------------------------------------------------------------
.text:01D6ACAF 90                                                              align 10h
.text:01D6ACB0 56 AC D6 01 5C AC D6 01 78 AC D6 01 93 AC D6 01 off_1D6ACB0     dd offset loc_1D6AC56   ; DATA XREF: sub_1D6AA40+20Fr
.text:01D6ACB0                                                                 dd offset loc_1D6AC5C   ; jump table for switch statement
.text:01D6ACB0                                                                 dd offset loc_1D6AC78
.text:01D6ACB0                                                                 dd offset loc_1D6AC93
.text:01D6ACC0
.text:01D6ACC0                                                 ; =============== S U B R O U T I N E =======================================
.text:01D6ACC0
.text:01D6ACC0                                                 ; Attributes: bp-based frame
.text:01D6ACC0
.text:01D6ACC0                                                 sub_1D6ACC0     proc near               ; CODE XREF: sub_1D54F80+141p
.text:01D6ACC0                                                                                         ; sub_1D55150+17Fp
.text:01D6ACC0                                                                                         ; DATA XREF: ...
.text:01D6ACC0
.text:01D6ACC0                                                 arg_0           = dword ptr  8
.text:01D6ACC0
.text:01D6ACC0 55                                                              push    ebp
.text:01D6ACC1 8B EC                                                           mov     ebp, esp
.text:01D6ACC3 A1 B4 27 03 02                                                  mov     eax, dword_20327B4
.text:01D6ACC8 85 C0                                                           test    eax, eax
.text:01D6ACCA 75 0D                                                           jnz     short loc_1D6ACD9
.text:01D6ACCC 68 C0 B3 E5 01                                                  push    offset aWrite_byteCall ; "WRITE_BYTE called with no active messag"...
.text:01D6ACD1 E8 4A 14 04 00                                                  call    sub_1DAC120
.text:01D6ACD1                                                 ; ---------------------------------------------------------------------------
.text:01D6ACD6 83                                                              db  83h ; â
.text:01D6ACD7 C4                                                              db 0C4h ; -
.text:01D6ACD8 04                                                              db    4
.text:01D6ACD9                                                 ; ---------------------------------------------------------------------------
.text:01D6ACD9
.text:01D6ACD9                                                 loc_1D6ACD9:                            ; CODE XREF: sub_1D6ACC0+Aj
.text:01D6ACD9 8B 45 08                                                        mov     eax, [ebp+arg_0]
.text:01D6ACDC 50                                                              push    eax
.text:01D6ACDD 68 FC A7 E5 01                                                  push    offset off_1E5A7FC
.text:01D6ACE2 E8 A9 AF FC FF                                                  call    sub_1D35C90
.text:01D6ACE7 83 C4 08                                                        add     esp, 8
.text:01D6ACEA 5D                                                              pop     ebp
.text:01D6ACEB C3                                                              retn
.text:01D6ACEB                                                 sub_1D6ACC0     endp
.text:01D6ACEB
.text:01D6ACEB                                                 ; ---------------------------------------------------------------------------
.text:01D6ACEC 90 90 90 90                                                     align 10h
Function starts at sub_1D6ACC0().


I was wondering if anyone could help me making it work. Note it's a tricky one... There is something I'm probably missing.

I wasn't sure about the arg type either. I know it's a WriteByte (hence it could be char), but I made it an int there... I tried with char in the sig too, but it doesn't work any better.

Thanks!

Misery

Last edited by Misery; 06-10-2012 at 12:41.
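The following is an added example, not code from the post or from the hooking framework it targets. It checks the posted signature offline against a byte image constructed from the hex column of the IDA listing above: it finds the match, applies the 18-byte displacement, confirms the resolved address carries the `push ebp; mov ebp, esp` prologue IDA reported, and decodes the two `call` rel32 targets so they can be compared with `sub_1DAC120` and `sub_1D35C90`. It also appends a constructed sibling wrapper (same skeleton, different immediates, no jump table in front) to show why the `C3 90` + jump-table prefix is what makes the signature unique. The sibling bytes and the `call_targets` byte scan (not a real decoder) are assumptions of this example.

```python
import re
import struct

# Constructed from the hex column of the IDA listing in the post:
# 01D6ACAB (pop edi) through the four-byte align at 01D6ACEC.
BASE = 0x01D6ACAB
DUMP = bytes.fromhex(
    "5F 5E 5B C3 90 "                                    # pop edi/esi/ebx; retn; align
    "56 AC D6 01 5C AC D6 01 78 AC D6 01 93 AC D6 01 "   # switch jump table (16 bytes)
    "55 8B EC A1 B4 27 03 02 85 C0 75 0D "               # push ebp; mov ebp,esp; mov eax,[..]; test; jnz
    "68 C0 B3 E5 01 E8 4A 14 04 00 83 C4 04 "            # push offset str; call; add esp,4
    "8B 45 08 50 68 FC A7 E5 01 E8 A9 AF FC FF 83 C4 08 5D C3 "
    "90 90 90 90 "
)

# Constructed sibling: same wrapper skeleton, other immediates, no jump table before it.
# Stands in for the other PF_Write*_I wrappers the post says share this shape.
SIBLING = bytes.fromhex(
    "5D C3 90 90 90 90 "
    "55 8B EC A1 B8 27 03 02 85 C0 75 0D "
    "68 C8 B3 E5 01 E8 00 00 00 00 83 C4 04 "
    "8B 45 08 50 68 00 A8 E5 01 E8 00 00 00 00 83 C4 08 5D C3 "
    "90 90 90 90 "
)
IMAGE = DUMP + SIBLING

# The signature exactly as posted ("*" = wildcard byte).
PATTERN = [0xC3, 0x90] + ["*"] * 16 + [
    0x55, 0x8B, "*", 0xA1, "*", "*", "*", "*", 0x85, 0xC0, 0x75, "*",
    0x68, "*", "*", "*", "*", 0xE8, "*", "*", "*", "*", "*", "*", "*",
    0x8B, "*", "*", 0x50, 0x68, "*", "*", "*", "*", 0xE8, "*", "*", "*", "*",
    0x83, "*", "*", "*", 0xC3,
]
DISPLACEMENT = 18
FUNC_LEN = 44  # bytes from push ebp (01D6ACC0) to retn (01D6ACEB) inclusive


def compile_pattern(pattern):
    """Turn the int/"*" list into a bytes regex; the lookahead yields overlapping hits."""
    body = b"".join(b"." if tok == "*" else re.escape(bytes([tok])) for tok in pattern)
    return re.compile(b"(?=" + body + b")", re.DOTALL)


def find_matches(image, pattern):
    """All offsets at which the signature matches."""
    return [m.start() for m in compile_pattern(pattern).finditer(image)]


def fixed_byte_count(pattern):
    """How many bytes of the signature are actually pinned (the rest are wildcards)."""
    return sum(1 for tok in pattern if tok != "*")


def resolve_function(image, pattern, displacement, base):
    """Apply the displacement to a unique match; refuse ambiguous or missing signatures."""
    hits = find_matches(image, pattern)
    if len(hits) != 1:
        raise ValueError(f"signature matched {len(hits)} times, expected exactly 1")
    return base + hits[0] + displacement


def is_prologue(image, offset):
    """push ebp; mov ebp, esp (55 8B EC): the bp-based frame IDA reported."""
    return image[offset:offset + 3] == b"\x55\x8b\xec"


def call_targets(image, base, start, length):
    """Decode E8 rel32 calls in [start, start+length). Byte scan, not a decoder:
    adequate here because the only E8 bytes in this wrapper are call opcodes."""
    targets, pos, end = [], start, start + length
    while pos < end:
        if image[pos] == 0xE8 and pos + 5 <= end:
            rel = struct.unpack_from("<i", image, pos + 1)[0]
            targets.append((base + pos + 5 + rel) & 0xFFFFFFFF)
            pos += 5
        else:
            pos += 1
    return targets


if __name__ == "__main__":
    func = resolve_function(DUMP, PATTERN, DISPLACEMENT, BASE)
    off = func - BASE
    print(f"function start {func:08X}, prologue ok: {is_prologue(DUMP, off)}")
    print("call targets:", [f"{t:08X}" for t in call_targets(DUMP, BASE, off, FUNC_LEN)])
    print("pinned bytes:", fixed_byte_count(PATTERN), "of", len(PATTERN))
    print("full sig hits:", find_matches(IMAGE, PATTERN),
          "skeleton-only hits:", find_matches(IMAGE, PATTERN[18:]))
```

Against the constructed image the full signature hits once and the displacement lands on `01D6ACC0`, the prologue is in place, and the decoded calls are `01DAC120` and `01D35C90`, so the signature and displacement agree with the listing. The skeleton-only part of the signature (everything after the 18-byte prefix) hits both wrappers, which is the ambiguity the prefix was added to remove; only 16 of the 62 bytes are pinned, so a check like this is worth running against the actual binary image before trusting the hook.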