[INFO] Hooking without extension
BHaType (Great Tester of Whatever, joined Jun 2018)
08-27-2020, 04:56   [INFO] Hooking without extension   #1

Introduction

I think many people believe that it is impossible to create a hook from a plugin without an extension, but in fact this is not the case, and in this topic I will show you how to hook a normal function without using an extension.

Notes
  • This method is provided simply as information and not as an alternative
  • It is very difficult to make such a hook, and you need to understand ASM very well
  • If the hook crashes, it is very difficult to understand what exactly is causing the crash, which is also a minus
  • This topic uses Source Scramble, but this hook can also be done without it
  • There is also a great replacement for Source Scramble that will save you from the first stage

Stages
  1. You need to get the base addresses of server.dll and sourcemod.logic.dll
  2. Get the plugin's callback address
  3. Create a hook
  4. Create an original function (optional)

Getting base addresses

There is already a topic on the forum about how to get the PEB, so we will skip this part.
The PEB stores modules in a ladder order (a linked list), so we need to go through all the steps to find the necessary modules.

This is C++ code and we need to do the same via sourcemod.


And we should get something like this (This is just an example and you can rewrite it as you want).


Now we need to get the module name and its address, but the problem is that the module names are stored in Unicode format, so I created a function that allows reading Unicode, but it's not perfect.



It remains to add StrEqual and save the found modules, so we go to the next stage.

Getting callback address

Now we need to create a callback through which you can get another callback that will already be set to the hook.
You can use any sourcemod function to do this.
I chose SortFloats.

The offset of this function is 33C0

To pass an argument to the callback, you need to write the passing of the argument and the call of the function manually using ASM.
I have already written a ready-made ASM that should work on any sourcemod function.

Code:
 8B 44 24 08 56 57 8B 7C 24 0C 8B CF FF 70 08 8B 17 FF 92 88 00 00 00 8B F0 57 8B CE 8B 16 FF 12 8B 16 8D 44 24 0C 50 8B CE FF 52 20 5F 33 C0 5E C3
This is the same as the function below.
The second argument of this function will take the index of the callback, which will be passed via the plugin.

Code:
cell_t context(IPluginContext *pContext, const cell_t *params)
{
    cell_t result;

    // pass the plugin context to the plugin-side callback as a cell
    pFunc->PushCell((cell_t)pContext);
    pFunc->Execute(&result);

    return 0;
}

It's time to start getting the callback.

I'll add that I'm using the UTIL_SetModel function as an example.

Creating hook

Now that the callback has been found, it remains to create a hook.
Our hook means that the UTIL_SetModel function will create a call to our plugin's function and pass parameters to it.


Creating an SDK which calls the original code (optional)

As you can see, our hook works, but the original code is not called, which means the UTIL_SetModel function just outputs a message, so you need to create an SDK that will call the original code.
In general there are two ways to solve this problem: the first is to create the SDK, and the second is to rewrite the meaning of the original function in our hook.

I will follow the path of creating the SDK.
Creating an original code call via the SDK is not universal and is not suitable for every function.

The best way for me is to create a jump through a relative address.


Ending...

I repeat that this is not an alternative.
All this can be done without Source Scramble, but without it you will have to use gamedata and search for dummy/unused functions/memory.

Just some test
Attached Files
hook.sp (9.0 KB)
__________________
cry

Last edited by BHaType; 09-27-2020 at 20:01.
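The module walk from the first stage, as an added example in C that is not part of BHaType's plugin: it uses simplified stand-in structures for the PEB loader list (the real declarations come from the Windows headers), narrows the UTF-16LE BaseDllName to ASCII so a plain string compare works, and walks a constructed list to find server.dll and sourcemod.logic.dll by name. The module bases are made-up sample values.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-ins for the ntdll structures (real layouts come from the
 * Windows headers); the list links are the first member of each entry. */
typedef struct ListEntry { struct ListEntry *Flink, *Blink; } ListEntry;
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } UnicodeStr;
typedef struct {
    ListEntry  InLoadOrderLinks;  /* entry in PEB->Ldr->InLoadOrderModuleList */
    void      *DllBase;
    UnicodeStr BaseDllName;       /* UTF-16LE, e.g. L"server.dll" */
} LdrEntry;
/* Narrow the UTF-16LE name to ASCII. Length is in bytes (Length / 2 code
 * units); a non-ASCII code unit becomes '?' rather than being dropped. */
static void narrow_name(const UnicodeStr *u, char *out, size_t cap) {
    size_t n = u->Length / 2;
    if (n >= cap) n = cap - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = u->Buffer[i] < 0x80 ? (char)u->Buffer[i] : '?';
    out[n] = '\0';
}
static int name_eq(const char *a, const char *b) {  /* case-insensitive */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
/* Walk the list from its head; return DllBase of the match, NULL if absent. */
void *find_module(const ListEntry *head, const char *want) {
    for (const ListEntry *e = head->Flink; e != head; e = e->Flink) {
        const LdrEntry *m = (const LdrEntry *)e;
        char name[64];
        narrow_name(&m->BaseDllName, name, sizeof name);
        if (name_eq(name, want)) return m->DllBase;
    }
    return NULL;
}
/* Constructed three-module list with made-up bases so the walk runs off-line. */
static uint16_t g_wide[3][32]; static LdrEntry g_mods[3]; static ListEntry g_head;
const ListEntry *build_sample_list(void) {
    const char *names[3] = { "ntdll.dll", "Server.dll", "sourcemod.logic.dll" };
    const uintptr_t bases[3] = { 0x77000000u, 0x10000000u, 0x0F000000u };
    for (int i = 0; i < 3; i++) {
        size_t len = strlen(names[i]);
        for (size_t j = 0; j < len; j++) g_wide[i][j] = (uint16_t)names[i][j];
        g_mods[i].BaseDllName = (UnicodeStr){ (uint16_t)(len * 2), (uint16_t)(len * 2 + 2), g_wide[i] };
        g_mods[i].DllBase = (void *)bases[i];
        g_mods[i].InLoadOrderLinks.Flink = i < 2 ? &g_mods[i + 1].InLoadOrderLinks : &g_head;
        g_mods[i].InLoadOrderLinks.Blink = i > 0 ? &g_mods[i - 1].InLoadOrderLinks : &g_head;
    }
    g_head.Flink = &g_mods[0].InLoadOrderLinks; g_head.Blink = &g_mods[2].InLoadOrderLinks;
    return &g_head;
}
```

The loader keeps the on-disk casing of the name ("Server.dll" here), which is why the compare is case-insensitive.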
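The relative-jump part of the last stage, as an added example in C (not the plugin's code): it encodes the 5-byte x86 `jmp rel32` used both to patch the hooked function and to jump from the trampoline back into the original past the patch, refuses a displacement that does not fit in 32 bits, and decodes the result to verify where each jump lands. The function bytes and addresses are constructed, and the displaced 5 bytes are assumed to end on an instruction boundary.

```c
#include <stdint.h>
#include <string.h>
#define JMP_LEN 5  /* x86 `jmp rel32`: E9 + 4-byte displacement */

/* Encode `jmp rel32` at `from` landing on `to`. The displacement is relative
 * to the end of the instruction (from + 5) and must fit in a signed 32-bit
 * value; returns 0 when the target is out of reach (a 64-bit hazard). */
int encode_jmp_rel32(uint8_t out[JMP_LEN], uint64_t from, uint64_t to) {
    int64_t disp = (int64_t)to - (int64_t)(from + JMP_LEN);
    if (disp < INT32_MIN || disp > INT32_MAX) return 0;
    int32_t rel = (int32_t)disp;
    out[0] = 0xE9;
    memcpy(out + 1, &rel, sizeof rel);   /* little-endian immediate */
    return 1;
}

/* Where does a `jmp rel32` located at `at` continue? (used to verify) */
uint64_t decode_jmp_rel32(const uint8_t ins[JMP_LEN], uint64_t at) {
    int32_t rel;
    memcpy(&rel, ins + 1, sizeof rel);
    return (uint64_t)((int64_t)at + JMP_LEN + rel);
}

/* The two pieces of the detour: the patched prologue of the hooked function
 * and a trampoline holding the displaced bytes plus a jmp back past the patch.
 * The displaced bytes must end on an instruction boundary. */
typedef struct {
    uint8_t func[16];                  /* constructed copy of the function start */
    uint8_t tramp[JMP_LEN + JMP_LEN];  /* displaced bytes + jmp back */
} Detour;

int build_detour(Detour *d, uint64_t func_addr, uint64_t tramp_addr, uint64_t hook_addr) {
    /* constructed prologue: push ebp; mov ebp,esp; push ebx; push esi (exactly
     * 5 bytes), then push edi; mov edi,[ebp+8]; test edi,edi; je; mov eax,[ebp+0Ch] */
    static const uint8_t proto[16] = { 0x55, 0x8B, 0xEC, 0x53, 0x56, 0x57, 0x8B, 0x7D,
                                       0x08, 0x85, 0xFF, 0x74, 0x10, 0x8B, 0x45, 0x0C };
    memcpy(d->func, proto, sizeof proto);
    memcpy(d->tramp, d->func, JMP_LEN);            /* keep the displaced instructions */
    if (!encode_jmp_rel32(d->tramp + JMP_LEN, tramp_addr + JMP_LEN, func_addr + JMP_LEN))
        return 0;                                  /* trampoline -> original + 5 */
    return encode_jmp_rel32(d->func, func_addr, hook_addr);  /* original -> hook */
}

/* Sample build at made-up addresses so the pieces can be inspected off-line. */
Detour g_demo;
int demo_build(void) { return build_detour(&g_demo, 0x10001000u, 0x20000000u, 0x20001000u); }
```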
Scag (AlliedModders Donor, joined May 2017, location: Crashing Hale)
08-27-2020, 14:38   Re: [INFO] Hooking without extension   #2

Awesome. Thanks for this.
__________________
Over-engineering is underrated.

Rostu (Junior Member, joined Feb 2019)
09-10-2020, 07:22   Re: [INFO] Hooking without extension   #3

You can use MemoryEx to avoid additional addiction [Source Scramble]
Very very old thread [2.0 Version]: https://forums.alliedmods.net/showthread.php?t=320439
GitHub: https://github.com/Rostu13/Memory-Extended [3.1 Version]
Example: Get any library
P.S. Get PEB function => https://github.com/Rostu13/Memory-Ex...nction.inc#L28
Code:
#include <MemoryEx>

public void OnPluginStart()
{
    CheckInitPEB();
}

// MemoryEx forward; g_hMem, g_pSourcemod and g_pServer are globals declared elsewhere in the plugin
public void MemoryEx_InitPEB()
{
    g_pSourcemod = g_hMem.GetModuleHandle("sourcemod.logic");
    g_pServer = g_hMem.GetModuleHandle("server");

    CreateCallback();
    CreateHook();
}


Malloc? Win/Lin =>
https://github.com/Rostu13/Memory-Ex...emoryAlloc.inc
Code:
#include <MemoryEx>

public void OnPluginStart()
{
    CheckInitPEB();
}

public void MemoryEx_InitPEB()
{
    // allocate 0x100 bytes, print the address, then release it
    Address pBase = VirtualAlloc(0x100);
    PrintToServer("pBase = 0x%X", pBase);
    FreeMemory(pBase);
}

Extra: link with description inc [Russian only]: https://hlmod.ru/resources/inc-memory-extended.1448/

Last edited by Rostu; 09-10-2020 at 07:29. Reason: add extra links
BHaType (Great Tester of Whatever, joined Jun 2018)
09-27-2020, 19:58   Re: [INFO] Hooking without extension   #4

Quote (originally posted by Rostu):
  You can use MemoryEx to avoid additional addiction [Source Scramble]
I'll add it as a note to the main post.
__________________
cry
cravenge (Veteran Member, joined Nov 2015, location: Chocolate Factory)
12-24-2020, 04:16   Re: [INFO] Hooking without extension   #5

Before, it used to work but it crashes now when SortFloats is called during the creation of the callbacks. Can that part be replaced with...
Code:
CreateHandleCallback(pFunc);
instead, since the first argument is asking for an address?
BHaType (Great Tester of Whatever, joined Jun 2018)
12-24-2020, 22:36   Re: [INFO] Hooking without extension   #6

It is pointless to call CreateHandleCallback manually, since functions in SM are passed as an index and not an address, so the SortFloats function is patched here and it (SortFloats) calls the CreateHandleCallback function with the context as an argument.

If you are using this as "scientific" research or just testing, you can simply change the offsets for functions, but for permanent use it is better to get the context via a script.
Attached Files
hook_fixed_offsets.sp (9.0 KB)
hooking_via_script_manager.sp (4.4 KB)
__________________
cry
cravenge (Veteran Member, joined Nov 2015, location: Chocolate Factory)
12-24-2020, 22:54   Re: [INFO] Hooking without extension   #7

Ah, I see. I was reading the crash logs and all of them kept pointing out that SortFloats was at fault. How strange that it never occurred before.