Call a function twice with Assembly and C++

I have code that changes the function that will be called to my new function, but I do not want to call only my new function, I also want to call the old one. This is an example, so you can understand what I'm saying:

If I parse my .exe, I see this part:

    L00123456:
          mov eax, [L00654321]      //doesn't matter
          mov ecx, [eax+1Ch]        //doesn't matter
          push esi                  //the only parameter
    0x123 call SUB_L00999999        //this is the function I wanna overwrite
          //...

(0x123 is the address of this line) So, I used this code:

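    #include <windows.h>

    DWORD old;
    DWORD from = 0x123;                  // address of the call instruction
    DWORD to = (DWORD)MyNewFunction;     // function pointer must be cast to DWORD
    VirtualProtect((LPVOID)from, 5, PAGE_EXECUTE_READWRITE, &old); // make the 5 bytes writable
    DWORD disp = to - (from + 5);        // rel32 is relative to the next instruction
    *(BYTE *)(from) = 0xE8;              // opcode of call rel32
    *(DWORD *)(from + 1) = (DWORD)disp;  // new displacement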

Now instead of calling SUB_L00999999, it calls MyNewFunction ...

So ... any ideas on how I can still call the old function?

I tried things like this (in different ways), but this makes my application fail:

    int MyNewFunction(int parameter)
    {
        DWORD oldfunction = 0x00999999;
        _asm push parameter
        _asm call oldfunction
    }

Note: I am using Visual Studio C++ 2010 and this code is in a .dll loaded into the .exe.

Thanks.

+4
2 answers

I had a problem similar to this some time ago. Anyway, _asm call dword ptr [oldfunction] worked for me.

+2

ret expects the top stack argument to be the return address. You can use this by pushing the address of the old function onto the stack immediately before your ret statement in your new function. When the call returns (or rather, branches to the old function), the stack pointer shifts to leave the original return address (0x128 here) on top, so that the stack will look intact (just as it should have been if you hadn’t taken the hook).

+2
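An added example, not code from the question or from either answer: the patch in the question overwrites the rel32 operand of the `E8` call, so the old function's address can be read back from that operand before it is replaced instead of being hard-coded. The sketch works on a byte buffer plus the address it is mapped at, so it runs anywhere; `call_target`, `redirect_call` and the new-function address `0x10001000` are names and values assumed for illustration, while `0x123` and `0x00999999` come from the question.

```c
#include <stdint.h>
#include <stdio.h>

#define OP_CALL_REL32 0xE8u
#define CALL_LEN      5u   /* 1 opcode byte + 4 displacement bytes */

/* Little-endian 32-bit read/write, byte by byte (no alignment assumptions). */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Decode the target of the call at site_va. Returns 0 and sets *target,
 * or -1 if the bytes are not a call rel32. */
int call_target(const uint8_t *site, uint32_t site_va, uint32_t *target) {
    if (site[0] != OP_CALL_REL32) return -1;
    /* target = address of next instruction + rel32, wrapping mod 2^32 */
    *target = site_va + CALL_LEN + rd32(site + 1);
    return 0;
}

/* Redirect the call to new_va and hand back the original target in *old_va.
 * Refuses to patch anything that is not a call rel32. */
int redirect_call(uint8_t *site, uint32_t site_va, uint32_t new_va,
                  uint32_t *old_va) {
    if (call_target(site, site_va, old_va) != 0) return -1;
    wr32(site + 1, new_va - (site_va + CALL_LEN));
    return 0;
}

int main(void) {
    /* Constructed bytes: the call at 0x123 targeting 0x00999999. */
    uint8_t site[5] = { 0xE8, 0x71, 0x98, 0x99, 0x00 };
    uint32_t old_va = 0, now = 0;
    if (redirect_call(site, 0x123u, 0x10001000u, &old_va) != 0) return 1;
    call_target(site, 0x123u, &now);
    printf("old target 0x%08X, new target 0x%08X\n",
           (unsigned)old_va, (unsigned)now);
    return 0;
}
```

In the DLL, the saved `old_va` is the value the replacement function would call through, for example via a function pointer with the original calling convention.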

Source: https://habr.com/ru/post/1315474/

