C#: Hijacking a near relative call

Posted by Lex on Stack Overflow See other posts from Stack Overflow or by Lex
Published on 2010-03-13T22:50:29Z Indexed on 2010/03/13 22:55 UTC
Read the original article Hit count: 152

Filed under:
|
|

Alright, I'm trying to write a vary basic modification to a program NOT written by me.
I DO NOT have the source to it.
I also do not care if this only works for a single version of the program, so hard coding offsets is feasible. Anyways, I've found the function and where it is called in the compiled program.

.text:1901C88F loc_1901C88F:                     ; CODE XREF: ConnectionThread+1A2j
.text:1901C88F                                   ; DATA XREF: .text:off_1901CC64o
.text:1901C88F 8B C8          mov     ecx, eax  ; jumptable 1901C862 case 11
.text:1901C891 8B C6          mov     eax, esi
.text:1901C893 E8 48 C5 FF FF call    ChatEvent

According to IDA the full function signature is:

char *__usercall ChatEvent<eax>(char *Data<eax>, unsigned int Length<ecx>)

I already have all I need to patch the program during runtime, and do whatever other manipulations I need.
What I need, is to be able to write a function like so:

bool ProcessChat(char *Data, unsigned int Length);
char *__usercall HijackFunction(char *Data, unsigned int Length){
    if (ProcessChat(Data, Length))
        Call OriginalChatEvent(Data, Length);
}

Get the jist of what I am trying to do?
With stdcall function it's easy just replace the 4 byte address with my own function's address. But this is a near relative call, which is.. more annoying.

So, anyone have any idea?

© Stack Overflow or respective owner

Related posts about c#

Related posts about asm