C#: Hijacking a near relative call
Posted
by Lex
on Stack Overflow
See other posts from Stack Overflow
or by Lex
Published on 2010-03-13T22:50:29Z
Indexed on
2010/03/13
22:55 UTC
Read the original article
Hit count: 152
Alright, I'm trying to write a vary basic modification to a program NOT written by me.
I DO NOT have the source to it.
I also do not care if this only works for a single version of the program, so hard coding offsets is feasible. Anyways, I've found the function and where it is called in the compiled program.
.text:1901C88F loc_1901C88F: ; CODE XREF: ConnectionThread+1A2j
.text:1901C88F ; DATA XREF: .text:off_1901CC64o
.text:1901C88F 8B C8 mov ecx, eax ; jumptable 1901C862 case 11
.text:1901C891 8B C6 mov eax, esi
.text:1901C893 E8 48 C5 FF FF call ChatEvent
According to IDA the full function signature is:
char *__usercall ChatEvent<eax>(char *Data<eax>, unsigned int Length<ecx>)
I already have all I need to patch the program during runtime, and do whatever other manipulations I need.
What I need, is to be able to write a function like so:
bool ProcessChat(char *Data, unsigned int Length);
char *__usercall HijackFunction(char *Data, unsigned int Length){
if (ProcessChat(Data, Length))
Call OriginalChatEvent(Data, Length);
}
Get the jist of what I am trying to do?
With stdcall function it's easy just replace the 4 byte address with my own function's address. But this is a near relative call, which is.. more annoying.
So, anyone have any idea?
© Stack Overflow or respective owner