public static void InstallSend() { _hookDelegateSend = HookSend; var addrs = HookHelper.searchAsm(new byte[] { 0x8d, 0x8e, 0x7c, 0x01, 0x00, 0x00, 0x89, 0x45, 0xf8 }); Debug.Requires(addrs.Count == 1); _hookAddress = (IntPtr)addrs[0]; IntPtr codeCave = HookHelper.MakeCodeCave(new[] { "pushad", "lea ecx, [esi + 0x17c]", "mov dword[ebp-0x8], eax", "push edi", "push ebx", "mov eax, [ebp + 8]", //param1 "mov eax, [eax]", "push dword[eax+0x40]", //type2 - placeholder "call " + Marshal.GetFunctionPointerForDelegate(_hookDelegateSend), "popad", "lea ecx, [esi + 0x17c]", "jmp " + (_hookAddress + 9) }); HookHelper.Jump(_hookAddress, codeCave); }
public static void InstallRecv() { _hookDelegateRecv = HookRecv; var addrs = HookHelper.searchAsm(new byte[] { 0xff, 0x75, 0x14, 0x8d, 0x04, 0x1f }); Debug.Requires(addrs.Count == 1); var _hookAddressPre = (IntPtr)addrs[0] - 14; var _hookAddressPost = (IntPtr)addrs[0]; IntPtr codeCavePre = HookHelper.MakeCodeCave(new[] { "push ebx", //len "push edi", //dest "mov eax, [ebp + 8]", //param1 "mov eax, [eax]", "push dword[eax+0x40]", //type2 - placeholder "push edi", "push esi", "push ebx", "mov esi, [ebp + 8]", "lea ecx, [esi + 0x74]", //"mov dword[esp + 0xc], ecx", //store key in placeholder "jmp " + (_hookAddressPre + 9) // calls Rc4 and takes 3 arguments off the stack }); IntPtr codeCavePost = HookHelper.MakeCodeCave(new[] { "mov eax, esp", "pushad", "mov ebx, [eax+8]", //len "push ebx", "mov ebx, [eax+4]", //dest "push ebx", "mov ebx, [eax]", //type "push ebx", "call " + Marshal.GetFunctionPointerForDelegate(_hookDelegateRecv), "popad", "push dword[ebp + 0x14]", "lea eax, [edi + ebx]", "jmp " + (_hookAddressPost + 6) }); HookHelper.Jump(_hookAddressPre, codeCavePre); HookHelper.Jump(_hookAddressPost, codeCavePost); }
internal static void Install() { // 8b 34 b0 85 f6 75 14 68 2d 04 00 00 List <int> addrs = HookHelper.searchAsm(new byte[] { 0x8b, 0x34, 0xb0, 0x85, 0xf6, 0x75, 0x14, 0x68, 0x2d, 0x04, 0x00, 0x00 }); Debug.Requires(addrs.Count == 1); var hookLocation = new IntPtr(addrs[0]); _speedModifierLocation = Marshal.AllocHGlobal(4); _db8Location = Marshal.AllocHGlobal(4); IntPtr codeCave = HookHelper.MakeCodeCave(new[] { "mov esi, dword[esi*0x4+eax]", //instruction from original "mov dword[" + _speedModifierLocation + "], esi", "mov dword[" + _db8Location + "], ebx", "test esi, esi", //instruction from original "jmp " + (hookLocation + 5) }); HookHelper.Jump(hookLocation, codeCave); }
internal static void Install2(HookType hook) { // 83 c4 08 89 46 18 List <int> addrs = HookHelper.searchAsm(new byte[] { 0x83, 0xc4, 0x08, 0x89, 0x46, 0x18 }); Debug.Requires(addrs.Count == 1); int addrStart = addrs[0]; var hookLocation = new IntPtr(addrStart); IntPtr codeCave = HookHelper.MakeCodeCave(new[] { "pushad", "push dword[ebp+8]", "push dword[ebp+8]", "call " + Marshal.GetFunctionPointerForDelegate(hook), "popad", "add esp,8", //instruction from original "mov dword[esi+0x18],eax", //instruction from original "jmp " + (hookLocation + 6) }); HookHelper.Jump(hookLocation, codeCave); }
internal static void Install(HookType hook) { // Get start of function List <int> addrs = HookHelper.searchAsm(new byte[] { 0x89, 0x4d, 0xe8, 0x8b, 0x46, 0x78 }); Debug.Requires(addrs.Count == 1); int addrStart = addrs[0]; // End of function (5e 8b e5 5d c2 08 00) is at addrStart + 0x0267 int addrEnd = addrStart + 0x0267; var hookLocation1 = new IntPtr(addrStart); var hookLocation = new IntPtr(addrEnd); IntPtr codeCave2 = Marshal.AllocHGlobal(4); IntPtr codeCave1 = HookHelper.MakeCodeCave(new[] { "mov eax, dword[esi+0x10]", //eax will be overwritten soon "mov dword[" + codeCave2 + "],eax", //store value in codeCave "mov dword[ebp-0x18],ecx", //instruction from original (89 4d e8) "mov eax,dword[esi+0x78]", //instruction from original (8b 46 78) "jmp " + (hookLocation1 + 6) }); HookHelper.Jump(hookLocation1, codeCave1); IntPtr codeCave = HookHelper.MakeCodeCave(new[] { "push dword [ebp+0x8]", //id parameter "push dword [" + codeCave2 + "]", "call " + Marshal.GetFunctionPointerForDelegate(hook), "pop esi", "mov esp,ebp", "pop ebp", "retn 8" }); HookHelper.Jump(hookLocation, codeCave); }