C++ hooking a function in an application

Refresh

November 2018

Views

641 time

2

I'm having trouble hooking a function inside of a game client that is used to send everyone in the room a UDP Packet that is compressed with Zlib. Any help would be mostly appreciated. The problem with the hook is, it prints the first packet's size, then crashes, I've tried every possible way that I know to fix the issue, I've been researching for hours, to no avail finding nothing.

Some things I was thinking that could be wrong are: the arguments, or the calling convention, or both.

Here's the hook functions (C++):

typedef int (__stdcall *PSendUDPPacket)(char*, int, short int, bool);

PSendUDPPacket OrigSendUDPPacket;

void hookTheFunction()
{
    *(PDWORD)&OrigSendUDPPacket = (DWORD)DetourFunction((PBYTE)0x004CAC50, (PBYTE)MySendUDPPacket);
}

int __stdcall MySendUDPPacket(char* arg1, int arg2, short int arg3, bool arg4)
{
    printf("Sending UDP Packet SIZE: %i.\n", arg2);
    return OrigSendUDPPacket(arg1, arg2, arg3, arg4);
}

Here's the entire function dumped from Ollydbg that I'm trying to hook:

Address   Hex dump          Command
004CAC50      55            PUSH EBP
004CAC51      8BEC          MOV EBP,ESP
004CAC53      83EC 58       SUB ESP,58
004CAC56  /.  53            PUSH EBX
004CAC57  |.  56            PUSH ESI
004CAC58  |.  57            PUSH EDI
004CAC59  |.  51            PUSH ECX
004CAC5A  |.  8D7D A8       LEA EDI,[EBP-58]
004CAC5D  |.  B9 16000000   MOV ECX,16
004CAC62  |.  B8 CCCCCCCC   MOV EAX,CCCCCCCC
004CAC67  |.  F3:AB         REP STOS DWORD PTR ES:[EDI]
004CAC69  |.  59            POP ECX
004CAC6A  |.  894D FC       MOV DWORD PTR SS:[EBP-4],ECX
004CAC6D  |.  8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
004CAC70  |.  8945 F8       MOV DWORD PTR SS:[EBP-8],EAX
004CAC73  |.  8B4D 14       MOV ECX,DWORD PTR SS:[EBP+14]
004CAC76  |.  83E1 01       AND ECX,00000001
004CAC79  |.  F7D9          NEG ECX
004CAC7B  |.  1BC9          SBB ECX,ECX
004CAC7D  |.  F7D9          NEG ECX
004CAC7F  |.  894D F4       MOV DWORD PTR SS:[EBP-0C],ECX
004CAC82  |.  8B55 10       MOV EDX,DWORD PTR SS:[EBP+10]
004CAC85  |.  8955 E8       MOV DWORD PTR SS:[EBP-18],EDX
004CAC88  |.  837D E8 FF    CMP DWORD PTR SS:[EBP-18],-1
004CAC8C  |.  74 05         JE SHORT 004CAC93
004CAC8E  |.  E9 D9000000   JMP 004CAD6C
004CAC93  |>  C745 F0 00000 MOV DWORD PTR SS:[EBP-10],0
004CAC9A  |.  C745 EC 00000 MOV DWORD PTR SS:[EBP-14],0
004CACA1  |.  EB 09         JMP SHORT 004CACAC
004CACA3  |>  8B45 EC       MOV EAX,DWORD PTR SS:[EBP-14]
004CACA6  |.  83C0 01       ADD EAX,1
004CACA9  |.  8945 EC       MOV DWORD PTR SS:[EBP-14],EAX
004CACAC  |>  837D EC 08    CMP DWORD PTR SS:[EBP-14],8
004CACB0  |.  0F8D B4000000 JGE 004CAD6A
004CACB6  |.  8B4D EC       MOV ECX,DWORD PTR SS:[EBP-14]
004CACB9  |.  6BC9 76       IMUL ECX,ECX,76
004CACBC  |.  8B55 FC       MOV EDX,DWORD PTR SS:[EBP-4]
004CACBF  |.  33C0          XOR EAX,EAX
004CACC1  |.  8A440A 05     MOV AL,BYTE PTR DS:[ECX+EDX+5]
004CACC5  |.  85C0          TEST EAX,EAX
004CACC7  |.  75 02         JNE SHORT 004CACCB
004CACC9  |.^ EB D8         JMP SHORT 004CACA3
004CACCB  |>  8B4D EC       MOV ECX,DWORD PTR SS:[EBP-14]
004CACCE  |.  6BC9 76       IMUL ECX,ECX,76
004CACD1  |.  8B55 FC       MOV EDX,DWORD PTR SS:[EBP-4]
004CACD4  |.  33C0          XOR EAX,EAX
004CACD6  |.  8A440A 3B     MOV AL,BYTE PTR DS:[ECX+EDX+3B]
004CACDA  |.  8B4D FC       MOV ECX,DWORD PTR SS:[EBP-4]
004CACDD  |.  3981 C0030000 CMP DWORD PTR DS:[ECX+3C0],EAX
004CACE3  |.  75 1F         JNE SHORT 004CAD04
004CACE5  |.  837D F4 00    CMP DWORD PTR SS:[EBP-0C],0
004CACE9  |.^ 74 17         JE SHORT 004CAD02
004CACEB  |.  68 00020000   PUSH 200
004CACF0  |.  8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]
004CACF3  |.  52            PUSH EDX
004CACF4  |.  8B4D FC       MOV ECX,DWORD PTR SS:[EBP-4]
004CACF7  |.  81C1 B4030000 ADD ECX,3B4
004CACFD  |.  E8 E995F3FF   CALL 004042EB
004CAD02  |>^ EB 9F         JMP SHORT 004CACA3
004CAD04  |>  8B45 EC       MOV EAX,DWORD PTR SS:[EBP-14]
004CAD07  |.  6BC0 76       IMUL EAX,EAX,76
004CAD0A  |.  8B4D FC       MOV ECX,DWORD PTR SS:[EBP-4]
004CAD0D  |.  33D2          XOR EDX,EDX
004CAD0F  |.  8A5401 77     MOV DL,BYTE PTR DS:[EAX+ECX+77]
004CAD13  |.  85D2          TEST EDX,EDX
004CAD15  |.  74 2F         JE SHORT 004CAD46
004CAD17  |.  837D F0 00    CMP DWORD PTR SS:[EBP-10],0
004CAD1B  |.  74 02         JE SHORT 004CAD1F
004CAD1D  |.^ EB 84         JMP SHORT 004CACA3
004CAD1F  |>  C745 F0 01000 MOV DWORD PTR SS:[EBP-10],1
004CAD26  |.  66:8B45 0C    MOV AX,WORD PTR SS:[EBP+0C]
004CAD2A  |.  50            PUSH EAX
004CAD2B  |.  8B4D 08       MOV ECX,DWORD PTR SS:[EBP+8]
004CAD2E  |.  51            PUSH ECX
004CAD2F  |.  8B55 FC       MOV EDX,DWORD PTR SS:[EBP-4]
004CAD32  |.  8B82 C0030000 MOV EAX,DWORD PTR DS:[EDX+3C0]
004CAD38  |.  50            PUSH EAX
004CAD39  |.  8B4D FC       MOV ECX,DWORD PTR SS:[EBP-4]
004CAD3C  |.  E8 2F7AF3FF   CALL 00402770
004CAD41  |.^ E9 5DFFFFFF   JMP 004CACA3
004CAD46  |>  66:8B4D 0C    MOV CX,WORD PTR SS:[EBP+0C]
004CAD4A  |.  51            PUSH ECX
004CAD4B  |.  8B55 08       MOV EDX,DWORD PTR SS:[EBP+8]
004CAD4E  |.  52            PUSH EDX
004CAD4F  |.  8B45 EC       MOV EAX,DWORD PTR SS:[EBP-14]
004CAD52  |.  50            PUSH EAX
004CAD53  |.  8B4D FC       MOV ECX,DWORD PTR SS:[EBP-4]
004CAD56  |.  8B91 C0030000 MOV EDX,DWORD PTR DS:[ECX+3C0]
004CAD5C  |.  52            PUSH EDX
004CAD5D  |.  8B4D FC       MOV ECX,DWORD PTR SS:[EBP-4]
004CAD60  |.  E8 3681F3FF   CALL 00402E9B
004CAD65  \.^ E9 39FFFFFF   JMP 004CACA3
004CAD6A   >  EB 5D         JMP SHORT 004CADC9
004CAD6C  />  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
004CAD6F  |.  8B4D 10       MOV ECX,DWORD PTR SS:[EBP+10]
004CAD72  |.  3B88 C0030000 CMP ECX,DWORD PTR DS:[EAX+3C0]
004CAD78  |.  74 32         JE SHORT 004CADAC
004CAD7A  |.  8B55 10       MOV EDX,DWORD PTR SS:[EBP+10]
004CAD7D  |.  6BD2 76       IMUL EDX,EDX,76
004CAD80  |.  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
004CAD83  |.  33C9          XOR ECX,ECX
004CAD85  |.  8A4C10 05     MOV CL,BYTE PTR DS:[EDX+EAX+5]
004CAD89  |.  85C9          TEST ECX,ECX
004CAD8B  |.  74 1F         JE SHORT 004CADAC
004CAD8D  |.  66:8B55 0C    MOV DX,WORD PTR SS:[EBP+0C]
004CAD91  |.  52            PUSH EDX
004CAD92  |.  8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
004CAD95  |.  50            PUSH EAX
004CAD96  |.  8B4D 10       MOV ECX,DWORD PTR SS:[EBP+10]
004CAD99  |.  51            PUSH ECX
004CAD9A  |.  8B55 FC       MOV EDX,DWORD PTR SS:[EBP-4]
004CAD9D  |.  8B82 C0030000 MOV EAX,DWORD PTR DS:[EDX+3C0]
004CADA3  |.  50            PUSH EAX
004CADA4  |.  8B4D FC       MOV ECX,DWORD PTR SS:[EBP-4]
004CADA7  |.  E8 EF80F3FF   CALL 00402E9B
004CADAC  |>  837D F4 00    CMP DWORD PTR SS:[EBP-0C],0
004CADB0  |.  74 17         JE SHORT 004CADC9
004CADB2  |.  68 00020000   PUSH 200
004CADB7  |.  8B4D F8       MOV ECX,DWORD PTR SS:[EBP-8]
004CADBA  |.  51            PUSH ECX
004CADBB  |.  8B4D FC       MOV ECX,DWORD PTR SS:[EBP-4]
004CADBE  |.  81C1 B4030000 ADD ECX,3B4
004CADC4  |.  E8 2295F3FF   CALL 004042EB
004CADC9  |>  33C0          XOR EAX,EAX
004CADCB  |.  5F            POP EDI
004CADCC  |.  5E            POP ESI
004CADCD  |.  5B            POP EBX
004CADCE  |.  83C4 58       ADD ESP,58
004CADD1  |.  3BEC          CMP EBP,ESP
004CADD3  |.  E8 883E2A00   CALL 0076EC60
004CADD8  |.  8BE5          MOV ESP,EBP
004CADDA  |.  5D            POP EBP
004CADDB  \.  C2 1000       RETN 10

0 answers