1

I need a hook function with the __usercall convention. I already hooked functions that were defined as __usercall and __userpurge, but this time it's __usercall with arguments that are also passed through the stack. The main problem is in calling the original function. After ret (it doesn't matter retn, retf, regardless of the operand) the function goes to an address that has nothing to do with the program itself.

void __usercall fn(float *o@<ebx>, char *a2, int a3, int a4, float a5, float a6, float a7, float a6, int a7, int a10, _DWORD *a11, float a12)

function begin:

.text:00414350 83 EC 1C                             sub     esp, 1Ch
.text:00414353 83 3D 24 F3 50 00 00                 cmp     dword_50F324, 0
.text:0041435A 55                                   push    ebp             ; green
.text:0041435B 8B 6C 24 28                          mov     ebp, [esp+20h+a3]
.text:0041435F 56                                   push    esi             ; red
.text:00414360 8B 74 24 48                          mov     esi, [esp+24h+a10]

function end:

.text:00414965 5F                                   pop     edi
.text:00414966 5E                                   pop     esi
.text:00414967 5D                                   pop     ebp
.text:00414968 83 C4 1C                             add     esp, 1Ch
.text:0041496B C3                                   retn

In the code itself, after calling the function, 0x2C is added to the esp

hook code:

void __stdcall hook(float* a1, char* a2, int a3, int a4, float a5, float a6, float a7, float a8, int a9, int a10, void* a11, float a12) {
    original_proxy(a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12);
}

__declspec(naked) void __stdcall proxy(char* a2, int a3, int a4, float a5, float a6, float a7, float a8, int a9, int a10, void* a11, float a12) {
    _asm {
        //without "enter" arguments will be null
        //
        //if you do not pass arguments manually,
        //but immediately call the hook function,
        //then everything will be fine with the arguments
        enter 0x0, 0x0
        push a12
        push a11
        push a10
        push a9
        push a8
        push a7
        push a6
        push a5
        push a4
        push a3
        push a2
        push ebx
        call hook
        leave
        ret
    }
}

__declspec(naked) void __stdcall original_proxy(float* a1, char* a2, int a3, int a4, float a5, float a6, float a7, float a8, int a9, int a10, void* a11, float a12) {
    _asm {
        push a12
        push a11
        push a10
        push a9
        push a8
        push a7
        push a6
        push a5
        push a4
        push a3
        push a2
        mov ebx, a1
        call original
        retn //after that the code goes to another address (it is always the same)
    }
}

What could be the problem? Most likely something is wrong with asm, but then why does the code go to the same address after ret?

Sorry for my English, the translator can't always convey the meaning correctly. Thanks in advance!

Improve this question

0

Reset to default

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.