  1. #1 alesandro676

    The concept of detour, bypassing?

    Hello everyone,
    This is my first post here..

    Well, I have had some suspicious questions or confirmations about how detour works..

    Also wanted to make sure that I'm on the right track about how detour works

    first I need a program like Ollydbg or IDA Pro to reverse or find a specific address of a function so I can edit it on my own and then inject it into the program/game as a DLL, right?? correct me if I'm wrong, I'm still a beginner and I will be really glad to hear the right advice from you guys.

    So this is what happens when we're trying to make a wallhack for call of duty for example? we open the game and find the function of its texture and start editing it ya?

    Alright, how about bypassing, bypassing is making this hack undetected? correct me if I'm wrong..

    what makes a hack detected and what makes it undetected?

    I'm sorry if my questions sound stupid and I hope I'm not bothering anyone...

    Thank you for your time.

  2. #2 radnomguywfq3
    I didn't read your entire post, but I will just describe the process to you.

    Say you have a function like so (it doesn't do much, it just adds the two arguments passed to it via the stdcall calling convention. It allocates a stack frame just for the sake of giving it the characteristics of a function you'll likely be dealing with [if you are hijacking a Win API it will be stdcall most of the time, and most in-game routines are cdecl]):
    Code:
    push ebp                      ; save the caller's frame pointer
    mov ebp, esp                  ; set up this function's frame
    sub esp, 0x10                 ; reserve 16 bytes of locals
    mov eax, dword ptr [ebp+0x8]  ; first argument
    add eax, dword ptr [ebp+0xC]  ; plus the second argument
    add esp, 0x10                 ; release the locals
    pop ebp                       ; restore the caller's frame pointer
    ret 8                         ; stdcall: callee pops the 8 bytes of arguments
    The process of a detour (we'll talk about the most common detours for simplicity's sake) is to hijack control passed to the function _before_ the function's code has time to execute. The most common method of doing this is by placing a jump at the start of the function to redirect control passed to the function over to another method you've programmed (i.e. the hijacker). The problem with this, of course, is that as x86 instructions are linear (and some are dependent on the address in which they reside) you cannot simply shift all the instructions down to make room for this jump instruction or place the instruction in between the code which precedes it and the start of the function.

    So to place that required jump instruction, we need to copy it over the first few instructions of the function.

    Code:
    jmp addressOfFunctionToPassControlTo  ; 5-byte hijack jump written over the prologue
    [... instructions we removed to make room for the jump]
    endOfHijackJump:
    mov eax, dword ptr [ebp+0x8]
    add eax, dword ptr [ebp+0xC]
    add esp, 0x10
    pop ebp
    ret 8
    This works perfectly fine. However, if we want to execute the original function (i.e. if we want to execute the function as if the detour had not been placed, which is required if you want to do so from within the detour, and most detours need to do this) we need a way to string the instructions we removed together with the rest of the function (thus completing an effective equivalent of the function without the detour that we can execute whilst also having a detour in place on the original function). We do this by allocating a region of executable, writable memory. In this region of memory, we copy the replaced instructions followed by a jump to the instruction just after the hijack jump we placed in the function.

    i.e. our function's effective equivalent will look something like:
    Code:
    push ebp             ; the three instructions the hijack jump overwrote
    mov ebp, esp
    sub esp, 0x10
    jmp endOfHijackJump  ; resume the original function just past the hijack jump
    Other less common methods are to place the detour half-way through the function, place hardware BPs, etc. If you want to know about them, ask and I will bother explaining them.


    Detours are a very common method used in most areas of program manipulation and by code-debuggers; they could be used to create detours or wall-hacks.
    Last edited by radnomguywfq3; 09-09-2012 at 01:40 PM.



    There are two types of tragedies in life. One is not getting what you want, the other is getting it.

    If you wake up at a different time in a different place, could you wake up as a different person?



  4. #3 alesandro676
    Great answer, understood most of it

    so it's a must to learn asm yeah?

    thought it was all about c++ hehe

    Thank you sir!

  5. #4 Jabberwock
    No. You can detour a function by using Microsoft Detours Express 3.0.

    Detours - Microsoft Research
    Even familiar landscapes will
    reveal a different kind of beauty
    if you change your viewpoint.
    Where these new encounters
    and new bonds will lead you...
    Such dazzling golden days.
    I, too, look forward to
    what I might behold.

  6. #5 kingofproz
    Quote Originally Posted by Jabberwo0ck View Post
    No. You can detour a function by using Microsoft Detours Express 3.0.

    Detours - Microsoft Research
    Hi... I know it is not the place to talk about it, but your thread was closed so I had to follow your last post about the AVA injector. I keep getting this error: "couldn't open the process with access to it". And you wrote: "you can overcome this error by injecting at loading stage". So what do you mean by loading stage??!?!?! You mean when I first start the game and a pic shows in the middle, then I press inject??!?!? Please, I really need your help.

    There is no such things as "Islamic terrorism," because terrorism differs from Islam - Bashar Al-Assad

    Please ask for a PM confirmation before dealing with me on skype, to make sure its me

     


  7. #6 radnomguywfq3
    Quote Originally Posted by alesandro676 View Post
    Great answer, understood most of it

    so it's a must to learn asm yeah?

    thought it was all about c++ hehe

    Thank you sir!
    To write your own detouring module, a very basic grasp of the concept would be required, yes. But as already pointed out, you don't need to write a detouring module; there are tons out there which are easily accessible (i.e. the MS Detours library).

    Writing a detouring module is actually very simple if you can find a light-weight instruction length engine. You may (very rarely, depending on the prologue of the functions being detoured) need to perform code relocation (i.e. you cannot simply relocate a jump by copying it to another memory location, as the jump instruction itself is the respective jump opcode followed by an offset, measured from the address at which it resides, describing where to jump to).



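The hijack jump radnomguywfq3 describes in post #2 and the relocation problem he raises in post #6 both come down to one encoding: opcode E9 followed by a 32-bit offset measured from the end of the jump itself. The C program below is an added example, not code from this thread and not from the Microsoft Detours library. It works on constructed byte arrays only (the thread's function assembled for x86-32, with an assumed load address of 0x00401000 for the function and 0x10001000 for the detour routine) and patches nothing in memory. It shows the check an anti-cheat or EDR hook scanner uses to answer the question in the first post of what gets a detour noticed (the function's first bytes no longer match a known-good copy, and they start with an unconditional jump), resolves where that jump goes, and demonstrates why a relative jump copied verbatim into a trampoline lands in the wrong place until it is re-encoded.

```c
/* Added example, not from the thread: decoding, checking and relocating
 * the 5-byte "jmp rel32" (E9 xx xx xx xx) that an inline detour writes
 * over a function prologue. Addresses and bytes are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define JMP_REL32_LEN 5

/* Little-endian helpers for the 32-bit displacement operand. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;          p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);  p[3] = (uint8_t)(v >> 24);
}

/* If the bytes at 'addr' start with E9 rel32, store the absolute
 * destination (addr + 5 + rel32, wrapping mod 2^32) and return 1. */
int decode_jmp_rel32(const uint8_t *code, uint32_t addr, uint32_t *target)
{
    if (code[0] != 0xE9) return 0;
    *target = addr + JMP_REL32_LEN + read_le32(code + 1);
    return 1;
}

/* Encode a jmp rel32 that will sit at 'from' and land on 'target'. */
void encode_jmp_rel32(uint8_t out[JMP_REL32_LEN], uint32_t from, uint32_t target)
{
    out[0] = 0xE9;
    write_le32(out + 1, target - (from + JMP_REL32_LEN));
}

/* Code relocation (post #6): the operand is relative to where the
 * instruction sits, so a verbatim copy points somewhere else. Decode at
 * the old address and re-encode for the new one. Returns 0 if 'in' is
 * not a jmp rel32 (a real relocator needs a length engine for the rest). */
int relocate_jmp_rel32(const uint8_t *in, uint32_t old_addr,
                       uint32_t new_addr, uint8_t out[JMP_REL32_LEN])
{
    uint32_t target;
    if (!decode_jmp_rel32(in, old_addr, &target)) return 0;
    encode_jmp_rel32(out, new_addr, target);
    return 1;
}

/* Integrity check of the kind anti-cheat and EDR hook scanners run:
 * compare a function's first bytes with a known-good copy (e.g. from the
 * on-disk image) and return the index of the first mismatch, or -1. */
int first_modified_byte(const uint8_t *known_good, const uint8_t *live, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (known_good[i] != live[i]) return (int)i;
    return -1;
}

/* Heuristic: a compiler-generated prologue like the thread's starts with
 * push ebp; one that begins with jmp rel32 or jmp [abs32] is suspect. */
int prologue_starts_with_jmp(const uint8_t *code)
{
    return code[0] == 0xE9 || (code[0] == 0xFF && code[1] == 0x25);
}

/* Constructed sample: the thread's function assembled for x86-32.
 *   55          push ebp
 *   8B EC       mov  ebp, esp
 *   83 EC 10    sub  esp, 0x10
 *   8B 45 08    mov  eax, [ebp+8]
 *   03 45 0C    add  eax, [ebp+0xC]
 *   83 C4 10    add  esp, 0x10
 *   5D          pop  ebp
 *   C3          ret                                  */
const uint8_t ORIGINAL_FUNC[17] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x8B, 0x45, 0x08,
    0x03, 0x45, 0x0C, 0x83, 0xC4, 0x10, 0x5D, 0xC3 };

#define FUNC_ADDR 0x00401000u  /* assumed address of the function */
#define HOOK_ADDR 0x10001000u  /* assumed address of the detour routine */

/* The same function after a detour: bytes 0-4 are E9 rel32 with
 * rel32 = HOOK_ADDR - (FUNC_ADDR + 5) = 0x0FBFFFFB, and the leftover
 * byte of 'sub esp, 0x10' (6 bytes were stolen) is padded with NOP. */
const uint8_t HOOKED_FUNC[17] = {
    0xE9, 0xFB, 0xFF, 0xBF, 0x0F, 0x90, 0x8B, 0x45, 0x08,
    0x03, 0x45, 0x0C, 0x83, 0xC4, 0x10, 0x5D, 0xC3 };

int main(void)
{
    uint32_t t;
    printf("hooked prologue starts with jmp: %d\n", prologue_starts_with_jmp(HOOKED_FUNC));
    printf("first modified byte: %d\n",
           first_modified_byte(ORIGINAL_FUNC, HOOKED_FUNC, sizeof ORIGINAL_FUNC));
    if (decode_jmp_rel32(HOOKED_FUNC, FUNC_ADDR, &t))
        printf("detour destination: 0x%08X\n", (unsigned)t);
    return 0;
}
```

Run as-is, the scanner flags byte 0 of the hooked prologue and resolves the jump to the detour address; on a real target the known-good bytes would come from the module's on-disk image, which is why hook scanners compare the mapped code section against the file. The relocation routine is the smallest case of what radnomguywfq3 means by code relocation: anything with a relative operand that ends up in the trampoline has to be re-encoded for its new address.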

