I didn't read your entire post, but I will jsut describe the process to you.
Say you have a function like so (it doesn't do much, just add two arguments passed to it via stdcall calling convention. It allocates a stack-frame just for the sake of giving it charateristics of a function you'll likely be dealing with [if you are hijacking a win api it will be stdcall most of the time, and most ingame routines are cdecl):
Code:
push ebp
mov ebp, esp
sub esp, 0x10
mov eax, dword ptr[ebp+0x8]
add eax, dword ptr[ebp+0xC]
add esp 0x10
pop ebp
ret
The process of a detour (we'll talk about the most common detours for simplicity's sake.) is to hijack control passed to the function _before_ the function's code has time to execute. The most common method of doing this is by placing a jump at start of the function to redirect control passed to the function over to another method you've programmed (i.e the hijackee). The problem with this, ofcourse, is that as x86 instrutions are linear (and some are dependant on the address in which they reside) you cannot simply shift all the instructions down to make room for this jump instruction or place the instruction inbetween the code which proceeds it and the start of the function.
So to place that required jump instruction, we need to copy it over the first few instructions of the function.
Code:
jmp addressOfFunctionToPassControlTo
[... instrunctions we removed to make room for jump]
endOfHijackJump:
mov eax, dword ptr[ebp+0x8]
add eax, dword ptr[ebp+0xC]
add esp 0x, 10
pop ebp
ret
This works perfectly fine. However, if we want to execute the original function (i.e if we want to execute the function as if the detour has not been placed, which is required if you want to do so from within the detour and most detours need to do this) we need a way to string the instructions we removed together with the rest of the function (thus completing an effective equivilent of the function without the detour that we can execute whilst also have a detour in placeon the original function.) We do this by allocating a region of executable, writable memory. In this region of memory, we copy the replaced instructions followed by a jump to the instruction just after the hijack jump we placed in the function.
i.e, our functions effective equivilent will look something like:
Code:
push ebp
mov ebp, esp
sub esp, 0x10
jmp endOfHijackJump
Other less common methods are to place the detour half-way between the function. Place hardware bps, etc. If you want to know about them, ask and I will bother explaining them.
Detour are a very common method used in most areas of program manipulation and by code-debuggers, they could be used to to create detours or wall-hacks.