Hooking mid-function to change value?

[Kenshin13]

Hey, I had a DLL I used to inject that I don't have the source for. I wanted to change part of it do I located the desired part and tried to hook it.

Code:

#include <windows.h>
#include <iostream>

DWORD dwJmpBack = ((DWORD)GetModuleHandleA("Test.dll")+0x424E2), cmdOld_ = 0;

typedef struct
{
	int ServerTime; //0x0000 
	int CurrentButton; //0x0004 
	int ViewAngles[3]; //0x0008
	char _0x0014[24];
}usercmd_t;//Size=0x002C

typedef struct
{
	usercmd_t usercmds[128];
	int currentCmdNum; // 0x16E8

	usercmd_t *GetUserCmd(int cmdNum)
	{
		int id = cmdNum & 0x7F;
		return &usercmds[id];
	}
}input_t;

__declspec(naked) void MyHook()
{
	__asm
	{
		PUSHAD;
		PUSHFD;
	}
        input_t * Input_T = ( input_t* )0x010638A4;
	usercmd_t* cmdOld = Input_T->GetUserCmd( Input_T->currentCmdNum - 1 );
	usercmd_t* cmd = Input_T->GetUserCmd( Input_T->currentCmdNum );
	cmdOld->ServerTime = cmd->ServerTime + 1;
	cmdOld_ = Input_T->currentCmdNum - 1;
	__asm
	{
		POPAD;
		POPFD;
		mov ecx, cmdOld_;
		push ecx;
		jmp [dwJmpBack];
	}
}

void MakeJMP(BYTE *pAddress, DWORD dwJumpTo, DWORD dwLen)
{
	DWORD dwOldProtect, dwBkup, dwRelAddr;
	VirtualProtect(pAddress, dwLen, PAGE_EXECUTE_READWRITE, &dwOldProtect);
	dwRelAddr = (DWORD) (dwJumpTo - (DWORD) pAddress) - 5;
	*pAddress = 0xE9;
	*((DWORD *)(pAddress + 0x1)) = dwRelAddr;
	for(DWORD x = 0x5; x < dwLen; x++) *(pAddress + x) = 0x90;
	VirtualProtect(pAddress, dwLen, dwOldProtect, &dwBkup);
	return;
}

BOOL APIENTRY DllMain(HANDLE hDllHandle, DWORD dwReason, LPVOID lpreserved)
{
	if(dwReason==DLL_PROCESS_ATTACH)
	{
		MakeJMP((BYTE*)((DWORD)GetModuleHandleA("Test__.dll") + 0x424DB), (DWORD)MyHook, 0x6);
	}
	return TRUE;
}

What I overwrote was just:

Code:

MOV ECX,[EAX+1600h] //Value of the current cmd
PUSH ECX

But it crashes with a violation read of 0x200..... I haven't been able to debug why sucessfully yet Any help? Seems it's not returning correctly after...

[rawr im a tiger]

@Kenshin13, I'm unsure about this since ymmv by compiler, but try this:

Code:

mov ecx, [cmdOld_]

or

Code:

lea ecx, cmdOld_

I'm guessing you're hooking Barata's Tekno Multihack to edit the previous CMD and therefore make it not shake other's screens?

[Kenshin13]

@Kenshin13, I'm unsure about this since ymmv by compiler, but try this:

Code:

mov ecx, [cmdOld_]

or

Code:

lea ecx, cmdOld_

I'm guessing you're hooking Barata's Tekno Multihack to edit the previous CMD and therefore make it not shake other's screens?

Exactly so and I'm also trying to throw in silent aim there., I tried the "mov ecx, [cmdOld_]" before I posted this already but I'll try lea (Still seems like a fancy ass MOV to me but usually I just see it with pointers)

[Kenshin13]

Ok, I tried both, still crashes....Anyone?

[rawr im a tiger]

@Kenshin13, You pushad then pushfd, then popad and popfd. That's not how the stack works. pushad, pushfd, popfd, popad.

[Kenshin13]

@Kenshin13, You pushad then pushfd, then popad and popfd. That's not how the stack works. pushad, pushfd, popfd, popad.

Yea, @-InSaNe- corrected me on that. I know that's the general order, somehow I forgot. Anyways, I think I'm hooking the wrong address, I'll look into it more and report back.