Hey, I had a DLL I used to inject that I don't have the source for. I wanted to change part of it do I located the desired part and tried to hook it.
Code:
#include <windows.h>
#include <iostream>
DWORD dwJmpBack = ((DWORD)GetModuleHandleA("Test.dll")+0x424E2), cmdOld_ = 0;
typedef struct
{
int ServerTime; //0x0000
int CurrentButton; //0x0004
int ViewAngles[3]; //0x0008
char _0x0014[24];
}usercmd_t;//Size=0x002C
typedef struct
{
usercmd_t usercmds[128];
int currentCmdNum; // 0x16E8
usercmd_t *GetUserCmd(int cmdNum)
{
int id = cmdNum & 0x7F;
return &usercmds[id];
}
}input_t;
__declspec(naked) void MyHook()
{
__asm
{
PUSHAD;
PUSHFD;
}
input_t * Input_T = ( input_t* )0x010638A4;
usercmd_t* cmdOld = Input_T->GetUserCmd( Input_T->currentCmdNum - 1 );
usercmd_t* cmd = Input_T->GetUserCmd( Input_T->currentCmdNum );
cmdOld->ServerTime = cmd->ServerTime + 1;
cmdOld_ = Input_T->currentCmdNum - 1;
__asm
{
POPAD;
POPFD;
mov ecx, cmdOld_;
push ecx;
jmp [dwJmpBack];
}
}
void MakeJMP(BYTE *pAddress, DWORD dwJumpTo, DWORD dwLen)
{
DWORD dwOldProtect, dwBkup, dwRelAddr;
VirtualProtect(pAddress, dwLen, PAGE_EXECUTE_READWRITE, &dwOldProtect);
dwRelAddr = (DWORD) (dwJumpTo - (DWORD) pAddress) - 5;
*pAddress = 0xE9;
*((DWORD *)(pAddress + 0x1)) = dwRelAddr;
for(DWORD x = 0x5; x < dwLen; x++) *(pAddress + x) = 0x90;
VirtualProtect(pAddress, dwLen, dwOldProtect, &dwBkup);
return;
}
BOOL APIENTRY DllMain(HANDLE hDllHandle, DWORD dwReason, LPVOID lpreserved)
{
if(dwReason==DLL_PROCESS_ATTACH)
{
MakeJMP((BYTE*)((DWORD)GetModuleHandleA("Test__.dll") + 0x424DB), (DWORD)MyHook, 0x6);
}
return TRUE;
}
What I overwrote was just:
Code:
MOV ECX,[EAX+1600h] //Value of the current cmd
PUSH ECX
But it crashes with a violation read of 0x200..... I haven't been able to debug why sucessfully yet Any help? Seems it's not returning correctly after...