Remove Detour/Unhook

**trojan.win128** · 05-13-2013

Here is the DetourFunction (in injected DLL):

Code:

int initHook(void)
{
	DWORD *vTable;
	HMODULE hMod;

	do{
		hMod = GetModuleHandleA("d3d9.dll");
		Sleep(50);
	}while(!hMod);

	DWORD addy = dwFindPattern((DWORD)hMod,0x128000,(PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86","xx????xx????xx");
	if(addy)
	{
		memcpy(&vTable,(void *)(addy +0x2),4);
		EndScene_orig = (EndSceneType)DetourFunction((PBYTE)vTable[42],(PBYTE)EndSceneDetour);
	}
	return true;
}

I tried doing this:

Code:

DetourRemove((PBYTE)EndScene_orig, (PBYTE)EndSceneDetour);

But for some reason, the game crashes when I unload the DLL.

Any help is appreciated!

**Pingo** · 05-13-2013

My guess is you're not writing the original bytes back to the EndScene address.
So it tries to jump to some deallocated memory and crashes.
Just a guess..

**trojan.win128** · 05-13-2013

Originally Posted by Pingo

My guess is you're not writing the original bytes back to the EndScene address.
So it tries to jump to some deallocated memory and crashes.
Just a guess..

Any suggestions on how I should reset it back to normal?
Should I create a copy of the default memory before hooking?

EDIT:
Nevermind, the DetourRemove function is working like a charm now. Had problems with some EndScene codes.

**Pingo** · 05-13-2013

Originally Posted by trojan.win128

Any suggestions on how I should reset it back to normal?
Should I create a copy of the default memory before hooking?

Yeah copy the first 5 bytes before hooking and store it.
Write the default bytes back before unloading the dll.
See if that helps any.

**topblast** · 05-13-2013

I made this,

Code:

//Hook
ReturnPresent = DetourCreate( (PBYTE)dwTable[17], &hkPresent, 7); // hkPresent is the function
//delete Hook
datareturn dt = DetourDelete(ReturnPresent);//delete
// Recreate Hook
ReturnPresent = DetourCreate(dt.function, &hkPresent, dt.len);


typedef struct 
{
    const INT len;
    PBYTE function;
} datareturn;


template<typename t>
datareturn dxHook::DetourDelete( t& dst )
{
    BYTE *jmp = (BYTE *)dst;
    datareturn* dt = (datareturn*)(jmp - sizeof(datareturn));
    auto len = dt->len;
    auto src = dt->function;
    DWORD dwback;
    VirtualProtect(src, len, PAGE_READWRITE, &dwback);
    memcpy(dt->function, jmp, dt->len);
    jmp -= sizeof(datareturn);
    datareturn retdt = {len, src};


    VirtualProtect(src, len, dwback, &dwback);
    free(jmp);
    dst = NULL;
    return retdt;
}


template<typename t>
t dxHook::DetourCreate(PBYTE src, t dst, const INT len)
{
    BYTE *jmp = (BYTE *)malloc(sizeof(datareturn) + len + 5 );            
    datareturn dt = {len, src};


    memcpy(jmp, &dt, sizeof(datareturn));
    jmp += sizeof(datareturn);
    DWORD dwback;
    VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &dwback);
    memcpy(jmp, src, len);
    jmp += len;
    jmp[0] = 0xE9;
    *(DWORD *)(jmp + 1) = (DWORD)(src + len - jmp) - 5;            
    src[0] = 0xE9;
    *(DWORD *)(src + 1) = (DWORD)((PBYTE)dst - src) - 5;
    for(INT i = 5; i < len; i++) src[i] = 0x90;
    VirtualProtect(src, len, dwback, &dwback);


    return(t)(jmp - len);
}

**trojan.win128** · 05-13-2013

@topblast Thanks!

I'll try that in my next projects.

Thread: Remove Detour/Unhook

Thread Tools

Display

Remove Detour/Unhook

The Following User Says Thank You to Pingo For This Useful Post:

The Following User Says Thank You to topblast For This Useful Post:

Similar Threads

should we REMOVE THE EDIT BUTTON?

[removing word filter] "Fuck" you want

Remove MSN Live 8.0 Ads [GUIDE

removing the edit button, attempt 2

removing softnyx nprotect!!!