lurc Grandmaster Cheater Supreme
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Thu Apr 10, 2008 2:49 pm
A hook means that when the API is called it is redirected somehow, be it modification of the IAT or a simple call at the beginning of the API. Usually it checks for something like a parameter containing information about the targeted process, DC, etc.
If it does contain that information it doesn't allow the API to be sent.
It is easily bypassed using the hook hop method: adding 5 bytes to the ProcAddy for the API you're sending. Or even making a copy of the DLL and creating a function wrapper that jumps to the imported function in the copied DLL instead of using the direct API.
AwayTheWInd Master Cheater
Reputation: 0
Joined: 11 Sep 2007 Posts: 450
Posted: Thu Apr 10, 2008 3:17 pm
Um..ok..I didn't get a word of that, but GunBound won't let me draw on top of it. I can draw on top of other stuff but not GunBound. Is there any way I can fix this, or is GameGuard/DirectX blocking me?
Edit: ok, I somewhat understand, so how could I use the "hook hop" method?
lurc Grandmaster Cheater Supreme
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Thu Apr 10, 2008 5:21 pm
Assign a DWORD the return of GetProcAddress and then add 5 at the end of it.
Then make a _declspec(naked) function that has the exact skeleton of the API you're choosing, rewrite the first 5 bytes you jumped, and jump to the DWORD you defined above as the GetProcAddress+5.
Example: a wrapper hook hop for PostMessageA
Code:
#include <windows.h>
#include <tchar.h>

// address of PostMessageA plus the 5 prologue bytes the hook overwrote
DWORD dwPostMessage = (DWORD)GetProcAddress( LoadLibrary( _T("user32.dll") ), "PostMessageA" ) + 5;

// naked: the compiler emits no prologue/epilogue, only the inline asm below
__declspec(naked) BOOL WINAPI PostMessageAW( HWND hWnd, UINT Message, WPARAM wParam, LPARAM lParam )
{
    __asm
    {
        mov edi,edi     // re-execute the 5 original prologue bytes (8B FF 55 8B EC)
        push ebp
        mov ebp,esp
        jmp dword ptr ds:[dwPostMessage]   // continue at PostMessageA+5
    }
}
Edit:
Btw, this method ONLY works for a USER-MODE hook. If the API is hooked in kernel-mode then you have to create a driver.
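Seen from the anti-cheat or EDR side, the hop described above works only because the patch is confined to the first 5 bytes of the function. The following C is an added example, not lurc's code and not GameGuard's: it classifies a captured function entry as an intact hot-patch prologue, a 5-byte inline jmp, or a Microsoft hot-patch stub, recovers the jmp target, and checks whether a patch touches anything beyond the prologue. The byte sequences and the address 0x77F1A000 are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef enum {
    ENTRY_HOTPATCH_INTACT, /* 8B FF 55 8B EC: mov edi,edi / push ebp / mov ebp,esp */
    ENTRY_JMP_REL32,       /* E9 rel32: a 5-byte jmp written over that prologue */
    ENTRY_JMP_SHORT_BACK,  /* EB F9: Microsoft hot-patch stub jumping into the padding */
    ENTRY_UNKNOWN
} entry_kind;

/* Classify the first bytes of a function mapped at virtual address addr.
 * For ENTRY_JMP_REL32 the absolute jump target is stored in *target. */
entry_kind classify_entry(const uint8_t *code, size_t len,
                          uint32_t addr, uint32_t *target)
{
    static const uint8_t hotpatch[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
    if (len >= 5 && memcmp(code, hotpatch, 5) == 0)
        return ENTRY_HOTPATCH_INTACT;
    if (len >= 5 && code[0] == 0xE9) {
        uint32_t rel = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                       (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
        if (target) *target = addr + 5 + rel; /* rel32 counts from the end of the jmp */
        return ENTRY_JMP_REL32;
    }
    if (len >= 2 && code[0] == 0xEB && code[1] == 0xF9)
        return ENTRY_JMP_SHORT_BACK;
    return ENTRY_UNKNOWN;
}

/* 1 if cur differs from the pristine copy orig only in its first 5 bytes: the
 * hook is confined to the prologue and the code at +5 is still the original. */
int patch_confined_to_prologue(const uint8_t *orig, const uint8_t *cur, size_t len)
{
    return len > 5 && memcmp(orig + 5, cur + 5, len - 5) == 0;
}

/* Constructed sample (not real gdi32 bytes): a clean hot-patchable prologue followed
 * by push esi / push edi / push ebx, and the same bytes after a hook wrote jmp +0x1000. */
static const uint8_t clean_entry[8]  = { 0x8B,0xFF,0x55,0x8B,0xEC, 0x56,0x57,0x53 };
static const uint8_t hooked_entry[8] = { 0xE9,0x00,0x10,0x00,0x00, 0x56,0x57,0x53 };

int main(void)
{
    uint32_t target = 0;
    entry_kind k = classify_entry(hooked_entry, 8, 0x77F1A000u, &target);
    printf("kind=%d target=0x%08X confined=%d\n", (int)k, target,
           patch_confined_to_prologue(clean_entry, hooked_entry, 8));
    return 0;
}
```

A check that validates only those 5 bytes confirms the hook is present but says nothing about callers that enter at +5, which is why a prologue-only user-mode hook is a weak control and lurc's remark about kernel-mode hooks matters.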
AwayTheWInd Master Cheater
Reputation: 0
Joined: 11 Sep 2007 Posts: 450
Posted: Fri Apr 11, 2008 2:31 pm
Um...how do I do this using the TextOut function?
Edit: I tried this
DWORD dwTextOut = (DWORD)GetProcAddress( LoadLibrary( _T("user32.dll") ), "TextOutA" ) + 5;
declspec(naked) TextOut(aGunBound,50,42,buffer,size);
yeah, retarded way of copying >.> and I got these errors:
C:\Documents and Settings\Owner\Desktop\KalBot0aix\KalBot0aix.cpp(37) : error C2065: '_T' : undeclared identifier
C:\Documents and Settings\Owner\Desktop\KalBot0aix\KalBot0aix.cpp(3 : error C2065: 'declspec' : undeclared identifier
C:\Documents and Settings\Owner\Desktop\KalBot0aix\KalBot0aix.cpp(3 : error C2065: 'naked' : undeclared identifier
C:\Documents and Settings\Owner\Desktop\KalBot0aix\KalBot0aix.cpp(3 : error C2146: syntax error : missing ';' before identifier 'TextOutA'
lurc Grandmaster Cheater Supreme
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Fri Apr 11, 2008 9:03 pm
-_-.
You just can't copy my example and replace the words a bit.
1. TextOut is NOT located in user32.dll; if you searched it up you'd see it's located in gdi32.dll.
2. _T is a macro for UNICODE; it's located in tchar.h, and if you're not using a UNICODE character set for your project then you can just get rid of it.
3. My bad with the declspec(naked), there's an underscore before it.
_declspec(naked) should work.
4. You're not calling it like a function -_-, you're creating your own new wrapper function...
Get the parameters and type of function that TextOut is and then make a new function with the same skeleton.
Sinok Cheater
Reputation: 0
Joined: 21 Mar 2008 Posts: 34
Posted: Sat Apr 12, 2008 1:00 am
lurc wrote:
-_-.
You just can't copy my example and replace the words a bit.
1. TextOut is NOT located in user32.dll; if you searched it up you'd see it's located in gdi32.dll.
2. _T is a macro for UNICODE; it's located in tchar.h, and if you're not using a UNICODE character set for your project then you can just get rid of it.
3. My bad with the declspec(naked), there's an underscore before it.
_declspec(naked) should work.
4. You're not calling it like a function -_-, you're creating your own new wrapper function...
Get the parameters and type of function that TextOut is and then make a new function with the same skeleton.
I can't believe you're actually helping him, he copies your code and asks you why it won't work for him.
Clearly he doesn't know what he's doing :\
AwayTheWInd Master Cheater
Reputation: 0
Joined: 11 Sep 2007 Posts: 450
Posted: Sun Apr 13, 2008 7:41 am
k..um I know I said I would return in a week, but I got it working on a Macromedia Flash program. Still can't get it working on GunBound though. Must I add 5 bytes?
lurc Grandmaster Cheater Supreme
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Sun Apr 13, 2008 8:46 am
AwayTheWInd wrote:
k..um I know I said I would return in a week, but I got it working on a Macromedia Flash program. Still can't get it working on GunBound though. Must I add 5 bytes?

Yes, you do if you want to bypass it with this method, because the first 5 bytes are changed by GameGuard to jump to a check they have. This is what blocks the API. So obviously we want to jump over the call -.-
AwayTheWInd Master Cheater
Reputation: 0
Joined: 11 Sep 2007 Posts: 450
Posted: Sun Apr 13, 2008 9:32 am
um..I'm not sure if you've noticed, but it's not GameGuard blocking it but the DirectX... well, that's from my observations..
Edit: I was tricked by Macromedia Flash o.O!
Well, I only have one error left...
__declspec(naked)BOOL WINAPI myTextOutA(HDC,int,int,LPCTSTR,int);
C:\Documents and Settings\Owner\Desktop\HookHop\HookHop.cpp(17) : error C2488: 'myTextOutA' : 'naked' can only be applied to function definitions
Last edited by AwayTheWInd on Sun Apr 13, 2008 1:17 pm; edited 1 time in total
AwayTheWInd Master Cheater
Reputation: 0
Joined: 11 Sep 2007 Posts: 450
Posted: Sun Apr 13, 2008 1:27 pm
If I try to use typedef int(blah)(blahblahblahblah)
I use another dll with
blah = loadlibrary(hook.dll);
um, I think you understand, it has the other HHPtr stuff in it. As soon as I inject it into a process it crashes.
lurc Grandmaster Cheater Supreme
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Sun Apr 13, 2008 3:41 pm
Get rid of the ; at the end and make it a function, not a prototype. _declspec definitions can't be used as a prototype.
AwayTheWInd Master Cheater
Reputation: 0
Joined: 11 Sep 2007 Posts: 450
Posted: Sun Apr 13, 2008 5:02 pm
um this is my whole code.
Code:
#include "stdafx.h"
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
BOOL bWantsExit = FALSE;
HINSTANCE hInst;
DWORD Hook;
int main()
{
hInst = LoadLibrary("gdi32.dll");
Hook = (DWORD)GetProcAddress(hInst,"TextOutA") + 5;
__declspec(naked) BOOL WINAPI myTextOutA(HDC,int,int,LPCTSTR,int)
{
__asm
{
mov edi, edi
push ebp
mov ebp, esp
jmp [Hook]
}
}
return 0;
}
BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwMsg, LPVOID lpReserved)
{
UNREFERENCED_PARAMETER( hModule );
UNREFERENCED_PARAMETER( lpReserved );
switch( dwMsg )
{
case DLL_PROCESS_ATTACH:
DisableThreadLibraryCalls( hModule );
CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)main, NULL, 0, 0 );
return TRUE;
case DLL_PROCESS_DETACH:
bWantsExit = TRUE;
return TRUE;
}
return TRUE;
}
i get this error:
C:\Documents and Settings\Owner\Desktop\HookHop\HookHop.cpp(1 : error C2601: 'myTextOutA' : local function definitions are illegal
lurc Grandmaster Cheater Supreme
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Sun Apr 13, 2008 5:07 pm
You defined the entire wrapper function WITHIN main. Move the function out of it so it's on its own outside the code.
AwayTheWInd Master Cheater
Reputation: 0
Joined: 11 Sep 2007 Posts: 450
Posted: Sun Apr 13, 2008 5:32 pm
damn..I feel so dumb when I'm doing this hookhop stuff.. first time..
C:\Documents and Settings\Owner\Desktop\HookHop\HookHop.cpp(12) : error C2447: missing function header (old-style formal list?)
Code:
{
hInst = LoadLibrary("gdi32.dll");
Hook = (DWORD)GetProcAddress(hInst,"TextOutA") + 5;
__declspec(naked) BOOL WINAPI myTextOutA(HDC,int,int,LPCTSTR,int)
}
int main()
{
__asm
{
mov edi, edi
push ebp
mov ebp, esp
jmp [Hook]
}
return 0;
}
lurc Grandmaster Cheater Supreme
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Sun Apr 13, 2008 6:25 pm
Oh, now you moved the function header out but left the entire actual function in main...
The inline asm is part of the declspec(naked) -_-
All your DLL work goes IN MAIN.
The ONLY thing in your _declspec(naked) wrapper is the inline asm -_-
Go learn the basics of C++. PLEASE!