使用内联 asm 挂钩 usercall
我用 IDA pro 反汇编了一个可执行文件。我的目标是挂钩 __usercall 函数。我知道我需要在我的 C++ 代码中用内联汇编(inline asm)包装 __usercall,因为我无法为该函数写 typedef。但我只是不确定这具体是如何运作的。
我知道该函数采用一个对象作为参数和一个 *Vector3 作为参数,计算值将存储在其中。有没有一种简单的方法来判断哪个参数是什么?
(抱歉代码很长)
/*
 * IDA decompiler output for the routine at 0x572EA0, as posted in the question.
 * The <al>/<ecx>/<edx>/<eax> annotations are the decompiler's register assignment:
 * a1 arrives in ecx, a2 in edx, a3 in eax, a4 on the stack, and the char result in al.
 * What this body shows about the arguments:
 *   a1 - used as a base address for field reads (+20/+24/+28 as floats, +208, +348,
 *        +364), so it is the object pointer the question mentions.
 *   a2 - never referenced below.
 *   a3 - only tested for non-zero and forwarded to sub_53ADD0/sub_4EC240; the "%s"
 *        in the failure message suggests it identifies a tag (inferred from the
 *        message, not established here).
 *   a4 - only forwarded to sub_550250 together with &v13 and &v10; the question says
 *        the result is written to a Vector3*, which would make a4 that pointer --
 *        TODO confirm by inspecting sub_550250.
 * The locals v10..v12, v13..v15 and v16..v18 sit in adjacent 4-byte stack slots (see
 * the [sp+..] comments) and are always passed by the address of their first element,
 * i.e. each trio behaves like one 3-float vector.
 */
char __usercall sub_572EA0<al>(int a1<ecx>, int a2<edx>, int a3<eax>, int a4)
{
int v4; // edi@1
int v5; // esi@1
float v6; // eax@2
char v7; // al@3
int v8; // eax@5
char result; // al@11
// v10 is typed int by the decompiler but only ever written through a float pointer;
// it is the first element of the v10..v12 trio.
int v10; // [sp+Ch] [bp-74h]@2
float v11; // [sp+10h] [bp-70h]@4
float v12; // [sp+14h] [bp-6Ch]@4
float v13; // [sp+18h] [bp-68h]@5
float v14; // [sp+1Ch] [bp-64h]@5
float v15; // [sp+20h] [bp-60h]@5
float v16; // [sp+24h] [bp-5Ch]@10
float v17; // [sp+28h] [bp-58h]@10
float v18; // [sp+2Ch] [bp-54h]@10
// Only &v19 is ever used; it is passed as an output buffer whose size is not visible here.
char v19; // [sp+30h] [bp-50h]@10
// v20..v22 are read in the else-branch but never written in this body; presumably
// sub_572BE0() fills them through the stack -- TODO confirm in the disassembly.
float v20; // [sp+3Ch] [bp-44h]@4
float v21; // [sp+40h] [bp-40h]@4
float v22; // [sp+44h] [bp-3Ch]@4
// v23 is the output of sub_462250 (&v23 is its first argument).
float v23; // [sp+54h] [bp-2Ch]@7
v4 = a3;
v5 = a1;
// a3 non-zero: resolve the v10..v12 vector through a3; a3 zero: derive it from a1's fields.
if ( a3 )
{
// Reads the 4-byte field at a1+208 (the same field is compared against a 16-bit value below).
LODWORD(v6) = sub_55A920(*(_DWORD *)(a1 + 208));
// On failure the code only logs; v10..v12 then holds whatever sub_53ADD0 left there.
if ( !sub_53ADD0(
v5,
v6,
v4,
(int)&v10) )
{
v7 = sub_4EC240(v4);
sub_4E3ED0(
1,
"Cannot find tag [%s]\n",
v7);
}
}
else
{
sub_572BE0();
// v10..v12 = (a1+20, a1+24, a1+28) + (v20, v21, v22): one float triple offset by another.
*(float *)&v10 = *(float *)(v5 + 20) + v20;
v11 = *(float *)(v5 + 24) + v21;
v12 = *(float *)(v5 + 28) + v22;
}
// v8 selects an input for sub_462250; 2047 (0x7FF) acts as a sentinel that switches
// to dword_8FF1D0. What the two globals mean is not visible here.
v8 = dword_8FF12C;
// v13..v15 is seeded from three global floats.
v13 = flt_96A218;
v14 = flt_96A21C;
v15 = flt_96A220;
if ( dword_8FF12C == 2047 )
v8 = dword_8FF1D0;
// Writes v23; 8400899 is 0x803003, meaning unknown here.
sub_462250(
&v23,
&v13,
&v10,
&unk_82D6A0,
v8,
8400899);
// Precedence: A || B || (C && (comma-expression)). The comma expression, and hence
// the calls to sub_4C35B0 and sub_432850, runs only when the first two tests fail and
// the a1+364 comparison holds. If any alternative holds, sub_550250 produces the result.
if ( 1.0 == v23
// Low 16 bits of sub_492C50's result against the 32-bit field at a1+208.
|| (unsigned __int16)sub_492C50(&v23) == *(_DWORD *)(v5 + 208)
|| *(_UNKNOWN **)(v5 + 364) == &unk_FFFFFF
// v16..v18 = v13..v15 + (v10..v12 - v13..v15) * v23: a lerp between the two vectors by v23.
&& (v16 = v13
+ (*(float *)&v10 - v13)
* v23,
v17 = (v11 - v14) * v23 + v14,
v18 = v23 * (v12 - v15) + v15,
// v5+20 is the address of the three floats read above; v5+32 is presumably a similar
// in-object field -- not established here.
sub_4C35B0(
&v16,
v5 + 20,
v5 + 32,
&v19),
sub_432850(
*(_DWORD *)(v5 + 348),
&v19)) )
result = sub_550250(a4, &v13, &v10);
else
// Every alternative failed: report 0 without calling sub_550250 (a4 is untouched).
result = 0;
return result;
}
这段 ASM 可能是错的,类似下面这样的写法接近吗?
// Don't know what params goes where, ie: where the Vec3 goes and where the object goes
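// Prototype of the wrapper: an ordinary __stdcall function that C++ code can call.
// It forwards a1/a2/a3 in ecx/edx/eax and a4 on the stack -- the register assignment
// the disassembler reported for the target:
//   char __usercall sub_572EA0<al>(int a1<ecx>, int a2<edx>, int a3<eax>, int a4)
// and returns the callee's `al` result. The untyped `int func_hook(param1, ...)`
// prototype did not match the `void func_hook()` definition that followed it.
char __stdcall func_hook(int a1, int a2, int a3, int a4);

// Address of the target routine, taken from the disassembly in the question. Kept in a
// variable because MSVC inline asm cannot `call` an immediate, and eax/ecx/edx are all
// occupied by arguments at the moment of the call (so `mov eax, addr; call eax` is out).
static const unsigned long sub_572EA0_addr = 0x572EA0;

__declspec(naked) char __stdcall func_hook(int a1, int a2, int a3, int a4)
{
    __asm {
        push ebp                          ; frame so that a1..a4 resolve to [ebp+8..+20]
        mov ebp, esp
        mov ecx, a1                       ; a1 -> ecx ("mov ecx a1" without the comma does not assemble)
        mov edx, a2                       ; a2 -> edx
        mov eax, a3                       ; a3 -> eax
        push a4                           ; a4 is the single stack argument
        call dword ptr [sub_572EA0_addr]  ; the original did "call func_hook", i.e. called itself
        ; Result is already in al. Whether or not the callee pops a4, `leave` restores esp
        ; from ebp, so the pushed argument is discarded either way. ecx/edx/eax are
        ; caller-saved, so nothing else needs restoring.
        leave
        ret 16                            ; __stdcall: callee pops its four 4-byte arguments
    }
}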
这段代码中缺少的一件事是用户调用的地址(0x572EA0)。不知道该放在哪里...
这就是程序调用该函数的方式。调用在底部: http://i43.tinypic.com/2mez9c8.jpg
I disassembled an executable file with IDA pro. My goal is to hook the __usercall function. I know I need to wrap the __usercall with inline asm in my C++ code since I can't typedef the function. But I'm just not sure how this works.
I know the function takes an object as parameter and a *Vector3 as parameter in which the calculated value will be stored. Is there an easy way to tell which param will be what??
(sorry for the long code)
/*
 * IDA decompiler output for the routine at 0x572EA0, as posted in the question.
 * The <al>/<ecx>/<edx>/<eax> annotations are the decompiler's register assignment:
 * a1 arrives in ecx, a2 in edx, a3 in eax, a4 on the stack, and the char result in al.
 * What this body shows about the arguments:
 *   a1 - used as a base address for field reads (+20/+24/+28 as floats, +208, +348,
 *        +364), so it is the object pointer the question mentions.
 *   a2 - never referenced below.
 *   a3 - only tested for non-zero and forwarded to sub_53ADD0/sub_4EC240; the "%s"
 *        in the failure message suggests it identifies a tag (inferred from the
 *        message, not established here).
 *   a4 - only forwarded to sub_550250 together with &v13 and &v10; the question says
 *        the result is written to a Vector3*, which would make a4 that pointer --
 *        TODO confirm by inspecting sub_550250.
 * The locals v10..v12, v13..v15 and v16..v18 sit in adjacent 4-byte stack slots (see
 * the [sp+..] comments) and are always passed by the address of their first element,
 * i.e. each trio behaves like one 3-float vector.
 */
char __usercall sub_572EA0<al>(int a1<ecx>, int a2<edx>, int a3<eax>, int a4)
{
int v4; // edi@1
int v5; // esi@1
float v6; // eax@2
char v7; // al@3
int v8; // eax@5
char result; // al@11
// v10 is typed int by the decompiler but only ever written through a float pointer;
// it is the first element of the v10..v12 trio.
int v10; // [sp+Ch] [bp-74h]@2
float v11; // [sp+10h] [bp-70h]@4
float v12; // [sp+14h] [bp-6Ch]@4
float v13; // [sp+18h] [bp-68h]@5
float v14; // [sp+1Ch] [bp-64h]@5
float v15; // [sp+20h] [bp-60h]@5
float v16; // [sp+24h] [bp-5Ch]@10
float v17; // [sp+28h] [bp-58h]@10
float v18; // [sp+2Ch] [bp-54h]@10
// Only &v19 is ever used; it is passed as an output buffer whose size is not visible here.
char v19; // [sp+30h] [bp-50h]@10
// v20..v22 are read in the else-branch but never written in this body; presumably
// sub_572BE0() fills them through the stack -- TODO confirm in the disassembly.
float v20; // [sp+3Ch] [bp-44h]@4
float v21; // [sp+40h] [bp-40h]@4
float v22; // [sp+44h] [bp-3Ch]@4
// v23 is the output of sub_462250 (&v23 is its first argument).
float v23; // [sp+54h] [bp-2Ch]@7
v4 = a3;
v5 = a1;
// a3 non-zero: resolve the v10..v12 vector through a3; a3 zero: derive it from a1's fields.
if ( a3 )
{
// Reads the 4-byte field at a1+208 (the same field is compared against a 16-bit value below).
LODWORD(v6) = sub_55A920(*(_DWORD *)(a1 + 208));
// On failure the code only logs; v10..v12 then holds whatever sub_53ADD0 left there.
if ( !sub_53ADD0(
v5,
v6,
v4,
(int)&v10) )
{
v7 = sub_4EC240(v4);
sub_4E3ED0(
1,
"Cannot find tag [%s]\n",
v7);
}
}
else
{
sub_572BE0();
// v10..v12 = (a1+20, a1+24, a1+28) + (v20, v21, v22): one float triple offset by another.
*(float *)&v10 = *(float *)(v5 + 20) + v20;
v11 = *(float *)(v5 + 24) + v21;
v12 = *(float *)(v5 + 28) + v22;
}
// v8 selects an input for sub_462250; 2047 (0x7FF) acts as a sentinel that switches
// to dword_8FF1D0. What the two globals mean is not visible here.
v8 = dword_8FF12C;
// v13..v15 is seeded from three global floats.
v13 = flt_96A218;
v14 = flt_96A21C;
v15 = flt_96A220;
if ( dword_8FF12C == 2047 )
v8 = dword_8FF1D0;
// Writes v23; 8400899 is 0x803003, meaning unknown here.
sub_462250(
&v23,
&v13,
&v10,
&unk_82D6A0,
v8,
8400899);
// Precedence: A || B || (C && (comma-expression)). The comma expression, and hence
// the calls to sub_4C35B0 and sub_432850, runs only when the first two tests fail and
// the a1+364 comparison holds. If any alternative holds, sub_550250 produces the result.
if ( 1.0 == v23
// Low 16 bits of sub_492C50's result against the 32-bit field at a1+208.
|| (unsigned __int16)sub_492C50(&v23) == *(_DWORD *)(v5 + 208)
|| *(_UNKNOWN **)(v5 + 364) == &unk_FFFFFF
// v16..v18 = v13..v15 + (v10..v12 - v13..v15) * v23: a lerp between the two vectors by v23.
&& (v16 = v13
+ (*(float *)&v10 - v13)
* v23,
v17 = (v11 - v14) * v23 + v14,
v18 = v23 * (v12 - v15) + v15,
// v5+20 is the address of the three floats read above; v5+32 is presumably a similar
// in-object field -- not established here.
sub_4C35B0(
&v16,
v5 + 20,
v5 + 32,
&v19),
sub_432850(
*(_DWORD *)(v5 + 348),
&v19)) )
result = sub_550250(a4, &v13, &v10);
else
// Every alternative failed: report 0 without calling sub_550250 (a4 is untouched).
result = 0;
return result;
}
The ASM is probably wrong, would something like this be close??
// Don't know what params goes where, ie: where the Vec3 goes and where the object goes
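// Prototype of the wrapper: an ordinary __stdcall function that C++ code can call.
// It forwards a1/a2/a3 in ecx/edx/eax and a4 on the stack -- the register assignment
// the disassembler reported for the target:
//   char __usercall sub_572EA0<al>(int a1<ecx>, int a2<edx>, int a3<eax>, int a4)
// and returns the callee's `al` result. The untyped `int func_hook(param1, ...)`
// prototype did not match the `void func_hook()` definition that followed it.
char __stdcall func_hook(int a1, int a2, int a3, int a4);

// Address of the target routine, taken from the disassembly in the question. Kept in a
// variable because MSVC inline asm cannot `call` an immediate, and eax/ecx/edx are all
// occupied by arguments at the moment of the call (so `mov eax, addr; call eax` is out).
static const unsigned long sub_572EA0_addr = 0x572EA0;

__declspec(naked) char __stdcall func_hook(int a1, int a2, int a3, int a4)
{
    __asm {
        push ebp                          ; frame so that a1..a4 resolve to [ebp+8..+20]
        mov ebp, esp
        mov ecx, a1                       ; a1 -> ecx ("mov ecx a1" without the comma does not assemble)
        mov edx, a2                       ; a2 -> edx
        mov eax, a3                       ; a3 -> eax
        push a4                           ; a4 is the single stack argument
        call dword ptr [sub_572EA0_addr]  ; the original did "call func_hook", i.e. called itself
        ; Result is already in al. Whether or not the callee pops a4, `leave` restores esp
        ; from ebp, so the pushed argument is discarded either way. ecx/edx/eax are
        ; caller-saved, so nothing else needs restoring.
        leave
        ret 16                            ; __stdcall: callee pops its four 4-byte arguments
    }
}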
One thing missing in this piece of code is the address of the usercall (0x572EA0). Not sure where to put that...
This is how the program is calling the function. The call is at the bottom:
http://i43.tinypic.com/2mez9c8.jpg
您挂钩的函数是 Borland `__fastcall`,而不是 `__usercall`(事实上并没有这样的约定,它只是 IDA 用来表示“未知约定”的写法)。就使用内联汇编挂钩而言,`ECX`、`EDX` 和 `EAX` 是暂存寄存器,因此我们不需要保留它们,并且这个调用的格式是正确的,所以我们不需要担心堆栈。
“容易程度”取决于您在逆向工程方面的经验以及对所逆向程序的了解;在本例中我会说它是 `a1`,因为您可以看到它被移动到一个临时变量,然后使用指针表示法(IDA 表示未知结构体的方式)访问它来提取 3 个 `float`,这通常是大多数应用程序表示矢量分量的方式(而且大多数矢量都有 3 个分量)。如果您能够实际调试该调用,查看哪些参数是指针,查看该函数的调用点等,也会有很大帮助。因此,我更喜欢用 ollydbg 做逆向,并用 IDA 的执行流程图来补充,以应对棘手的跳转序列(想想一个函数里有 20 多个 `goto` :<)
that function you are hooking is Borland `__fastcall`, not `__usercall` (in fact there is actually no such convention, it's just IDA's version of "unknown convention"). In terms of hooking this with inline asm, `ECX`, `EDX` and `EAX` are scratch registers, so we don't need to preserve them, and the call is well formed so we don't need to worry about the stack.
The 'easiness' depends on your experience in reverse engineering and with the program you are REing; in this case I'd say it's `a1`, because you can see it move to a temporary, which is then accessed using pointer notation (IDA's way of representing unknown structs) to pull out 3 `float`s, which is generally what most apps use for vector components (and also most vectors have 3 components). It also helps greatly if you can actually debug the call in action, see what params are pointers, have a look at the function's call sites etc. For this reason I prefer using ollydbg for RE, supplementing it with IDA execution flow graphs for tricky jump sequences (think 20+ `goto`s in a function :<)