Vip_SolidSnake Admin
Subject: PB Bypassing Tutorials — Sun 7 Feb 2010 - 17:16
This is an updated version of the tutorial.
I'll start with CoD2 as the example.
The easiest way I found was to open IDA or OllyDbg, search for the text "PB_P", and scroll up a few lines; you will find something like this: - Code:
.text:1004DD7C ; int __cdecl sub_1004DD7C(int, size_t Count, char *Dest) .text:1004DD7C sub_1004DD7C proc near ; CODE XREF: sub_1004FFCB+B7p .text:1004DD7C ; sub_100544BE+E8p ... .text:1004DD7C .text:1004DD7C Src = byte ptr -4B0h .text:1004DD7C var_4AF = byte ptr -4AFh .text:1004DD7C var_4AE = byte ptr -4AEh .text:1004DD7C var_4AD = byte ptr -4ADh .text:1004DD7C Dst = byte ptr -4ACh .text:1004DD7C var_4AB = byte ptr -4ABh .text:1004DD7C var_4A8 = byte ptr -4A8h .text:1004DD7C var_4A6 = byte ptr -4A6h .text:1004DD7C arg_0 = dword ptr 8 .text:1004DD7C Count = dword ptr 0Ch .text:1004DD7C Dest = dword ptr 10h .text:1004DD7C .text:1004DD7C push ebp .text:1004DD7D mov ebp, esp .text:1004DD7F sub esp, 4B0h .text:1004DD85 cmp dword_100A0448, 0 .text:1004DD8C jz locret_1004E023 .text:1004DD92 cmp dword_1009FE80, 0Ah .text:1004DD99 push ebx .text:1004DD9A jbe short loc_1004DDD5 .text:1004DD9C cmp [ebp+Count], 0Fh .text:1004DDA0 jle loc_1004E022 .text:1004DDA6 push 232Eh .text:1004DDAB push 54h ; Args .text:1004DDAD call sub_1003CB85 .text:1004DDB2 push eax ; Format .text:1004DDB3 push [ebp+Count] ; Count .text:1004DDB6 push [ebp+Dest] ; Dest .text:1004DDB9 call sub_10004529 .text:1004DDBE mov eax, [ebp+Dest] .text:1004DDC1 add esp, 14h .text:1004DDC4 lea ecx, [eax+1] .text:1004DDC7 .text:1004DDC7 loc_1004DDC7: ; CODE XREF: sub_1004DD7C+50j .text:1004DDC7 mov dl, [eax] .text:1004DDC9 inc eax .text:1004DDCA test dl, dl .text:1004DDCC jnz short loc_1004DDC7 .text:1004DDCE sub eax, ecx .text:1004DDD0 lea ebx, [eax+1] .text:1004DDD3 jmp short loc_1004DDD8 the code in blue is what you are looking for. So you hook that and ur offset is this 0x4DD7C notice where its found in the sub.
So hooking it is quite easy: - Code:
int(*teh_Bypass)( int a1, size_t Count, char *Dest ); int Bypass_Hook( int a1, size_t Count, char *Dest ) {
//Your log code goes here. return orig_Bypass(a1,Count,Dest); } Then, in your load-library routine, just call your function like so: - Code:
teh_Bypass = (int (__cdecl *)(int,size_t,char *))DetourFunction( ( PBYTE )pBase + 0x4DD7C, ( PBYTE )Bypass_Hook ); __asm mov [ teh_Bypass ], eax;