Abstract:
A look at the HOOK techniques commonly used in game cheat development.
- We check that the length is at least 5 bytes because that is the size of the smallest relative jmp on x86. The instructions you will be destroying by overwriting will therefore be at least 5 bytes. In a word, we will have at least a `jmp` opcode at that address, and that `jmp` opcode is going to be at least 5 bytes;
- We use VirtualProtect to change the page permissions of the memory we are overwriting so that it is writable;
- We fill the memory we are overwriting with 0x90, which is the NOP (no operation) instruction. This is not 100% necessary but is a nice failsafe measure. While you are debugging it is also nice to watch the 0x90 bytes get written, so you know you are doing the right thing in the right spot. We NOP the entire instruction by giving it the len argument;
- Then we calculate the relative address between the destination and the src address by subtracting them, and we subtract len. The result of this calculation is the relative offset from the last byte we overwrote to the address of the function we are jumping to. Keep in mind that we are using a relative jump, not an absolute jump, so this must be calculated at runtime;
- Then we write 0xE9 (the byte code of the relative jmp instruction), then we advance 1 byte (past the 0xE9) so we can write the relative offset;
- Then we use VirtualProtect to reset the page permissions to what they were before we modified them;
- You have to execute your code inside a `__declspec(naked)` function: you must preserve the registers and the stack so you don't corrupt the stack or registers, and you must execute the stolen bytes. Then you have to jump back to the src+len address.
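The offset arithmetic above, together with its inverse as a defender-side check, as an added C example that is not code from the original post: `rel32_for_jmp()` computes the displacement for the 0xE9 jmp (the CPU applies it relative to src + 5, the next instruction, which is why a hookLength larger than 5 does not change it), `resolve_jmp_hook()` reads a prologue snapshot back and resolves where a planted jmp lands, and `nop_padding_after_jmp()` counts the 0x90 bytes left behind it. The addresses 0x00401000 and 0x10000000 and the sample bytes are constructed.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define JMP_REL32_LEN 5   /* E9 + 4-byte displacement: the smallest x86 relative jmp */

/* Displacement for "jmp rel32". The CPU adds it to the address of the NEXT
 * instruction (src + 5), whatever the hook length; uint32_t wraps like EIP. */
static int32_t rel32_for_jmp(uint32_t src, uint32_t dst)
{
    return (int32_t)(dst - (src + JMP_REL32_LEN));
}

/* Inverse, defender side: given bytes read from a function prologue and the
 * address they came from, report whether they begin with a rel32 jmp and where
 * it lands. A target outside the owning module's image is a strong hook signal. */
static int resolve_jmp_hook(const uint8_t *code, size_t len,
                            uint32_t code_addr, uint32_t *target)
{
    if (len < JMP_REL32_LEN || code[0] != 0xE9)
        return 0;
    int32_t rel;
    memcpy(&rel, code + 1, sizeof rel);   /* little-endian, as x86 stores it */
    *target = code_addr + JMP_REL32_LEN + (uint32_t)rel;
    return 1;
}

/* 0x90 bytes after the jmp: with hookLength = 6 one stolen byte is NOPed out. */
static size_t nop_padding_after_jmp(const uint8_t *code, size_t len)
{
    size_t n = 0;
    for (size_t i = JMP_REL32_LEN; i < len && code[i] == 0x90; i++)
        n++;
    return n;
}

int main(void)
{
    /* Constructed sample: 6-byte prologue at made-up 0x00401000, detoured to
     * made-up 0x10000000 with hookLength = 6 (jmp + one NOP). */
    uint32_t src = 0x00401000u, dst = 0x10000000u, target;
    uint8_t hooked[6] = { 0xE9, 0, 0, 0, 0, 0x90 };
    int32_t rel = rel32_for_jmp(src, dst);
    memcpy(hooked + 1, &rel, sizeof rel);
    if (resolve_jmp_hook(hooked, sizeof hooked, src, &target))
        printf("jmp at 0x%08X -> 0x%08X, rel32 = 0x%08X, %zu NOP after\n",
               src, target, (uint32_t)rel, nop_padding_after_jmp(hooked, sizeof hooked));
    return 0;
}
```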
- The `__declspec(naked)` indicates that the function will have no prologue and epilogue, and that we can write assembly code in it;
- The `_asm` block indicates no other assembly code but ours;
- This line is our own code, which replaces the original one (`sub ecx, [ebp + 08]`) to add the whole health value while pressing the SPACE button;
- The `hookLength` we are using (6) overrides the second assembly line, although we don't need to override it to execute our code, so we have to re-write it;
- After