Tuesday, 11 March 2014

[Coding] ASM __thiscall topic




Hi Guys,

I am relatively new to ASM and injection.
I am trying to call the game function at 0x009B1870.
From what I understand it is using the __thiscall convention because of the ECX register.
I have made sure that my ECX register is being passed correctly by stepping through with OllyDbg;
my two parameters are also being passed correctly.

My ASM seems to be working in some cases, but in other cases it causes the game to crash even though ECX, arg1 and arg2 are being passed correctly.
Any ideas?

Thanks...

Below is a snippet of a call to the game function:
MOV ECX,DWORD PTR DS:[EAX] ; Case 14 of switch game.9B262C
AND CL,DL
CMP CL,4
JNE SHORT 009B26AB
MOV ECX,DWORD PTR DS:[EAX+8]
AND CL,DL
CMP CL,4
JNE SHORT 009B26AB
MOV ECX,DWORD PTR DS:[EAX+0C]
MOV EAX,DWORD PTR DS:[EAX+4]
PUSH ECX ; /Arg2
MOV ECX,DWORD PTR DS:[ESI+233B4] ; |
PUSH EAX ; |Arg1
CALL 009B1870



Below is my injected assembly:

var asm = new[]
{
    "mov esi, " + esi,    // Probably not needed...

    "mov ecx, " + slot,   // Parameter 1: pushed first, so the callee reads it at [EBP+0C] (ARG.2)
    "push ecx",
    "mov ecx, " + ecx,    // Set *this (ECX was used as scratch above, so it is set after that push)

    "push " + bar,        // Parameter 2: pushed last, so the callee reads it at [EBP+8] (ARG.1)

    "call " + address,    // Call 009B1870; it ends in RETN 8, so the callee pops both arguments
    "retn"                // Return to whatever invoked this injected stub
};




Below is the game function itself:

CPU Disasm
Address Hex dump Command Comments
009B1870 /$ 55 PUSH EBP ; game.009B1870(guessed Arg1,Arg2)
009B1871 |. 8BEC MOV EBP,ESP
009B1873 |. 8B45 08 MOV EAX,DWORD PTR SS:[ARG.1]
009B1876 |. C1E0 04 SHL EAX,4
009B1879 |. 0345 0C ADD EAX,DWORD PTR SS:[ARG.2]
009B187C |. 69C0 64010000 IMUL EAX,EAX,164
009B1882 |. 8D5408 48 LEA EDX,[ECX+EAX+48]
009B1886 |. 52 PUSH EDX ; /Arg1
009B1887 |. E8 84F6FFFF CALL 009B0F10 ; \game.009B0F10
009B188C |. 5D POP EBP
009B188D \. C2 0800 RETN 8
009B1890 /. 55 PUSH EBP
009B1891 |. 8BEC MOV EBP,ESP
009B1893 |. 8B45 08 MOV EAX,DWORD PTR SS:[ARG.1]
009B1896 |. 69C0 64010000 IMUL EAX,EAX,164
009B189C |. 8D9408 C89001 LEA EDX,[ECX+EAX+190C8]
009B18A3 |. 52 PUSH EDX ; /Arg1
009B18A4 |. E8 67F6FFFF CALL 009B0F10 ; \game.009B0F10
009B18A9 |. 5D POP EBP
009B18AA \. C2 0400 RETN 4
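An added model (not the poster's code and not taken from the game) of the x86 frame that game.009B1870 sees, built from the disassembly above: the caller's PUSHes, the CALL, then PUSH EBP / MOV EBP,ESP, so the value pushed last becomes ARG.1 at [EBP+8] and the one pushed first becomes ARG.2 at [EBP+0C], and the trailing RETN 8 is the callee popping both. The `this` pointer, argument values and stack addresses are constructed for illustration.

```python
# Model of the frame seen by game.009B1870 (from the disassembly above):
#   caller PUSHes args, CALL pushes the return address, then PUSH EBP / MOV EBP,ESP
#   => [EBP+8] is ARG.1 (the value pushed LAST), [EBP+0C] is ARG.2, ECX is `this`.
# All addresses and values below are constructed for illustration, not from the game.

def frame_after_call(pushes, return_addr=0x11111111):
    """Simulate the PUSH sequence, the CALL and the callee's prologue on a
    descending stack; return the values the callee reads at [EBP+8]/[EBP+0C]."""
    stack = {}
    esp = 0x0019FF00                      # constructed initial ESP

    def push(value):
        nonlocal esp
        esp -= 4
        stack[esp] = value

    for value in pushes:                  # caller's PUSH instructions, in order
        push(value)
    push(return_addr)                     # CALL 009B1870 pushes the return address
    push(0x0019FFF0)                      # PUSH EBP (caller's EBP, constructed)
    ebp = esp                             # MOV EBP,ESP
    return {8: stack[ebp + 8], 0xC: stack[ebp + 0xC]}


def callee_009B1870(this, arg1, arg2):
    """The address arithmetic of game.009B1870 as disassembled:
    EAX = (ARG.1 << 4) + ARG.2; EAX *= 0x164; EDX = ECX + EAX + 0x48.
    Returns the pointer that is then passed to 009B0F10."""
    eax = ((arg1 << 4) + arg2) & 0xFFFFFFFF
    eax = (eax * 0x164) & 0xFFFFFFFF
    return (this + eax + 0x48) & 0xFFFFFFFF


def pointer_for_push_order(this, pushes):
    """Pointer the callee computes for a given caller push order."""
    args = frame_after_call(pushes)
    return callee_009B1870(this, args[8], args[0xC])


def callee_cleanup_matches(num_pushes, retn_imm=8):
    """RETN 8 pops both DWORD arguments: the caller must not 'add esp, 8' itself."""
    return retn_imm == 4 * num_pushes


if __name__ == "__main__":
    this = 0x01000000                     # constructed `this`
    # Game's own order: PUSH Arg2 first, PUSH Arg1 last (as in the snippet above).
    print(hex(pointer_for_push_order(this, [2, 1])))   # arg1=1, arg2=2
    # The same two values pushed in the opposite order land in swapped slots.
    print(hex(pointer_for_push_order(this, [1, 2])))   # arg1=2, arg2=1
```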




