
C++ mid-function hook: get register values and jump back [x86 assembly on Windows]

There is an int value in register EBP and a string in EBX. I need to get the values from these registers in my own function, do some operations on them and finally jump back to some code below.

[image: OllyDbg, JMP start]

I do a JMP at 0x46AA17 to my function called JmpHook.

    #include <cstdio>

    void JmpHook()
    {
        char *mystring;
        _asm mov mystring, ebx   // copy the string pointer out of EBX

        printf("value: %s", mystring);

        _asm
        {
            jmp       [0x46AA87] // intended to jump back below the original JMP
        }
    }

As you can see, I am trying to move the string at EBX into mystring and at the end jump back to 0x46AA87, which is located some lines below my JMP JmpHook.

printf is being called and mystring is being output, but all this seems very untidy in OllyDbg. I am also unable to get EBP as it's being overwritten at the beginning of JmpHook (saw that in OllyDbg). The JMP at the end of JmpHook also does not work:

[image: OllyDbg error]

So my question is how to properly jump to my own function, save the two registers there in variables and then, after some operations, jump back to the original code.

Thank you!

You can get the value of the last EBP from the stack.

It is the first value that is pushed on the stack when you call your function. If I am not mistaken it will be at [EBP].

As for the jump, can you make it so that instead of jumping to the hook, you call it? After the function returns the code will continue from the next address.

The reason you are getting an error is because you never reach the end of the function. Normally a function contains a prologue and an epilogue, where stack pointers are saved and retrieved.

Prologue:

push ebp
mov  ebp, esp

Epilogue:

pop ebp

Since you never reach the end of the function, the pop is not called, and your stack is corrupted.

The error you are getting with the jump is because you are jumping to the location pointed to by the memory at address 0x46AA87. You probably wanted to jump to the address itself, so the brackets are unnecessary.
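Putting the answer's points together, here is an added example (not code from the question or the answer) of a hook that leaves the hooked program's state intact: a `__declspec(naked)` stub with no compiler prologue hands EBX and EBP to an ordinary C++ callback, restores every register and flag, and resumes at 0x46AA87 without the brackets. The callback name `OnHook` and the capture buffers are assumptions; like the question, it does not re-execute the instructions the JMP at 0x46AA17 overwrote, since control resumes at 0x46AA87. The stub needs the 32-bit MSVC compiler and is guarded accordingly; the callback is plain C++.

```cpp
#include <cstdio>
#include <cstring>

// Constructed storage for the values captured at the hook point.
static int  g_capturedEbp = 0;
static char g_capturedString[256] = {0};

// Ordinary C++ function with a normal prologue/epilogue: it does the real work,
// so the stack is never left half-unwound. On 32-bit MSVC the default calling
// convention is cdecl, so the caller removes the arguments.
extern "C" void OnHook(int ebpValue, const char* ebxString)
{
    g_capturedEbp = ebpValue;
    strncpy(g_capturedString, ebxString ? ebxString : "", sizeof(g_capturedString) - 1);
    g_capturedString[sizeof(g_capturedString) - 1] = '\0';
    printf("ebp: %d, ebx: %s\n", g_capturedEbp, g_capturedString);
}

int CapturedEbp() { return g_capturedEbp; }
const char* CapturedString() { return g_capturedString; }

#if defined(_MSC_VER) && defined(_M_IX86)
// Naked: the compiler emits no "push ebp / mov ebp, esp", so EBP still holds the
// hooked program's value on entry. Reached by the JMP placed at 0x46AA17.
__declspec(naked) void JmpHook()
{
    __asm
    {
        pushfd                 // preserve flags
        pushad                 // preserve EAX..EDI, including EBX and EBP
        push ebx               // arg 2: string pointer from EBX
        push ebp               // arg 1: int value from EBP
        call OnHook
        add  esp, 8            // cdecl: remove the two arguments
        popad                  // restore registers exactly as the program left them
        popfd
        push 0x46AA87          // jump to the address itself (no brackets):
        ret                    // push target, ret == absolute jmp
    }
}
#endif
```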
