C++ mid-function hook: get register values and jump back [x86 assembly on Windows]
There is an int value in register EBP and a string in EBX. I need to get the values from these registers in my own function, do some operations on them and finally jump back to some code below.

I do a JMP at 0x46AA17 to my function called JmpHook.
#include <stdio.h>

void JmpHook()
{
    char *mystring;
    _asm mov mystring, ebx      /* copy the char* that the hooked code left in EBX */
    printf("value: %s", mystring);
    _asm
    {
        jmp [0x46AA87]          /* meant to jump back into the original code at 0x46AA87 */
    }
}
As you can see, I am trying to move the string at EBX into mystring and at the end jump back to 0x46AA87, which is located some lines below my JMP JmpHook.

printf is being called and mystring is being output, but all this seems very untidy in OllyDbg. I am also unable to get EBP, as it's being overwritten at the beginning of JmpHook (saw that in OllyDbg). The JMP at the end of JmpHook also does not work.

So my question is how to properly jump to my own function, save the two registers there in variables and then, after some operations, jump back to the original code.

Thank you!
You can get the value of the last EBP from the stack. It is the first value that is pushed on the stack when you call your function. If I am not mistaken it will be at [EBP].

As for the jump, can you make it so that instead of jumping to the hook, you call it? After the function returns the code will continue from the next address.

The reason you are getting an error is that you never reach the end of the function. Normally a function contains a prologue and an epilogue, where stack pointers are saved and retrieved.

Prologue:

    push ebp
    mov ebp, esp

Epilogue:

    pop ebp

Since you never reach the end of the function, the pop is not called, and your stack is corrupted.

The error you are getting with the jump is because you are jumping to a location pointed to by the memory at the address 0x46AA87. You probably wanted to jump to the address, so the brackets are unnecessary.
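Putting the answer's advice together, as an added example that is not code from the question or the answer: a naked trampoline saves every register, hands the EBX string and the EBP value to an ordinary C++ function as arguments, restores the registers and jumps back to the address itself rather than to [0x46AA87]. The return address 0x46AA87 is taken from the question; the names OnHook, JmpHook, Capture and LastCapture are assumed, the trampoline is MSVC 32-bit inline asm compiled only under _MSC_VER, and the handler is portable C++.

```cpp
#include <cstdio>
#include <cstring>
#include <cstdint>

// What the handler captured the last time the hook fired (assumed helper type).
struct Capture {
    char     str[64];
    uint32_t ebp;
};
static Capture g_capture;

// Ordinary cdecl function: it receives the register values as plain arguments,
// so it may use the stack, call printf and be stepped in a debugger like any code.
extern "C" void OnHook(const char *ebx_str, uint32_t ebp_val)
{
    // Copy the string out; the hooked code may reuse that buffer later.
    std::snprintf(g_capture.str, sizeof g_capture.str, "%s",
                  ebx_str ? ebx_str : "(null)");
    g_capture.ebp = ebp_val;
    std::printf("EBX -> \"%s\", EBP = 0x%08X\n", g_capture.str, (unsigned)ebp_val);
}

const Capture &LastCapture() { return g_capture; }

#if defined(_MSC_VER) && defined(_M_IX86)
// Naked: the compiler emits no prologue, so EBP and EBX still hold what the
// hooked code left in them (a normal function overwrites EBP in "mov ebp, esp").
__declspec(naked) void JmpHook()
{
    __asm {
        pushfd            // save EFLAGS ...
        pushad            // ... and all eight general registers (EBX, EBP included)
        push ebp          // argument 2: the int in EBP
        push ebx          // argument 1: the char* in EBX
        call OnHook       // cdecl call; EAX/ECX/EDX may be clobbered, popad repairs them
        add esp, 8        // cdecl: the caller removes the two arguments
        popad             // restore every register exactly as the hooked code left it
        popfd
        push 0x46AA87     // return target from the question: the address itself,
        ret               // not [0x46AA87]; push/ret jumps without a scratch register
    }
}
#endif
```

The handler only sees what the trampoline passes it; any original instructions overwritten by the JMP placed at 0x46AA17 are not re-executed here, so the jump-back target has to account for them.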