[英]Access violation when calling function of a game from dll
我試圖調用一個名為“以撒的綁定:重生”的游戲功能,該功能可以設置您當前擁有的鑰匙數量。 這是我當前注入的dll代碼:
main.cpp
#include <iostream>
typedef void(__cdecl *funcB)(byte namePtr);
funcB originalFunction;
BOOL WINAPI DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpReserved)
{
uintptr_t modBase = (uintptr_t)GetModuleHandle(NULL);
originalFunction = (funcB)(modBase + 0x150860);
switch (dwReason)
{
case DLL_PROCESS_ATTACH:
originalFunction(17); //set keys to 17
break;
default:
break;
}
return TRUE;
}
這是來自x64dbg的函數的匯編:
010E0860 | 55 | push ebp |
010E0861 | 8B EC | mov ebp,esp |
010E0863 | 83 EC 08 | sub esp,8 |
010E0866 | 8B 81 D8 24 00 00 | mov eax,dword ptr ds:[ecx+24D8] | ;line that calls the EXCEPTION_ACCESS_VIOLATION
010E086C | 8D 55 08 | lea edx,dword ptr ss:[ebp+8] |
010E086F | 03 45 08 | add eax,dword ptr ss:[ebp+8] |
010E0872 | 83 F8 63 | cmp eax,63 | 63:'c'
010E0875 | 89 45 08 | mov dword ptr ss:[ebp+8],eax |
010E0878 | 56 | push esi |
010E0879 | 8D 75 FC | lea esi,dword ptr ss:[ebp-4] |
010E087C | C7 45 FC 63 00 00 00 | mov dword ptr ss:[ebp-4],63 | 63:'c'
010E0883 | 0F 4D D6 | cmovge edx,esi |
010E0886 | C7 45 F8 00 00 00 00 | mov dword ptr ss:[ebp-8],0 |
010E088D | 8D 45 F8 | lea eax,dword ptr ss:[ebp-8] |
010E0890 | 5E | pop esi |
010E0891 | 83 3A 00 | cmp dword ptr ds:[edx],0 |
010E0894 | 0F 4F C2 | cmovg eax,edx |
010E0897 | 8B 00 | mov eax,dword ptr ds:[eax] |
010E0899 | 89 81 D8 24 00 00 | mov dword ptr ds:[ecx+24D8],eax |
010E089F | A1 D0 A0 4C 01 | mov eax,dword ptr ds:[14CA0D0] |
010E08A4 | 83 B8 6C F5 10 00 02 | cmp dword ptr ds:[eax+10F56C],2 |
010E08AB | 74 14 | je isaac-ng.10E08C1 |
010E08AD | C7 80 6C F5 10 00 01 00 | mov dword ptr ds:[eax+10F56C],1 |
010E08B7 | C7 80 74 F5 10 00 02 00 | mov dword ptr ds:[eax+10F574],2 |
010E08C1 | 8B E5 | mov esp,ebp |
010E08C3 | 5D | pop ebp |
010E08C4 | C2 04 00 | ret 4 |
我假設函數唯一采用的參數是將鍵設置為的數字,但是由於我對RE還是很陌生,所以我不太確定。 同樣,如果我沒有犯錯,那么調用約定應該是__cdecl
。
我認為這可能與ecx
設置錯誤有關,因為它在程序集中的函數調用之前設置為不同的設置。
x64dbg日志:
EXCEPTION_DEBUG_INFO:
dwFirstChance: 1
ExceptionCode: C0000005 (EXCEPTION_ACCESS_VIOLATION)
ExceptionFlags: 00000000
ExceptionAddress: 010E0866 isaac-ng.010E0866
NumberParameters: 2
ExceptionInformation[00]: 00000000 Read
ExceptionInformation[01]: 01661ED8 Inaccessible Address
First chance exception on 010E0866 (C0000005, EXCEPTION_ACCESS_VIOLATION)!
好的,所以我研究了此thiscall
工作方式,現在對其進行了整理。 我將dll代碼更改為此,
#include <windows.h>
#include <iostream>
struct _Isaac { //Make a class for the function
typedef void(__thiscall *funcB)(void *pThis, int keyAmount);
funcB originalFunction;
void *pThis = (void*)0x12ED56E8; //Address for the instance
};
_Isaac Isaac;
BOOL WINAPI DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpReserved)
{
uintptr_t modBase = (uintptr_t)GetModuleHandle(NULL);
Isaac.originalFunction = (_Isaac::funcB)(modBase + 0x150860);
switch (dwReason)
{
case DLL_PROCESS_ATTACH:
Isaac.originalFunction((void*)Isaac.pThis, 17);
break;
default:
break;
}
return TRUE;
}
現在它可以正常工作了。 無論如何,對於快速的響應和建議,我真是個忘了OOP的新手:)
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.