Hooking CGInputCtrl_OnMouseMoveRel

  1. #1 Cromon

    Hello everybody!

    I'm trying to get familiar with hooking functions from WoW, or, to be more precise (because hooking isn't a problem any more), with creating prototypes for the functions. I want to take CGInputCtrl_onMouseMoveRel (offset 0x57FFB0, 3.2.2a) as a first example. I opened it in IDA and found the following:
    Code:
    .text:0057FFB0 sub_57FFB0      proc near               ; CODE XREF: .text:0049AA3Cp
    .text:0057FFB0
    .text:0057FFB0 var_18          = dword ptr -18h
    .text:0057FFB0 var_14          = dword ptr -14h
    .text:0057FFB0 var_C           = dword ptr -0Ch
    .text:0057FFB0 arg_0           = dword ptr  8
    So, what I think now:
    The function has 1 argument, which may be CGInputCtrl* this. So it may look like:
    RETURNTYPE CGInputCtrl::OnMouseMoveRel();

    Now on to the return type. That, to be honest, is a bit more of a problem for me. From what I have learned the return value is put in eax, so I try to take a look at eax at the end:
    Code:
    .text:00580093                 pop     edi
    .text:00580094                 pop     esi
    .text:00580095                 pop     ebp
    .text:00580096                 retn    4
    .text:00580096 sub_57FFB0      endp
    So to me this looks like there is no return value, so I think it may be like this:
    void CGInputCtrl::OnMouseMoveRel();

    Now my question:
    Would you agree with what I have found there?

    Greetings
    Cromon

  2. #2 kynox
    You're partly right, it has one argument indeed, but the argument isn't the CGInputControl class; it's a float as verified by this line:
    .text:00580048 fld [ebp+arg_0]
    You can also tell that it is of the "thiscall" calling convention as verified by the preservation of ecx:
    .text:0057FFC6 mov esi, ecx
    So in summary, the proper prototype is:
    void (__thiscall * CGInputControl__OnMouseMoveRel)(void *this, float floatArg)

  3. #3 ggg898
    @kynox,

    I wonder if there's an easy general way to see if a function is thiscall or stdcall, since both pass arguments in registers?

    Thanks

  4. #4 kynox
    Err, read my second point.

  5. #5 ggg898
    Just wondered if that holds in general. Thanks.

  6. #6 Cromon
    Hey Kynox!

    Thanks for that! To practice a bit I just took the next function in the list, CGInputCtrl_ToggleControlBit.

    So, I'm trying the same approach:
    Code:
    .text:00581230 arg_0           = dword ptr  8
    .text:00581230 arg_4           = dword ptr  0Ch
    .text:00581230 arg_8           = dword ptr  10h
    .text:00581230 arg_C           = dword ptr  14h
    4 arguments; the types may be figured out by looking at what's done with them later.

    Then we find mov esi, ecx before anything is done with ecx, so this again may be __thiscall; so far:
    T CGInputCtrl::ToggleControlBit((4byte)arg1, (4byte)arg2, (4byte)arg3, (4byte)arg4);

    The last "chunk" looks as following:
    Code:
    .text:00581289 loc_581289:                             ; CODE XREF: CGInputCtrl__ToggleControlBit+2Aj
    .text:00581289                 pop     edi
    .text:0058128A                 pop     esi
    .text:0058128B                 pop     ebx
    .text:0058128C                 pop     ebp
    .text:0058128D                 retn    10h
    So this looks to me again like no return value, so
    void CGInputCtrl::ToggleControlBit(a0, a1, a2, a3);

    For the types I can't really figure out what they should be, but since they are compared with 0 ([ebp + argX], 0) I guess it may be a numerical type like float or int. From the context I would say these are integers:
    Code:
    void CGInputCtrl::ToggleControlBit(int, int, int, int)
    Will test that as soon as I can. Maybe you see a major error.

    Greetings
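
The reasoning in this post and in posts #1 and #2 (count the arg_N frame annotations, read the retn operand, see whether ecx is used before it is overwritten, watch for fld on an argument, check whether eax is written before the return) can be mechanised. The script below is an added example written for this thread, not code from any of the posters: it parses IDA-style listing lines and prints a best-guess prototype. The two listings are constructed from the fragments quoted in the thread (the address on the `mov esi, ecx` line of the second one is a placeholder, since the post does not give it), and all function names in the script (`infer_prototype`, `declaration`, `register_is_input`, ...) are my own.

```python
"""Infer a rough x86 prototype from an IDA-style listing (added example, not from the thread)."""
import re
from collections import namedtuple

PREFIX_RE = re.compile(r"^\.text:[0-9A-Fa-f]+\s*")
FRAME_RE = re.compile(r"^((?:arg|var)_[0-9A-Fa-f]+)\s*=\s*(\w+)\s+ptr\s+(-?[0-9A-Fa-f]+h?)$")
FLD_ARG_RE = re.compile(r"\[ebp\+(arg_[0-9A-Fa-f]+)\]")
REG_FAMILY = {"ecx": "ecx|cx|cl|ch", "edx": "edx|dx|dl|dh", "eax": "eax|ax|al|ah"}
DST_WRITE_ONLY = {"mov", "lea", "pop", "movzx", "movsx"}   # destination overwritten, not read
READ_ONLY = {"cmp", "test", "push", "fld", "fild", "call", "jmp", "retn", "ret"}
Prototype = namedtuple("Prototype", "name convention return_type args cleanup_bytes warnings")

def ida_int(tok):
    """IDA number notation: '8' is decimal, '0Ch' / '10h' / '-18h' are hex."""
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok, 10)

def mentions(reg, operand):
    return re.search(r"\b(%s)\b" % REG_FAMILY[reg], operand) is not None

def reads_and_writes(mnem, ops):
    """(operands read, register overwritten or None) for one instruction."""
    if not ops:
        return [], None
    dst, mem = ops[0], ops[0].startswith("[")
    if mnem in DST_WRITE_ONLY or mnem.startswith("set"):
        return ops[1:] + ([dst] if mem else []), None if mem else dst
    if mnem == "xor" and len(ops) == 2 and ops[0] == ops[1]:   # zeroing idiom: write only
        return [], dst
    if mnem in READ_ONLY or mnem.startswith("j"):
        return ops, None
    return ops, None if mem else dst                           # add/sub/...: read-modify-write

def parse_listing(listing):
    """-> ([(name, size word, offset)] for arg_/var_ lines, [(mnemonic, [operands])])."""
    frame, insns = [], []
    for raw in listing.splitlines():
        line = PREFIX_RE.sub("", raw).split(";", 1)[0].strip()
        if not line or " proc " in line or line.endswith("endp") or re.match(r"^\w+:$", line):
            continue                                           # blanks, proc/endp, labels
        m = FRAME_RE.match(line)
        if m:
            frame.append((m.group(1), m.group(2), ida_int(m.group(3))))
        else:
            head, _, tail = line.partition(" ")
            insns.append((head.lower(), [o.strip() for o in tail.split(",")] if tail.strip() else []))
    return frame, insns

def register_is_input(insns, reg):
    """True if reg is read before anything overwrites it, i.e. the caller passed a value in it.
    Caveat: a 'push ecx' used only to reserve a stack slot would look like a read."""
    for mnem, ops in insns:
        reads, written = reads_and_writes(mnem, ops)
        if any(mentions(reg, r) for r in reads):
            return True
        if written and mentions(reg, written):
            return False
    return False

def declaration(p):
    """C-style declaration; 'void *this' is shown for __thiscall only."""
    params = (["void *this"] if p.convention == "__thiscall" else []) + ["%s %s" % (t, n) for n, t in p.args]
    return "%s %s %s(%s)" % (p.return_type, p.convention, p.name, ", ".join(params) or "void")

def infer_prototype(listing, name):
    frame, insns = parse_listing(listing)
    stack_args = sorted((off, n, sz) for n, sz, off in frame if n.startswith("arg_"))
    cleanup, floats, warns = 0, set(), []
    for mnem, ops in insns:
        if mnem in ("retn", "ret") and ops:                    # 'retn N': callee pops N bytes
            cleanup = ida_int(ops[0])
        elif mnem in ("fld", "fild") and ops and FLD_ARG_RE.search(ops[0]):
            floats.add(FLD_ARG_RE.search(ops[0]).group(1))    # loaded onto the x87 stack -> float
    ecx_in, edx_in = register_is_input(insns, "ecx"), register_is_input(insns, "edx")
    conv = "__fastcall" if ecx_in and edx_in else "__thiscall" if ecx_in else "__stdcall" if cleanup else "__cdecl"
    expected = sum(8 if sz == "qword" else 4 for _, _, sz in stack_args)   # x86-32 slots are 4-byte aligned
    if cleanup and cleanup != expected:
        warns.append("retn pops %d bytes but the frame shows %d bytes of arguments" % (cleanup, expected))
    eax_written = any(w and mentions("eax", w) for w in (reads_and_writes(m, o)[1] for m, o in insns))
    if not eax_written and any(m == "call" for m, _ in insns):
        warns.append("eax never written explicitly, but a call may still leave a result in it")
    args = [(n, ("double" if sz == "qword" else "float") if n in floats else "int") for _, n, sz in stack_args]
    return Prototype(name, conv, "int" if eax_written else "void", args, cleanup, warns)

# Constructed inputs from the fragments quoted in the thread; the address of 'mov esi, ecx' in the second is a placeholder.
MOUSE_MOVE_REL = """
.text:0057FFB0 sub_57FFB0      proc near               ; CODE XREF: .text:0049AA3Cp
.text:0057FFB0 var_18          = dword ptr -18h
.text:0057FFB0 arg_0           = dword ptr  8
.text:0057FFC6                 mov     esi, ecx
.text:00580048                 fld     [ebp+arg_0]
.text:00580096                 retn    4
.text:00580096 sub_57FFB0      endp
"""
TOGGLE_CONTROL_BIT = """
.text:00581230 arg_0           = dword ptr  8
.text:00581230 arg_4           = dword ptr  0Ch
.text:00581230 arg_8           = dword ptr  10h
.text:00581230 arg_C           = dword ptr  14h
.text:00581236                 mov     esi, ecx
.text:00581289 loc_581289:                             ; CODE XREF: CGInputCtrl__ToggleControlBit+2Aj
.text:0058128D                 retn    10h
"""
```

Running `declaration(infer_prototype(MOUSE_MOVE_REL, "CGInputCtrl_OnMouseMoveRel"))` gives `void __thiscall CGInputCtrl_OnMouseMoveRel(void *this, float arg_0)`, which is kynox's answer, and the second listing yields the four-int __thiscall prototype guessed above. The `cleanup_bytes` field is simply the `retn N` operand; it is also the number of bytes a detour has to pop if it returns without calling the trampoline, which is why the retn operand matters beyond counting arguments. Everything here is heuristic: an eax written early and then preserved would still read as "void", a callee that uses `push ecx` to reserve a stack slot would look like __thiscall, and `dword ptr` only gives the size of a slot, not its type, so the "int" guesses still need confirming against the callers.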

  7. #7 Cypher
    Originally Posted by ggg898:
    @kynox,

    I wonder if there's an easy general way to see if a function is thiscall or stdcall, since both pass arguments in registers?

    thanks
    __stdcall doesn't pass arguments in registers... Wtf are you talking about?

  8. #8 ggg898
    @Cypher, I dunno. I'm sick and am taking antibiotics; it might even make me more stupid than usual.

    What I've been wondering is how you know if it is thiscall or fastcall, since both pass stuff in ecx. It's no actual problem, just curious.
    Last edited by ggg898; 11-27-2009 at 06:15 AM.

  9. #9 Cypher
    Originally Posted by ggg898:
    @Cypher, I dunno. I'm sick and am taking antibiotics; it might even make me more stupid than usual.

    What I've been wondering is how you know if it is thiscall or fastcall, since both pass stuff in ecx. It's no actual problem, just curious.
    MSDN to the rescue!

    WHOOSH!

    __fastcall (C++)
    __thiscall (C++)

    Read those two pages. The answer should be obvious.

    EDIT:

    By the way, no, antibiotics wouldn't cause such a side effect under usual circumstances.

  10. #10 ggg898
    Originally Posted by Cypher:
    EDIT:

    By the way, no, antibiotics wouldn't cause such a side effect under usual circumstances.
    Damn, I was really hoping that was it.

  11. #11 flo8464
    This is pretty helpful; I started to learn reversing with this:

    x86 Disassembly/Calling Conventions (Wikibooks)

  12. #12 Cromon
    Oh yes, that looks interesting; that helps a lot with reversing!

    Now I'm facing a final problem:
    Detouring __thiscall. I googled a lot and found several, sometimes strange, methods to detour __thiscall functions. Sadly every one of these methods results in an ACCESS_VIOLATION. Does anybody have a hint on how to manage that __thiscall?

    Greetings
    Cromon

  13. #13 Cypher
    Detouring a __thiscall function is no different to detouring any other type of function. Just ensure that you preserve the correct registers and perform any necessary stack cleanup.

    In the case of __thiscall you need to preserve the value of ECX, and pop the appropriate amount of bytes off the stack if you return without calling the trampoline.

  14. #14 Cromon
    Okay, I will try that. I wanted to do it pretty much like this:
    hook the function
    call the original using __asm
    return without a return value (it's void)

    Should I write the hook as __declspec(naked) to prevent ECX from getting manipulated in any way during the prolog?

  15. #15 lanman92
    Yes. Though, it may not matter. I'd do it to be on the safe side since it won't hurt performance or anything.
