Hooking - suggested options besides EndScene?

[Tanaris4]

So I'm experimenting much more on injection on mac, and have had some pretty decent success, especially with actually changing much of the original mach_override to meet my needs. One piece I have been struggling with is hooking glClear (which I believe is called at the start of every frame via OpenGL). The entire function is a jmp instruction, and for some reason (after 2 hours of work) I've been unable to redirect it. So I wanted to ask - do people hook any other functions which are similar to EndScene in that they are called on a regular/consistent basis?

Ideally I'm looking for something that would be cross-compatible (i.e. a Direct3D hook won't work for me as I'm doing this on mac)

Thanks!!

[Robske]

I know people who are using BeginScene to execute their logic, any method that's being called on a regular basis (not only during ingame gameplay mind you!) and in context of the mainthread will suffice.

From the top of my head these could serve as an EndScene replacement: But you'll probably run into trouble with these if you use them in your own code
- Packet methods
- Lua Library methods
- EnumVisibleObjects
I think it's best to hook them and look at the frequency at which they are called and pick the most optimal one for your project.

I'm unsure about the Mac side of things, but there shouldn't be any distinct difference between glClear and EndScene when it comes to detouring them afaik.

[Tanaris4]

@Robske - there isn't, but the library I'm using "needs" 6+ bytes to over-write, the glClear function is only 5 bytes (I'm sure there is a way around this, but I tried for 2 hours yesterday to get around this and nothing )

Any idea which lua functions/events are called on a consistent basis?

[MaiN]

@Robske - there isn't, but the library I'm using "needs" 6+ bytes to over-write, the glClear function is only 5 bytes (I'm sure there is a way around this, but I tried for 2 hours yesterday to get around this and nothing )

Any idea which lua functions/events are called on a consistent basis?

How do the bytes in the function look right now? Also, why don't you just detour the stub it's jumping to?

[Tanaris4]

That's what I was trying to do, and couldn't get it to work :/ So I came here to ask if there was another function to hook

If you want to look, here is what I use to actually hook:

Code:

	me = mach_override_ptr(	(void*)0xFF03D7,
							(void*)&_hook_glClear,
							(void**)&_real_glClear);

The mach functions: tanaris4 private pastebin - collaborative debugging tool

The function I'm hooking:

[GliderPro]

Can't you just replace 0x00018e08 with the address of your hook and jump to 0x00018e08 at the end of your hook?

[Tanaris4]

one would think That's what I was trying, and honestly didn't want to invest another 2/3 hours figuring it out if there was a different function I could hook easily

Edit: Something I should have clarified, I thought I was replacing the jump command correctly, but wow would crash the second I replaced that jump instruction to jump somewhere else (and the corresponding jump was never made). Do i need to "freeze" wow, then replace the jump, then resume to prevent a crash? Or is this not an issue?

[wraithZX]

Are you attempting to replace the jump target with an absolute address?
The E9 opcode is relative to the instruction, so you need to be calculating a new relative offset to your hook, not inserting an absolute address.

[Tanaris4]

It's relative

[wraithZX]

....you have stepped through it in a debugger, haven't you?

[Tanaris4]

nope, I believe my only choice is GDB (for os x), and unfortunately I'm not at all familiar with it (can only stop/start WoW entirely)

Should I be using GDB to step through? (would i make a breakpoint at glClear?)

[BoogieManTM]

You can debug with IDA. download the remote debugger, attach, and then connect to the remote debugger with a windows IDA client. works muuuuuch better than trying to use GDB

[Tanaris4]

Perfect, I'll do just that - thanks!

[alextrusk]

That's what the function looks like on my side (xp sp3, opengl32.dll version 5.1.2600.5512):

Code:

.text:5ED03124 ; void __stdcall glClear(GLbitfield mask)
.text:5ED03124                 public _glClear@4
.text:5ED03124 _glClear@4      proc near               ; DATA XREF: .text:off_5EDA2CB8o
.text:5ED03124
.text:5ED03124 mask            = dword ptr  4
.text:5ED03124
.text:5ED03124                 mov     edx, large fs:18h
.text:5ED0312B                 cmp     _dwTlsIndex, 40h
.text:5ED03132                 jge     short loc_5ED03144
.text:5ED03134                 mov     eax, edx
.text:5ED03136                 add     edx, _dwTlsOffset
.text:5ED0313C                 mov     edx, [edx]
.text:5ED0313E                 jmp     dword ptr [edx+32Ch]
.text:5ED03144 ; ---------------------------------------------------------------------------
.text:5ED03144
.text:5ED03144 loc_5ED03144:                           ; CODE XREF: glClear(x)+Ej
.text:5ED03144                 push    _dwTlsIndex     ; dwTlsIndex
.text:5ED0314A                 call    ds:__imp__TlsGetValue@4 ; TlsGetValue(x)
.text:5ED03150                 xchg    eax, edx
.text:5ED03151                 jmp     dword ptr [edx+32Ch]
.text:5ED03151 _glClear@4      endp

I'm not at all versed in MacOS, but it looks like you're trying to detour some sort of import wrapper or w/e.
You should be targeting the glClear in the actual opengl32 binary instead.

[Tanaris4]

You're hooking the dll? Not the detour to the external lib w/in wow?

Interesting idea