Struggling w/reversing some assembly

[Tanaris4]

So I feel like this is very straightforward, but I'm trying to hook this function:

Code:

int _Format_string(int arg0, ...)
{
  int result; // eax@2
  va_list va; // [sp+34h] [bp+Ch]@1
  int *v3; // [sp+38h] [bp+10h]@2

  va_start(va, arg0);
  if ( *(_BYTE *)(arg0 + 4) & 0x40 )
    result = sub_4F49E6(arg0, 4u, *(const char **)va, &v3);
  return result;
}

I can hook it just fine, but I don't understand how I can actually print out the variable it is formatting. Note: in the particular instance I'm debugging, it never gets to sub_4F49E6.

Here is the assembly:


This is what I've *tried* to do:

Code:

int (*_real_Format_string)(int destination, ...);
int _hook_Format_string(int destination, ...)
{
	printf("--- _Format_string ---\n");
	
	printf(" 0x%X at 0x%X \n", destination, (unsigned int)&destination);
	
	int res = (int)(*_real_Format_string)( destination );
	printf( " Result: 0x%X 0x%X\n", res, &res);
	return res;
}

And it hooks the function just fine, but I have NO idea how to actually print out the string that is being passed to it. (Note: I actually call a breakpoint w/GDB, then view the memory location in a GUI, and it's not a string, so I'm thoroughly confused).

Here is calling the actual function:

Code:

_Format_string(v8, "Revision %d, Version %d.%d.%d.%d\n", *(_DWORD *)(v8 + 4336), 4, 26, 1, 8);

Thanks in advance, I have literally been trying to figure this out for the past 2 hours.

[Woweur]

Hi, so yeah your's code work fine, just (i think) wow redirect every printf so you can't show the output of printf. Personaly, i have the same problem and i use only a file output.

[caytchen]

Hi, so yeah your's code work fine, just (i think) wow redirect every printf so you can't show the output of printf. Personaly, i have the same problem and i use only a file output.

Quoted for epic fail.
Remember to force _cdecl, you can find the remaining arguments on the stack, i.e. you will have to directly use the ESP register and go from there. Remember to pushad/popad, in case.

[Tanaris4]

Can I do something like:

Code:

	UInt32 result = 0; // eax@2
	asm volatile("mov %%eax, %0\n" :"=r"(result));

I'm trying this, but unfortunately it's not working :/

[Cypher]

Jesus that's an ugly assembler syntax, lol. What compiler is that?*

* I know that's AT&T syntax, but some of the ugliness is the fault of the compiler too and it's weird-ass assembler directive syntax.

[Tanaris4]

i'm on a mac

Got it working :-) Thanks for the pointers guys

Code:

//_Format_string(int destination, ...)
int (*_real_Format_string)(int arg0, ...);
int _hook_Format_string(int arg0, ...)
{
	
	// DO NOT CALL FUNCTIONS BEFORE THIS!!! Big no no!
	UInt32 result = 0; // eax@2
	va_list va; // [sp+34h] [bp+Ch]@1
	int *v3; // [sp+38h] [bp+10h]@2
	
	asm volatile("mov %%eax, %0\n" :"=r"(result));
	asm volatile("mov %%ebp, %0\n" :"=r"(va));
	asm volatile("mov %%ebp, %0\n" :"=r"(v3));
	
	// result is a pointer to the string that needs to be formatted
	// va is the list of arguments
	// still no clue what v3 is hah!
	
	va += 0xC;
	v3 += 0x10;
	
	char *stringPtr = (char*)result;
	
	char *theStringToBeFormatted = nil;
	theStringToBeFormatted = va_arg(va, char *);
	char finalString[0x800];
	vsprintf(finalString, theStringToBeFormatted, va);
	
	printf("--- _Format_string ---  New hook: 0x%X\n", (unsigned int)&_hook_Format_string);
	printf("  Final string: %s", finalString);
	
	/*printf("  EAX: 0x%X\n", (unsigned int)result);
	printf("  VA: 0x%X\n", (unsigned int)va);
	printf("  V3: 0x%X\n", (unsigned int)v3);*/
	

	int res = (int)(*_real_Format_string)( arg0 );
	return res;
}

[Cypher]

I realize you're on a Mac, my question still stands however. What compiler is that? G++?

[Tanaris4]

GCC, it's just it uses AT&T syntax on intel macs, for whatever reason, Makefile:

Code:

CFLAGS=-g -m32
LDFLAGS=-bundle -framework CoreFoundation
wow: wow.c mach_override.h mach_override.c

clean:
        rm -rf wow *.dSYM