Proper method to hook a _usercall?

  1. #1
    Tanaris4

    Proper method to hook a _usercall?

    So I'm trying to hook this function:

    Code:
    void *__usercall WardenModule__Load<eax>(const void *modulePointer<eax>, unsigned int moduleSize<edx>, int a3<ecx>)
    I realize that the return value is actually stored in eax, and I can't simply just hook the function as above, i.e. I may need to save all the registers, then restore them before finishing my hook function. Is there a guide posted somewhere on this?

    Or should I literally just hook the function with NO arguments, and then read values from the registers via assembly to save, do some work, then restore to the previous value? And if so, are there certain registers I have to store?

    Thanks in advance!

    Edit: Found this thread: http://www.mmowned.com/forums/world-...ow-code-c.html

    So I'm assuming I just need to do:
    Code:
        push 0xDEADBABE     // Placeholder for the return address
        pushfd              // Save the flags and registers
        pushad
        // -- Something useful goes here :)
        popad               // Restore the registers and flags
        popfd
        ret                 // Return control to the hijacked thread
    Last edited by Tanaris4; 06-23-2010 at 09:50 AM.

  2. #2
    MaiN
    Hex-Rays is wrong about those function signatures 99% of the time. I suggest you check how it looks in ASM. You will see the proper calling convention, and it's almost certainly a normal thiscall, stdcall or cdecl. I haven't seen any function in the new WoW that has another calling convention than one of those 3. Only place I have seen that is in the actual Warden module, and that's because of its polymorphism.

    To answer your actual question, I suggest you declare the hook as naked and use inline ASM to clean whatever you need to clean and call the original function. You will almost never need to do this, except when you are going cross-compiler - for instance, if you are injecting a GCC-compiled DLL into WoW, then some of the calling conventions will differ - for instance, thiscall in GCC pushes the 'this' pointer onto the stack, while thiscall in MSVC holds 'this' in the ECX register.
    Last edited by MaiN; 06-23-2010 at 10:18 AM.