[Question] Assembly injection menu

  1. #1 Millow (Member, joined Mar 2007)

    [Question] Assembly injection

    I'm using an EndScene hook in order to inject some asm code and use DoString. I'm just annoyed that I don't really understand what is going on, so I read a bit. I've learned a lot, although I'm still a noob. But I have a few questions.

    This is the asm code provided in one of the examples for DoString:
    Code:
    
    "mov eax, " + DoStringArg_Codecave, //Put the CodeCave pointer in the EAX register
    "push 0", //Push 0 in the stack 
    "push eax", //Push the code cave pointer 
    "push eax", //Push the code cave pointer again
    "mov eax, " + FrameScript__Execute, // move the FS_execute pointer to eax
    "call eax", //we call the function located at the pointer address, DoString in our case
    "add esp, 0xC", //clean the space that arguments used on the stack
    "retn", //we return to the parent
    Looking at the FS Execute function in IDA, I can see that it takes three arguments. However, I don't know how to find out what type the arguments should be. From looking at DoString, I guess it looks this way: DoString(codecave pointer, codecave pointer, bool?).

    That's all right, but if I want to call a function that is not DoString or GetLocalizedText, how would I go about finding what arguments I should put on the stack for my function call to work properly?

    As an example, GetQuestTitle takes one argument; how do I trace the type of the arguments and what they should be in order to be able to call it?

    One last question if I may,
    Code:
    "call " + (uint)ClntObjMgrGetActivePlayerObj,
    "mov ecx, eax", //EAX contains the return value from the previous call
    "push -1",
     
    "mov edx, " + Lua_GetLocalizedText_Space + "",
    "push edx",
     
    "call " + (uint)FrameScript__GetLocalizedText,
    "retn",
    Why do we call ClntObjMgrGetActivePlayerObj? We put the return value in EAX, then in ECX, but if we look at the function itself:

    Code:
    FrameScript__GetLocalizedText proc near
    arg_0= dword ptr  8
    arg_4= dword ptr  0Ch
    push    ebp
    mov     ebp, esp
    push    ebx
    push    esi
    mov     esi, ecx
    mov     eax, [esi+8]
    mov     ebx, [eax+4]
    push    edi
    mov     edi, [eax]
    call    ClntObjMgrGetActivePlayer
    It never uses the value in ECX; it just erases it in the next block after the conditional jump, "mov ecx, [esi+0F8h]".

    What am I missing? Thx for any tips, sorry if this has been asked before, but I haven't found anything about it in the numerous DoString threads. I want to understand how this works before going further in my learning.
    "What can be asserted without proof can be dismissed without proof." --- Christopher Hitchens

  2. #2 SKU (Contributor, joined May 2007)
    Originally Posted by Millow:
    I'm using an EndScene hook in order to inject some asm code and use DoString. I'm just annoyed that I don't really understand what is going on, so I read a bit. I've learned a lot, although I'm still a noob. But I have a few questions.

    This is the asm code provided in one of the examples for DoString:
    Code:
    
    "mov eax, " + DoStringArg_Codecave, //Put the CodeCave pointer in the EAX register
    "push 0", //Push 0 in the stack 
    "push eax", //Push the code cave pointer 
    "push eax", //Push the code cave pointer again
    "mov eax, " + FrameScript__Execute, // move the FS_execute pointer to eax
    "call eax", //we call the function located at the pointer address, DoString in our case
    "add esp, 0xC", //clean the space that arguments used on the stack
    "retn", //we return to the parent
    Looking at the FS Execute function in IDA, I can see that it takes three arguments. However, I don't know how to find out what type the arguments should be. From looking at DoString, I guess it looks this way: DoString(codecave pointer, codecave pointer, bool?).

    That's all right, but if I want to call a function that is not DoString or GetLocalizedText, how would I go about finding what arguments I should put on the stack for my function call to work properly?
    * See where the arguments come from and how they're being treated before getting pushed onto the stack / passed via register
    * See how the function treats the arguments. For example:

    push ebp
    mov ebp, esp
    mov eax, [ebp+8] ; Grab first argument
    ; From now on, look how it's being used
    mov edx, [eax+4] ; Aha, first argument is a pointer to a structure/array/..

    * Place a breakpoint at the function call, then examine the stack values. If you suspect it's a valid memory address, check out what it actually points to.
    * Find out what kind of calling convention you're dealing with. Who cleans up the stack? Arguments passed via registers? Once you know the proper prototype you could hook it and log the arguments over a few calls and compare.
    * If you find out that the function actually receives a pointer to a structure, find other functions that also receive that structure. Often, one function alone won't tell you everything about the structure it's manipulating. Think about it:

    You get such a structure:

    struct Foo {
    // BIG ASS STRUCTURE, LOTS OF COOL STUFF HAPPENIN'
    // ..
    int m_Width;
    int m_Height;
    // ..
    // Lots of member functions
    // ..
    int GetWidth() const throw() { return m_Width; }
    int GetHeight() const throw() { return m_Height; }
    // ..
    };

    And say you have the (rather unlikely) function:

    int __stdcall GetFooWidth(const Foo* pFoo) {
    return pFoo->GetWidth();
    }

    Assuming the GetWidth method got inlined, you might (not) see something like this:

    GetFooWidth:
    push ebp
    mov ebp, esp
    mov eax, [ebp+8]
    mov eax, [eax+0xA0] ; Let's say m_Width is at +0xA0
    leave
    retn 4

    This function obviously doesn't tell the whole story of the structure - but it's a start.

    Originally Posted by Millow:

    As an example, GetQuestTitle takes one argument; how do I trace the type of the arguments and what they should be in order to be able to call it?

    One last question if I may,
    Code:
    "call " + (uint)ClntObjMgrGetActivePlayerObj,
    "mov ecx, eax", //EAX contains the return value from the previous call
    "push -1",
     
    "mov edx, " + Lua_GetLocalizedText_Space + "",
    "push edx",
     
    "call " + (uint)FrameScript__GetLocalizedText,
    "retn",
    Why do we call ClntObjMgrGetActivePlayerObj? We put the return value in EAX, then in ECX, but if we look at the function itself:

    Code:
    FrameScript__GetLocalizedText proc near
    arg_0= dword ptr  8
    arg_4= dword ptr  0Ch
    push    ebp
    mov     ebp, esp
    push    ebx
    push    esi
    mov     esi, ecx
    mov     eax, [esi+8]
    mov     ebx, [eax+4]
    push    edi
    mov     edi, [eax]
    call    ClntObjMgrGetActivePlayer
    It never uses the value in ECX; it just erases it in the next block after the conditional jump, "mov ecx, [esi+0F8h]".

    What am I missing? Thx for any tips, sorry if this has been asked before, but I haven't found anything about it in the numerous DoString threads. I want to understand how this works before going further in my learning.
    Huh? It does use ecx.

    mov esi, ecx
    mov eax, [esi+8]


    All of this and much more is explained in Reversing: Secrets of Reverse Engineering by Eldad Eilam (Amazon listing, ISBN 978076457481).

  3. #3 Millow (Member, joined Mar 2007)
    Thanx SKU for your reply, very informative! Facepalm for my second question, I missed the ecx. I will order the book; I've seen it mentioned a lot of times but tried to avoid it. But if I want to really understand asm well, it looks like a must. I still have a long way to go, but I will get there.

    One last thing: when the function returns, you wrote "retn 4". I looked it up and it essentially frees up the space on the stack that was used for the callee arguments, right? Is it the same as "add esp, 0x8"?

    Cheers!

  4. #4 SKU (Contributor, joined May 2007)
    The idea is the same (although you'd just add 0x4 to the stack pointer in this case): Pretend nothing happened. It's just a matter of who has to clean up the stack (and how arguments are passed, ...). In this case, (__stdcall, go look up the 'standard' calling conventions), the callee (the function) cleans up after it. With a __cdecl function, it might (not) look like this:

    int __cdecl GetFooWidth(const Foo* pFoo) {
    return pFoo->GetWidth();
    }

    push 0xdeadbeef ; Assume our structure instance is at 0xdeadbeef
    call GetFooWidth
    add esp, 0x4 ; Clean up

    Note: There's a good chance I've made mistakes here, but you should get the general idea: Read books, write dummy code and look at it in a disassembler.
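To make the two points of this thread concrete (why the first argument sits at [ebp+8] after the standard prologue, and why a callee's "retn 4" and a caller's "add esp, 4" leave the stack pointer in the same place), here is an added example that is not part of the original thread and not SKU's code: a tiny Python model of an x86 stack that steps through SKU's GetFooWidth routine in both its __stdcall and __cdecl forms. The structure address, the return address, the initial ESP and the width value are constructed sample values; the only thing taken from the thread is the layout (m_Width at +0xA0). It also shows the failure mode of getting the convention wrong: cleaning the argument on both sides leaves ESP off by 4, which is the kind of mistake that is hard to spot once code is injected.

```python
"""Model of an x86 stack frame illustrating argument access and stack cleanup.

Added example, not from the original thread. Constructed sample values:
a fake Foo instance at FOO_ADDR with m_Width at +0xA0 (layout from SKU's
example), a fake caller return address and a fake initial ESP.
"""

FOO_ADDR = 0x00400000
MEMORY = {FOO_ADDR + 0xA0: 1920}      # m_Width field of the fake Foo instance
CALLER_RETURN_ADDRESS = 0x00401234    # what CALL would push
INITIAL_ESP = 0x0019FF00


class Cpu:
    """Just enough state to follow ESP/EBP/EAX through a call."""

    def __init__(self):
        self.esp = INITIAL_ESP
        self.ebp = 0
        self.eax = 0
        self.stack = {}               # dword-addressed stack memory
        self.arg0_offset_from_ebp = None

    def push(self, value):
        self.esp -= 4
        self.stack[self.esp] = value

    def pop(self):
        value = self.stack[self.esp]
        self.esp += 4
        return value

    def call(self, func):
        self.push(CALLER_RETURN_ADDRESS)   # CALL pushes the return address ...
        func(self)                         # ... then jumps to the callee

    def ret(self, n=0):
        self.pop()                         # RET pops the return address
        self.esp += n                      # RETN n then discards n bytes of args


def get_foo_width_body(cpu):
    """push ebp / mov ebp, esp / mov eax, [ebp+8] / mov eax, [eax+0xA0] / leave"""
    cpu.push(cpu.ebp)                      # push ebp
    cpu.ebp = cpu.esp                      # mov ebp, esp
    # Frame now: [ebp] = saved ebp, [ebp+4] = return address, [ebp+8] = arg_0.
    arg0_addr = cpu.ebp + 8
    cpu.arg0_offset_from_ebp = arg0_addr - cpu.ebp
    cpu.eax = cpu.stack[arg0_addr]         # mov eax, [ebp+8]   (the Foo pointer)
    cpu.eax = MEMORY[cpu.eax + 0xA0]       # mov eax, [eax+0xA0] (inlined GetWidth)
    cpu.esp = cpu.ebp                      # leave: mov esp, ebp
    cpu.ebp = cpu.pop()                    #        pop ebp


def get_foo_width_stdcall(cpu):
    get_foo_width_body(cpu)
    cpu.ret(4)                             # retn 4: callee removes the one dword arg


def get_foo_width_cdecl(cpu):
    get_foo_width_body(cpu)
    cpu.ret()                              # retn: caller is responsible for the arg


def run_stdcall():
    """push FOO_ADDR / call GetFooWidth (stdcall). Returns (eax, esp)."""
    cpu = Cpu()
    cpu.push(FOO_ADDR)
    cpu.call(get_foo_width_stdcall)
    return cpu.eax, cpu.esp


def run_cdecl():
    """push FOO_ADDR / call GetFooWidth (cdecl) / add esp, 4. Returns (eax, esp)."""
    cpu = Cpu()
    cpu.push(FOO_ADDR)
    cpu.call(get_foo_width_cdecl)
    cpu.esp += 4                           # add esp, 0x4 ; clean up
    return cpu.eax, cpu.esp


def first_argument_offset_from_ebp():
    """Distance from EBP to arg_0 after the standard prologue (should be 8)."""
    cpu = Cpu()
    cpu.push(FOO_ADDR)
    cpu.call(get_foo_width_stdcall)
    return cpu.arg0_offset_from_ebp


def stack_imbalance_if_both_clean():
    """Mismatch: calling a stdcall callee but also doing the cdecl 'add esp, 4'."""
    cpu = Cpu()
    cpu.push(FOO_ADDR)
    cpu.call(get_foo_width_stdcall)
    cpu.esp += 4                           # wrong for stdcall
    return cpu.esp - INITIAL_ESP           # 4 bytes of drift per call


if __name__ == "__main__":
    print("stdcall:", run_stdcall(), "cdecl:", run_cdecl())
    print("arg_0 at [ebp+%d]" % first_argument_offset_from_ebp())
    print("drift when both sides clean:", stack_imbalance_if_both_clean())
```

Both conventions read the same width (1920) and end with ESP back at its starting value, which is why "retn 4" and a following "add esp, 4" are interchangeable only as long as exactly one of the two sides performs the cleanup. The drift of 4 bytes per call in the mismatched case is worth remembering when a hand-written injected stub works once and then crashes later.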
