madCodeHook && small distance jmp like 0xEB / 0x74

uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

your code doesn't support distance jumps with
EB / 74 etc. in the first 5 bytes, or why does this fail?:

Code:

function SomeFunc(i: integer): integer;
asm
  push eax
  jmp @ende
  nop
  nop
  @ende:
  pop eax
  mov eax, i
end;
and this one does not:

Code:

function SomeFunc(i: integer): integer;
asm
  push eax
  nop
  nop
  pop eax
  mov eax, i
end;
I wanted to look at how you solve the problem, for my new hook function.

also this fails:

Code:

function SomeFunc(i: integer): integer;
asm
  push eax
  @weiter:
  nop
  nop
  mov eax, i
  cmp eax, 1
  add eax, 1
  je @weiter
  pop eax
end;

and this not:

Code:

function SomeFunc(i: integer): integer;
asm
  push eax
  @weiter:
  nop
  nop
  mov eax, i
  cmp eax, 1
  add eax, 1
  //je @weiter
  pop eax
end;
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

uall, that was exactly what we were talking about!
By the way... Why does ICQ keep removing you from my contact list?? I am not able to add you... ICQ does not allow it... ouch
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Re: madCodeHook && small distance jmp like 0xEB / 0x

Post by madshi »

uall wrote: your code doesn't support distance jumps with EB / 74 etc. in the first 5 bytes
It does!
uall wrote: or why does this fail?:
The disassembler in both cases correctly says that hooking that API would be dangerous. Why is that?

Code:

function SomeFunc(i: integer): integer;
asm
  push eax
  jmp @ende
  nop
  nop
  @ende:
  pop eax
  mov eax, i
end;
The disassembler doesn't know what purpose those 2 "nop" bytes in the midst of the code have. They will never be executed, so the disassembler doesn't see them as part of the code. Those 2 bytes might contain important data! Writing a JMP into the beginning of the function would destroy that data, so madCodeHook refuses to install the hook.

Code:

function SomeFunc(i: integer): integer;
asm
  push eax
  @weiter:
  nop
  nop
  mov eax, i
  cmp eax, 1
  add eax, 1
  je @weiter
  pop eax
end;
That's easy. Let's say we put a JMP instruction into the beginning of this function. Later in the code "je @weiter" jumps back into the midst of the first 5 bytes of the function code. That would crash! So that's why madCodeHook refuses to hook this one.
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

E.g. check out this one:

Code:

function SomeFunc(i: integer): integer;
asm
  push esi
  jmp @ende
  @testData:
  dw $1234
  @ende:
  mov esi, offset @testData
  add ax, word ptr [esi]
  pop esi
end;

begin
  MessageBox(0, pchar(IntToHex(SomeFunc(1), 1)), 'info', 0);
end.
Writing a JMP into the beginning of SomeFunc would be *BAD*.

Isn't my disassembler clever?

:crazy:
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

Code:

function SomeFunc(i: integer): integer; 
asm 
  push eax 
  @weiter: 
  nop 
  nop 
  mov eax, i 
  cmp eax, 1 
  add eax, 1 
  je @weiter 
  pop eax 
end;
why not copy the data until POP EAX? that shouldn't be a problem

Code:

function SomeFunc(i: integer): integer;
asm
  push esi
  jmp @ende
  @testData:
  dw $1234
  @ende:
  mov esi, offset @testData
  add ax, word ptr [esi]
  pop esi
end;

begin
  MessageBox(0, pchar(IntToHex(SomeFunc(1), 1)), 'info', 0);
end.
same here:
why not copy the whole data (function) if you know that the bytes are used? changing
mov esi, addr
could be done with the relocation table

also you can give the user an option to TRY to hook this because

Code:

function SomeFunc(i: integer): integer; 
asm 
  push eax 
  jmp @ende 
  nop 
  nop 
  @ende: 
  pop eax 
  mov eax, i 
end;
with the distance jump JMP @ende adjusted, this should work fine
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

your last example is bad - it's something like a check routine:

Code:

function SomeFunc(i: integer) : integer;
asm
  @aha:
  push edx
  mov eax, i
  mov edx, offset @aha
  xor eax, [edx]
  pop edx
end;
is hooked successfully - looking into the relocation table would show you that the data has a check routine
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

uall wrote: why not copy the data until POP EAX? that shouldn't be a problem
Wouldn't help. Look: Those 2 data bytes might be referenced by other functions, too! madCodeHook doesn't know what purpose those 2 bytes have, so it simply cannot overwrite them without risking stability.
uall wrote: also you can give the user an option to TRY to hook this because [...]
Is there a practical situation where you need to hook a function with such a strange code? Or are you just thinking "some day someone might need to hook such a function"?
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

uall wrote: your last example is bad - it's something like a check routine: is hooked successfully - looking into the relocation table would show you that the data has a check routine
Well, there you have an example of a function which madCodeHook hooks, although it might be better to *not* hook it. If you ask me, I should teach madCodeHook how to detect that, too, and refuse hooking of that function, too.
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

1.) "some day someone might need to hook such a function" <- right :>
2.) I mean you can add a function ForceHookCode(...)
3.) "Those 2 data bytes might be referenced by other functions, too!"
every function can be used by another function - so in this way your hook code must refuse (right word? :P) EVERY hook, because another function may read the data from the first 5 bytes oO
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

uall wrote: every function can be used by another function - so in this way your hook code must refuse EVERY hook
Well, that'd be a bit too strict... :) madCodeHook refuses to install a hook only if it seems probable that stability would be impacted.

In win9x there are some system dlls which have very strange code. It's not unusual to see code like this in there:

Code:

public blablaA
push $0
jmp @blabla

public blablaW
push $1

@blabla:
call ...
[...]
ret
If in this situation madCodeHook would hook the API "blablaA", that would destroy the API "blablaW". You see? When disassembling "blablaA" the "mov eax, $21" are just dummy bytes like those 2 NOPs in your strange code. If I'd ignore such dummy bytes and simply install the hook, madCodeHook would not be stable in win9x, anymore.

---------------

OK, so let's get down to brass tacks!

Tell me one (only one) real world API which madCodeHook *incorrectly* refuses to hook!
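The refusal rules madshi describes in this thread (unreachable bytes inside the first 5 bytes, as in uall's jmp-over-nops example and the win9x blablaA/blablaW shared-tail layout; and later branches that land back inside the patched region, as in the `je @weiter` example) can be expressed as a small static check. The following is an added example written for this page, not madCodeHook's code and not from anyone in the thread: a minimal x86-32 length decoder for just the opcodes the examples need, and the two checks run over byte strings that were constructed to mirror the shapes discussed (they are not dumped from any real binary). The 5-byte patch size is the thread's assumption about an inline JMP hook.

```python
"""Static pre-flight check for a 5-byte inline hook (added example).

Rules, as described in the thread:
  1. every byte the hook's JMP overwrites must be straight-line reachable code
     (otherwise it may be data, or another API's entry point);
  2. no branch anywhere in the function may land inside the overwritten
     region, except at its very first byte.
The byte strings below are constructed for illustration only.
"""

PATCH_LEN = 5  # an inline hook writes a JMP rel32 over the first 5 bytes


def decode(code, off):
    """Length-decode the instruction at `off`.

    Returns (length, branch_target) where branch_target is an offset or None.
    Only the opcodes needed for the examples are known; anything else raises,
    so the caller never silently guesses an instruction boundary."""
    op = code[off]
    if 0x50 <= op <= 0x5F or op in (0x90, 0xC3):        # push r32 / pop r32 / nop / ret
        return 1, None
    if op == 0x6A:                                      # push imm8
        return 2, None
    if 0xB8 <= op <= 0xBF:                              # mov r32, imm32
        return 5, None
    if op == 0x83 and (code[off + 1] & 0xC0) == 0xC0:   # add/cmp/... r32, imm8 (register form)
        return 3, None
    if op == 0xEB or 0x70 <= op <= 0x7F:                # jmp rel8 / jcc rel8
        rel = code[off + 1]
        if rel >= 0x80:
            rel -= 0x100                                # sign-extend the displacement
        return 2, off + 2 + rel
    raise ValueError(f"unsupported opcode 0x{op:02X} at offset {off}")


def walk(code):
    """Follow control flow from offset 0; return (covered_bytes, branch_targets)."""
    seen, work, targets, covered = set(), [0], [], set()
    while work:
        off = work.pop()
        if off in seen or not 0 <= off < len(code):
            continue
        seen.add(off)
        length, target = decode(code, off)
        covered.update(range(off, off + length))
        if target is not None:
            targets.append(target)
            work.append(target)
        if code[off] not in (0xEB, 0xC3):   # everything but jmp/ret falls through
            work.append(off + length)
    return covered, targets


def hook_problems(code, patch_len=PATCH_LEN):
    """Return the reasons a hook on `code` should be refused ([] means safe)."""
    covered, targets = walk(code)
    problems = []
    dead = sorted(set(range(patch_len)) - covered)
    if dead:
        problems.append(f"bytes {dead} in the patch region are never executed "
                        "(possible data or a second entry point)")
    inside = sorted({t for t in targets if 0 < t < patch_len})
    if inside:
        problems.append(f"branch target(s) {inside} land inside the patch region")
    return problems


# Constructed samples mirroring the thread's shapes:
# push eax / jmp +2 / nop nop / pop eax / mov eax,1 / ret   (jump over unexecuted bytes)
JMP_OVER_DATA = bytes.fromhex("50 EB 02 90 90 58 B8 01 00 00 00 C3")
# push eax / @w: nop nop / mov eax,1 / cmp eax,1 / add eax,1 / je @w / pop eax / ret
BACKWARD_JE = bytes.fromhex("50 90 90 B8 01 00 00 00 83 F8 01 83 C0 01 74 F1 58 C3")
# blablaA: push 0 / jmp @tail ; blablaW: push 1 ; @tail: mov eax,1 / ret
SHARED_TAIL = bytes.fromhex("6A 00 EB 02 6A 01 B8 01 00 00 00 C3")
# push eax / nop nop / pop eax / mov eax,1 / ret             (plain straight-line prologue)
SAFE = bytes.fromhex("50 90 90 58 B8 01 00 00 00 C3")

if __name__ == "__main__":
    cases = [("jmp over dead bytes", JMP_OVER_DATA),
             ("backward je into prologue", BACKWARD_JE),
             ("shared tail, hooked at blablaA", SHARED_TAIL),
             ("shared tail, hooked at blablaW", SHARED_TAIL[4:]),
             ("plain prologue", SAFE)]
    for name, code in cases:
        print(f"{name}: " + "; ".join(hook_problems(code) or ["safe to hook"]))
```

Hooking the blablaW entry directly (offset 4 of the shared-tail sample) passes both checks, while hooking blablaA fails rule 1 because the byte at offset 4 is blablaW's first instruction rather than code reachable from blablaA. The decoder deliberately raises on anything it does not know: for a hook engine, refusing on an unrecognised opcode is the conservative choice madshi argues for.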