I want to hook a function from an x86 executable. This is the function's prototype, decompiled with the Hex-Rays plugin for IDA:

int __userpurge sub_43CE70<eax>(int a1<eax>, int a2, char a3, int a4, int a5, int a6)

So the function accepts eax as the first parameter and returns in the same register.

I tried the following function as a wrapper:

int the_wrapper(int a2, unsigned a3, int a4, int a5, int a6)
{
    int a1;
    _asm
    {
        mov [a1], eax
    };
    char bString[50];
    sprintf(bString,"a1: %u, a2: %u, a3: %d, a4: %d, a5: %d, a6: %d",a1,a2,a3,a4,a5,a6);
    logs(bString);
    int rtn;
    _asm{
        push a6
        push a5
        push a4
        push a3
        push a2
        mov eax, [a1]
        call the_function
        mov [rtn], eax
    };
    return rtn;
}

For some reason it's not working and crashes every time the function gets called.

1 Answer

You need to declare your wrapper with the same calling convention as the function you are trying to wrap.

Depending on the convention (the most common being cdecl and stdcall but it also depends on the compiler of the wrapped code) it is either the caller or the callee that cleans the stack. If you do not use the correct convention you are prone to stack corruption and crash.

Seki
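
No compiler keyword produces the convention in the question (a1 in eax, a2..a6 on the stack and removed by the callee, which is what Hex-Rays' __userpurge denotes), so one way to match it is a bare assembly stub that does its own stack cleanup. The MASM stub below is an added example, not code from the question or the answer. log_call (a cdecl logger) and orig_sub_43CE70 (a pointer to the original code) are hypothetical names, and it assumes the original's callers do not rely on ecx or edx surviving the call.

```asm
; Added example, MASM syntax, 32-bit x86.
; log_call and orig_sub_43CE70 are hypothetical names, not from the original post.
.686
.model flat, c

EXTERN log_call:PROC           ; assumed: void __cdecl log_call(int a1, int a2, int a3, int a4, int a5, int a6)
EXTERN orig_sub_43CE70:DWORD   ; assumed: pointer to the original code (for example the hook's trampoline)

.code
hook_sub_43CE70 PROC
    push ebp
    mov  ebp, esp
    push eax                   ; [ebp-4] = a1, saved before any call can clobber eax

    ; Log all six arguments through a plain cdecl helper.
    push dword ptr [ebp+18h]   ; a6
    push dword ptr [ebp+14h]   ; a5
    push dword ptr [ebp+10h]   ; a4
    push dword ptr [ebp+0Ch]   ; a3 (a char, but it occupies a full stack slot)
    push dword ptr [ebp+08h]   ; a2
    push dword ptr [ebp-4]     ; a1
    call log_call
    add  esp, 18h              ; cdecl: the caller removes the 6 arguments

    ; Rebuild the frame the original expects: five stack arguments, a1 in eax.
    push dword ptr [ebp+18h]   ; a6
    push dword ptr [ebp+14h]   ; a5
    push dword ptr [ebp+10h]   ; a4
    push dword ptr [ebp+0Ch]   ; a3
    push dword ptr [ebp+08h]   ; a2
    mov  eax, [ebp-4]          ; a1 back into eax
    call dword ptr [orig_sub_43CE70]   ; callee pops its own 14h bytes of arguments

    mov  esp, ebp              ; drop the saved a1; eax still holds the return value
    pop  ebp
    ret  14h                   ; remove a2..a6 for our caller, as the original would
hook_sub_43CE70 ENDP
END
```

A wrapper compiled as plain cdecl ends in a bare ret instead of ret 14h, which leaves the caller's stack pointer 20 bytes off after every call.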