
Hi, so I was just trying to learn reverse engineering, and when I open my program in IDA Pro I find this address, `sub_11330` (rebased to 0): https://gyazo.com/1c34d2c31f29583f05d0dd4d956d6f74. However, when I try to hook this function, the address `GetModuleHandle(NULL) + 0x11330` doesn't work, so I just tried to print the base address of the function with `std::cout << (DWORD)callme - (DWORD)GetModuleHandle(NULL)`, and when I try this address (0x1128a) it works. Why can't I find it with IDA? Sorry if I wasn't clear; if you can't understand what I'm trying to explain, I'll rewrite my post.

This is how I'm hooking it:

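```cpp
#include <windows.h>
#include <iostream>

// Detour() and func are defined elsewhere in the DLL (not shown in the post).
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        std::cout << "injected" << std::endl;
        // Module base of the host EXE plus the offset printed from &callme.
        Detour((PBYTE)GetModuleHandle(NULL) + 0x1128a, (PBYTE)&func);
    }

    return TRUE;
}
```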

My detour function just changes the first 5 bytes of the function, and this one works. I'm compiling with VS2015 in debug mode, and my program is a console application written in C++.

  • The address of the function will change every time you build the program, but unless you rebuild the IDA database (the .IDB file), IDA will still be using the version of the executable that existed the first time you used IDA on it. This is true even though that version of the executable no longer exists. – Ross Ridge Jan 09 '16 at 18:13
  • Also (unrelated but not less important) note you're just casting to `PBYTE` the EXE address. It should be `(PBYTE)(GetModuleHandle(NULL) + 0x1128a)`. – cdonts Jan 09 '16 at 18:15
  • And what would be a way to find an address that I could use to hook this function? It worked when I was reversing the same program, but it was compiled with Code::Blocks instead of VS 2015. –  Jan 09 '16 at 18:15
  • @bouclier I never used IDA, but based on Ross' comment you should delete the .IDB file so your executable is disassembled again. – cdonts Jan 09 '16 at 18:19
  • Well, I didn't have to do that when I was using Code::Blocks as the IDE, so I believe that there's another way to do it, but thanks for the tip, I'll try it. –  Jan 09 '16 at 18:24
  • @bouclier, you can create debug information using VS and import it into IDA. This would not only do the trick for you but would also give you far more detailed information about everything. – Carlos Cortez Jan 11 '16 at 12:46
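
Ross Ridge's comment is about a database made from an earlier build. The Python sketch below is an added example, not code from the post or from IDA: it checks whether the file that was analysed is still the file on disk and converts a disassembler address to a runtime one. The function names, the sample header bytes, the timestamps and the 0x400000 module base are constructed for illustration.

```python
import hashlib
import struct

def pe_build_identity(image: bytes) -> dict:
    """Extract fields that differ between two builds of the same program."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER starts after the signature: Machine, NumberOfSections, TimeDateStamp
    _machine, _nsect, timestamp = struct.unpack_from("<HHI", image, e_lfanew + 4)
    opt = e_lfanew + 24                       # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:                        # PE32: 4-byte ImageBase at +28
        (image_base,) = struct.unpack_from("<I", image, opt + 28)
    elif magic == 0x20B:                      # PE32+: 8-byte ImageBase at +24
        (image_base,) = struct.unpack_from("<Q", image, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    return {"timestamp": timestamp, "image_base": image_base,
            "sha256": hashlib.sha256(image).hexdigest()}

def same_build(analysed: bytes, current: bytes) -> bool:
    """True only if the analysed file and the current file are byte-identical."""
    return pe_build_identity(analysed)["sha256"] == pe_build_identity(current)["sha256"]

def ida_to_runtime(ida_addr: int, ida_base: int, module_base: int) -> int:
    """Convert an address shown in the disassembler to one in the loaded module."""
    return module_base + (ida_addr - ida_base)

def make_sample(timestamp: int) -> bytes:
    """Constructed 32-bit PE header stub (not a real executable) for the demo."""
    buf = bytearray(0x140)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)            # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHI", buf, 0x84, 0x14C, 1, timestamp)
    struct.pack_into("<H", buf, 0x98, 0x10B)           # PE32 magic
    struct.pack_into("<I", buf, 0x98 + 28, 0x400000)   # ImageBase
    return bytes(buf)

if __name__ == "__main__":
    old, new = make_sample(0x568F0000), make_sample(0x568F1000)  # two "builds"
    print("database still matches build:", same_build(old, new))
    print("runtime address:", hex(ida_to_runtime(0x11330, 0, 0x400000)))
```

In practice the first argument to `same_build` would be a copy of the executable saved when the database was created, and the second the freshly built file.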
