C++ to assembly

  1. #1
    Lolrapa (Senior Member, Join Date: Mar 2014, Posts: 125)

    C++ to assembly

    Hello! Today I bring you a doubt about C++, asm and the stack,
    since I couldn't find the answer on Google.

    Let's assume I have a function in c++
    Code:
    void foo(){
        //do something
    }
    This function will be compiled into an asm function like this:

    0 //some code
    1 //some code
    2 //some code
    3 //some code
    4 //some code
    5 //some code
    6 ret

    My question is: does the C++ compiler give me a guarantee that the STACK at 0 will be exactly the same as the stack at 6?
    (I will not use any asm instructions, so discard human errors like pushing something without popping it later.)

    If I'm not wrong, the ret instruction returns to the first element of the stack and then pops it, right?
    So the stack should be the same at 0 and 6?

    This is to hook a function, but Tibia freezes, so I think I'm not setting the values back to the registers properly.
    So I'm thinking of doing something like this:

    1) find some free bytes in the program memory
    2) make a function like this:
    Code:
    push ebp
    push esp
    push edi
    push esi
    
    call foo
    
    pop esi
    pop edi
    pop esp
    pop ebp
    
    push ebp
    mov esp, ebp
    push -1
    ret
    Note: the last 3 instructions before the ret are the ones I replaced with the call to this function in the original function.

    3)
    replace this code in the original function with a call to my asm function
    Code:
    push ebp
    mov esp, ebp
    push -1

    What do you think about this method?
    Is there any error/misconception I'm making?

    Thanks for your feedback!

  2. #2
    It depends on the calling convention. If you see something like this

    RETN 0x10

    It means execution will be returned to the value on the top of the stack, and 0x40 bytes (0x10 * 0x04) will be cleared off of it (0x10 would represent the number of parameters, and each parameter is 4 bytes). This will typically be an __stdcall.

    If you see simply this

    RETN

    It means the stack is probably being cleared by the caller instead. So, basically, this is what happens:

    1. The top of the stack is POPed and that address is returned to
    2. The code at the return address clears the stack, typically with something like ADD ESP, 0x40

    This will typically be a __cdecl.

    Keep in mind, though, that Tibia also uses __fastcall (like a __stdcall, but ECX and EDX can hold the first 2 arguments) and member functions are called with __thiscall (like __stdcall, except ECX holds *this for the class instance).


    https://msdn.microsoft.com/en-us/lib...v=vs.100).aspx

  3. #3
    Lolrapa (Senior Member, Join Date: Mar 2014, Posts: 125)
    Hee!! Thank you darkstar, I decided to use __stdcall so I don't have to worry about the stack, and it works when I set the addresses manually, but I have a problem now.

    When I get a pointer to my function (the one in C++) and I write a call to that address in my asm function, it writes the bytes correctly, but when I look at the asm code with Cheat Engine it interprets the address incorrectly.

    I write {0xE8, 0xF9, 0x11, 0xF1, 0x05} and Cheat Engine shows me call 0E474086

    This must be some kind of offset. I've been researching memory structure but I can't fix it.

    Oh, maybe I'm doing all this for nothing, but if I manage to make this work, if I read OUTGOINGPACKETDATALEN and OUTGOINPACKETDATABUFFER when my function is called, will I get the packet structure?

    Thank you!


    edit: ooh! nvm, it keeps crashing, it crashes at the first push eax
    edit2: never mind the neverminding, the call works when I set the addresses manually, but I'm still having this problem with the addresses...
    Last edited by Lolrapa; 05-30-2015 at 03:29 AM.

  4. #4
    The addresses are relative, not absolute. The value you put should be relative to the return address. So, something like FunctionAddress - (HookAddress + 5)
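
Added example, not part of the original thread: C code for the rel32 arithmetic from post #4, which encodes and decodes a 5-byte `CALL` and reproduces the `call 0E474086` disassembly from post #3. The call-site address `0x08562E88` is an assumption inferred from the two values in that post, and the function names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* x86 near CALL: opcode E8 followed by a little-endian signed 32-bit
   displacement, measured from the address of the NEXT instruction. */
#define CALL_LEN 5u

/* Encode "call target" for an instruction located at site. 32-bit
   address arithmetic wraps modulo 2^32, exactly as the CPU does. */
static void encode_call_rel32(uint32_t site, uint32_t target, uint8_t out[5])
{
    uint32_t rel = target - (site + CALL_LEN);
    out[0] = 0xE8;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Decode the destination of a 5-byte CALL rel32 located at site.
   Returns 0 and sets *target on success, -1 if the opcode is not E8. */
static int decode_call_rel32(uint32_t site, const uint8_t in[5], uint32_t *target)
{
    if (in[0] != 0xE8)
        return -1;
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++)
        rel |= (uint32_t)in[1 + i] << (8 * i);
    *target = site + CALL_LEN + rel;
    return 0;
}

int main(void)
{
    /* Bytes from post #3: the absolute address 0x05F111F9 used as operand. */
    const uint8_t posted[5] = {0xE8, 0xF9, 0x11, 0xF1, 0x05};
    /* Assumed call-site address, inferred from the disassembly in post #3:
       0x0E474086 - 0x05F111F9 - 5. */
    const uint32_t site = 0x08562E88u;
    uint32_t shown = 0;
    uint8_t fixed[5];

    decode_call_rel32(site, posted, &shown);
    printf("posted bytes decode to call %08X\n", (unsigned)shown);

    encode_call_rel32(site, 0x05F111F9u, fixed);
    printf("bytes for call 05F111F9: %02X %02X %02X %02X %02X\n",
           fixed[0], fixed[1], fixed[2], fixed[3], fixed[4]);
    return 0;
}
```

The same decode step is how a disassembler or an integrity check resolves where an `E8` patch actually transfers control, which is why the raw operand bytes never match the displayed destination.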
