我在 IDA 中看到这个函数的类型如下，我试图对它进行 detour（挂钩）：
int CTeamInfo__GetNumConnectedClients()
所以我把以下代码放进了一个 C++ DLL 中：
原始函数：
// Resolves the exported method by its decorated name and stores it in a plain
// function pointer. NOTE(review): the IDA listing further down shows the target
// as `__thiscall CTeamInfo::GetNumConnectedClients(int this)` -- a member
// function that receives `this` in ECX -- whereas this pointer type is
// `__stdcall` with no parameters. Calling through it never loads ECX, so the
// callee reads a garbage `this` at `*(_DWORD *)(this + 140)` and faults. The
// decorated name `QBEHXZ` decodes to a public const __thiscall method returning
// int (check with undname). Neither GetModuleHandle nor GetProcAddress is
// checked for NULL here, so a missing module or export is only noticed on the
// first call.
int(__stdcall * CTeamInfo__GetNumConnectedClients)() = (int(__stdcall*)(void))::GetProcAddress(GetModuleHandle(TEXT("game.dll")), "?GetNumConnectedClients@CTeamInfo@@QBEHXZ");
我的函数：
// Replacement routine installed in place of CTeamInfo::GetNumConnectedClients
// once the Detours transaction below commits. It logs a line and then calls
// through the saved pointer, which Detours has by then redirected to the
// trampoline for the original code.
// NOTE(review): the hooked routine is `__thiscall` (it expects `this` in ECX,
// see the IDA pseudocode), but this wrapper is a plain function with no
// parameters: it neither receives `this` from the game's caller nor passes it
// on, so the original code dereferences whatever ECX happens to hold and the
// process crashes. Invoking myCTeamInfo__GetNumConnectedClients() directly from
// your own code has the same problem -- no CTeamInfo instance is involved at
// all. A detour must match the target's calling convention and parameter list
// and forward the `this` value it receives.
int myCTeamInfo__GetNumConnectedClients()
{
std::cout << "Called My Function" << std::endl; // std::endl flushes on every call
return CTeamInfo__GetNumConnectedClients();
}
以及我的 detour 代码：
// Detours transaction: install the hook and redirect the saved pointer.
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
// The target pointer is passed by reference; on success Detours rewrites it so
// that later calls through CTeamInfo__GetNumConnectedClients reach the
// trampoline (original code). NOTE(review): the detour function has to use the
// same calling convention and parameters as the target (__thiscall with `this`
// in ECX, per the IDA output); myCTeamInfo__GetNumConnectedClients does not.
DetourAttach(&(PVOID&)CTeamInfo__GetNumConnectedClients, myCTeamInfo__GetNumConnectedClients);
// The status codes returned by DetourAttach and DetourTransactionCommit are
// discarded, so a failed attach or commit would go unnoticed.
DetourTransactionCommit();
然后我尝试调用 myCTeamInfo__GetNumConnectedClients()；它在控制台中打印了“Called My Function”，但目标进程似乎随即崩溃了。
以下是IDA的伪代码:
// IDA decompilation of the original method. `this` arrives in ECX (__thiscall);
// the decompiler renders it as an explicit first parameter. The function walks
// the 32-bit elements in [this+140, this+144), looks each one up in a global
// tree structure, and counts the hits whose object has neither flag bit of
// 0x81 set at offset 592. With a bogus `this` the very first dereference
// (`this + 140`) faults.
int __thiscall CTeamInfo::GetNumConnectedClients(int this)
{
int v1; // edi@1 -- cursor over the array at this+140
int result; // eax@1
int v3; // ebx@2 -- header/sentinel node of the global tree
int v4; // ebp@2 -- node read from header+4 (root)
int v5; // esi@3 -- key taken from the current array element
int v6; // ecx@3 -- tree walk cursor
int v7; // edx@3 -- last node whose key was >= v5
int *v8; // ecx@10
int v9; // ecx@12 -- matching node, or the header when absent
int v10; // ecx@13 -- node+16, dereferenced below, so a pointer
int v11; // [sp+4h] [bp-10h]@1 -- running count
int v12; // [sp+8h] [bp-Ch]@8
int v13; // [sp+Ch] [bp-8h]@11
int v14; // [sp+10h] [bp-4h]@1 -- end of the array (this+144)
v1 = *(_DWORD *)(this + 140);
result = 0;
v11 = 0;
v14 = *(_DWORD *)(this + 144);
if ( v1 != v14 ) // empty range -> returns 0
{
// NOTE(review): the node layout used below (left at +0, right at +8, key at
// +12, value at +16, "is nil" byte at +21, root at header+4) looks like an
// inlined MSVC std::map lower_bound; treat that as a guess until confirmed.
v3 = *(_DWORD *)(LODWORD(IGame::s_pGame) + 236);
v4 = *(_DWORD *)(v3 + 4);
do
{
v5 = *(_DWORD *)v1;
v6 = v4;
v7 = v3;
// Descend until a nil node: go left (remembering the node) when key >= v5,
// otherwise go right.
while ( !*(_BYTE *)(v6 + 21) )
{
if ( *(_DWORD *)(v6 + 12) >= v5 )
{
v7 = v6;
v6 = *(_DWORD *)v6;
}
else
{
v6 = *(_DWORD *)(v6 + 8);
}
}
v12 = v7;
// No node with key == v5 (walk ended at the header, or the candidate's key is
// larger): select the header so the check below treats it as "not found".
if ( v7 == v3 || v5 < *(_DWORD *)(v7 + 12) )
{
v13 = v3;
v8 = &v13;
}
else
{
v8 = &v12;
}
v9 = *v8;
if ( v9 != v3 ) // key present
{
v10 = *(_DWORD *)(v9 + 16);
if ( v10 )
{
// Count the entry unless either flag bit of 0x81 is set in the WORD at +592.
if ( !(*(_WORD *)(v10 + 592) & 0x81) )
++v11;
}
}
v1 += 4; // next 32-bit element
}
while ( v1 != v14 );
result = v11;
}
return result;
}
任何帮助表示赞赏!