Mithra
madCodeHook question for Madshi

Please bear with me as I explain what I want to do in layman's terms :

I'm coding in C++.

I'd like to learn how to hook into another application so that when a specific function is called, my function is called instead.

Basically I want to be able to do some pre-processing on the data  being passed as parameters before passing them on to the original function that was to receive them.

I don't currently know how to 'hook into' another application, nor do I know how to initially determine the name of the function I want to hook.

Is there any simple example anywhere of how this can be done?

Thx,
Mithra
DanRollins

Who is Madshi? and is this question directed just to him?

The function that you want to hook: is it in a DLL? If so, you can write your own version of that DLL and pass all calls directly on to the original, but do the preprocessing in the hooked one. There is also a way to patch just a single function jump in the in-process copy of a DLL (I've seen this done with Kernel.dll and User.Dll, but it can easily lead to system corruption).

Or refer to the virus-maker's cookbook, because hijacking a function call is one of the first things taught in Trojan Programming 101.

Please explain specifically what you want to accomplish, because there might be other -- safer and saner -- techniques to accomplish your goal.

-- Dan
Mithra

ASKER

Madshi is the developer who wrote the madCodeHookLib available on http://www.madshi.net . His website advises that I ask questions in this forum and he will answer them as he has time.

As I understand it, it allows you to, as you say, hijack a function call and call your own instead. I'm not trying to learn to write a trojan, no. I have a 3rd party tool in mind that I'd like to write for a video game I play, and it would be helpful if I could hook into the client executable somehow. I've seen this done with this particular library for a game called Anarchy Online. I'd like to write a similar app for Ultima Online. The application itself is an exe.

This is an area I have no practice in, since it's more akin to hacking than programming, and there is woefully little professional documentation on it that I can find. My area of proficiency is Windows programming and GUIs.

Ah, thanks. There is a safer and saner way to do what you want: rather than trying to win at Ultima Online by cheating, just practice until you are very good at playing it. You'll have accomplished something worthwhile and you'll feel better about yourself.
-- Dan
Mithra

ASKER

Well, cheating is not the objective, but rather to write a useful utility that enhances the product. Take a look at UOAssist over at http://www.tugsoft.com . That's an approved utility that hooks into the client exe AND which the game company doesn't regard as a cheat. There are lots of apps like this for many games; I don't think it's a shameful pursuit so long as it contributes to the player community. Anyway, I feel like I'm back in the Commodore 64 days where no one wants to share their Elite knowledge with the Lamers.
Mithra

ASKER

Not to appear hostile or anything, please understand my position: this forum appears to be very professional and worth my fees if in fact I can get bona fide answers to my programming questions. That disincludes an ethical judgement regarding the utility of a hypothetical app I'd like to write. I'm not trying to write something malicious anyway - I'm trying to learn a coding technique I consider very arcane, one that I currently see in use by several recognized and legitimate 3rd party utilities available on the market.

If anyone can answer my questions it would be greatly appreciated.

Thanks,
- Bob
The thing is... if you have to ask, it is too hard to explain.

There is no API or anything one can look up in MSDN. You use a low-level debugger to break into the program, and then, since there is no source code available, you single-step trace until you get to something recognizable, like a system call or the message pump, or a particular output... you get a toehold into the program.

Then you try to locate the exact function that you want to steal. There really isn't any way to say it any other way: you use the skills you have developed after many years of examining program code at a machine language level and, like a skillful detective working from a few scanty clues, you track down the entry point to the function. Then you patch the function so that it calls your custom routine and then resumes in the patched code. You'll need to locate a seldom-used part of the code segment for a place to put your patch code (which will be written in machine opcodes -- it will probably access a DLL that you must write so you can minimize the footprint of the incursion). Then you have to locate the program code that does a CRC of the EXE and you must patch that so that it doesn't report that the program has been patched. Of course this code is highly disguised and heavily protected (it may actually be downloaded from the server with each connection, so you will need to patch the routine that does the download of the CRC calculation code).

Having made your patch, you now need to access program variables and so forth; otherwise, what's the point? Alas, none of the variables have labels like "currentX" or "damageAmount". All of the variables are just binary values at some random locations in the data segment. So you use your low-level debugger to trap on changes to ranges of memory and you write special code to log timestamps and addresses and values. Then you execute the program and exercise one part of it, and then you analyse the custom log to see if a particular area of memory changed in a particular way.

The bottom line is... with Quake and UT and most online gaming programs, there are documented ways to go about writing your own customizations (Mods). These are totally documented and you don't need to do any such thing as patching a program. So, if what you want to do is something that the game designers and producers thought was a good thing, there will be very clear documentation on how to do it. If what you want to do is something else, then there won't be any documentation on how to do it and there won't be anything like a simple way to do it.

>> I feel like I'm back in the Commodore 64 days where no one wants to share their Elite knowledge with the Lamers.

There is no secret handshake. What kind of answer would actually answer your question? Did you think I could say "just write a DLL named PatchOMatic and you are done"?

-- Dan
Hi Mithra,
Do you have any additional questions?  Do any comments need clarification?

-- Dan
Mithra

ASKER

What I needed to know was how to find the symbolic function name within an exe.  Since you attempted to answer the question I'll close it.  My friend has figured out how to do this, so I'll just work with him.  Thanks.
Mithra

ASKER

Interesting, I'm trying to 'Accept Comment As Answer' and I'm getting an 'Apache Tomcat/4.0.2 - HTTP Status 500 - Internal Server Error'.
ASKER CERTIFIED SOLUTION
DanRollins

Hi Mithra,
I just located Madshi... he seems to spend his time in the Windows Programming TA:

   https://www.experts-exchange.com/Programming/Programming_Platforms/Win%20Prog./

You might get a response from him by posting there.  But don't forget to finalize this question.  Thanks!

-- Dan
Hello all, the Support tools have been down since this question was asked; they have now been repaired, and I have accepted this question for DanRollins.

Regards,

ComTech
Community Support
Administrator @ EE
Mithra,

Just a suggestion more than anything: I recently created a small app to use with UOAssist, and in my quest during its creation I found that Tugsoft has a page specifically with developers in mind (information on app creation and UOAssist in general). It is a page that is generally not known; I don't remember the URI, but I got it by writing to Tug and asking him for the address... you can contact him at...

uoassist@tugsoft.com

hope this helps!