Solved Can't seem to use Detours 1.5 correctly


Cryslacks

Dank Tier Donator
Nobleman
Dec 10, 2013
132
1,198
8
Hello Guidedhacking members!

I have tried to use Detours 1.5 to learn how to detour functions.
But I can't seem to get the right address for the function, or it's something else that bugs out for me.
I don't have the source code for HookMe.exe, because my exes get encrypted; it's Krampus' exe.
GAFO666 has tried to help me, but we had no better results.


Code:

C++:
#include <windows.h>
#include "detours.h" // the detours 1.5 lib/h
#include <iostream>

#define ADDRESS 0x111509 // what address i have found

DWORD m_Address = reinterpret_cast <DWORD> (GetModuleHandleA("HookMe.exe")); // module address
DWORD f_Address = m_Address + ADDRESS; // Finish address

double(__cdecl* originalFunction)(double); // func proto

double hookedFunction(double a) // this is the function that should be called when the actual func is called.
{
	std::cout << "original function: argument = " << a << std::endl;   
	a = 69.69; // the new return val of the func
	return originalFunction(a);                                        
}


BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved) // Main, I have tested so it does actually inject my file.
{
	switch (dwReason)
	{
	case DLL_PROCESS_ATTACH:
		originalFunction = (double(__cdecl*)(double))DetourFunction((PBYTE)f_Address, (PBYTE)hookedFunction); // so this is the wrong part, what I think. Can't seem to find the wrong thing about it though.
		break;
	}
	return TRUE;
}

Pictures:

Picture of what it looks like at the func in Olly.

Thanks in advance and I hope someone will find a solution!
 

Cryslacks

Cryslacks, the whole function https://prntscr.com/6s0gl2

The offset from the HookMe.exe module looks like it's 0x4C0.
https://prntscr.com/6s0hgz
When putting the hook at PUSH EBP (0x1114C0) it kind of works, but not flawlessly.
Can't grab the first value. It will just become a randomized negative value.


C++:
#include <windows.h>
#include "detours.h"
#include <iostream>
#define p_Address 0x1114C0

double(__cdecl* originalFunction)(double);

double hookedFunction(double a)
{
	std::cout << "Start Value: " << a << std::endl;
	a = 69.69;
	return originalFunction(a);
}

// Thread entry point with the signature CreateThread expects.
DWORD WINAPI hookThread(LPVOID)
{
	originalFunction = (double(__cdecl*)(double))DetourFunction((PBYTE)(p_Address), (PBYTE)hookedFunction);
	return 0;
}

BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
{
	if (dwReason == DLL_PROCESS_ATTACH)
		CreateThread(0, 0, hookThread, 0, 0, 0);

	return TRUE;
}

Thanks to you guys for helping me even though I'm a total retard. ;)
Thanks: Krampus, till0sch97 and GAFO666 for helping me!

NOTE: This only works for the one I have. lol :'(
 

till0sch

Respected Hacker
Dank Tier VIP
Dank Tier Donator
Oct 14, 2012
1,104
12,593
51
Add some console outputs to see whether you hook at the right place and your addresses are correct...


Also what I just noticed is that you get the base of HookMe.exe, then add 0x111509. But in your screenshot the address you want to hook at is 111509? :confused:
 

Solaire

Respected Hacker
Dank Tier VIP
Dec 15, 2013
1,051
16,353
62
You don't use the address of the instruction, you use the offset from the module base.
 

Cryslacks

Now it seems to work, but now it doesn't print out when it's called; instead it just prints out rapidly after the first call.

I only changed the address to the module address, p_Address instead of p_Address + the module address.
C++:
#include <windows.h>
#include "detours.h" // the detours 1.5 lib/h
#include <iostream>

#define p_Address 0x111509 // what address i have found

//DWORD m_Address = reinterpret_cast <DWORD> (GetModuleHandleA("HookMe.exe")); // module address
//DWORD f_Address = m_Address + ADDRESS; // Finish address

double(__cdecl* originalFunction)(double); // func proto

double hookedFunction(double a) // this is the function that should be called when the actual func is called.
{
	std::cout << "original function: argument = " << a << std::endl;   
	a = 69.69; // the new return val of the func
	return originalFunction(a);                                        
}


BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved) // Main, I have tested so it does actually inject my file.
{
	originalFunction = (double(__cdecl*)(double))DetourFunction((PBYTE)p_Address, (PBYTE)hookedFunction); // so this is the wrong part, what I think. Can't seem to find the wrong thing about it though.
	return TRUE;
}

But if I just change the address and still have the:
C++:
switch (dwReason)
	{
		case DLL_PROCESS_ATTACH:
			originalFunction = (double(__cdecl*)(double))DetourFunction((PBYTE)p_Address, (PBYTE)hookedFunction);
		break;
	}
return TRUE;

It crashes when calling the func!

Thanks for the previous help, I hope someone will have a good answer to this as well.
(Not for the spamming, because I know it loops the dll if it doesn't have the switch.)
 

Solaire

Try setting p_Address to 0x111560. That should make it hook at the start of the function. I don't know 100% how MS Detours works, so the constant non-stop calling of the function could be due to recursion from hooking the call instead of the start. No clue though, as I've never tried hooking on a call before. Try looking at the assembly after the hook is applied to see what is actually going on.

As for why it crashes when you have the switch, no clue. Hopefully someone with more knowledge can answer your question.
 

Cryslacks

Setting p_Address to 0x111560 instantly crashes it. (Exactly the same way the previous address did: crash when switch() is used and non-stop print when not using it!)

How it looks at the func when detoured. My file name is TestDetour.dll, that's why it says TestDeto.
 

Solaire

Wait, is the screenshot on your first post inside of the HookMe function? If so, hook the start of it since you're taking parameters. Not sure how well taking parameters with a mid-funct hook works.
 

Cryslacks

You made it so it would say "FUNCTION IS HERE", and from there detour it.
I don't actually know where the function starts, but when setting a breakpoint @ 111501 it breaks when pressing F1.

The detour jumps to TestDetour.dll + 0x57D8847. I don't think that's anything of value, but I just want to let you know.

When using Switch() once again it prints out:
"Original func...... arg = 7.16319*10^263 (aka 7.16319e+263)

Don't think this post makes the thread question go any further, but this is all the info I got right now.
 

Solaire

I put the "FUNCTION IS HERE" inside of the function so it would be easier to find :p. Scroll up and examine the code. Try to find a spot where it looks like it's popping off a value, or where there are INT3s. Visual Studio puts INT3s between functs afaik. You can try to mid-funct hook before the output and change the register that's holding the number to something else.

I think you may need a bit more time to learn these topics, they can be a bit hard if you don't have the necessary reversing and ASM knowledge to tackle them.
 

GAFO666

Hacker
Meme Tier VIP
Aug 19, 2012
520
3,188
23
also tried

C++:
typedef double(__cdecl* tFunction)(double);
tFunction oFunction;

double hkFunction(double a)
{
 a = 999;
 return oFunction(a);
}

----
oFunction = (tFunction)DetourFunction((PBYTE)Adress, (PBYTE)hkFunction);
with HookMe.exe + 0x111509 hmmm // 0x111560

Thought it would work like e.g. a DX hook, but it doesn't work somehow Oo
 

Solaire

Not sure what .exe you're using unless it's the old HookMe I wrote, or Cryslacks gave you the one I wrote for him :p. In any case, it wouldn't be HookMe.exe + 0x111509. That isn't the start of the function, and 0x111509 was the modulebase + offset (Which could possibly change upon restarting due to the module base changing). Afaik you can't mid-funct hook a function and use parameters (Unless you know what you're doing, I'd guess it would be to grab things off the stack?).
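
The two points made in the replies above (work with the offset from the module base, and hook at the function start found via INT3 padding and PUSH EBP rather than on the call), as an added example that is not code from the thread: it turns a debugger address into an RVA, walks back to the nearest prologue, and rebases the result. The bases 0x110000 and 0xA30000, the image bytes and all function names are constructed assumptions; only the addresses 0x111509 and 0x1114C0 come from the thread.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

const uint32_t kNotFound = 0xFFFFFFFFu;

// RVA = address seen in the debugger minus the module base in that same session.
uint32_t toRva(uint32_t seenAddr, uint32_t seenBase, uint32_t imageSize) {
    if (seenAddr < seenBase || seenAddr - seenBase >= imageSize) return kNotFound;
    return seenAddr - seenBase;
}

// Heuristic only: walk back from rva to the nearest "push ebp; mov ebp, esp"
// (55 8B EC) that directly follows INT3 padding (CC) or starts the image.
uint32_t findFunctionStart(const std::vector<uint8_t>& image, uint32_t rva) {
    if (image.size() < 3) return kNotFound;
    size_t i = rva;
    if (i > image.size() - 3) i = image.size() - 3;
    for (;; --i) {
        bool prologue = image[i] == 0x55 && image[i + 1] == 0x8B && image[i + 2] == 0xEC;
        if (prologue && (i == 0 || image[i - 1] == 0xCC)) return static_cast<uint32_t>(i);
        if (i == 0) return kNotFound;
    }
}

// Absolute address of the function start for the base the module has in this run.
uint32_t rebasedFunctionStart(const std::vector<uint8_t>& image, uint32_t seenAddr,
                              uint32_t seenBase, uint32_t currentBase) {
    uint32_t rva = toRva(seenAddr, seenBase, static_cast<uint32_t>(image.size()));
    if (rva == kNotFound) return kNotFound;
    uint32_t start = findFunctionStart(image, rva);
    return start == kNotFound ? kNotFound : currentBase + start;
}

// Constructed image: INT3 padding, one function at RVA 0x14C0, and a CALL at
// RVA 0x1509 in the middle of it (offsets chosen to mirror the thread's addresses).
std::vector<uint8_t> sampleImage() {
    std::vector<uint8_t> img(0x1600, 0xCC);
    img[0x14C0] = 0x55; img[0x14C1] = 0x8B; img[0x14C2] = 0xEC;   // push ebp; mov ebp, esp
    for (size_t k = 0x14C3; k < 0x1509; ++k) img[k] = 0x90;       // nop filler
    img[0x1509] = 0xE8;                                           // call rel32
    for (size_t k = 0x150A; k < 0x150E; ++k) img[k] = 0x00;
    img[0x150E] = 0x5D; img[0x150F] = 0xC3;                       // pop ebp; ret
    return img;
}

int main() {
    std::vector<uint8_t> img = sampleImage();
    // Seen in the debugger at base 0x110000 (assumed); module now loaded at 0xA30000.
    return rebasedFunctionStart(img, 0x111509, 0x110000, 0x00A30000) == 0x00A314C0 ? 0 : 1;
}
```

The backward byte scan can match bytes inside an instruction operand, so a result from it should be confirmed in the disassembler before it is used as a hook target.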
 

till0sch

my codenz:

C++:
#include <Windows.h>
#include <iostream>
#include <string> // std::string is used for the marker below

double hookThisFunction(double a)
{
        std::cout << a << std::endl;
        std::string Marker = "THE FUNCTION IS HERE";
        return a;
}
 
int main()
{
        while (1)
        {
                if (GetAsyncKeyState(VK_NUMPAD1) & 1)
                        hookThisFunction(3.14);
        }
 
        return 0;
}

C++:
#include <Windows.h>
#include <iostream>
#include "detours.h"

double(__cdecl* originalFunction)(double);

double hookedFunction(double a)
{
	std::cout << "original: " << a << std::endl;
	return originalFunction(a);
}

// Thread entry point with the signature CreateThread expects.
DWORD WINAPI Main(LPVOID)
{
	DWORD base = (DWORD) GetModuleHandle(0); // base of the main executable in this run
	originalFunction = (double(__cdecl*)(double)) DetourFunction((PBYTE)(base+0x1000),(PBYTE) hookedFunction);
	return 0;
}

BOOL WINAPI DllMain ( HMODULE hModule, DWORD dwReason, LPVOID lpvReserved )
{
	if (dwReason==DLL_PROCESS_ATTACH)
	{
		CreateThread(0,0,Main,0,0,0);
	}
	return TRUE;
}


Console output:
original: 3.14
3.14


Notice that this isn't hooking the middle of the function which calls the other function but the beginning of the other function. For me it's not static but at +0x1000



Also would you mind uploading the Exe Cryslacks
 

Cryslacks

This is the original download link from @Krampus
https://virusscan.jotti.org/en/scanresult/297d128c800e791ad235532435d8bebdf7630b08
https://www.virustotal.com/en/file/...57c5d67bf5e7f88422e6b442/analysis/1428674663/
 
