Question Problem with ByteFunction

Hexui Undetected CSGO Cheats Sinkicheat PUBG Cheat

GAFO666

Hacker
Meme Tier VIP
Aug 19, 2012
520
3,188
23
Yo Guys,
got a little problem with a byte function.
just tried to figure out howto use the byte sig of an function as the function itself

C++:
int Func(int a, int b, int c)
{
	return a + b + c;
}
C++:
char byteFunc[] = {
	0xE9, 0x70, 0xA1, 0x00, 0x00, 0xE9, 0x87, 0xC1, 0x00, 0x00,
	0xE9, 0xD6, 0xC1, 0x00, 0x00, 0xE9, 0xFD, 0xEC, 0x00, 0x00,
	0xE9, 0xDC, 0xBF, 0x00, 0x00, 0xE9, 0xE1, 0xE1, 0x00, 0x00,
	0xE9, 0xB6, 0xC1, 0x00, 0x00, 0xE9, 0x5D, 0x9E, 0x00, 0x00,
	0xE9, 0x56, 0xED, 0x00, 0x00, 0xE9, 0xC3, 0x54, 0x00, 0x00,
	0xE9, 0xFC, 0xE3, 0x00, 0x00, 0xE9, 0xE7, 0xC4, 0x00, 0x00,
	0xE9, 0x04, 0xBF, 0x00, 0x00, 0xE9, 0x9F, 0x38, 0x00, 0x00,
	0xE9, 0x0A, 0x5F, 0x00, 0x00, 0xE9, 0x65, 0xC1, 0x00, 0x00,
	0xE9, 0xDE, 0xC1, 0x00, 0x00, 0xE9, 0x9B, 0x8D, 0x00, 0x00,
	0xE9, 0xAC, 0xEC, 0x00, 0x00, 0xE9, 0x81, 0x52, 0x00, 0x00,
	0xE9, 0x14, 0xC5, 0x00, 0x00, 0xE9, 0xE7, 0xD8, 0x00, 0x00,
	0xE9, 0x96, 0xC1, 0x00, 0x00, 0xE9, 0x5B, 0xC1, 0x00, 0x00,
	0xE9, 0x98, 0x93, 0x00, 0x00, 0xE9, 0x33, 0xC2, 0x00, 0x00,
	0xE9, 0x70, 0xC1, 0x00, 0x00, 0xE9, 0x29, 0x95, 0x00, 0x00,
	0xE9, 0x94, 0xB9, 0x00, 0x00, 0xE9, 0x1F, 0xA1, 0x00, 0x00,
	0xE9, 0x2A, 0x9E, 0x00, 0x00, 0xE9, 0xC5, 0xD5, 0x00, 0x00,
	0xE9, 0x00, 0x48, 0x00, 0x00, 0xE9, 0xBB, 0xD9, 0x00, 0x00,
	0xE9, 0xF6, 0x3C, 0x00, 0x00, 0xE9, 0x81, 0x32, 0x00, 0x00,
	0xE9, 0x5C, 0xC7, 0x00, 0x00, 0xE9, 0xB7, 0xC7, 0x00, 0x00,
	0xE9, 0xB2, 0xDE, 0x00, 0x00, 0xE9, 0xA5, 0xBE, 0x00, 0x00,
	0xE9, 0x88, 0x28, 0x00, 0x00, 0xE9, 0x85, 0xC1, 0x00, 0x00,
	0xE9, 0x7E, 0x5E, 0x00, 0x00, 0xE9, 0xB9, 0x83, 0x00, 0x00,
	0xE9, 0xC2, 0xE2, 0x00, 0x00, 0xE9, 0xEF, 0xC6, 0x00, 0x00,
	0xE9, 0x7A, 0x24, 0x00, 0x00, 0xE9, 0xA5, 0x70, 0x00, 0x00,
	0xE9, 0x60, 0x3A, 0x00, 0x00, 0xE9, 0x7B, 0x82, 0x00, 0x00,
	0xE9, 0x96, 0x7E, 0x00, 0x00, 0xE9, 0x01, 0xD1, 0x00, 0x00,
	0xE9, 0xEC, 0x32, 0x00, 0x00, 0xE9, 0x67, 0x8F, 0x00, 0x00,
	0xE9, 0xB2, 0x29, 0x00, 0x00, 0xE9, 0x9B, 0xC4, 0x00, 0x00,
	0xE9, 0x62, 0xC0, 0x00, 0x00, 0xE9, 0xF9, 0xC0, 0x00, 0x00,
	0xE9, 0x00, 0xC1, 0x00, 0x00, 0xE9, 0x21, 0xEC, 0x00, 0x00,
	0xE9, 0x74, 0x44, 0x00, 0x00, 0xE9, 0xC9, 0xEB, 0x00, 0x00,
	0xE9, 0xCA, 0x3A, 0x00, 0x00, 0xE9, 0x65, 0x30, 0x00, 0x00,
	0xE9, 0x90, 0x95, 0x00, 0x00, 0xE9, 0xCB, 0x2F, 0x00, 0x00,
	0xE9, 0x36, 0x4C, 0x00, 0x00, 0xE9, 0x61, 0x73, 0x00, 0x00,
	0xE9, 0xFA, 0xC3, 0x00, 0x00, 0xE9, 0x77, 0x80, 0x00, 0x00,
	0xE9, 0xD2, 0x8D, 0x00, 0x00, 0xE9, 0x1D, 0xE0, 0x00, 0x00,
	0xE9, 0x68, 0x82, 0x00, 0x00, 0xE9, 0x33, 0x6F, 0x00, 0x00,
	0xE9, 0x1E, 0x8A, 0x00, 0x00, 0xE9, 0x19, 0x2A, 0x00, 0x00,
	0xE9, 0x74, 0x74, 0x00, 0x00, 0xE9, 0x3F, 0x55, 0x00, 0x00,
	0xE9, 0xBA, 0x25, 0x00, 0x00, 0xE9, 0x85, 0x81, 0x00, 0x00,
	0xE9, 0xD2, 0xBD, 0x00, 0x00, 0xE9, 0xDB, 0x91, 0x00, 0x00,
	0xE9, 0x56, 0x52, 0x00, 0x00, 0xE9, 0xB1, 0x46, 0x00, 0x00,
	0xE9, 0xFC, 0x5E, 0x00, 0x00, 0xE9, 0x07, 0x87, 0x00, 0x00,
	0xE9, 0x52, 0xAD, 0x00, 0x00, 0xE9, 0x3D, 0x90, 0x00, 0x00,
	0xE9, 0xB6, 0xBF, 0x00, 0x00, 0xE9, 0x05, 0xC6, 0x00, 0x00,
	0xE9, 0x62, 0xC3, 0x00, 0x00, 0xE9, 0x99, 0xAE, 0x00, 0x00,
	0xE9, 0x14, 0x63, 0x00, 0x00, 0xE9, 0x9F, 0x38, 0x00, 0x00,
	0xE9, 0x36, 0xC3, 0x00, 0x00, 0xE9, 0x45, 0x2E, 0x00, 0x00,
	0xE9, 0xB6, 0xEB, 0x00, 0x00, 0xE9, 0x6B, 0xDA, 0x00, 0x00,
	0xE9, 0x58, 0xC3, 0x00, 0x00, 0xE9, 0x91, 0xBF, 0x00, 0x00,
	0xE9, 0x9C, 0xC1, 0x00, 0x00, 0xE9, 0x57, 0x68, 0x00, 0x00,
	0xE9, 0x32, 0x5E, 0x00, 0x00, 0xE9, 0x07, 0xC0, 0x00, 0x00,
	0xE9, 0x8C, 0xC0, 0x00, 0x00, 0xE9, 0x13, 0xC8, 0x00, 0x00,
	0xE9, 0x4A, 0xBD, 0x00, 0x00, 0xE9, 0xA9, 0x79, 0x00, 0x00,
	0xE9, 0x44, 0x3C, 0x00, 0x00, 0xE9, 0x2F, 0x1F, 0x00, 0x00,
	0xE9, 0x9A, 0x52, 0x00, 0x00, 0xE9, 0x65, 0xEB, 0x00, 0x00,
	0xE9, 0x4C, 0xC0, 0x00, 0x00, 0xE9, 0x7B, 0x73, 0x00, 0x00,
	0xE9, 0x36, 0x9B, 0x00, 0x00, 0xE9, 0xB1, 0x82, 0x00, 0x00,
	0xE9, 0x7C, 0x42, 0x00, 0x00, 0xE9, 0x57, 0x75, 0x00, 0x00,
	0xE9, 0x92, 0xAA, 0x00, 0x00, 0xE9, 0x5D, 0x9E, 0x00, 0x00,
	0xE9, 0x38, 0x4E, 0x00, 0x00, 0xE9, 0xF3, 0x82, 0x00, 0x00,
	0xE9, 0xFE, 0x17, 0x00, 0x00, 0xE9, 0xB9, 0xD9, 0x00, 0x00,
	0xE9, 0x44, 0xE1, 0x00, 0x00, 0xE9, 0x2F, 0xAF, 0x00, 0x00,
	0xE9, 0xE8, 0xBF, 0x00, 0x00, 0xE9, 0x85, 0x4F, 0x00, 0x00,
	0xE9, 0xB0, 0x6C, 0x00, 0x00, 0xE9, 0xEB, 0x54, 0x00, 0x00,
	0xE9, 0x76, 0x24, 0x00, 0x00, 0xE9, 0xB1, 0x71, 0x00, 0x00,
	0xE9, 0xD6, 0xBF, 0x00, 0x00, 0xE9, 0xE5, 0xC2, 0x00, 0x00,
	0xE9, 0xB2, 0xB5, 0x00, 0x00, 0xE9, 0x0D, 0xCB, 0x00, 0x00,
	0xE9};

and now the tricky part, cuz i tried following to call the byte array as a function itself without using the function "Func"

C++:
int main()
{
        int ret = 0;
        void* buf = foo_alloc(byteFunc, sizeof(byteFunc));
	int(*test)(int, int, int) = static_cast<int(*)(int, int, int)>(buf);	
	ret = test(1,2,3);
 return 0;
}
and foo_alloc is a tiny function which I tried to build for using that byte array :Q___

C++:
void *foo_alloc(void *dump, int dumpsz) {
	int     pagesz;
	void    *ret;

	pagesz = (dumpsz + 4095) & (~4095); // useful for pages? 

#ifdef WIN32
	ret = VirtualAlloc(
		NULL,
		pagesz,
		MEM_COMMIT | MEM_RESERVE,
		PAGE_EXECUTE_READWRITE);    // write for memcpy
#else
	ret = malloc(pagesz);
	mprotect(
		ret,
		pagesz,
		PROT_EXEC | PROT_WRITE);    // write for memcpy
#endif
	memcpy(ret, dump, dumpsz);
	return(ret);
}
aaaand well yeh ... it crashes directly at the call of " ret = test(1,2,3); " , any ideas ? :q__


and just in case that someone comes to the clever result to tell me to debug it .... FUCK YOU, I DID xD
Only thing I could maybe imagine is the access to the allocated space but well, the permissions are set Oo
or maybe I miss the entry point of the function or do not allocate enougt or miss something else :yo:

,greez



ps:
bytes are grabbed with the bytesgrabber func of Krampus I think
here its as a reminder, just in case that it misses some end-bytes or so <_<

C++:
int grabBytes(DWORD funct, std::list<BYTE>& lst)
{
	for (int i = 0;; i++)
	{
		//If we come across an INT instruction, return the number of bytes found
		if ((*(BYTE*)(funct + i)) == 0xCC)
		{
			return i;
		}

		//Push the byte into our list
		lst.push_back(*(BYTE*)(funct + i));
	}
}
 

Solaire

Respected Hacker
Dank Tier VIP
Dec 15, 2013
1,051
16,353
62
Did you turn off incremental linking? If not, that's your issue. You read a giant jmp table.
 

GAFO666

Hacker
Meme Tier VIP
Aug 19, 2012
520
3,188
23
C++:
char byteFunc[] = {
0x55,0x8B,0xEC,0x81,0xEC,0xC0,0x00,0x00,0x00,0x53,
0x56,0x57,0x8D,0xBD,0x40,0xFF,0xFF,0xFF,0xB9,0x30,
0x00,0x00,0x00,0xB8};
 
 
void *foo_alloc(void *dump, int dumpsz) {
        int     pagesz;
        void    *ret;
 
        pagesz = (dumpsz + 4095) & (~4095); // useful for pages? mah
 
#ifdef WIN32
        ret = VirtualAlloc(
                NULL,
                pagesz,
                MEM_COMMIT | MEM_RESERVE,
                PAGE_EXECUTE_READWRITE);    // write for memcpy
#else
        ret = malloc(pagesz);
        mprotect(
                ret,
                pagesz,
                PROT_EXEC | PROT_WRITE);    // write for memcpy
#endif
        memcpy(ret, dump, dumpsz);
        return(ret);
}
 
int main()
{
        int ret = 0;   
        void* buf = foo_alloc(byteFunc, sizeof(byteFunc));
        int(*test)(int, int, int) = static_cast<int(*)(int, int, int)>(buf);
        ret = test(1,2,3);     
        getchar();
        return 0;
}

normaly debugging tells me wether im out of a memory region, or access violations or whatever, in this case not, otherwise i wouldnt ask and it would be easier <_>

edit:
only thing i know that it crashes at "ret = test(1,2,3);" .. outcommented .. no crash but if i call it .. crash
 
Last edited:

Solaire

Respected Hacker
Dank Tier VIP
Dec 15, 2013
1,051
16,353
62
Solution:
C++:
int grabBytes(DWORD funct, std::vector<BYTE>& lst)
{
    for (int i = 0;; i++)
    {
        //If we come across an INT instruction, return the number of bytes found
        if ((*(BYTE*)(funct + i)) == 0xCC && (*(BYTE*)(funct + i - 1)) == 0xC3)
        {
            return i;
        }

        //Push the byte into our list
        lst.push_back(*(BYTE*)(funct + i));
    }
}

//The example function to grab the bytes from
int ourFunct(int a, int b, int c)
{
    return a + b + c;
}

typedef int(*tOurFunct)(int, int, int);
tOurFunct oOurFunct;

int main()
{
    std::vector<BYTE> lst;
    grabBytes((DWORD)ourFunct, lst);

    BYTE * bytes = new BYTE[lst.size()];

    for (int i = 0; i < lst.size(); i++)
        bytes[i] = lst[i];

    oOurFunct = (tOurFunct)VirtualAlloc(NULL, lst.size(), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);

    VirtualProtect(oOurFunct, lst.size(), PAGE_EXECUTE_READWRITE, NULL);
    
    memcpy(oOurFunct, bytes, lst.size());

    printf("%d\n", oOurFunct(5, 10, 15));

    getchar();

    VirtualFree(oOurFunct, lst.size(), MEM_RELEASE);

    return 0;
}
It was the grabBytes function. It's not a good function at all, honestly.
 

GAFO666

Hacker
Meme Tier VIP
Aug 19, 2012
520
3,188
23
oooh , so I will try it with that, ty :D

edit:

well it works with the function

C++:
int ourFunct(int a, int b, int c)
{
    return a + b + c;
}

//as Array:
BYTE byteFunc[] = {
	0x55, 0x8B, 0xEC, 0x81, 0xEC, 0xC0, 0x00, 0x00, 0x00, 0x53,
	0x56, 0x57, 0x8D, 0xBD, 0x40, 0xFF, 0xFF, 0xFF, 0xB9, 0x30,
	0x00, 0x00, 0x00, 0xB8, 0xCC, 0xCC, 0xCC, 0xCC, 0xF3, 0xAB,
	0x8B, 0x45, 0x08, 0x03, 0x45, 0x0C, 0x03, 0x45, 0x10, 0x5F,
	0x5E, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3 };

but not with the function
C++:
void ourSecFunc()
{
	cout << "TROLOLO" << endl;
}

//as Array:
BYTE byteFunc2[] = { 
0x55,0x8B,0xEC,0x81,0xEC,0xC0,0x00,0x00,0x00,0x53,
0x56,0x57,0x8D,0xBD,0x40,0xFF,0xFF,0xFF,0xB9,0x30,
0x00,0x00,0x00,0xB8,0xCC,0xCC,0xCC,0xCC,0xF3,0xAB,
0x8B,0xF4,0x68,0x50,0x26,0x95,0x00,0x68,0x8C,0xD6,
0x95,0x00,0xA1,0x20,0xD1,0x95,0x00,0x50,0xE8,0x0B,
0x9A,0xFF,0xFF,0x83,0xC4,0x08,0x8B,0xC8,0xFF,0x15,
0xFC,0xD0,0x95,0x00,0x3B,0xF4,0xE8,0x39,0x27,0x00,
0x00,0x5F,0x5E,0x5B,0x81,0xC4,0xC0,0x00,0x00,0x00,
0x3B,0xEC,0xE8,0x29,0x27,0x00,0x00,0x8B,0xE5,0x5D,
0xC3};
probably because theres a text or so (or because of the return ..) , the bytes grabbing is still buggy in that case :) means its not finished muahahaha :p

aaand by the way, if you use it very much for playing around, it would recommend to use macros :3

C++:
#define InitFunctionByteLinked(ffunc, ftype, fbytes) ffunc = (ftype)VirtualAlloc(NULL, sizeof(fbytes), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);\
	VirtualProtect(ffunc, sizeof(fbytes), PAGE_EXECUTE_READWRITE, NULL); \
	memcpy(ffunc, fbytes, sizeof(fbytes));

#define ReleaseFunctionByteLinked(ffunc, fbytes) VirtualFree(ffunc, sizeof(fbytes), MEM_RELEASE);


//Examble:
InitFunctionByteLinked(tfunc, Function,byteFunc);
printf("%d\n", tfunc(5, 10, 15));
ReleaseFunctionByteLinked(tfunc, byteFunc);

,greez



edit:
probably not because of the return, cuz i inserted a return as a endpoint
C++:
void ourSecFunc()
{
	cout << "TROLOLO" << endl;
	return;
}
and tried this too
C++:
int ourSecFunc()
{
	cout << "TROLOLO" << endl;

	return 666;
}
weirdo grabbytes <_<
 
Last edited:
Attention! Before you post:

Read the How to Ask Questions Guide
99% of questions are answered in the Beginner's Guide, do it before asking a question.

No Hack Requests. Post in the correct section.  Search the forum first. Read the rules.

How to make a good post:

  • Fill out the form correctly
  • Tell us the game name & coding language
  • Post everything we need to know to help you
  • Ask specific questions, be descriptive
  • Post errors, line numbers & screenshots
  • Post code snippets using code tags
  • If it's a large project, zip it up and attach it

If you do not comply, your post may be deleted.  We want to help, please make a good post and we will do our best to help you.

Community Mods