stevemk14ebr / PolyHook_2_0

C++20, x86/x64 Hooking Library v2.0
MIT License
1.58k stars 222 forks

Fixed jmp opcode (0x25) which should not be the call opcode (0x15) #183

Closed BritishPiper closed 1 year ago

BritishPiper commented 1 year ago

Fix to #180. I was also having trouble hooking some WinAPI functions in my system. After some debugging, I found out Detour::followJmp was not following the jump because Instruction::m_isIndirect was not being correctly set to true, so Instruction::getDestination() failed. The jmp opcode is 0x25 and not 0x15, as shown by x64dbg's disassembler: [two x64dbg screenshots]

stevemk14ebr commented 1 year ago

looks like a mistake to me, thanks!

wongsyrone commented 1 year ago

@stevemk14ebr

~I think this PR also fixes the issue I have before, you can revert changes on setIsFollowCallOnFnAddress in sources/ADetour.{h,c}pp~

EDIT: 0xE8 is not covered.

wongsyrone commented 1 year ago

@stevemk14ebr

Never mind. Not all cases are covered. 0xE8 is the case.

```
.text:0000000181305187 48 8B 8D 00 12 00 00          mov     rcx, [rbp+1250h+var_50]
.text:000000018130518E 48 33 CC                      xor     rcx, rsp                        ; StackCookie
.text:0000000181305191 E8 2A B8 91 01                call    __security_check_cookie      ; <<<< --- here
.text:0000000181305191
.text:0000000181305196 48 81 C4 18 13 00 00          add     rsp, 1318h
.text:000000018130519D 41 5F                         pop     r15
.text:000000018130519F 41 5E                         pop     r14
.text:00000001813051A1 41 5D                         pop     r13
.text:00000001813051A3 41 5C                         pop     r12
.text:00000001813051A5 5F                            pop     rdi
.text:00000001813051A6 5E                            pop     rsi
.text:00000001813051A7 5B                            pop     rbx
.text:00000001813051A8 5D                            pop     rbp
.text:00000001813051A9 C3                            retn
```
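The encodings this thread turns on, as an added C++ example that is not PolyHook's code: `FF 25` (ModRM /4, `jmp [rip+disp32]`) versus `FF 15` (ModRM /2, `call [rip+disp32]`) from the PR description, and the direct `E8` `call rel32` from the listing above. The `decode` and `followJmp` functions, the `FakeMemory` address space, and every address and pointer value below are constructed for illustration and are not the library's `Detour::followJmp` or `Instruction` API. The one real input is the `E8 2A B8 91 01` instruction at `0x181305191` from the listing, whose target is computed the way a disassembler would (end of instruction plus sign-extended rel32).

```cpp
#include <cstdint>
#include <cstddef>
#include <cstring>
#include <functional>
#include <initializer_list>
#include <optional>
#include <unordered_map>

// Added example (not PolyHook's code): decode the x64 control-transfer encodings
// discussed in this PR and resolve their destinations, as a detour library must
// before it can safely relocate a function prologue.
enum class Kind { JmpRel32, CallRel32, JmpIndirectRip, CallIndirectRip };

struct Decoded {
    Kind kind;
    size_t length;      // instruction length in bytes
    bool isIndirect;    // true for FF /4 and FF /2 with a memory operand
    uint64_t target;    // rel32: branch destination;
                        // RIP-relative indirect: address of the 8-byte pointer slot
};

static int32_t readLe32(const uint8_t* p) {
    int32_t v;
    std::memcpy(&v, p, sizeof v);  // little-endian host assumed
    return v;
}

// `address` is where `code` lives in the target image; RIP-relative
// displacements are measured from the end of the instruction.
std::optional<Decoded> decode(const uint8_t* code, size_t len, uint64_t address) {
    if (len >= 5 && (code[0] == 0xE8 || code[0] == 0xE9)) {
        // E8 cd = CALL rel32, E9 cd = JMP rel32: direct, no memory read needed.
        int64_t rel = readLe32(code + 1);
        return Decoded{code[0] == 0xE8 ? Kind::CallRel32 : Kind::JmpRel32,
                       5, false, address + 5 + rel};
    }
    if (len >= 6 && code[0] == 0xFF && (code[1] == 0x25 || code[1] == 0x15)) {
        // FF + ModRM 0x25 (/4, rm=101) = JMP [RIP+disp32];
        // FF + ModRM 0x15 (/2, rm=101) = CALL [RIP+disp32].
        // Mixing up the two ModRM bytes is the bug this PR fixes.
        int64_t disp = readLe32(code + 2);
        return Decoded{code[1] == 0x25 ? Kind::JmpIndirectRip : Kind::CallIndirectRip,
                       6, true, address + 6 + disp};
    }
    return std::nullopt;  // anything else: not a branch this example models
}

using MemReader = std::function<bool(uint64_t addr, uint8_t* out, size_t n)>;

// Follow a chain of JMP thunks (direct or RIP-relative indirect) from `fnAddr`
// to the real function body. CALLs are never followed: a call is not a thunk.
// `maxHops` bounds the walk so a cyclic thunk cannot hang the caller.
uint64_t followJmp(uint64_t fnAddr, const MemReader& read, int maxHops = 8) {
    uint64_t cur = fnAddr;
    for (int hop = 0; hop < maxHops; ++hop) {
        uint8_t buf[16];
        if (!read(cur, buf, sizeof buf)) return cur;
        auto d = decode(buf, sizeof buf, cur);
        if (!d) return cur;
        if (d->kind == Kind::JmpRel32) {
            cur = d->target;
        } else if (d->kind == Kind::JmpIndirectRip) {
            uint64_t slot;  // the pointer stored at the RIP-relative slot
            if (!read(d->target, reinterpret_cast<uint8_t*>(&slot), sizeof slot)) return cur;
            cur = slot;
        } else {
            return cur;  // CALL (E8 / FF 15) or non-branch: stop here
        }
    }
    return cur;
}

// Constructed fake address space so the example runs without a live process.
struct FakeMemory {
    std::unordered_map<uint64_t, uint8_t> bytes;
    void put(uint64_t addr, std::initializer_list<uint8_t> data) {
        for (uint8_t b : data) bytes[addr++] = b;
    }
    void putQword(uint64_t addr, uint64_t v) {
        for (int i = 0; i < 8; ++i) bytes[addr + i] = uint8_t(v >> (8 * i));
    }
    MemReader reader() const {
        return [this](uint64_t addr, uint8_t* out, size_t n) {
            for (size_t i = 0; i < n; ++i) {
                auto it = bytes.find(addr + i);
                out[i] = it == bytes.end() ? 0xCC : it->second;  // int3 filler
            }
            return true;
        };
    }
};

// Import-style thunk `jmp [rip+0x1000]` whose slot holds the real body (made-up addresses).
uint64_t demoFollowThunk() {
    FakeMemory mem;
    mem.put(0x140001000, {0xFF, 0x25, 0x00, 0x10, 0x00, 0x00});
    mem.putQword(0x140002006, 0x7FF800001234);
    return followJmp(0x140001000, mem.reader());  // 0x7FF800001234
}

// Same bytes but ModRM 0x15: a call, so the walk must stop at the function itself.
uint64_t demoCallNotFollowed() {
    FakeMemory mem;
    mem.put(0x140001000, {0xFF, 0x15, 0x00, 0x10, 0x00, 0x00});
    mem.putQword(0x140002006, 0x7FF800001234);
    return followJmp(0x140001000, mem.reader());  // 0x140001000
}

// The E8 call from the listing above: 0x181305191 + 5 + 0x0191B82A.
uint64_t demoCallTarget() {
    const uint8_t call[] = {0xE8, 0x2A, 0xB8, 0x91, 0x01};
    return decode(call, sizeof call, 0x181305191)->target;  // 0x182C209C0
}
```

The point a hook author cares about is the asymmetry in `followJmp`: a `jmp` thunk is transparent and should be walked through (with a hop limit so a malformed or cyclic chain cannot spin), while a `call` at the function address, whether `E8` or `FF 15`, is part of the function body and must be relocated rather than followed.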