I'm fairly new to this RCE stuff, and relatively new to C++. I probably should have started with a simple project, but diving in seemed like a good idea.
My issue is: I'm detouring a function to investigate it. I know it has something to do with resizing the process's window and viewport. If I detour it and don't call the trampoline, then resize my process's window, the graphics get all distorted and stretched out. My ultimate goal is to SetWindowPos, then call a process function to reconfigure the viewport and graphics to prevent the distortion. I think this is the function that does it.
I've got a working detour setup, but my issue is calling the trampoline from my own function.
IDA prototypes this function as follows (I don't have the assembly in front of me, but it looks like this):
int _fastcall sub_701120(LPARAM lParam);
In IDA, when I double-click lParam it shoots me over to 0x00B112AC. There I see a large data structure.
When I run the following code:
int __fastcall Trampoline(LPARAM);
// Log the incoming argument, then forward to the original function via the trampoline.
int __fastcall Detour(LPARAM lParam)
{
    Outf("%08x", lParam);
    return Trampoline(lParam);
}
DETOUR_TRAMPOLINE_EMPTY(int __fastcall Trampoline(LPARAM));
#define MyFunction 0x701120
void enter()
{
    QuickDetour(MyFunction, Detour, Trampoline);
}
void exit()
{
    RemoveDetour(MyFunction);
}
My chat output is not the "00B112AC" that I expected; I get something like "0041102B". When going through the fastcall function I see several "call [ecx + 4Ch]" instructions, which makes me want to think 00B112AC is a prototyped class with pointers to the member functions.
Is "0041102B" a pointer of the type "00B112A"? If so... how do I fire off 701120 on my own?
I'm picturing something like
#define pInstance 0x0041102B
LPARAM mylParam;
mylParam = (LPARAM)pInstance;
Trampoline(mylParam);
Am I barking up the right tree?
Sorry for the length/spelling, I wish I could say English isn't my native tongue, and sorry if I've violated some kind of standard etiquette of this forum that I was unaware of.







