onsdag den 14. december 2011

Game hacking: VTable hooking explanation and example

When hacking a game, you will sometimes need to hook some of the engine's functions. In case of the function that you want to hook is in a so called virtual method table(class with virtual functions), hooking the functions is very easy.
A virtual function is essentially a function in a class, that allows inherited classes to overwrite that function. On assembly level, this means that the compiler generates a table of pointers to functions, which are then called instead of calling the function directly. This allows inherited classes to easily overwrite the virtual function in the class instance. ex:

2521a783
2521a825
25220052
25228252
As you can see, it consists merely pointers, that point to the functions themselves.
(I am working on my paint skills):







With this information, we can actually easily replace the address that exists within the vmt with a pointer to our own function, while preserving the original function pointer for later use.
I've coded a little example code here just for the sake of consistency;

 
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
class VirtualTable
{
public:
 
virtual void VirtualFunction01( void );
};
 
 
void VirtualTable::VirtualFunction01( void )
{
cout << "VirtualFunction01 called" << endl;
}
 
//we use this to store and call the original function inside our custom one
typedef void ( __thiscall* VirtualFunction01_t )( void* thisptr );
VirtualFunction01_t g_org_VirtualFunction01;
 
//our custom function
void __fastcall hk_VirtualFunction01( void* thisptr, int edx )
{
cout << "Custom function called" << endl;
 
//call the original function
g_org_VirtualFunction01(thisptr);
}
 
 
int _tmain(int argc, _TCHAR* argv[])
{
VirtualTable* myTable = new VirtualTable();
 
//get the pointer to the actual virtual method table from our pointer to our class instance
void** base = *(void***)myTable;
 
DWORD oldProtection;
//one way to remove page protection(not the best but this is an example only)
VirtualProtect( &base[0], 4, PAGE_EXECUTE_READWRITE, &oldProtection );
//save the original function
g_org_VirtualFunction01 = (VirtualFunction01_t)base[0];
//overwrite
base[0] = &hk_VirtualFunction01;
//restore page protection
VirtualProtect( &base[0], 4, oldProtection, 0 );
 
//call the virtual function (now hooked) from our class instance
myTable->VirtualFunction01();
 
system("pause");
 
return 0;
}
Output:
Custom function called
VirtualFunction01 called
Indsendt af kl.

Ingen kommentarer:

Send en kommentar

Abonner på: Kommentarer til indlægget (Atom)