1

Will try to reword the actual question so it is hopefully more descriptive and clear of what I am after:

So, there is a function main, which I have successfully hooked. The hooked version looks like this:

__int64 __fastcall gamemainHooked(gladius::Game* thisptr, int param_1, char** param_2, char** param_3)
    {       

        gladius::get().initialize(thisptr, param_1, param_2, param_3);

        gladius::gui::get().guiRun(*(GUI**)(thisptr + 0x28));

        gladius::get().quit(thisptr);

        return gladius::get().gamemain(thisptr, param_1, param_2, param_3);
    }

Now, see there is a Game* thisptr, which is passed in to that function.

When the function is running it populates Game* thisptr instance with

thisptr->GameConstructor (0x0x00000271704c6ec0)
thisptr->gamemain (0x00000271788a94f0)
thisptr->initialize(0x000002716d523b90)
thisptr->quit(0x000002716fdebdd0)

he original main function and the hooked one have a function called guiRun, which takes thisptr + 0x28 offset and which from the code below is the 5th element of the constructor (Game).

Game * __thiscall gladius::Game::Game(Game *this)

{
  *(undefined8 *)this = 0;
  *(undefined8 *)(this + 8) = 0;
  *(undefined8 *)(this + 0x10) = 0;
  *(undefined8 *)(this + 0x18) = 0;
  *(undefined8 *)(this + 0x20) = 0;
  *(undefined8 *)(this + 0x28) = 0;
  *(undefined8 *)(this + 0x30) = 0;
  *(undefined8 *)(this + 0x38) = 0;
  *(undefined8 *)(this + 0x40) = 0;
  *(undefined8 *)(this + 0x48) = 0;
  *(undefined8 *)(this + 0x50) = 0;
  return this;
}

Now, what's the best way to reverse this, so that I can have a handle on that 5th element of the Game instance? How should the code look like so that calling guiRun with thisptr+0x28 succeeds.

Should I reverse constructor completely with all of the pointers inside and then point to it?

The point is that calling guiRun (thisptr + 0x28) doesn't work as thisptr + 0x28 is not pointing to 5th element of the Game* instance...

The current reversed Game struct looks like this:

 namespace gladius {
        struct Game {
            //virtual int __thiscall main(gladius::Game* thisptr, int param_1, char** param_2, char** param_3);
    
            using GameConstructor = Game * (__fastcall*) (Game* thisptr);
            GameConstructor gameConstructor;
    
            using GameMain = __int64(__fastcall*) (gladius::Game* thisptr, int param_1, char** param_2, char** param_3);
            GameMain gamemain;
    
            using Initialize = void(__fastcall*) (gladius::Game* thisptr, int a2, char** a3, char** a4);
            Initialize initialize;
    
            using Quit = void(__fastcall*) (gladius::Game* thisptr);
            Quit quit;
        };
    
        Game& get();
    
    } /

P.S. It seems that guiRun wants to accept *thisptr and not thisptr. But this will mean that the original signature of the function has to be changed. Not sure if that will lead to the hook not working.

Improve this question

1 Answer 1

Reset to default
1

This is been resolved here: Link

So, the solution is to introduce the class structure functionally the same as the original one and then use the original constructor function to populate it.

If the objects of the other classes, i.e. GUI object as a 5th element of the above structure needs to be initialised, then GUI object has to have a proper class constructor as described in the link.

You might need a similar structure as described there to initialise any of the objects you want to populate.

Improve this answer

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.