[TUTORIAL] Detouring notepad

TeamRetox
Allie
Posts: 222
Joined: Sat Jun 06, 2009 3:48 pm

[TUTORIAL] Detouring notepad

Post by TeamRetox »

Stuff you need to download:
IDA (Pro or demo, I'm using Pro)
VC++ (any version, I'll use 2003 .NET as it's my favorite)
Injector (winject works fine for this)

Open up IDA and select Work on your own:

http://img206.imageshack.us/i/idapic1.png/

Now go to C:\windows\ and drag notepad.exe into IDA and do as shown in these pictures:

http://img84.imageshack.us/i/idapic2.png/
http://img513.imageshack.us/i/idapic3.png/

Time to check the stuff notepad imports with IDA.
We know that it would need to get our system's time in order to print it out in notepad; please note that I put get in bold, since the import we need to find probably starts with get (e.g. gettime or something like that).
So order the imports by name and look at the commands that are time-related and start with get:

    GetDateFormatW
    GetLocalTime
    GetTimeFormatW

Double-click any of these and you'll be taken to the following screen (I decided to pick GetLocalTime):
http://img206.imageshack.us/i/idapic4.png/

Now right click on it and select 'Chart of xrefs to' which should give you the following screen.
http://img529.imageshack.us/i/idapic5.png/

Sub_1006F10 and Sub_1006773

Let's find them in the Functions list
http://img193.imageshack.us/i/idapic6.png/

Let's check out Sub_1006773 first.
http://img262.imageshack.us/i/idapic7.png/

Hmm, that's a lot of variables for just inserting time :o this might be something else, so let's check out Sub_1006F10
http://img198.imageshack.us/i/idapic8.png/

That looks a lot more like it :D Let's put a breakpoint on it by clicking the function name so it becomes yellow and then pressing F2 to place a breakpoint
http://img188.imageshack.us/i/idapic9.png/

Press F9 to run notepad and once notepad is open press F5 (to insert date/time). Hey! What's that?!?! notepad got stuck on our breakpoint! :D This means we breakpointed the right function :D
Now press F9 to make notepad continue (or press the continue button in IDA), close notepad and disable the breakpoint by pressing F2 again.

Now we're gonna need a header for this function, so right click on the function name and press 'Set function type', which should show this:

    int __stdcall sub_1006F10(int)

Create a new empty DLL project in VC++ and put in the following code:

#include <windows.h>
#include <detours.h>              // Detours 1.x API (DetourFunction / DetourRemove)
#pragma comment(lib, "detours.lib")

// receives the trampoline that calls the original sub_1006F10
int (__stdcall * InsertDateTime_original)(int x);

// our replacement: runs every time notepad inserts the date/time
int __stdcall InsertDateTime_hooked(int x)
{
    MessageBoxW(NULL, L"Inserting Date and Time", L"ERROR - SUCCESS", MB_OK); // create a messagebox
    return InsertDateTime_original(x); // then let the original function do its job
}

BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        // redirect sub_1006F10 (at 0x01006F10 inside notepad) to our hook
        InsertDateTime_original = DetourFunction((PBYTE)0x01006F10, (PBYTE)InsertDateTime_hooked);
        break;
    case DLL_PROCESS_DETACH:
        // put the original bytes back when the DLL is unloaded
        DetourRemove((PBYTE)0x01006F10, (PBYTE)InsertDateTime_hooked);
        break;
    }
    return TRUE;
}
Now if you compile this it will give this error:
error C2440: '=' : cannot convert from 'PBYTE' to 'int (__stdcall *)(int)'
which is because we need to typecast DetourFunction, so replace the DetourFunction line with the following line:

    InsertDateTime_original = (int (__stdcall *)(int))DetourFunction((PBYTE)0x01006F10, (PBYTE)InsertDateTime_hooked);

Compile it again once you've replaced the above.
Now you need to inject it into notepad with your favorite injector and it's done :)


P.S. I'm tired, so pictures 7 to 9 (and the text written there) are bullshit :D Place a breakpoint on Sub_1006773 and run notepad, insert date/time and it won't break (that's why it's the wrong function, not because of the bs I wrote there :))
Attachments:
winject.rar (Winject, 83.39 KiB)
DetourNotepad.rar (Source file, 475 Bytes)
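DetourFunction in the post does its job by overwriting the first bytes of sub_1006F10 with a jump into the injected DLL. The following is an added example, not code from the post or from the Detours library, for the 32-bit x86 case the post works with: it builds that 5-byte jmp rel32 patch over a constructed prologue and then runs the check an integrity scanner would use to notice that a function in notepad no longer starts with its own code. The addresses, the clean prologue bytes and all function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed addresses: the notepad function the post hooks and a
 * hypothetical address of the replacement inside the injected DLL. */
#define TARGET_FUNC 0x01006F10u
#define HOOK_FUNC   0x10001000u
/* Constructed sample: an unhooked 32-bit MSVC prologue (mov edi,edi; push ebp; mov ebp,esp). */
static const uint8_t CLEAN_PROLOGUE[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

/* rel32 is measured from the end of the 5-byte jmp; unsigned math wraps correctly in both directions. */
uint32_t jmp_rel32(uint32_t from, uint32_t to) { return to - (from + 5u); }

/* Encode the E9 xx xx xx xx patch an inline detour writes over `from`. */
void encode_jmp_rel32(uint32_t from, uint32_t to, uint8_t out[5])
{
    uint32_t rel = jmp_rel32(from, to);
    out[0] = 0xE9;                 /* JMP rel32 opcode */
    out[1] = (uint8_t)rel;         /* displacement, little-endian */
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Integrity check: returns 1 and the jump target (if `target` is non-NULL) when the
 * prologue read from memory starts with jmp rel32; jmp [mem] and push/ret hooks are not covered. */
int detect_inline_jmp(const uint8_t *prologue, uint32_t func_addr, uint32_t *target)
{
    uint32_t rel;
    if (prologue[0] != 0xE9)
        return 0;
    rel = (uint32_t)prologue[1] | ((uint32_t)prologue[2] << 8) |
          ((uint32_t)prologue[3] << 16) | ((uint32_t)prologue[4] << 24);
    if (target)
        *target = func_addr + 5u + rel;
    return 1;
}

/* Patch a copy the way a detour would, then scan it: decoded target, or 0 if the scan missed it. */
uint32_t roundtrip_target(uint32_t from, uint32_t to)
{
    uint8_t patched[5];
    uint32_t target = 0;
    encode_jmp_rel32(from, to, patched);
    return detect_inline_jmp(patched, from, &target) ? target : 0;
}
```

A real scanner reads the prologue bytes out of the live process and compares them against the on-disk image; here the patched buffer stands in for that memory read.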
Sethioz
Admin
Posts: 4762
Joined: Fri Jul 27, 2007 5:11 pm
Custom: Gaming YT > https://youtube.com/SethiozEntertainment
Game Hacking YT > https://youtube.com/sethioz
Game Hacks Store > https://sethioz.com/shopz

Re: [TUTORIAL] Detouring notepad

Post by Sethioz »

Could you reupload the screens here, using [attachment] brackets? imageshack didn't load for me at all.
TeamRetox
Allie
Posts: 222
Joined: Sat Jun 06, 2009 3:48 pm

Re: [TUTORIAL] Detouring notepad

Post by TeamRetox »

I deleted the screens already :(

Here's a link to someone else's video tutorial on the exact same thing (but with the functions already named):
http://wille.freepgs.com/tutorials/detour/