first issue is getting a pointer to the method. The folowing inline assembly will do it for virtual and non virtual methods, however it won't do it if you only have an empty "shell interface" definiton of the class (i.e virtual BOOL Shutdown() = 0;

_asm { mov eax,Test: oIt; }

If you just have a 'shell interface' though, that won't compile, and maybe you want to rather get that address from C/C++, or actually maybe you know its a virtual method, and you want to rather get it from the pointer to the instance of the class. well first lets try getting it with C++ code..
first thing you need to do is use a method pointer..

//here is what the method actually looks like for reference virtual long DoIt(long x); ... // and now we need to declare a pointer to a method long (Test::*pfn2)(long x); //method pointer // and now set the method pointer. pfn2 = &Test: oIt; // now do the impossible, cast a method pointer as a function pointer void * ptr = *((void **)&pfn2 );

//00401EF0 8B 01 mov eax,dword ptr [ecx] //00401EF2 FF 60 04 jmp dword ptr [eax+4]

static BOOL ismethodptrvirtual(void * methodptr) { BOOL returnval; _asm { mov eax,methodptr; mov ebx,[eax] mov eax,TRUE cmp ebx,60FF018Bh je skip mov eax,FALSE skip: mov returnval,eax } return returnval; }

static PVOID virtualaddress(void* thisptr,int methodoffset) { PVOID returnval; _asm { mov eax,thisptr; mov eax,[eax] ; //point to the start of virtualtable mov ebx,methodoffset; mov eax,[eax+ebx*4] mov returnval,eax } return returnval; }

// to do the equivilant of the following // int mine = obj1.doIt(43); //where you allready have the pointer to doIt in PVOID doitptr; _asm { push43 mov ecx,obj1 call [doitptr] mov mine,eax }

//here is the definition of the method used in this example virtual BOOL Startup(HWND hPrimaryWnd, DWORD modeFlags); // and i know that it is the first method in the virtual table, //and we have an instance of this class called //m_pEngine //here is the structure containing the parameters to pass to the function struct { HWND wndhandle; DWORD c; } mystruct = {tmphwnd,VJEMODE_PRESENTATION}; //use the virtualaddress method we have already //covered to get the address from the instance. address = (DWORD) thiscall::virtualaddress(m_pEngine,1); //use the my callmethod passing in the instance of the object, //the adress, the structure containing //the arguments for the function and the size of the arugments (structure) thiscall::callmethod(m_pEngine,address,(const void*)&mystruct,sizeof(mystruct));

static DWORD callmethod(void* thisptr, DWORD address,const void* arguments,size_t argsize) { DWORD returnval; _asm { mov ecx, argsize // get size of arguments for the function sub esp, ecx // adjust the stack pointer to give room to copy these arguments there shr ecx, 2 // divide by 4 (because we'll copy DWORDS over at a time) mov esi, arguments // get the pointer to the start of the arguments buffer (Source) mov edi, esp // start of destination stack frame (destination) rep movsd // copy arugments to stack frame mov ecx, thisptr // THISCALL passes "this" in ecx call [address] // call the function mov returnval, eax // return value returns in eax, so we better save it } return returnval; }

static DWORD callvirtualmethod(void *thisptr,int methodoffset,const void* arguments,size_t argsize) { DWORD returnval; _asm { mov ecx, argsize // get size of arguments for the function sub esp, ecx // adjust the stack pointer to give room to copy these arguments there shr ecx,2 // divide by 4 (because we'll copy DWORDS over at a time) mov esi, arguments // get the pointer to the start of the arguments buffer (Source) mov edi, esp // start of destination stack frame (destination) rep movsd // copy arugments to stack frame mov eax, thisptr // get the "this" pointer mov eax, [eax] // point to the start of virtualtable mov ebx, methodoffset // offset into the virtualtable mov ecx, thisptr // THISCALL passes "this" in ecx call [eax+ebx*4] // call the function (the address of virtualtable+offset*4) mov returnval, eax // return value returns in eax, so we better save it } return returnval; }

which enables you do do the following

//instead of the following used in the last example address = (DWORD) thiscall::virtualaddress(m_pEngine,1); thiscall::callmethod(m_pEngine,address,(const void*)&mystruct,sizeof(mystruct)); //you can just do this directly thiscall::callvirtualmethod(m_pEngine,1,(const void*)&mystruct,sizeof(mystruct));

//00401EF0 8B 01 mov eax,dword ptr [ecx] //00401EF2 FF 60 04 jmp dword ptr [eax+4]

static PVOID dereferencemethodptr(void* thisptr,void * methodptr) { PVOID returnval; //issues if size of pointer is more than 4 bytes (multiple inheritance it might be different) //if a method pointer points to a nonstatic (but not virtual) function, then it points directly //to that function //if it points to a nonstatic VIRTUAL function, then it points to a stub that C++ creates that looks //the the following //00401EF0 8B 01 mov eax,dword ptr [ecx] //00401EF2 FF 60 04 jmp dword ptr [eax+4] //as far as i've seen , irregardless of anything i've seen so far , or compiler optomisation options //it seems to be exactly the same as above, other than the last byte (the +4) //which is actually the information //we need to be able to look up the function in the vtable.. so we can read it directly from this code. //so first we check to see if the first 4 bytes are 8b01FF60 (or is it 60FF018B?) and if it is grab the //address + 4.. otherwise just treat the address as what it is. _asm { mov eax,methodptr; mov ebx,[eax] cmp ebx,60FF018Bh jne skip //if its a virtual method xor ebx,ebx mov bl,byte ptr [eax + 4]; //grab the 5th byte which is the +4 (or +whatever) offset in the virtual table mov eax,thisptr; //ptr to the instance of the class mov eax,[eax] ;//start of virtual table mov eax,[eax+ebx];//get the address of the method from getting it from the virtual table with offset skip: mov returnval,eax } return returnval; }

------------------
Karl /GODCENTRIC
Visionary Media
the creative submitted to the divine.
Husband of my amazing wife Aleshia
Klumsy@xtra.co.nz

Though I sort of had to get back into it for graphics.

_asm
{
mov eax,myclass::mymethod;
mov myptr,eax
}
or such like, but other than that they could just use the library..
sometime later when it is all finished, there will be a 'use' article with examples of being able to hook any method of any class.. (as well as any API, or dll call , process or system wide..
very powerful stuff, wanna see how some game calles openGL or directX, just hook some calls and see.. wanna change how some game or whatever uses openGL then hook those methods, make slight algo changes based on the info they pass in, and call the original.
wanna capture the output of a DX, hook the rendering methods of DX/GL, use dx to bring the rendered data back to memory to save or whatever..
want to rather divert the visual output from one program to another (without it being on screen) hook the rendering stuff, getting it to render off screen, but still on the video card, get all the neccisary references to the rendertotexture texture to pass on to the 2nd program..

you can do anything.
want to add features to a commercial program without changing its binary file, well use same techinques, finding hte objects, hooking methods, first of all makign a stub app that loads the original exe, first injecting a dll into its process space with all your hook code.. possibilities are endless.

------------------
Karl /GODCENTRIC
Visionary Media
the creative submitted to the divine.
Husband of my amazing wife Aleshia
Klumsy@xtra.co.nz

------------------
proverbs 17:28
Even a fool, when he holdeth his peace, is counted wise: and he that shutteth his lips is esteemed a man of understanding.

Seriously, you have some really good stuff there, even though a lot of it is somewhat esoteric and not something I'll be using everyday. Definitely going into my "cool code" file.

------------------
Brian