hey,

i got this function from IDA.

int __thiscall sub_412236(int this, int a2, unsigned int a3)

and i detoured this function but it always crashes. i think problem is with "int this". i have just replaced "int this" with a "int a1". could that be the problem? what should i put for "int this" in my detoured function? please help. thanks

my detoured function
int sub_412236_det(int a1 , int a2, unsigned int a3)

'this' is the C++ class self pointer with the same name. You cannot just substitute for it, it must be a pointer to the base class that the function is a member of. It is sometimes passed in ECX.

Git

thx for info git. but still couldnt find a n exact solution. can some 1 provide an example or something if they have soem experience about this please? coz im stuck with this for weeks now.:(

Say you have a C++ class called CString which has some member functions like Init(), Concatenate() etc. Maybe the source code has a line like this :

CString Str;
char b[] = "Hello world";

Str.Init(b); // Initialize value of string to"Hello world"
Str.Concatenate("people"); // add "people" to the end of the string
etc...

If you disassemble the exe and look at both member function Init() and member function Concatenate() in the disassembly you will find they both are passed a pointer to the class instance Str usually in register ECX. So 'this' is just a pointer to Str (the base class).

Maybe you should write a small C++ program and disassemble it so you can see for yourself. I suggest you make a console app and compile in Debug mode then all the source function and variable names will appear in the disassembly and make it easier to follow.

BTW, what on earth does "detour" mean?

Git