https://github.com/danielkrupinski/x86retspoof

Invoke functions with a spoofed return address. For 32-bit Windows binaries. Supports __fastcall, __thiscall, __stdcall and __cdecl calling conventions. Written in C++17.
anticheat-bypass assembly-language assembly-x86 cpp17 game-hacking reverse-engineering single-header x86

# x86RetSpoof [![Windows](https://github.com/danielkrupinski/x86RetSpoof/actions/workflows/windows.yml/badge.svg?event=push)](https://github.com/danielkrupinski/x86RetSpoof/actions/workflows/windows.yml)
Invoke functions with a spoofed return address. For 32-bit Windows binaries.

# How to use
1. Include x86RetSpoof.h in your project.
2. Find the `FF 23` byte sequence (the `gadget`, the machine-code equivalent of `jmp dword ptr [ebx]`) in the executable code section of the module you want the spoofed return address to appear in. Its address is the `gadgetAddress`, and the invoked function will see it as its return address.
3. Call the function with `x86RetSpoof::invoke...()` matching the calling convention of the target function.

## Example
Calling the [MessageBoxW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-messageboxw) function:
```cpp
x86RetSpoof::invokeStdcall(std::uintptr_t(&MessageBoxW), std::uintptr_t(gadgetAddress), nullptr, L"text", L"title", MB_OK);
```
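
A defender-side check for the technique described above, as an added example that is not part of x86RetSpoof: a genuine return address sits directly after a `call` instruction, while a spoofed one points at the `FF 23` gadget with no call before it. All names are hypothetical, the byte arrays are constructed samples, and the call test is a heuristic that only covers near calls in 32-bit code.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Added defensive example; all names are hypothetical, not part of x86RetSpoof.
enum class RetVerdict { PrecededByCall, JmpEbxGadget, NoCallBefore };

// Length of an FF /2 (call r/m32) instruction with this ModRM/SIB, 0 if not /2.
static std::size_t ffCallLength(std::uint8_t modrm, std::uint8_t sib) {
    if (((modrm >> 3) & 7) != 2) return 0;
    const unsigned mod = modrm >> 6, rm = modrm & 7;
    if (mod == 3) return 2;                          // call reg
    std::size_t len = 2;
    if (rm == 4) {                                   // SIB byte follows
        ++len;
        if (mod == 0 && (sib & 7) == 5) len += 4;    // SIB base replaced by disp32
    }
    if (mod == 0 && rm == 5) len += 4;               // [disp32]
    else if (mod == 1) len += 1;                     // disp8
    else if (mod == 2) len += 4;                     // disp32
    return len;
}

// Heuristic: do the bytes ending just before code[off] decode as a near CALL?
static bool precededByCall(const std::uint8_t* code, std::size_t off) {
    if (off >= 5 && code[off - 5] == 0xE8) return true;   // call rel32
    for (std::size_t len = 2; len <= 7 && len <= off; ++len) {
        const std::uint8_t* p = code + off - len;
        if (p[0] == 0xFF && ffCallLength(p[1], len >= 3 ? p[2] : 0) == len) return true;
    }
    return false;
}

// Classify a return address given as offset `off` into a module's code bytes.
RetVerdict classifyReturn(const std::uint8_t* code, std::size_t size, std::size_t off) {
    if (off >= size) return RetVerdict::NoCallBefore;
    if (precededByCall(code, off)) return RetVerdict::PrecededByCall;
    if (off + 1 < size && code[off] == 0xFF && code[off + 1] == 0x23)
        return RetVerdict::JmpEbxGadget;             // FF 23 = jmp dword ptr [ebx]
    return RetVerdict::NoCallBefore;
}

int main() {
    // Constructed sample bytes, not taken from any real module.
    const std::uint8_t legit[]   = {0xE8, 0, 0, 0, 0, 0x85, 0xC0};
    const std::uint8_t spoofed[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xFF, 0x23};
    std::printf("%d %d\n", int(classifyReturn(legit, sizeof legit, 5)),
                int(classifyReturn(spoofed, sizeof spoofed, 7)));
}
```

Because the preceding bytes are matched without full disassembly, data that happens to look like a call can produce a false `PrecededByCall`; treat the verdict as one signal alongside stack and module checks.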