Hooking internal function: How do the the parameters look like?

Question

I have already been using Easyhook in C# to hook functions of the WINAPI. Now I am trying to hook an internal function of a program to log a specific "event".

I have been able to discover the function call with the "Ultimap"-Function of Cheat Engine:

008AEC40   /$  6A FF             PUSH -1
008AEC42   |.  68 E37EC100       PUSH Progra.00C17EE3
008AEC47   |.  64:A1 00000000    MOV EAX,DWORD PTR FS:[0]
008AEC4D   |.  50                PUSH EAX
008AEC4E   |.  51                PUSH ECX
008AEC4F   |.  56                PUSH ESI
008AEC50   |.  A1 4093F600       MOV EAX,DWORD PTR DS:[F69340]
008AEC55   |.  33C4              XOR EAX,ESP
008AEC57   |.  50                PUSH EAX
008AEC58   |.  8D4424 0C         LEA EAX,DWORD PTR SS:[ESP+C]
008AEC5C   |.  64:A3 00000000    MOV DWORD PTR FS:[0],EAX
008AEC62   |.  8BF1              MOV ESI,ECX
008AEC64   |.  897424 08         MOV DWORD PTR SS:[ESP+8],ESI
008AEC68   |.  E8 033CFFFF       CALL Progra.008A2870
008AEC6D   |.  C74424 14 0000000>MOV DWORD PTR SS:[ESP+14],0
008AEC75   |.  8B4424 1C         MOV EAX,DWORD PTR SS:[ESP+1C]
008AEC79   |.  50                PUSH EAX
008AEC7A   |.  8D4E 24           LEA ECX,DWORD PTR DS:[ESI+24]
008AEC7D   |.  C706 18E8CD00     MOV DWORD PTR DS:[ESI],Progra.00CDE818
008AEC83   |.  E8 F8E7FFFF       CALL Progra.008AD480
008AEC88   |.  C74424 14 FFFFFFF>MOV DWORD PTR SS:[ESP+14],-1
008AEC90   |.  8BC6              MOV EAX,ESI
008AEC92   |.  8B4C24 0C         MOV ECX,DWORD PTR SS:[ESP+C]
008AEC96   |.  64:890D 00000000  MOV DWORD PTR FS:[0],ECX
008AEC9D   |.  59                POP ECX                             
008AEC9E   |.  5E                POP ESI                                  
008AEC9F   |.  83C4 10           ADD ESP,10
008AECA2   \.  C2 0400           RETN 4

The function gets called here:

008CAF5F    .  85F6              TEST ESI,ESI
008CAF61    .  74 29             JE SHORT Progra.008CAF8C
008CAF63    .  6A 32             PUSH 32
008CAF65    .  8D5424 4C         LEA EDX,DWORD PTR SS:[ESP+4C]
008CAF69    .  52                PUSH EDX
008CAF6A    .  8D8F DC120000     LEA ECX,DWORD PTR DS:[EDI+12DC]
008CAF70    .  E8 2BF4F4FF       CALL Progra.0081A3A0
008CAF75    .  C68424 A4000000 1>MOV BYTE PTR SS:[ESP+A4],13
008CAF7D    .  834C24 14 40      OR DWORD PTR SS:[ESP+14],40
008CAF82    .  50                PUSH EAX
008CAF83    .  8BCE              MOV ECX,ESI
008CAF85    .  E8 B63CFEFF       CALL Progra.008AEC40    #### FUNCTION CALL ####
008CAF8A    .  EB 02             JMP SHORT Progra.008CAF8E
008CAF8C    >  33C0              XOR EAX,EAX
008CAF8E    >  C78424 A4000000 1>MOV DWORD PTR SS:[ESP+A4],14
008CAF99    .  8B95 F0130000     MOV EDX,DWORD PTR SS:[EBP+13F0]
008CAF9F    .  6A 01             PUSH 1
008CAFA1    .  8D7424 38         LEA ESI,DWORD PTR SS:[ESP+38]

Right now I am trying to learn more about ASM (calling conventions etc.). This tutorial is very good but I still don' t know how to deal with the function above.

How might the function argument(s) look like?

When breaking at the function call, the information (a simple Integer) I try to "extract" via hooking is stored in EBX, which unfortunately isn' t accessed once. So I have look for a function, where this value is passed as an argument, right?

Answer 1

The function 008AEC40 appears to be using the thiscall calling convention. The first argument, the this pointer is passed in ECX. The rest of the arguments are pushed on the the stack in right to left order. This particular function, a method of C++ class, only takes one argument in addition to its implicit this pointer.