Maybe this topic isn't allowed (maybe because of the illegal or "too broad" aspect of this topic). I will try to be very concise with this, because I would like to implement this with the main objective of learning "tampering/hooking" techniques.
Anyway, the question is that some time ago, I found an application that inserted two entries into the %WinDir%/etc/hosts file to cancel the advertising from Spotify.
This glitch was fixed by Spotify recently, so now any new song that has to be played is not going to be heard unless the ads are played before.
Well, the thing is that not long ago I found this repository (Spotify1710). I looked at it, since I do not understand C++ a lot, and, well, I tried to make it work and I saw that it did not work (Spotify crashed), so I started doing the same but in C#. (Maybe I should try an older version of Spotify? There are several releases...)
As I have seen how this utility works, what it does is to inject a (managed) DLL into an (unmanaged) process. This is possible thanks to a library called "SharpNeedle"...
The thing is that everything works perfectly... I've even created a socket system to receive messages from within the Spotify process to a console...
Everything worked, until the moment I decided to reimplement the second part, which modifies a method within Spotify (the original project uses Detours). This is where I say that I think everything fails (both in my version and in the version made in C++ by Meik1710; as I say, I should try old versions of Spotify).
For this I use a wrapper for .NET called "detours.net", with which I would like to have some more documentation, as you can see: https://github.com/uta-org/SpotifySharper/blob/master/SpotifySharper.Injector/Tools/SpotifyPatchAds.cs#L186 (as you'll see I have no idea which pointer to pass as a parameter, I've been looking at the original code, but how is it possible to obtain a pointer from a "void"? I have recreated this with the class "GCHandleProvider", but I'm giving out of blind...)
Not all is lost; I have not reached a deadlock yet (or maybe yes, I do not know). The case is that Spotify has generated a *.dmp file for each crash, but WinDbg does not show me anything... It shows me the following error:
    This dump file has an exception of interest stored in it.
    The stored exception information can be accessed via .ecxr.
    (30e0.4a58): Access violation - code c0000005 (first/second chance not available)
    For analysis of this file, run !analyze -v
Note: Which I do not understand...
With VS2017 the thing changes, it shows me "The thread tried to read from or write to a virtual address for which it does not have the appropriate access.", which means that the pointer that I used to read and modify the method through the delegate was wrong. (In other words, this is the same as this, but in C++, supposedly I implemented it right?)
How can I get the pointer to a function? Or how can I get to which module a specific memory address belongs? (at least to know what I should try to decompile), the truth is I'm not sure about anything... To be honest, I need help close up. I have been looking at the PInvoke for clues (since within the Kernel32.dll there are methods to obtain similar things, such as: "GetModuleHandle", the idea is to try to obtain the memory address for each module, and to delimit a memory address between two modules, but I do not know if it would work, would it work?)
Another thing that bothers me is that with detours.net, apparently the operation is very simple:
    using System;
    using System.Reflection;
    // plus the detours.net namespace that provides the Detours attribute and DelegateStore

    namespace myplugin
    {
        public static class Logger
        {
            // Declare your delegate
            public delegate int CoCreateInstanceDelegate(
                Guid rclsid, IntPtr pUnkOuter,
                int dwClsContext, Guid riid, ref IntPtr ppv
            );

            // And now declare your hook
            [Detours("ole32.dll", typeof(CoCreateInstanceDelegate))]
            public static int CoCreateInstance(
                Guid rclsid, IntPtr pUnkOuter,
                int dwClsContext, Guid riid, ref IntPtr ppv
            )
            {
                // Call real function
                int result = ((CoCreateInstanceDelegate)DelegateStore.GetReal(MethodInfo.GetCurrentMethod()))(rclsid, pUnkOuter, dwClsContext, riid, ref ppv);
                Console.WriteLine(" {" + rclsid.ToString() + "} {" + riid.ToString() + "} " + result.ToString("x"));
                return result;
            }
        }
    }
But of course, as I say, the methods "CmdAddTextGAIA", "CreateTrackPlayer", "OpenTrack", "CloseTrack", must be defined in some of the modules that are running within Spotify, which are not few as shown by Process Explorer: https://pastebin.com/qp8pha3H
But as I say I do not know how to get this module, maybe this is in Spotify.exe itself... I'm going to try to use something from here, because apparently Spotify has been updated to a new version, the "1.1.10.540".
So my questions are the following:
- Which steps should I follow? (trying to decompile the Spotify assembly is a good approach?)
- Maybe I should try an older version of Spotify?
- How is it possible to obtain a pointer from a "void"?
- Did I implement it right? (This (delegates) && this (hooks with detours.net))
- How can I get the pointer to a function? Or how can I get to which module a specific memory address belongs? (Are those questions in the right way?)
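
Added example, not part of the original post and not taken from the Spotify1710, SharpNeedle or detours.net projects: one way to answer the last question from inside a process, mapping an address (for instance the faulting address reported with the access violation) to the loaded module that contains it. It uses only System.Diagnostics and two kernel32 P/Invokes; the class name AddressResolver and the GetTickCount probe are illustrative choices.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Illustrative helper (hypothetical name): crash-triage aid for the current process.
static class AddressResolver
{
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr GetModuleHandle(string lpModuleName);

    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    // Returns "module+0xRVA", or null when the address lies outside every loaded module.
    public static string Describe(IntPtr address)
    {
        long a = address.ToInt64();
        foreach (ProcessModule m in Process.GetCurrentProcess().Modules)
        {
            long start = m.BaseAddress.ToInt64();
            long end = start + m.ModuleMemorySize;   // image size as mapped in memory
            if (a >= start && a < end)
                return m.ModuleName + "+0x" + (a - start).ToString("X");
        }
        return null;
    }

    static void Main()
    {
        // An exported function: its pointer comes from the export table.
        // A forwarded export can resolve into a different module than the one asked for.
        IntPtr k32 = GetModuleHandle("kernel32.dll");
        IntPtr fn = GetProcAddress(k32, "GetTickCount");
        Console.WriteLine(Describe(fn) ?? "not in any loaded module");

        // A constructed bogus pointer: calling through it would raise c0000005.
        Console.WriteLine(Describe(new IntPtr(0x10)) ?? "not in any loaded module");
    }
}
```

GetProcAddress only finds functions that a module exports by name, so it returns IntPtr.Zero for internal functions. A pointer that Describe cannot place in any module does not point into a loaded image.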