From 8ae6da7f18ff4b65ca4ee1c8fe88fa70a4495a0b Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Thu, 19 Oct 2017 21:08:33 +0200 Subject: [PATCH] Show content passed to our function --- Observer/dllmain.cpp | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/Observer/dllmain.cpp b/Observer/dllmain.cpp index afd827c..d03a714 100644 --- a/Observer/dllmain.cpp +++ b/Observer/dllmain.cpp @@ -2,6 +2,7 @@ #include "stdafx.h" #include #include +#include /* Function to patch @@ -23,8 +24,9 @@ Function to patch .text:00403B83 C2 08 00 retn 8 */ -void __stdcall LogMessageWrapperHook() { - std::cout << "[OK] Message wrapped called :D :D :D" << std::endl; +void __stdcall LogMessageWrapperHook(char* message, size_t message_length) { + std::string content(message, message_length); + std::cout << content << std::endl; } __declspec(naked) void TrampolineLogMessageWrapperHook() @@ -34,6 +36,9 @@ __declspec(naked) void TrampolineLogMessageWrapperHook() // Save registers PUSHAD + PUSH [esp + 32 + 8 ] // PUSHAD + shift of 8 + PUSH [esp + 32 + 4 + 4 ] // PUSHAD + prev. PUSH + shift of 4 + // Call our hook CALL LogMessageWrapperHook @@ -81,7 +86,11 @@ void initDll() { } // Change the instruction by JMP Trampoline - *addressToPatch = 0xE9; // JMP INT32 --- char = 1 octet + + // JMP INT32 --- char = 1 octet + *addressToPatch = 0xE9; + + *(unsigned int*) (addressToPatch + 1) = (unsigned int) TrampolineLogMessageWrapperHook - ((unsigned int) addressToPatch + 5); std::cout << "[OK] Memory written." << std::endl;
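Review bot: In `LogMessageWrapperHook`, `std::string content(message, message_length)` trusts a pointer and a length that the trampoline copies straight off the hooked function's stack, so a null `message` or an oversized `message_length` becomes an out-of-bounds read, or a `std::length_error`/`std::bad_alloc` thrown in a frame called from a `naked` function. A guard before the copy would bound this, e.g. `if (message == nullptr || message_length > kMaxLoggedLength) return;`, where `kMaxLoggedLength` is a placeholder constant the project would have to define. Since the buffer is only read, the parameter could be `const char* message`, and `std::cout.write(message, message_length)` would print it without the intermediate allocation.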
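Review bot: The two `PUSH` operands in `TrampolineLogMessageWrapperHook` rely on a stack layout that is not written down: the offsets only hold if the trampoline is entered before the original function has pushed anything, which cannot be confirmed from this hunk because the trampoline body starts and ends outside it. A comment above the pushes would make that assumption checkable, for example `// Stack after PUSHAD: [esp+32] return address (assumed), [esp+36] message, [esp+40] message_length`. It is also worth stating that no stack cleanup follows the `CALL` because the hook is `__stdcall` and pops its two arguments itself, and writing the operand size explicitly (`PUSH DWORD PTR [esp + 32 + 8]`) would remove any doubt about how much is copied.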