On Thu Feb 1 19:54:53 2024 +0000, Paul Gofman wrote:
I had a quick look at the HotPatch function in hotpatch.cpp and it has two paths. One, under `#ifdef USEMINHOOK`, ends up in CreateTrampolineFunction and doesn't assume an exact hotpatch prologue; it does some disassembly and minds different instruction sizes. Such things were usually breaking under Wine before PE builds, but with PE builds they usually just work without DECLSPEC_HOTPATCH. The other path is checking this (it is the failure condition, i.e., to succeed it needs one of the memcmps to match; patch_address is 5 bytes before the function start): `if(memcmp( "\x90\x90\x90\x90\x90\x8B\xFF", patch_address, 7) && memcmp( "\x90\x90\x90\x90\x90\x89\xFF", patch_address, 7)){` That is going to fail even with DECLSPEC_HOTPATCH because we usually have 0xcc (int3) instead of 0x90 (nop) as padding between functions. So I didn't try how that actually works nor studied that code completely, but are you sure that it doesn't work without DECLSPEC_HOTPATCH on all those functions and does work with DECLSPEC_HOTPATCH added?
Thanks for looking into it Paul. I didn't see how the code could possibly work without the `mov %edi %edi` prologue, but I missed the part where DxWnd does disassembly. I will have to figure out which checkboxes in the user interface enable which hooks and then test them individually. For now, I've downgraded the 5 patches I sent to "Draft" status.
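As an added illustration of the prologue check discussed above (example code written for this page, not DxWnd's or Wine's own code): the byte sequences below are constructed samples of a 5-byte padding run followed by a function entry, the addresses are hypothetical, and `hotpatch_classify`, `hotpatch_apply` and the other names are this example's, not the project's. `nop_only_check` reproduces the success condition of the quoted memcmp pair, so it rejects int3 padding; the relaxed variant accepts a uniform run of either 0x90 or 0xCC, and `hotpatch_apply` then writes the classic patch into a byte buffer: a 5-byte `jmp rel32` into the padding and `EB F9` (`jmp -7`) over the 2-byte `mov edi,edi`, leaving the original body intact from function start + 2.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample byte sequences (not taken from DxWnd or Wine): five
 * bytes of inter-function padding followed by a function entry. Offset 5
 * is the function start, so offset 0 is what DxWnd calls patch_address. */
#define FUNC_OFF 5
static const uint8_t img_int3[]  = { 0xCC,0xCC,0xCC,0xCC,0xCC, 0x8B,0xFF, 0x55, 0x8B,0xEC }; /* int3 pad; mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t img_nop[]   = { 0x90,0x90,0x90,0x90,0x90, 0x89,0xFF, 0x55, 0x8B,0xEC }; /* nop pad; other encoding of mov edi,edi */
static const uint8_t img_plain[] = { 0xCC,0xCC,0xCC,0xCC,0xCC, 0x55, 0x8B,0xEC, 0xC3, 0xCC }; /* no hotpatch prologue at all */

typedef enum { HP_NONE = 0, HP_NOP_PAD = 1, HP_INT3_PAD = 2 } hp_kind;

/* Success condition of the check quoted from DxWnd: one of the two
 * memcmp calls must match, so only 0x90 padding is accepted. */
int nop_only_check(const uint8_t *patch_address)
{
    return memcmp("\x90\x90\x90\x90\x90\x8B\xFF", patch_address, 7) == 0 ||
           memcmp("\x90\x90\x90\x90\x90\x89\xFF", patch_address, 7) == 0;
}

/* Relaxed check: a uniform run of five 0x90 or 0xCC bytes, then either
 * encoding of mov edi,edi. func must point at least 5 bytes into a buffer. */
hp_kind hotpatch_classify(const uint8_t *func)
{
    const uint8_t *pad = func - 5;
    uint8_t fill = pad[0];
    if (fill != 0x90 && fill != 0xCC)
        return HP_NONE;
    for (int i = 1; i < 5; i++)
        if (pad[i] != fill)
            return HP_NONE;
    if (func[1] != 0xFF || (func[0] != 0x8B && func[0] != 0x89))
        return HP_NONE;
    return fill == 0x90 ? HP_NOP_PAD : HP_INT3_PAD;
}

/* Little-endian rel32 read, used to inspect what was written. */
uint32_t rel32_at(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Write the classic hotpatch into a byte buffer: E9 rel32 into the padding
 * and EB F9 (jmp -7, back to the padding) over mov edi,edi. The rel32 is
 * relative to the end of the 5-byte jmp, which is exactly func_va. Only the
 * buffer is modified; on a live code page a real hook also needs
 * VirtualProtect and FlushInstructionCache. Returns 1 on success. */
int hotpatch_apply(uint8_t *func, uint32_t func_va, uint32_t hook_va)
{
    if (hotpatch_classify(func) == HP_NONE)
        return 0;
    uint32_t rel = hook_va - func_va;
    uint8_t *pad = func - 5;
    pad[0] = 0xE9;
    pad[1] = (uint8_t)(rel & 0xFF);
    pad[2] = (uint8_t)((rel >> 8) & 0xFF);
    pad[3] = (uint8_t)((rel >> 16) & 0xFF);
    pad[4] = (uint8_t)((rel >> 24) & 0xFF);
    func[0] = 0xEB;
    func[1] = 0xF9;
    return 1;
}

/* Hypothetical addresses for the demo: function at 0x10001005, hook at 0x20000000. */
#define DEMO_FUNC_VA 0x10001005u
#define DEMO_HOOK_VA 0x20000000u

/* Copy a 10-byte sample into out and try to hotpatch it; returns hotpatch_apply's result. */
int demo_patch(const uint8_t *sample, uint8_t out[10])
{
    memcpy(out, sample, 10);
    return hotpatch_apply(out + FUNC_OFF, DEMO_FUNC_VA, DEMO_HOOK_VA);
}

int main(void)
{
    uint8_t buf[10];
    printf("nop-only check: int3 sample %d, nop sample %d\n",
           nop_only_check(img_int3), nop_only_check(img_nop));
    printf("relaxed check: int3 %d, nop %d, plain %d\n",
           (int)hotpatch_classify(img_int3 + FUNC_OFF), (int)hotpatch_classify(img_nop + FUNC_OFF),
           (int)hotpatch_classify(img_plain + FUNC_OFF));
    if (demo_patch(img_int3, buf)) {
        printf("patched:");
        for (int i = 0; i < 10; i++)
            printf(" %02X", buf[i]);
        printf("  (original body resumes at func+2 with %02X = push ebp)\n", buf[FUNC_OFF + 2]);
    }
    return 0;
}
```

The point to carry over to the hotpatch.cpp path: the strict memcmp pair returns "no match" for the int3-padded sample even though the `mov edi,edi` prologue is present, while any check that only requires the padding to be a uniform run of NOP or INT3 bytes finds the patch point in both cases. A trampoline that calls the original function must enter at function start + 2, which is why the patch keeps everything from `push ebp` onward untouched.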