
IP relative memory operand is too far away and isn't currently supported #173

Open
Olivki opened this issue Jan 23, 2025 · 4 comments
Labels
area: memory Issues related to the memory manipulation APIs. state: incomplete Issues that have insufficient information to be actionable.

Comments

@Olivki

Olivki commented Jan 23, 2025

Hello, I tried using the injection library to hook the CreateWindowExW function of a game, but it fails with the exception `System.InvalidOperationException: IP relative memory operand is too far away and isn't currently supported. Try to allocate memory close to the original instruction (+/-2GB).` The same happens when I try to inject into the CreateDirectoryW function for the same game.

I'm not quite sure if this is something I could fix from my end, as it seems to be related to where the jump calls are inserted in the game process, if I understood it correctly from the little information I could find related to that exception?

@alexrp
Member

alexrp commented Jan 23, 2025

My suspicion is that the original instructions in those functions contain IP-relative operands, and they're failing to assemble when copied over to the trampoline due to range issues, but it's hard to say for sure without a full stack trace. It would also be helpful if you could disassemble those functions (at run time, not statically) to verify.

@alexrp
Member

alexrp commented Jan 23, 2025

Related: #33, #34, #35

@alexrp alexrp added state: incomplete Issues that have insufficient information to be actionable. area: memory Issues related to the memory manipulation APIs. labels Jan 23, 2025
@Olivki
Author

Olivki commented Jan 23, 2025

> My suspicion is that the original instructions in those functions contain IP-relative operands, and they're failing to assemble when copied over to the trampoline due to range issues, but it's hard to say for sure without a full stack trace. It would also be helpful if you could disassemble those functions (at run time, not statically) to verify.

This is the stack trace from when the FunctionHook.Create method fails:

```
System.InvalidOperationException: IP relative memory operand is too far away and isn't currently supported. Try to allocate memory close to the original instruction (+/-2GB).
   at Iced.Intel.Assembler.Assemble(CodeWriter writer, UInt64 rip, BlockEncoderOptions options)
   at Vezel.Ruptura.Memory.Code.CodeAssembler.Assemble(CodeWriter writer, UInt64 rip) in /_/src/memory/Code/CodeAssembler.cs:line 14
   at Vezel.Ruptura.Memory.Code.FunctionHook.Create(CodeManager manager, Void* target, Void* hook, Object state) in /_/src/memory/Code/FunctionHook.cs:line 318
   at InjectionTest.InjectedProgram.TestHooking() in REDACTED\InjectedProgram.cs:line 166
```

I'm relatively new to injection and reverse engineering, so sorry if I'm gonna ask some dumb stuff, but for disassembling the function, do you mean disassembling the function in which CreateWindowExW / CreateDirectoryW are called? The executable for the game seems to have been packed with Themida, and unlicense fails to find the version it was packed with, and I'm not really sure how to find it out myself. So I can't easily step through them with a debugger.

@alexrp
Member

alexrp commented Jan 23, 2025

> This is the stack trace from when the FunctionHook.Create method fails:

Thanks. This is strong evidence for my suspicion that the original instructions in those functions contain IP-relative operands that are failing to be relocated.

> I'm relatively new to injection and reverse engineering, so sorry if I'm gonna ask some dumb stuff, but for disassembling the function, do you mean disassembling the function in which CreateWindowExW / CreateDirectoryW are called?

I mean disassembling CreateWindowExW and CreateDirectoryW themselves, since those are the functions you're trying to hook. What's likely happening here is that they contain instructions with IP-relative operands in the prologue; disassembling will help confirm that.

Iced (which Ruptura depends on) has a disassembly API that you can use to do so in C# code from within the target process: https://github.com/icedland/iced/blob/master/src/csharp/Intel/README.md#disassemble-decode-and-format-instructions

It would also be useful to know how you're obtaining the function pointers to CreateWindowExW and CreateDirectoryW.
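As an added illustration of the run-time check alexrp asks for (this is example code written for this page, not code from Ruptura, Iced or either participant), the snippet below copies the first bytes of an export from the current process, decodes them with Iced's `Decoder`, and flags every instruction whose encoding depends on its address: RIP-relative memory operands (`Instruction.IsIPRelativeMemoryOperand`), which are the case the exception names, and near relative branches. The 32-byte window, the choice of `NativeLibrary.GetExport` for resolving the pointers, and the module names `user32.dll` / `kernel32.dll` are assumptions for illustration; the issue does not say how the reporter obtained the function pointers.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using Iced.Intel;

// Added diagnostic example (not Ruptura's or Iced's own code). Run it inside the
// process whose functions you intend to hook so that the bytes decoded are the
// ones actually mapped at run time, not the on-disk image.
static class PrologueInspector
{
    public sealed record Finding(ulong Ip, string Text, bool IpRelativeMemory, bool RelativeBranch, ulong Target);

    // One way to obtain a hook target (assumption: the issue does not show how it was done).
    public static unsafe void* GetExport(string module, string export)
    {
        nint handle = NativeLibrary.Load(module);
        return (void*)NativeLibrary.GetExport(handle, export);
    }

    // Decode instructions starting at 'target' until 'windowBytes' bytes are covered
    // or the bytes stop decoding as valid x64 code. 32 bytes is an assumed window,
    // not the number of bytes Ruptura overwrites.
    public static unsafe List<Finding> Inspect(void* target, int windowBytes = 32)
    {
        ulong ip = (ulong)target;
        byte[] code = new ReadOnlySpan<byte>(target, windowBytes).ToArray();

        var decoder = Decoder.Create(64, new ByteArrayCodeReader(code));
        decoder.IP = ip;   // lets Iced resolve RIP-relative operands to real addresses

        var formatter = new NasmFormatter();
        var output = new StringOutput();
        var findings = new List<Finding>();
        ulong end = ip + (ulong)windowBytes;

        while (decoder.IP < end)
        {
            Instruction instr = decoder.Decode();
            if (instr.IsInvalid)
                break;   // window ended mid-instruction, or this is not code at all

            formatter.Format(instr, output);

            // RIP+disp32 memory operand, e.g. "mov rax,[rip+0x1234]". The displacement is
            // only 32 bits wide, so such an instruction cannot be relocated further than
            // +/-2 GiB from its original address: the exact error quoted in this issue.
            bool ipRel = instr.IsIPRelativeMemoryOperand;

            // rel8/rel32 near branches are position-dependent too; the encoder can often
            // rewrite them, but report them so the caller sees the whole prologue picture.
            bool relBranch = instr.Op0Kind is OpKind.NearBranch16 or OpKind.NearBranch32 or OpKind.NearBranch64;

            ulong resolved = ipRel ? instr.IPRelativeMemoryAddress
                           : relBranch ? instr.NearBranchTarget
                           : 0;
            findings.Add(new Finding(instr.IP, output.ToStringAndReset(), ipRel, relBranch, resolved));
        }
        return findings;
    }

    public static unsafe void Main()
    {
        // Module names are assumptions for illustration; the exports being hooked in
        // the issue are CreateWindowExW and CreateDirectoryW.
        var exports = new[]
        {
            (Module: "user32.dll",   Export: "CreateWindowExW"),
            (Module: "kernel32.dll", Export: "CreateDirectoryW"),
        };

        foreach (var (module, export) in exports)
        {
            void* fn = GetExport(module, export);
            Console.WriteLine($"{export} @ 0x{(ulong)fn:X16}");
            foreach (Finding f in Inspect(fn))
            {
                string flag = f.IpRelativeMemory ? $"  <-- IP-relative memory operand, refers to 0x{f.Target:X16}"
                            : f.RelativeBranch   ? $"  <-- relative branch to 0x{f.Target:X16}"
                            : "";
                Console.WriteLine($"  {f.Ip:X16}  {f.Text,-40}{flag}");
            }
        }
    }
}
```

The project needs the `Iced` NuGet package and `<AllowUnsafeBlocks>true</AllowUnsafeBlocks>` in its `.csproj`. Any line marked "IP-relative memory operand" inside the bytes a hook replaces is an instruction that can only be copied to a trampoline lying within +/-2 GiB of the original, which is what the exception message's advice about allocating memory close to the original instruction refers to.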
