[Out of Process] Calling functions in the VTable.
  1. #1 cenron (Member)

    [Out of Process] Calling functions in the VTable.

    So I am trying to call GetObjectName(), VMT #47, but it keeps crashing WoW.

    So here is the code I have so far, but I am stumped as to why it's crashing WoW.

    Code:
    void __declspec(naked) __start_GetObjName()
    {
    	__asm
    	{
    		MOV EDX, [0x011CA310]
    		MOV EDX, [EDX+0x28A4]
    		MOV EAX, FS:[0x2C]
    		MOV EAX, [EAX]
    		ADD EAX, 8
    		MOV [EAX], EDX
    		
    		MOV ECX, [0xDEADBEEF] // WoW uses ECX to store class pointer?
    		MOV EDX, [0xDEADBEEF] 
    		MOV EAX, [EDX + 4 * 47] // Get the address of GetObjectName()
    		CALL EAX
    		RETN
    	}
    }
    void __end_GetObjName() { }
    Here is the injecting code.

    Code:
    // Create our injector
    gpWoW->GetSyringe()->CreateInjector( (unsigned long)__start_GetObjName, dwFuncLen, "GetObjectName" );
    
    // Inject our code into a code cave.
    gpWoW->GetSyringe()->GetInjectorByName( "GetObjectName" )->Inject();
    		
    // Set the 0xDEADBEEF offsets to the correct class pointer.
    gpWoW->GetSyringe()->GetMemory()->SetMem( ((unsigned long)gpWoW->GetSyringe()->GetInjectorByName( "GetObjectName" )->GetAllocAddr() + 0x19), m_dwObject  );
    gpWoW->GetSyringe()->GetMemory()->SetMem( ((unsigned long)gpWoW->GetSyringe()->GetInjectorByName( "GetObjectName" )->GetAllocAddr() + 0x1E), m_dwObject  );		
    
    // Execute returns the DWORD exit code of GetExitCodeThread();
    dwLvl02 = gpWoW->GetSyringe()->GetInjectorByName( "GetObjectName" )->Execute();
    Everything injects fine and the memory gets changed correctly, but whenever it gets to the Execute() line, WoW just crashes. There is no crash dump or anything; it just closes.
  2. #2 shomoiog (Member)
    You try to call functions out of process. 'Nuff said.

  3. #3 Sillyboy72 (Member)
    Well, this isn't "out of process"; that is just a poor choice of words. Injecting and calling a function should mostly work fine.

    But really, you are gonna have to hook a debugger and figure out wtf is going on. Could be a stack cleanup issue? Could be all kinds of things.

    The idea is that the DWORD returned (via eax/thread exit code) will be the address to read in WoW to grab the name? Sounds possible enough.

    Gotta say... injecting a DLL and just staying in process is like 926x easier.

  4. #4 bigtimt (Active Member)
    The GetObjectName function has one parameter
    Code:
    GetObjectName(DWORD ObjectBaseAddress)
    from what I think I remember, so you have to push ObjectBaseAddress onto the stack.

    And if it is a stack cleanup issue, I believe you would add

    Code:
    add esp, (4 * Number of Parameters)
    after CALL EAX.

  5. #5 lanman92 (Active Member)
    I'm not positive, but I think that GetObjName() has a static address, and all of the CG_XXX inherit it. You have to move ObjBase to ecx and then find the address. It should work.

  6. #6 shomoiog (Member)
    It's not a "bad choice of words", it's ignorance; he has no damn clue what he is doing. If it crashes and you want help, provide the stack/register snapshots. This is not voodoo: reproduce what you consider a sequence of magic words and symbols to find out why you get turned into a chicken. The fact that WoW "just crashes" and the OP is mesmerized about how this could be happening when he's tampering with its execution flow says a lot.

    This forum is an incredible resource, hats off to those that actually added the useful stuff, but there is also a lot of "omgz I wanna haxxor wow, I don't know what "injecting" means or that a plane has two dimensions, but cat I has some sources to has imba haxxx?!!?? I learned at school to press F5 to compile/run, I am am so coool!"

    I've been reading this forum for a few days now, and I found absolutely everything I could ever need to find out in order to get me started on this matter. I am an uber newb to wow reversing, I haven't seen mnemonics in years, and I am still annoyed by more than 70% of the posts. I have no idea how the "big" guys put up with it.

    Thanks Cypher, Kynox and everyone else that made this a fun journey.

  7. #7 Cypher (Kynox's Sister's Pimp)
    Nope. GetObjectName is a virtual method.

    // Virtual function 47.
    virtual const char* GetObjectName();

  8. #8 shomoiog (Member)
    Originally Posted by lanman92 View Post
    I'm not positive, but I think that GetObjName() has a static address, and all of the CG_XXX inherit it. You have to move ObjBase to ecx and then find the address. It should work.
    Wouldn't that negate the whole polymorphism idea? Not to mention that adding "virtual","static" and "inheritance" in the same sentence makes little baby Jesus cry...

  9. #9 lanman92 (Active Member)
    I said I'm not positive, no need to flame bro.

    EDIT: I guess I was thinking about UpdateModel() or something.
    Last edited by lanman92; 01-31-2009 at 02:06 AM.

  10. #10 cenron (Member)
    Originally Posted by shomoiog View Post
    It's not a "bad choice of words", it's ignorance; he has no damn clue what he is doing. If it crashes and you want help, provide the stack/register snapshots. This is not voodoo: reproduce what you consider a sequence of magic words and symbols to find out why you get turned into a chicken. The fact that WoW "just crashes" and the OP is mesmerized about how this could be happening when he's tampering with its execution flow says a lot.

    This forum is an incredible resource, hats off to those that actually added the useful stuff, but there is also a lot of "omgz I wanna haxxor wow, I don't know what "injecting" means or that a plane has two dimensions, but cat I has some sources to has imba haxxx?!!?? I learned at school to press F5 to compile/run, I am am so coool!"

    I've been reading this forum for a few days now, and I found absolutely everything I could ever need to find out in order to get me started on this matter. I am an uber newb to wow reversing, I haven't seen mnemonics in years, and I am still annoyed by more than 70% of the posts. I have no idea how the "big" guys put up with it.

    Thanks Cypher, Kynox and everyone else that made this a fun journey.

    Are you done, dude? All I am hearing from you is :cry2: :cry2: :cry2: :cry2:

    Just STFU and GTFO! Your post is nothing but a waste of time. When I say out of process, I am talking about the program that injects the code into WoW being a stand-alone app. **** people hear one word and start crying like a little bitch!

    You talk so much shit but then you go and say this.

    Originally Posted by shomoiog View Post
    You try to call functions out of process. 'Nuff said.
    You're such a TARD!!!!!!


    Originally Posted by Sillyboy72 View Post
    Well, this isn't "out of process"; that is just a poor choice of words. Injecting and calling a function should mostly work fine.

    But really, you are gonna have to hook a debugger and figure out wtf is going on. Could be a stack cleanup issue? Could be all kinds of things.

    The idea is that the DWORD returned (via eax/thread exit code) will be the address to read in WoW to grab the name? Sounds possible enough.

    Gotta say... injecting a DLL and just staying in process is like 926x easier.
    Ya, I agree DLL injection is much easier. I have a DLL I wrote, with all the help I got from Cypher, Kynox, and Bobbysing, that does what I need it to.

    I am doing this out-of-process thing just for fun and not really taking it too seriously. Something to work on when I am tired of working on the normal projects.

    I posted this right before going to work hoping maybe someone had had the same problem. I'll run through it with a debugger now that I am home. Thanks for the tip, and I am assuming that GetThreadExitCode returns the address :X I haven't looked into it yet to see if that's how it works because I am on the ASM crashing WoW. Think of it as a placeholder.
    Last edited by cenron; 01-31-2009 at 02:21 AM.

  11. #11 Xarg0 (Member)
    Cenron, try to pause WoW's main thread before you execute your code cave and resume it afterwards.
    SuspendThread is your friend.
    It's very likely to be a threading issue: WoW's main thread accesses the CurMgr object and you do so too, and this results in a crash.
    If your code still doesn't work after implementing this, you messed up somewhere else and you'll need to debug your code. OllyDbg is your friend as well.
    I hacked 127.0.0.1

  12. #12 kynox (Account not activated by Email)
    Guys, think for a second. Why would GetObjectName even need to enumerate the linked object list? You pass it the fkn object.

  13. #13 cenron (Member)
    THANKS FOR ALL THE HELP GUYS! But with some time spent in Olly I figured out what the problem was. Anyway, here is the revised code that currently works.

    Code:
    // GetObjectName() VTable function stub.
    void __declspec(naked) __start_GetObjName()
    {
        __asm
        {
            // TLS setup carried over from the first version: copy a client global
            // (client-specific offsets 0x011CA310 / 0x28A4) into this thread's
            // TLS block at +8. FS:[0x2C] is the TEB's ThreadLocalStoragePointer.
            MOV EDX, [0x011CA310]
            MOV EDX, [EDX+0x28A4]
            MOV EAX, FS:[0x2C]
            MOV EAX, [EAX]
            ADD EAX, 8
            MOV [EAX], EDX
            // thiscall: ECX = the object pointer itself (0xDEADBEEF is patched
            // at +0x19 by the injector). The first version loaded [object], i.e.
            // the vtable pointer, into ECX, so the method ran with the wrong 'this'.
            MOV ECX, 0xDEADBEEF
            MOV EDX, [ECX]          // vtable pointer is the object's first dword
            MOV EAX, [EDX + 4 * 47] // slot 47 = GetObjectName (4 bytes per slot)
            CALL EAX                // returns const char* in EAX
            RETN                    // EAX becomes the remote thread's exit code
        }
    }
    void __end_GetObjName() { }
    unsigned long dwGetObjNameLen = ((unsigned long)__end_GetObjName - (unsigned long)__start_GetObjName);
    // End of GetObjectName()
    Injection code.

    Code:
    gpWoW->GetSyringe()->GetInjectorByName( "GetObjectName" )->Inject();
    gpWoW->GetSyringe()->GetMemory()->SetMem( ((unsigned long)gpWoW->GetSyringe()->GetInjectorByName( "GetObjectName" )->GetAllocAddr() + 0x19), m_dwObject  );
    	
    dwLvl02 = gpWoW->GetSyringe()->GetInjectorByName( "GetObjectName" )->Execute();
    gpWoW->GetSyringe()->GetInjectorByName( "GetObjectName" )->CleanUp();
    Sillyboy72: So I did confirm that GetThreadExitCode() does return the address of EAX, which is where the name is stored.


    Hope this helps someone out.
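As an added illustration (not code from this thread or the game), here is a plain C model of what the stub does: an object whose first dword is the vtable pointer, dispatch through slot 47 at byte offset 4 * 47, and what the first version's MOV ECX, [object] would have handed the method as `this`. The object layout, slot table and sample name are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an MSVC-style C++ object: the vtable pointer is
 * the first field, and every virtual method receives the object as `this`. */
typedef const char *(*vmethod_t)(void *self);

typedef struct {
    const vmethod_t *vtable;   /* first dword of the object */
    char name[32];
} object_t;

#define GET_OBJECT_NAME_SLOT 47

/* Our slot-47 method, playing the role of GetObjectName(). */
static const char *get_object_name(void *self) { return ((object_t *)self)->name; }

static vmethod_t vtable_slots[GET_OBJECT_NAME_SLOT + 1]; /* slots 0..46 stay NULL */

/* Byte offset the stub computes with [EDX + 4 * 47]: 4-byte slots on 32-bit x86. */
uint32_t slot_byte_offset(unsigned slot) { return 4u * slot; }

/* Correct dispatch, mirroring the working stub:
 *   MOV ECX, obj ; MOV EDX, [ECX] ; MOV EAX, [EDX + 4*slot] ; CALL EAX */
const char *call_virtual(void *obj, unsigned slot) {
    const vmethod_t *vt = *(const vmethod_t **)obj;  /* EDX = [ECX]            */
    vmethod_t fn = vt[slot];                          /* EAX = [EDX + 4 * slot] */
    return fn ? fn(obj) : NULL;                       /* ECX = obj is `this`    */
}

/* The first version's mistake, MOV ECX, [obj], loads the dword AT the object,
 * which is the vtable pointer. This returns what `this` would have been. */
void *this_from_buggy_stub(void *obj) { return *(void **)obj; }

object_t *make_sample(void) {
    static object_t obj;
    vtable_slots[GET_OBJECT_NAME_SLOT] = get_object_name;
    obj.vtable = vtable_slots;
    strcpy(obj.name, "Hogger");      /* constructed sample name */
    return &obj;
}

int main(void) {
    object_t *obj = make_sample();
    printf("slot %d at +0x%X -> %s\n", GET_OBJECT_NAME_SLOT,
           slot_byte_offset(GET_OBJECT_NAME_SLOT), call_virtual(obj, GET_OBJECT_NAME_SLOT));
    printf("buggy 'this' == vtable? %s\n",
           this_from_buggy_stub(obj) == (void *)vtable_slots ? "yes" : "no");
    return 0;
}
```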
