[C++] Endscene hook and dostring code inject and wow crashed....

**yangken** · 12-14-2010

base on

HTML Code:

http://www.mmowned.com/forums/world-of-warcraft/bots-programs/memory-editing/305473-sample-code-endscene-hook-asm-blackmagic.html

i turned asm code to machine code, checked for several times, still may have some error bytes.
when excute fun: writeprocessmemory(), the wow crashed, and never recover again

reboot the system still invaild, execute wow.exe, the thread was created, but no window displays.

somebody help me~~~

Here's my code

Code:

LONG	pDevicePtr_1 = DX_DEVICE;
	LONG	pDevicePtr_2 = DX_DEVICE_IDX;
	LONG	oEndScene = ENDSCENE_IDX;
	BOOL	b_success = FALSE;
	DWORD	endsceneaddr = 0;
	DWORD	injectcodelen = 0;
	if (m_wowhandle == NULL)	return b_success;
	b_success = ReadProcessMemory(m_wowhandle, (LPVOID)(m_wowbaseaddr+pDevicePtr_1), &endsceneaddr, 4, NULL);
	if (!b_success)	return b_success;
	b_success = ReadProcessMemory(m_wowhandle, (LPVOID)(endsceneaddr+pDevicePtr_2), &endsceneaddr, 4, NULL);
	if (!b_success)	return b_success;
	b_success = ReadProcessMemory(m_wowhandle, (LPVOID)endsceneaddr, &endsceneaddr, 4, NULL);
	if (!b_success)	return b_success;
	b_success = ReadProcessMemory(m_wowhandle, (LPVOID)(endsceneaddr+oEndScene), &endsceneaddr, 4, NULL);
	LPVOID injectcode = VirtualAllocEx(m_wowhandle, NULL, 64, MEM_COMMIT, PAGE_READWRITE);
	ASSERT(injectcode);
	(LPVOID)m_injectcodeaddr = VirtualAllocEx(m_wowhandle, NULL, 4, MEM_COMMIT, PAGE_READWRITE);
	ASSERT(m_injectcodeaddr);
	LPVOID retinjectaddr = VirtualAllocEx(m_wowhandle, NULL, 4, MEM_COMMIT, PAGE_READWRITE);
	ASSERT(retinjectaddr);
	BYTE hookjmp[5] = {0xE9, (BYTE)injectcode, (BYTE)(((DWORD)injectcode)>>8), (BYTE)(((DWORD)injectcode)>>16), (BYTE)(((DWORD)injectcode)>>24)};
	BYTE injectprecodedata[50] = {0x60, 0x9C, 0xA1, (BYTE)((DWORD)m_injectcodeaddr), (BYTE)(((DWORD)m_injectcodeaddr)>>8),
		(BYTE)(((DWORD)m_injectcodeaddr)>>16), (BYTE)(((DWORD)m_injectcodeaddr)>>24), 0x85, 0xC0, 0x74, (BYTE)((((DWORD)injectcode))+38),
		(BYTE)(((((DWORD)injectcode))+38)>>8), (BYTE)(((((DWORD)injectcode))+38)>>16), (BYTE)(((((DWORD)injectcode))+38)>>24), 0xA1, 
		(BYTE)((DWORD)m_injectcodeaddr), (BYTE)(((DWORD)m_injectcodeaddr)>>8), (BYTE)(((DWORD)m_injectcodeaddr)>>16), 
		(BYTE)(((DWORD)m_injectcodeaddr)>>24), 0xFF, 0xD0, 0xA3, (BYTE)(((DWORD)retinjectaddr)), (BYTE)(((DWORD)retinjectaddr)>>8),
		(BYTE)(((DWORD)retinjectaddr)>>16), (BYTE)(((DWORD)retinjectaddr)>>24), 0xBA, (BYTE)((DWORD)m_injectcodeaddr), 
		(BYTE)(((DWORD)m_injectcodeaddr)>>8), (BYTE)(((DWORD)m_injectcodeaddr)>>16), (BYTE)(((DWORD)m_injectcodeaddr)>>24), 0xB9, 0x00,
		0x00, 0x00, 0x00, 0x89, 0x0A, 0x9D, 0x61, 0x89, 0xFF, 0x55, 0x89, 0xE5, 0xE9, (BYTE)((DWORD)endsceneaddr+5), 
		(BYTE)(((DWORD)endsceneaddr+5)>>8), (BYTE)(((DWORD)endsceneaddr+5)>>16), (BYTE)(((DWORD)endsceneaddr+5)>>24)};
	WriteProcessMemory(m_wowhandle, injectcode, injectprecodedata, 50, &injectcodelen);
	WriteProcessMemory(m_wowhandle, (LPVOID)endsceneaddr, hookjmp, 5, NULL);

**Cypher** · 12-15-2010

Holy sweet jesus. What the ****?

**Syltex** · 12-15-2010

An suggestion: clean up your ****nig code b4 posting.

**Azzie2k8** · 12-15-2010

Originally Posted by Cypher

Holy sweet jesus. What the ****?

Exactly my thoughts...and also include the offsets you are using + make it readable...and remember that adresses are relative to wows base address

**suicidity** · 12-15-2010

Uhm.. someone likes C style casting..

**Viano** · 12-15-2010

Muahaha... thanks... that made my brilliant day.

**mindwalkr** · 12-15-2010

There is a reason why people use on-the-fly ASM compiling. Injecting runstream opcode's inline is just not readable (except by one guy I know, but he could read asm from a hex dump and that is JUST NOT NORMAL)..

**Flushie** · 12-19-2010

I automatically felt degraded after looking at your code and thought "****, so this is what being a programmer is like", then I read Cyphers comments and thought "Nope this is what failure is like."

**yangken** · 12-20-2010

，i am a loser.....

**hamburger12** · 12-23-2010

Code:

int LuaDoString(System::String ^Command)
{
	int WowId = aProcess::GetProcessIdByName("Wow");
	Console::WriteLine(WowId.ToString());
	Hook ^EndScene = gcnew Hook(WowId);

	System::UInt32 pDevicePtr = EndScene->BlackMagic->ReadUInt(0x00D7F7F4);
	pDevicePtr = EndScene->BlackMagic->ReadUInt(pDevicePtr + 0x27C4);

	System::UInt32 EndSceneAddr = EndScene->BlackMagic->ReadUInt(pDevicePtr);
	EndSceneAddr = EndScene->BlackMagic->ReadUInt(EndSceneAddr + 0xA8);
	Console::WriteLine(EndSceneAddr.ToString());
	EndScene->Hook_Install(EndSceneAddr);

	// Command to send using LUA
	//System::String ^Command = "print(\"EndScene hooked! Mit C++!\");";

	// Allocate memory for command
	System::UInt32 DoString_space = EndScene->BlackMagic->AllocateMemory(Encoding::UTF8->GetBytes(Command)->Length + 1);

	// Write command in the allocated memory
	EndScene->BlackMagic->WriteBytes(DoString_space, Encoding::UTF8->GetBytes(Command));

	// Write the asm stuff for Lua_DoString
	EndScene->Hook_AsmAddLine("mov eax, " + DoString_space);
	EndScene->Hook_AsmAddLine("push 0");
	EndScene->Hook_AsmAddLine("push eax");
	EndScene->Hook_AsmAddLine("push eax");
	EndScene->Hook_AsmAddLine("mov eax, 0x79D8C0"); // Lua_DoString
	EndScene->Hook_AsmAddLine("call eax");
	EndScene->Hook_AsmAddLine("add esp, 0xC");
	EndScene->Hook_AsmAddLine("retn");

	// Inject the shit
	EndScene->Hook_AsmInject();

	// Free memory allocated for command
	EndScene->BlackMagic->FreeMemory(DoString_space);

	// Uninstall the hook
	EndScene->Hook_Remove();

	//Console::ReadLine();
	return 1;
}

**Cypher** · 12-23-2010

Originally Posted by hamburger12

Code:

int LuaDoString(System::String ^Command)
{
	int WowId = aProcess::GetProcessIdByName("Wow");
	Console::WriteLine(WowId.ToString());
	Hook ^EndScene = gcnew Hook(WowId);

	System::UInt32 pDevicePtr = EndScene->BlackMagic->ReadUInt(0x00D7F7F4);
	pDevicePtr = EndScene->BlackMagic->ReadUInt(pDevicePtr + 0x27C4);

	System::UInt32 EndSceneAddr = EndScene->BlackMagic->ReadUInt(pDevicePtr);
	EndSceneAddr = EndScene->BlackMagic->ReadUInt(EndSceneAddr + 0xA8);
	Console::WriteLine(EndSceneAddr.ToString());
	EndScene->Hook_Install(EndSceneAddr);

	// Command to send using LUA
	//System::String ^Command = "print(\"EndScene hooked! Mit C++!\");";

	// Allocate memory for command
	System::UInt32 DoString_space = EndScene->BlackMagic->AllocateMemory(Encoding::UTF8->GetBytes(Command)->Length + 1);

	// Write command in the allocated memory
	EndScene->BlackMagic->WriteBytes(DoString_space, Encoding::UTF8->GetBytes(Command));

	// Write the asm stuff for Lua_DoString
	EndScene->Hook_AsmAddLine("mov eax, " + DoString_space);
	EndScene->Hook_AsmAddLine("push 0");
	EndScene->Hook_AsmAddLine("push eax");
	EndScene->Hook_AsmAddLine("push eax");
	EndScene->Hook_AsmAddLine("mov eax, 0x79D8C0"); // Lua_DoString
	EndScene->Hook_AsmAddLine("call eax");
	EndScene->Hook_AsmAddLine("add esp, 0xC");
	EndScene->Hook_AsmAddLine("retn");

	// Inject the shit
	EndScene->Hook_AsmInject();

	// Free memory allocated for command
	EndScene->BlackMagic->FreeMemory(DoString_space);

	// Uninstall the hook
	EndScene->Hook_Remove();

	//Console::ReadLine();
	return 1;
}

That's not C++... That's C++/CLI, a totally different language.

**hamburger12** · 12-23-2010

Sry you are right

Shout-Out

User Tag List

Thread: [C++] Endscene hook and dostring code inject and wow crashed....

Thread Tools

Search Thread

[C++] Endscene hook and dostring code inject and wow crashed....

Similar Threads

[Sample Code] EndScene Hook with ASM and blackmagic

C# code that automatically gets Endscene (DirectX9) and Present (DirectX 11) offsets

Understanding Detours and EndScene Hooking

Injection, Hooking and the Bottleneck

[Test Theory] EndScene hook without Native Code (Kinda)

OwnedCore Forums

casino

CoreCoins

My OwnedCore

About Us

Casino