1.12.1 - C#: Calling DoString from Main-Thread using EndScene-Hook?
#1 mskc33 (Member)

    Hi there.

    I am currently trying to call Lua's DoString. So far, I've been doing it with FrameScript_Execute which, as expected, can cause the game to shut down/crash on occasion because I call it from outside the main thread.

    Now, I use C# in combination with the MemorySharp library and do not want to inject my bot into the game for many reasons.
    I understand how to allocate code caves and what they are for (at least I think so!). My ASM knowledge is bad, just like my knowledge of reverse engineering. But I'm working on improving that right now.

    What I am looking for: Is there a good, well-commented example of calling Lua's DoString from inside the game by using C#, code caves and (I assume) hooking EndScene? I'm not looking for code I can copy; I want to understand how exactly it works, why it works and why we do it this way. Most of the code I found online is ... how do I put it ... less than optimal and not very well documented.

    Just in case anybody is wondering, this is the code I am using right now. I'm just putting it here for educational reasons; I do not recommend that anybody use this since, as I mentioned above, it will crash your game sometimes.

    Code:
    using System;
    using System.Text;
    using Binarysharp.MemoryManagement; // MemorySharp; Game is the MemorySharp instance attached to the client

    // Lua chunk to run. The inner quotes are escaped and the C# literal itself must be closed.
    var command = "SendChatMessage(\"Hello, World:\");";
    var cmd = Encoding.UTF8.GetBytes(command);

    // 1.12.1 client address of FrameScript_Execute.
    var FrameScript_Execute = new IntPtr(0x00704CD0);

    // Allocate room in the game process for the script plus its NUL terminator and copy it in.
    var lua_cave = Game.Memory.Allocate(cmd.Length + 1);
    lua_cave.WriteString(command, Encoding.UTF8);

    // Pass the script buffer as both the code and the source name, then call the function.
    var asm_code = new[] {
        "mov ecx, " + lua_cave.BaseAddress,
        "mov edx, " + lua_cave.BaseAddress,
        "call " + FrameScript_Execute,
        "retn"
    };

    // InjectAndExecute runs the stub on a newly created remote thread, not the game's
    // main thread, which is why this can crash the client.
    Game.Assembly.InjectAndExecute(asm_code);
    Game.Memory.Deallocate(lua_cave);

#2 Corthezz (Elite User)

    Check my blog: https://zzuks.blogspot.com
#3 mskc33 (Member)

    Thank you! I already studied your code and tried to implement the same thing, but I got confused about how exactly it works.
    I added you on Skype and also joined your IRC, but you didn't respond, so I assume you were busy.

    Like I said before, I am looking for some well-commented code. And while I like your overall coding style, you don't really have many comments that explain what exactly is going on. Of course, you know what is going on and therefore the code is self-explanatory to you. But a good rule of thumb is to code as if the next person reading the code has no idea what it is doing.

    No offense! But I would love it if you could add some more structure and comments to the repository. It could be used by newbies like me trying to wrap their heads around it.

    Thanks for reading!

#4 DarkLinux (Former Staff)

    I don't think comments are going to help you. Try and learn asm; it's as simple as that. Then debug the function, see who calls it and how it's called.

#5 mskc33 (Member)

    That sounds like a plan! Thank you.

    Any specific books / online resources you could recommend off the top of your head?

#6 DarkLinux (Former Staff)

    Assembly Programming Tutorial is a good start I guess.

#7 squiggy (Active Member)

    Instead of the remote thread running the code in your code cave, you want to detour some part of the program called by the main thread, like EndScene. A common way to do this is by overwriting the first 5 bytes in a function with a jmp to your code cave. When I did this I began by studying the iHook library source code in order to understand what it did and how it did it. [C# DLL] iHook, EndScene ASM Injection!

    Edit: you might also find this article useful; I stumbled on it a couple of weeks ago: http://jbremer.org/x86-api-hooking-demystified/
    Last edited by squiggy; 02-26-2017 at 06:53 AM.

#8 -Ryuk- (Elite User)

    Originally Posted by mskc33:
    Hi there.

    I am currently trying to call Lua's DoString. So far, I've been doing it with FrameScript_Execute which, as expected, can cause the game to shut down/crash on occasion because I call it from outside the main thread.

    Now, I use C# in combination with the MemorySharp library and do not want to inject my bot into the game for many reasons.
    I understand how to allocate code caves and what they are for (at least I think so!). My ASM knowledge is bad, just like my knowledge of reverse engineering. But I'm working on improving that right now.

    What I am looking for: Is there a good, well-commented example of calling Lua's DoString from inside the game by using C#, code caves and (I assume) hooking EndScene? I'm not looking for code I can copy; I want to understand how exactly it works, why it works and why we do it this way. Most of the code I found online is ... how do I put it ... less than optimal and not very well documented.
    At this point, there is no reason not to be fully injected. Private servers do a much better job using Warden to its potential than Blizzard does. Hooking EndScene/writing your own data to code caves IS enough to get you banned. Just inject your C# DLL, bypass Warden checks correctly, and call every function you want directly. It's not like in retail, where they could (and do) add "in-client" checks with content patches.

    Originally Posted by squiggy:
    Instead of the remote thread running the code in your code cave, you want to detour some part of the program called by the main thread, like EndScene. A common way to do this is by overwriting the first 5 bytes in a function with a jmp to your code cave. When I did this I began by studying the iHook library source code in order to understand what it did and how it did it. [C# DLL] iHook, EndScene ASM Injection!

    Edit: you might also find this article useful; I stumbled on it a couple of weeks ago: http://jbremer.org/x86-api-hooking-demystified/
    Thanks for the mention; however, this code is old and ugly. Although it should still work, keep in mind that there are MUCH better alternatives.

#9 squiggy (Active Member)

    Originally Posted by -Ryuk-:
    Thanks for the mention; however, this code is old and ugly. Although it should still work, keep in mind that there are MUCH better alternatives.
    Well, in either case, when I started looking into code injection about half a year ago I wanted as few abstractions as possible to understand the process, and your source code helped me a lot, so thank you.

    Originally Posted by -Ryuk-:
    Private servers do a much better job using Warden to its potential than Blizzard does. Hooking EndScene/writing your own data to code caves IS enough to get you banned. Just inject your C# DLL, bypass Warden checks correctly, and call every function you want directly. It's not like in retail, where they could (and do) add "in-client" checks with content patches.
    OK, now this surprised me. I would have thought that an EndScene hook coupled with some memory writes to the heap would be a pretty safe method even for a public project. Would you mind me asking how they're detecting that? Can the Warden module detect heap allocations, or are they following the hook/jump and looking for known hashes or calls to the text area? Just throwing out some thoughts here; I've only got a very basic understanding of how Warden works.

    I'm currently hooking EndScene similarly to iHook, with the exception that I'm overwriting the pointer in the DX device vtable to hook it. Should I be concerned and start researching Warden? None of my projects are public, btw.

#10 namreeb (Legendary)

    Theoretically they could look for a JMP hook in EndScene with Warden, but I'm not aware of anyone doing that.

    Edit: Also an INT3 or IAT hook or any other kind of hook which involves memory writing.

    Edit 2: It is unlikely that you will see this unless they are looking for specific and unique modifications, because I'm pretty sure Fraps and similar programs hook EndScene too?
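
    The modifications discussed above (the 5-byte jmp detour squiggy describes, the INT3 variant namreeb mentions, and the vtable-pointer swap squiggy uses) are exactly what a function-entry integrity check looks for. The following C is an added example written for this thread, not code from any poster, from iHook, or from Warden. It classifies a snapshot of a function prologue and a vtable slot the way such a check would; the byte samples, FUNC_ADDR and the module range are constructed values, not real client or d3d9.dll data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example for this thread; constructed data throughout. */

enum hook_kind {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,   /* E9 rel32: the 5-byte detour overwriting the entry */
    HOOK_JMP_ABS,     /* FF 25 [abs32]: indirect jump through a pointer slot */
    HOOK_PUSH_RET,    /* 68 imm32 ; C3: push target, ret */
    HOOK_INT3,        /* CC: software breakpoint on the entry */
    HOOK_MODIFIED     /* bytes differ from the clean baseline some other way */
};

/* FNV-1a over the snapshot. The baseline hash comes from a known-clean copy
 * (the on-disk image, or a snapshot taken before third-party code ran). */
uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Classify the first bytes of a function. 'addr' is the virtual address the
 * snapshot was read from; a relative jump lands at addr + 5 + rel32.
 * 'target_out' receives the resolved target (for FF 25, the pointer slot). */
enum hook_kind classify_prologue(const uint8_t *b, size_t n, uint32_t addr,
                                 uint32_t baseline_hash, uint32_t *target_out) {
    uint32_t imm = 0;
    if (target_out) *target_out = 0;
    if (n >= 5 && b[0] == 0xE9) {
        int32_t rel;
        memcpy(&rel, b + 1, 4);
        if (target_out) *target_out = addr + 5 + (uint32_t)rel;
        return HOOK_JMP_REL32;
    }
    if (n >= 6 && b[0] == 0xFF && b[1] == 0x25) {
        memcpy(&imm, b + 2, 4);
        if (target_out) *target_out = imm;
        return HOOK_JMP_ABS;
    }
    if (n >= 6 && b[0] == 0x68 && b[5] == 0xC3) {
        memcpy(&imm, b + 1, 4);
        if (target_out) *target_out = imm;
        return HOOK_PUSH_RET;
    }
    if (n >= 1 && b[0] == 0xCC) return HOOK_INT3;
    if (fnv1a(b, n) != baseline_hash) return HOOK_MODIFIED;
    return HOOK_NONE;
}

/* A vtable slot should point into the module implementing the class (for the
 * D3D device, the d3d9.dll mapping). Anything else is a swapped pointer.
 * Returns 1 when suspicious. */
int vtable_slot_suspicious(uint32_t slot_value, uint32_t module_base, uint32_t module_size) {
    return !(slot_value >= module_base && slot_value < module_base + module_size);
}

/* Constructed samples. CLEAN is a hot-patchable prologue:
 * mov edi,edi ; push ebp ; mov ebp,esp ; sub esp,0x10. */
#define FUNC_ADDR 0x10001000u   /* made-up address the function lives at */
static const uint8_t CLEAN[8]      = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
static const uint8_t JMP_PATCH[8]  = {0xE9,0x00,0x10,0x00,0x00,0x83,0xEC,0x10}; /* jmp +0x1000 */
static const uint8_t INT3_PATCH[8] = {0xCC,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
static const uint8_t PUSHRET[8]    = {0x68,0x00,0x20,0x00,0x10,0xC3,0xEC,0x10}; /* push 0x10002000 ; ret */
static const uint8_t MOD_PATCH[8]  = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x20}; /* one byte changed */

uint32_t clean_baseline(void) { return fnv1a(CLEAN, sizeof CLEAN); }

enum hook_kind check_sample(const uint8_t *sample, uint32_t *target_out) {
    return classify_prologue(sample, 8, FUNC_ADDR, clean_baseline(), target_out);
}

uint32_t sample_target(const uint8_t *sample) {
    uint32_t t = 0;
    check_sample(sample, &t);
    return t;
}

int main(void) {
    const uint8_t *samples[5] = {CLEAN, JMP_PATCH, INT3_PATCH, PUSHRET, MOD_PATCH};
    const char *names[5] = {"clean", "jmp rel32", "int3", "push/ret", "modified"};
    for (int i = 0; i < 5; i++)
        printf("%-10s -> kind %d, target 0x%08x\n", names[i],
               (int)check_sample(samples[i], NULL), sample_target(samples[i]));
    /* Made-up d3d9 mapping: base 0x6FF00000, size 0x100000. */
    printf("vtable slot inside module: %d, outside module: %d\n",
           vtable_slot_suspicious(0x6FF12340u, 0x6FF00000u, 0x100000u),
           vtable_slot_suspicious(0x00D01000u, 0x6FF00000u, 0x100000u));
    return 0;
}
```

    Resolving the jump target matters for the caveat namreeb raises: overlay tools such as Fraps also place a jmp at EndScene, so a detector that treats any E9 as proof of cheating would flag legitimate software. Comparing against a clean baseline and reporting where the detour leads is what lets a check distinguish a known overlay from an unknown modification.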

#11 tutrakan (Contributor)

    Originally Posted by squiggy:
    Instead of the remote thread running the code in your code cave, you want to detour some part of the program called by the main thread, like EndScene. A common way to do this is by overwriting the first 5 bytes in a function with a jmp to your code cave. When I did this I began by studying the iHook library source code in order to understand what it did and how it did it. [C# DLL] iHook, EndScene ASM Injection!

    Edit: you might also find this article useful; I stumbled on it a couple of weeks ago: http://jbremer.org/x86-api-hooking-demystified/
    Excellent response!

    Originally Posted by -Ryuk-:
    At this point, there is no reason not to be fully injected.
    I second that.
    At least you intend to learn the outside way of injection; you should consider injecting your logic inside the WoW client and really have fun with the cool features offered to you from the inside world.
    Last edited by tutrakan; 02-27-2017 at 11:15 PM.

#12 mskc33 (Member)

    Originally Posted by -Ryuk-:
    bypass Warden checks correctly.
    Thanks for your response! Where would be the best place to learn this? After learning assembly, of course.

#13 Corthezz (Elite User)

    Originally Posted by mskc33:
    Thanks for your response! Where would be the best place to learn this? After learning assembly, of course.
    WoWDev, Blizzhackers, any info-dump thread with Warden pointers/offsets, public bot sources.
    An easy start is to set an on-access breakpoint on a scanned address and see where it is read from (you will land in one of Warden's memscan functions).
