[Help][C++ / ASM] Framescript Execute sometimes crashes WoW 1.12.1

  1. #1 prospectingemu (Member)

    [Help][C++ / ASM] Framescript Execute sometimes crashes WoW 1.12.1

    So I'm quite new to both C++ and function hooking/ASM. Currently I'm able to call a few functions without any problems; however, with this one (framescript execute) it will sometimes run for 5+ mins and other times crash instantly. I've looked in Olly and can see there are some issues when calling this (compared to when I call it from in-game using a macro; some of the values are different).

    My question is would it be 'safer (in terms of stability)' to learn to replicate the function and call that in ASM or should I continue to try to call it directly?

    Any help/advice would be greatly appreciated thanks!

    Code:
    (in the header)
    
    static auto const luaDoString = reinterpret_cast <uint32(__fastcall *)(
    	char *)>(0x704CD0);
    
    (in the .cpp)
    
    void Functions::LuaDoString(std::string doWhat){
    	
    	//This causes crashes -> lots of crashes
    	//VirtualProtect((LPVOID)0x0, 100, PAGE_EXECUTE_READWRITE, NULL);
    	
    	convertToASCII(doWhat, command);
    
    	PDWORD dwOldProtect = (PDWORD)PAGE_EXECUTE;
    	
            DWORD dwSize = 512; // Random size chosen
    
    	//This is where I don't really know what happens
    	//If this section does not have read/write/execute the program will crash
    	//from a violation error.
    
    	VirtualProtect((LPVOID)0x06FC9D7, dwSize, PAGE_EXECUTE_READWRITE, dwOldProtect);
    
    	//Call the framescript execute
    	//with our command as a param in ascii
    
    	luaDoString(command);
    
    	//Re-apply the previous protection on the crash command because
    	//I have no idea what the function does.
    
    	VirtualProtect((LPVOID)0x06FC9D7, dwSize, (DWORD)dwOldProtect, NULL);
    
    }

  2. #2 SKU (Contributor)
    I have no idea what your VirtualProtects are supposed to achieve here (the function - assuming your address is correct - is in an executable section already, and you don't need write access to call a function). In any case, you are using VirtualProtect incorrectly.

    Code:
    DWORD dwOldProtect;
    BOOL const success = VirtualProtect(reinterpret_cast<LPVOID>(address), dwSize, PAGE_EXECUTE_READWRITE, &dwOldProtect);
    // check return value, handle failure
    You should also not pass NULL for the 4th argument:

    "A pointer to a variable that receives the previous access protection value of the first page in the specified region of pages. If this parameter is NULL or does not point to a valid variable, the function fails." (VirtualProtect function (Windows))

    The way you are currently calling VirtualProtect (the first call), you are passing a dword pointer that points to 0x10 (PAGE_EXECUTE); this will blow up in your face.

  3. #3 prospectingemu (Member)
    Thanks, I removed the virtual protects and fixed them where I was using them in other places.

    The reason I was trying to use them like that was this:

    Code:
    Exception:	0xC0000005 (ACCESS_VIOLATION) at 0023:006FC9D7
    This is the error which will randomly occur when calling the function

  4. #4 SKU (Contributor)
    The access violation happens here: .text:006FC9D7 repne scasb; so the pointer in edi is garbage (which looks like it's supposed to be a pointer to a string). You (correctly) declared the dostring function as a __fastcall, but you are not providing the second argument that is supposed to go into edx. Sometimes your function calls work out if edx happens to point to valid memory, and sometimes it does not and you crash. Change dostring to:

    Code:
    static auto const luaDoString = reinterpret_cast<uint32 (__fastcall *)(char*, char*)>(0x704CD0);
    and then call it like this:

    Code:
    luaDoString("print('hi')", "somestring");
    IIRC, the second string is usually the file name, but any null terminated string should do.

  5. #5 prospectingemu (Member)
    Thank you for all the help!

    I see what you are saying but the changed doString (with 2 char pointers) isn't working atm.

    This is what is still happening (still)


    (On a 'healthy' call the ESI pushed is 0000000000)

    Is there an easy way to set ESI to 0 prior to me calling the function? (And could this actually fix the problem?)

  6. #6 SKU (Contributor)
    The value in esi should not matter there, it's pushed onto the stack to preserve its value and then immediately overwritten with ecx, the first __fastcall argument. Can you show your entire calling code again, and possibly a stack trace / memory dump / register dump? (full screenshot of OllyDbg during a crash should work).

    I'll see if I still have an old WoW install somewhere to see what's up.

    Edit: Found my old 1.12.1 folder, woohoo; works fine. Here's a view as the function is entered: https://i.imgur.com/ulbVdSH.png - the call site looks like this:

    Code:
    63D51000 >  56              PUSH ESI
    63D51001    8B35 8020D563   MOV ESI,DWORD PTR DS:[<&USER32.GetAsyncK>; USER32.GetAsyncKeyState
    63D51007    6A 70           PUSH 70
    63D51009    FFD6            CALL ESI
    63D5100B    A8 01           TEST AL,1
    63D5100D  ^ 74 F8           JE SHORT DoMe.63D51007
    63D5100F    B8 D04C7000     MOV EAX,704CD0
    63D51014    BA C820D563     MOV EDX,OFFSET DoMe.??_C@_08MPHLKIJO@DoM>; ASCII "DoMe.lua"
    63D51019    B9 D420D563     MOV ECX,OFFSET DoMe.??_C@_0CH@BLDPCACM@D>; ASCII "DEFAULT_CHAT_FRAME:AddMessage("hello")"
    63D5101E    FFD0            CALL EAX
    63D51020 >^ EB E5           JMP SHORT DoMe.63D51007
    Minimal working example (with the injector of your choice):

    Code:
    #include <Windows.h>
    #include <process.h>
    
    
    void RunForever(void*)
    {
    	auto const luaDoString = reinterpret_cast<int (__fastcall *)(char const*, char const*)>(0x00704CD0);
    
    	for (;;)
    	{
    		if (GetAsyncKeyState(VK_F1) & 1)
    		{
    			luaDoString("DEFAULT_CHAT_FRAME:AddMessage(\"hello\")", "DoMe.lua");
    		}
    	}
    
    	_endthread();
    }
    
    extern "C" __declspec(dllexport) void DoMe()
    {
    	_beginthread(&RunForever, 0, nullptr);
    }
    
    BOOL WINAPI DllMain(HINSTANCE, DWORD, LPVOID)
    {
    	return TRUE;
    }
    Last edited by SKU; 03-22-2014 at 11:18 PM.

  7. #7 prospectingemu (Member)
    Here are the breakpoints from calling in-game and from the dll. I'll edit in a crash once one occurs

    Code:
    /script DoEmote("Sit"); //From ingame.
    
    00704CD0   56               PUSH ESI       // ESI = 000000000         ; Framescript execute
    00704CD1   6A 00            PUSH 0
    00704CD3   8BF1             MOV ESI,ECX    //ECX = 1416AEF8, (ASCII "DoEmote("Sit");" // ESI = 00000000
    00704CD5   52               PUSH EDX       //EDX = 1416AEF8, (ASCII "DoEmote("Sit");"
    00704CD6   56               PUSH ESI	   //ESI = 1416AEF8, (ASCII "DoEmote("Sit");"
    00704CD7   E8 145AF4FF      CALL WoW.0064A6F0 //0064A6F0 = WoW.0064A6F0
    00704CDC   8BD0             MOV EDX,EAX    //EAX = 0000000F // EDX = 1416AE00
    00704CDE   8BCE             MOV ECX,ESI    //ESI = 1416AEF8, (ASCII "DoEmote("Sit");" // ECX = 1416AEF8, (ASCII "DoEmote("Sit");"
    00704CE0   E8 FBFDFFFF      CALL WoW.00704AE0 // 00704AE0 = WoW.00704AE0
    00704CE5   5E               POP ESI        // Stack[0018FC30] = 00000000 // ESI = 1416AEF8, (ASCII "DoEmote("Sit");"
    00704CE6   C3               RETN    // Return to 0048B9D0 (WoW.0048B9D0)
    
    function->LuaDoString("DoEmote(\"Sit\");");
    
    00704CD0   56               PUSH ESI       // ESI = 117EFEFC        ; Framescript execute
    00704CD1   6A 00            PUSH 0
    00704CD3   8BF1             MOV ESI,ECX    //ECX = 1B924438, (ASCII "DoEmote("Sit");" // ESI = 117EFEFC 
    00704CD5   52               PUSH EDX       //EDX = 1B924438, (ASCII "DoEmote("Sit");"
    00704CD6   56               PUSH ESI	   //ESI = 1B924438, (ASCII "DoEmote("Sit");"
    00704CD7   E8 145AF4FF      CALL WoW.0064A6F0 //0064A6F0 = WoW.0064A6F0
    00704CDC   8BD0             MOV EDX,EAX    //EAX = 0000000F // EDX = 1B924400
    00704CDE   8BCE             MOV ECX,ESI    //ESI = 1B924438, (ASCII "DoEmote("Sit");" // ECX = 1B924438, (ASCII "DoEmote("Sit");"
    00704CE0   E8 FBFDFFFF      CALL WoW.00704AE0 // 00704AE0 = WoW.00704AE0
    00704CE5   5E               POP ESI        // Stack[117EFEF4] = 117EFEFC // ESI = 1B924438, (ASCII "DoEmote("Sit");"
    00704CE6   C3               RETN    // Return to 561D2AC9 (vanillaE.561D2AC9) // my dll

  8. #8 SKU (Contributor)
    It's likely the error is somewhere else, the call looks okay. What does your convertToASCII(doWhat, command); function do exactly? std::string::c_str() should work here, I don't think dostring performs any writes to its arguments: luaDoString(doWhat.c_str(), "blah");

    Edit: You'll have to change the function signature to take const char* arguments instead or your compiler will complain.

  9. #9 prospectingemu (Member)
    I just used your code, again it worked but I got a crash a few seconds afterwards. Is it possible my dll is causing this? Could the client be trying to reference one of the variables in the stack frame after the function has finished?

    Code:
    void Functions::convertToASCII(std::string letter, char x[255])
    {
    	// Zero the whole 255-byte buffer. (The original loop ran j <= 255,
    	// which writes one byte past the end of x.)
    	for (int j = 0; j < 255; j++){
    		x[j] = 0x0;
    	}
    	// Copy at most 254 characters so the last byte stays a NUL terminator,
    	// whatever the length of the incoming string.
    	size_t n = letter.size() < 254 ? letter.size() : 254;
    	for (size_t i = 0; i < n; i++)
    	{
    		x[i] = letter.at(i);
    	}
    }
    Last edited by prospectingemu; 03-22-2014 at 11:39 PM.

  10. #10 SKU (Contributor)
    If the function is well behaved (which it should be), then it should not touch your stack frames. However, there could be lots of different reasons as to why it is crashing. It's unlikely that your conversion function is the culprit (unless your string happens to be very long), nevertheless I'd suggest you use the std::string's c_str() function to get a const char* pointer back to the raw string.

    It's going to be difficult to resolve the problem like this. If you want, you can send me your entire code base (PM) and I'll have a look when I get a chance, but I'll have to go now.
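As an added example (not code from the thread or its participants), here is the conversion step written so that it can never write past the 255-byte buffer the OP's convertToASCII fills: one byte is always reserved for the NUL terminator, truncation is reported instead of silently overrunning, and a canary check after the buffer shows nothing beyond it is touched. The names copyBounded, canaryIntact and kCmdBufSize are my own.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Fixed buffer size used by the original convertToASCII (char x[255]).
constexpr std::size_t kCmdBufSize = 255;

// Result of a bounded copy: bytes written (excluding the NUL) and whether
// the source had to be cut to fit the buffer.
struct CopyResult {
    std::size_t copied;
    bool truncated;
};

// Copies `src` into `dst[0..cap)` without ever writing past the last element.
// The original loop ran j <= 255 over a char[255] (one byte past the end) and
// then copied letter.size() bytes with no check against the buffer size.
CopyResult copyBounded(const std::string& src, char* dst, std::size_t cap) {
    CopyResult r{0, false};
    if (dst == nullptr || cap == 0) {
        r.truncated = !src.empty();
        return r;
    }
    const std::size_t room = cap - 1;          // keep one byte for the NUL
    r.copied = src.size() < room ? src.size() : room;
    r.truncated = src.size() > room;
    std::memcpy(dst, src.data(), r.copied);
    dst[r.copied] = '\0';                      // always NUL-terminated
    return r;
}

// Returns true if the `extra` bytes placed right after a buffer of `cap`
// bytes still hold the canary value, i.e. the copy stayed inside the buffer.
bool canaryIntact(const char* buf, std::size_t cap, std::size_t extra, char canary) {
    for (std::size_t i = cap; i < cap + extra; ++i)
        if (buf[i] != canary) return false;
    return true;
}
```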

  11. #11 prospectingemu (Member)
    Thank you so much for your help. I'll keep working at it during the week, and if I think I get any closer I'll send you a PM. Thanks again!

  12. #12 jpeg2000 (Member)
    This helps me, thanks.
