Some Classes and Functions from 2012.09.09 menu


Page 8 of 12
Results 106 to 120 of 171
  1. #106
    Ankharlyn
    Originally Posted by JuJuBoSc
    Use IDA and diff 2 binary
    Perfect! Thanks

    Somewhat unrelated, but say I wanted to call getTLS from my code with BlackMagic and get the value of EAX.

    I currently have something like this:

    Code:
    memory.Asm.Clear();
    memory.Asm.AddLine("call {0}", 0x00655BB0);         // call getTLS inside the target
    memory.Asm.AddLine("mov [{0}], eax", tls_address);  // store EAX into the slot allocated for it
    memory.Asm.AddLine("retn");
    byte[] p = memory.Asm.Assemble();

    memory.Asm.InjectAndExecute(guild_wars_two_process.Handle, codecave);

    uint tls_value_address = memory.ReadUInt(tls_address);  // read the stored EAX back
    Which assembles and executes fine (apparently, no crash or error code), but tls_value_address is always zero. Any ideas?

    (I am allocating codecave and the tls_address from BlackMagic as well, just snipped it for brevity.)

  2. #107
    z0m
    Isn't it so that your second line is doing the opposite of what you want to achieve (well not really the opposite, but you know)? I'd do a test eax, eax first btw, just in case to avoid crashes.

  3. #108
    Ankharlyn
    Originally Posted by z0m
    Isn't it so that your second line is doing the opposite of what you want to achieve (well not really the opposite, but you know)? I'd do a test eax, eax first btw, just in case to avoid crashes.
    I think it's right. It's copying eax to the value pointed by (brackets for dereference) the address I got from ManagedFasm Allocate. mov is dst then src, right?

    I'm the first to admit my assembly knowledge is not up to snuff, so excuse newbish questions.
    Last edited by Ankharlyn; 11-20-2012 at 01:56 PM.

  4. #109
    piotr55
    BIG BIG THANKS to zom, Ankharlyn & JuJuBoSc.
    With your help I managed to update my GW2Radar.

    regards & best wishes
    piotr

  5. #110
    JuJuBoSc
    Originally Posted by Ankharlyn
    Perfect! Thanks

    Somewhat unrelated, but say I wanted to call getTLS from my code with BlackMagic and get the value of EAX.

    I currently have something like this:

    Code:
    memory.Asm.Clear();
    memory.Asm.AddLine("call {0}", 0x00655BB0);
    memory.Asm.AddLine("mov [{0}], eax", tls_address);
    memory.Asm.AddLine("retn");
    byte[] p = memory.Asm.Assemble();

    memory.Asm.InjectAndExecute(guild_wars_two_process.Handle, codecave);

    uint tls_value_address = memory.ReadUInt(tls_address);
    Which assembles and executes fine (apparently, no crash or error code), but tls_value_address is always zero. Any ideas?

    (I am allocating codecave and the tls_address from BlackMagic as well, just snipped it for brevity.)
    You need to run it from main thread anyway, TLS = Thread Local Storage, so getting the TLS of another thread than the main thread is useless in this case.

  6. #111
    Ankharlyn
    Originally Posted by JuJuBoSc
    You need to run it from main thread anyway, TLS = Thread Local Storage, so getting the TLS of another thread than the main thread is useless in this case.
    Erm, how would I do that? I was under the impression I was running it from the main thread.

  7. #112
    JuJuBoSc
    Originally Posted by Ankharlyn
    Erm, how would I do that? I was under the impression I was running it from the main thread.
    memory.Asm.InjectAndExecute <--- this uses CreateRemoteThread, so it's called from a thread other than the main thread; your best choice is to hook a game function of your choice and execute your code from it.

  8. #113
    thisflora
    Hi all.

    I'm experiencing issues with the offsets from z0m's archive right now. I'm in a DLL injected into Guild Wars 2 and executing this code:
    Code:
    // DWORD/BYTE come from <windows.h>; 0x38 is added to the static's address before the dereference
    DWORD pMyCharacter = *(DWORD*)(0x16B366C + 0x38); // GetControlledCharacter
    bool isAlive = (*(BYTE*)(pMyCharacter + 0xA0) == 0); // Bitcheck on HealthStatus
    isAlive is continuously zero, no matter what. Does anyone know what's wrong?
    I also tried the CurrentHealth and Position (yes, got the AgentPtr first). But none of them worked.

    greetz, flora
    Last edited by thisflora; 11-21-2012 at 09:47 AM.

  9. #114
    Ankharlyn
    Originally Posted by thisflora
    Hi all.

    [snip]
    isAlive is continuously zero, no matter what. Does anyone know what's wrong?
    I also tried the CurrentHealth and Position (yes, got the AgentPtr first). But none of them worked.

    greetz, flora
    I'll take a look into this tonight.


    Originally Posted by JuJuBoSc
    memory.Asm.InjectAndExecute <--- this uses CreateRemoteThread, so it's called from a thread other than the main thread; your best choice is to hook a game function of your choice and execute your code from it.
    Ahhhh right! Forgot that it uses CreateRemoteThread.

    Any tips on hooking a game function like that?
    Last edited by Ankharlyn; 11-20-2012 at 07:20 PM.

  10. #115
    thisflora
    Originally Posted by Ankharlyn
    I'll take a look into this tonight.

    Ahhhh right! Forgot that it uses CreateRemoteThread.

    Any tips on hooking a game function like that?
    Thanks.

    You can use any function that is in the main thread. It really doesn't matter. Pick one that's called very often and obtain the TLS value whenever you need it.

  11. #116
    Ankharlyn
    Originally Posted by thisflora
    Thanks.

    You can use any function that is in the main thread. It really doesn't matter. Pick one that's called very often and obtain the TLS value whenever you need it.
    Never actually done anything like that, any links to info on how to go about it? If it matters, I'm using C#.

  12. #117
    thisflora
    Code:
    #include <windows.h>
    #include <cstring>

    // Overwrites the first 5 (+NOPS) bytes at `location` with a relative JMP to `newFunction`.
    // NOPS pads the remainder when the displaced instructions are longer than 5 bytes.
    void Detour(BYTE* location, BYTE* newFunction, int NOPS = 0)
    {
        DWORD dwOldProtection;
        VirtualProtect(location, 5 + NOPS, PAGE_EXECUTE_READWRITE, &dwOldProtection);
        if (NOPS > 0)
            memset((void*)location, 0x90, 5 + NOPS);   // 0x90 = NOP
        location[0] = 0xE9;                            // JMP rel32
        *((DWORD*)(location + 1)) = (DWORD)(newFunction - location) - 5;   // rel32 = target - (location + 5)
        VirtualProtect(location, 5 + NOPS, dwOldProtection, &dwOldProtection);
    }
    That's the function I use when hooking something from a DLL. I guess you can translate that to C#.
    What you basically do is write a jmp (0xE9) to the first byte and the address of your code (has to be naked) - yourfunc - 5 to the next 4 bytes.
    Since you need 5 bytes for that, you need to NOP x bytes if the overwritten instruction(s) had more than 5 bytes in total.
    You then execute your code + the overwritten one. After that all you have to do is jump back to yourfunc+x (the number of bytes the overwritten instructions had).

    If you are executing anything that would modify the registers to something that's not planned in the program's schedule, you need to save and restore the registers. You can do that by adding a 'pushad' at the start and a 'popad' at the end.

    Since you are doing it in C# you may have to use VirtualAllocEx to allocate memory in the target process and then write your naked code there.
    Last edited by thisflora; 11-20-2012 at 08:39 PM.

  13. #118
    thisflora
    I kept trying, but I still can't get it to work. This doesn't work either:

    0x16B366C is the current chCliContext as posted by z0m.

    Code:
    // 0x38 is added to the static's address and that sum is read
    DWORD pChar = Ptr.ReadDoubleWord(hProcess, 0x16B366C + 0x38);
    printf("0x%X\n", pChar);
    DWORD pAgent = Ptr.ReadDoubleWord(hProcess, pChar + 0x44);
    printf("0x%X\n", pAgent);
    float posx = Ptr.ReadFloat(hProcess, pAgent + 0x20);
    printf("%f\n", posx);
    Code:
    #include <windows.h>
    #include <cstdio>

    class Pointer
    {
    public:
        float ReadFloat(HANDLE hProcess, DWORD dwAddress);
        DWORD ReadDoubleWord(HANDLE hProcess, DWORD dwAddress);
    };

    // Both helpers return 0 on a failed read, so a bad address is indistinguishable from a NULL pointer
    float Pointer::ReadFloat(HANDLE hProcess, DWORD dwAddress)
    {
        float buffer;
        if (ReadProcessMemory(hProcess, (void*)dwAddress, &buffer, 4, NULL))
            return buffer;
        return 0;
    }

    DWORD Pointer::ReadDoubleWord(HANDLE hProcess, DWORD dwAddress)
    {
        DWORD buffer;
        if (ReadProcessMemory(hProcess, (void*)dwAddress, &buffer, 4, NULL))
            return buffer;
        return 0;
    }

  14. #119
    JuJuBoSc
    Originally Posted by thisflora
    I kept trying, but I still can't get it to work. This doesn't work either:

    0x16B366C is the current chCliContext as posted by z0m.

    Code:
    DWORD pChar = Ptr.ReadDoubleWord(hProcess, 0x16B366C + 0x38);
    printf("0x%X\n", pChar);
    DWORD pAgent = Ptr.ReadDoubleWord(hProcess, pChar + 0x44);
    printf("0x%X\n", pAgent);
    float posx = Ptr.ReadFloat(hProcess, pAgent + 0x20);
    printf("%f\n", posx);
    Code:
    float Pointer::ReadFloat(HANDLE hProcess, DWORD dwAddress)
    {
        float buffer;
        if (ReadProcessMemory(hProcess, (void*)dwAddress, &buffer, 4, NULL))
            return buffer;
        return 0;
    }

    DWORD Pointer::ReadDoubleWord(HANDLE hProcess, DWORD dwAddress)
    {
        DWORD buffer;
        if (ReadProcessMemory(hProcess, (void*)dwAddress, &buffer, 4, NULL))
            return buffer;
        return 0;
    }
    read 0x16B366C first, then add 0x38.
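    The dereference order this reply points at, as an added example that is not from the thread: it walks a pointer chain over a constructed in-memory image (all addresses and values are made up; the 0x38/0x44/0x20 offsets are the ones used above), contrasts Read(global + 0x38) with Read(Read(global) + 0x38), and aborts on a failed read or NULL link instead of continuing from a zero pointer the way a helper that returns 0 on failure would.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for the target process: 256 bytes "mapped" at IMG_BASE (made-up values). */
#define IMG_BASE   0x01000000u
#define IMG_SIZE   256u
#define STATIC_PTR (IMG_BASE + 0x00)   /* plays the role of the 0x16B366C global */
static uint8_t img[IMG_SIZE];
/* Emulates ReadProcessMemory: an unmapped range is reported as failure, not as a silent 0. */
static bool read_dword(uint32_t addr, uint32_t *out) {
    if (addr < IMG_BASE || addr + 4 > IMG_BASE + IMG_SIZE) return false;
    memcpy(out, img + (addr - IMG_BASE), 4); return true;
}
static void write_dword(uint32_t addr, uint32_t v) { memcpy(img + (addr - IMG_BASE), &v, 4); }

/* Lay out global -> context -> character -> agent -> x using the offsets from the thread. */
static void build_image(void) {
    float x = 123.5f; uint32_t xbits; memcpy(&xbits, &x, 4);
    memset(img, 0, sizeof img);
    write_dword(STATIC_PTR,             IMG_BASE + 0x10);   /* *global    = context   */
    write_dword(IMG_BASE + 0x10 + 0x38, IMG_BASE + 0x60);   /* ctx+0x38   = character */
    write_dword(IMG_BASE + 0x60 + 0x44, IMG_BASE + 0xB0);   /* chr+0x44   = agent     */
    write_dword(IMG_BASE + 0xB0 + 0x20, xbits);             /* agent+0x20 = x (float) */
}

/* Deref the static, then (ptr + off) for every offset but the last, which selects the field.
 * A failed read or NULL link aborts the walk instead of continuing from address 0 + off. */
static bool resolve_chain(uint32_t base, const uint32_t *off, size_t n, uint32_t *field) {
    uint32_t cur;
    if (n == 0 || !read_dword(base, &cur) || cur == 0) return false;
    for (size_t i = 0; i + 1 < n; i++)
        if (!read_dword(cur + off[i], &cur) || cur == 0) return false;
    *field = cur + off[n - 1];
    return true;
}

/* Right order (post #119): read the global first, then add 0x38 and read again, and so on. */
float x_via_chain(void) {
    const uint32_t off[] = { 0x38, 0x44, 0x20 };
    uint32_t addr, bits; float x = 0.0f;
    build_image();
    if (resolve_chain(STATIC_PTR, off, 3, &addr) && read_dword(addr, &bits)) memcpy(&x, &bits, 4);
    return x;
}

/* Wrong order (posts #113/#118): Read(global + 0x38) reads 0x38 bytes past the global itself. */
uint32_t x_wrong_order_ptr(void) {
    uint32_t p = 0xFFFFFFFFu; build_image();
    read_dword(STATIC_PTR + 0x38, &p);   /* that slot holds 0 here, and 0 + 0x44 is unmapped */
    return p;
}
```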

  15. #120
    thisflora
    Code:
    DWORD pChar = Ptr.ReadDoubleWord(hProcess, 0x16B366C) + 0x38;
    printf("0x%X\n", pChar);
    DWORD pAgent = Ptr.ReadDoubleWord(hProcess, pChar + 0x44);
    printf("0x%X\n", pAgent);
    float posx = Ptr.ReadFloat(hProcess, pAgent + 0x20);
    printf("%f\n", posx);
    Still doesn't work :/

