Nofalldmg Detour causes wow to crash menu

  1. #1 Xarg0 (Member)

    Nofalldmg Detour causes wow to crash

    Code:
    #include <windows.h>
    #include <cstring>
    DWORD DetourAddress = 0x760D90;
    DWORD dwOrig = DetourAddress+6;
    typedef struct callsturct
    {
    	BYTE opCode;
    	DWORD adress;
    } Tcallstruct;
           
    void __declspec(naked) NoFallDamage_Detour()
    {
    	__asm
    	{
    		TEST DWORD PTR [ESI + 0x10], 0x1000
    		JNE RESET
    		MOV ECX, DWORD PTR [EDI + 0x7C]
    		CMP ECX, 0x38D
    		JGE RETURN
    		MOV DWORD PTR [ESI + 0x3C], ECX
    	RETURN:
    		PUSH dwOrig
    		RET
    	RESET:
    		MOV ECX, DWORD PTR [EDI + 0x7C]
    		MOV DWORD PTR [ESI + 0x3C], ECX
    		JMP RETURN
    	}
    }
    void nofalldmg(void)
    {
    	Tcallstruct call={0xE8, PtrToUlong(NoFallDamage_Detour)};
    	DWORD oldprotect;
    	VirtualProtectEx(GetCurrentProcess(),(LPVOID) DetourAddress, sizeof(call),PAGE_EXECUTE_READWRITE, &oldprotect);
    	memcpy((PVOID)DetourAddress, &call, sizeof(call));
    	VirtualProtectEx(GetCurrentProcess(),(LPVOID) DetourAddress, sizeof(call), oldprotect, &oldprotect);
    }
    
    
    BOOL APIENTRY DllMain (HINSTANCE hInst     /* Library instance handle. */ ,
                           DWORD reason        /* Reason this function is being called. */ ,
                           LPVOID reserved     /* Not used. */ )
    {
        switch (reason)
        {
          case DLL_PROCESS_ATTACH:
               nofalldmg();
            break;
    
          case DLL_PROCESS_DETACH:
            break;
    
          case DLL_THREAD_ATTACH:
            break;
    
          case DLL_THREAD_DETACH:
            break;
        }
    
        /* Returns TRUE on success, FALSE on failure */
        return TRUE;
    }
    When I move after injecting this dll into wow, wow crashes with a memory error: the instruction at offset XXXXXXXX referenced memory at XXXXXXXXX; the memory could not be read.
    Edit:
    I tried injecting the dll while ollydbg was attached to wow. Olly told me that my dll is outside of the code segment of the PE, or something like that. I'm quite sure that's causing the crash, yet I've no idea how to fix that issue :/.
    Last edited by Xarg0; 06-19-2008 at 02:47 PM.
    I hacked 127.0.0.1

  2. #2 suicidity (Contributor)
    Recheck your math and asm; it sounds like your detour is going out of wow's memory or that your detour is not set up right.


  3. #3 Xarg0 (Member)
    I double checked everything, yet I can't find a mistake in my code; maybe I'm doing something wrong when injecting my dll.
    I use a CreateRemoteThread injection with a LoadLibraryA call. I tried my dll injection on both Linux and Windows: with Linux the detour doesn't work at all, it doesn't write the function call to wow's memory; with Windows I get an error because the function I want to call is outside of wow's code segment :/
    wtf am I doing wrong >.<
    I hacked 127.0.0.1

  4. #4 Cursed (Contributor)
    If you are using it on Retail Servers: I think Warden checks for CreateRemoteThread (Could be wrong... Just what I remember) :P

  5. #5 Xarg0 (Member)
    Kynox's WoWObjectdumper worked with my loader ^^
    I hacked 127.0.0.1

  6. #6 Shynd (Contributor)
    Inside your nofalldmg function, put in some code that helps you check the size of call. Make sure call is only 5 bytes long, not 9. If that's not the problem, I have no idea.

  7. #7 Xarg0 (Member)
    Shynd, you're right, the call struct is bigger than 5 bytes. I tried to fix that problem by writing the call instruction without the call struct, like this:
    Code:
    BYTE opcode=0xE8;
    DWORD nofall=PtrToUlong(NoFallDamage_Detour);
    VirtualProtectEx(GetCurrentProcess(),(LPVOID) DetourAddress, 5,PAGE_EXECUTE_READWRITE, &oldprotect);
    
    memcpy((PVOID)DetourAddress, &opcode, 1);
    memcpy((PVOID)(DetourAddress+0x1), &nofall, 4);
    VirtualProtectEx(GetCurrentProcess(),(LPVOID) DetourAddress, 5, oldprotect, &oldprotect);
    This gives me a memory write error instead of a memory read error. I think the problem is the size of DWORD: it should be 4 bytes but it isn't. Maybe I need to convert the DWORD into a BYTE array, yet I've no idea how to do this.
    I hacked 127.0.0.1

  8. #8 Shynd (Contributor)
    How about changing it to look like so:
    Code:
    BYTE opcode = 0xE8;
    DWORD nofall = (DWORD)NoFallDamage_Detour;
    
    VirtualProtect((LPVOID)DetourAddress, 5, PAGE_EXECUTE_READWRITE, &oldprotect);
    memcpy((PVOID)DetourAddress, opcode, 1);
    memcpy((PVOID)(DetourAddress+1), nofall, 4);
    VirtualProtect((LPVOID)DetourAddress, 5, oldprotect, &oldprotect);
    I don't know, I just typed that out without testing, but it seems to me that your PtrToUlong function returns an 8-byte LONG-type variable, or something. I'm not sure.

  9. #9 Xarg0 (Member)
    DWORD = unsigned long
    and it should be only 4 bytes long, yet your code causes another memory error: the memory referenced at 0x0000001 could not be read, or something like that.
    Maybe I'll just change the Nofalldmg detour a bit and write the call instruction to another place.
    I hacked 127.0.0.1

  10. #10 suicidity (Contributor)
    Why don't you do what I did for CS:S: write it byte by byte, do what you have to, then rewrite it back?

    Might work.


  11. #11 Cypher (Kynox's Sister's Pimp)
    You didn't write that code. I'm not saying you said you did, but still, credit where credit's due.

    [WoW] No Falling Damage - Game Deception - Forums

  12. #12 Xarg0 (Member)
    Yeah, sry, forgot the credits.
    btw I think I've made a big mistake in my code: the call offset is just wrong, I need to calculate it dynamically...
    I'll try whether it works later and maybe upload a dll with a working nofalldmg hook ^^
    I hacked 127.0.0.1

  13. #13 Xarg0 (Member)
    Code:
    #include <windows.h>
    #include <cstring>
    DWORD DetourAddress = 0x760D90;
    DWORD dwOrig = DetourAddress+6;
    typedef struct callsturct
    {
    	BYTE opCode;
    	unsigned long adress;
    } Tcallstruct;
           
    inline void __declspec(naked) NoFallDamage_Detour()
    {
    	__asm
    	{
    		TEST DWORD PTR [ESI + 0x10], 0x1000
    		JNE RESET
    		MOV ECX, DWORD PTR [EDI + 0x7C]
    		CMP ECX, 0x38D
    		JGE RETURN
    		MOV DWORD PTR [ESI + 0x3C], ECX
    	RETURN:
    		PUSH dwOrig
    		RET
    	RESET:
    		MOV ECX, DWORD PTR [EDI + 0x7C]
    		MOV DWORD PTR [ESI + 0x3C], ECX
    		JMP RETURN
    	}
    }
    void nofalldmg(void)
    {
    	DWORD oldprotect;
    	BYTE opcode=0xE8;
    	DWORD nofall=PtrToUlong(NoFallDamage_Detour)-DetourAddress;
    	VirtualProtectEx(GetCurrentProcess(),(LPVOID) DetourAddress, 5,PAGE_EXECUTE_READWRITE, &oldprotect);
    	memcpy((PVOID)DetourAddress, &opcode,1);
    	memcpy((PVOID)(DetourAddress+1), &nofall,4);
    	VirtualProtectEx(GetCurrentProcess(),(LPVOID) DetourAddress, 5, oldprotect, &oldprotect);
    	return;
    }
    
    
    BOOL APIENTRY DllMain (HINSTANCE hInst     /* Library instance handle. */ ,
                           DWORD reason        /* Reason this function is being called. */ ,
                           LPVOID reserved     /* Not used. */ )
    {
        switch (reason)
        {
          case DLL_PROCESS_ATTACH:
               nofalldmg();
            break;
    
          case DLL_PROCESS_DETACH:
            break;
    
          case DLL_THREAD_ATTACH:
            break;
    
          case DLL_THREAD_DETACH:
            break;
        }
    
        /* Returns TRUE on success, FALSE on failure */
        return TRUE;
    }
    Still doesn't work for me.
    Here's a link to the compiled dll:
    RapidShare: Easy Filehosting
    I hacked 127.0.0.1

  14. #14 Shynd (Contributor)
    It should be uh... DetourAddress-(NoFallDamage_Detour+5) or something, I think. Something like that.
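The two defects the thread circles around are general x86 facts, not anything specific to this game: a `struct { BYTE; DWORD }` is padded to 8 bytes, so copying `sizeof(call)` clobbers bytes past the 5-byte patch (post #6), and the operand of an `E8` near CALL is a displacement relative to the end of the CALL instruction, i.e. `target - (at + 5)`, not `target - at` (post #14). The following is an added example, written for this edit rather than taken from any poster's code: it encodes and decodes such a CALL purely as arithmetic on constructed addresses (0x760D90 is the patch site the thread mentions; 0x10001000 and the module ranges are made up), and includes the check an integrity scanner would run, namely decoding a CALL found at a known site and flagging it when its target falls outside the module's own image. Names such as `encode_call` and `call_leaves_range` are this example's own.

```c
/* Added example, not from the thread: x86 rel32 CALL encoding/decoding and the
 * struct-padding pitfall, done on constructed values only (no live process). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Natural layout: the compiler aligns the 32-bit field to 4 bytes, so
 * sizeof() is 8, not 5. memcpy(sizeof(call)) therefore writes 3 bytes past
 * the 5-byte CALL it was meant to plant. */
struct call_unpacked { uint8_t opcode; uint32_t rel32; };

/* Same fields with padding disabled: exactly 5 bytes. (MSVC, gcc and clang all
 * honour #pragma pack(push,1).) */
#pragma pack(push, 1)
struct call_packed { uint8_t opcode; uint32_t rel32; };
#pragma pack(pop)

size_t unpacked_size(void) { return sizeof(struct call_unpacked); } /* 8 */
size_t packed_size(void)   { return sizeof(struct call_packed);   } /* 5 */

#define CALL_LEN      5u
#define OP_CALL_REL32 0xE8u

/* Correct displacement: relative to the address of the *next* instruction.
 * uint32_t arithmetic wraps, so a backward call yields the right 2's-complement
 * value without any special casing. */
uint32_t call_rel32(uint32_t at, uint32_t target) {
    return target - (at + CALL_LEN);
}

/* The formula from post #13 (target - at), kept only to show it lands 5 bytes
 * past the intended target once the CPU adds the instruction length. */
uint32_t call_rel32_missing_length(uint32_t at, uint32_t target) {
    return target - at;
}

/* E8 + little-endian rel32 into out[5]. Explicit byte stores avoid depending on
 * host endianness or struct layout, which is what the memcpy-a-struct approach
 * tripped over. */
void encode_call(uint32_t at, uint32_t target, uint8_t out[5]) {
    uint32_t rel = call_rel32(at, target);
    out[0] = OP_CALL_REL32;
    out[1] = (uint8_t)(rel);
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Inverse: given the 5 bytes found at `at`, recover where the CALL goes.
 * Returns 0 if the bytes are not a rel32 CALL. */
uint32_t decode_call_target(uint32_t at, const uint8_t in[5]) {
    if (in[0] != OP_CALL_REL32) return 0;
    uint32_t rel = (uint32_t)in[1] | ((uint32_t)in[2] << 8) |
                   ((uint32_t)in[3] << 16) | ((uint32_t)in[4] << 24);
    return at + CALL_LEN + rel; /* modular add == signed displacement */
}

/* Scanner check: a CALL sitting in a module's code whose target lies outside
 * that module's image [lo, hi) is how a planted detour shows up. Returns 1 when
 * the target is out of range, 0 when it is in range or the bytes are no CALL. */
int call_leaves_range(uint32_t at, const uint8_t in[5], uint32_t lo, uint32_t hi) {
    uint32_t t = decode_call_target(at, in);
    if (t == 0) return 0;
    return (t < lo || t >= hi) ? 1 : 0;
}

int main(void) {
    /* Constructed: 0x760D90 is the site named in the thread; 0x10001000 stands
     * in for an address inside an injected DLL; the range is a made-up image. */
    uint32_t at = 0x00760D90u, target = 0x10001000u;
    uint8_t buf[5];
    printf("sizeof unpacked = %zu, packed = %zu\n", unpacked_size(), packed_size());
    encode_call(at, target, buf);
    printf("bytes at %08X:", (unsigned)at);
    for (int i = 0; i < 5; i++) printf(" %02X", buf[i]);
    printf("\ndecoded target      = %08X\n", (unsigned)decode_call_target(at, buf));
    printf("with post #13 math  = %08X\n",
           (unsigned)(at + CALL_LEN + call_rel32_missing_length(at, target)));
    printf("leaves [00400000,00C00000)? %d\n",
           call_leaves_range(at, buf, 0x00400000u, 0x00C00000u));
    return 0;
}
```

Run as-is it prints `E8 6B 02 8A 0F` for the constructed pair and shows the post #13 arithmetic resolving to 0x10001005, five bytes past the intended target; the range check is the same decode used in reverse, which is why the decode routine, not the encoder, is the part worth keeping in an integrity checker.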

  15. #15 beagle (Member)
    This is probably a REALLY noob question, but is it possible to get the address for fall damage using a memory editor for, say, Age of Conan? Sorry for asking here, but there's nothing really about fall damage on the Conan forums. The reason I ask here is because I thought maybe it might be similar to this game, plus you are all very knowledgeable on these kinds of things, so I thought I might as well ask.
