Code Caving WoW [With Code (C++)] menu

User Tag List

Results 1 to 11 of 11
  1. #1
    blizzo's Avatar Member
    Reputation
    6
    Join Date
    Jun 2008
    Posts
    12
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Code Caving WoW [With Code (C++)]

    ** If anything is unclear, I'm sorry. The code isn't great cos i hacked it together this afternoon just a PoC. Enjoy! **

    I dunno if anyone has posted anything about using a code cave to run functions in Wow instead of injecting a DLL, but I'm going to now.

    First, for those that don't know what a code cave is:
    It is somewhere in a remote process' memory where you put your own code, maybe some space that isn't used or some space that you allocate with VirtualAllocEx and free with VirtualFreeEx

    You can insert code in to this space and then run it!

    After you insert your code you can pause the current thread, change the instruction pointer to where your code is, then resume the thread. This will run your code.
    Of course, if you jump to some code that uses registers/flags and you don't restore them bad things will happen. The easiest way to do that is just to push them on the stack at the start of the injected code and pop them off at the end.
    Also you'll probably want to return to where the thread was before your code ran, so you'll need to push the return address on to the stack first.

    Code:
    		push 0xDEADBABE		//   Placeholder for the return address
    		pushfd				//   Save the flags and registers
    		pushad
    		//-- Something useful goes here :)
    		popad				//   Restore the registers and flags
    		popfd
    		ret					//   Return control to the hijacked thread
    Something like that would be a good start.

    So... HOWTO:
    Here's what i did:
    1. Find the target Window Handle
    2. Find the main thread ID
    3. Open the process PID
    4. Open the thread
    5. Allocate space for the code
    6. Make any changes to the "to-be-injected" code (return address, etc.)
    7. Write the code to the allocated space
    8. Pause the thread
    9. Update the instruction pointer to point the allocated space
    10. Resume the thread
    11. Wait a bit for the code to run
    12. De-allocate the memory allocated for the code
    13. Have a beer


    In you code you could call a function or whatever, but you won't be able to get any return values... unless you allocate some space for the result and have you code write that result to that known location and then read it later. So in addition to the above you must:
    1. Allocate space for the result
    2. Edit your code to write to the allocated location
    3. Read the result after the thread is resumed


    I have produced some code (in C++) that will do all of this, it can be found here: Nopaste - Wow CodeCave.
    It calls the CompareUnitFaction function to get the reaction of one unit's faction to another.
    It doesn't do anything fancy and the Unit 1 and Unit 2 base addresses are hardcoded in. But if you don't know how to find them this really isn't for you

    *
    Credit here to kynox and Shynd for info about CompareUnitFaction
    Finding the functions and working out the arguments takes some time and a good disassembler/debugger, personally I like IDA (cos I can do other things - mega drive hehe)
    *

    The CompareUnitFaction (as it's being called) function takes two arguments, a pointer to the current Unit and a pointer to the second Unit. The current Unit is in the register ECX and the second Unit is pushed on to the stack. In my code it is called by doing:
    Code:
    		push 0xDEADBABE		//	Place holder for Unit2
    		mov ecx, 0xDEADBABE	//	Place holder for Unit1
    		mov eax, 0x005D4AB0	//	Offset for the CompareUnitFaction function
    		call eax
    This will run and return the faction's reaction to you in EAX, I used this code to right that value in to memory where it could be read:
    Code:
    		mov ebx, 0xDEADBABE	//	Offset to read result from :)
    		mov dword ptr [ebx], eax
    In the program the place holders are replaced with memcpy after the memory protection has been changed.
    injectCode is the function with the asm in it :
    void __declspec(naked) injectCode(void){ _asm { ... } }
    naked means no prologue or epilogue
    Code:
    		// Return address
    		memcpy((LPVOID)((DWORD)injectCode + 0x01),	&oldIP, 4);
    		// Unit2 base address
    		memcpy((LPVOID)((DWORD)injectCode + 0x08),	&dwUnit2, 4);
    		// Unit1 base address
    		memcpy((LPVOID)((DWORD)injectCode + 0x0D),	&dwUnit1, 4);
    		// Result address
    		memcpy((LPVOID)((DWORD)injectCode + 0x19),	&dwResutlAddress, 4);
    OK, think that covers everything. I have NOT tested this on a live server only on an emulated server so I dunno if you'll get disconnected or whatever. I didn't on the emulated server i was on (OpenAscent TRUNK r334/Release-Win-X86).
    If i have missed anything or you have any question I will try to answer them as best I can

    Edit: Here is an output from the program very verbose hehe
    Code:
    [?] PID:        2980
    [?] TID:        3012
    [?] HWND:       0x00460816
    [?] Handle:     0x7A4
    [?] Code to inject: 0x00401000 - 0x00401030 (0x00000030)
    [?] Thread Paused...
    [?] Old Instruction Pointer : 0x7C90EB94
    [?] Enabled modify for inject-code...OK!
    [?] Updating return address (0x00401001 -> 0x7C90EB94)...OK
    [?] Updating Unit2 address (0x00401008 -> 0x1070D0F0)...OK
    [?] Updating Unit1 address (0x0040100D -> 0x105F8008)...OK
    [?] Updating result address (0x00401018 -> 0x08FD0000)...OK
    [?] Writing code stub to 0x01710000...pass.
    [?] Updating the thread context...pass.
    [?] Thread Resumed at 0x01710000...done!
    [?] GetFactionHostility(0x105F8008, 0x1070D0F0) = 0x00000004
    [?] Closing thread...done
    [?] Freeing memory...done.
    [?] Closing process...done.
    Last edited by blizzo; 06-18-2008 at 11:04 AM.

    Code Caving WoW [With Code (C++)]
  2. #2
    Shynd's Avatar Contributor
    Reputation
    97
    Join Date
    May 2008
    Posts
    393
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Link seems to be dead. Nice work, though.

  3. #3
    blizzo's Avatar Member
    Reputation
    6
    Join Date
    Jun 2008
    Posts
    12
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    OK, link is fixed. Thanks for pointing that out Shynd

  4. #4
    Shynd's Avatar Contributor
    Reputation
    97
    Join Date
    May 2008
    Posts
    393
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Only suggestion I'd make is instead of sleeping a static 2000ms while waiting for it to execute, I'd do a loop while reading memory on your dwResult address, waiting for the result to != 0 (or initialize it as 0xFFFFFFFF and sleep until it != 0xFFFFFFFF).
    Code:
    DWORD dwResult = 0xFFFFFFFF;
    WriteProcessMemory(hProcess, pInjectResult, (LPVOID)dwResult, sizeof(DWORD), NULL);
    for (int i = 0; i < 200 && dwResult == 0xFFFFFFFF; i++)
    {
        if (!ReadProcessMemory(hProcess, pInjectResult, &dwResult, sizeof(DWORD), &dwBytesRead ))
            break;
        Sleep(10);
    }
    Slightly more overhead, but you'll get the result as soon as it's available.

  5. #5
    blizzo's Avatar Member
    Reputation
    6
    Join Date
    Jun 2008
    Posts
    12
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yes, that is a good idea I have something similar in my new code already. But you're code looks better
    However, you do have to wait a bit longer after it has finished to make sure that the flags and registers are popped off the stack and ret is called otherwise Wow will crash cos the memory is deallocated while it's still being executed hehe. The Wow send error report is pretty useful for debugging (no surprise) I don't know enough (anything) about writing a debugger but some kind of break point would be a useful thing, at the return address so you read the result and de-allocate the memory then. Maybe when it's not 4AM

  6. #6
    Shynd's Avatar Contributor
    Reputation
    97
    Join Date
    May 2008
    Posts
    393
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You could also always do: (pseudo code)
    Code:
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)codecaveaddress, NULL, NULL, NULL);
    WaitForObject(hThread, INFINITE);
    DWORD dwExit;
    GetExitCodeThread(hThread, &dwExit); //dwExit is now the value of EAX when RETN is hit
    Little more overhead but it makes it much easier to handle. If you're only calling it every once in a while, it shouldn't cause any problems.


    And writing a debugger isn't too difficult. DebugActiveProcess API for the win. You just have to handle the breakpoints in the correct manner, something that's not documented very many places (if you're still interested, even after understanding how easily debuggers can be detected, let me know and I'll make a post about it).


    Edit: Oh yeah, +Rep
    Last edited by Shynd; 06-18-2008 at 11:31 PM.

  7. #7
    kynox's Avatar Member
    Reputation
    830
    Join Date
    Dec 2006
    Posts
    888
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by Shynd View Post
    You could also always do: (pseudo code)
    Code:
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)codecaveaddress, NULL, NULL, NULL);
    WaitForObject(hThread, INFINITE);
    DWORD dwExit;
    GetExitCodeThread(hThread, &dwExit); //dwExit is now the value of EAX when RETN is hit
    Little more overhead but it makes it much easier to handle. If you're only calling it every once in a while, it shouldn't cause any problems.


    And writing a debugger isn't too difficult. DebugActiveProcess API for the win. You just have to handle the breakpoints in the correct manner, something that's not documented very many places (if you're still interested, even after understanding how easily debuggers can be detected, let me know and I'll make a post about it).


    Edit: Oh yeah, +Rep
    This method won't work for any functions that read from the TLS (Being that its Thread local storage). Opening another thread won't have the TLS data in it, though you can put it in yourself

  8. #8
    Shynd's Avatar Contributor
    Reputation
    97
    Join Date
    May 2008
    Posts
    393
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Good catch, was still thinking in terms of other gamehacking I've done in the past. Hadn't really thought about it =p.

  9. #9
    kynox's Avatar Member
    Reputation
    830
    Join Date
    Dec 2006
    Posts
    888
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Haha, Yeah, it gave me a real run around when i first started out. In the end though i just hacked up some code to set the TLS in my thead to the s_curMgr pointer. Works a treat

  10. #10
    blizzo's Avatar Member
    Reputation
    6
    Join Date
    Jun 2008
    Posts
    12
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Looks good, I will have a go with create remote thread and setting the TLS.
    Thanks for the rep Shynd

  11. #11
    blizzo's Avatar Member
    Reputation
    6
    Join Date
    Jun 2008
    Posts
    12
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I'm not an X86 ASM expert so I dunno if this is the best way to do it, but it appears to work:

    This code will load the address of the Object Manager in to EAX. Not really of any use but easy to check to see if it worked.

    0x00153C60 is the linear address of the thread-local storage array for the main thread.
    FS:0x2C is where the linear address of the thread-local storage is stored, so if you over write it it should be good. Please correct me if i am wrong :]

    Code:
    AT&T Style
    push %fs:0x2C
    movl $0x00153C60, %fs:0x2C
    movl %fs:0x2C, %eax
    movl (%eax), %eax
    movl 0x10(%eax), %eax
    pop %fs:0x2C
    Code:
    Intel Style (Untested)
    PUSH FS:0x2C
    MOV FS:0x2C, 0x00153C60
    MOV EAX, FS:0x2C
    MOV EAX, DWORD PTR [EAX]
    MOV EAX, DWORD PTR [EAX + 0x10]
    POP FS:0x2C
    I'm not that exactly how you write it in Intel style asm, i have been using GCC and that uses AT&T syntax which is pretty different.

Similar Threads

  1. [Control WoW with your voice] Voice Commander
    By Alkhara Majere in forum World of Warcraft Bots and Programs
    Replies: 330
    Last Post: 10-24-2008, 10:20 AM
  2. Play WoW with your Xbox 360 Controller!
    By jimmbo506 in forum World of Warcraft Bots and Programs
    Replies: 95
    Last Post: 11-19-2007, 04:46 PM
  3. WoWPad - Play WoW with GamePad
    By Nightfel in forum World of Warcraft Bots and Programs
    Replies: 13
    Last Post: 09-03-2007, 02:00 PM
  4. [Program] Play WoW with your GamePad !!! (so much more fun)
    By Flying Piggy in forum World of Warcraft Bots and Programs
    Replies: 24
    Last Post: 02-21-2007, 01:39 PM
  5. Play WoW with Wii Remote!
    By Glynbeard in forum World of Warcraft General
    Replies: 10
    Last Post: 02-07-2007, 08:58 PM
All times are GMT -5. The time now is 10:20 AM. Powered by vBulletin® Version 4.2.3
Copyright © 2025 vBulletin Solutions, Inc. All rights reserved. User Alert System provided by Advanced User Tagging (Pro) - vBulletin Mods & Addons Copyright © 2025 DragonByte Technologies Ltd.
Google Authenticator verification provided by Two-Factor Authentication (Free) - vBulletin Mods & Addons Copyright © 2025 DragonByte Technologies Ltd.
Digital Point modules: Sphinx-based search