ASM function call?

  #1 akh (Member)

    ASM function call?

    Hi.

    I have been playing with some DLL injection and stuff the last couple of days. I got the DLL injected and I have set up a named pipe connection to communicate with the injected DLL. Now I would like to call certain functions in WoW by using ASM. One of the functions I have in mind is CastSpellById. I got the address from WoWX to be 0x006FC520. The functions that call this address seem to push 4 arguments onto the stack, of which the first one is the spellId, and then call the CastSpellById function.

    This is an example of how the function is called (from OllyDbg):
    Code:
    00495810  A1 F8FAC600   MOV EAX,DWORD PTR DS:[C6FAF8]
    00495815  6A 00         PUSH 0
    00495817  6A 00         PUSH 0
    00495819  6A 00         PUSH 0
    0049581B  50            PUSH EAX
    0049581C  E8 FF6C2600   CALL Wow.006FC520
    00495821  83C4 10       ADD ESP,10
    Now I have some ASM code that should do the same thing:
    Code:
    void CastSpellByID( int spellid )
    {
    	unsigned long dwCastSpellById = gpWoWX->GetFindPattern()->GetAddress( "CastSpellById" );
    	__asm
    	{
    		MOV EAX, spellid
    		PUSH 0
    		PUSH 0
    		PUSH 0
    		PUSH EAX
    		CALL dwCastSpellById    // indirect call through the local variable
    		ADD ESP, 0x10           // cdecl: caller removes the four DWORD arguments (16 bytes).
    		                        // OllyDbg shows "ADD ESP,10" in hex; a bare 10 in MSVC inline asm is decimal.
    	}
    }
    The problem is that nothing happens in WoW when I try to execute the call, but when I set a breakpoint at the address in OllyDbg I can see that the ASM code is being executed.
    It might be an obvious error or something that I have missed, but as I said I just started a couple of days ago, and I don't have much experience in this field.
    Last edited by akh; 08-27-2008 at 07:28 AM.

  #2 Xarg0 (Member)
    I didn't take a look at the function, but I'd say you need to copy WoW's main thread's TLS thingy, because it handles the ObjectManagerClass and lots of functions need it to work properly.
    I'm not sure, but I think WoWX provides a function to do this; it's named UpdateCurMngr or something like this ^^
    I hacked 127.0.0.1

  #3 akh (Member)
    Thanks for your reply Xarg0.

    I tried hooking CurMgr, but still no luck.

  #4 kynox (Account not activated by Email)
    Here:

    Code:
    void __forceinline UpdateCurMgr()
    {
        // Pointer to the current object manager, read out of the client connection object
        DWORD  s_curMgr = *(DWORD*)(*(DWORD*)__ClientConnection + 0x2218);
        DWORD* pTmp = NULL;
        _asm mov eax, DWORD PTR FS:[0x2C]   // TEB->ThreadLocalStoragePointer (array of TLS slots)
        _asm mov eax, DWORD PTR DS:[eax]    // first TLS slot of the calling thread
        _asm mov pTmp, eax
        *(DWORD*)((DWORD)pTmp + 0x10) = s_curMgr;   // store it where the client looks for its per-thread CurMgr
    }

    DWORD GetSpellByName( char* szName )
    {
        UpdateCurMgr();
        DWORD dwUnknown = 0;
        __asm
        {
            LEA  EAX, dwUnknown
            PUSH EAX
            PUSH szName
            MOV  EAX, __GetSpellIDByName
            CALL EAX
            ADD  ESP, 8          // cdecl: caller removes the two arguments
        }
        // The callee leaves the spell ID in EAX; MSVC treats EAX as the return value
        // of a function that contains inline asm, so no explicit return is needed.
    }

    void CastSpellById( DWORD dwSpellID )
    {
        UpdateCurMgr();
        __asm
        {
            PUSH 0
            PUSH 0
            PUSH 0
            PUSH dwSpellID
            MOV  EAX, __CastSpellByID
            CALL EAX
            ADD  ESP, 0x10       // cdecl: caller removes the four DWORD arguments
        }
    }
    ClientConnection can be found in the WoW 2.4.3 offset dump; I posted it there.

  #5 Cypher (Kynox's Sister's Pimp)
    Your function is also returning void. It should be returning a DWORD like in kynox's code; otherwise, how are you going to get the result of the function call?

  #6 akh (Member)
    Sorry for the late reply. I have tried to run the code Kynox posted, but still nothing happens. Here is what I did:
    Made a new dll32 project in Visual Studio.
    Pasted the code from Kynox.
    Injected the dll in WoW with an injector found on GameDeception.

    The method is being called like it was before, but it does not cast any spell.

    Here is the code:

    SpellCastDLL.cpp:
    Code:
    #include "stdafx.h"
    
    	void main() 
    	{
    		CastSpellById( 168 ); //Frost Armor (Rank 1)
    	}
    
    	void __forceinline UpdateCurMgr()
    	{
    		DWORD dwClientCon = 0x00D43318;
    		DWORD s_curMgr = *(DWORD*)(*(DWORD*)dwClientCon + 0x2218);
    		DWORD* pTmp = NULL;
    		_asm mov eax, DWORD PTR FS:[0x2C]
    		_asm mov eax, DWORD PTR DS:[eax]
    		_asm mov pTmp, eax
    		*(DWORD*)((DWORD)pTmp + 0x10) = s_curMgr;
    	}
    
    	void CastSpellById( DWORD dwSpellID )
    	{
    		DWORD dwCastSpellById = 0x006FC520;
    		UpdateCurMgr();
    		__asm
    		{
    			PUSH 0
    			PUSH 0
    			PUSH 0
    			PUSH dwSpellID
    			MOV  EAX, dwCastSpellById
    			CALL EAX
    			ADD  ESP, 0x10
    		}
    	}
    dllmain.cpp:
    Code:
    #include "stdafx.h"
    
    BOOL APIENTRY DllMain( HMODULE hModule,
                           DWORD  ul_reason_for_call,
                           LPVOID lpReserved
    					 )
    {
    	switch (ul_reason_for_call)
    	{
    	case DLL_PROCESS_ATTACH:
    		{
    			main();
    			break;
    		}
    	case DLL_THREAD_ATTACH:
    	case DLL_THREAD_DETACH:
    	case DLL_PROCESS_DETACH:
    		break;
    	}
    	return TRUE;
    }
    stdafx.h:
    Code:
    #pragma once
    
    #include "targetver.h"
    
    #define WIN32_LEAN_AND_MEAN
    #include <windows.h>
    
    void main();
    void CastSpellById( DWORD dwSpellID );

  #7 Cypher (Kynox's Sister's Pimp)
    On an aside, you should make sure you don't do too much in DllMain on DLL_PROCESS_ATTACH, because if your code doesn't return fast enough (or at all) then you'll cause a deadlock and no other modules can load. I had that problem a while back.

    The easiest solution is to just create a new thread if you need to do any actual real work in DllMain other than just some basic initialization.

    e.g. this is the DllMain from my DLL.
    Code:
    BOOL WINAPI DllMain(HINSTANCE hinstDLL, unsigned int fdwReason, LPVOID)
    {
        switch (fdwReason)
        {
        case DLL_PROCESS_ATTACH:
            {
                _beginthreadex(NULL,NULL,MyThread,hinstDLL,NULL,NULL);
                break;
            }
        case DLL_PROCESS_DETACH:
            {
                DeletePointers();
                break;
            }
        }
        return TRUE;
    }
    You'll notice I'm using _beginthreadex; make sure you always use that rather than CreateThread, or you may run into some bugs that are very difficult to diagnose unless you already know you're not supposed to be calling it directly in most circumstances.

  #8 kynox (Account not activated by Email)
    My best guess is the ID is wrong. Use CastSpellByID( GetSpellByName( "Frost Armor" ) )

  #9 akh (Member)
    Hi again. I tried creating a new thread in my DLL like Cypher suggested, and I checked the spellId, but still nothing happens. I have uploaded my project here; maybe you will have a look at it. I made a test: first it finds the spellId using GetSpellIdByName, and after 5 sec it tries to cast the spell. WoW has to be running and logged in before you press inject.

    I really appreciate that you are trying to help me.

  #10 kynox (Account not activated by Email)
    Originally Posted by akh:
    Hi again. I tried creating a new thread in my DLL like Cypher suggested, and I checked the spellId, but still nothing happens. I have uploaded my project here; maybe you will have a look at it. I made a test: first it finds the spellId using GetSpellIdByName, and after 5 sec it tries to cast the spell. WoW has to be running and logged in before you press inject.

    I really appreciate that you are trying to help me.
    That's got me stumped :S. You are a Mage and you have that spell, yes?

  #11 Cypher (Kynox's Sister's Pimp)
    I'll write up some working code for you tomorrow or something, really tired atm.

  #12 akh (Member)
    Originally Posted by kynox:
    That's got me stumped :S. You are a Mage and you have that spell, yes?
    I have tried it on a trial account with a level 3 mage with rank 1 Frost Armor, and on my private server with a level 70 mage with rank 3.

    The GetSpellByName function works and returns the spellId of the spell with the highest rank.
    Last edited by akh; 08-31-2008 at 06:21 AM.

  #13 akh (Member)
    I just got it working. It was the UpdateCurMgr() method that was the problem.
    *(DWORD*)((DWORD)pTmp + 0x10) = s_curMgr; had to be changed to *(DWORD*)((DWORD)pTmp + 0x = s_curMgr;

    Thanks for your help.

  #14 Cypher (Kynox's Sister's Pimp)
    Ah **** the TLS slot was swapped. Hahaha, epic win, can't believe I missed that.

  #15 kynox (Account not activated by Email)
    Haha, oh wow. Sorry; I pasted it from an older source!
