Problems calling VMT Function 47

  1. #1
    djvoid (Member)

    Problems calling VMT Function 47

    So I'm stumped (and still new), so I thought I'd throw this out there. I've been setting up my framework and encountered The Strange(tm). About 30% of the code is your tasty copypasta, for the parts that I don't fully understand (I can't write assembly yet).

    The code for calling VMT 47 was pulled from wowbasic2.0, and I just updated the VMT GetName offset per Cypher's post to 0x2f. I also updated the AllocateMemory to 0x1000 - per a suggestion I read on Shynd's blog (I'm pretty sure it was Shynd's blog, it's all a blur, been reading a ton).

    Code:
    public static object GetName(cObject Obj)
    {
        Trace.WriteLine(string.Format("Getting name for GUID: {0}", Obj.GUID));

        ProcessMemory memory = Obj.Owner.Memory;
        int number = memory.AllocateMemory(0x1000);
        Clipboard.SetText(Conversion.Hex(number));
        int num2 = number + 100;
        int num = number + 200;
        int vTableFuncPtr = Obj.GetVTableFuncPtr(0x2f);
        int num4 = number + 300;
        string asmStr = "8B-15-18-33-D4-00-8B-92-18-22-00-00-64-A1-2C-00-00-00-3E-8B-00-05-08-00-00-00-3E-89-10-8B-0D-I1-FF-15-I2-89-05-I3-C3";
        asmStr = asmStr.Replace("I1", BitConverter.ToString(BitConverter.GetBytes(num))).Replace("I2", BitConverter.ToString(BitConverter.GetBytes(num2))).Replace("I3", BitConverter.ToString(BitConverter.GetBytes(num4)));
        memory.WriteInt32(num2, vTableFuncPtr);
        memory.WriteInt32(num, Obj.BaseAddress);
        memory.WriteBytes(number, StrToBytes(asmStr));
        memory.CallFunction(number);
        int address = memory.ReadInt32(num4);
        return memory.ReadString(address, 0x20);
    }
    CallFunction, also ripped from wowbasic2.0

    Code:
    internal void CallFunction(int FuncAddress)
    {
        int hObj = _CreateRemoteThread(hProcess, 0, 0, FuncAddress, 0, 0, 0);
        WaitForSingleObject(hObj, 0x2710);
        CloseHandle(hObj);
    }
    What is interesting is that after updating the offset, it worked great, and did for a couple of days. Then all of a sudden, it starts throwing a memory read exception in WoW. I tinker with things (blindly for the most part), then it's working again. Then it's not. It's not a consistent failure, which worries me.

    I also threw in a trace write to confirm it's always the same object being checked, and it indeed is.

    Code:
    ERROR #132 (0x85100084) Fatal Exception
    Program:	C:\Program Files\World of Warcraft\WoW.exe
    Exception:	0xC0000005 (ACCESS_VIOLATION) at 0023:06480006
    
    The instruction at "0x06480006" referenced memory at "0xEB7B008E".
    The memory could not be "read".
    I could do without being able to access this function, but I'd like to be able to use other VMT methods as well - can anyone point me in the right direction to investigate? Or maybe just tell me what's going on here? Clearly it's trying to read where it shouldn't, but why shouldn't it?

    Too bad I ordered Reversing with painfully-slow 'Super Saver Shipping' lol

    Oh, and I <3 IDA (even though I don't know how to really take advantage of it yet)

  2. #2
    djvoid (Member)
    I suspect it may be a threading issue - as I'm going the event-driven approach.

  3. #3
    Shynd (Contributor)
    Wow. I mean, I just want to say right now that I honestly know where you're coming from, having been a big fan of the copy pasta for a long time, but that code is just ugly (and it's most likely not your fault, as the guy who wrote WoWBasic didn't really know what he was doing too much).

    http://www.mmowned.com/forums/wow-me...ml#post1162121. Use something like that. The 'as-yet unreleased memory library' or whatever I referenced in that post has been alpha-released here.

  4. #4
    djvoid (Member)
    Alright I'll do that, I did download that memory library, but I still have my unfounded nervousness surrounding dll injection - and looking at the code, it seemed like it was doing that heavily.

    I guess the truth of it is, I don't mind if I get caught/banned - I don't think I care nearly as much as I used to, and this is just way too interesting/fun.

    Thanks

  5. #5
    Shynd (Contributor)
    It's not injecting a dll any more than WoWBasic is, just provides the functionality if you were to do that. Both WoWBasic and that link I sent you inject a code stub into the WoW address space to call the GetName function. That's all.
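
Added example, not part of the post above and not code from either library: a defender-side check for the pattern the thread describes, a remote thread (the `_CreateRemoteThread` call in `CallFunction`) started at an address inside allocated memory rather than inside a loaded module. It assumes Sysmon Event ID 8 telemetry flattened to `Field: value` records; the sample records, image paths and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample: three Sysmon Event ID 8 (CreateRemoteThread) records,
# flattened to "Field: value" lines. Paths and addresses are made up.
SAMPLE_EVENTS = r"""
EventID: 8
SourceImage: C:\Tools\framework.exe
TargetImage: C:\Program Files\World of Warcraft\WoW.exe
StartAddress: 0x0000000006480000
StartModule: -

EventID: 8
SourceImage: C:\Tools\framework.exe
TargetImage: C:\Program Files\World of Warcraft\WoW.exe
StartAddress: 0x0000000006490000
StartModule: -

EventID: 8
SourceImage: C:\Windows\System32\csrss.exe
TargetImage: C:\Windows\System32\notepad.exe
StartAddress: 0x00007FFB1A2B3C40
StartModule: C:\Windows\System32\kernel32.dll
"""

def parse_events(text):
    """Split blank-line-separated records into dicts of field -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def is_unbacked_remote_thread(event):
    """Remote thread whose start address maps to no loaded module."""
    return event.get("EventID") == "8" and event.get("StartModule", "-") in ("", "-")

def find_stub_injection(text):
    """Count unbacked remote threads per (source image, target image) pair."""
    hits = Counter(
        (ev.get("SourceImage", "?"), ev.get("TargetImage", "?"))
        for ev in parse_events(text)
        if is_unbacked_remote_thread(ev)
    )
    return [(src, dst, n) for (src, dst), n in hits.most_common()]
```

Calling `find_stub_injection(SAMPLE_EVENTS)` returns one pair with a count of 2; the third record is skipped because its start address resolves to a module.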

  6. #6
    djvoid (Member)
    Alright, thank you - I appreciate your help

  7. #7
    bigtimt (Active Member)
    sorry to revive the old thread but i really don't think you have the right to bash me shynd seeing as half your ideas from black magic you got from looking at my source code. just because you executed my ideas better, don't make them yours.

  8. #8
    Shynd (Contributor)
    Yes, I definitely took your stupid ****ing ideas and made them my own. The only thing I did that's even remotely similar to your dumbass WoWBasic piece of crap is the FASM implementation, and even that I took further than you did and wrote entirely without looking at your code. HOLY GOD THEY SHARE AN 'AddLine' METHOD THEY OBVIOUSLY MUST BE EXACTLY THE SAME AND SINCE HE WROTE HIS AFTER MINE IT MUST BE A DIRECT RIP. Stop ****ing talking, moron.

    To be entirely clear, the only thing I got from you was the idea to re-look at FASM as a JIT assembler. I never looked at your code other than to explain how you did things to others when you couldn't be ****ed to do so yourself and I certainly never would have stolen anything from you, seeing as you do not know what you are doing.
    Last edited by Shynd; 01-13-2009 at 06:57 PM.

  9. #9
    bigtimt (Active Member)
    they share more than .Addline. that is all i have to say, ur further comments will be ignored, shouldn't have paid any attention to you downing me anyhow. even cypher and kynox didn't insult me.

  10. #10
    Shynd (Contributor)
    Exactly what do they share, other than the AddLine method? What? What's that? Nothing? That's what I thought. Anything else they share is coincidental based on how things work. Of course they're going to share some sort of OpenProcess method or maybe even an InjectDll method or something similar, but your WoWBasic POS was WoW-specific, whereas BlackMagic had no WoW-specific things in it and was built, by me, from the ground up, as a culmination of about 8-10 other classes that I had written on a by-need basis over the past 3 or 4 years. In fact, I have documented progression sitting in my projects folder. So, seriously, **** off you whiny bastard.

  11. #11
    luciferc (Contributor)
    /waits for Shynd to knife him and bigtimt why bump a ****ing 2 month old thread?

    Wow seriously stop being a retard.

    You're just like those guys who say they got a patent for Games that operate from Multiple Stations and or Networks Interconnected allowing play with each other.

  12. #12
    Apoc (Angry Penguin)
    Originally Posted by bigtimt
    they share more than .Addline. that is all i have to say, ur further comments will be ignored, shouldn't have paid any attention to you downing me anyhow. even cypher and kynox didn't insult me.
    From looking at the source... the only similarities are the AddLine method and the Win32 imports. The methods to actually read memory are the same. Why? Because there's really only 1 way to do it. Both of you get your heads out of your asses.

  13. #13
    bigtimt (Active Member)
    lol i'm gonna get laughed at for saying this but i just have sensitive feelings and do not like the way that shynd has treated me when i was just trying to help

  14. #14
    arigity (Banned)
    the Internet is full of retards, you'd be better off just ignoring them.

  15. #15
    luciferc (Contributor)
    Originally Posted by bigtimt
    lol i'm gonna get laughed at for saying this but i just have sensitive feelings and do not like the way that shynd has treated me when i was just trying to help
    Wow.... Just wow
