  1. #1 Fraak (Member)

    Virtual functions

    Ok here we go, my first post and cry for help I am afraid.

    First of all, I probably don't know half as much as I should before trying this, but imho the best way to learn things is just go and try. Then when you get a problem start reading..... and then read some more, and maybe if you really really can't find it, well, then start asking.

    The asking part, yep, that's where I am now.

    I got the following code: (more or less shamefully ripped from these forums)
    Code:
            // Executes a virtual function of the object at baseAddr inside the client
            // by injecting a small code cave (wowObj is a BlackMagic instance).
            public uint CallFunction(uint baseAddr, uint vFunc)
            {
                Console.WriteLine("Client CallFunc.");
    
                wowObj.Asm.Clear();
                uint codeCave = wowObj.AllocateMemory(0x1000);   // scratch memory for the injected code
    
                // Copy the client's thread-local value into the injected thread's TLS
                // block so the called function finds the state it expects.
                wowObj.Asm.AddLine("mov EDX, [0x011CA260]");
                wowObj.Asm.AddLine("mov EDX, [EDX+0x2864]");
                wowObj.Asm.AddLine("FS mov EAX, [0x2C]");        // FS:[0x2C] = TEB ThreadLocalStoragePointer
                wowObj.Asm.AddLine("mov EAX, [EAX]");
                wowObj.Asm.AddLine("add EAX, 8");
                wowObj.Asm.AddLine("mov [EAX], edx");
                // __thiscall: object pointer goes in ECX, then call the function
                wowObj.Asm.AddLine("mov ecx, {0}", baseAddr);
                wowObj.Asm.AddLine("call {0}", vFunc);
                wowObj.Asm.AddLine("retn");
    
                Console.WriteLine("BaseAddress: {0:X}", baseAddr);
                Console.WriteLine("CodeCave: {0:X}", codeCave);
                Console.WriteLine("vFunc: {0:X}", vFunc);
                // Writes the assembled bytes into the cave and runs them on a new thread
                uint interact = wowObj.Asm.InjectAndExecute(codeCave);
                Console.WriteLine("Interact: {0:X}", interact);
                wowObj.FreeMemory(codeCave);
    
                return interact;
            }
    wowObj is a BlackMagic object. Also I have set the debug privileges to true for the object and directly with Process.EnterDebugMode();

    Now everything up till "uint interact = wowObj.Asm.InjectAndExecute(codeCave);" works flawlessly.
    At that line I get the following exception: "Exception: 0xC0000005 (ACCESS_VIOLATION) at 0023:0ADD0000". As suggested by the ACCESS_VIOLATION part I assume this is some compiler setting. However I have NO idea what it could be.

    Btw I got the memory reading part working flawlessly (which was hard enough).

    I hope that I gave enough information to get a sensible answer or a kick in the right direction.

    P.s. forgot to mention I am programming in c# (as you might see).

  2. #2 cenron (Member)
    EDIT: Info not related to this post. Can someone please delete this.
    Last edited by cenron; 12-07-2008 at 05:32 PM.

  3. #3 Nesox (★ Elder ★)
    Originally Posted by Fraak: (post #1, quoted in full)
    you need to move the address of the call into eax before you call it
    ie.
    Code:
    __asm
    {
           mov ecx, baseadress
           mov eax, vmt36
           call eax
    }

  4. #4 Shynd (Contributor)
    First tip: pay no ****ing attention to cenron. Naked functions in C#, handle the stack clean up on a __thiscall, incremental linking in managed code... shut the buttfack up.

    Now then, what are you passing to the second parameter, vFunc?

    If you're passing the actual address of the virtual function, I would suggest single-stepping through your code past where fasmdll_managed injects the code but before it creates the execution thread, then look at your codecave in OLLYDBG. Set a breakpoint on the first line of your codecave, then F5 in your C# IDE to allow the thread to be created. Single-step through your code in OLLY until you figure out where the exception is being thrown, then re-post with how your codecave appears and tell us where the exception happens. Most likely, however, you'll be able to figure it out before then.


    Edit: No you don't, Nesox. FASM takes care of that as long as you use .Asm.Inject(AndExecute[Ex]). He's doing it correctly as long as he's passing the correct address.
    Last edited by Shynd; 12-07-2008 at 04:56 PM.

  5. #5 Fraak (Member)
    Originally Posted by cenron:
    What does your codecave code look like? You know your functions have to be naked. Also you need to handle the stack clean up. Also turn on incremental linking.
    Although I am not sure what uint interact = wowObj.Asm.InjectAndExecute(codeCave); does with my codecave, my guess would be that it uses that space to load the ASM into memory.

    About cleaning I have no idea, and although I found quite a bit about incremental linking for C++ I can't seem to find anything to enable that in C#, if it even exists for managed code (which I think it doesn't).

  6. #6 cenron (Member)
    Originally Posted by Fraak: (post #5, quoted in full)
    As Shynd so nicely stated, ignore my post. It's not info that relates to you and your question. Sorry if I confused you.
    Last edited by cenron; 12-07-2008 at 05:34 PM.

  7. #7 hypnodok (Member)
    How do you call the function (Callfunction(uint,uint))?

  8. #8 Shamun (Member)
    Code:
    CallFunction(obj_baseAddress, 36 * 4);
    Here is an example of how I use this function in my code.
    It interacts with an object. (I've a familiar function)

    My function recalculates the VFunc like this:
    Code:
    VFunc = ReadUInt(ReadUInt(obj_baseAddress) + VFunc);
    Last edited by Shamun; 12-07-2008 at 06:51 PM.

  9. #9 Fraak (Member)
    I don't have any experience with OllyDBG but I'm trying it out now and trying to find some tutorials.

    I got the following info so far (by printing to console)
    I am running my code like this:
    Code:
        uint vFunc = client.ReadUInt(client.ReadUInt(BaseAddress) + (method * 4));
    Where method is 36 (Interact)

    Although they change of course, in this case:
    vFunc addr: 00672100
    Base addr: 17892C10
    Codecave addr: 06870000

    Do they look valid?

  10. #10 lanman92 (Active Member)
    Why don't you just try it yourself? That's probably the easiest way to find out if 'they're right'.

  11. #11 Fraak (Member)
    Well I am trying, I am the only one who can. You can't force those addresses to be the Interact method (well you can but that would be silly).

    The question is not to try them, it's if they look correct? I have no idea what those addresses "should" look like. If you even can see anything from them.

  12. #12 Fraak (Member)
    Ok, I managed to get the content of my codeCave. It contains the following.
    Code:
    CPU Disasm
    Address   Hex dump          Command                                  Comments
    06560000    8B15 5AA2C6FA   MOV EDX,DWORD PTR DS:[FAC6A25A]
    06560006    67:8B92 6428    MOV EDX,DWORD PTR SS:[BP+SI+2864]
    0656000B    0000            ADD BYTE PTR DS:[EAX],AL
    0656000D    64:8B05 1800AAF MOV EAX,DWORD PTR FS:[F9AA0018]
    06560014    67:8B00         MOV EAX,DWORD PTR DS:[BX+SI]
    06560017    83C0 08         ADD EAX,8
    0656001A    67:8910         MOV DWORD PTR DS:[BX+SI],EDX
    0656001D    B9 484D9D17     MOV ECX,179D4D48
    06560022    E8 D92011FA     CALL 00672100
    06560027    C3              RETN
    
    Where 00672100 leads to
    CPU Disasm (MY guess the Interact method)
    Address   Hex dump          Command                                  Comments
    00672100  /.  55            PUSH EBP
    00672101  |.  8BEC          MOV EBP,ESP
    00672103  |.  81EC A8020000 SUB ESP,2A8
    00672109  |.  56            PUSH ESI
    0067210A  |.  57            PUSH EDI
    0067210B  |.  8BF9          MOV EDI,ECX
    0067210D  |.  E8 FE99DFFF   CALL 0046BB10
    00672112  |.  68 86000000   PUSH 86
    00672117  |.  68 C8BF9600   PUSH OFFSET Wow.0096BFC8                 ; ASCII "f:\buildserver\bs2\work\wow-code\branches\wow-patch-3_0_3-branch\wow\source\object\objectclient\Player_C.h"
    0067211C  |.  6A 10         PUSH 10
    0067211E  |.  52            PUSH EDX
    0067211F  |.  50            PUSH EAX
    00672120  |.  E8 9BB2DFFF   CALL 0046D3C0
    00672125  |.  8BF0          MOV ESI,EAX
    00672127  |.  83C4 14       ADD ESP,14
    0067212A  |.  85F6          TEST ESI,ESI
    0067212C  |.  0F84 31030000 JE 00672463
    00672132  |.  8B86 08010000 MOV EAX,DWORD PTR DS:[ESI+108]
    00672138  |.  8378 44 00    CMP DWORD PTR DS:[EAX+44],0
    0067213C  |.  0F8E 21030000 JLE 00672463
    00672142  |.  F686 C8250000 TEST BYTE PTR DS:[ESI+25C8],01
    00672149  |.  53            PUSH EBX
    0067214A  |.  74 26         JE SHORT 00672172
    0067214C  |.  8B16          MOV EDX,DWORD PTR DS:[ESI]
    0067214E  |.  8B42 30       MOV EAX,DWORD PTR DS:[EDX+30]
    00672151  |.  8BCE          MOV ECX,ESI
    00672153  |.  FFD0          CALL EAX
    00672155  |.  8BCE          MOV ECX,ESI
    00672157  |.  8BD8          MOV EBX,EAX
    00672159  |.  8955 FC       MOV DWORD PTR SS:[LOCAL.2],EDX
    0067215C  |.  E8 1F21E3FF   CALL 004A4280                            ; [Wow.004A4280
    00672161  |.  3BC3          CMP EAX,EBX
    00672163  |.  0F85 A8020000 JNE 00672411
    00672169  |.  3B55 FC       CMP EDX,DWORD PTR SS:[LOCAL.2]
    0067216C  |.  0F85 9F020000 JNE 00672411
    00672172  |>  8BCE          MOV ECX,ESI
    00672174  |.  E8 7771FBFF   CALL 006292F0                            ; [Wow.006292F0
    00672179  |.  0FB6D8        MOVZX EBX,AL
    0067217C  |.  85DB          TEST EBX,EBX
    0067217E  |.  0F84 F9010000 JE 0067237D
    00672184  |.  8B87 08010000 MOV EAX,DWORD PTR DS:[EDI+108]
    0067218A  |.  8378 44 00    CMP DWORD PTR DS:[EAX+44],0
    0067218E  |.  0F8F C6010000 JG 0067235A
    00672194  |.  8B90 20010000 MOV EDX,DWORD PTR DS:[EAX+120]
    0067219A  |.  C1EA 05       SHR EDX,5
    0067219D  |.  F6C2 01       TEST DL,01
    006721A0  |.  0F85 B4010000 JNE 0067235A
    006721A6  |.  8BCE          MOV ECX,ESI
    006721A8  |.  E8 83A8DFFF   CALL 0046CA30                            ; [Wow.0046CA30
    006721AD  |.  84C0          TEST AL,AL
    006721AF  |.  0F84 A5010000 JE 0067235A
    006721B5  |.  E8 66841500   CALL 007CA620
    006721BA  |.  50            PUSH EAX                                 ; /Arg1
    006721BB  |.  8BCF          MOV ECX,EDI                              ; |
    006721BD  |.  E8 EE80FEFF   CALL 0065A2B0                            ; \Wow.0065A2B0
    006721C2  |.  85C0          TEST EAX,EAX
    006721C4  |.  74 5C         JE SHORT 00672222
    006721C6  |.  8B06          MOV EAX,DWORD PTR DS:[ESI]
    006721C8  |.  8B90 14010000 MOV EDX,DWORD PTR DS:[EAX+114]
    006721CE  |.  8BCE          MOV ECX,ESI
    006721D0  |.  FFD2          CALL EDX
    006721D2  |.  85C0          TEST EAX,EAX
    006721D4  |.  74 14         JE SHORT 006721EA
    006721D6  |.  8BCE          MOV ECX,ESI
    006721D8  |.  E8 F3B1FEFF   CALL 0065D3D0                            ; [Wow.0065D3D0
    006721DD  |.  84C0          TEST AL,AL
    006721DF  |.  74 2D         JE SHORT 0067220E
    006721E1  |.  6A 00         PUSH 0                                   ; /Arg1 = 0
    006721E3  |.  8BCE          MOV ECX,ESI                              ; |
    006721E5  |.  E8 96C5FBFF   CALL 0062E780                            ; \Wow.0062E780
    006721EA  |>  E8 11C8E2FF   CALL 0049EA00                            ; [Wow.0049EA00
    006721EF  |.  50            PUSH EAX                                 ; /Arg1
    006721F0  |.  8BCE          MOV ECX,ESI                              ; |
    006721F2  |.  E8 D9F4FAFF   CALL 006216D0                            ; \Wow.006216D0
    006721F7  |.  8BCE          MOV ECX,ESI
    006721F9  |.  E8 C21FFFFF   CALL 006641C0
    006721FE  |.  8BCE          MOV ECX,ESI
    00672200  |.  50            PUSH EAX                                 ; /Arg2
    00672201  |.  57            PUSH EDI                                 ; |Arg1
    00672202  |.  E8 6999FBFF   CALL 0062BB70                            ; \Wow.0062BB70
    00672207  |.  5B            POP EBX
    00672208  |.  5F            POP EDI
    00672209  |.  5E            POP ESI
    0067220A  |.  8BE5          MOV ESP,EBP
    0067220C  |.  5D            POP EBP
    0067220D  |.  C3            RETN
    0067220E  |>  68 8A000000   PUSH 8A
    00672213  |.  E8 F884E3FF   CALL 004AA710
    00672218  |.  83C4 04       ADD ESP,4
    0067221B  |.  5B            POP EBX
    0067221C  |.  5F            POP EDI
    0067221D  |.  5E            POP ESI
    0067221E  |.  8BE5          MOV ESP,EBP
    00672220  |.  5D            POP EBP
    00672221  |.  C3            RETN
    00672222  |>  8B87 08010000 MOV EAX,DWORD PTR DS:[EDI+108]
    00672228  |.  8B88 D0000000 MOV ECX,DWORD PTR DS:[EAX+0D0]
    0067222E  |.  C1E9 1A       SHR ECX,1A
    00672231  |.  F6C1 01       TEST CL,01
    00672234  |.  0F84 28020000 JE 00672462
    0067223A  |.  57            PUSH EDI                                 ; /Arg1
    0067223B  |.  E8 50B2E5FF   CALL 004CD490                            ; \Wow.004CD490
    00672240  |.  83C4 04       ADD ESP,4
    00672243  |.  85C0          TEST EAX,EAX
    00672245  |.  0F84 17020000 JE 00672462
    0067224B  |.  8B57 08       MOV EDX,DWORD PTR DS:[EDI+8]
    0067224E  |.  8B42 08       MOV EAX,DWORD PTR DS:[EDX+8]
    00672251  |.  C1E8 04       SHR EAX,4
    00672254  |.  A8 01         TEST AL,01
    00672256  |.  74 2B         JE SHORT 00672283
    00672258  |.  6A 00         PUSH 0                                   ; /Arg2 = 0
    0067225A  |.  57            PUSH EDI                                 ; |Arg1
    0067225B  |.  8BCE          MOV ECX,ESI                              ; |
    0067225D  |.  E8 BE75FFFF   CALL 00669820                            ; \Wow.00669820
    00672262  |.  84C0          TEST AL,AL
    00672264  |.  0F85 F8010000 JNE 00672462
    0067226A  |.  6A 01         PUSH 1                                   ; /Arg3 = 1
    0067226C  |.  8BCE          MOV ECX,ESI                              ; |
    0067226E  |.  E8 4D1FFFFF   CALL 006641C0                            ; |
    00672273  |.  8BCE          MOV ECX,ESI                              ; |
    00672275  |.  50            PUSH EAX                                 ; |Arg2
    00672276  |.  57            PUSH EDI                                 ; |Arg1
    00672277  |.  E8 7465FBFF   CALL 006287F0                            ; \Wow.006287F0
    0067227C  |.  5B            POP EBX
    0067227D  |.  5F            POP EDI
    0067227E  |.  5E            POP ESI
    0067227F  |.  8BE5          MOV ESP,EBP
    00672281  |.  5D            POP EBP
    00672282  |.  C3            RETN
    00672283  |>  8D8D 58FDFFFF LEA ECX,[LOCAL.171]
    00672289  |.  33DB          XOR EBX,EBX
    0067228B  |.  E8 90D41900   CALL 0080F720
    00672290  |.  8D8D 58FDFFFF LEA ECX,[LOCAL.171]
    00672296  |.  51            PUSH ECX                                 ; /Arg2 => OFFSET LOCAL.171
    00672297  |.  57            PUSH EDI                                 ; |/Arg1
    00672298  |.  E8 F3B1E5FF   CALL 004CD490                            ; |\Wow.004CD490
    0067229D  |.  83C4 04       ADD ESP,4                                ; |
    006722A0  |.  50            PUSH EAX                                 ; |Arg1
    006722A1  |.  B9 40FBFC00   MOV ECX,OFFSET Wow.00FCFB40              ; |
    006722A6  |.  E8 F559DFFF   CALL 00467CA0                            ; \Wow.00467CA0
    006722AB  |.  33C0          XOR EAX,EAX
    006722AD  |.  B9 5F000000   MOV ECX,5F
    006722B2  |>  398C85 68FEFF /CMP DWORD PTR SS:[EAX*4+EBP-198],ECX
    006722B9  |.  74 0A         |JE SHORT 006722C5
    006722BB  |.  83C0 01       |ADD EAX,1
    006722BE  |.  83F8 03       |CMP EAX,3
    006722C1  |.^ 72 EF         \JB SHORT 006722B2
    006722C3  |.  EB 21         JMP SHORT 006722E6
    006722C5  |>  6A 00         PUSH 0                                   ; /Arg7 = 0
    006722C7  |.  6A 00         PUSH 0                                   ; |Arg6 = 0
    006722C9  |.  6A 00         PUSH 0                                   ; |Arg5 = 0
    006722CB  |.  8D55 FC       LEA EDX,[LOCAL.2]                        ; |
    006722CE  |.  52            PUSH EDX                                 ; |Arg4 => OFFSET LOCAL.2
    006722CF  |.  8D4D F4       LEA ECX,[LOCAL.4]                        ; |
    006722D2  |.  51            PUSH ECX                                 ; |Arg3 => OFFSET LOCAL.4
    006722D3  |.  50            PUSH EAX                                 ; |Arg2
    006722D4  |.  8D95 58FDFFFF LEA EDX,[LOCAL.171]                      ; |
    006722DA  |.  52            PUSH EDX                                 ; |Arg1 => OFFSET LOCAL.171
    006722DB  |.  E8 805E0F00   CALL 00768160                            ; \Wow.00768160
    006722E0  |.  8B5D F4       MOV EBX,DWORD PTR SS:[LOCAL.4]
    006722E3  |.  83C4 1C       ADD ESP,1C
    006722E6  |>  8B87 08010000 MOV EAX,DWORD PTR DS:[EDI+108]
    006722EC  |.  8B80 BC000000 MOV EAX,DWORD PTR DS:[EAX+0BC]
    006722F2  |.  83F8 0A       CMP EAX,0A
    006722F5  |.  7F 07         JG SHORT 006722FE
    006722F7  |.  B8 01000000   MOV EAX,1
    006722FC  |.  EB 10         JMP SHORT 0067230E
    006722FE  |>  83F8 14       CMP EAX,14
    00672301  |.  7D 08         JGE SHORT 0067230B
    00672303  |.  8D4480 CE     LEA EAX,[EAX*4+EAX-32]
    00672307  |.  03C0          ADD EAX,EAX
    00672309  |.  EB 03         JMP SHORT 0067230E
    0067230B  |>  8D0480        LEA EAX,[EAX*4+EAX]
    0067230E  |>  3BD8          CMP EBX,EAX
    00672310  |.  7D 24         JGE SHORT 00672336
    00672312  |.  8B4D 84       MOV ECX,DWORD PTR SS:[LOCAL.32]
    00672315  |.  50            PUSH EAX
    00672316  |.  51            PUSH ECX
    00672317  |.  68 EA000000   PUSH 0EA
    0067231C  |.  E8 EF83E3FF   CALL 004AA710
    00672321  |.  83C4 0C       ADD ESP,0C
    00672324  |.  8D8D 58FDFFFF LEA ECX,[LOCAL.171]
    0067232A  |.  E8 B1CFFAFF   CALL 0061F2E0
    0067232F  |.  5B            POP EBX
    00672330  |.  5F            POP EDI
    00672331  |.  5E            POP ESI
    00672332  |.  8BE5          MOV ESP,EBP
    00672334  |.  5D            POP EBP
    00672335  |.  C3            RETN
    00672336  |>  6A 01         PUSH 1                                   ; /Arg3 = 1
    00672338  |.  8BCE          MOV ECX,ESI                              ; |
    0067233A  |.  E8 811EFFFF   CALL 006641C0                            ; |
    0067233F  |.  8BCE          MOV ECX,ESI                              ; |
    00672341  |.  50            PUSH EAX                                 ; |Arg2
    00672342  |.  57            PUSH EDI                                 ; |Arg1
    00672343  |.  E8 A864FBFF   CALL 006287F0                            ; \Wow.006287F0
    00672348  |.  8D8D 58FDFFFF LEA ECX,[LOCAL.171]
    0067234E  |.  E8 8DCFFAFF   CALL 0061F2E0
    00672353  |.  5B            POP EBX
    00672354  |.  5F            POP EDI
    00672355  |.  5E            POP ESI
    00672356  |.  8BE5          MOV ESP,EBP
    00672358  |.  5D            POP EBP
    00672359  |.  C3            RETN
    0067235A  |>  57            PUSH EDI                                 ; /Arg1
    0067235B  |.  8BCE          MOV ECX,ESI                              ; |
    0067235D  |.  E8 0E76FFFF   CALL 00669970                            ; \Wow.00669970
    00672362  |.  84C0          TEST AL,AL
    00672364  |.  74 17         JE SHORT 0067237D
    00672366  |.  8BCE          MOV ECX,ESI
    00672368  |.  E8 531EFFFF   CALL 006641C0
    0067236D  |.  8BCE          MOV ECX,ESI
    0067236F  |.  50            PUSH EAX                                 ; /Arg2
    00672370  |.  57            PUSH EDI                                 ; |Arg1
    00672371  |.  E8 9AD7FBFF   CALL 0062FB10                            ; \Wow.0062FB10
    00672376  |.  5B            POP EBX
    00672377  |.  5F            POP EDI
    00672378  |.  5E            POP ESI
    00672379  |.  8BE5          MOV ESP,EBP
    0067237B  |.  5D            POP EBP
    0067237C  |.  C3            RETN
    0067237D  |>  57            PUSH EDI                                 ; /Arg1
    0067237E  |.  8BCE          MOV ECX,ESI                              ; |
    00672380  |.  E8 7B77FFFF   CALL 00669B00                            ; \Wow.00669B00
    00672385  |.  84C0          TEST AL,AL
    00672387  |.  0F84 CA000000 JE 00672457
    0067238D  |.  57            PUSH EDI                                 ; /Arg1
    0067238E  |.  8BCE          MOV ECX,ESI                              ; |
    00672390  |.  E8 FB79FFFF   CALL 00669D90                            ; \Wow.00669D90
    00672395  |.  84C0          TEST AL,AL
    00672397  |.  0F84 BA000000 JE 00672457
    0067239D  |.  8B47 08       MOV EAX,DWORD PTR DS:[EDI+8]
    006723A0  |.  8B10          MOV EDX,DWORD PTR DS:[EAX]
    006723A2  |.  8955 F8       MOV DWORD PTR SS:[LOCAL.3],EDX
    006723A5  |.  8B40 04       MOV EAX,DWORD PTR DS:[EAX+4]
    006723A8  |.  8BCE          MOV ECX,ESI
    006723AA  |.  8945 FC       MOV DWORD PTR SS:[LOCAL.2],EAX
    006723AD  |.  E8 0E1EFFFF   CALL 006641C0
    006723B2  |.  0FB6C8        MOVZX ECX,AL
    006723B5  |.  51            PUSH ECX                                 ; /Arg3
    006723B6  |.  6A 00         PUSH 0                                   ; |Arg2 = 0
    006723B8  |.  8D55 F8       LEA EDX,[LOCAL.3]                        ; |
    006723BB  |.  52            PUSH EDX                                 ; |Arg1 => OFFSET LOCAL.3
    006723BC  |.  8BCE          MOV ECX,ESI                              ; |
    006723BE  |.  E8 2D1CFCFF   CALL 00633FF0                            ; \Wow.00633FF0
    006723C3  |.  A1 3C101F01   MOV EAX,DWORD PTR DS:[11F103C]
    006723C8  |.  8B0D 38101F01 MOV ECX,DWORD PTR DS:[11F1038]
    006723CE  |.  68 EF360000   PUSH 36EF
    006723D3  |.  68 88E59600   PUSH OFFSET Wow.0096E588                 ; ASCII ".\Unit_C.cpp"
    006723D8  |.  6A 08         PUSH 8
    006723DA  |.  50            PUSH EAX
    006723DB  |.  51            PUSH ECX
    006723DC  |.  E8 DFAFDFFF   CALL 0046D3C0
    006723E1  |.  8BD8          MOV EBX,EAX
    006723E3  |.  83C4 14       ADD ESP,14
    006723E6  |.  85DB          TEST EBX,EBX
    006723E8  |.  74 27         JE SHORT 00672411
    006723EA  |.  8B43 08       MOV EAX,DWORD PTR DS:[EBX+8]
    006723ED  |.  8B4E 08       MOV ECX,DWORD PTR DS:[ESI+8]
    006723F0  |.  8B10          MOV EDX,DWORD PTR DS:[EAX]
    006723F2  |.  3B11          CMP EDX,DWORD PTR DS:[ECX]
    006723F4  |.  75 1B         JNE SHORT 00672411
    006723F6  |.  8B40 04       MOV EAX,DWORD PTR DS:[EAX+4]
    006723F9  |.  3B41 04       CMP EAX,DWORD PTR DS:[ECX+4]
    006723FC  |.  75 13         JNE SHORT 00672411
    006723FE  |.  8BCB          MOV ECX,EBX
    00672400  |.  E8 EB21E4FF   CALL 004B45F0                            ; [Wow.004B45F0
    00672405  |.  85C0          TEST EAX,EAX
    00672407  |.  75 08         JNE SHORT 00672411
    00672409  |.  57            PUSH EDI                                 ; /Arg1
    0067240A  |.  8BCB          MOV ECX,EBX                              ; |
    0067240C  |.  E8 FFDBFFFF   CALL 00670010                            ; \Wow.00670010
    00672411  |>  8BCE          MOV ECX,ESI
    00672413  |.  E8 08C9FBFF   CALL 0062ED20                            ; [Wow.0062ED20
    00672418  |.  8B8F 08010000 MOV ECX,DWORD PTR DS:[EDI+108]
    0067241E  |.  8379 44 00    CMP DWORD PTR DS:[ECX+44],0
    00672422  |.  7E 3E         JLE SHORT 00672462
    00672424  |.  85C0          TEST EAX,EAX
    00672426  |.  74 3A         JE SHORT 00672462
    00672428  |.  57            PUSH EDI                                 ; /Arg1
    00672429  |.  8BC8          MOV ECX,EAX                              ; |
    0067242B  |.  E8 6079FFFF   CALL 00669D90                            ; \Wow.00669D90
    00672430  |.  84C0          TEST AL,AL
    00672432  |.  74 2E         JE SHORT 00672462
    00672434  |.  8B7F 08       MOV EDI,DWORD PTR DS:[EDI+8]
    00672437  |.  8B17          MOV EDX,DWORD PTR DS:[EDI]
    00672439  |.  8955 F8       MOV DWORD PTR SS:[LOCAL.3],EDX
    0067243C  |.  8B47 04       MOV EAX,DWORD PTR DS:[EDI+4]
    0067243F  |.  8D4D F8       LEA ECX,[LOCAL.3]
    00672442  |.  6A 01         PUSH 1
    00672444  |.  51            PUSH ECX
    00672445  |.  8945 FC       MOV DWORD PTR SS:[LOCAL.2],EAX
    00672448  |.  E8 03E8E7FF   CALL 004F0C50
    0067244D  |.  83C4 08       ADD ESP,8
    00672450  |.  5B            POP EBX
    00672451  |.  5F            POP EDI
    00672452  |.  5E            POP ESI
    00672453  |.  8BE5          MOV ESP,EBP
    00672455  |.  5D            POP EBP
    00672456  |.  C3            RETN
    00672457  |>  85DB          TEST EBX,EBX
    00672459  |.  74 07         JE SHORT 00672462
    0067245B  |.  8BCF          MOV ECX,EDI
    0067245D  |.  E8 1E89FFFF   CALL 0066AD80                            ; [Wow.0066AD80
    00672462  |>  5B            POP EBX
    00672463  |>  5F            POP EDI
    00672464  |.  5E            POP ESI
    00672465  |.  8BE5          MOV ESP,EBP
    00672467  |.  5D            POP EBP
    00672468  \.  C3            RETN
    Now although this looks fine, I noticed that almost every time the address of my vFunc is 00672100. Could this be because I am always targeting the same object? And I didn't move or anything. Or should this be just plain wrong?
    Last edited by Fraak; 12-08-2008 at 05:02 PM.
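An added check (my code, not anything posted in the thread) over the code-cave bytes dumped in post #12. The byte array and the instruction boundaries are transcribed from the dump's "Hex dump" column, CAVE_BASE is the dump address 06560000, and the intended instructions are the ones from the C# in post #1. The check asks, for each 4-byte displacement, whether it is the intended address itself (the 32-bit absolute form) or the intended address minus the address of the following instruction (the 64-bit RIP-relative form), and counts 67h address-size prefixes, which a 32-bit assembler would not emit for these operands.

```c
/* Added analysis (not code from the thread) of the code-cave dump in post #12.
 * Bytes and instruction offsets are transcribed from the dump; CAVE_BASE is
 * the address the cave was dumped from. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define CAVE_BASE 0x06560000u

static const uint8_t cave[] = {
    0x8B, 0x15, 0x5A, 0xA2, 0xC6, 0xFA,        /* 0x00  8B 15 disp32     intended: mov edx,[0x011CA260] */
    0x67, 0x8B, 0x92, 0x64, 0x28, 0x00, 0x00,  /* 0x06  67 8B 92 disp32  intended: mov edx,[edx+0x2864] */
    0x64, 0x8B, 0x05, 0x18, 0x00, 0xAA, 0xF9,  /* 0x0D  64 8B 05 disp32  intended: mov eax,fs:[0x2C]   */
    0x67, 0x8B, 0x00,                          /* 0x14  mov eax,[eax]    (67h address-size prefix)    */
    0x83, 0xC0, 0x08,                          /* 0x17  add eax,8                                     */
    0x67, 0x89, 0x10,                          /* 0x1A  mov [eax],edx    (67h address-size prefix)    */
    0xB9, 0x48, 0x4D, 0x9D, 0x17,              /* 0x1D  mov ecx,0x179D4D48                            */
    0xE8, 0xD9, 0x20, 0x11, 0xFA,              /* 0x22  call rel32       intended: call 0x00672100    */
    0xC3,                                      /* 0x27  retn                                          */
};

/* Instruction start offsets inside the cave, as OllyDBG split them. */
static const size_t instr_start[] = { 0x00, 0x06, 0x0D, 0x14, 0x17, 0x1A, 0x1D, 0x22, 0x27 };

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 32-bit mode: "8B 15 disp32" means [disp32] is the absolute address. */
bool disp_is_absolute(size_t disp_off, uint32_t target)
{
    return read_le32(cave + disp_off) == target;
}

/* 64-bit mode: the same opcode bytes mean [rip + disp32]; the operand is
 * reached by adding disp32 to the address of the *next* instruction. */
bool disp_is_relative(size_t instr_off, size_t instr_len, size_t disp_off, uint32_t target)
{
    uint32_t next_ip = CAVE_BASE + (uint32_t)(instr_off + instr_len);
    return (uint32_t)(next_ip + read_le32(cave + disp_off)) == target;
}

/* Count 67h (address-size override) prefixes at instruction boundaries. A
 * 32-bit assembler emits none for [edx+imm] or [eax]; a 64-bit assembler
 * emits one for every memory operand that uses 32-bit registers. */
int count_addr_size_prefixes(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof instr_start / sizeof instr_start[0]; i++)
        if (cave[instr_start[i]] == 0x67) n++;
    return n;
}

/* Verdict on the dump: the memory displacements only make sense as
 * RIP-relative and 67h prefixes are present, so the bytes are the 64-bit
 * encoding of the intended 32-bit instructions. */
bool looks_like_64bit_encoding(void)
{
    return !disp_is_absolute(0x02, 0x011CA260u)
        &&  disp_is_relative(0x00, 6, 0x02, 0x011CA260u)
        &&  disp_is_relative(0x0D, 7, 0x10, 0x2Cu)
        &&  count_addr_size_prefixes() > 0;
}

int main(void)
{
    printf("call rel32 resolves to 00672100: %s\n",
           disp_is_relative(0x22, 5, 0x23, 0x00672100u) ? "yes" : "no");
    printf("mov edx,[011CA260] displacement is absolute: %s, RIP-relative: %s\n",
           disp_is_absolute(0x02, 0x011CA260u) ? "yes" : "no",
           disp_is_relative(0x00, 6, 0x02, 0x011CA260u) ? "yes" : "no");
    printf("67h prefixes found: %d\n", count_addr_size_prefixes());
    printf("dump looks like 64-bit encoding: %s\n", looks_like_64bit_encoding() ? "yes" : "no");
    return 0;
}
```

Both memory displacements in the dump equal the intended address minus the address of the following instruction, and the 67h prefixes sit exactly where a 64-bit assembler puts them for 32-bit register operands; that is why a 32-bit disassembly shows BP+SI operands and a stray ADD. The assembler evidently emitted 64-bit code into the cave. The E8 call is unaffected because rel32 calls are relative in both modes, which is why that line alone resolves correctly to 00672100.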

  13. #13 lanman92 (Active Member)
    You're doing this out of process, correct? If so, use this as a reference. It's the current patch. It sets the TLS and moves the object's base address to ecx, not sure why, I think it's __thiscall convention, but don't quote me on it. It then moves the function address to eax and calls it.

    Interact(), GetName() and other virtual functions

    EDIT: On your edit, I'm not sure about that. It isn't static, I'm almost positive of that. It's a Virtual Function.

  14. #14 Shynd (Contributor)
    Your codecave looks very, very incorrect. I don't know what's garbling your injected code, but if you figure that out I bet it'll work.

  15. #15 Cypher (Kynox's Sister's Pimp)
    1. Code caves are for suckers.
    2. You don't call vfuncs directly, you get the function pointer from the vtable pointer at offset 0x0 (ie the base) of your object.
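The recomputation Shamun and Fraak describe (VFunc = ReadUInt(ReadUInt(base) + index * 4)), lanman92's note that the object pointer travels in ECX, and Cypher's point that the vtable pointer sits at offset 0 of the object all describe the same 32-bit C++ object layout. As an added example (mine, not from the thread), the C below models that layout over a constructed memory image with a bounds-checked reader, so an unmapped or dangling pointer makes the lookup fail instead of returning an address that merely looks valid. The object base 17892C10, slot 36 and the vfunc 00672100 are the values from post #9; the vtable address, the filler slots and the module code range used by the sanity check are constructed placeholders.

```c
/* Added example (not code from the thread): the 32-bit C++ object layout
 * behind vFunc = ReadUInt(ReadUInt(base) + index*4), modelled over a
 * constructed memory image instead of a live process. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OBJECT_ADDR     0x17892C10u   /* object base from post #9 */
#define INTERACT_INDEX  36u           /* vtable slot used in posts #8 and #9 */
#define INTERACT_ADDR   0x00672100u   /* vfunc value from post #9 */
#define VTABLE_ADDR     0x00C0A000u   /* constructed: where this image keeps the vtable */
#define VTABLE_SLOTS    40u           /* constructed: number of slots in the vtable */
#define TEXT_LO         0x00401000u   /* constructed: module code range for the sanity check */
#define TEXT_HI         0x00900000u

typedef struct { uint32_t addr; uint8_t *bytes; size_t len; } region_t;

static uint8_t object_bytes[16];
static uint8_t vtable_bytes[VTABLE_SLOTS * 4];
static region_t regions[2];
static bool image_built;

static void write_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Lay out the image: the object's first dword is its vtable pointer, and the
 * vtable is an array of 4-byte code pointers (slot 36 = Interact here). */
static void build_image(void)
{
    if (image_built) return;
    for (uint32_t i = 0; i < VTABLE_SLOTS; i++)
        write_le32(vtable_bytes + 4 * i, 0x00400000u + i * 0x100u);   /* constructed filler slots */
    write_le32(vtable_bytes + 4 * INTERACT_INDEX, INTERACT_ADDR);
    memset(object_bytes, 0, sizeof object_bytes);
    write_le32(object_bytes, VTABLE_ADDR);
    regions[0] = (region_t){ OBJECT_ADDR, object_bytes, sizeof object_bytes };
    regions[1] = (region_t){ VTABLE_ADDR, vtable_bytes, sizeof vtable_bytes };
    image_built = true;
}

/* Stand-in for ReadUInt(): succeeds only if all 4 bytes are mapped, which is
 * the check a raw process read skips when the pointer is garbage. */
bool read_u32(uint32_t addr, uint32_t *out)
{
    build_image();
    for (size_t i = 0; i < 2; i++) {
        const region_t *r = &regions[i];
        if (addr >= r->addr && addr - r->addr <= r->len - 4) {
            *out = read_le32(r->bytes + (addr - r->addr));
            return true;
        }
    }
    return false;
}

/* The thread's formula: vtable = [object]; vfunc = [vtable + index*4]. */
bool vfunc_addr(uint32_t object, uint32_t index, uint32_t *out)
{
    uint32_t vtable;
    if (!read_u32(object, &vtable)) return false;
    return read_u32(vtable + index * 4u, out);
}

/* Convenience for callers that just want a value (0 = lookup failed). */
uint32_t lookup_or_zero(uint32_t object, uint32_t index)
{
    uint32_t f;
    return vfunc_addr(object, index, &f) ? f : 0;
}

/* "Do they look valid?" (post #9): a vfunc should land inside the module's
 * code section; a pointer into the heap or an unmapped range is a red flag. */
bool looks_like_code_ptr(uint32_t p)
{
    return p >= TEXT_LO && p < TEXT_HI;
}

int main(void)
{
    uint32_t f = lookup_or_zero(OBJECT_ADDR, INTERACT_INDEX);
    printf("slot %u of object %08X -> %08X (%s)\n", (unsigned)INTERACT_INDEX, (unsigned)OBJECT_ADDR,
           (unsigned)f, looks_like_code_ptr(f) ? "inside code range" : "outside code range");
    printf("slot 40 (past the table) -> %08X\n", (unsigned)lookup_or_zero(OBJECT_ADDR, 40));
    printf("unmapped object 12345678 -> %08X\n", (unsigned)lookup_or_zero(0x12345678u, INTERACT_INDEX));
    return 0;
}
```

The two-level read is the whole trick: the first dword of the object is the vtable pointer, and the vtable is just an array of code pointers indexed by slot, so slot 36 on a 32-bit build lives at vtable + 36 * 4. The function address that comes back should fall inside the module's code section, which is the quick plausibility check for the addresses Fraak asked about; the object base itself, by contrast, lives in the heap and should not.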
