  1. #16
    hypnodok's Avatar Member
    I attached the latest WowX release; you still need the DirectX SDK to compile it (I use the December 2005 version).
    Have fun.
    Edit:
    Someone (sorry, I forgot who) posted this method of obtaining the EndScene offset earlier; I haven't tested it myself. It creates a throw-away D3D9 device in the calling process, reads EndScene out of the device's vtable, and converts that into the corresponding address inside the target process.
    Code:
    #include <windows.h>
    #include <tlhelp32.h>
    #include <iostream>
    
    
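    DWORD GetProcessByExeName(const CHAR *pExeName, DWORD *pPID, DWORD Size = 1)
    {
        // Returns the number of running processes whose image name equals
        // pExeName (case-insensitive), storing up to Size of their PIDs in
        // pPID. A result larger than Size means the caller's array was too
        // small and only the first Size matches were written.
        DWORD matched = 0;

        if (NULL == pExeName)
        {
            return 0;
        }

        HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (INVALID_HANDLE_VALUE == hSnap)
        {
            return 0;
        }

        PROCESSENTRY32 PE;
        ZeroMemory(&PE, sizeof(PE));
        // Process32First fails with ERROR_INVALID_PARAMETER unless dwSize is
        // set by the caller; the original never initialised it.
        PE.dwSize = sizeof(PE);

        const int nameLen = (int)strlen(pExeName);

        for (BOOL more = Process32First(hSnap, &PE); more; more = Process32Next(hSnap, &PE))
        {
            if (CSTR_EQUAL != CompareString(LOCALE_SYSTEM_DEFAULT, NORM_IGNORECASE,
                                            pExeName, nameLen,
                                            PE.szExeFile, (int)strlen(PE.szExeFile)))
            {
                continue;
            }

            if (NULL != pPID && matched < Size)
            {
                pPID[matched] = PE.th32ProcessID;
            }
            ++matched;
        }

        // The snapshot handle was leaked by the original on every call.
        CloseHandle(hSnap);

        return matched;
    }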
    
    
    #ifndef DIRECTX9SDK_INSTALLED
    typedef DWORD D3DFORMAT;
    typedef DWORD D3DMULTISAMPLE_TYPE;

    // Minimal stand-ins for the d3d9.h values used below, so the tool builds
    // without the DirectX SDK. SDK_VERSION is what GetOffsetEndScene passes to
    // Direct3DCreate9 in place of D3D_SDK_VERSION.
    // NOTE(review): SDK_VERSION only exists inside this #ifndef, yet
    // GetOffsetEndScene uses it unconditionally - a build with
    // DIRECTX9SDK_INSTALLED defined needs it mapped to D3D_SDK_VERSION.
    const DWORD D3DADAPTER_DEFAULT = 0x00000000;
    const DWORD D3DCREATE_HARDWARE_VERTEXPROCESSING = 0x00000040;
    const DWORD D3DFMT_UNKNOWN = 0x00000000;
    const DWORD SDK_VERSION = 32;
    
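    // Device types accepted by CreateDevice; values mirror d3d9.h.
    // The original wrote `typedef enum D3DDEVTYPE {...};` with no typedef
    // name, which is a no-op MSVC flags as C4091 - the tag alone is enough
    // in C++.
    enum D3DDEVTYPE
    {
        D3DDEVTYPE_HAL = 1,
        D3DDEVTYPE_REF = 2,
        D3DDEVTYPE_SW = 3,
        D3DDEVTYPE_NULLREF = 4
    };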
    
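    // Swap-chain presentation modes; values mirror d3d9.h. Same fix as
    // D3DDEVTYPE: the stray `typedef` with no name was pointless (C4091).
    enum D3DSWAPEFFECT
    {
        D3DSWAPEFFECT_DISCARD = 1,
        D3DSWAPEFFECT_FLIP = 2,
        D3DSWAPEFFECT_COPY = 3
    };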
    
    // Presentation parameters handed straight to the real d3d9.dll via
    // CreateDevice, so field order, width and padding must match the SDK's
    // D3DPRESENT_PARAMETERS exactly - do not reorder or retype members.
    // Enum-typed SDK fields are widened to DWORD here, which has the same
    // size on this (32-bit) target.
    struct D3DPRESENT_PARAMETERS
    {
        DWORD    BackBufferWidth;
        DWORD    BackBufferHeight;
        DWORD    BackBufferFormat;
        DWORD    BackBufferCount;
        DWORD    MultiSampleType;
        DWORD    MultiSampleQuality;
        DWORD    SwapEffect;
        HWND    hDeviceWindow;
        BOOL    Windowed;
        BOOL    EnableAutoDepthStencil;
        DWORD    AutoDepthStencilFormat;
        DWORD    Flags;
        DWORD    FullScreen_RefreshRateInHz;
        DWORD    PresentationInterval;
    };
    
    // Only IUnknown is declared: GetOffsetEndScene reads the device's own
    // methods straight out of the raw vtable (slot 42 = EndScene) instead of
    // calling them, so nothing beyond Release() is needed here.
    class IDirect3DDevice9: public IUnknown {};
    
    // Just enough of the IDirect3D9 vtable to reach CreateDevice. The 13
    // placeholder slots plus IUnknown's three put CreateDevice at slot 16,
    // which is where the real d3d9.h interface has it. The placeholders are
    // never called, so their names and signatures are irrelevant - but the
    // count must not change or CreateDevice will land on the wrong slot.
    class IDirect3D9:
    public IUnknown
    {
    public:
        virtual UINT32 __stdcall Function00(void) = 0;
        virtual UINT32 __stdcall Function01(void) = 0;
        virtual UINT32 __stdcall Function02(void) = 0;
        virtual UINT32 __stdcall Function03(void) = 0;
        virtual UINT32 __stdcall Function04(void) = 0;
        virtual UINT32 __stdcall Function05(void) = 0;
        virtual UINT32 __stdcall Function06(void) = 0;
        virtual UINT32 __stdcall Function07(void) = 0;
        virtual UINT32 __stdcall Function08(void) = 0;
        virtual UINT32 __stdcall Function09(void) = 0;
        virtual UINT32 __stdcall Function10(void) = 0;
        virtual UINT32 __stdcall Function11(void) = 0;
        virtual UINT32 __stdcall Function12(void) = 0;
        // Returns an HRESULT in the real API; typed UINT32 here. The caller
        // only inspects the out-pointer, so the value is never checked.
        virtual UINT32 __stdcall CreateDevice(UINT32 Adapter, D3DDEVTYPE DeviceType, HWND hFocusWindow, UINT32 BehaviorFlags, D3DPRESENT_PARAMETERS* pPresentationParameters, IDirect3DDevice9** ppReturnedDeviceInterface)  = 0;
    };
    #endif
    
    
    // Signature of d3d9!Direct3DCreate9, resolved at runtime with
    // GetProcAddress so the tool does not have to link against d3d9.lib.
    typedef IDirect3D9* (__stdcall *Func_Direct3DCreate9)(UINT32 SDKVersion);
    
    
    // Local copy of psapi.h's MODULEINFO; it is passed by pointer to the real
    // psapi!GetModuleInformation, so the layout must match the SDK's.
    struct MODULEINFO
    {
        LPVOID lpBaseOfDll;
        DWORD SizeOfImage;
        LPVOID EntryPoint;
    };
    
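    BOOL GetModuleInformation(HANDLE hProcess, HMODULE hModule, MODULEINFO *lpmodinfo, DWORD cb)
    {
        // Runtime-bound wrapper around psapi!GetModuleInformation so the tool
        // does not need psapi.lib at link time. For a remote process hProcess
        // needs at least PROCESS_QUERY_INFORMATION | PROCESS_VM_READ.
        // Returns FALSE, like the real API, when psapi.dll or its export
        // cannot be resolved - the original called a NULL function pointer
        // in that case.
        typedef BOOL (WINAPI *wapiGetModuleInformation)(HANDLE, HMODULE, MODULEINFO *, DWORD);

        if (NULL == lpmodinfo)
        {
            return FALSE;
        }

        // NOTE(review): a bare DLL name goes through the default loader
        // search order. If this tool can run from a directory an attacker
        // writes to, pass the full system32 path instead.
        HMODULE hLib = LoadLibrary("Psapi.dll");
        if (NULL == hLib)
        {
            return FALSE;
        }

        wapiGetModuleInformation fpGetModuleInformation =
            (wapiGetModuleInformation)GetProcAddress(hLib, "GetModuleInformation");

        BOOL ok = FALSE;
        if (NULL != fpGetModuleInformation)
        {
            ok = fpGetModuleInformation(hProcess, hModule, lpmodinfo, cb);
        }

        FreeLibrary(hLib);

        return ok;
    }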
    
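    DWORD EnableDebugPriviliges()
    {
        // Enables SeDebugPrivilege in the current process token so OpenProcess
        // / Toolhelp can reach processes with a restrictive DACL or owned by
        // another account. Returns 1 on success, 0 on failure.
        //
        // The privilege can only be enabled if the token already holds it
        // (administrator / elevated). The original treated a non-zero return
        // from AdjustTokenPrivileges as success, but that API also returns
        // non-zero when it could not assign every privilege and reports
        // ERROR_NOT_ALL_ASSIGNED through GetLastError - so a standard user
        // "succeeded" here and only failed later.
        TOKEN_PRIVILEGES tp;
        ZeroMemory(&tp, sizeof(tp));

        if (!LookupPrivilegeValue(NULL, "SeDebugPrivilege", &tp.Privileges[0].Luid))
        {
            return 0;
        }

        HANDLE hToken = NULL;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        {
            return 0;
        }

        tp.PrivilegeCount = 1;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        const BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
        // Read before CloseHandle, which may overwrite the last-error value.
        const DWORD err = GetLastError();

        CloseHandle(hToken);

        return (adjusted && ERROR_SUCCESS == err) ? 1 : 0;
    }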
    
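    // Finds the load address of the module named pModuleName inside process
    // pid by walking a Toolhelp module snapshot. Returns NULL if the process
    // cannot be snapshotted or the module is not loaded there.
    static LPVOID FindRemoteModuleBase(DWORD pid, const CHAR *pModuleName)
    {
        LPVOID base = NULL;

        // Documented quirk: TH32CS_SNAPMODULE can fail transiently with
        // ERROR_BAD_LENGTH and should simply be retried.
        // NOTE(review): a 32-bit build cannot snapshot a 64-bit target this
        // way (ERROR_PARTIAL_COPY); the game is assumed to be 32-bit here.
        HANDLE hSnap = INVALID_HANDLE_VALUE;
        for (int attempt = 0; attempt < 5 && INVALID_HANDLE_VALUE == hSnap; ++attempt)
        {
            hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
            if (INVALID_HANDLE_VALUE == hSnap && ERROR_BAD_LENGTH != GetLastError())
            {
                break;
            }
        }
        if (INVALID_HANDLE_VALUE == hSnap)
        {
            return NULL;
        }

        MODULEENTRY32 ME;
        ZeroMemory(&ME, sizeof(ME));
        ME.dwSize = sizeof(ME);   // required by Module32First

        const int nameLen = (int)strlen(pModuleName);
        for (BOOL more = Module32First(hSnap, &ME); more; more = Module32Next(hSnap, &ME))
        {
            if (CSTR_EQUAL == CompareString(LOCALE_SYSTEM_DEFAULT, NORM_IGNORECASE,
                                            pModuleName, nameLen,
                                            ME.szModule, (int)strlen(ME.szModule)))
            {
                base = ME.modBaseAddr;
                break;
            }
        }

        CloseHandle(hSnap);
        return base;
    }

    void* GetOffsetEndScene(void)
    {
        // Returns the absolute address of IDirect3DDevice9::EndScene as seen
        // by the first running "wow.exe", or NULL on any failure.
        //
        // Method: create a throw-away D3D9 device in *this* process, read
        // vtable slot 42 (EndScene), turn it into an RVA relative to our own
        // d3d9.dll, then add the base of d3d9.dll as loaded in the target.
        //
        // The original re-used our local HMODULE - already passed to
        // FreeLibrary - as the module handle for the remote lookup, which only
        // works while d3d9.dll happens to share one base address in both
        // processes, and it opened the target with PROCESS_ALL_ACCESS. The
        // module is now located in the target by name via Toolhelp, which
        // needs no explicit OpenProcess at all.
        DWORD PID = 0;
        if (0 == GetProcessByExeName("wow.exe", &PID))
        {
            return NULL;
        }

        HMODULE hLib = LoadLibrary("d3d9.dll");
        if (NULL == hLib)
        {
            return NULL;
        }

        Func_Direct3DCreate9 MyDirect3DCreate9 =
            (Func_Direct3DCreate9)GetProcAddress(hLib, "Direct3DCreate9");

        // Everything the success path reads is initialised up front, so a
        // failed CreateDevice no longer leaves pEndScene / the device pointer
        // holding stack garbage as it did in the original.
        void *pEndScene = NULL;
        MODULEINFO localInfo;
        ZeroMemory(&localInfo, sizeof(localInfo));
        BOOL haveLocalInfo = FALSE;

        // Windowed CreateDevice needs some window to present to.
        HWND hWnd = CreateWindowEx(0, "BUTTON", "BUTTON", 0, 0, 0, 0, 0, NULL, NULL, NULL, NULL);

        if (NULL != MyDirect3DCreate9 && NULL != hWnd)
        {
            IDirect3D9 *pDirect3D = MyDirect3DCreate9(SDK_VERSION);
            if (NULL != pDirect3D)
            {
                D3DPRESENT_PARAMETERS PP;
                ZeroMemory(&PP, sizeof(PP));
                PP.Windowed = TRUE;
                PP.SwapEffect = D3DSWAPEFFECT_DISCARD;
                PP.BackBufferFormat = D3DFMT_UNKNOWN;

                IDirect3DDevice9 *pDirect3DDevice = NULL;
                pDirect3D->CreateDevice(D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL, hWnd,
                                        D3DCREATE_HARDWARE_VERTEXPROCESSING, &PP, &pDirect3DDevice);
                if (NULL != pDirect3DDevice)
                {
                    // vtable slot 42 of IDirect3DDevice9 is EndScene.
                    pEndScene = (*reinterpret_cast<void***>(pDirect3DDevice))[42];
                    pDirect3DDevice->Release();
                }

                pDirect3D->Release();
            }
        }

        if (NULL != pEndScene)
        {
            // Must happen while hLib is still loaded.
            haveLocalInfo = GetModuleInformation(GetCurrentProcess(), hLib, &localInfo, sizeof(localInfo));
        }

        FreeLibrary(hLib);
        if (NULL != hWnd)
        {
            DestroyWindow(hWnd);
        }

        if (NULL == pEndScene || !haveLocalInfo)
        {
            return NULL;
        }

        // The slot must point inside our own d3d9.dll image, otherwise the
        // RVA arithmetic is meaningless (e.g. another overlay already hooked
        // EndScene in this process).
        const DWORD_PTR rva = (DWORD_PTR)pEndScene - (DWORD_PTR)localInfo.lpBaseOfDll;
        if (rva >= localInfo.SizeOfImage)
        {
            return NULL;
        }

        // Best effort: only matters when the target runs under another
        // account or with a restrictive DACL.
        EnableDebugPriviliges();

        LPVOID remoteBase = FindRemoteModuleBase(PID, "d3d9.dll");
        if (NULL == remoteBase)
        {
            return NULL;
        }

        return (void*)((DWORD_PTR)remoteBase + rva);
    }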
    
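    int main(void)
    {
        // Prints the EndScene address as the target process sees it (hex,
        // via operator<< on void*). Exits 1 when the lookup fails so a
        // caller can tell "0" apart from a real address.
        void *pEndScene = GetOffsetEndScene();
        if (NULL == pEndScene)
        {
            std::cerr << "EndScene not found (wow.exe not running, D3D9 device "
                         "creation failed, or d3d9.dll not loaded in target)" << std::endl;
            return 1;
        }

        std::cout << pEndScene << std::endl;

        return 0;
    }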
    Last edited by hypnodok; 01-07-2009 at 11:36 AM.

  2. #17
    hypnodok's Avatar Member
    All right, I just took the time to test it and I can confirm that the above code works.
    Kudos go to whoever posted this here; this is the code I'm using:
    Code:
    // Signature of IDirect3DDevice9::EndScene as a plain __stdcall function
    // taking the explicit this-pointer.
    typedef HRESULT ( WINAPI * tEndScene )( IDirect3DDevice9 * pThis );
    // Set by HotKeys: 0 until the detour is installed, then the trampoline
    // DetourFunction returned, which hook_EndScene calls through.
    tEndScene oEndScene = 0;
    
    // Replacement for IDirect3DDevice9::EndScene. Per-frame work would go
    // here, before handing control back to the real implementation through
    // the trampoline stored in oEndScene.
    HRESULT WINAPI hook_EndScene( IDirect3DDevice9 * pThis )
    {
        const HRESULT result = oEndScene(pThis);
        return result;
    }
    
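    void HotKeys(void)
    {
        // Polled hotkeys: F8 installs the EndScene detour, F7 removes it and
        // unloads the DLL. Only bit 15 of GetAsyncKeyState means "key is down
        // now"; the original tested the whole SHORT, which also fires on the
        // stale "pressed since last call" bit (bit 0).
        if (GetAsyncKeyState(VK_F8) & 0x8000)
        {
            if (0 != oEndScene)
            {
                // Already hooked. Detouring the same address again would
                // chain a detour onto the detour and lose the first
                // trampoline, so F7 could never fully unhook.
                Debug("EndScene already detoured");
                return;
            }

            Debug("Trying to get Endscene offset");

            void *endScene = GetOffsetEndScene();
            char buffer[50];
            Debug(itoa((int)(DWORD_PTR)endScene, buffer, 16));

            if (0 == endScene)
            {
                Debug("EndScene offset not found");
                return;
            }

            Debug("Detouring EndScene");
            PBYTE orig = DetourFunction((PBYTE)endScene, (PBYTE)hook_EndScene);
            if (0 == orig)
            {
                // oEndScene stays 0, so F7 will not try to remove a detour
                // that was never installed.
                Debug("DetourFunction failed");
                return;
            }

            // orig is the trampoline (saved prologue + jump back into the
            // real EndScene); hook_EndScene calls through it.
            // NOTE(review): there is a tiny window between the detour going
            // live and this store in which the render thread could enter
            // hook_EndScene with oEndScene still 0.
            oEndScene = reinterpret_cast<tEndScene>(orig);
            Debug("EndScene detoured");
        }
        else if (GetAsyncKeyState(VK_F7) & 0x8000)
        {
            if (0 != oEndScene)
            {
                // DetourRemove takes the trampoline and the detour function.
                DetourRemove((PBYTE)oEndScene, (PBYTE)hook_EndScene);
                oEndScene = 0;
            }

            Debug("Dll detached");
            // NOTE(review): nothing waits for the render thread to leave
            // hook_EndScene before the DLL is unmapped here, so a crash on
            // unload is possible.
            FreeLibraryAndExitThread(dllModule, 0);
        }
    }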
    I removed the irrelevant parts; give me a shout if this doesn't compile.

  3. #18
    typedef's Avatar Banned
    Well, I don't want to get too deep into this, because I am not a qualified "WoW hackzor" — correct me if I am wrong, which may very well be likely — but the World of Warcraft scripts that are private, such as /script WITH_GUILDBANK(99999); and so on, cannot be run from a regular client; it is a private member function. So you would have to change the member function to a public one. I would mess around with those functions, though.

  4. #19
    Bobbysing's Avatar Member
    This has nothing to do with private member functions (C++ access specifiers are enforced by the compiler only; they do not exist at runtime).

    What you mean is that some Lua functions are protected. You can easily get around the protection by having a look at a protected function in a disassembler. You will notice that there's an additional call that checks if the function was called from "signed" code. Patch / restore it before and after executing your Lua string and you are fine.

  5. #20
    Sillyboy72's Avatar Member
    Since I am now crashing on injection, bringing this thread back...

    Question: when people say "main thread", what does that actually mean? How do you choose which thread is the "main" one?

    I assume people just pick the first thread, but that seems rather arbitrary.

  6. #21
    Sillyboy72's Avatar Member
    Hmm, I mostly take it back. While it is certainly arbitrary, as a practical matter the first thread returned by the Toolhelp snapshot APIs really is the thread that "does stuff" in WoW. Suspending it made a big difference in my crash rate. (Snapshot order is not documented as creation order, so treat this as a heuristic rather than a guarantee.)
