Timing inside WoW(ASM) menu

#1 lanman92 (Active Member)

    Timing inside WoW(ASM)

    Alright, I'm making a new hack that will have a bunch of movement modding stuff in it... I need a way to do looping in ASM, but I don't want to consume a lot of CPU power. I was thinking about hijacking WoW's Sleep method (at 0x97A140) but I highly doubt this will work. I'm not even sure if that's the actual method or just an array of the procedures' addresses in the external dll... Will this work? If it won't, I won't bother trying to do it. Also, the new movementState1 is offset 0x44, and the 2nd one is at 0x48. Just a little fun fact. Here's my code (I'd rather not hear complaints of ugliness =/)

    Code:
    onoff = bm.AllocateMemory(0x256);
    bm.WriteByte(onoff, 0x0);
    codecave = bm.AllocateMemory(0x1024);
    bm.Asm.Clear();
    bm.Asm.AddLine("Start:");
    bm.Asm.AddLine("mov eax, {0}", onoff);
    bm.Asm.AddLine("cmp eax, 0");
    bm.Asm.AddLine("je Sleep");
    bm.Asm.AddLine("cmp eax, 2");
    bm.Asm.AddLine("je Quit");
    bm.Asm.AddLine("mov eax, {0}", player.address);
    bm.Asm.AddLine("mov eax, [eax + 0xD8]");
    bm.Asm.AddLine("mov [eax + 0x40], 0x80000000");
    bm.Asm.AddLine("Sleep:");
    bm.Asm.AddLine("push 0x5");
    bm.Asm.AddLine("call 0x97A140");
    bm.Asm.AddLine("add esp, 0x4");
    bm.Asm.AddLine("jmp Start");
    bm.Asm.AddLine("Quit:");
    bm.Asm.AddLine("xor eax, eax");
    bm.Asm.AddLine("retn");
    bm.Asm.InjectAndExecute(codecave);

#2 Robske (Contributor)
    That sounds like a fun concept going to test/play around with it once EU servers get back up. Can even register it as your own console command. /Console ToggleSkyWalk, hell yes!

    It's going to lolcrash on zoning though.

    Just noticed:
    Code:
    onoff = bm.AllocateMemory(0x256);
    <snip>
    bm.Asm.AddLine("mov eax, {0}", onoff);
    bm.Asm.AddLine("cmp eax, 0")
    Will always be false, won't it?
    Last edited by Robske; 04-17-2009 at 07:48 AM.
    "Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live." - Martin Golding
    "I cried a little earlier when I had to poop" - Sku

#3 SKU (Contributor)
    bm.Asm.AddLine("mov eax, {0}", onoff);

    This only moves the pointer to the codecave into eax, not its value. Or did I get its purpose wrong?

#4 Cypher (Kynox's Sister's Pimp)
    Why do you need to hijack anything? Just call Sleep using the function pointer in the IAT....

#5 lanman92 (Active Member)
    Whoops, messed up there. I guess I'll look on how to do that, Cypher.

#6 Oowafas (Member)
    Correct me if I'm wrong, but the Windows Sleep function will always load at the same address (because it is in kernel32.dll), so you can just call it with its address.

#7 SKU (Contributor)
    Originally Posted by lanman92:
    Whoops, messed up there. I guess I'll look on how to do that, Cypher.
    mov eax, dword [0x97A140]
    push 0xbeef ; ms
    call eax ; sleep

    If you're using Olly:

    Click on the "M" button, scroll until you see "400000 | 1000 | WoW | | PE Header"
    Double click that line, a new window should appear.
    Scroll down till you see this:

    Code:
    00400110    50 45 00 00>ASCII "PE"           ; PE signature (PE)
    00400114    4C01        DW 014C              ; Machine = IMAGE_FILE_MACHINE_I386
    00400116    0600        DW 0006              ;  NumberOfSections = 6
    00400118    F3A4D649    DD 49D6A4F3          ;  TimeDateStamp = 49D6A4F3
    0040011C    00000000    DD 00000000          ;  PointerToSymbolTable = 0
    00400120    00000000    DD 00000000          ;  NumberOfSymbols = 0
    00400124    E000        DW 00E0              ;  SizeOfOptionalHeader = E0 (224.)
    00400126    0301        DW 0103              ;  Characteristics = EXECUTABLE_IMAGE|32BIT_MACHINE|RELOCS_STRIPPED
    00400128    0B01        DW 010B              ; MagicNumber = PE32
    0040012A    08          DB 08                ;  MajorLinkerVersion = 8
    0040012B    00          DB 00                ;  MinorLinkerVersion = 0
    0040012C    00885700    DD 00578800          ;  SizeOfCode = 578800 (5736448.)
    00400130    0086AB00    DD 00AB8600          ;  SizeOfInitializedData = AB8600 (11240960.)
    00400134    00000000    DD 00000000          ;  SizeOfUninitializedData = 0
    00400138    00100000    DD 00001000          ;  AddressOfEntryPoint = 1000
    0040013C    00100000    DD 00001000          ;  BaseOfCode = 1000
    00400140    00A05700    DD 0057A000          ;  BaseOfData = 57A000
    00400144    00004000    DD 00400000          ; ImageBase = 400000
    00400148    00100000    DD 00001000          ;  SectionAlignment = 1000
    0040014C    00020000    DD 00000200          ;  FileAlignment = 200
    
    <snip>
    
    
    004001DC    00000000    DD 00000000          ;  Load Config Table size = 0
    004001E0    00000000    DD 00000000          ;  Bound Import Table address = 0
    004001E4    00000000    DD 00000000          ;  Bound Import Table size = 0
    004001E8    00A05700    DD 0057A000          ;  Import Address Table address = 57A000
    004001EC    2C070000    DD 0000072C          ;  Import Address Table size = 72C (1836.)
    The import address table address is relative to the base:
    Code:
    Image Base                   = 0x00400000
    Import Address Table address = 0x0057A000
    --------------------------------------------
    sum                          = 0x0097A000
    "Goto.." -> 0x0097A000

    You're now at the start of the IAT.

    If you scroll a while down you'll eventually find "DD kernel32.Sleep" (at 0x97A140 )

    No idea if that's the correct way to interpret this though, keep your flames gentle!
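An added example, not code from this thread or from any poster: a small Python parser that does what the walk-through above does by hand, reading ImageBase and the IAT data directory out of a PE32 header and adding them to get the IAT's virtual address, then checking whether a given address (0x97A140 here) is an aligned slot inside that table, i.e. a pointer to an import rather than code. The header bytes are constructed to match the values in the OllyDbg dump; no real binary is read, and this is the same check an analyst does when verifying that an IAT slot still points at the expected module.

```python
import struct

# Constructed sample, not a real WoW.exe: a minimal PE32 header laid out with the
# values from the OllyDbg dump in post #7 (PE header at 0x110, ImageBase 0x400000,
# IAT RVA 0x57A000 / size 0x72C). Only the fields the parser reads are filled in.
def build_sample_header() -> bytes:
    buf = bytearray(0x210)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x110)                   # e_lfanew
    pe = 0x110
    buf[pe:pe + 4] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", buf, pe + 4, 0x014C, 6, 0x49D6A4F3, 0, 0, 0xE0, 0x0103)
    opt = pe + 24
    struct.pack_into("<H", buf, opt, 0x10B)                    # Magic = PE32
    struct.pack_into("<I", buf, opt + 28, 0x00400000)          # ImageBase
    struct.pack_into("<I", buf, opt + 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 96 + 12 * 8, 0x0057A000, 0x72C)  # IAT directory
    return bytes(buf)


def parse_iat_range(image: bytes):
    """Return (image_base, iat_va, iat_size) for a PE32 image: iat_va = ImageBase + IAT RVA."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine = struct.unpack_from("<H", image, e_lfanew + 4)[0]
    opt = e_lfanew + 24                              # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if machine != 0x014C or magic != 0x10B:
        raise ValueError("only 32-bit i386 PE32 images are handled here")
    (image_base,) = struct.unpack_from("<I", image, opt + 28)
    (ndirs,) = struct.unpack_from("<I", image, opt + 92)
    if ndirs <= 12:                                  # index 12 = IMAGE_DIRECTORY_ENTRY_IAT
        raise ValueError("image has no IAT data directory")
    iat_rva, iat_size = struct.unpack_from("<II", image, opt + 96 + 12 * 8)
    return image_base, image_base + iat_rva, iat_size


def iat_slot_index(image: bytes, va: int):
    """Index of the 4-byte IAT slot at virtual address `va`, or None when `va` is not
    an aligned slot inside the IAT (so it holds a pointer to an import, not code)."""
    _, iat_va, iat_size = parse_iat_range(image)
    if not (iat_va <= va < iat_va + iat_size) or (va - iat_va) % 4:
        return None
    return (va - iat_va) // 4
```

For the dump's values the IAT starts at 0x0097A000 and 0x97A140 is slot 0x50, which is why it must be dereferenced (`mov eax, dword [0x97A140]`) rather than called as if it were code.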

#8 lanman92 (Active Member)
    If that's right, thank you very much bro! It would seem like it is, but idk. Gonna go try it now...
