Blackmagic / FASM

[peterwurst]

Heya guys,

I tried to dive into the world of injecting ASM code into the WoW process.
I used the blackmagic library in combination with the fasm_managed.dll.

No matter what ASM code I try to inject and execute my program crashs...


Example:

Code:

wow.Asm.Clear();
wow.Asm.AddLine("MOV  EAX, 0x004D1FE0");
wow.Asm.AddLine("CALL EAX");
wow.Asm.InjectAndExecute(wow.AllocateMemory());

Of course there exists a handle to the wow process...

Code:

System.Exception: Assembly failed!  Error code: -122;  Error Line: 3
   at Fasm.ManagedFasm.Inject(IntPtr hProcess, UInt32 dwAddress)
   at Fasm.ManagedFasm.InjectAndExecute(IntPtr hProcess, UInt32 dwAddress, UInt32 dwParameter)
   at Fasm.ManagedFasm.InjectAndExecute(UInt32 dwAddress)

Any hints on what I may be doing wrong?

[Robske]

Smells like FASM.DLL

Is it in your debug/release folder?

[Nesox]

Heya guys,

I tried to dive into the world of injecting ASM code into the WoW process.
I used the blackmagic library in combination with the fasm_managed.dll.

No matter what ASM code I try to inject and execute my program crashs...


Example:

Code:

wow.Asm.Clear();
wow.Asm.AddLine("MOV  EAX, 0x004D1FE0");
wow.Asm.AddLine("CALL EAX");
wow.Asm.InjectAndExecute(wow.AllocateMemory());

Of course there exists a handle to the wow process...

Code:

System.Exception: Assembly failed!  Error code: -122;  Error Line: 3
   at Fasm.ManagedFasm.Inject(IntPtr hProcess, UInt32 dwAddress)
   at Fasm.ManagedFasm.InjectAndExecute(IntPtr hProcess, UInt32 dwAddress, UInt32 dwParameter)
   at Fasm.ManagedFasm.InjectAndExecute(UInt32 dwAddress)

Any hints on what I may be doing wrong?

The function never returns.
wow.Asm.AddLine("retn");

also if ure using the new BlackMagic library you wont need FASM.dll i suggest you use that instead it's has some new functions for reading various data types etc.
You can find it on GameDeception and im sure a link has been posted here somewhere.

[Cypher]

GD is down atm unfortunately so you'll need to find a mirror.

[Nesox]

Here you go BlackMagic.rar i just uploaded it, it's the binaries the source and the documentation.

[jockel]

I want to throw in a OT question... can you give me any hints on how to unprotect a protected LUA function?
I know that there are for sure better ways around without unprotecting the functions, but I don't feel fit enough in ASM / C#.

[lanman92]

Just use Lua_DoString(). It owns.

[SKU]

I want to throw in a OT question... can you give me any hints on how to unprotect a protected LUA function?
I know that there are for sure better ways around without unprotecting the functions, but I don't feel fit enough in ASM / C#.

Code:

.text:005584A0 _Lua_JumpOrAscendStart proc near        ; DATA XREF: .data:off_FCE144o
.text:005584A0                 mov     eax, dword_11F20F4
.text:005584A5                 mov     ecx, dword_11F20F0
.text:005584AB                 push    esi
.text:005584AC                 push    9Eh
.text:005584B1                 push    offset a_Inputcontrol_ ; ".\\InputControl.cpp"
.text:005584B6                 push    8
.text:005584B8                 push    eax
.text:005584B9                 push    ecx
.text:005584BA                 call    _ClntObjMgrObjectPtr
.text:005584BF                 mov     esi, eax
.text:005584C1                 add     esp, 14h
.text:005584C4                 test    esi, esi
.text:005584C6                 jz      loc_5585B1
.text:005584CC                 push    ebx
.text:005584CD                 mov     ebx, dword_1178A44
.text:005584D3                 push    0
.text:005584D5                 call    0x4A4480
.text:005584DA                 add     esp, 4
.text:005584DD                 test    eax, eax
.text:005584DF                 jz      loc_5585B0 ; jump to the end of the function

Target: Lua function - JumpOrAscendStart

If you breakpoint that function and then do a normal jump ingame, the marked function returns one. If you try to call this function via /script JumpOrAscendStart() then this function will return 0, so test eax,eax will set the z flag -> jump to the end of the function is taken.

Now you can change each function, or simply make the protection function return 1. But I think it was mentioned that the protection check is being watched. I might be wrong though.