Interacting with object

[YetiHunter]

hmm strange =/ i don't have any other idea. this is my entire function. don't know if it helps

Code:

        public static void Interact(WowObject obj)
        {
            uint codeCave = wow.AllocateMemory();
            uint VMT38 = wow.ReadUInt((wow.ReadUInt(obj.BaseAddress)) + (38 * 4));
            wow.Asm.Clear();
            wow.Asm.AddLine("fs mov eax, [0x2C]");
            wow.Asm.AddLine("mov eax, [eax]");
            wow.Asm.AddLine("add eax, 0x10");
            wow.Asm.AddLine("mov dword [eax], {0}", ObjectManager.objectManagerBase);
            wow.Asm.AddLine("mov ecx, {0}", obj.BaseAddress);
            wow.Asm.AddLine("call {0}", VMT38);
            wow.Asm.AddLine("retn");

            suspendMainThread();
            wow.Asm.InjectAndExecute(codeCave);
            wow.FreeMemory(codeCave);
            resumeMainThread();
        }

those are the other two functions used:

Code:

        private static int ProcessId = Mem.wow.ProcessId;
        private static void suspendMainThread()
        {
            ProcessThread wowMainThread = SThread.GetMainThread(ProcessId);
            IntPtr hThread = SThread.OpenThread(wowMainThread.Id);
            SThread.SuspendThread(hThread);
        }
        private static void resumeMainThread()
        {
            ProcessThread wowMainThread = SThread.GetMainThread(ProcessId);
            IntPtr hThread = SThread.OpenThread(wowMainThread.Id);
            SThread.ResumeThread(hThread);
        }

i hope that helps

edit:
just added it as a method to the class as you are doing it, works as well (i know that this is no surprise, but i had to try ^^)

[Hawker]

Put a try catch around the injection and set the catch to print why injection failed.

catch (Exception ex)
{
log(ex.Message;
}

[miceiken]

Added the try/catch filter, also added suspend/resume thread.
Yet, it all crashes on injecting the codecave.
The exception error was the same.

Code:

Injection failed for some reason.

[Shynd]

Where you have Core.WBM.Asm.InjectAndExecute(codecave);, replace it with Core.WBM.Asm.Assemble(); and see if it throws an error. If it does not, then test if you can write to the game's memory using Core.WBM.Asm.WriteUInt(codecave, 0);. If that succeeds, then I have no idea. Maybe I should rewrite fasm_managed to be a little more descriptive.

Also, check your console output to see if anything else is written to the console directly before you get that error. If not, then it is erroring on the WriteProcessMemory call, which probably means that your handle to the Wow.exe process does not contain proper privileges, which means you're doing something wrong somewhere else (like not calling Core.WBM.Open(dwProcessId); at some point before trying to write to memory).

Here's the source to the error that you're getting:

Code:

	bool ManagedFasm::Inject(IntPtr hProcess, DWORD dwAddress)
	{
		if (hProcess == IntPtr::Zero)
			return false;

		if (m_AssemblyString->ToString()->Contains("use64") || m_AssemblyString->ToString()->Contains("use16"))
			m_AssemblyString->Replace("use32\n", "");

		if (!m_AssemblyString->ToString()->Contains("org "))
			m_AssemblyString->Insert(0, String::Format("org 0x{0:X08}\n", dwAddress));

		IntPtr lpSource = IntPtr::Zero;

		try
		{
			lpSource = Marshal::StringToHGlobalAnsi(m_AssemblyString->ToString());
			_c_FasmAssemble((char *)lpSource.ToPointer(), m_MemorySize, m_PassLimit);
		}
		catch (Exception ^ ex)
		{
			Console::WriteLine(ex->Message);
			return false;
		}
		finally
		{
			if (lpSource != IntPtr::Zero)
				Marshal::FreeHGlobal(lpSource);
		}

		_C_FASM_STATE * fasm_state = reinterpret_cast<_C_FASM_STATE *>(_c_fasm_memorybuf);
		if (fasm_state->condition != FASM_OK)
			throw gcnew Exception(String::Format("Assembly failed!  Error code: {0};  Error Line: {1}", fasm_state->error_code, fasm_state->error_data->line_number));
		
		return WriteProcessMemory((HANDLE)hProcess, (void *)dwAddress, fasm_state->output_data, fasm_state->output_length, NULL);
	}

	DWORD ManagedFasm::InjectAndExecute(IntPtr hProcess, DWORD dwAddress, DWORD dwParameter)
	{
		if (hProcess == IntPtr::Zero)
			throw gcnew ArgumentNullException("hProcess");

		if (dwAddress == NULL)
			throw gcnew ArgumentNullException("dwAddress");

		HANDLE hThread;
		DWORD dwExitCode = 0;

		if (!this->Inject(hProcess, dwAddress))
			throw gcnew Exception("Injection failed for some reason.");

		hThread = CreateRemoteThread((HANDLE)(hProcess.ToInt32()), NULL, 0, (LPTHREAD_START_ROUTINE)dwAddress, (void *)dwParameter, 0, NULL);
		if (hThread == NULL)
			throw gcnew Exception("Remote thread failed.");

		try
		{
			if (WaitForSingleObject(hThread, 10000) == WAIT_OBJECT_0)
				if (!GetExitCodeThread(hThread, &dwExitCode))
					throw gcnew Exception("Could not get thread exit code.");
		}
		finally
		{
			CloseHandle(hThread);
		}
		
		return dwExitCode;
	}

Yes, it's poorly written; deal with it.

[miceiken]

I went through both of them without any error (taken that you mean WBM.WriteUInt and not WBM.Asm.WriteUInt).

Before the Interact() call, I am hooking the handles by this function:

Code:

        public static bool HookHandles()
        {
            hWnd = FindWindow(null, "World of Warcraft");
            var process = Process.GetProcessesByName("wow");

            if (process.Length == 0)
                return false;
            pId = process[0].Id;
            if (hWnd == 0 || pId == 0 || !WBM.OpenProcessAndThread(pId))
                return false;
            return true;
        }

I am running Windows 7 x64 and compiling it under x86 to make it runable.

[Shynd]

Verify that you can write values using WBM.WriteUInt and have the changes reflected inside wow.exe:

Code:

uint dwTemp = WBM.ReadUInt(RANDOMADDRESS);
Console.WriteLine(dwTemp.ToString());
bool bSuccess = WBM.WriteUInt(RANDOMADDRESS, dwTemp + 1);
Console.WriteLine(bSuccess.ToString());
dwTemp = WBM.ReadUInt(RANDOMADDRESS);
Console.WriteLine(dwTemp.ToString());

If that correctly reads a value at some random address that you choose, then writes thatvalue+1 to the address and correctly reads the value again, then I honestly have no idea what the problem is. I've never troubleshot on anything but XP SP3 x86, so maybe Cypher can shine some light on the issue.

By the way, to anyone who reads this, do not make the error that miceiken has made; omitting the operating system and architecture on which you're attempting to get something to work when asking about a problem is ****ing stupid.

[tanis2000]

It's interesting that I'm having the same problem with 3.1.3 on XP SP3 32bit.

My code looks like this at the moment (Interact function):

Code:

try
                {
                    ProcessManager.SuspendMainWowThread();
                    uint codecave = ProcessManager.WowProcess.AllocateMemory();
                    ProcessManager.WowProcess.Asm.Clear();
                    ProcessManager.WowProcess.Asm.AddLine("fs mov eax, [0x2C]");
                    ProcessManager.WowProcess.Asm.AddLine("mov eax, [eax]");
                    ProcessManager.WowProcess.Asm.AddLine("add eax, 0x10");
                    ProcessManager.WowProcess.Asm.AddLine("mov dword [eax], {0}", Globals.CurMgr);
                    ProcessManager.WowProcess.Asm.AddLine("mov ecx, {0}", ObjectPointer);
                    ProcessManager.WowProcess.Asm.AddLine("call {0}", ProcessManager.WowProcess.ReadUInt(VMT + 38 * 4));
                    ProcessManager.WowProcess.Asm.AddLine("retn");

                    ProcessManager.WowProcess.Asm.InjectAndExecute(codecave);
                    Thread.Sleep(10);
                    ProcessManager.ResumeMainWowThread();
                    ProcessManager.WowProcess.FreeMemory(codecave);
                }
                catch (Exception ex)
                {
                    ProcessManager.ResumeMainWowThread();
                    throw new Exception("Interact() failed miserably!");
                }

I've debugged into my bot and the values are:

Code:

      Globals.CurMgr   0x0a2ced60   uint
      ObjectPointer   0x111222d8   uint
      ProcessManager.WowProcess.ReadUInt(VMT + 38 * 4)   0x005b5fb0   uint

Out of curiosity I dumped the client 3.1.3 with IDA and Interact() appears to be at offset 0x6F26D0, so there seems to be something bad here.

Code:

.data:00A3DC40                 dd offset aInteractunit ; "InteractUnit"
.data:00A3DC44                 dd offset sub_6F26D0

[tanis2000]

For those having this problem. I solved it for my project by including the fasm_managed project into my solution and making sure that it's set to compile for win32 and that my project is set for Any Processor. I haven't tested this out on 64 bit systems though.

[lanman92]

That interact unit you see is the LUA function.

[Nirinium]

Where do I download or acquire this CodeCave or WDM? I understand most of this to an extent and I really want to get into this. Thank you.

[Shynd]

You have claimed to understand most of something while explicitly illustrating that you understand nearly nothing. Fail.

[tanis2000]

That interact unit you see is the LUA function.

Yeah I noticed this afterwards. Actually another guy pointed it out to me and I was like "d'oh! you're right!"

[Nirinium]

You have claimed to understand most of something while explicitly illustrating that you understand nearly nothing. Fail.

Well thanks, Seriously help me out?

[schlumpf]

codecave - Google Search

[Robske]

Where do I download or acquire this CodeCave or WDM? I understand most of this to an extent and I really want to get into this. Thank you.

Trying to catch a CodeCave is pretty hard. Not only are they hard to find in the wilderness of an application's address space, they also don't live very long I caught one yesterday using my OLLY 2000 rifle, using lvl 3 breakpoint ammo. it was sitting silently around 0x20000000 ish. Then I had to put it out of it's misery using an injection needle containing a sedative fluid that causes memory to free

PS: You are awesome, post more.