SetFacing issues (continued)

  1. #1 namreeb (Legendary)

    SetFacing issues (continued)

    This is a continuation of two discussions. The older one, pertaining to SetFacing:

    Originally Posted by Sillyboy72 View Post
    It's calling the function fine, but seems to be bailing out early. Is there magic "patching" that has to happen to convince this function to actually... do stuff?
    And a more recent one that is in an unrelated thread:

    Originally Posted by SKU View Post
    SetFacing works fine for me, just tested it.

    typedef void (__thiscall * tSetFacing)(void* lp, float angle);
    tSetFacing oSetFacing = (tSetFacing)0x005AFA10;

    then call it somewhere:

    oSetFacing(reinterpret_cast<void*>(GetLocalPlayer()), 1.337f);

    This is if you don't have a reconstructed player class.
    I figured I would merge the two and create a new one, rather than continuing to pollute the 3.1.2 info thread with off-topic discussion.

    To summarize: for people in the past, as well as me presently, calling SetFacing does nothing.

    I fired up OllyDbg to try and figure out why. This is the code for the function we call SetFacing:

    Code:
    005AFA10   55               PUSH EBP
    005AFA11   8BEC             MOV EBP,ESP
    005AFA13   8B81 D0000000    MOV EAX,DWORD PTR DS:[ECX+D0]
    005AFA19   33D2             XOR EDX,EDX
    005AFA1B   83EC 14          SUB ESP,14
    005AFA1E   3950 44          CMP DWORD PTR DS:[EAX+44],EDX
    005AFA21   7E 4B            JLE SHORT WoW.005AFA6E
    005AFA23   8B41 08          MOV EAX,DWORD PTR DS:[ECX+8]
    005AFA26   56               PUSH ESI
    005AFA27   8B30             MOV ESI,DWORD PTR DS:[EAX]
    005AFA29   3B35 00811101    CMP ESI,DWORD PTR DS:[1118100]
    005AFA2F   5E               POP ESI
    005AFA30   75 3C            JNZ SHORT WoW.005AFA6E
    005AFA32   8B40 04          MOV EAX,DWORD PTR DS:[EAX+4]
    005AFA35   3B05 04811101    CMP EAX,DWORD PTR DS:[1118104]
    005AFA3B   75 31            JNZ SHORT WoW.005AFA6E
    005AFA3D   A1 C0401D01      MOV EAX,DWORD PTR DS:[11D40C0]
    005AFA42   3950 30          CMP DWORD PTR DS:[EAX+30],EDX
    005AFA45   74 27            JE SHORT WoW.005AFA6E
    005AFA47   D9EE             FLDZ
    005AFA49   51               PUSH ECX
    005AFA4A   D955 EC          FST DWORD PTR SS:[EBP-14]
    005AFA4D   8955 F8          MOV DWORD PTR SS:[EBP-8],EDX
    005AFA50   D955 F0          FST DWORD PTR SS:[EBP-10]
    005AFA53   8955 FC          MOV DWORD PTR SS:[EBP-4],EDX
    005AFA56   D95D F4          FSTP DWORD PTR SS:[EBP-C]
    005AFA59   8D55 EC          LEA EDX,DWORD PTR SS:[EBP-14]
    005AFA5C   D945 08          FLD DWORD PTR SS:[EBP+8]
    005AFA5F   8D45 F8          LEA EAX,DWORD PTR SS:[EBP-8]
    005AFA62   D91C24           FSTP DWORD PTR SS:[ESP]
    005AFA65   52               PUSH EDX
    005AFA66   50               PUSH EAX
    005AFA67   6A 02            PUSH 2
    005AFA69   E8 92C4FFFF      CALL WoW.005ABF00
    005AFA6E   8BE5             MOV ESP,EBP
    005AFA70   5D               POP EBP
    005AFA71   C2 0400          RETN 4
    Now, there are some basic sanity checks going on here at the start. From what I understand, we are first making sure the target's health is > 0. Secondly, we are making sure that this is being called only on ourselves. The third check seems to be some sort of redundant assertion of the second check? The fourth check is where my injected code which calls the function is getting nailed:

    Code:
    005AFA3D   A1 C0401D01      MOV EAX,DWORD PTR DS:[11D40C0]
    005AFA42   3950 30          CMP DWORD PTR DS:[EAX+30],EDX
    005AFA45   74 27            JE SHORT WoW.005AFA6E
    At this point EDX is 0, so it's just checking if [[0x11D40C0] + 0x30] is 0 (which for me it is, so the function bails).

    Does anyone have any insight as to what this check is doing?

    Incidentally, I have (once again!) attempted to re-write this function in pseudo-code so that I could better understand what was happening:

    Code:
    push ebp
    ebp = esp
    
    eax = [ecx + 0xD0]
    edx = 0
    esp = esp - 0x14
    
    if ([eax + 0x44] <= 0)		/* if target is dead */
    {
    	esp = ebp
    	pop ebp
    	ret 4			/* retn 4: return and pop the 4-byte argument */
    }
    
    eax = [ecx + 0x8]		/* object @ ecx's guid */
    push esi
    esi = [eax]
    pop esi				/* esi is restored before the branch */
    
    if (esi != [0x1118100])		/* check first half of guid */
    {
    	esp = ebp
    	pop ebp
    	ret 4
    }
    
    eax = [eax + 0x4]
    if (eax != [0x1118104])		/* check second half of guid */
    {
    	esp = ebp
    	pop ebp
    	ret 4
    }
    
    eax = [0x11d40c0]
    if ([eax + 0x30] == 0)		/* ??? */
    {
    	esp = ebp
    	pop ebp
    	ret 4
    }
    
    push ecx			/* reserves the slot that receives the float below */
    [ebp - 0x14] = 0.0f		/* fldz / fst */
    [ebp - 0x8]  = edx		/* = 0 */
    [ebp - 0x10] = 0.0f
    [ebp - 0x4]  = edx
    [ebp - 0xc]  = 0.0f		/* fstp pops the zero off the FPU stack */
    
    edx = ebp - 0x14
    eax = ebp - 0x8
    [esp] = (float)param1		/* fld [ebp+8] / fstp [esp]: the angle argument */
    
    push edx
    push eax
    push 2
    call 005ABF00
    
    esp = ebp
    pop ebp
    ret 4
    Edit: Victory!

    For yucks, I tried patching that magical memory location (brute force and ignorance will always win over time!), and now SetFacing works as it was supposed to.

    Code:
    		unsigned long sf = 0x005AFA10;
    		float rad = 1.76f;
    		CGObject_C *p = gpWoWX->GetCurMgr()->GetLocalPlayer();
    		DWORD a;
    
    		a = * (DWORD *)(0x011D40C0) + 0x30;
    
    		DBGLOG("Patching [[0x011D40C0] + 0x30] (0x" << std::hex << a << ")..");
    		gpWoWX->GetPatcher()->AddPatch(a, reinterpret_cast<PBYTE>( "\x01\x00\x00\x00" ), 4, "SetFacing_Patch" );
    
    		DBGLOG("Calling SetFacing at 0x" << std::hex << sf << " playerBase: 0x" << p);
    
    		_asm
    		{
    			mov ecx, p
    			push rad
    			call sf
    		}
    
    		DBGLOG("Done.");
    Last edited by namreeb; 05-27-2009 at 04:31 PM.
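    As an added illustration (not code from this thread), here is a C model of the four guard checks at the top of the function above, so the early-exit order can be exercised on constructed input. Struct layouts, field names and `check_scenario` are assumptions that mirror the offsets read in the disassembly; the second and third comparisons are modelled as the two halves of one 64-bit GUID rather than as a redundant check.

```c
#include <stdint.h>

/* Added example, not code from the thread. Layouts and names are assumptions
 * chosen to mirror the offsets read in the disassembly of 0x005AFA10. */

typedef struct {
    uint8_t pad[0x44];
    int32_t health;            /* [ecx+0xD0] -> DWORD at +0x44 */
} UnitFields;

typedef struct { uint32_t lo, hi; } Guid;   /* 64-bit GUID compared as two DWORDs */

typedef struct {
    uint8_t  pad[0x30];
    uint32_t flag;             /* [0x11D40C0] -> DWORD at +0x30 (the value patched to 1) */
} ClientState;

typedef struct {
    const Guid       *guid;    /* read via [ecx+0x8]  */
    const UnitFields *fields;  /* read via [ecx+0xD0] */
} Unit;

typedef struct {
    Guid               active_player; /* DWORDs at 0x1118100 and 0x1118104 */
    const ClientState *state;         /* pointer stored at 0x11D40C0 */
} Globals;

enum GuardResult { GUARD_OK = 0, GUARD_DEAD, GUARD_GUID_LO, GUARD_GUID_HI, GUARD_FLAG_CLEAR };

/* Which check takes the early exit to 0x005AFA6E, or GUARD_OK when the
 * CALL at 0x005AFA69 is reached. Checks run in the same order as the jumps. */
enum GuardResult setfacing_guard(const Unit *u, const Globals *g)
{
    if (u->fields->health <= 0)             return GUARD_DEAD;       /* JLE at 0x005AFA21 */
    if (u->guid->lo != g->active_player.lo) return GUARD_GUID_LO;    /* JNZ at 0x005AFA30 */
    if (u->guid->hi != g->active_player.hi) return GUARD_GUID_HI;    /* JNZ at 0x005AFA3B */
    if (g->state->flag == 0)                return GUARD_FLAG_CLEAR; /* JE  at 0x005AFA45 */
    return GUARD_OK;
}

/* Builds a constructed scenario (hypothetical values) and runs the guard over it. */
enum GuardResult check_scenario(int32_t health, uint32_t guid_lo, uint32_t guid_hi,
                                uint32_t active_lo, uint32_t active_hi, uint32_t flag)
{
    UnitFields  f  = { {0}, health };
    Guid        id = { guid_lo, guid_hi };
    ClientState s  = { {0}, flag };
    Unit        u  = { &id, &f };
    Globals     g  = { { active_lo, active_hi }, &s };
    return setfacing_guard(&u, &g);
}
```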

  2. #2 ramey (Member)
    I don't use set facing anymore, but from months ago I think I remember that you have to send movement flags before and after or just after to update the facing.

    ps, that last code is ugly as ****

  3. #3 lanman92 (Active Member)
    You could just use the VMT func. Since you're in-process, that should be no problem. Look at 0x5AFB46 through 0x5AFB55. You'll see what I mean :P

  4. #4 namreeb (Legendary)
    Originally Posted by ramey View Post
    I don't use set facing anymore, but from months ago I think I remember that you have to send movement flags before and after or just after to update the facing.

    ps, that last code is ugly as ****
    There's another SetFacing that does have that requirement. This one is working now as is. Oh, and that is what my code looks like after hours of changing different things around trying to make it work. I obviously re-wrote it once I got things working as they should.
    Last edited by namreeb; 05-27-2009 at 10:46 PM.

  5. #5 testout (Member)
    Anyone used hex-rays decompiler for IDA?

    It will produce c code for functions or even an entire exe.

  6. #6 Nesox (★ Elder ★)
    Originally Posted by testout View Post
    Anyone used hex-rays decompiler for IDA?

    It will produce c code for functions or even an entire exe.
    Yes. It's pretty nice

    Here's a decompiled version of IsFalling
    Code:
    signed int __cdecl Lua_IsFalling(int a1)
    {
      int v1; // eax@1
      int v2; // eax@2
      signed int result; // eax@4
      int v4; // eax@1
      int v5; // edx@1
      double v6; // ST0C_8@4
    
      v4 = GetActivePlayer();
      v1 = GetObjectByGUID(v4, v5, 16);
      if ( v1 && (v2 = *(_DWORD *)(*(_DWORD *)(v1 + 216) + 68), v2 & 0x1000) && !(v2 & 0x800) )
      {
        __asm
        {
          fld1
          fstp    [esp+8+var_8]
        }
        sub_91AE80(a1, v6);
        result = 1;
      }
      else
      {
        sub_91AE60(a1);
        result = 1;
      }
      return result;
    }

  7. #7 testout (Member)
    And I think a1 is the Lua state, and:
    0x0091AEB0 (lua_pushinteger)
    0x0091AE60 (lua_pushnil)

  8. #8 Nesox (★ Elder ★)
    sub_91AE80 (lua_pushnumber)
    sub_91AE60 (lua_pushnil)

  9. #9 namreeb (Legendary)
    Originally Posted by testout View Post
    Anyone used hex-rays decompiler for IDA?

    It will produce c code for functions or even an entire exe.
    Wow, that's awesome! When I was doing this manually my CS brain couldn't stop thinking about the methods to do this. I took a semester course in basically lex and yacc to do this kind of thing... but the problem is it would take me almost as much time to implement!

  10. #10 ostapus (Active Member)
    Originally Posted by Nesox View Post
    Yes. It's pretty nice

    Here's a decompiled version of IsFalling
    Code:
    signed int __cdecl Lua_IsFalling(int a1)
    {
      int v1; // eax@1
      int v2; // eax@2
      signed int result; // eax@4
      int v4; // eax@1
      int v5; // edx@1
      double v6; // ST0C_8@4
    
      v4 = GetActivePlayer();
      v1 = GetObjectByGUID(v4, v5, 16);
      if ( v1 && (v2 = *(_DWORD *)(*(_DWORD *)(v1 + 216) + 68), v2 & 0x1000) && !(v2 & 0x800) )
      {
        __asm
        {
          fld1
          fstp    [esp+8+var_8]
        }
        sub_91AE80(a1, v6);
        result = 1;
      }
      else
      {
        sub_91AE60(a1);
        result = 1;
      }
      return result;
    }
    Hex-Rays is very handy; too bad it does not support (yet?) floating point instructions.

  11. #11 kynox (Member)
    Hex blog: Decompiling floating point

    Next release should bring FPU support.

  12. #12 ostapus (Active Member)
    Originally Posted by kynox View Post
    Hex blog: Decompiling floating point

    Next release should bring FPU support.
    aah.. sweet.. thx for info

  13. #13 Cypher (Kynox's Sister's Pimp)
    Originally Posted by kynox View Post
    Hex blog: Decompiling floating point

    Next release should bring FPU support.
    Finally.

  14. #14 dekz (Member)
    grats at finally getting a blog kynox

  15. #15 udan (Member)
    Hi guys

    As my head hurts because of LAMP projects, and I'm trying hard to understand what's in discussion here... I have a pertinent (in my POV) question for a newb in low-level programming and memory editing.

    Why do you use direct memory writing instead of OS internal messaging to address basic character movement?

    In the attempt to better express myself... here is the code I use to change character facing:

    Code:
            public float face(float x, float y)
            {
                float wowFacing = Common.negativeAngle((float)Math.Atan2((double)(x - this.XPos), (double)(y - this.YPos)));
    
                float face;
                if (Common.negativeAngle(wowFacing - this.Rotation) < Math.PI)
                {
                    //The position we want to face is reached fastest by turning to the left  
                    face = Common.negativeAngle((wowFacing - this.Rotation));
                    if (RadianToDegree(face) > 5)
                    {
                        turnLeft(face);
                    }
                }
                else
                {
                    //Lets turn to the right  
                    face = Common.negativeAngle((this.Rotation - wowFacing));
                    if (RadianToDegree(face) > 5)
                    {
                        turnRight(face);
                    }
    
                }
    
                return (float)wowFacing;
            }
    
            private void turnRight(float face)
            {
                Common.myIS.MouseRightButton(true);
                Thread.Sleep(50);
                Common.myIS.MouseMoveRelative((int)(RadianToDegree(face) / 0.456), 0);
                Thread.Sleep(30);
                Common.myIS.MouseRightButton(false);
            }
    
            private void turnLeft(float face)
            {
                Common.myIS.MouseRightButton(true);
                Thread.Sleep(50);
                Common.myIS.MouseMoveRelative((int)(-1 * RadianToDegree(face) / 0.456), 0);
                Thread.Sleep(30);
                Common.myIS.MouseRightButton(false);
            }
    Sorry if my question is somehow off-topic... but I'd really like to hear some pros and cons about the two methods.

    Oh... and I admitted I'm a newb... so please don't hurt my feelings and flame right away.

    Thanks
