[Help Request] Using GetObjectbyGUID menu

Page 1 of 2 12 LastLast
Results 1 to 15 of 20
  1. #1 FenixTX2 (Active Member)

    [Help Request] Using GetObjectbyGUID

    Hey,

    I could do with a hand creating a GetObjectbyGUID function; can anyone lend a hand in getting it to work?
    Here's the code I have so far:

    Code:
    OM.wow.Asm.AddLine("push 0x86");
    OM.wow.Asm.AddLine("push 0x92F3B0"); // ASCII string offset?
    OM.wow.Asm.AddLine("push 0x10");
    OM.wow.Asm.AddLine("push {0}", B); // high
    OM.wow.Asm.AddLine("push {0}", A); // low
    OM.wow.Asm.AddLine("call {0}", 0x007BE110);
    OM.wow.Asm.AddLine("add esp, 0x14");
    OM.wow.Asm.AddLine("mov [{0}], eax", 0x007BE110);
    It's based on a post by SKU and a function written by Bobbysing.
    ASM is being written to memory thanks to Shynd's library.
    A is the first 8 bytes of a Hex string converted from the ulong GUID and
    B is the second 8 bytes of a Hex string converted from the ulong GUID

    i.e. GUID = 5352042757105910025 then
    A = 4A464688
    B = 00000109

    Cheers.
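
The GUID halves from post #1, worked through as an added example (Python, not code from the thread or from any of the libraries it mentions): split_guid takes the low and high dwords by bit position, halves_from_hex_string reproduces the "first 8 / second 8 hex digits" approach, and cdecl_push_order lists the push sequence for a (low, high, filter) call in the order the later posts use. For 5352042757105910025 the zero-padded hex string is 4A46468800000109, so the first eight digits are the high dword; the block makes that comparison explicit. The filter value 0x10 is the one used in the thread; the three-argument (low, high, filter) order is taken from posts #12 to #15.

```python
# Added example, not code from the thread: splitting a 64-bit GUID into the two
# 32-bit halves that a 32-bit x86 function receives as separate arguments.

GUID = 5352042757105910025          # the GUID value quoted in post #1
FILTER = 0x10                       # the filter argument used in the thread


def split_guid(guid):
    """Return (low_dword, high_dword) chosen by bit position, not by string position."""
    if not 0 <= guid < 1 << 64:
        raise ValueError("GUID must fit in 64 bits")
    return guid & 0xFFFFFFFF, guid >> 32


def join_guid(low, high):
    """Inverse of split_guid; useful for checking a value read back as two dwords."""
    return ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)


def halves_from_hex_string(guid):
    """The 'first 8 / second 8 hex digits' approach from post #1.
    With a zero-padded 16-digit string the first 8 digits are the HIGH dword."""
    s = f"{guid:016X}"
    return s[:8], s[8:]


def cdecl_push_order(guid, *extra_args):
    """Push lines for a caller-cleanup call taking (low, high, extra...).
    x86 pushes arguments right to left, so the low dword is pushed last."""
    low, high = split_guid(guid)
    args = [low, high, *extra_args]
    return [f"push 0x{a:X}" for a in reversed(args)]


if __name__ == "__main__":
    low, high = split_guid(GUID)
    print(f"bit positions : low=0x{low:08X} high=0x{high:08X}")
    first, second = halves_from_hex_string(GUID)
    print(f"hex string    : first8={first} second8={second}")
    print("first 8 digits are the high dword:", first == f"{high:08X}")
    print("\n".join(cdecl_push_order(GUID, FILTER)))
```

Running the block prints the two views side by side; whichever naming you settle on, the half that lands in the last push is the one the callee reads as its first parameter.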

  2. #2 lanman92 (Active Member)
    Don't push the extra crap at the beginning of the call that you always see in WoW. Just GUIDLow and GUIDHigh + the filter. To do the guid correctly, I would just write it to mem and smack the first 4 bytes of it in the asm as a pointer and then the second four bytes as another pointer.

  3. #3 SKU (Contributor)
    What's the problem again? Have you tried the code? What kind of crash do you get? What is

    OM.wow.Asm.AddLine("mov [{0}], eax", 0x007BE110);

    supposed to do?

  4. #4 abuckau907 (Active Member)
    5c4dfa push esi
    5c4dfb push edi
    5c4dfc push 0x2DC
    5c4e01 push 0x9A21Bc
    5c4e06 push 0x8
    5c4e08 push eax
    5c4e09 push ebx
    5c4e0a call 0x007Be110
    5c4e0f mov esi,eax EAX = obj_base


    it looks like you did everything correctly: all the pushes and then called 007be110, until the line SKU mentions.. I don't know asm well enough.. but aren't you trying to write EAX to 007be110, as in, you're trying to overwrite the wow.exe code at 007be110, which shouldn't be possible? I *think* you're trying to copy eax into a variable your other code can see.. something like..

    .AddLine("mov [{0}],eax", my_variable);

    I don't know anything about that asm library everyone is using... but I'm guessing you can do that, i.e. move a register into a local variable; not sure if my syntax is correct etc.. but I'm 51% sure that's what you're trying to do??

    At least in the code I looked up, 007be110 returns the obj_base in eax.. should be the same for you. Hope that isn't totally wrong/helps.

    ps. Is this the... first time you're trying to use the asm library? i.e. has it worked correctly for you before, or is this step 1?
    Last edited by abuckau907; 06-27-2009 at 05:00 PM.

  5. #5 FenixTX2 (Active Member)
    Hey, thanks for the replies.
    The error code I was getting was from the asm library.
    'error code -125' I think it was.

    The line "OM.wow.Asm.AddLine("mov [{0}], eax", 0x007BE110);"
    was actually a balls up on my part.

    abuckau907 has it right, it should be .AddLine("mov [{0}],eax", my_variable);

    @abuckau907. Shynd's library works well.
    Last edited by FenixTX2; 06-27-2009 at 06:40 PM.

  6. #6 FenixTX2 (Active Member)
    I took a look at the memory location 5c4dfa as shown by abuckau907 (cheers for that).

    I've updated my code to mirror that found in the memory browser:
    Code:
                try
                {
                    uint output = 0;
                    uint codecave = OM.wow.AllocateMemory(0x200);
                    OM.wow.Asm.Clear();
    
                    OM.wow.Asm.AddLine("push esi");
                    OM.wow.Asm.AddLine("push edi"); 
                    OM.wow.Asm.AddLine("push 0x2DC");
                    OM.wow.Asm.AddLine("push 0x9A21Bc");
                    OM.wow.Asm.AddLine("push 0x8");
                    OM.wow.Asm.AddLine("push {0}", B); // high
                    OM.wow.Asm.AddLine("push {0}", A); // low
                    OM.wow.Asm.AddLine("call {0}", 0x007BE110);
                    OM.wow.Asm.AddLine("mov [{0}], eax", output);
                    
                    OM.wow.SuspendThread();
                    OM.wow.Asm.InjectAndExecute(codecave);
    
                    OM.wow.ResumeThread();
                    OM.wow.FreeMemory(codecave);
    
                    return output;
                }
                catch (Exception ex)
                {
                    Console.WriteLine(ex);
                    return 0;
                }
    When I test this code (using the local player guid) wow becomes unresponsive and I receive the error:

    Code:
    System.Exception: Assembly failed!  Error code: -125;  Error Line: 8
       at Fasm.ManagedFasm.Inject(IntPtr hProcess, UInt32 dwAddress)
       at Fasm.ManagedFasm.InjectAndExecute(IntPtr hProcess, UInt32 dwAddress, UInt32 dwParameter)
       at Fasm.ManagedFasm.InjectAndExecute(UInt32 dwAddress)
       at FunctionManager.cs:line 146
    A first chance exception of type 'System.Exception' occurred in fasmdll_managed.dll
    Looks like it's pointing to the line
    "OM.wow.Asm.AddLine("call {0}", 0x007BE110);"
    for the source of the error.

  7. #7 lanman92 (Active Member)
    You can't do that. You have to do inject and execute and use the returned variable. WaitForSingleObject() returns the value of eax after completing the function. This is what blackmagic uses internally. You can't pass the address of your variable (which doesn't even work in regular asm) into another process.

  8. #8 Shynd (Contributor)
    Code:
                    OM.wow.Asm.AddLine("mov [{0}], eax", codecave + 0x900);
                    
                    OM.wow.SuspendThread();
                    OM.wow.Asm.InjectAndExecute(codecave);
    
                    output = OM.wow.ReadUInt(codecave + 0x900);
    Would work. Really, though, since you're creating your own thread, you should:
    Code:
                try
                {
                    uint output = 0;
                    uint codecave = OM.wow.AllocateMemory(0x200);
                    OM.wow.Asm.Clear();
    
                    OM.wow.Asm.AddLine("push esi");
                    OM.wow.Asm.AddLine("push edi"); 
                    OM.wow.Asm.AddLine("push 0x2DC");
                    OM.wow.Asm.AddLine("push 0x9A21Bc");
                    OM.wow.Asm.AddLine("push 0x8");
                    OM.wow.Asm.AddLine("push {0}", B); // high
                    OM.wow.Asm.AddLine("push {0}", A); // low
                    OM.wow.Asm.AddLine("call {0}", 0x007BE110); //objBase is in eax here, which is returned to CreateRemoteThread on the next line
                    OM.wow.Asm.AddLine("retn"); //hard to terminate a thread without it returning
                    
                    OM.wow.SuspendThread();
                    output = OM.wow.Asm.InjectAndExecute(codecave);
    
                    OM.wow.ResumeThread();
                    OM.wow.FreeMemory(codecave);
    
                    return output;
                }
                catch (Exception ex)
                {
                    Console.WriteLine(ex);
                    return 0;
                }

  9. #9 FenixTX2 (Active Member)
    OK, I've been playing around with this and it's still not working.

    As the code was, each time I executed, the program would crash out and point to
    "OM.wow.Asm.AddLine("call {0}", 0x007BE110);" as the source of the error.

    I thought I must be passing the wrong values so I used:
    Code:
    (error edited, thanks to lanman92 for pointing it out) 
     OM.wow.Asm.AddLine("mov ebx, dword [" + OM.PlayerList[OM.LocalPlayerGuid].BaseAddress + "+0x31*4]"); // high
     OM.wow.Asm.AddLine("mov edx, dword [" + OM.PlayerList[OM.LocalPlayerGuid].BaseAddress + "+0x30*4]"); // low
    to set ebx and edx (using local player guid for testing).
    Now when I execute, "output = OM.wow.Asm.InjectAndExecute(codecave);" returns 1 and then either wow will crash out straight away or wow will crash out when DoString is called (which normally works fine), which is ... odd.

    Edit:
    Here's an example of the crash report-
    Code:
    ERROR #132 (0x85100084) Fatal Exception
    Program:	C:\Users\Public\Games\World of Warcraft\WoW.exe
    Exception:	0xC0000005 (ACCESS_VIOLATION) at 0023:01B7A390
    
    The instruction at "0x01B7A390" referenced memory at "0x01B7A390".
    The memory could not be "written".
    Last edited by FenixTX2; 06-28-2009 at 03:38 PM.

  10. #10 lanman92 (Active Member)
    Uh. The GUID of objects is at offset zero in the descriptor fields. It's also at 0x30 from the base of the object.

  11. #11 FenixTX2 (Active Member)
    Ah good point. I just re-wrote that in the post.
    19*4 is the offset for an item's enchantment. That's what this is all about.
    19*4 away from an item's descriptor field returns a guid.
    I'm trying to find out what that guid is referring to and trying to use getobjectbyguid to return the object, as my object manager doesn't contain any guids that match the guid returned.
    Last edited by FenixTX2; 06-28-2009 at 03:59 PM.

  12. #12 lanman92 (Active Member)
    That should work. Just push 0x10, ebx, then edx, and call the function and restore the stack. Eax should contain the object base. Not sure what else to tell you, it works for me. Don't bother pushing the other values.

  13. #13 FenixTX2 (Active Member)
    Hmm, it must be my ebx and edx values.
    I've rewritten it just trying to get some sensible return:

    Code:
                    //Get localplayer base
                    OM.wow.Asm.AddLine("mov eax, [0x010BD5F4]");
                    OM.wow.Asm.AddLine("mov eax, [eax+0x34]");
                    OM.wow.Asm.AddLine("mov eax, [eax+0x24]");
                    OM.wow.Asm.AddLine("mov ecx, eax");
    
                    //Get LP's targetguid
                    OM.wow.Asm.AddLine("mov ecx, [ecx+0x8]"); //Descriptor field 
                    OM.wow.Asm.AddLine("mov ebx, dword [ecx+0x13*4]"); // second half of guid
                    OM.wow.Asm.AddLine("mov edx, dword [ecx+0x12*4]"); // first half of guid
    
                    //Return the objectbase corresponding the guid
                    OM.wow.Asm.AddLine("push 0x10");
                    OM.wow.Asm.AddLine("push ebx");
                    OM.wow.Asm.AddLine("push edx");
                    OM.wow.Asm.AddLine("call {0}", 0x007BE110); 
                    OM.wow.Asm.AddLine("retn");
    
                    OM.wow.SuspendThread(); 
                    output = OM.wow.Asm.InjectAndExecute(codecave);
    
                    OM.wow.ResumeThread(); 
                    OM.wow.FreeMemory(codecave);
                    return output;
    Still no love from this.
    WoW crashes out saying: "0xBF3F3C33 cannot be written"
    But BF3F3C33 is the second half of the guid (in base16 rather than base10) not a memory location.
    I did try passing a pointer to the first and second half of the guid but there was no love there either...

  14. #14 SKU (Contributor)
    It's a __cdecl ( or at least a caller-cleanup convention ), clear the stack after the call. ( In your case: "add esp, 0x0C" )
    Also, just breakpoint the start of your codecave and step through the code so you see where it ****s up.
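
To check the caller-cleanup point from post #14 against the push sequences used in the thread, here is an added Python model of the stack (not code from the thread; the thread's starting return address and the callee's return value are constructed, while the callee address 0x007BE110 and the starting ESP 0x19ECFF7C are the values quoted in the thread). run_cave executes push / call / add esp / retn lines on a fake stack and reports whether ESP is back where it started and which address retn actually pops. Without the add esp, retn pops the last-pushed GUID dword as a return address, which is the shape of the crash described in post #13. cleanup_for counts the pushes before the call and assumes each one is an argument.

```python
# Added example, not code from the thread: a minimal model of the x86 stack
# around a caller-cleanup (__cdecl) call, to check the "add esp, N" advice.

CALLEE = 0x007BE110           # function address quoted in the thread
THREAD_RETURN = 0x7C80B700    # constructed: return address the remote thread starts with
ESP_START = 0x19ECFF7C        # ESP value from the register dump in post #15


def parse_operand(tok, regs):
    """Immediate (hex or decimal) or a register name looked up in regs."""
    tok = tok.strip().lower()
    if tok in regs:
        return regs[tok] & 0xFFFFFFFF
    return int(tok, 0) & 0xFFFFFFFF


def cleanup_for(lines):
    """Bytes a cdecl caller must remove after the call, assuming every push
    before the call is an argument (4 bytes each on 32-bit x86)."""
    pushes = 0
    for line in lines:
        op = line.strip().split(" ")[0].lower()
        if op == "call":
            break
        if op == "push":
            pushes += 1
    return 4 * pushes


def run_cave(lines, regs, callee_eax=0x177FC4C8):
    """Execute push / call / add esp / retn lines on a fake stack.
    Returns (stack_balanced, retn_target, eax)."""
    esp = ESP_START - 4
    stack = {esp: THREAD_RETURN}      # the cave starts with a return address on top
    eax = None
    for line in lines:
        op, _, rest = line.strip().partition(" ")
        op = op.lower()
        if op == "push":
            esp -= 4
            stack[esp] = parse_operand(rest, regs)
        elif op == "call":
            # A cdecl callee leaves the pushed arguments in place and returns
            # with ESP exactly where the call found it; only EAX changes here.
            eax = callee_eax
        elif op == "add" and rest.replace(" ", "").lower().startswith("esp,"):
            esp += int(rest.split(",")[1].strip(), 0)
        elif op == "retn":
            target = stack[esp]       # whatever is on top becomes the new EIP
            esp += 4
            return esp == ESP_START, target, eax
        else:
            raise ValueError(f"unsupported line: {line!r}")
    raise ValueError("cave never returned")


# Constructed register contents: the GUID halves a cave would have loaded.
REGS = {"ebx": 0x4A464688, "edx": 0x00000109}   # ebx = high dword, edx = low dword
WITH_CLEANUP = ["push 0x10", "push ebx", "push edx",
                f"call 0x{CALLEE:X}", "add esp, 0x0C", "retn"]
WITHOUT_CLEANUP = [ln for ln in WITH_CLEANUP if not ln.startswith("add esp")]

if __name__ == "__main__":
    print("cleanup needed: ", hex(cleanup_for(WITH_CLEANUP)))
    print("with cleanup:   ", run_cave(WITH_CLEANUP, REGS))
    print("without cleanup:", run_cave(WITHOUT_CLEANUP, REGS))
```

With the cleanup line present, retn lands on the thread's own return address and ESP is balanced; with it missing, retn lands on the low GUID dword, and the same helper applied to the seven-push sequence from post #6 gives 0x1C rather than the 0x14 or 0x0C used elsewhere in the thread.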

  15. #15 FenixTX2 (Active Member)
    Thanks very much for the help on this.
    The code executes fine now. No more wow crashes which is nice.
    Only problem is that it always returns 0 -_-

    Code:
            OM.wow.Asm.AddLine("mov eax, [0x010BD5F4]");
            OM.wow.Asm.AddLine("mov eax, [eax+0x34]");
            OM.wow.Asm.AddLine("mov eax, [eax+0x24]");
            OM.wow.Asm.AddLine("mov ecx, eax");
            // get targetguid of local player
            OM.wow.Asm.AddLine("mov ecx, [ecx+0x8]");
            OM.wow.Asm.AddLine("mov ebx, dword [ecx+0x13*4]"); // high
            OM.wow.Asm.AddLine("mov edx, dword [ecx+0x12*4]"); // low
                    
            OM.wow.Asm.AddLine("push 0x10");
            OM.wow.Asm.AddLine("push ebx"); // high
            OM.wow.Asm.AddLine("push edx"); // low
            OM.wow.Asm.AddLine("call {0}", 0x007BE110); // always returns 0
            OM.wow.Asm.AddLine("add esp, 0x0C");
            OM.wow.Asm.AddLine("retn");
    I did try setting "push 0x10" to "push 1" as suggested by shingetterrobo in this thread:
    mmowned - problems calling objectbyguid console stuff
    It had no effect, code still returns 0 (regardless of target: npc,player,self,mob)

    I added a breakpoint to the start of the code and used CE to trace what was happening:

    Code:
    \\0x007be110 call
    007BE110 - 55                         - push ebp
    007BE111 - 8b ec                      - mov ebp,esp
    007BE113 - 64 8b 0d 2c 00 00 00       - mov ecx,fs:[0000002c]
    007BE11A - a1 fc d9 35 01             - mov eax,[0135d9fc] : 00000000
    007BE11F - 8b 14 81                   - mov edx,[ecx+eax*4]
    007BE122 - 8b 8a 10 00 00 00          - mov ecx,[edx+00000010]
    007BE128 - 83 ec 08                   - sub esp,08
    007BE12B - 85 c9                      - test ecx,ecx
    007BE12D - 74 2d                      - je 007be15c
    
    //jump to 007be15c
    007BE15C - 33 c0                      - xor eax,eax
    007BE15E - 8b e5                      - mov esp,ebp
    007BE160 - 5d                         - pop ebp
    007BE161 - c3                         - ret
    
    //Returns to my function 
    003C001F - 83 c4 0c                   - add esp,0c
    003C0022 - c3                         - ret
    I have to admit I'm not 100% sure what's happening there but at a guess I would say that my input variables are being tested against some criteria and fail to pass the test...

    Just for added info the registers at the point just after the call to 0x007be110 (@push ebp) were:

    Code:
    Registers:          Flags:
    EAX 177FC4C8        CF 0
    EBX F1300044        PF 1
    ECX 177FDCA0        AF 0
    EDX 910025A6        ZF 1
    ESI 00000000        SF 0
    EDI 00000000        DF 0
    EBP 19ECFF94        OF 0
    ESP 19ECFF7C
    EIP 007BE110

    Segment Registers:
    CS 001B
    SS 0023
    DS 0023
    ES 0023
    FS 002B
    GS 0000

