any reason why this is crashin wow?

[Nokia5800]

hey yall

quick question, Im not usually the one to be injecting and all, but I just cant resist myself, Lua_dostring just looks so cool, so I wanted to try it..

But im not sure if I have it correct as far as some of the asm goes.. let me know if this needs to be updated at all...

Code:

  Main.wow.Asm.Clear
            Main.wow.Asm.AddLine("mov EDX, [0x01139F80]")
            Main.wow.Asm.AddLine("mov EDX, [EDX+0x2C34]")
            Main.wow.Asm.AddLine("FS mov EAX, [0x2C]")
            Main.wow.Asm.AddLine("mov EAX, [EAX]")
            Main.wow.Asm.AddLine("add EAX, 0x10")
            Main.wow.Asm.AddLine("mov [EAX], EDX")
            Main.wow.Asm.AddLine("push {0}", New Object() { 0 })
            Main.wow.Asm.AddLine("mov eax, {0}", New Object() { (dwAddress + 0x200) })
            Main.wow.Asm.AddLine("push eax")
            Main.wow.Asm.AddLine("push eax")
            Main.wow.Asm.AddLine("call {0}", New Object() { "0x0049AAB0" })
            Main.wow.Asm.AddLine("add esp, 0xC")
            Main.wow.Asm.AddLine("retn")

This is just the asm injection part.. I know the allocation is fine, but I think one of the instructions is out of date,, let me know guys if you want to help.


thanks again

[flo8464]

Why are you retrieving the objectmgr ?

This is all you have to do

0040100E |. 6A 00 PUSH 0
00401010 |. 68 08214000 PUSH OFFSET dummy.??_C@_08OCNLHKCN@lString1?$AA@ ; ASCII "lString1"
00401015 |. 68 08214000 PUSH OFFSET dummy.??_C@_08OCNLHKCN@lString1?$AA@ ; ASCII "lString1"
0040101A |. B8 B0AA4900 MOV EAX,49AAB0
0040101F |. FFD0 CALL EAX

Just push the offset of your string instead

[lanman92]

Updating the TLS makes it less likely to crash(it still will).

As for the fix, why in the hell are you casting it as an Object()? Cast the address to call as a uint.

Here:

Code:

...("mov eax, {0}", (uint)(dwAlloc + 0x512));
...("push 0");
...("push eax");
...("push eax");
...("call {0}", (uint)(0x49AAB0));

The ultimate way to do this is to inject a stub to write to the beginning of endscene and hook it. Have the detour check a bool to see if you have a string to do(pun intended). Run dostring on that string if so, and write 0 to the bool then continue with the actual endscene.

Here's my endscene hook that I use:

Code:

HRESULT __stdcall mEndScene(LPDIRECT3DDEVICE9 pDevice)
{
    __asm {
        pushad;
        pushfd;
    }
    
    while(!stringstodo.empty())
    {
        std::string * s = stringstodo.back();
        stringstodo.pop_back();
        DoString(const_cast<char*>(s->c_str()), const_cast<char*>(s->c_str()), 0);
        delete s;
    }

    __asm {
        popfd;
        popad;
    }
    return oEndScene(pDevice);
}

Obviously it's in C++, but you get the idea. Stringstodo is a global vector that I push_back() a string onto through a P/Invoke.

[jockel]

Doing C++ DoString through P/Invoke sounds awesome.
Any hints on that, how you are doing this?

I know how to use P/Invoke, but I can't think of a method how you can use a injected library via P/Invoke.

[Nokia5800]

thanks for the responses guys, im tryin to get it to work now..

also anyone have a good asm to opcode converter on hand?

[lanman92]

Through an injected DLL. Im in-process.

[Nokia5800]

anyone have an updated C# Lua_Dostring function that uses blackmagic?

[Apoc]

anyone have an updated C# Lua_Dostring function that uses blackmagic?

Yes, your 2 new infraction points do.

[jockel]

Through an injected DLL. Im in-process.

Yeah of course... I said that before.

But how do you call the C++ Dll from C# since it is in process and not in the file system.

Are you using shared memory?

[lanman92]

No, I'm loading a separate DLL file into WoW's memory in my C# code through P/Invoke and I call functions to hook or call wow's functions.

[kemkoi]

no idea sry :S

[tanis2000]

But how do you call the C++ Dll from C# since it is in process and not in the file system.

Named pipes or sockets seem to be the best way for that kind of IPC. Keep in mind that you might want to run more than one instance of the client.

[jockel]

I know but sockets or pipes are really slow compared to P/Invoke calls.

So I can't think of another method than shared memory access, using P/Invoke to call function from my C++ Dll in the wow process.

[lanman92]

That would be a very interesting project. A .NET library that wraps shared memory and the likes... There's probably already one out there, just gotta look around.

[Nesox]

im using pipes atm but calling functions with pInvoke seems interesting.
Is there any special requirements to do that?