DLL Injection

[nitrogrlie]

This is my first time playing with in-process application modification (previously did out-of-process manipulation and packet spoofing / client recreation) and I don't understand why the following code isn't working right now:

Code:

	DWORD guidLOW, guidHIGH;

	__asm 
	{
		mov edx, 0x00476580
		call edx
		mov guidLOW, eax
		mov guidHIGH, edx
	}

	char guidStr[32];
	_snprintf_s(guidStr, 32, 32, "GUID: 0x%08x%08x\n", guidHIGH, guidLOW);
	MessageBox(0, guidStr, "GUID", 0);

I run this from a thread I create in the Initialization function of a DLL I inject. The issue is that basically the guidStr I get is 0x0000000000000000. I know the function address is okay because I used Olly to pause WoW and re-direct EIP at a random point in time to that address and it ran fine, generating the appropriate GUID.

Am I just doing some dumb mistake?

Thanks for the help in advance...

[lanman92]

Your TLS is off. Look at the asm in that function. You'll see that it reads from FS:0x2C. That's thread-local and you'll have to rip the OM from the 'regular' memory and put it in your thread's local storage. Or, you could hook EndScene.

[furang]

I guess it should be smth like this

Code:

mov EDX, [0x012705B0] ; getting OM
mov EDX, [EDX+0x00002D94] ; EDX=OM
mov EAX, FS:[0x2C]; getting TLS
mov EAX, [EAX] ; EAX=TLS[0]
add EAX, 8 ; EAX=TLS[2]
mov [EAX], EDX ;replacing TLS[2] pointer with pointer to OM

[nitrogrlie]

Your TLS is off. Look at the asm in that function. You'll see that it reads from FS:0x2C. That's thread-local and you'll have to rip the OM from the 'regular' memory and put it in your thread's local storage. Or, you could hook EndScene.

That explains it, but that also brings up more questions. Since WoW has the same FS seg descriptor (0x0053) for each thread but it's base is different in each case I can't just GetThreadContext() of one of its threads and set my FS accordingly. So how else to obtain my GUID properly?

mov EDX, [0x012705B0]
mov EDX, [EDX+0x00002D94]
mov EAX, FS:[0x2C]
mov EAX, [EAX]
add EAX, 8
mov [EAX], edx

I do not understand this the address or the offsets (aka what they are, where they came from, and how you found them). Could you please elaborate?

[furang]

lanman92 gave nice coments in prev post. ok. i've added coments in my post.

[nitrogrlie]

lanman92 gave nice coments in prev post. ok. i've added coments in my post.

Thanks for the help, the code you gave me wasn't working until I made a small change, for some reason "mov EDX, [0x012705B0]" would load 0x012705B0 into EDX, and not its dereferenced value. Here it is and I also included two ways of obtaining the player GUID, one in asm and one with func ptrs.

Code:

	unsigned int ObjMngr = 0;

	// Correct TLS with proper ObjectManager ptr
	__asm {
		mov EDX, 0x012705B0
		mov EDX, [EDX]
		mov EDX, [EDX+0x2D94]
		mov ObjMngr, EDX
		mov EAX, FS:[0x2C] 
		mov EAX, [EAX] 		; EAX = TLS[0] 
		mov [EAX+8], EDX 	; replacing TLS[2] pointer with pointer to ObjMngr
	}

	// Get our GUID
	unsigned int guidLOW, guidHIGH;
	__asm {
		mov edx, 0x00476580
		call edx
		mov guidLOW, eax
		mov guidHIGH, edx
	}

	typedef unsigned long long (*fptr_t)(void);
	fptr_t GetPlayerGuid = (fptr_t)0x00476580;
	unsigned long long x = GetPlayerGuid();

	FILE * file = fopen("C:\\Users\\Public\\test.txt", "w");
	fprintf(file, "ObjMngr Addr: 0x%08x\n", ObjMngr);
	fprintf(file, "GUID: 0x%08x%08x\n", guidHIGH, guidLOW);
	fprintf(file, "GUID: 0x%016llx\n", x);
	fflush(file);
	fclose(file);

	char guidStr[32];
	_snprintf_s(guidStr, 32, 32, "GUID: 0x%08x%08x\n", guidHIGH, guidLOW);
	MessageBox(0, guidStr, "GUID", 0);

EDIT: I should add, that once you have ObjMngr you really don't need to call either function to get the GUID as you can just use the ObjMngr with 0xC0 offset to get the GUID.

What I would love to learn though, is how people arrived at the 0x012705B0 addr and the 0x2D94 offset so that I can find it myself in future patches?

[lanman92]

Look at the function at 0x47A480. The last part of that function shows the offsets. It's always the last xref to 'ObjectMgrClient.cpp' from what I can remember in the recent patches.

[nitrogrlie]

Here is some code in case anyone else is learning DLL injection and gets annoyed with mistakes here and there when trying to use the VFTables.

Code:

DWORD WINAPI runFunction(LPVOID lParam) {  
	unsigned int ObjMngr = 0;

	// Correct TLS with proper ObjectManager ptr
	__asm {
		mov EDX, 0x012705B0
		mov EDX, [EDX]
		mov EDX, [EDX+0x2D94]
		mov ObjMngr, EDX
		mov EAX, FS:[0x2C] 
		mov EAX, [EAX] 		; EAX = TLS[0] 
		mov [EAX+8], EDX 	; replacing TLS[2] pointer with pointer to ObjMngr
	}

	// Get our GUID
	DWORD guidLOW, guidHIGH;
	__asm {
		mov edx, 0x00476580
		call edx
		mov guidLOW, eax
		mov guidHIGH, edx
	}
	
	// Alternative way to get GUID without asm code
	/*
	typedef unsigned long long (*fptr_t)(void);
	fptr_t GetPlayerGuid = (fptr_t)0x00476580;
	unsigned long long playerGuid = GetPlayerGuid();
	*/

	// Get Player pointer
	DWORD playerPtr = 0;
	DWORD playerVFTable = 0;
	__asm {
		push 0xA1
		push 0x00
		push 0x10
		push guidHIGH
		push guidLOW
		mov EDX, 0x00477B50
		call EDX
		mov playerPtr, EAX
		mov EAX, [EAX]
		mov playerVFTable, EAX
		add esp, 0x14
	}

	FILE * file = fopen("C:\\Users\\Public\\test.txt", "w");
	fprintf(file, "ObjMngr Addr: 0x%08x\n", ObjMngr);
	fprintf(file, "GUID: 0x%08x%08x\n", guidHIGH, guidLOW);
	//fprintf(file, "GUID: 0x%016llx\n", playerGuid);
	fprintf(file, "Ptr : 0x%08x\n", playerPtr);
	fprintf(file, "pVFT: 0x%08x\n", playerVFTable);

	// List VFTable addresses
	DWORD VFTable[53];
	for( unsigned short i = 0; i < 53; i++ ) {
		DWORD addr = 0;
		DWORD index = playerVFTable + 4*i;
		__asm {
			mov EDX, index
			mov EDX, [EDX]
			mov addr, EDX
		}
		VFTable[i] = addr;
		fprintf(file, "\t[%02d] - 0x%08x\n", i, addr);
	}
	fprintf(file, "\n");

	// Get our Position
	float pos[3] = {0.0};
	DWORD pos_addr = (DWORD)&pos[0];
	DWORD index = VFTable[11];

	// test this by getting 10 points
	for( unsigned int i = 0; i < 10; i++ ) {
		__asm {
			mov EDX, index
			push pos_addr
			mov ECX, playerPtr
			call EDX
			add esp, 4
		}
		fprintf(file, "Position: %04.2f, %04.2f, %03.2f\n", pos[0], pos[1], pos[2]);

		char gStr[128];
		_snprintf_s(gStr, 128, 128, "Position: %04.2f, %04.2f, %03.2f\n",  pos[0], pos[1], pos[2]);
		MessageBox(0, gStr, "Info", 0);
	}

	// Flush and Close our file
	fflush(file);
	fclose(file);

	// Check Stuff

    ExitThread(0);
}

To Remember: When using VFtables you need to set ECX to be the pointer to the class of the object you want to call the VFTable function for. That led me to a few crashes before I had a "duh" moment.

Next - i'm looking for information of how to perform IPC between the loaded DLL and my injection program through the use of data_seg. Is there a good manual link anyone can provide that describes how to "use" it and not how to "define" it? Or perhaps a post with a quick example?