Advanced Injection

[Cromon]

Hello everyone!

After a lot of work my ASM-Injection lib for C++ is finally finished. Now of course i want to test that thing and use it

My first steps worked well (calling virtuall functions of objects) and are making a lot of fun ! But now im trying to get to some advanced things which at the moment arent working. Here is a list of what id like to learn:

1. Calling functions with parameters
2. Hooking LUA-Events
3. Hooking WoW-Functions

Well, lets begin with the first one, functions with parameters. From what i made in ASM before when i was learning the basics of ASM i used to call functions with parameters by pushing my parameter on the stack and in the function it gets popped and used. Now i tried that with the lua-function IsFlying. I suggest that it uses one parameter that is the unit we want to inspect. So, thats what i now coded:

Code:

	IAsmInterface* ias = g_MemInterf->GetInterface();
	ias->Clear();
	DWORD dwAddr = ias->AllocateMemory(g_MemInterf->GetProcess());
	ias->AddLine("mov eax, %u", obj->GetOffset());
	ias->AddLine("push eax");
	ias->AddLine("xor eax, eax");
	ias->AddLine("call %u", 0x005973F0);
	ias->AddLine("retn");
	DWORD dwRet = ias->InjectAndExecute(g_MemInterf->GetProcess(), dwAddr, 0);

Now that crashed wow with an acces_violation that the memory could not be written.

To the other 2 points i mentioned above id say we come if the first one is solved

Greetings
Cromon

[ggg898]

If its the lua function you are trying to call (i havnt looked at the address, just asuming) then the parameter is not the unit, it is the lua state which lua uses to pass parameter in.

[Robske]

If its the lua function you are trying to call (i havnt looked at the address, just asuming) then the parameter is not the unit, it is the lua state which lua uses to pass parameter in.

Could be wrong, but the Lua Function IsFlying() will throw the boolean on the lua stack instead of placing it in eax right?

[Cromon]

Yes, i think its placed on the LUA-stack and in eax there will be either 1 or 0 if the function pushed something on the stack or not.

The offset is taken from the 3.2.2a info posted by Apoc, so i guess its correct. Ill try to do things with the lua_state cause even if i would get IsFlying working without the lua_state i would need it to get the returnvalue.

[furang]

Attach olly and trace that call. Inject CC opcode at the beginning for int3. And your stack is not balanced. Fix this obvious bugs. If doesn't help just let us know.

[ggg898]

Im just happy I dont use advanced injection. Seems hard :P

[Cromon]

Attach olly and trace that call. Inject CC opcode at the beginning for int3. And your stack is not balanced. Fix this obvious bugs. If doesn't help just let us know.

Kk, good idea, ill let olly go trough it. And thanks for pointing to the stack-thing, i allways forget that *memo*.

[flo8464]

Yes, i think its placed on the LUA-stack and in eax there will be either 1 or 0 if the function pushed something on the stack or not.

Luafunctions return with eax set to the number of pushed things in total.

[Cromon]

yes, and cause IsFlying either fails or pushes a boolean it will be 1 or 0, thats what i ment in the post quoted

[ostapus]

why dont you look in IDA on IsFlying rather than bother people with questions ?

[Cromon]

1. Read the thread, then answer if you really have something to say
2. Give me a license for a version of IDA compatible with a current symbol-database or give me a symbol-database for a free version
3. If i bother you with my question, hit ALT + F4 very, very, very, very, fast (or press the "back"-button of your browser in the same speed). If not and you like to contribute, do so. You can see in the replies above that there is a common interest in these things.

And last but not least:
If you just wanna troll, gtfo.

And now back to topic:
Couldnt work on that since the last posting, but ill keep you all updated!

[Robske]

The offset is taken from the 3.2.2a info posted by Apoc, so i guess its correct. Ill try to do things with the lua_state cause even if i would get IsFlying working without the lua_state i would need it to get the returnvalue.

Rhough outlines to get return values:

Code:

LuaFunction(pLuaState)
for Index: 0 -> GetTop(pLuaState)
{
      Foo = ToFoo(pLuaState, Index, 0)
}

Keep in mind that you have to handle both stacks (The functions to handle the lua stack such as PushString, GetTop and ToString use the cdecl calling convention) As with ToFoo, if you wish to call a function that requires arguments, you'll have to push those on the lua stack manually.

[ostapus]

so, you didn't look to isFlying....
1. eax will always = 1 (in case of isFlying)... rings any bell ?
2. any lua C function (which is isFlying) will always has just 1 parameter ( to answer what should be passed into function as parameter)
3. google ida (5.2 is latest "free" avaliable), you dont need "current" symbol database

was it helpfull enough ?

[Ellesar1]

Since IsFlying is a Lua function, it's signature has to conform to the Lua specification, and so is:

Code:

int IsFlying (lua_State* L);

- lua_State contains the whole state of Lua. Everything which is available to Lua is somehow referenced there. Therefore, there is only one lua_State in the whole game. There is some memory location which points to the lua_State. You can get it from the Info Dump Thread
- the function returns the number of arguments which should be returned. As IsFlying returns 1 or nil depending on whether you are flying or not, there will be always one argument returned and the return value of the function will therefore be one.

In the info dump thread, you can get the memory location of IsFlying. Go there with OllyDbg (or any other similar tool) to get the disassembled function. Try to fill out as many comment fields as you can. The Info Dump Thread is a real help here. If you are through, log in with a guest account and call the function to fill out even more comment fields. Here is what I get from looking at this function:

Code:

CPU Disasm
Address   Hex dump          Command                               Comments
005973F0  /.  55            PUSH EBP
005973F1  |.  8BEC          MOV EBP,ESP
005973F3  |.  E8 88F1EDFF   CALL 00476580                         ; GetActivePlayerGUID
005973F8  |.  68 A1000000   PUSH 0A1
005973FD  |.  68 C8DB9A00   PUSH OFFSET WoW.009ADBC8              ; ASCII "c:\BuildServer\bs1\work\WoW-code\branches\wow-patch-3_2_2_A-branch\WoW\Source\Object/ObjectClient/Player_C.h"
00597402  |.  6A 10         PUSH 10
00597404  |.  52            PUSH EDX                              ; Arg2 => guidHigh
00597405  |.  50            PUSH EAX                              ; Arg1 => guidLow
00597406  |.  E8 4507EEFF   CALL 00477B50                         ; GetObjectByGUID => eax = playerbase, ecx = playerbase+1818, edx = 10
0059740B  |.  83C4 14       ADD ESP,14
0059740E  |.  85C0          TEST EAX,EAX
00597410  |.  74 5D         JE SHORT 0059746F                     ; return nil if object wasn't returned properly
00597412  |.  8B88 680F0000 MOV ECX,DWORD PTR DS:[EAX+0F68]
00597418  |.  85C9          TEST ECX,ECX
0059741A  |.  74 29         JE SHORT 00597445
0059741C  |.  8379 14 03    CMP DWORD PTR DS:[ECX+14],3
00597420  |.  75 23         JNE SHORT 00597445                    ; if [playerbase+0f68] == 0 || [[playerbase+0f68]+14] != 3 jump
00597422  |.  8B10          MOV EDX,DWORD PTR DS:[EAX]            ; 009e6c70
00597424  |.  68 970E0000   PUSH 0E97
00597429  |.  68 347F9D00   PUSH OFFSET WoW.009D7F34              ; ASCII ".\ScriptEvents.cpp"
0059742E  |.  8BC8          MOV ECX,EAX
00597430  |.  8B42 3C       MOV EAX,DWORD PTR DS:[EDX+3C]
00597433  |.  6A 08         PUSH 8
00597435  |.  FFD0          CALL EAX                              ; call 0065ecc0
00597437  |.  52            PUSH EDX                              ; Arg2 => guidHigh ([playerbase+794])
00597438  |.  50            PUSH EAX                              ; Arg1 => guidLow ([playerbase+790])
00597439  |.  E8 1207EEFF   CALL 00477B50                         ; GetObjectByGUID
0059743E  |.  83C4 14       ADD ESP,14
00597441  |.  85C0          TEST EAX,EAX
00597443  |.  74 2A         JE SHORT 0059746F                     ; return nil if object wasn't returned properly
00597445  |>  8B88 D8000000 MOV ECX,DWORD PTR DS:[EAX+0D8]
0059744B  |.  F741 44 00000 TEST DWORD PTR DS:[ECX+44],02000000
00597452  |.  74 1B         JE SHORT 0059746F                     ; if [[eax+0d8]+44] == 02 00 00 00 return nil
00597454  |.  D9E8          FLD1                                  ; else return 1
00597456  |.  8B55 08       MOV EDX,DWORD PTR SS:[ARG.1]
00597459  |.  83EC 08       SUB ESP,8
0059745C  |.  DD1C24        FSTP QWORD PTR SS:[ARG.RETADDR]
0059745F  |.  52            PUSH EDX
00597460  |.  E8 ABC52600   CALL 00803A10                         ; lua_pushnumber
00597465  |.  83C4 0C       ADD ESP,0C
00597468  |.  B8 01000000   MOV EAX,1
0059746D  |.  5D            POP EBP
0059746E  |.  C3            RETN
0059746F  |>  8B45 08       MOV EAX,DWORD PTR SS:[ARG.1]          ; return nil
00597472  |.  50            PUSH EAX                              ; /Arg1 => [ARG.1]
00597473  |.  E8 78C52600   CALL 008039F0                         ; \WoW.008039F0, lua_pushnil
00597478  |.  83C4 04       ADD ESP,4
0059747B  |.  B8 01000000   MOV EAX,1
00597480  |.  5D            POP EBP
00597481  \.  C3            RETN

so, what I can take from this is that your desired info is

Code:

temp = playerbase;
if ([playerbase+0xf68] && [[playerbase+0xf68]+0x14] == 0x3) {
    guidL = [playerbase + 0x790];
    guidH = [playerbase + 0x794];
    temp = GetObjectByGUID(guidL, guidH);
}
return ([[temp+0xd8]+0x44] != 0x2000000) ? 1 : nil;

Couldn't find out what [playerbase+0xf68] represents and what GUID is standing at [playerbase + 0x790] if the if if-branch is taken.

Since I'm new to memory editing there can of course be some errors in this. Feel free to post any improvements or bug reports :-)