[Linux] Wow freeze on object deferencing [Solved]

[eLaps]

Hi,
I already used and abused the search function, verifying my structs and my offsets etc
but since I'm running on linux... I know the object linked list stuff was already answered like 46511 times but I honestly
didn't found what's wrong from the thousands threads I've read.

Here is the simplified injected code (yes this is C ), which is supposed to list all GUIDs of the list in ~/wow_output:

Code:

#define WGUID unsigned long long
#define DWORD unsigned int

#define PCLIENTCONNECTION        0xC923C0

#define OBJMANAGER               0x2E04
#define FIRSTOBJECT              0xAC
#define LOCALGUID                0xC0

#define OBJECTFIELDS             0x8
#define OBJECTNEXT               0x3C

//    From the 3.3.0 info dump thread 
#include "objects_structs.h"

typedef struct sObject sObject;
struct sObject {
    char x0[OBJECTFIELDS];
    union uObjectInformation* info;
    char x1[OBJECTNEXT-sizeof(DWORD)-OBJECTFIELDS];
    struct sObject* next;
};

typedef struct sObjectManager ObjectManager;
struct sObjectManager {
    char x0[FIRSTOBJECT];
    sObject* firstObject;
    char x1[LOCALGUID-sizeof(DWORD)-FIRSTOBJECT];
    WGUID guid_local;
};

void __attribute__ ((constructor)) winedl_input(void);
void winedl_input(void) {
    ObjectManager* curMgr = (ObjectManager*)(*(DWORD*)PCLIENTCONNECTION + OBJMANAGER);
    char output[500];
    sObject* ptr;

    ptr = curMgr->firstObject;
    while (ptr != NULL) {
        sprintf(output, "echo '%lld\\n' >> ~/wow_output", ptr->info->object.objectFields.OBJECT_FIELD_GUID);
        system(output);
        ptr = ptr->next;
    }
}

There is no file created by system() and WoW has an endless freeze.

curMgr->guid_local seems to be right though ('68823121392'?).
The ReloadUI LUA function works fine.





ps: flaming a french for his english/code would be a diplomacy incident

[Flowerew]

Try to check for ptr % 2 == 0 rather than ptr != NULL, that's what occured to me at first glance.

[eLaps]

Thanks but that didn't fixed it. I think it's more about a problem of offsets in sObject but can't find what (supposing I have the right local GUID).

[Flowerew]

I think you forgot to read the pointer value.

You do [PCLIENTCONNECTION]+OBJMGR and you take that as curMgr, but it's [[PCLIENTCONNECTION]+OBJMGR].
Try this: ObjectManager* curMgr = *(ObjectManager**)(*(DWORD*)PCLIENTCONNECTION + OBJMANAGER);

If the rest of your structures are correct, everything should be fine now.

[rootguy]

Code:

void __attribute__ ((constructor)) winedl_input(void);

This is the function called when the lib is loaded right?
Wow doesn't crash right? It just hangs?
Instead of doing all the work in the initiate routine of the library you are loading, you should create a thread and perfom the actions you want to do in that thread as to not cause an endless freeze.

[eLaps]

Flowerew:
curMgr is already a pointer, so do you mean that [PCLIENTCONNECTION] + OBJMANAGER is a pointer of pointer?
If I try I get a doubtful output:
4719772417737299262
4719772414549808107
4719772415130530153
4719772414403616820
4719772417737264047
4719772414543202497
4719772417737121761
4719772414538272747
4719772414372550400

but GUIDS are large numbers and they look similars... I should find out if they are valids, but wow still crashes.

rootguy:
Yes the function is called at the injection, and WoW doesn't crash if I stay kind (when I call std and some lua functions).
Running this in another process is on my todo list but for the moment I'm trying to decypher all the structs / func prototypes (I know it's obvious to you but a mess for the beginners).
While my function is running WoW "stops" but for now I think it's negligible.

edit: Thread fork() done and wow still crashes

[Flowerew]

What you call doubtful is exactly what it should look like, altough it looks much prettier if you output it in hex. Yes GUIDs are large numbers and as I understand you it does crash after listing all GUIDs so you are doing something wrong past that point you showed here.

curMgr is already a pointer, so do you mean that [PCLIENTCONNECTION] + OBJMANAGER is a pointer of pointer?

Yes curMgr is a pointer and what you where previously looking at was merely the address of the pointer to curMgr, not the pointer to curMgr itself, so yes it's a pointer pointer. Try to visualize it:

Code:

class ClientConnection {
...
CGCurMgr_C *m_pCurMgr;  // with an offset of 0x2e04
...
};

ClientConnection *pClientConnection = *(ClientConnection**)0xC923C0;
CGCurMgr_C *pCurMgr = *(CGCurMgr_C**)((DWORD)pClientConnection + 0x2e04);

It's that simple...

[eLaps]

Oh great finally you were right, I just forked the process and added '((DWORD)ptr & 1) == 0' (the same as you told me).
Seems strange not to store NULL to end a linked list but whatever.

Thank you! Problem solved .

ps: Now I search for lua func prototypes, if you have some in your sack

[Ellesar1]

Here are those that I use currently in my project. For the other ones, go to lua.org, download it and check lua.h

Code:

typedef const void (* p_lua_pushcclosure) (lua_State *L, lua_CFunction fn, int n);
typedef void (* p_lua_setfield) (lua_State *L, int idx, const char *k);
typedef int (* p_lua_gettop) (lua_State *L);
typedef const char * (* p_lua_tolstring) (lua_State *L, int idx, size_t *len);
typedef void (* p_lua_pushstring) (lua_State *L, const char *s);

Signatures if you don't want to update those offsets after every patch:

Code:

	std::vector<char> pattern;
	// lua_pushcclosure
	{
		const char data[] = {
			0x55, 0x8b, 0xec, 0x53, 0x56, 0x8b, 0x75, 0x08,
			0x8b, 0x46, 0x14, 0x8b
		};
		pattern.assign(data, data + sizeof data);
		Offsets::lua_pushcclosure = (p_lua_pushcclosure)FindPattern(pattern, 0x00, Offsets::WowModuleStart, Offsets::WowModuleEnd);
	}
	// lua_setfield
	{
		const char data[] = {
			0x55, 0x8b, 0xec, 0x83, 0xec, 0x10, 0x8b, 0x45,
			0x0c, 0x53, 0x56, 0x8b, 0x75, 0x08, 0x57, 0x8b,
			0xce, 0xe8, 0xaa
		};
		pattern.assign(data, data + sizeof data);
		Offsets::lua_setfield = (p_lua_setfield)FindPattern(pattern, 0x00, Offsets::WowModuleStart, Offsets::WowModuleEnd);
	}
	// lua_gettop
	{
		const char data[] = {
			0x55, 0x8b, 0xec, 0x8b, 0x4d, 0x08, 0x8b, 0x41,
			0x0c, 0x2b
		};
		pattern.assign(data, data + sizeof data);
		Offsets::lua_gettop = (p_lua_gettop)FindPattern(pattern, 0x00, Offsets::WowModuleStart, Offsets::WowModuleEnd);
	}
	// lua_tolstring
	{
		const char data[] = {
			0x55, 0x8b, 0xec, 0x56, 0x8b, 0x75, 0x08, 0x57,
			0x8b, 0x7d, 0x0c, 0x8b, 0xc7
		};
		pattern.assign(data, data + sizeof data);
		Offsets::lua_tolstring = (p_lua_tolstring)FindPattern(pattern, 0x00, Offsets::WowModuleStart, Offsets::WowModuleEnd);
	}
	// lua_pushstring
	{
		const char data[] = {
			0x55, 0x8b, 0xec, 0x8b, 0x55, 0x0c, 0x85, 0xd2,
			0x75
		};
		pattern.assign(data, data + sizeof data);
		Offsets::lua_pushstring = (p_lua_pushstring)FindPattern(pattern, 0x00, Offsets::WowModuleStart, Offsets::WowModuleEnd);
	}

Code:

void * FindPattern (const std::vector<char> &pattern, char wildcard, const void * startAddress, const void * endAddress) {
	int size = pattern.size();
	int j;
	for (char * i = (char *)startAddress; i < (char *)endAddress - size; i++) {
		for (j = 0; j < size && (*(i + j) == pattern[j] || pattern[j] == wildcard); j++);
		if (j == size) {
			return (void *)i;
		}
	}
	return 0;
};