Floating-Point Support issue

  1. #1
    nitrogrlie's Avatar Member

    Floating-Point Support issue

    First of all, this is an issue that is caused by my own code, not WoW doing something strange or anything.

    For my bot I have taken the following path:

    a) Manually Map the bot DLL into the WoW process - this is done through my own memory allocation and fixing imports and relocations. This is in essence, my own DLL injector, except that doing it this way prevents it being found using VADs. (Technically, VMMap will still see it as a block of allocated memory with RWX flag, but that's it... and I could fix that with PageGuards but that's a completely different topic).
    b) the bot DLL file creates its own thread in WoW's process space
    c) my created thread hooks Direct3D's EndScene and Reset functions
    d) most of my logic is executed through calls inside the EndScene hook

    Now, my problem is that ever since I started Manually Mapping my bot DLL it seems that I lose floating-point support. For example something as simple as:
    Code:
        float curFacing = self->GetFacing();
        char szBuf[128];
        sprintf(szBuf, "CurFacing: %f\n", curFacing);
        MessageBoxA(0, szBuf, "Rotation Info", 0);
    The code above will crash WoW with a:
    Code:
    Runtime Error!
    
    R6002
     - floating point support not loaded
    Now, to be specific, the crash occurs on the sprintf(), not on creating or setting the float (or double) variables.

    This is true regardless of whether I run that code inside EndScene or my injected bot DLL thread.

    Any ideas for how I can force floating-point support to be loaded?

    MSDN (Floating-Point Support (CRT)) states that floating-point support is loaded at run-time when it is found to be required. Another suggestion I've read was to simply instantiate a double/float and set it to a value inside the DllMain load routine to force the compiler/linker to set the __floatused variable to true so the library is included. I've done that, but the issue still remains.

    I compile/link with:
    RuntimeLibrary set to Multi-threaded (/MT)
    No Common Language Runtime Support

    This really might be something dumb on my part, but not sure.
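
Added example, not part of the original post or thread: the post notes that VMMap still shows the manually mapped image as a private RWX allocation, and that is the property memory-triage scans key on. The C code below scores region records the way such a scan would; `region_t`, `score_region` and `sample_region` are hypothetical names, the constants mirror winnt.h, and the sample regions are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Values as in winnt.h, repeated so the example builds off Windows. */
#define MEM_COMMIT  0x1000u
#define MEM_PRIVATE 0x20000u
#define MEM_IMAGE   0x1000000u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_EXEC_MASK 0xF0u /* EXECUTE | _READ | _READWRITE | _WRITECOPY */
/* Hypothetical record: MEMORY_BASIC_INFORMATION fields plus the region's first bytes. */
typedef struct {
    uint32_t state, protect, type;
    uint8_t  head[0x200];
    size_t   head_len;
} region_t;

/* Does the buffer hold a DOS header whose e_lfanew points at "PE\0\0"? */
static int looks_like_pe(const uint8_t *p, size_t n) {
    uint32_t e_lfanew;
    if (n < 0x40 || p[0] != 'M' || p[1] != 'Z') return 0;
    memcpy(&e_lfanew, p + 0x3C, 4); /* little-endian host assumed */
    return e_lfanew <= n - 4 && memcmp(p + e_lfanew, "PE\0\0", 4) == 0;
}

/* 0 ignore, 1 private+executable, 2 private RWX, 3 private+executable with PE header */
int score_region(const region_t *r) {
    if (!(r->state & MEM_COMMIT) || r->type != MEM_PRIVATE) return 0; /* loader images are MEM_IMAGE */
    if (!(r->protect & PAGE_EXEC_MASK)) return 0;
    if (looks_like_pe(r->head, r->head_len)) return 3;
    return (r->protect & 0xFFu) == PAGE_EXECUTE_READWRITE ? 2 : 1;
}

/* Constructed sample region, optionally carrying a minimal MZ/PE header. */
region_t sample_region(uint32_t type, uint32_t protect, int with_pe) {
    region_t r = {0};
    uint32_t off = 0x80;
    r.state = MEM_COMMIT; r.type = type; r.protect = protect;
    r.head_len = sizeof r.head;
    if (with_pe) {
        memcpy(r.head, "MZ", 2);
        memcpy(r.head + 0x3C, &off, 4);
        memcpy(r.head + off, "PE\0\0", 4);
    }
    return r;
}

int main(void) {
    region_t r = sample_region(MEM_PRIVATE, PAGE_EXECUTE_READWRITE, 1);
    return printf("score=%d\n", score_region(&r)) < 0;
}
```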

  2. #2
    Cypher's Avatar Kynox's Sister's Pimp
    I take it you're using Darawk's manual mapper? It's old, it's unstable, and it's broken. I really wouldn't recommend using it.

    You need to add TLS support to it (along with a shitload of other stuff if you want it to be anything but a PoC). Once you add TLS support your current problem should be solved.

  3. #3
    nitrogrlie's Avatar Member
    Well I based it off his 2005 OpenRCE Tools submission (ManualMap - Collaborative RCE Tool Library), which is much better than his original PoC code, but I guess it is still somewhat lacking. I know it's the injector because if I use another one it works just fine.

  4. #4
    Cypher's Avatar Kynox's Sister's Pimp
    Huh? Your injector should have nothing to do with it.

    At any rate, I'm telling you, FPU support is broken because you don't have TLS support. The CRT is open source, take a look at the implementation if you don't believe me.

    You can probably initialize it manually somehow, but simply adding TLS support should fix the problem.

    From memory this exact problem has already been covered previously on GD.

    P.S. The 2005 version of the code is still no more than a PoC.

  5. #5
    Cypher's Avatar Kynox's Sister's Pimp
    Sorry for the double post, but given you're online atm I didn't want to edit and then have you miss it then have to edit, etc.

    Anyway...

    Why the hell are you manually mapping anyway? Seriously. It seems totally unnecessary given your cheat is (I assume) private.

    Besides, unless you know what you're doing when it comes to this kind of stuff (which, based on this thread and your other module hiding thread, you don't*), you're just setting yourself up for a mess that you won't be able to clean up properly.

    Last I looked (and it's been a while, so forgive me) at the public implementations of manual mappers, they were all very flakey, and very basic. As soon as you start doing anything beyond the absolute 'basics' (read: anything more than just very low level pure C) you're bound to run into problems.

    Heck, you ran into problems simply trying to use the FPU!

    Sure, it might work fine in limited situations, but I wouldn't rely on it for anything more than a quick PoC. You're just going to run into problems and waste a lot of time on something that's useless to you anyway.

    * Not trying to be rude, just telling it like it is.

  6. #6
    nitrogrlie's Avatar Member
    I hear you and I don't mind you calling it like it is. I honestly don't get upset at people being honest or giving their opinions. To answer your question, the only reason I did it is because I tend to be the type of person that learns best by trying something. Yes, I am fully aware that as long as my bot is private all this stuff is overkill. But I was curious how it would work and what limitations I would run into. And now I know...

    My bot works fine (at the infant stage I have it - currently I only have a working d3d endscene/reset hook with a registered lua callback function that wraps the return values for handling when I want). There is more I want to know and learn.

    Now, I'm looking at another Manual Mapper that is apparently part of the Metasploit framework (Harmony Security : Reflective Dll Injection). You ever hear of it or use it? And again, this is not because I want to use it, but because I want to see if I can and what limitations it has.

  7. #7
    Cypher's Avatar Kynox's Sister's Pimp
    I remember looking at that Reflective DLL shit when it was first published, but from memory it wasn't all that new or amazing. However it's been a long time since I've looked at it, so I may be remembering incorrectly.

  8. #8
    wraithZX's Avatar Active Member
    Doesn't seem to solve the TLS issue either.
