Passing string pointer as parameter crashes WoW

  1. #1 Burningmace (Member)


    I've been working on some code that calls a method in WoW and returns its return value. Whilst this is fine for a single uint parameter, I'm struggling with passing strings.

    So far my code allocates memory for a string, writes it to memory, then calls the method at the address with the address of the string as a parameter.

    Here's what I have:
    Code:
            private uint Call(uint address, string Param)
            {
                Param += '\0';
                // round length to nearest 4096
                int sl = RoundPageSize(Param.Length);
                // create some memory to store the string
                uint sptr = wow.AllocateMemory(sl);
                // write the string to memory
                SMemory.WriteUnicodeString((IntPtr)wow.ProcessId, sptr, Param);
                // execute at the address (I'm testing with 0x005A4FE0)
                uint retn = wow.Execute(address, sptr);
                System.Threading.Thread.Sleep(5);
                wow.FreeMemory(sptr);
                return retn;
            }
    This crashes WoW, stating that an access violation occurred reading memory address 0x00000044.

    What am I doing wrong?

  2. #2 flo8464 (Active Member)
    Well, first of all, you can't call non-__stdcall functions by using CreateRemoteThread.
    Then, ever tried to leave the string in memory? 5ms is pretty short; maybe the game still stores references to your string. Oh, and calling functions in a remote thread can cause many problems, like race conditions and access to the TLS, etc.

    Call it manually by injecting some ASM.

  3. #3 Burningmace (Member)
    I tried some ASM and still got the same issue...

    Code:
            // called with 0x005A4FE0, "target"
            private uint Call(WarcraftOffsets address, string Param)
            {
                Param += '\0';
                int sl = RoundPageSize(Param.Length);
                uint sptr = wow.AllocateMemory(sl);
                SMemory.WriteUnicodeString((IntPtr)wow.ProcessId, sptr, Param);
                wow.Asm.Clear();
                wow.Asm.AddLine("push 0x" + sptr.ToString("X"));
                wow.Asm.AddLine("call 0x" + address.ToString("X"));
                wow.Asm.AddLine("pop ebp");
                wow.Asm.AddLine("retn");
                uint mptr = wow.AllocateMemory(wow.Asm.GetMemorySize());
                uint retn = wow.Asm.InjectAndExecute(mptr); // CRASH
                System.Threading.Thread.Sleep(1000);
                wow.FreeMemory(mptr);
                wow.FreeMemory(sptr);
                return retn;
            }

  4. #4 Robske (Contributor)
    Meh, as I expected. You are trying to call a lua function. You have to manage the lua stack yourself.

    int __cdecl lua_UnitHealth(LuaState* p)

  5. #5 Burningmace (Member)
    Aaah, that explains a lot. I've just read the guide by jbrauman on the object manager and the WoW 3.3.0 info dump threads, and it seems there should be a much simpler way to access the information than injecting ASM to call Lua functions.

    From what I can understand, there's a static pointer to the PlayerBase and then a bunch of offsets to the important values. The info thread has an enum called PlayerFields with a pile of interesting looking offsets in. What I can't find is the actual PlayerBase pointer... I searched but it's basically full of questions without answers - telling people either to find it themselves (without giving them an idea how) or telling them it's in the info thread (I can't find it!). A little help?

  6. #6 Robske (Contributor)
    Originally Posted by Burningmace:
    Aaah, that explains a lot. I've just read the guide by jbrauman on the object manager and the WoW 3.3.0 info dump threads, and it seems there should be a much simpler way to access the information than injecting ASM to call Lua functions.

    From what I can understand, there's a static pointer to the PlayerBase and then a bunch of offsets to the important values. The info thread has an enum called PlayerFields with a pile of interesting looking offsets in. What I can't find is the actual PlayerBase pointer... I searched but it's basically full of questions without answers - telling people either to find it themselves (without giving them an idea how) or telling them it's in the info thread (I can't find it!). A little help?
    Iterate the objectmanager and compare with the GUID of the localplayer or use the static pointer to the localplayer base...

    And open your eyes while searching:

    Just updated my addresses and I thought I'd share the new player pointer so here it is:
    Player Pointer: 0x00CF8C50
    Base: Didn't change, (((Ptr)+34)+24)

  7. #7 amadmonk (Active Member)
    Originally Posted by Burningmace:
    Code:
            private uint Call(uint address, string Param)
            {
                Param += '\0';
                // round length to nearest 4096
                int sl = RoundPageSize(Param.Length);
                // create some memory to store the string
                uint sptr = wow.AllocateMemory(sl);
                // write the string to memory
                SMemory.WriteUnicodeString((IntPtr)wow.ProcessId, sptr, Param);
    Among other things, String.Length != buffer size if you're using Unicode. Use ANSI or correctly calculate the byte length of the Unicode string.

  8. #8 Burningmace (Member)
    amadmonk - I spotted this error a minute ago and corrected it, though since the original string was only 6 characters it shouldn't have caused problems in this case.

    Robske - You're a legend! +1 rep for you, I think. I can't believe I missed that one, my brain must have fallen asleep. I think the fact that it was such a short reply in the thread meant that my eyes just slid over it without processing it. When I searched the thread itself I used "playerbase" as a term, so that's why it didn't get flagged. Just goes to show that you shouldn't try to find stuff like this so early in the morning!

    I did actually read up on iterating through the object manager, but for some reason I kept getting 0x00000000 returned from my pointers. Maybe I messed up somewhere or chose the wrong pointer... who knows? Anyway, I'll give that player base pointer a go. Thanks again!
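To make amadmonk's point concrete, and to show why Burningmace's six-character string happened to survive it, here is an added C# example (not code from the thread or from any poster): it reproduces the thread's sizing of the allocation from String.Length, with an assumed page-rounding RoundPageSize, and compares that with the bytes a UTF-16 write of the same string really needs.

```csharp
using System;
using System.Text;

// Added example (not from the thread): does a buffer sized from the character
// count actually hold the string once it is written in a given encoding?
static class StringBufferCheck
{
    // Assumed to mirror the thread's RoundPageSize: round up to a 4096-byte page.
    public static int RoundPageSize(int length)
    {
        const int page = 4096;
        return ((length + page - 1) / page) * page;
    }

    // Bytes the write really needs: the encoded characters plus the encoding's own null terminator.
    public static int BytesNeeded(string s, Encoding enc)
    {
        return enc.GetByteCount(s) + enc.GetByteCount("\0");
    }

    // true if an allocation sized from the character count (as in the thread's Call()) is big enough.
    public static bool FitsWhenSizedByCharCount(string s, Encoding enc)
    {
        int allocated = RoundPageSize((s + '\0').Length); // what the thread's code allocates
        return BytesNeeded(s, enc) <= allocated;
    }

    static void Main()
    {
        Encoding utf16 = Encoding.Unicode; // what a WriteUnicodeString emits: 2 bytes per char
        Encoding ansi = Encoding.ASCII;    // 1 byte per char: character count equals byte count

        string shortName = "target";             // the thread's 6-character test string
        string longName = new string('a', 2100); // constructed: long enough to defeat the page rounding

        // "target": 14 bytes needed, 4096 allocated -> fits, but only because of the page rounding.
        Console.WriteLine($"target / UTF-16 fits: {FitsWhenSizedByCharCount(shortName, utf16)}");
        // 2100 chars: 4202 bytes needed, 4096 allocated -> the write runs past the allocation.
        Console.WriteLine($"2100 chars / UTF-16 fits: {FitsWhenSizedByCharCount(longName, utf16)}");
        // Same string as ANSI: 2101 bytes needed, 4096 allocated -> fits.
        Console.WriteLine($"2100 chars / ANSI fits: {FitsWhenSizedByCharCount(longName, ansi)}");

        // The correct allocation size is computed from the encoded byte count, not from String.Length.
        int correct = RoundPageSize(BytesNeeded(longName, utf16)); // 8192
        Console.WriteLine($"correct UTF-16 allocation for 2100 chars: {correct} bytes");
    }
}
```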
