About CTM via asm injection menu

  1. #1
    N1ghtmaree, Member

    About CTM via asm injection

    Just... as the title says.

    I am trying to call the CTM func by injecting asm code into the wow process. I am using the aHook lib, which I found here. Sorry, but I am not really good at asm; I wrote the code below using olly debugger.

    At the moment it looks like this:
    Code:
    public static void MoveTo(float x, float y, float z)
    {
        uint CTMP_space = EndScene.BlackMagic.AllocateMemory(0x4 * 3);
        uint CTMGUID_space = EndScene.BlackMagic.AllocateMemory(0x4 * 2);

        EndScene.BlackMagic.WriteFloat((uint)CTMP_space, x);
        EndScene.BlackMagic.WriteFloat((uint)CTMP_space + 0x4, y);
        EndScene.BlackMagic.WriteFloat((uint)CTMP_space + 0x8, z);

        EndScene.Hook_AsmAddLine("mov eax, 0x" + CTMGUID_space.ToString("X"));
        EndScene.Hook_AsmAddLine("mov edx, 0x" + CTMP_space.ToString("X"));
        EndScene.Hook_AsmAddLine("push 0");
        EndScene.Hook_AsmAddLine("push edx");
        EndScene.Hook_AsmAddLine("push eax");
        EndScene.Hook_AsmAddLine("push 4");
        EndScene.Hook_AsmAddLine("call 0x00727400");
        EndScene.Hook_AsmAddLine("retn 4");

        EndScene.Hook_AsmInject();

        EndScene.BlackMagic.FreeMemory(CTMP_space);
        EndScene.BlackMagic.FreeMemory(CTMGUID_space);
    }
    And I'm getting this:

    ---------------------------
    Wow
    ---------------------------
    This application has encountered a critical error:

    ERROR #132 (0x85100084) Fatal Exception
    Program: E:\Games\World of Warcraft 3.3.5\WoW.exe
    Exception: 0xC0000005 (ACCESS_VIOLATION) at 001B:000B1968

    The instruction at "0x000B1968" referenced memory at "0x000B1968".
    The memory could not be "written".

    Press OK to terminate the application.
    ---------------------------
    ОК
    ---------------------------
    What am I doing wrong?

    And... sorry for my English if it sucks.
    Last edited by N1ghtmaree; 08-08-2010 at 10:50 AM.

  2. #2
    galpha, Member
    Instead of plain copy/pasting, you could attach a debugger and see where it crashes. But since you ask here, it means you just don't know how to use those tools. I'll let someone feel generous to respond, but I won't.

  3. #3
    N1ghtmaree, Member
    Originally Posted by galpha View Post
    Instead of plain copy/pasting, you could attach a debugger and see where it crashes. But since you ask here, it means you just don't know how to use those tools. I'll let someone feel generous to respond, but I won't.
    Lol, copy pasting? Well, the error happens because edx changes to 0xFFFFFFFF somehow, and when wow tries to read mem from there, well, you know what happens. And man, learn to read, I did this by using olly debugger =/

    ---------------------------
    Wow
    ---------------------------
    This application has encountered a critical error:

    ERROR #132 (0x85100084) Fatal Exception
    Program: E:\Games\World of Warcraft 3.3.5\WoW.exe
    Exception: 0xC0000005 (ACCESS_VIOLATION) at 001B:0072740C

    The instruction at "0x0072740C" referenced memory at "0xFFFFFFFF".
    The memory could not be "read".

    Press OK to terminate the application.
    ---------------------------
    ОК
    ---------------------------
    That's how the error looks right now.

    CTM func asm from olly:
    Code:
    CPU Disasm
    Address   Hex dump      Command                                  Profile  Comments
    00727400  /$  55        PUSH EBP                                 ;  WoW.00727400(guessed Arg1,Arg2,Arg3,Arg4)
    00727401  |.  8BEC      MOV EBP,ESP                              ;
    00727403  |.  83EC 18   SUB ESP,18                               ;
    00727406  |.  53        PUSH EBX                                 ;
    00727407  |.  8BD9      MOV EBX,ECX                              ;
    00727409  |.  8B43 08   MOV EAX,DWORD PTR DS:[EBX+8]             ;
    0072740C  |.  8B08      MOV ECX,DWORD PTR DS:[EAX]               ;  << crash right here
    Registers on func enter:
    Code:
    CPU - main thread, module WoW
    EAX 0F920000
    ECX 02BEFD8C
    EDX 0F910000
    EBX 02FDB388
    ESP 02BEFDA0
    EBP 02BEFDDC
    ESI 000026DC
    EDI 00000000
    EIP 00727400 WoW.00727400
    
    C 0  ES 0023 32bit 0(FFFFFFFF)
    P 1  CS 001B 32bit 0(FFFFFFFF)
    A 0  SS 0023 32bit 0(FFFFFFFF)
    Z 1  DS 0023 32bit 0(FFFFFFFF)
    S 0  FS 003B 32bit 7FFDF000(4000)
    T 0  GS 0000 NULL
    D 0
    O 0  LastErr 00000000 ERROR_SUCCESS
    EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
    
    ST0 empty 0.0
    ST1 empty 1.0000000000000000000
    ST2 empty 1.0000000000000000000
    ST3 empty 0.0
    ST4 empty 1.0000000000000000000
    ST5 empty 1.0000000000000000000
    ST6 empty 0.0
    ST7 empty 0.0
                   3 2 1 0      E S P U O Z D I
    FST 4022  Cond 1 0 0 0  Err 0 0 1 0 0 0 1 0 (EQ)
    FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
    Last cmnd 001B:00682A14 WoW.00682A14
    
    XMM0 00000000 00000000 00000000 00000408
    XMM1 00000000 00000000 40880000 00000000
    XMM2 00000000 00000433 00000000 0000002B
    XMM3 00000000 00000000 BFF00000 00000000
    XMM4 3F800000 3F800000 3F800000 3F800000
    XMM5 00000000 00000000 00000000 00000000
    XMM6 3F800000 3F800000 3F800000 3F800000
    XMM7 00000000 00000000 40880000 00000000
                                    P U O Z D I
    MXCSR 00001FA0  FZ 0 DZ 0  Err  1 0 0 0 0 0
                    Rnd NEAR   Mask 1 1 1 1 1 1
    On crash:
    Code:
    CPU - main thread, module WoW
    
    EAX FFFFFFFF << right here
    ECX 02BEFD8C
    EDX 0F910000
    EBX 02BEFD8C
    ESP 02BEFD80
    EBP 02BEFD9C
    ESI 000026DC
    EDI 00000000
    EIP 0072740C WoW.0072740C
    
    C 0  ES 0023 32bit 0(FFFFFFFF)
    P 1  CS 001B 32bit 0(FFFFFFFF)
    A 0  SS 0023 32bit 0(FFFFFFFF)
    Z 0  DS 0023 32bit 0(FFFFFFFF)
    S 0  FS 003B 32bit 7FFDF000(FFF)
    T 0  GS 0000 NULL
    D 0
    O 0  LastErr 00000000 ERROR_SUCCESS
    EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
    
    ST0 empty 0.0
    ST1 empty 1.0000000000000000000
    ST2 empty 1.0000000000000000000
    ST3 empty 0.0
    ST4 empty 1.0000000000000000000
    ST5 empty 1.0000000000000000000
    ST6 empty 0.0
    ST7 empty 0.0
                   3 2 1 0      E S P U O Z D I
    FST 4022  Cond 1 0 0 0  Err 0 0 1 0 0 0 1 0 (EQ)
    FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
    Last cmnd 001B:00682A14 WoW.00682A14
    
    XMM0 00000000 00000000 00000000 00000408
    XMM1 00000000 00000000 40880000 00000000
    XMM2 00000000 00000433 00000000 0000002B
    XMM3 00000000 00000000 BFF00000 00000000
    XMM4 3F800000 3F800000 3F800000 3F800000
    XMM5 00000000 00000000 00000000 00000000
    XMM6 3F800000 3F800000 3F800000 3F800000
    XMM7 00000000 00000000 40880000 00000000
                                    P U O Z D I
    MXCSR 00001FA0  FZ 0 DZ 0  Err  1 0 0 0 0 0
                    Rnd NEAR   Mask 1 1 1 1 1 1

    Hope you can help me now.
    Last edited by N1ghtmaree; 08-08-2010 at 09:30 AM.

  4. #4
    MaiN, Elite User
    Calling conventions; you fail at them.
    [16:15:41] Cypher: caus the CPU is a dick
    [16:16:07] kynox: CPU is mad
    [16:16:15] Cypher: CPU is all like
    [16:16:16] Cypher: whatever, i do what i want

  5. #5
    JuJuBoSc (Banned for scamming, CoreCoins Purchaser)
    It's a __thiscall, so you need to pass player pointer in ecx.

  6. #6
    Robske, Contributor
    The calling convention isn't the only thing he got wrong...
    "Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live." - Martin Golding
    "I cried a little earlier when I had to poop" - Sku

  7. #7
    streppel, Active Member
    EndScene.Hook_AsmAddLine("mov eax, 0x" + CTMGUID_space.ToString("X"));

    why don't you simply do
    EndScene.Hook_AsmAddLine("mov eax, " + CTMGUID_space);

    or did I miss something? CTMGUID_space should contain the address as a uint...

  8. #8
    N1ghtmaree, Member
    Originally Posted by streppel View Post
    EndScene.Hook_AsmAddLine("mov eax, 0x" + CTMGUID_space.ToString("X"));

    why don't you simply do
    EndScene.Hook_AsmAddLine("mov eax, " + CTMGUID_space);

    or did I miss something? CTMGUID_space should contain the address as a uint...
    I did this just to be sure, CTMGUID_space.ToString("X") converts it to hex.

    Where can I get the player pointer? That's not the GUID, right?
    Last edited by N1ghtmaree; 08-08-2010 at 10:13 AM.

  9. #9
    Robske, Contributor
    Originally Posted by streppel View Post
    EndScene.Hook_AsmAddLine("mov eax, 0x" + CTMGUID_space.ToString("X"));

    why don't you simply do
    EndScene.Hook_AsmAddLine("mov eax, " + CTMGUID_space);

    or did I miss something? CTMGUID_space should contain the address as a uint...
    And a number in hexadecimal notation can't possibly be an unsigned integer, right?

    Everything you post just stinks of horrible copy-paste behaviour. That crash is not caused because you use the wrong calling convention (don't get me wrong, you got that wrong as well), it's because you have absolutely no clue what you are doing.

    Code:
                EndScene.Hook_AsmAddLine("mov eax, "); <-- wtf is this I don't even
                EndScene.Hook_AsmAddLine("call 0x00727400");
    I'm willing to bet that this was the original code

    Code:
                EndScene.Hook_AsmAddLine("mov eax, 0x00727400");
                EndScene.Hook_AsmAddLine("call eax");
    Now, kindly gtfo and come back when you know the basics.



    Originally Posted by N1ghtmaree View Post
    Where can I get the player pointer? That's not the GUID, right?
    http://dl.dropbox.com/u/2754079/1274090235332.jpg
    Last edited by Robske; 08-08-2010 at 10:29 AM.
    "Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live." - Martin Golding
    "I cried a little earlier when I had to poop" - Sku

  10. #10
    N1ghtmaree, Member
    Well, it's working if I pass the pointer which I see while setting a breakpoint on the CTM func. Please stop flaming and help me. How do I get it?

    Code:
    EndScene.Hook_AsmAddLine("mov eax, 0x00727400");
    EndScene.Hook_AsmAddLine("call eax");
    Really, I've noticed that before anyone posted here, and corrected it. The 1st post was wrong. Sorry, I didn't notice EndScene.Hook_AsmAddLine("mov eax, "); there.

    What I have right now:
    Code:
    EndScene.Hook_AsmAddLine("mov eax, 0x" + CTMGUID_space.ToString("X"));
    EndScene.Hook_AsmAddLine("mov edx, 0x" + CTMP_space.ToString("X"));
    EndScene.Hook_AsmAddLine("mov ecx, {Damn, help me to get this shit}");
    EndScene.Hook_AsmAddLine("push 0");
    EndScene.Hook_AsmAddLine("push edx");
    EndScene.Hook_AsmAddLine("push eax");
    EndScene.Hook_AsmAddLine("push 4");
    EndScene.Hook_AsmAddLine("call 0x00727400");
    EndScene.Hook_AsmAddLine("retn");
    Last edited by N1ghtmaree; 08-08-2010 at 10:52 AM.
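To make the diagnosis in this thread concrete (the fault address in the error box is simply the value the callee loaded from [ecx+8], so an ecx that was never set is the bug), here is a small C model of the callee's first three instructions run against a constructed memory snapshot. This is an added example, not code from the thread or from any of the posters; the addresses and memory contents are constructed to match the register dumps quoted earlier, and nothing about the game's real object layout is assumed.

```c
/* Model of:  MOV EBX,ECX / MOV EAX,[EBX+8] / MOV ECX,[EAX]
 * A __thiscall callee expects `this` in ECX. An injected stub that never loads
 * ECX leaves whatever the hooked code had there (a stack address in the dump),
 * so the pointer read from [ECX+8] is garbage and the next load faults. */
#include <stdint.h>
#include <stddef.h>

#define MEM_SLOTS 8
typedef struct { uint32_t addr; uint32_t value; } MemWord;  /* one mapped dword */
typedef struct { MemWord words[MEM_SLOTS]; size_t count; } Memory;
typedef struct { uint32_t eax, ebx, ecx; } Regs;

/* Reads a dword from the constructed address space. Returns 0 (and leaves *out
 * untouched) when the address is unmapped: the model of an ACCESS_VIOLATION. */
static int read32(const Memory *m, uint32_t addr, uint32_t *out) {
    for (size_t i = 0; i < m->count; i++)
        if (m->words[i].addr == addr) { *out = m->words[i].value; return 1; }
    return 0;
}

/* Executes the three instructions. Returns 0 on success, otherwise the faulting
 * address (what the WoW dialog reports as "referenced memory at"). */
uint32_t run_prologue(const Memory *m, Regs *r) {
    r->ebx = r->ecx;                          /* 00727407  MOV EBX,ECX        */
    if (!read32(m, r->ebx + 8, &r->eax))      /* 00727409  MOV EAX,[EBX+8]    */
        return r->ebx + 8;
    if (!read32(m, r->eax, &r->ecx))          /* 0072740C  MOV ECX,[EAX]      */
        return r->eax;
    return 0;
}

/* Case 1 (constructed from the dump): ECX still holds the stale stack address
 * 02BEFD8C and the stack word at ECX+8 happens to contain 0xFFFFFFFF, which is
 * exactly the "EAX FFFFFFFF" seen at the crash. */
uint32_t crash_case(void) {
    Memory m = { { { 0x02BEFD94u, 0xFFFFFFFFu } }, 1 };
    Regs r = { 0, 0, 0x02BEFD8Cu };
    return run_prologue(&m, &r);              /* faults at 0xFFFFFFFF */
}

/* Case 2 (constructed): ECX carries an object whose +8 field points at mapped
 * memory, so both loads succeed. The object address and contents are invented. */
uint32_t good_case(void) {
    Memory m = { { { 0x0F900008u, 0x0F900100u }, { 0x0F900100u, 0x1234u } }, 2 };
    Regs r = { 0, 0, 0x0F900000u };
    return run_prologue(&m, &r);              /* 0: no fault */
}
```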

  11. #11
    eLaps, Active Member
    Originally Posted by N1ghtmaree View Post
    How do I get it?
    You might want to know more about the object manager. Loop through the objects list and when an object's guid == your guid, then you've found the player base. You also might want to learn to search and find info by yourself to avoid flaming and a ban.

  12. #12
    N1ghtmaree, Member
    Originally Posted by eLaps View Post
    You might want to know more about the object manager. Loop through the objects list and when an object's guid == your guid, then you've found the player base. You also might want to learn to search and find info by yourself to avoid flaming and a ban.
    Thank you, finally what I was looking for.
