[Sample Code] EndScene Hook with ASM and blackmagic menu

  1. #16 Ozius

    for 4.010

    The code should now look like this?:
    Code:
    using System;
    using System.Threading;
    using Magic;
    using System.Text;
    using System.Collections.Generic;
    using System.Diagnostics;
    
    namespace ConsoleApplication2
    {
        class Program
        {
            static Hook MyHook = null;
            static uint AddAdr;
            static void Main(string[] args)
            {
                Process[] Processes = Process.GetProcessesByName("Wow");
                if (Processes.Length > 0)
                {
                    Console.WriteLine("Select wow process " + Processes[0].Id);
    
                    AddAdr = (uint)BaseAdress((int)Processes[0].Id);
    
                    MyHook = new Hook((uint)Processes[0].Id, AddAdr);
                    Console.WriteLine("Hook statut: " + MyHook.threadHooked);
    		
                    if (MyHook.threadHooked)
                    {
                        LuaDoString("DoEmote(\"Dance\");");//DoEmote("cry");
                        Console.WriteLine("INJECT LuaDoString(\"DoEmote(\"Dance\");\")");
    
                       // LuaDoString("freeslots = GetContainerNumFreeSlots(0) + GetContainerNumFreeSlots(1) + GetContainerNumFreeSlots(2) + GetContainerNumFreeSlots(3) + GetContainerNumFreeSlots(4)");
                       // Console.WriteLine("Free bag slots " + Convert.ToInt32(GetLocalizedText("freeslots")));
    
                        MyHook.DisposeHooking();
                        Console.WriteLine("Dispose Hooking");
                    }
                }
                else
                    Console.WriteLine("WoW process no found.");
                Console.ReadKey();
            }
    
            private static Int32 BaseAdress(Int32 IdProcess)
            {
                ProcessModuleCollection modules = Process.GetProcessById(IdProcess).Modules;
                for (int i = 0; i < modules.Count; i++)
                {
                    if (modules[i].ModuleName.ToLower() == "wow.exe")
                    {
                        return (int)modules[i].BaseAddress;
                    }
                }
                return 0;
            }
    
            public static void LuaDoString(string command)
            {
                // Allocate memory
                uint DoStringArg_Codecave = MyHook.Memory.AllocateMemory(Encoding.UTF8.GetBytes(command).Length + 1);
                // offset:
                uint FrameScript__Execute = 0x395960 + AddAdr;
    
    
                // Write value:
                MyHook.Memory.WriteBytes(DoStringArg_Codecave, Encoding.UTF8.GetBytes(command));
    
                // Write the asm stuff for Lua_DoString
                String[] asm = new String[] 
                {
                    "mov eax, " + DoStringArg_Codecave,
                    "push 0",
                    "push eax",
                    
                    "push eax",
                    "mov eax, " + (uint)FrameScript__Execute, // Lua_DoString
                    
                    "call eax",
                    "add esp, 0xC",
                    "retn",    
                };
    
                // Inject
                MyHook.InjectAndExecute(asm);
                // Free memory allocated 
                MyHook.Memory.FreeMemory(DoStringArg_Codecave);
            }
    
            public static string GetLocalizedText(string Commandline)
            {
                // Command to send using LUA
                String Command = Commandline;
    
                // Allocate memory for command
                uint Lua_GetLocalizedText_Space = MyHook.Memory.AllocateMemory(Encoding.UTF8.GetBytes(Command).Length + 1);
    
                // offset:
                uint ClntObjMgrGetActivePlayerObj = 0x3480 + AddAdr;
                uint FrameScript__GetLocalizedText = 0x1C19F0 + AddAdr;
    
                // Write command in the allocated memory
                MyHook.Memory.WriteBytes(Lua_GetLocalizedText_Space, Encoding.UTF8.GetBytes(Command));
    
                String[] asm = new String[] 
                {
                "call " + (uint)ClntObjMgrGetActivePlayerObj,
                "mov ecx, eax",
                "push -1",
                
                "mov edx, " + Lua_GetLocalizedText_Space + "",
                "push edx",
                
                "call " + (uint)FrameScript__GetLocalizedText,
                "retn",
                };
                // Inject the shit
                string sResult = Encoding.ASCII.GetString(MyHook.InjectAndExecute(asm));
    
                // Free memory allocated for command
                MyHook.Memory.FreeMemory(Lua_GetLocalizedText_Space);
    
                // Uninstall the hook
                return sResult;
            }
        }
    
        class Hook
        {
            // Address of the injected code:
            uint injected_code = 0;
            uint addresseInjection = 0;
            public bool threadHooked = false;
            uint retnInjectionAsm = 0;
            bool InjectionUsed = false;
            public BlackMagic Memory = new BlackMagic();
            public uint _processId = 0;
            uint AddAdr;
            public Hook(uint processId,uint Добавочный)
            {
                _processId = processId;
                this.AddAdr = Добавочный;//(uint)BaseAdress((int)_processId);
                Hooking();
            }
            
            public void Hooking()
            {
                // Offset:
                uint DX_DEVICE = 0x971094 + AddAdr;
                uint DX_DEVICE_IDX = 0x27B4;
                uint ENDSCENE_IDX = 0xAC;
    
                // Process Connect:
                if (!Memory.IsProcessOpen)
                {
                    
                    Memory = new BlackMagic((int)_processId);
                }
    
                if (Memory.IsProcessOpen)
                {
                    // Get address of EndScene
                    uint pDevice = Memory.ReadUInt(DX_DEVICE);
                    uint pEnd = Memory.ReadUInt(pDevice + DX_DEVICE_IDX);
                    uint pScene = Memory.ReadUInt(pEnd);
                    uint pEndScene = Memory.ReadUInt(pScene + ENDSCENE_IDX);
    
                    if (Memory.ReadByte(pEndScene) == 0xE9 && (injected_code == 0 || addresseInjection == 0)) // check if wow is already hooked and dispose Hook
                    {
                        DisposeHooking();
                    }
    
                    if (Memory.ReadByte(pEndScene) != 0xE9) // check if wow is already hooked
                    {
                        try
                        {
                            threadHooked = false;
                            // allocate memory to store injected code:
                            injected_code = Memory.AllocateMemory(2048);
                            // allocate memory the new injection code pointer:
                            addresseInjection = Memory.AllocateMemory(0x4);
                            Memory.WriteInt(addresseInjection, 0);
                            // allocate memory the pointer return value:
                            retnInjectionAsm = Memory.AllocateMemory(0x4);
                            Memory.WriteInt(retnInjectionAsm, 0);
    
                            // Generate the STUB to be injected
                            Memory.Asm.Clear(); // $Asm
    
                            // save regs
                            Memory.Asm.AddLine("pushad");
                            Memory.Asm.AddLine("pushfd");
    
                            // Test if you need launch injected code:
                            Memory.Asm.AddLine("mov eax, [" + addresseInjection + "]");
                            
                            Memory.Asm.AddLine("test eax, ebx");
                            Memory.Asm.AddLine("je @out");
    
                            // Launch function:
                            Memory.Asm.AddLine("mov eax, [" + addresseInjection + "]");
                            Memory.Asm.AddLine("call eax");
    
                            // Copy the return value pointer:
                            Memory.Asm.AddLine("mov [" + retnInjectionAsm + "], eax");
    
                            // Write 0 back into the injected-function address slot
                            Memory.Asm.AddLine("mov edx, " + addresseInjection);
                            
                            Memory.Asm.AddLine("mov ecx, 0");
                            Memory.Asm.AddLine("mov [edx], ecx");
    
                            // Close func
                            Memory.Asm.AddLine("@out:");
    
                            // load reg
                            Memory.Asm.AddLine("popfd");
                            Memory.Asm.AddLine("popad");
    
    
                            // injected code
                            uint sizeAsm = (uint)(Memory.Asm.Assemble().Length);
                            Memory.Asm.Inject(injected_code);
    
                            // Size asm jumpback
                            int sizeJumpBack = 5;
    
                            // copy and save original instructions
                            Memory.Asm.Clear();
                            Memory.Asm.AddLine("mov edi, edi");
                            Memory.Asm.AddLine("push ebp");
                            Memory.Asm.AddLine("mov ebp, esp");
                            Memory.Asm.Inject(injected_code + sizeAsm);
    
                            // create jump back stub
                            Memory.Asm.Clear();
                            Memory.Asm.AddLine("jmp " + (pEndScene + sizeJumpBack));
                            Memory.Asm.Inject(injected_code + sizeAsm + (uint)sizeJumpBack);
    
                            // create hook jump
                            Memory.Asm.Clear(); // $jmpto
                            Memory.Asm.AddLine("jmp " + (injected_code));
                            Memory.Asm.Inject(pEndScene);
                        }
                        catch { threadHooked = false; return; }
                    }
                    threadHooked = true;
                }
    
            }
    
            public void DisposeHooking()
            {
                try
                {
                    // Offset:
                    uint DX_DEVICE = 0x971094 + AddAdr;
                    uint DX_DEVICE_IDX = 0x27B4;
                    uint ENDSCENE_IDX = 0xAC;
                
                    // Get address of EndScene:
                    uint pDevice = Memory.ReadUInt(DX_DEVICE);
                    uint pEnd = Memory.ReadUInt(pDevice + DX_DEVICE_IDX);
                    uint pScene = Memory.ReadUInt(pEnd);
                    uint pEndScene = Memory.ReadUInt(pScene + ENDSCENE_IDX);
    
                    if (Memory.ReadByte(pEndScene) == 0xE9) // check if wow is already hooked and dispose Hook
                    {
                        // Restore the original EndScene prologue:
                        Memory.Asm.Clear();
                        Memory.Asm.AddLine("mov edi, edi");
                        Memory.Asm.AddLine("push ebp");
                        Memory.Asm.AddLine("mov ebp, esp");
                        Memory.Asm.Inject(pEndScene);
                    }
    
                    // free memory:
                    Memory.FreeMemory(injected_code);
                    Memory.FreeMemory(addresseInjection);
                    Memory.FreeMemory(retnInjectionAsm);
    
                }
                catch { }
            }
    
            public byte[] InjectAndExecute(string[] asm)
            {
                while (InjectionUsed)
                { Thread.Sleep(5); }
                InjectionUsed = true;
    
                // Hook Wow:
                Hooking();
    
                byte[] tempsByte = new byte[0];
    
                // reset return value pointer
                Memory.WriteInt(retnInjectionAsm, 0);
    
                if (Memory.IsProcessOpen && threadHooked)
                {
                    // Write the asm stuff
                    Memory.Asm.Clear();
                    foreach (string tempLineAsm in asm)
                    {
                        Memory.Asm.AddLine(tempLineAsm);
                    }
    
                    // Allocation Memory
                    uint injectionAsm_Codecave = Memory.AllocateMemory(Memory.Asm.Assemble().Length);
    
    
                    try
                    {
                        // Inject
                        Memory.Asm.Inject(injectionAsm_Codecave);
                        Memory.WriteInt(addresseInjection, (int)injectionAsm_Codecave);
                        while (Memory.ReadInt(addresseInjection) > 0) { Thread.Sleep(5); } // Wait to launch code
    
    
    
                            byte Buf = new Byte();
                            List<byte> retnByte = new List<byte>();
                            uint dwAddress = Memory.ReadUInt(retnInjectionAsm);
                            Buf = Memory.ReadByte(dwAddress);
                            while (Buf != 0)
                            {
                                retnByte.Add(Buf);
                                dwAddress = dwAddress + 1;
                                Buf = Memory.ReadByte(dwAddress);
                            }
                            tempsByte = retnByte.ToArray();
                    }
                    catch { }
    
                    // Free memory allocated 
                    Memory.FreeMemory(injectionAsm_Codecave);
                }
                InjectionUsed = false;
                // return
                return tempsByte;
            }
        }
    }
    I changed what you had written, but there is a loop here:
    Code:
    while (Memory.ReadInt(addresseInjection) > 0) { Thread.Sleep(5); } // Wait to launch code
    What could the problem be?

    P.S.: I am sorry for my English

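    The Hooking() routine above decides whether EndScene is already patched by checking for a 0xE9 jmp at its first byte and otherwise expects the clean mov edi, edi / push ebp / mov ebp, esp prologue. The following C example is added here and is not from the thread or from BlackMagic: it runs that same check over constructed prologue bytes, recovers the rel32 jump destination, and flags a destination that lies outside the module (a code cave like injected_code). The function address 0x006A0000, the module range and the sample bytes are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hot-patchable prologue that Hooking() overwrites and DisposeHooking()
 * restores: mov edi, edi ; push ebp ; mov ebp, esp (5 bytes). */
static const uint8_t kCleanPrologue[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

enum prologue_state { PROLOGUE_CLEAN = 0, PROLOGUE_JMP_HOOK = 1, PROLOGUE_UNKNOWN = 2 };

/* Classify the first bytes of a function as read out of a process.
 * func_va is the virtual address the bytes came from; an E9 jmp stores a
 * displacement relative to the instruction *after* the 5-byte jmp. */
enum prologue_state classify_prologue(const uint8_t *bytes, size_t len,
                                      uint32_t func_va, uint32_t *jmp_target)
{
    if (bytes == NULL || len < 5)
        return PROLOGUE_UNKNOWN;
    if (memcmp(bytes, kCleanPrologue, sizeof kCleanPrologue) == 0)
        return PROLOGUE_CLEAN;
    if (bytes[0] == 0xE9) {                       /* same test the thread's code uses */
        /* assemble the little-endian rel32 byte by byte (host-endian independent) */
        uint32_t rel = (uint32_t)bytes[1] | ((uint32_t)bytes[2] << 8) |
                       ((uint32_t)bytes[3] << 16) | ((uint32_t)bytes[4] << 24);
        if (jmp_target != NULL)
            *jmp_target = func_va + 5u + rel;     /* unsigned wrap handles backward jumps */
        return PROLOGUE_JMP_HOOK;
    }
    return PROLOGUE_UNKNOWN;
}

/* The jmp destination, or 0 when the prologue is not a jmp hook. */
uint32_t hook_target_of(const uint8_t *bytes, size_t len, uint32_t func_va)
{
    uint32_t target = 0;
    return classify_prologue(bytes, len, func_va, &target) == PROLOGUE_JMP_HOOK ? target : 0;
}

/* A detour landing outside [module_base, module_base + module_size) points
 * into memory the module never mapped, e.g. a freshly allocated code cave.
 * That is the case worth flagging. */
int target_in_module(uint32_t target, uint32_t module_base, uint32_t module_size)
{
    return target >= module_base && target - module_base < module_size;
}

/* Constructed samples (hypothetical addresses, not taken from any real build):
 * function assumed at 0x006A0000 inside a module [0x00400000, 0x00D00000). */
#define SAMPLE_FUNC_VA   0x006A0000u
#define SAMPLE_MOD_BASE  0x00400000u
#define SAMPLE_MOD_SIZE  0x00900000u
const uint8_t kSampleClean[5]   = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
const uint8_t kSampleCaveJmp[5] = { 0xE9, 0xFB, 0xFF, 0x86, 0x02 }; /* jmp 0x02F10000 */
const uint8_t kSampleBackJmp[5] = { 0xE9, 0xFB, 0xFF, 0xE5, 0xFF }; /* jmp 0x00500000 */

int main(void)
{
    const uint8_t *samples[3] = { kSampleClean, kSampleCaveJmp, kSampleBackJmp };
    for (int i = 0; i < 3; i++) {
        uint32_t target = 0;
        enum prologue_state s = classify_prologue(samples[i], 5, SAMPLE_FUNC_VA, &target);
        if (s == PROLOGUE_JMP_HOOK)
            printf("sample %d: jmp hook -> 0x%08X (%s module)\n", i, target,
                   target_in_module(target, SAMPLE_MOD_BASE, SAMPLE_MOD_SIZE) ? "inside" : "outside");
        else
            printf("sample %d: %s\n", i, s == PROLOGUE_CLEAN ? "clean prologue" : "unrecognised bytes");
    }
    return 0;
}
```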
  2. #17 mongoosed
    This example was amazingly helpful for showing me how hooking through C# and blackmagic is usually done, and how to hook into endscene. Thank you very much!

  3. #18 Millow
    Tried to make it work, never managed to. Tried the other Endscene example, never managed to either, useless evening I guess, learned some things, but nothing works.
    Code:
    
    uint pDevice = Memory.ReadUInt(BaseAddress + DX_DEVICE);
    uint pEnd = Memory.ReadUInt(pDevice + DX_DEVICE_IDX);
    uint pScene = Memory.ReadUInt(pEnd);
    uint pEndScene = Memory.ReadUInt(pScene + ENDSCENE_IDX);
    I get a ReadUInt failed for pEnd, can't figure out why, shame... Can anybody give me a pointer?

    I saw miceiken do a double read in his MBot, and I was wondering why you would ever do a double read? I saw a post about it some time ago, but can't seem to find it. Anyhow, amazing forum, but still, I progress slowly; one day I hope to freakin be able to hook EndScene and get some stuff done!
    "What can be asserted without proof can be dismissed without proof." --- Christopher Hitchens

  4. #19 HeroXx
    What offsets are you using?

  5. #20 fukmeimbroken
    Originally Posted by HeroXx:
    What offsets are you using?
    Code:
                    uint DX_DEVICE = 0x971094;
                    uint DX_DEVICE_IDX = 0x27B4;
                    uint ENDSCENE_IDX = 0xAC;
    These are the offsets I use; I get no error at this part:

    uint pDevice = Memory.ReadUInt(BaseAddress + DX_DEVICE);
    uint pEnd = Memory.ReadUInt(pDevice + DX_DEVICE_IDX);
    uint pScene = Memory.ReadUInt(pEnd);
    uint pEndScene = Memory.ReadUInt(pScene + ENDSCENE_IDX);

    but I get the same loop as Ozius. Is there something else I have to update in the source?

  6. #21 Flowerew
    Originally Posted by fukmeimbroken:
    Code:
                    uint DX_DEVICE = 0x971094;
                    uint DX_DEVICE_IDX = 0x27B4;
                    uint ENDSCENE_IDX = 0xAC;
    These are the offsets I use; I get no error at this part:

    uint pDevice = Memory.ReadUInt(BaseAddress + DX_DEVICE);
    uint pEnd = Memory.ReadUInt(pDevice + DX_DEVICE_IDX);
    uint pScene = Memory.ReadUInt(pEnd);
    uint pEndScene = Memory.ReadUInt(pScene + ENDSCENE_IDX);

    but I get the same loop as Ozius. Is there something else I have to update in the source?
    Isn't EndScene 0xA8 aka VMT[42]?!

  7. #22 _Mike
    Originally Posted by Flowerew:
    Isn't EndScene 0xA8 aka VMT[42]?!
    Yes. (filler)

  8. #23 Millow
    Code:
    public Hook(uint processId)
    {
    _processId = processId;
    this.BaseAddress = (uint)_processId;
    Hooking();
    }
    // Offset:
    uint DX_DEVICE = BaseAddress + 0x971094;
    uint DX_DEVICE_IDX = 0x27B4;
    uint ENDSCENE_IDX = 0xA8;
    
    uint pDevice = Memory.ReadUInt(DX_DEVICE);
    uint pEnd = Memory.ReadUInt(pDevice + DX_DEVICE_IDX);
    uint pScene = Memory.ReadUInt(pEnd);
    uint pEndScene = Memory.ReadUInt(pScene + ENDSCENE_IDX);
    I still get a mistake at the pEnd line; anyone kind enough to enlighten me on this one?

  9. #24 Chinchy
    Originally Posted by Millow:
    Code:
    public Hook(uint processId)
    {
    _processId = processId;
    this.BaseAddress = (uint)_processId;
    Hooking();
    }
    // Offset:
    uint DX_DEVICE = BaseAddress + 0x971094;
    uint DX_DEVICE_IDX = 0x27B4;
    uint ENDSCENE_IDX = 0xA8;
    
    uint pDevice = Memory.ReadUInt(DX_DEVICE);
    uint pEnd = Memory.ReadUInt(pDevice + DX_DEVICE_IDX);
    uint pScene = Memory.ReadUInt(pEnd);
    uint pEndScene = Memory.ReadUInt(pScene + ENDSCENE_IDX);
    I still get a mistake at the pEnd line; anyone kind enough to enlighten me on this one?
    Your addresses are wrong for the current patch, if you're trying with 13287.

  10. #25 Millow
    They should be right, used the new offsets from the 4.0.3 Wow - Offsets thread.

  11. #26 Chinchy
    DevicePointer = 0x0097E7F4; //4.0.3.13287
    _DevicePointer = 0x27B4; //4.0.3.13287
    EndScene = 0xAC; //4.0.3.13287

    The addresses in the quote are from 13205. Otherwise, make sure that the BaseAddress references the MainModule of the process.

    Edit:
    What the guy below me said.

  12. #27 _Mike
    Originally Posted by Millow:
    Code:
    this.BaseAddress = (uint)_processId;
    I still get a mistake at the pEnd line; anyone kind enough to enlighten me on this one?
    That's your problem.

  13. #28 Millow
    Thanx _Mike, I supposed that it was my problem, so I looked it up and did this.
    Code:
    
    Process[] Processes = Process.GetProcessesByName("Wow");
    ProcessModule pm = Processes[0].MainModule;
    Console.WriteLine(pm.BaseAddress + ":" + Processes[0].Id);
    Console.ReadLine();
    
    Now I see the base address, I suppose it's the good one.
    Code:
    
    uint DX_DEVICE = BaseAddress + 0x971094;
    uint DX_DEVICE_IDX = 0x27B4;
    uint ENDSCENE_IDX = 0xA8;
    Still no luck, can't get past the pEnd code described above: uint read failed. I tried looking in IDA for the DX_DEVICE_IDX offset, but with no luck; I need a few more tutorials, because aside from strings I can't find anything.

    Edit: Finally got past the pEnd error, but now stuck at pScene... damn. Used the addresses that Chinchy gave:
    uint DX_DEVICE = BaseAddress + 0x0097E7F4;

    Any pointers appreciated.

  14. #29 Chinchy
    Originally Posted by Millow:
    Thanx _Mike, I supposed that it was my problem, so I looked it up and did this.
    Code:
    
    Process[] Processes = Process.GetProcessesByName("Wow");
    ProcessModule pm = Processes[0].MainModule;
    Console.WriteLine(pm.BaseAddress + ":" + Processes[0].Id);
    Console.ReadLine();
    
    Now I see the base address, I suppose it's the good one.
    Code:
    
    uint DX_DEVICE = BaseAddress + 0x971094;
    uint DX_DEVICE_IDX = 0x27B4;
    uint ENDSCENE_IDX = 0xA8;
    Still no luck, can't get past the pEnd code described above: uint read failed. I tried looking in IDA for the DX_DEVICE_IDX offset, but with no luck; I need a few more tutorials, because aside from strings I can't find anything.
    Wrong addresses. I even posted the correct ones in this very thread...

  15. #30 Millow
    Yes indeed, weird though, I had taken them from the Offset thread. Thx for the pointer. But still, something is wrong. Same problem. DEVICE_IDX seems wrong; if you get this code working, hats off. Thanx for the help.
