[Sample Code] EndScene Hook with ASM and blackmagic menu

Page 6 of 6 (results 76 to 90 of 90)
  1. #76 FenixTX2
    Just a quick glance at your code:

    In your LuaDoString code:
    Code:
    uint FrameScript__Execute = 0x3A2620;// +ba;
    Code:
    mov eax, " + (uint)FrameScript__Execute, // Lua_DoString
    The FrameScript__Execute value you specify has been re-based. You need to add the wow main module base address to the address specified:

    Code:
    mov eax, " + ((uint)MyHook.Memory.MainModule.BaseAddress + FrameScript__Execute), // Lua_DoString
    Also, this line needs to be changed:
    Code:
    "add esp, 0xC",// +(uint)command.Length,
    In your GetLocalizedText method:
    Code:
    uint ClntObjMgrGetActivePlayerObj = 0x3520;
    uint FrameScript__GetLocalizedText = 0x1C2250;
    Code:
    "call " + (uint)ClntObjMgrGetActivePlayerObj,
    Code:
    "call " + (uint)FrameScript__GetLocalizedText,
    Again, you need to add the MainModule.BaseAddress to these values.

    Code:
    "call " + ((uint)MyHook.Memory.MainModule.BaseAddress + (uint)ClntObjMgrGetActivePlayerObj),
    Code:
    "call " + ((uint)MyHook.Memory.MainModule.BaseAddress + (uint)FrameScript__GetLocalizedText),
    Last edited by FenixTX2; 02-24-2011 at 05:18 AM.

  2. #77 Ozius
    I have corrected everything you wrote about. It still cycles in the same place. I can't understand where the error could still be.
    code: http://dl.dropbox.com/u/7381029/2Program.cs

  3. #78 FenixTX2
    Originally Posted by Ozius
    I have corrected everything you wrote about. It still cycles in the same place. I can't understand where the error could still be.
    code: http://dl.dropbox.com/u/7381029/2Program.cs
    When you run your program, do you have a character logged into WoW?
    Is WoW running normally?
    Do you have any other programs attached to wow already?
    Last edited by FenixTX2; 02-24-2011 at 06:24 AM.

  4. #79 Ozius
    A character is logged in. When I use aHook.dll and iHook.dll, it works. I can't understand why this doesn't work. The project: http://dl.dropbox.com/u/7381029/ConsoleApplication2.zip

  5. #80 FenixTX2
    I'm attaching my working code.
    My implementation is slightly different than what was originally specified.

    My 'Hook' class is called HookManager and its default constructor requires an instance of BlackMagic.
    The HookApplication and DisposeOfHook methods are private and used only within the InjectAndExecute method.

    HookManager Code:

    Code:
        using System;
        using System.Collections.Generic;
        using Magic; // BlackMagic

        public struct Direct3D
        {
            // Offsets relative to the Wow.exe module base (see #76 about rebasing)
            public static uint Direct3D9__Device = 0x98BCDC;
            public static uint Direct3D9__Device__OffsetA = 0x27C4;
            public static uint Direct3D9__Device__OffsetB = 0xA8;
        }
        public class HookManager
        {
            private BlackMagic process;

            private bool mainThreadHooked;
            private bool ExecutingCode;

            private uint codeCave;          // detour body, followed by the jump back to EndScene+5
            private uint injectionAddress;  // pointer to code waiting to run; 0 = nothing pending
            private uint returnAddress;     // eax after the injected code returned

            public HookManager(BlackMagic process)
            {
                this.process = process;

                this.mainThreadHooked = false;
                this.ExecutingCode = false;

                this.codeCave = 0;
                this.injectionAddress = 0;
                this.returnAddress = 0;
            }

            // Wow.exe base -> device pointer -> vtable -> EndScene; shared by hook and dispose
            private uint GetEndSceneAddress()
            {
                uint baseAddress = (uint)process.MainModule.BaseAddress;
                uint pDevice = process.ReadUInt(baseAddress + Direct3D.Direct3D9__Device);
                uint pEnd = process.ReadUInt(pDevice + Direct3D.Direct3D9__Device__OffsetA);
                uint pScene = process.ReadUInt(pEnd);
                return process.ReadUInt(pScene + Direct3D.Direct3D9__Device__OffsetB);
            }

            private void HookApplication()
            {
                if (!process.IsProcessOpen)
                    throw new Exception("Process is not open");

                uint pEndScene = GetEndSceneAddress();

                // 0xE9 is the opcode of "jmp rel32": EndScene is already detoured.
                // Only the first byte matters, so ReadByte, not ReadUInt.
                bool alreadyHooked = process.ReadByte(pEndScene) == 0xE9;
                if (alreadyHooked && (codeCave == 0 || injectionAddress == 0))
                {
                    DisposeOfHook();
                    alreadyHooked = false;
                }
                if (!alreadyHooked)
                {
                    try
                    {
                        mainThreadHooked = false;

                        codeCave = process.AllocateMemory(2048);
                        injectionAddress = process.AllocateMemory(0x4);

                        process.WriteInt(injectionAddress, 0);

                        returnAddress = process.AllocateMemory(0x4);
                        process.WriteInt(returnAddress, 0);

                        process.Asm.Clear();

                        // The 5 bytes our jmp overwrites (mov edi,edi / push ebp / mov ebp,esp), re-executed here
                        process.Asm.AddLine("mov edi, edi");
                        process.Asm.AddLine("push ebp");
                        process.Asm.AddLine("mov ebp, esp");

                        process.Asm.AddLine("pushfd");
                        process.Asm.AddLine("pushad");

                        //Test for waiting code?
                        process.Asm.AddLine("mov eax, [" + injectionAddress + "]");
                        process.Asm.AddLine("test eax, ebx");
                        process.Asm.AddLine("je @out");

                        //Execute waiting code
                        process.Asm.AddLine("mov eax, [" + injectionAddress + "]");
                        process.Asm.AddLine("call eax");

                        //Copy pointer to return value
                        process.Asm.AddLine("mov [" + returnAddress + "], eax");

                        //Clear the pending pointer so the caller's wait loop ends
                        process.Asm.AddLine("mov edx, " + injectionAddress);
                        process.Asm.AddLine("mov ecx, 0");
                        process.Asm.AddLine("mov [edx], ecx");

                        //Close Function
                        process.Asm.AddLine("@out:");
                        //Undo pushad/pushfd so EndScene continues with its registers and stack intact
                        process.Asm.AddLine("popad");
                        process.Asm.AddLine("popfd");

                        //Inject Code
                        uint sizeAsm = (uint)(process.Asm.Assemble().Length);

                        process.Asm.Inject(codeCave);

                        int sizeJumpBack = 5;

                        // create jump back stub: resume EndScene right after the 5 stolen bytes
                        process.Asm.Clear();
                        process.Asm.AddLine("jmp " + (pEndScene + sizeJumpBack));
                        process.Asm.Inject(codeCave + sizeAsm);

                        // create hook jump: a 5-byte jmp rel32 over the hot-patch prologue
                        process.Asm.Clear();
                        process.Asm.AddLine("jmp " + (codeCave));
                        process.Asm.Inject(pEndScene);

                    }
                    catch
                    {
                        mainThreadHooked = false;
                        return;
                    }
                    mainThreadHooked = true;
                }

            }
            private void DisposeOfHook()
            {
                if (!process.IsProcessOpen)
                    throw new Exception("Process is not open");

                uint pEndScene = GetEndSceneAddress();

                try
                {
                    if (process.ReadByte(pEndScene) == 0xE9) // check if wow is already hooked and dispose Hook
                    {
                        // Restore original EndScene prologue:
                        process.Asm.Clear();
                        process.Asm.AddLine("mov edi, edi");
                        process.Asm.AddLine("push ebp");
                        process.Asm.AddLine("mov ebp, esp");
                        process.Asm.Inject(pEndScene);
                    }

                    // free memory (the render thread may still be in the last instructions of the cave
                    // when we get here, which this code does not wait for):
                    if (codeCave != 0) process.FreeMemory(codeCave);
                    if (injectionAddress != 0) process.FreeMemory(injectionAddress);
                    if (returnAddress != 0) process.FreeMemory(returnAddress);
                }
                catch
                {
                }

                codeCave = 0;
                injectionAddress = 0;
                returnAddress = 0;
                mainThreadHooked = false;
            }

            public byte[] InjectAndExecute(string[] asm)
            {
                while (ExecutingCode)
                {
                    System.Threading.Thread.Sleep(5);
                }

                ExecutingCode = true;

                HookApplication();

                byte[] tempsByte = new byte[0];

                if (process.IsProcessOpen && mainThreadHooked)
                {
                    // reset return value pointer
                    process.WriteInt(returnAddress, 0);

                    // Write the asm stuff
                    process.Asm.Clear();
                    foreach (string tempLineAsm in asm)
                    {
                        process.Asm.AddLine(tempLineAsm);
                    }

                    // Allocation Memory
                    int codeSize = process.Asm.Assemble().Length;
                    uint injectionAsm_Codecave = process.AllocateMemory(codeSize);

                    try
                    {
                        // Inject, then publish the pointer; the hook picks it up on the next EndScene
                        process.Asm.Inject(injectionAsm_Codecave);
                        process.WriteInt(injectionAddress, (int)injectionAsm_Codecave);

                        // Wait until the hook has run the code and zeroed the pointer
                        // (!= 0 rather than > 0: an address above 0x7FFFFFFF reads as a negative int)
                        while (process.ReadInt(injectionAddress) != 0)
                        {
                            System.Threading.Thread.Sleep(5);
                        }

                        // eax is treated as a pointer to a NUL-terminated string (see GetLocalizedText);
                        // a function returning 0 yields an empty result instead of a read at address 0
                        List<byte> retnByte = new List<byte>();
                        uint dwAddress = process.ReadUInt(returnAddress);
                        if (dwAddress != 0)
                        {
                            byte Buf = process.ReadByte(dwAddress);
                            while (Buf != 0)
                            {
                                retnByte.Add(Buf);
                                dwAddress = dwAddress + 1;
                                Buf = process.ReadByte(dwAddress);
                            }
                        }
                        tempsByte = retnByte.ToArray();
                    }
                    catch { }

                    // Free memory allocated
                    process.FreeMemory(injectionAsm_Codecave);
                }

                DisposeOfHook();

                ExecutingCode = false;

                return tempsByte;
            }
        }
    I also have a function manager class.
    The default constructor takes an instance of BlackMagic as a parameter and creates an instance of HookManager.

    FunctionManager Code:

    Code:
        public class FunctionManager
        {
            private BlackMagic process;
            private HookManager aHook;

            // RVA of FrameScript__Execute for this build (see #76); rebased with the module base below
            private const uint FrameScript__Execute = 0x3A2620;

            public FunctionManager(BlackMagic process)
            {
                this.process = process;
                this.aHook = new HookManager(process);
            }

            public void LuaDoString(string command)
            {
                int nSize = command.Length + 0x100;
                uint codeCave = process.AllocateMemory(nSize);
                uint moduleBase = (uint)process.MainModule.BaseAddress;

                process.WriteASCIIString(codeCave, command);

                // cdecl call with three arguments: the caller removes them with add esp, 0xC
                String[] asm = new String[]
                {
                    "mov eax, " + codeCave,
                    "push 0",
                    "push eax",
                    "push eax",
                    "mov eax, " + (moduleBase + FrameScript__Execute),
                    "call eax",
                    "add esp, 0xC",
                    "retn",
                };

                aHook.InjectAndExecute(asm);
                process.FreeMemory(codeCave);
            }
        }
    Crappy Example Usage:
    Code:
        using System;
        using System.Diagnostics;
        using Magic; // BlackMagic

        static void Main(string[] args)
        {
            Process[] processes = Process.GetProcessesByName("Wow");
            if (processes.Length == 0)
            {
                Console.WriteLine("Wow.exe is not running");
                return;
            }

            BlackMagic application = new BlackMagic(processes[0].Id);
            FunctionManager functionManager = new FunctionManager(application);

            functionManager.LuaDoString("print(\"Hello World\");");
            functionManager.LuaDoString("DoEmote(\"dance\");");
        }
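
The rebasing point from #76 and the detour that the HookManager in #80 installs and later tears down, as an added example that is not code from this thread or from BlackMagic. Process memory is modelled as a bytearray so it runs offline; the addresses, the `sub esp, 0x10` that follows the prologue and the `pushfd/pushad/popad/popfd` cave body are all constructed. It shows the rel32 arithmetic behind `jmp codeCave` and `jmp pEndScene+5`, why DisposeOfHook only needs to look at one byte (0xE9) to know EndScene is detoured, and where that jmp lands, which is also how you would check whether someone else has already hooked the function.

```python
"""Added example (not from the thread or BlackMagic): a 5-byte jmp detour over a
hot-patchable prologue, modelled over a bytearray. All addresses are made up."""
import struct

JMP_REL32 = 0xE9   # opcode of "jmp rel32"
JMP_LEN = 5        # opcode + 32-bit displacement
MASK32 = 0xFFFFFFFF
# The bytes the hook overwrites and DisposeOfHook restores:
#   8B FF  mov edi, edi ; 55  push ebp ; 8B EC  mov ebp, esp
STOLEN_PROLOGUE = bytes.fromhex("8BFF558BEC")


def rebase(module_base: int, rva: int) -> int:
    """Post #76: an offset read from a rebased dump (e.g. 0x3A2620) is only
    usable after the live module base is added."""
    return (module_base + rva) & MASK32


def encode_jmp(src: int, dst: int) -> bytes:
    """E9 rel32. The displacement is relative to the *end* of the 5-byte
    instruction; masking to 32 bits makes backward jumps encode correctly."""
    rel = (dst - (src + JMP_LEN)) & MASK32
    return bytes([JMP_REL32]) + struct.pack("<I", rel)


def decode_jmp_target(src: int, code: bytes) -> int:
    """Inverse of encode_jmp: signed displacement added to src + 5."""
    (rel,) = struct.unpack("<i", code[1:JMP_LEN])
    return (src + JMP_LEN + rel) & MASK32


class FakeProcess:
    """Constructed stand-in for BlackMagic's read/write over one mapped region."""

    def __init__(self, base: int, size: int):
        self.base = base
        self.mem = bytearray(size)

    def _slice(self, addr: int, n: int) -> slice:
        off = addr - self.base
        if not 0 <= off <= len(self.mem) - n:
            raise ValueError(f"access outside mapped region: {addr:#x}")
        return slice(off, off + n)

    def read(self, addr: int, n: int) -> bytes:
        return bytes(self.mem[self._slice(addr, n)])

    def write(self, addr: int, data: bytes) -> None:
        self.mem[self._slice(addr, len(data))] = data


def find_detour(proc: FakeProcess, func: int):
    """DisposeOfHook's test: a first byte of 0xE9 means the function is detoured.
    Returns where the jmp lands, or None when the prologue is intact."""
    head = proc.read(func, JMP_LEN)
    return decode_jmp_target(func, head) if head[0] == JMP_REL32 else None


def install_hook(proc: FakeProcess, func: int, cave: int, body: bytes) -> bytes:
    """HookApplication: cave = stolen prologue + body + jmp back to func+5, then
    a jmp to the cave written over the prologue. Returns the stolen bytes."""
    if find_detour(proc, func) is not None:
        raise RuntimeError("function is already detoured")
    stolen = proc.read(func, JMP_LEN)
    if stolen != STOLEN_PROLOGUE:
        # Overwriting 5 bytes of anything else could split an instruction.
        raise RuntimeError(f"unexpected prologue {stolen.hex()}, refusing to patch")
    jmp_back_at = cave + len(stolen) + len(body)
    proc.write(cave, stolen + body + encode_jmp(jmp_back_at, func + JMP_LEN))
    proc.write(func, encode_jmp(func, cave))  # written last: this makes the hook live
    return stolen


def remove_hook(proc: FakeProcess, func: int, stolen: bytes) -> bool:
    """DisposeOfHook: put the original bytes back if a detour is present."""
    if find_detour(proc, func) is None:
        return False
    proc.write(func, stolen)
    return True


def demo() -> dict:
    proc = FakeProcess(0x00400000, 0x10000)
    end_scene, code_cave = 0x00401000, 0x00408000
    # Constructed image: hot-patch prologue followed by "sub esp, 0x10".
    proc.write(end_scene, STOLEN_PROLOGUE + bytes.fromhex("83EC10"))
    body = bytes.fromhex("9C60619D")  # pushfd / pushad / popad / popfd
    stolen = install_hook(proc, end_scene, code_cave, body)
    target = find_detour(proc, end_scene)
    tail = code_cave + len(stolen) + len(body)
    back = decode_jmp_target(tail, proc.read(tail, JMP_LEN))
    removed = remove_hook(proc, end_scene, stolen)
    return {
        "detour_target": target,
        "cave_jumps_back_to": back,
        "removed": removed,
        "after_restore": find_detour(proc, end_scene),
        "prologue_restored": proc.read(end_scene, JMP_LEN) == STOLEN_PROLOGUE,
    }


if __name__ == "__main__":
    print(demo())
```

The one-byte check is only sound because the function starts with the 5-byte hot-patch prologue; on a target with a different first instruction the same `ReadByte == 0xE9` test would also miss hooks placed with other instruction forms, so `install_hook` refuses to patch anything whose first bytes it does not recognise.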

  6. #81 FenixTX2
    Originally Posted by Ozius
    FenixTX2, thanks.
    I have corrected the code as you suggested. It's cycling in the same place:
    Code:
    while (Memory.ReadInt(addresseInjection) > 0) { Thread.Sleep(5); } // Wait to launch code
    The code entirely: http://dl.dropbox.com/u/7381029/Program.cs
    I seem to have encountered the same error.
    The code works perfectly fine on my PC but fails to execute the command on my Laptop.
    The strange thing is that both machines are running windows 7 x64 and both have an i7 processor.

    The error seems to stem from this section of code:

    Code:
            application.Asm.AddLine("mov eax, [" + addresseInjection + "]");
            application.Asm.AddLine("test eax, ebx");
            application.Asm.AddLine("je @out");


    On the Laptop 'ebx' is always 0;

  7. #82 Xelper
    Is your laptop's WoW running in something other than DX9? My new Dell Laptop that I freshly installed WoW onto defaulted to DX11.

    edit: In case you don't know how to check: look in your Config.WTF file and see if you have a line that looks like SET gxApi "d3d11". I don't know what the value would be to set it to DX9, but if you wipe out that line it should default to DX9.
    Last edited by Xelper; 02-25-2011 at 12:03 AM.

  8. #83 FenixTX2
    Both devices 'should' be running in d3d9 mode. That is to say, the gxApi cvar has not been set and I expect d3d9 to be the default.
    I did try using d3d11 but tbh it didn't seem to make any difference... how on earth do you check the running state of a cvar anyway? print(cvarname) always returns nil.

  9. #84 Ozius
    Thanks a lot!
    The funniest thing is that my new project, copy-pasted from FenixTX2's code, appears to loop at the same point.
    I run it in d3d9 mode (the line SET gxApi "d3d11" isn't found):
    Desktop: CPU is a Celeron, Win7 x86 platform;
    Laptop: CPU is an i7, Win7 x64 platform.
    Could you be so kind as to run the project? If it runs, I'll try searching for the error somewhere other than the code.
    project: http://dl.dropbox.com/u/7381029/Inj.zip

  10. #85 GameAssist
    Originally Posted by Ozius
    Works great - added the missing GetLocalizedText
    Code:
        using System;
        using System.Text;
        using Magic; // BlackMagic

        public class FunctionManager
        {
            BlackMagic process;
            HookManager aHook;
            uint FrameScript__Execute = 0x3A2620;
            uint moduleBase { get { return (uint)process.MainModule.BaseAddress; } }

            public FunctionManager(BlackMagic process)
            {
                this.process = process;
                this.aHook = new HookManager(process);
            }

            public void LuaDoString(string command)
            {
                int nSize = command.Length + 0x100;
                uint codeCave = process.AllocateMemory(nSize);

                process.WriteASCIIString(codeCave, command);

                // cdecl: three arguments pushed, the caller removes them (add esp, 0xC)
                String[] asm = new String[]
                {
                    "mov eax, " + codeCave,
                    "push 0",
                    "push eax",
                    "push eax",
                    "mov eax, " + (moduleBase + FrameScript__Execute),
                    "call eax",
                    "add esp, 0xC",
                    "retn",
                };

                aHook.InjectAndExecute(asm);
                process.FreeMemory(codeCave);
            }

            public string GetLocalizedText(string command)
            {
                uint ClntObjMgrGetActivePlayerObj = moduleBase + 0x3520;
                uint FrameScript__GetLocalizedText = moduleBase + 0x1C2250;

                int nSize = command.Length + 0x100;
                uint codeCave = process.AllocateMemory(nSize);
                process.WriteASCIIString(codeCave, command);

                // thiscall: the player object goes in ecx, two arguments are pushed and the callee
                // cleans the stack; eax comes back as a pointer to the NUL-terminated text that
                // InjectAndExecute copies out
                String[] asm = new String[]
                {
                    "call " + ClntObjMgrGetActivePlayerObj,
                    "mov ecx, eax",
                    "push -1",
                    "mov edx, " + codeCave,
                    "push edx",
                    "call " + FrameScript__GetLocalizedText,
                    "retn",
                };

                string sResult = Encoding.ASCII.GetString(aHook.InjectAndExecute(asm));
                process.FreeMemory(codeCave);

                return sResult;
            }
        }

  11. #86 MaiN
    The line should read 'test eax, eax', not 'test eax, ebx'. You have not moved anything into ebx and it's actually completely random what ebx might be.
    Long story short; learn ASM.

  12. #87 Ozius
    Originally Posted by MaiN
    The line should read 'test eax, eax', not 'test eax, ebx'. You have not moved anything into ebx and it's actually completely random what ebx might be.
    Long story short; learn ASM.
    MaiN, many thanks, that's where the error was. Now it works!

  13. #88 RivaLfr
    Originally Posted by MaiN
    The line should read 'test eax, eax', not 'test eax, ebx'. You have not moved anything into ebx and it's actually completely random what ebx might be.
    Long story short; learn ASM.
    I had not seen this error; I'll edit my post.

  14. #89 streppel
    hey all
    first of all, thanks RivaLfr for your amazing example; it works pretty well out of the box even in a non-WoW-related context. I would rep you but I can't currently.

    ok, my reason for bumping this is that I encountered a problem with a boolean as return value that was passed directly in the variable and not as a pointer.
    I changed the class a little:
    Code:
        // returnLength == 1: the value itself sits in the return slot (e.g. a bool);
        // returnLength  > 1: the slot holds a pointer to returnLength bytes;
        // returnLength == 0: the slot holds a pointer to a NUL-terminated string (as before)
        private byte[] ReadReturnValue(uint retnInjectionAsm, int returnLength)
        {
            byte[] tempsByte;
            if (returnLength == 1)
            {
                tempsByte = Memory.ReadBytes(retnInjectionAsm, returnLength);
            }
            else if (returnLength > 1)
            {
                tempsByte = Memory.ReadBytes(Memory.ReadUInt(retnInjectionAsm), returnLength);
            }
            else
            {
                List<byte> retnByte = new List<byte>();
                uint dwAddress = Memory.ReadUInt(retnInjectionAsm);
                byte Buf = Memory.ReadByte(dwAddress);
                while (Buf != 0)
                {
                    retnByte.Add(Buf);
                    dwAddress = dwAddress + 1;
                    Buf = Memory.ReadByte(dwAddress);
                }
                tempsByte = retnByte.ToArray();
            }
            return tempsByte;
        }
    This way it works just perfectly; wanted to let you know... and this problem really got me hooked for about an hour before I finally fixed it... yay

  15. #90 Sye24
    Hello, here is a way to return a GetLocalizedText variable with multiple types (string, int, float, bool etc.).

    (No code for it here) I'd also recommend randomizing the ASM calls to make it less detectable.

    Code:
        using System;
        using System.Collections.Generic;
        using System.Globalization;
        using System.Linq;

        public static T LuaDoString<T>(string LuaCode)
        {
            // Rewrite "return <expr>" into an assignment to a Lua global, run it, then read the
            // global back through GetLocalizedText. The global's name is a per-user random
            // string kept in the project settings.
            string resultName = Properties.Settings.Default.RandomString;
            LuaDoString(LuaCode.Replace("return true", "R = 1").Replace("return false", "R = 0").Replace("return ", " R = ") + $" {resultName} = R");
            var LuaCallback = GetLocalizedText(resultName);
            object Temp;

            if (typeof(T) == typeof(int))
            {
                Temp = Convert.ToInt32(LuaCallback);
            }
            else if (typeof(T) == typeof(string))
            {
                Temp = LuaCallback;
            }
            else if (typeof(T) == typeof(bool))
            {
                Temp = LuaCallback == "1";
            }
            else if (typeof(T) == typeof(List<string>))
            {
                // One entry per character of the returned text (a char[] cannot be cast to List<string>)
                Temp = LuaCallback.Select(c => c.ToString()).ToList();
            }
            else if (typeof(T) == typeof(float))
            {
                Temp = float.Parse(LuaCallback, CultureInfo.InvariantCulture);
            }
            else if (typeof(T) == typeof(double))
            {
                Temp = double.Parse(LuaCallback, CultureInfo.InvariantCulture);
            }
            else
            {
                Temp = default(T);
            }
            return (T)Temp;
        }
