[C# DLL] iHook, EndScene ASM Injection!

[Edder]

Nice dll, but it doesnt work for clients <= 3.3.5a because of the BaseAddress use in the dll?!

edit: well it does work, but you have to write your own DoString function without the BaseAddress, am I right?

[akarner]

Since Patch 4.3 its impossible for me to get the LocalizedText from LUA ... i used the simplest example (with latest offsets)

Hook.DoString("freeslots = GetContainerNumFreeSlots(0) + GetContainerNumFreeSlots(1) + GetContainerNumFreeSlots(2) + GetContainerNumFreeSlots(3) + GetContainerNumFreeSlots(4)");
Console.WriteLine("Bag Space: " + Hook.GetLocalizedText("freeslots"));

But my Client crashes, when i run this...
please help

[Vandra]

Since Patch 4.3 its impossible for me to get the LocalizedText from LUA ... i used the simplest example (with latest offsets)


But my Client crashes, when i run this...
please help

Which offsets are you using ?

[vitecp]

Can I use this DLL to Hook.DoString("InteractUnit(unit)"); ??

[lasbat]

4.3.3.15354

Code:

public static uint Direct3D9__Device = 0xABD694;      
public static uint Direct3D9__Device__OffsetA = 0x2800;
public static uint Direct3D9__Device__OffsetB = 0xA8;
public static uint ClntObjMgrGetActivePlayerObjAddress = 0x3200;
public static uint Lua_DoStringAddress = 0x43A810;
public static uint Lua_GetLocalizedTextAddress = 0x1BB6E0;

tested and working with these

and btw
GetLocalizedText doesnt work on russian realms: returns ?????????(and it is really "?" tried to decode it, but no luck) <- can anyone help with that?

[Wildbreath]

try to read a byte buffer from GetLocalizedText return ptr and encode it with Encoding.UTF8.GetString(buffer)

[eracer]

5.0.5.16057

Code:

        public static uint Direct3D9__Device = 0xAD773C;
        public static uint Direct3D9__Device__OffsetA = 0x27F8;
        public static uint Direct3D9__Device__OffsetB = 0xA8;
        public static uint ClntObjMgrGetActivePlayerObjAddress = 0x34D0;
        public static uint Lua_DoStringAddress = 0x75350;
        public static uint Lua_GetLocalizedTextAddress = 0x48D7F0;

I tried the example project with these updated offsets, both with and without administrator privileges but it crashes every time at Hook.DoString("DoEmote(\"Dance\")");

Edit: I was wrong, it is crashing at Hook.Appy

[~Unknown~]

5.0.5.16057

Code:

        public static uint Direct3D9__Device = 0xAD773C;
        public static uint Direct3D9__Device__OffsetA = 0x27F8;
        public static uint Direct3D9__Device__OffsetB = 0xA8;
        public static uint ClntObjMgrGetActivePlayerObjAddress = 0x34D0;
        public static uint Lua_DoStringAddress = 0x75350;
        public static uint Lua_GetLocalizedTextAddress = 0x48D7F0;

I tried the example project with these updated offsets, both with and without administrator privileges but it crashes every time at Hook.DoString("DoEmote(\"Dance\")");

Edit: I was wrong, it is crashing at Hook.Appy

Your app is running as administrator as well as the 32bit wow exe? I have no problems with the library at the time of posting.

[-Ryuk-]

Your app is running as administrator as well as the 32bit wow exe? I have no problems with the library at the time of posting.

Hook.Apply will crash if you/wow are not admin and if you have invalid addresses.

[eracer]

I found out it is because I am running windows 8, the exact same solution works fine in windows 7.

[~Unknown~]

I found out it is because I am running windows 8, the exact same solution works fine in windows 7.

Ha, I tried out Windows 8 and am not sure if I like it or not. For future compatibility you are suggesting it still doesn't work on Windows 8 or it does function now?

[eracer]

iHook won't work on windows 8 the way it is currently because the endscene functions that are hooked/detoured are different on windows 8.

Win 7 EndScene looks like (5 bytes)
----------------------------------------
mov edi, edi
push ebp
mov ebp, esp

Win 8 EndScene looks like this (7 bytes)
------------------------------------
push 14
mov eax, d3d9.dll+149A0C

I ended up writing my own version of iHook that uses BeaEngine to disassemble the functions so it can work on both win7 and win8 so I know iHook could do something similar but that would be up to Ryuk since it is closed source.

[Jeepers]

I'm having some weird problems here... The Hook is properly applied and Hook.doString() works just fine, but whenever i try to inject asm my wow (32*,admin) just crashes...

here's the code for my ctm-func:

Code:

internal void ClickToMove(Single x, Single y, Single z, UInt64 guid = 0, Int32 action = 0x4, Single precision = 2.5f)
        {
            // Allocate Memory:
            UInt32 Pos_Codecave = Memory.AllocateMemory(0x4 * 3);
            UInt32 GUID_Codecave = Memory.AllocateMemory(0x8);
            UInt32 Precision_Codecave = Memory.AllocateMemory(0x4);
            // Write value:
            Memory.Write<UInt64>(GUID_Codecave, guid);
            Memory.Write<float>(Precision_Codecave, precision);
            Memory.Write<float>(Pos_Codecave, x);
            Memory.Write<float>(Pos_Codecave + 0x4, y);
            Memory.Write<float>(Pos_Codecave + 0x8, z);
            // BOOL __thiscall CGPlayer_C__ClickToMove(WoWActivePlayer *this, CLICKTOMOVETYPE clickType, WGUID *interactGuid, WOWPOS *clickPos, float precision)
            string[] asm = new string[]
            {
                "mov edx, [" + Precision_Codecave + "]",
                "push edx",
                "call " + (uint)Offsets.Global.ClntObjMgrGetActivePlayerObj+Memory.BaseAddress,
                "mov ecx, eax",
                "push " + Pos_Codecave,
                "push " + GUID_Codecave,
                "push " + action,
                "call " + (uint)Offsets.CTM.CGPlayer_C__ClickToMove+Memory.BaseAddress,
                "retn",
            };
            Hook.InjectAndExecute(asm);
            Memory.FreeMemory(Pos_Codecave);
            Memory.FreeMemory(GUID_Codecave);
            Memory.FreeMemory(Precision_Codecave);
        }
//Offsets used:
            FrameScript_ExecuteBuffer = 0x75350,            // 5.0.5
            ClntObjMgrGetActivePlayerObj = 0x4034D0,        // 5.0.5
            FrameScript__GetLocalizedText = 0x48D7F0,       // 5.0.5
            Direct3D9__Device = 0xAD773C,                   // 5.0.5
            Direct3D9__Device__OffsetA = 0x27F8,            // 5.0.5
            Direct3D9__Device__OffsetB = 0xA8,              // 5.0.5
            CGPlayer_C__ClickToMove = 0x493760,             // 5.0.5

Anyone else ever experienced this? I would really appreciate your help ;D

[Frosttall]

I'm having some weird problems here... The Hook is properly applied and Hook.doString() works just fine, but whenever i try to inject asm my wow (32*,admin) just crashes...

here's the code for my ctm-func:

Code:

internal void ClickToMove(Single x, Single y, Single z, UInt64 guid = 0, Int32 action = 0x4, Single precision = 2.5f)
        {
            // Allocate Memory:
            UInt32 Pos_Codecave = Memory.AllocateMemory(0x4 * 3);
            UInt32 GUID_Codecave = Memory.AllocateMemory(0x8);
            UInt32 Precision_Codecave = Memory.AllocateMemory(0x4);
            // Write value:
            Memory.Write<UInt64>(GUID_Codecave, guid);
            Memory.Write<float>(Precision_Codecave, precision);
            Memory.Write<float>(Pos_Codecave, x);
            Memory.Write<float>(Pos_Codecave + 0x4, y);
            Memory.Write<float>(Pos_Codecave + 0x8, z);
            // BOOL __thiscall CGPlayer_C__ClickToMove(WoWActivePlayer *this, CLICKTOMOVETYPE clickType, WGUID *interactGuid, WOWPOS *clickPos, float precision)
            string[] asm = new string[]
            {
                "mov edx, [" + Precision_Codecave + "]",
                "push edx",
                "call " + (uint)Offsets.Global.ClntObjMgrGetActivePlayerObj+Memory.BaseAddress,
                "mov ecx, eax",
                "push " + Pos_Codecave,
                "push " + GUID_Codecave,
                "push " + action,
                "call " + (uint)Offsets.CTM.CGPlayer_C__ClickToMove+Memory.BaseAddress,
                "retn",
            };
            Hook.InjectAndExecute(asm);
            Memory.FreeMemory(Pos_Codecave);
            Memory.FreeMemory(GUID_Codecave);
            Memory.FreeMemory(Precision_Codecave);
        }
//Offsets used:
            FrameScript_ExecuteBuffer = 0x75350,            // 5.0.5
            ClntObjMgrGetActivePlayerObj = 0x4034D0,        // 5.0.5
            FrameScript__GetLocalizedText = 0x48D7F0,       // 5.0.5
            Direct3D9__Device = 0xAD773C,                   // 5.0.5
            Direct3D9__Device__OffsetA = 0x27F8,            // 5.0.5
            Direct3D9__Device__OffsetB = 0xA8,              // 5.0.5
            CGPlayer_C__ClickToMove = 0x493760,             // 5.0.5

Anyone else ever experienced this? I would really appreciate your help ;D

Try it with

Code:

                "push [" + Pos_Codecave + "]",
                "push [" + GUID_Codecave + "]",
                "push [" + action + "]",

Even if a codecave (or injection in general) isn't required at all, but this should work

[Jeepers]

Okay... just tried that - didnt work ;D

i get two Exceptions everytime i try to inject ASM...(should have mentioned that earlier^^)

Code:

Exception : 
System.Exception: Assembly failed! Error code: -120; Error Line: 5
 at Fasm.ManagedFasm.Inject(IntPtr hProcess, UInt32 dwAdress)
 at Fasm.ManagedFasm.Inject(UInt32 dwAdress)
 at (Object, UInt 32)
 at iHook.Hook. (String[], UInt32)

Code:

Exception:
System.Exception: Could not write the specified bytes! 05FF0000 [5]
 at iHook.Memory.WriteBytes(UInt32 adress, Byte[] val)
 at iHook.Hook.InjectAndExecute(String [] ASM)

These exceptions even occur when i leave the string array empty... i just wonder why this is happening, because "doString" is injecting asm as well and is working...