Endscene Injection Crash! ACCESS_VIOLATION

  1. #1
    hamburger1

    Endscene Injection Crash! ACCESS_VIOLATION

    Hi, I am about to write a hook to draw in WoW. The problem is that WoW crashes when I call the paint function. I have repeatedly checked the EndScene address and it is 100% correct.

    Code:
    #include <windows.h>
    #include <cstdio>
    #include <d3d9.h>
    
    #pragma once
    #pragma comment(lib, "d3d9.lib")
    
    typedef HRESULT(__stdcall* EndScene_t)(LPDIRECT3DDEVICE9);
    EndScene_t pEndScene;
    
    const D3DCOLOR txtPink = D3DCOLOR_ARGB(255, 255, 0, 255); // alpha, red, green, blue
    
    void *DetourFunc(BYTE *src, const BYTE *dst, const int len) // credits to gamedeception
    {
    	BYTE *jmp = (BYTE*)malloc(len+5);
    	DWORD dwback;
    	VirtualProtect(src, len, PAGE_READWRITE, &dwback);
    	memcpy(jmp, src, len); jmp += len;
    	jmp[0] = 0xE9;
    	*(DWORD*)(jmp+1) = (DWORD)(src+len - jmp) - 5;
    	src[0] = 0xE9;
    	*(DWORD*)(src+1) = (DWORD)(dst - src) - 5;
    	VirtualProtect(src, len, dwback, &dwback);
    	return (jmp-len);
    }
    
    bool bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
    {
    	for(;*szMask;++szMask,++pData,++bMask)
    		if(*szMask=='x' && *pData!=*bMask )
    			return false;
    	return (*szMask) == '\0'; // reached the end of the mask without a mismatch
    }
    
    
    DWORD dwFindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)
    {
    	for(DWORD i=0; i < dwLen; i++)
    	{
    		if( bDataCompare( (BYTE*)( dwAddress+i ),bMask,szMask) )
    			return (DWORD)(dwAddress+i);
    	}
    	return 0;
    }
    
    void DrawRect (LPDIRECT3DDEVICE9 Device_t, int X, int Y, int L, int H, D3DCOLOR color)
    {
    	D3DRECT rect = {X, Y, X+L, Y+H};
    	Device_t->Clear(1, &rect, D3DCLEAR_TARGET, color, 0, 0); // see Google for details
    }
    
    HRESULT __stdcall hkEndScene(LPDIRECT3DDEVICE9 pDevice)
    {
    	DrawRect ( pDevice, 10, 10, 200, 200, txtPink);
    	return pEndScene(pDevice);
    }
    
    void InitHook()
    {
    	HMODULE hModule = NULL;
    	while( !hModule )
    	{
    		hModule = GetModuleHandleA( "d3d9.dll" ); // get a handle to the DLL
    		Sleep( 100 ); // wait 100 ms
    	}
    	
    	DWORD* VTableStart = 0;
    
    	DWORD FoundByGordon = dwFindPattern((DWORD)hModule, 0x128000,
    	(PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");
    	memcpy(&VTableStart, (void*)(FoundByGordon+2), 4);
    	DWORD dwDrawIndexedPrimitive = (DWORD)VTableStart[82]; 
    	DWORD dwEndScene = (DWORD)VTableStart[42];
    
    	char buf[10];
    	sprintf(buf,"%X",dwEndScene);
    	MessageBoxA(0,buf,"EndScene Address",0);
    
    	pEndScene = ( EndScene_t )DetourFunc((PBYTE)(dwEndScene),(PBYTE)hkEndScene, 5);
    	 //pEndScene = (EndScene_t)DetourFunc((PBYTE) (void*)((0x1C6BCDC + 0x27C4) + 0xA8), (PBYTE)hkEndScene, 5);
    	//pEndScene = (EndScene_t)DetourFunc((PBYTE) (void*)(dwEndScene), (PBYTE)hkEndScene, 5);
    }
    
    int WINAPI DllMain(HINSTANCE hInst,DWORD reason,LPVOID reserved)
    {
    	switch(reason)
    	{
    		case DLL_PROCESS_ATTACH:
    			CreateThread(0, 0, (LPTHREAD_START_ROUTINE) InitHook, 0, 0, 0);
    		break;
    	}
    	return true;
    }
    Before:

    After:


    Thank you very much! Most of the code is from a tutorial!
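    A defender's counterpart to the detour in the post above, added here as an example that is not from the thread or the tutorial it cites: an integrity check that compares a function's entry bytes with a known-clean copy and, when it finds the 0xE9 JMP rel32 that DetourFunc writes, recovers the jump target with the same displacement arithmetic (disp = dst - src - 5). The addresses and byte sequences are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Outcome of inspecting a function's first bytes. */
typedef struct {
    int hooked;       /* 0 = clean, 1 = inline JMP rel32 at entry, 2 = modified some other way */
    uint32_t target;  /* absolute target of the JMP when hooked == 1 */
} hook_report;

/* Decode a 5-byte relative JMP: the detour stores disp = dst - src - 5,
   so the absolute target is src + 5 + disp. */
static uint32_t jmp_target(uint32_t src, const uint8_t *code)
{
    int32_t disp;
    memcpy(&disp, code + 1, sizeof disp);  /* little-endian rel32 after the E9 opcode */
    return src + 5 + (uint32_t)disp;
}

/* Compare the live entry bytes of the function at addr against a clean copy
   (e.g. read from the module on disk) and classify any difference. */
hook_report check_entry(uint32_t addr, const uint8_t *live, const uint8_t *clean, size_t n)
{
    hook_report r = {0, 0};
    if (memcmp(live, clean, n) == 0)
        return r;                          /* prologue untouched */
    if (n >= 5 && live[0] == 0xE9) {       /* the E9 detour from the post above */
        r.hooked = 1;
        r.target = jmp_target(addr, live);
    } else {
        r.hooked = 2;                      /* patched, but not a plain JMP rel32 */
    }
    return r;
}

/* Constructed sample: a typical hot-patchable prologue (mov edi,edi; push ebp; mov ebp,esp)
   and the same 5 bytes after a DetourFunc-style patch from 0x10001000 to 0x20004000. */
static const uint8_t CLEAN[5]   = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
static const uint8_t PATCHED[5] = {0xE9, 0xFB, 0x2F, 0x00, 0x10}; /* disp = 0x10002FFB */

int main(void)
{
    hook_report r = check_entry(0x10001000u, PATCHED, CLEAN, sizeof PATCHED);
    printf("hooked=%d target=0x%08X\n", r.hooked, r.target);  /* hooked=1 target=0x20004000 */
    return 0;
}
```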

  2. #2
    namreeb
    The error message box is giving you all of the information you should need. What code is at 0x4ED1858?

  3. #3
    hamburger1
    Mh, I don't know what you mean about the message box address; it also changes with every WoW crash.

  4. #4
    namreeb
    So when it crashes, but before you close the program, attach OllyDbg and see what is at that address.

  5. #5
    Cypher
    Originally Posted by hamburger1
    Mh, I don't know what you mean about the message box address; it also changes with every WoW crash.
    Debugging - Wikipedia, the free encyclopedia

  6. #6
    hamburger1
    OK, here I have a screenshot of the crash.


  7. #7
    galpha
    Quite simple.... At the instruction before the highlighted line, you have ADD BYTE PTR DS:[EAX], CL. What this instruction means is that it tries to add the 8-bit register CL (lower part of ECX) into what is pointed to by EAX. Your EAX register = 0, so you get an access violation for that reason. Something tells me one of your functions called from EndScene is using a null pointer...


    You really shouldn't try to copy/paste code from other forums without understanding what it does.

    A quick google search led me to believe you got the code from UnKnoWnCheaTs - Multiplayer Game Hacking and Cheats

    He specifies that this code is for MID-FUNCTION HOOKING, meaning that he inserts a jump in the middle of the EndScene function, preserves registers manually, then proceeds to grab the IDirect3DDevice9 pointer from the registers (it's stored in ESI at this point in the function). He then restores the registers and jumps back to the rest of the function.

    Also, notice his function is declared as __declspec(naked) for that very specific reason, and yours is __stdcall, which is dead wrong for this hooking technique.

  8. #8
    hamburger1
    Hello! On the point about the code you are wrong. The code is from the D3D9 Hooking Tutorial by purple.d1amond. I had googled the problem and found the pattern on Ep***. But it is also at the end of the tutorial. I also understand the code; the only thing where I'm stuck is the address I have to use. I'm not sure which I should use :S
    Last edited by hamburger1; 03-20-2011 at 02:33 PM.

  9. #9
    Cypher
    How about you learn to program before trying to inject DLLs and hack WoW?

  10. #10
    namreeb
    Originally Posted by Cypher
    How about you learn to program before trying to inject DLLs and hack WoW?
    I concur with my esteemed colleague. You're in over your head, I'm afraid.

  11. #11
    hamburger1
    I can program, but this is the first time I am dealing with DLL injection.

  12. #12
    Cypher

  13. #13
    hamburger1
    Show me 1 or 2 threads that deal with this problem. I googled for more than 5 hours.... Nothing....

  14. #14
    reggggg
    Step through your code in your head and see if you can explain to yourself what each line of code is doing. No? Didn't think so.

    I was at this stage myself 6 months or a year ago. The Beginners Guide to Codecaves - CodeProject (Attribute 2: Codecave Entry and Exit) was probably the resource that helped me the most. Don't take code from it; try to understand the concepts.

    Open up a disassembler (either offline or a live one; Olly or Cheat Engine would work fine), and try to manually detour a function by applying the concepts you learned. Jump away, run code, jump back. Once you can do that, you will have no problem solving this.

    I can't really get my head around why you are JMPing to a stdcall and then CALLing EndScene ... take my advice please.
    Last edited by reggggg; 03-22-2011 at 06:28 AM.

  15. #15
    namreeb
    Originally Posted by hamburger1
    Show me 1 or 2 threads that deal with this problem. I googled for more than 5 hours.... Nothing....
    I may be putting words in his mouth, but I assume Cypher means some thread where someone is trying to skip steps in their learning and expecting others here to fill in the gaps. That problem shows up here quite often.
