Endscene Injection Crash!
  1. #1
    hamburger1 (Member)

    Endscene Injection Crash!

    Hello everyone. Got a problem :S.

    My source is crashing WoW, but it should work fine o.O. Would you have a look at it and tell me if I'm mistaken in any step?

    Code:
    #include <windows.h>
    #include <cstdlib>
    #include <iostream>
    #include <string>
    using namespace std;

    // Helpers used below but not shown in the post: string_to_bytearray, intToOpcode,
    // SetDebuggPrivilege, WinGetProcess, MemoryOpenByPid, GetModuleBaseAddress,
    // ReadDword, WriteInt, WriteDword, WriteString.

    // Decode the hex string Var into bytes and write them to Addr in the target process.
    void Inject(HANDLE phandle, DWORD Addr, string Var)
    {
        unsigned char* Sarray = NULL;
        int size;
        string_to_bytearray(Var, Sarray, size);
        cout << "Size: " << size << endl;
        if (!WriteProcessMemory(phandle, (LPVOID)Addr, (LPVOID)Sarray, size, NULL))
            cout << "WriteProcessMemory failed: " << GetLastError() << endl;
        delete[] Sarray;
    }

    int main()
    {
        //cout<<intToOpcode(1801309710-5)<<endl;

        SetDebuggPrivilege();
        HWND   WowHwnd   = WinGetProcess("World of Warcraft");
        DWORD  WowPid    = GetProcessId(WowHwnd);
        HANDLE WowHandle = MemoryOpenByPid(WowPid);
        DWORD  WowBase   = GetModuleBaseAddress(WowPid, "Wow.exe");

        cout << "WowHwnd: " << WowHwnd << " WowPid: " << WowPid
             << " WowHandle " << WowHandle << " WowBase: " << WowBase << endl;

        DWORD Direct3D9__Device          = 0xA7E20C;
        DWORD Direct3D9__Device__OffsetA = 0x27E8;
        DWORD Direct3D9__Device__OffsetB = 0xA8;

        // Follow the pointer chain from the static Direct3D9__Device address to EndScene.
        DWORD EndScene = ReadDword(WowHandle,
            ReadDword(WowHandle,
                ReadDword(WowHandle,
                    ReadDword(WowHandle, WowBase + Direct3D9__Device) + Direct3D9__Device__OffsetA))
            + Direct3D9__Device__OffsetB);
        cout << hex << EndScene << endl;

        void* CodeCave         = VirtualAllocEx(WowHandle, 0, 2048, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        void* injectionAddress = VirtualAllocEx(WowHandle, 0, 0x4,  MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        WriteInt(WowHandle, (DWORD)injectionAddress, 0);

        void* returnAddress = VirtualAllocEx(WowHandle, 0, 0x4, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        WriteInt(WowHandle, (DWORD)returnAddress, 0);

        // Hook body (hex, decoded by Inject):
        //   89FF 55 89E5              mov edi,edi / push ebp / mov ebp,esp  (EndScene's first 5 bytes)
        //   9C 60                     pushfd / pushad
        //   A1 <inj>                  mov eax,[injectionAddress]
        //   85C0 7418                 test eax,eax / jz +0x18 (to the jump-back stub at CodeCave+40)
        //   A1 <inj> FFD0             mov eax,[injectionAddress] / call eax
        //   A3 <ret>                  mov [returnAddress],eax
        //   BA <inj> B900000000 890A  mov edx,injectionAddress / mov ecx,0 / mov [edx],ecx
        string EndSceneHook = "89FF5589E59C60A1" + intToOpcode((DWORD)injectionAddress)
                            + "85C07418A1" + intToOpcode((DWORD)injectionAddress)
                            + "FFD0A3" + intToOpcode((DWORD)returnAddress)
                            + "BA" + intToOpcode((DWORD)injectionAddress)
                            + "B900000000890A";

        Inject(WowHandle, (DWORD)CodeCave, EndSceneHook);

        // E9 = jmp rel32, written at CodeCave+40 to leave the cave again.
        int sizeJumpBack = 5;
        cout << "Endscene: " << hex << EndScene + sizeJumpBack << endl;
        string JumpBackStub = "E9" + intToOpcode(EndScene);
        Inject(WowHandle, (DWORD)CodeCave + 40, JumpBackStub);

        // E9 = jmp rel32, written over the first 5 bytes of EndScene.
        string HookJump = "E9" + intToOpcode((DWORD)CodeCave - 5);   // CRASHES HERE!
        Inject(WowHandle, EndScene, HookJump);

        DWORD  FrameScript__Execute = WowBase + 0x425A30;
        string command = "print(\"Hello World!\")";

        int   nSize   = command.length() + 0x100;
        void* LuaCode = VirtualAllocEx(WowHandle, 0, nSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        WriteString(WowHandle, (DWORD)LuaCode, command.c_str());

        // Called from the hook through injectionAddress:
        //   B8 <LuaCode> 6A00 50 50          mov eax,LuaCode / push 0 / push eax / push eax
        //   B8 <FrameScript__Execute> FFD0   mov eax,FrameScript__Execute / call eax
        //   83C40C C3                        add esp,0Ch / ret
        string LuaDoString = "B8" + intToOpcode((DWORD)LuaCode) + "6A005050B8"
                           + intToOpcode(FrameScript__Execute) + "FFD083C40CC3";
        cout << LuaDoString << endl;

        void* injectionAsm_Codecave = VirtualAllocEx(WowHandle, 0, LuaDoString.length(), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        Inject(WowHandle, (DWORD)injectionAsm_Codecave, LuaDoString);

        // Publish the stub's address; the hook runs it on the next EndScene and clears it again.
        WriteDword(WowHandle, (DWORD)injectionAddress, (int)injectionAsm_Codecave);

        Sleep(5000);

        // Restore EndScene's original prologue bytes.
        string DisposeHook = "89FF5589E5";
        Inject(WowHandle, EndScene, DisposeHook);

        cout << "DONE!" << endl;
        system("pause");
    }
    Is my Inject function OK?

    I tested the binary output - it's OK
    I tested the size - it's OK
    I tested the intToOpcode func - it's OK

    Thank you for your help!
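
Added example, not code from the thread: the same hook body as the posted code, assembled from bytes instead of a hex string, with the jz displacement patched from the measured offset, the pushfd/pushad balanced by popad/popfd before leaving the cave, and every E9 displacement computed relative to the end of the jump instruction that carries it (target - (address_of_jmp + 5)). The addresses are placeholders and the remote VirtualAllocEx/WriteProcessMemory calls are left out, so it builds and runs on any platform; the call stub mirrors the FrameScript__Execute stub from the post, with the string address and function address as parameters.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

typedef std::vector<uint8_t> Bytes;

static void put8(Bytes& v, uint8_t b) { v.push_back(b); }
static void put32(Bytes& v, uint32_t x) {        // little-endian imm32 / disp32
    for (int i = 0; i < 4; ++i) v.push_back(static_cast<uint8_t>(x >> (8 * i)));
}
uint32_t readLE32(const Bytes& v, size_t at) {
    return uint32_t(v[at]) | (uint32_t(v[at + 1]) << 8) |
           (uint32_t(v[at + 2]) << 16) | (uint32_t(v[at + 3]) << 24);
}

// Displacement of a 5-byte E9 (jmp rel32) / E8 (call rel32) placed at 'at'.
// The CPU adds it to the address of the next instruction (at + 5), so it is
// neither 'target' nor 'target - 5'.
uint32_t rel32(uint32_t at, uint32_t target) { return target - (at + 5); }

Bytes encodeJmpRel32(uint32_t at, uint32_t target) {
    Bytes v;
    put8(v, 0xE9);
    put32(v, rel32(at, target));
    return v;
}

// Hook body for the code cave at 'cave'. Same layout as the post: replay the 5
// prologue bytes the detour overwrote, save state, if the pointer at flagAddr is
// non-zero call it, keep its return value at retAddr and clear the flag, then
// restore state and continue at endScene + 5 (first byte after the detour).
Bytes buildHookStub(uint32_t cave, uint32_t flagAddr, uint32_t retAddr, uint32_t endScene) {
    Bytes v;
    put8(v, 0x89); put8(v, 0xFF);           // mov edi, edi    \ original EndScene
    put8(v, 0x55);                          // push ebp         | prologue, replaced
    put8(v, 0x89); put8(v, 0xE5);           // mov ebp, esp    / by the 5-byte jmp
    put8(v, 0x9C);                          // pushfd
    put8(v, 0x60);                          // pushad
    put8(v, 0xA1); put32(v, flagAddr);      // mov eax, [flagAddr]
    put8(v, 0x85); put8(v, 0xC0);           // test eax, eax
    size_t jz = v.size();
    put8(v, 0x74); put8(v, 0x00);           // jz <restore>   (rel8 patched below)
    put8(v, 0xFF); put8(v, 0xD0);           // call eax        (eax still holds the pointer)
    put8(v, 0xA3); put32(v, retAddr);       // mov [retAddr], eax
    put8(v, 0xBA); put32(v, flagAddr);      // mov edx, flagAddr
    put8(v, 0x31); put8(v, 0xC9);           // xor ecx, ecx
    put8(v, 0x89); put8(v, 0x0A);           // mov [edx], ecx  (flag = 0: run once)
    v[jz + 1] = static_cast<uint8_t>(v.size() - (jz + 2));   // rel8 from end of jz
    put8(v, 0x61);                          // popad   <restore>
    put8(v, 0x9D);                          // popfd
    Bytes back = encodeJmpRel32(cave + static_cast<uint32_t>(v.size()), endScene + 5);
    v.insert(v.end(), back.begin(), back.end());
    return v;
}

// cdecl call stub the hook invokes through the flag pointer: fn(arg, arg, 0),
// then pop the three arguments and return into the hook. Absolute call through
// a register, so it needs no displacement arithmetic.
Bytes buildCallStub(uint32_t arg, uint32_t fn) {
    Bytes v;
    put8(v, 0xB8); put32(v, arg);           // mov eax, arg
    put8(v, 0x6A); put8(v, 0x00);           // push 0
    put8(v, 0x50);                          // push eax
    put8(v, 0x50);                          // push eax
    put8(v, 0xB8); put32(v, fn);            // mov eax, fn
    put8(v, 0xFF); put8(v, 0xD0);           // call eax
    put8(v, 0x83); put8(v, 0xC4); put8(v, 0x0C);   // add esp, 0Ch
    put8(v, 0xC3);                          // ret
    return v;
}

// Placeholder addresses (not from a real process); the remote allocation and
// write calls are omitted so the encoding can be checked anywhere.
int main() {
    const uint32_t endScene = 0x00500000, cave = 0x10000000;
    const uint32_t flag = 0x10001000, ret = 0x10001004;
    Bytes stub   = buildHookStub(cave, flag, ret, endScene);
    Bytes detour = encodeJmpRel32(endScene, cave);   // goes over EndScene's first 5 bytes
    printf("stub (%zu bytes):", stub.size());
    for (size_t i = 0; i < stub.size(); ++i) printf(" %02X", stub[i]);
    printf("\ndetour:");
    for (size_t i = 0; i < detour.size(); ++i) printf(" %02X", detour[i]);
    printf("\n");
    return 0;
}
```

The order of writes matters when this is used against a live process: the cave body and the call stub must be in place before the detour overwrites EndScene, because the render thread may call EndScene between the two writes.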

  2. #2
    Bananenbrot (Contributor)
    Code:
    "89FF5589E59C60A1"+intToOpcode((DWORD)injectionAddress)+"85C07418A1"+intToOpcode((DWORD)injectionAddress)+"FFD0A3"+intToOpcode((DWORD)returnAddress)+"BA"+intToOpcode((DWORD)injectionAddress)+"B900000000890A";
    Machine code, anyone?
    The whole code is a mess! Clean up and refactor your code before posting again, please... This is just ridiculous!
    And you write your asm as a string rather than as bytes. You have to prepend \x in front of each byte ("\x89\xff...").
    Get used to a JIT assembler like asmjit (asmjit - Complete x86/x64 JIT Assembler for C++ Language - Google Project Hosting). If you don't get it running, read the wiki examples.
    There are unbelievably many other bugs in your code.

  3. #3
    hamburger1 (Member)
    Oh, do you know how to jump to an address?

    like:
    jmp 0x12345

    or like:
    mov eax, 0x12345

    ? That's the only thing I haven't figured out in 11 hours -.-

    with asmjit*

  4. #4
    Bananenbrot (Contributor)
    You can't jump to an address by simply putting the address into a register.
    Assembler::jmp has several overloads, choose the one which pleases you the most.
    Pretty obvious, isn't it?
    Code:
    Assembler a;
    a.jmp(0x12345);
    void* localCode = a.make();
    int codeSize = a.codeSize();
    // write localCode content to remote process
    MemoryManager::global()->free(localCode);
    // too lazy to set up unique_ptr for this example

  5. #5
    hamburger1 (Member)
    Done it with opcodes ^^ It was pretty simple :S Sorry that I hadn't used the debugger before asking.


    PLEASE CLOSE!
