Reversing CGActionBar::UseAction menu

  1. #1 kingdeking (Member)


    Hello guys,

    I am trying to reverse the function UseAction which is called when for example a spell is cast. However I am having problems finding out what parameters the function takes... Can someone maybe help me a bit? Here is the assembler of that function (WoW 4.06a):


    Code:
    017338A0 >/. 55             PUSH EBP
    017338A1  |. 8BEC           MOV EBP,ESP
    017338A3  |. 83EC 08        SUB ESP,8
    017338A6  |. 57             PUSH EDI
    017338A7  |. 8B7D 08        MOV EDI,DWORD PTR SS:[EBP+8]
    017338AA  |. 6A 01          PUSH 1                                   ; /Arg2 = 00000001
    017338AC  |. 57             PUSH EDI                                 ; |Arg1
    017338AD  |. E8 AE28B8FF    CALL Wow.012B6160                        ; \Wow.012B6160
    017338B2  |. 83C4 08        ADD ESP,8
    017338B5  |. 85C0           TEST EAX,EAX
    017338B7  |. 74 54          JE SHORT Wow.0173390D 
    017338B9  |. 56             PUSH ESI
    017338BA  |. 6A 01          PUSH 1                                   ; /Arg2 = 00000001
    017338BC  |. 57             PUSH EDI                                 ; |Arg1
    017338BD  |. E8 AE29B8FF    CALL Wow.012B6270                        ; \Wow.012B6270
    017338C2  |. 83C4 08        ADD ESP,8
    017338C5  |. E8 06B30900    CALL Wow.017CEBD0
    017338CA  |. 8BF0           MOV ESI,EAX
    017338CC  |. 6A 01          PUSH 1
    017338CE  |. 8D45 F8        LEA EAX,DWORD PTR SS:[EBP-8]
    017338D1  |. 50             PUSH EAX
    017338D2  |. 6A 00          PUSH 0                                   ; /Arg3 = 00000000
    017338D4  |. 6A 02          PUSH 2                                   ; |Arg2 = 00000002
    017338D6  |. 57             PUSH EDI                                 ; |Arg1
    017338D7  |. 4E             DEC ESI                                  ; |
    017338D8  |. E8 432AB8FF    CALL Wow.012B6320                        ; \Wow.012B6320
    017338DD  |. 83C4 0C        ADD ESP,0C
    017338E0  |. 50             PUSH EAX                                 ; |Arg1
    017338E1  |. E8 CA5DBAFF    CALL Wow.012D96B0                        ; \Wow.012D96B0
    017338E6  |. 83C4 0C        ADD ESP,0C
    017338E9  |. 84C0           TEST AL,AL
    017338EB  |. 74 18          JE SHORT Wow.01733905
    017338ED  |. 6A 00          PUSH 0
    017338EF  |. 6A 03          PUSH 3
    017338F1  |. 57             PUSH EDI
    017338F2  |. E8 292AB8FF    CALL Wow.012B6320
    017338F7  |. 50             PUSH EAX                                 ; |Arg3
    017338F8  |. 8D4D F8        LEA ECX,DWORD PTR SS:[EBP-8]             ; |
    017338FB  |. 51             PUSH ECX                                 ; |Arg2
    017338FC  |. 56             PUSH ESI                                 ; |Arg1
    017338FD  |. E8 BEFBFFFF    CALL Wow.017334C0                        ; \Wow.017334C0
    01733902  |. 83C4 18        ADD ESP,18
    01733905  |> 5E             POP ESI
    01733906  |. 33C0           XOR EAX,EAX
    01733908  |. 5F             POP EDI
    01733909  |. 8BE5           MOV ESP,EBP
    0173390B  |. 5D             POP EBP
    0173390C  |. C3             RETN
    0173390D  |> 68 E0359A01    PUSH Wow.019A35E0                        ; /Arg2 = 019A35E0 ASCII "Usage: UseAction(slot, [, target] [, button])"
    01733912  |. 57             PUSH EDI                                 ; |Arg1
    01733913  |. E8 D87A0B00    CALL Wow.017EB3F0                        ; \Wow.017EB3F0
    01733918  |. 83C4 08        ADD ESP,8
    0173391B  |. 33C0           XOR EAX,EAX
    0173391D  |. 5F             POP EDI
    0173391E  |. 8BE5           MOV ESP,EBP
    01733920  |. 5D             POP EBP
    01733921  \. C3             RETN

    And this is a snippet of the calling function:

    Code:
    012AB025  |. 83C4 0C        ADD ESP,0C
    012AB028  |> 8B56 18        MOV EDX,DWORD PTR DS:[ESI+18]
    012AB02B  |. 8B42 04        MOV EAX,DWORD PTR DS:[EDX+4]
    012AB02E  |. 8B08           MOV ECX,DWORD PTR DS:[EAX]
    012AB030  |. 8B79 18        MOV EDI,DWORD PTR DS:[ECX+18]
    012AB033  |. 57             PUSH EDI
    012AB034  |. E8 47063B00    CALL Wow.0165B680
    012AB039  |. 56             PUSH ESI
    012AB03A  |. FFD7           CALL EDI
    012AB03C  |. 83C4 08        ADD ESP,8
    012AB03F  |. 85C0           TEST EAX,EAX
    012AB041  |. 7D 0A          JGE SHORT Wow.012AB04D
    012AB043  |. 5F             POP EDI
    012AB044  |. 5E             POP ESI
    012AB045  |. B8 02000000    MOV EAX,2
    012AB04A  |. 5B             POP EBX
    012AB04B  |. 5D             POP EBP
    012AB04C  |. C3             RETN
    EDI contains the address of the function UseAction and calls it like so:
    012AB03A |. FFD7 CALL EDI


    I can't really tell what parameters UseAction takes...

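The parameter question in the post above is answered by the stack cleanup rather than by the PUSHes: for x86 cdecl the caller pops its own arguments with ADD ESP,N right after the CALL, so N/4 is the argument count, and MSVC often defers that cleanup and merges it into the ADD ESP of the next call. Below is an added example (my code, not anything posted in this thread) that parses an OllyDbg listing and attributes argument counts that way; the two embedded excerpts are trimmed copies of the listings posted above, and the attribution rules are heuristics of mine rather than anything OllyDbg or the game states. On the caller snippet it assigns the ADD ESP,8 after CALL EDI as one dword for the preceding CALL Wow.0165B680 and one for CALL EDI, i.e. UseAction is called with a single argument (ESI); together with the "Usage: UseAction(slot, [, target] [, button])" string, that reads as a Lua-style script handler that takes one state pointer and fetches slot, target and button itself, which is my interpretation and not something the listing alone proves.

```python
# Added example for this thread (not code from any poster): infer the stack-argument
# count of each CALL in an OllyDbg listing from the caller's own stack cleanup.
# x86 cdecl: the caller pops its arguments with ADD ESP,N right after the CALL, so
# N/4 is the argument count.  MSVC frequently defers that cleanup and merges it with a
# later call's, so a CALL without its own ADD ESP is not necessarily callee-cleaned;
# the excess of a later ADD ESP is attributed back to such calls.  Heuristic: linear
# walk (branches ignored), and a pushed callee-saved register looks like an argument.
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-F]{8})\s+\S+\s+"                    # address, OllyDbg marker (|. |> \.)
    r"(?P<bytes>[0-9A-F]{2,8}(?: [0-9A-F]{2,8})*)\s{2,}"  # opcode bytes
    r"(?P<mnem>[A-Z]+)\s*(?P<ops>[^;]*?)\s*(?:;.*)?$"     # mnemonic, operands, ';' comment
)
ADD_ESP_RE = re.compile(r"^ESP,([0-9A-F]+)$")

@dataclass
class CallSite:
    addr: str
    target: str
    pushed: int             # PUSHes between the previous CALL and this one
    cleaned_bytes: int      # N from an ADD ESP,N directly after this CALL, else 0
    args: int = 0           # stack arguments attributed to this call
    deferred: bool = False  # its cleanup was merged into a later call's ADD ESP

def parse_listing(text):
    insns = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            m = LINE_RE.match(line)
            if m is None:
                raise ValueError("unparsed line: " + line)
            insns.append((m["addr"], m["mnem"], m["ops"].strip()))
    return insns

def analyze_calls(insns):
    calls, since_call, i = [], 0, 0
    while i < len(insns):
        addr, mnem, ops = insns[i]
        if mnem == "PUSH":
            since_call += 1
        elif mnem == "CALL":
            cleaned = 0
            if i + 1 < len(insns) and insns[i + 1][1] == "ADD":
                m = ADD_ESP_RE.match(insns[i + 1][2])
                if m:
                    cleaned = int(m.group(1), 16)
                    i += 1                                 # consume the ADD ESP,N
            site = CallSite(addr, ops, since_call, cleaned)
            popped = cleaned // 4
            site.args = min(popped, since_call)
            excess = popped - site.args
            # Pops beyond this call's own PUSHes first pay for earlier calls whose
            # cleanup was deferred (they had no ADD ESP of their own)...
            for prior in reversed(calls):
                if excess == 0 or prior.cleaned_bytes:
                    break
                take = min(excess, prior.pushed - prior.args)
                prior.args += take
                prior.deferred = prior.deferred or take > 0
                excess -= take
            # ...and whatever is left is this call's own arguments, pushed before an
            # intervening call (typically a nested call computing the last argument).
            site.args += excess
            calls.append(site)
            since_call = 0
        i += 1
    return calls

# Trimmed copies of the two listings posted in the thread (comment columns shortened).
USEACTION_EXCERPT = r"""
017338C5  |. E8 06B30900    CALL Wow.017CEBD0
017338CC  |. 6A 01          PUSH 1
017338D1  |. 50             PUSH EAX
017338D2  |. 6A 00          PUSH 0              ; /Arg3 = 00000000
017338D4  |. 6A 02          PUSH 2              ; |Arg2 = 00000002
017338D6  |. 57             PUSH EDI            ; |Arg1
017338D8  |. E8 432AB8FF    CALL Wow.012B6320   ; \Wow.012B6320
017338DD  |. 83C4 0C        ADD ESP,0C
017338E0  |. 50             PUSH EAX            ; |Arg1
017338E1  |. E8 CA5DBAFF    CALL Wow.012D96B0   ; \Wow.012D96B0
017338E6  |. 83C4 0C        ADD ESP,0C
017338ED  |. 6A 00          PUSH 0
017338EF  |. 6A 03          PUSH 3
017338F1  |. 57             PUSH EDI
017338F2  |. E8 292AB8FF    CALL Wow.012B6320
017338F7  |. 50             PUSH EAX            ; |Arg3
017338FB  |. 51             PUSH ECX            ; |Arg2
017338FC  |. 56             PUSH ESI            ; |Arg1
017338FD  |. E8 BEFBFFFF    CALL Wow.017334C0   ; \Wow.017334C0
01733902  |. 83C4 18        ADD ESP,18
"""
CALLER_EXCERPT = r"""
012AB033  |. 57             PUSH EDI
012AB034  |. E8 47063B00    CALL Wow.0165B680
012AB039  |. 56             PUSH ESI
012AB03A  |. FFD7           CALL EDI
012AB03C  |. 83C4 08        ADD ESP,8
"""
```

Calling `analyze_calls(parse_listing(USEACTION_EXCERPT))` gives 3 arguments for both Wow.012B6320 sites (the second one flagged as deferred, its cleanup being folded into the ADD ESP,18), 3 for Wow.012D96B0 (two of its arguments were pushed before the nested call) and 3 for Wow.017334C0; on CALLER_EXCERPT it gives one argument each for Wow.0165B680 and CALL EDI. Treat a call that stays at zero with a non-zero pushed count as "callee-cleaned or register save" and confirm it by hand.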
  2. #2 Master674 (Elite User)
    <something used to be here... its gone now>
    Last edited by Master674; 10-15-2012 at 12:56 PM.

  3. #3 kingdeking (Member)
    Thank you for your reply. This helped me a lot. I'm gonna take a look at that IDA database just now.

  4. #4 kingdeking (Member)
    Hi, it's me again,

    I can't get this to work. That's what I have come up with so far:

    - call GetGuidByKeyword and let it fill the local variable v6, which is some target GUID.

    - call UseAction with v6.


    Are you sure that GetGuidByKeyword takes 4 parameters? After debugging it, I think it takes 3.

    That's how I am calling it:

    Code:
    typedef int (__cdecl* pGetGuidByKeyword)(int, int*, int);
    typedef void (__cdecl* pUseAction)(int, int*, char*);
    
    void hk_UseAction(int slot_number, char* buttonType, pGetGuidByKeyword key, pUseAction act)
    {
    	int* v6 = new int;
    
    	key(0, v6, 1);
    	logger.Add("GetGuidByKeyWord executed");
    
    	act(slot_number, v6, buttonType);
    	logger.Add("UseAction executed");
    
    	delete v6;
    }

    And then I do:

    Code:
    hk_UseAction(0, (char*)LeftButton, GetGuidByKeyWord, UseAction);
    Where:
    LeftButton = "LeftButton"



    I debugged everything and the addresses are fine, the parameters are fine as well. The GUID gets written into the variable I pass. But calling UseAction does simply nothing in game. It should use the first slot on the action bar... Do you know what's the issue with that? I don't really see a mistake here.

  5. #5 _Mike (Contributor)
    Code:
    bool GetGuidByToken(const char* token, unsigned __int64& guid, bool b1, bool b2);
    void UseAction(int slot, unsigned __int64& target, const char* button);
    'token' is a unit token ("player", "target", "mouseover", etc.). Haven't really looked into what b1 and b2 are as I have no use for them. They don't seem to matter anyway unless token is null or "none".
    For example
    Code:
    unsigned __int64 guid;
    if(GetGuidByToken("mouseover", guid, true, true) && guid != -2)
        UseAction(0, guid, "LeftButton");
    Oh, and
    Originally Posted by kingdeking
    Code:
    int* v6 = new int;
    guids are 64 bit. But why are you using heap memory for a single int?

  6. #6 kingdeking (Member)
    Thanks for your help. I see GetGuidByKeyword takes 4 parameters. I will have a look at that again.

    For the heap memory allocation, I don't know, it's just how I did it. I know stack allocation is faster. About the 64-bit GUID, yeah, I fixed that already.

    Will post my results!

  7. #7 kingdeking (Member)
    Okay, I changed stuff a bit. I also tried giving it 4 parameters like you suggested, Mike, especially passing "player" or "target". Also I can not confirm GetGuidByToken/GetGuidByKeyword taking 4 parameters.
    And the token you mentioned is always 0 for me! No matter if I have a target. When I press 1 in WoW to use a spell bound to slot 1, this is what I get:

    [attached screenshot: OllyDbg session, ollllyyyy.jpg]


    I really do not know what is wrong with this shit. I feed the functions with the same parameters and nothing happens.


    And these are the typedefs I'm working with now:

    Code:
    typedef bool (__cdecl* pGetGuidByKeyword)(const char*, unsigned __int64*, bool);
    typedef void (__cdecl* pUseAction)(unsigned int, unsigned __int64*, const char*);


    The only difference I see is that I pass the GUID by pointer and you suggested passing by reference. But that shouldn't make a difference in asm...

  8. #8 _Mike (Contributor)
    Yes, you are right, it really is 3 parameters.
    I didn't see you were talking about 4.0.6 so I was looking at the 4.3.3 exe. It seems the prototype for GetGuidByKeyword changed in some recent patch. In 4.1.0 it's listed as bool Script_GetGUIDFromToken(char const*,ulong long &,bool)

    What happens if you skip that function altogether and call CGActionBar::UseAction directly? You can pass a guid of 0 and it defaults to your current target, and a null pointer as button defaults to left mouse button.
    And which thread are you calling all this from? CGActionBar::UseAction uses TLS-dependent functions.

  9. #9 kingdeking (Member)
    Nope, that didn't help. I'm calling those functions within a thread that I create in WoW's process. Is there a problem with that? Other than that, I will have to reverse a bit more....

  10. #10 l0l1dk (Elite User)
    Originally Posted by kingdeking View Post
    Nope, that didn't help. I'm calling those functions within a thread that I create in WoW's process. Is there a problem with that? Other than that, I will have to reverse a bit more....
    You need to call those functions from WoW's main thread, since they use TLS. They won't work correctly (at all) if they aren't. I had a similar issue when I was writing OHack, and it took me a while to figure out that it was caused by TLS. Call them from WoW's main thread (eg. from an EndScene hook) and they should work correctly.
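As an added example (my code, not from OHack or any poster), the failure mode described in the last three posts and the usual fix: a worker thread calling the function directly finds an uninitialized TLS slot and gets nothing, while queuing the call for a per-frame hook that runs on the main thread (the EndScene analogue) works. Python's threading.local stands in for Win32 TLS, and use_action is a stand-in for CGActionBar::UseAction with a made-up return value so the outcome can be checked; nothing here is the game's actual code.

```python
# Added example (not from any poster, not OHack): why a game function that reads
# thread-local state does nothing when called from an injected worker thread, and the
# usual fix, queuing the call for a per-frame hook that runs on the main thread.
# threading.local stands in for Win32 TLS; use_action is a stand-in for
# CGActionBar::UseAction, with a made-up return value so the outcome can be checked.
import queue
import threading

_tls = threading.local()      # per-thread storage, like TlsGetValue on the game's TLS slot
_jobs = queue.Queue()         # work handed from other threads to the main-thread hook

def init_main_thread_state(current_target_guid):
    # The game fills its TLS slot during start-up on the thread that runs the render
    # loop.  A thread created later with CreateRemoteThread never runs this.
    _tls.current_target = current_target_guid

def use_action(slot, target_guid=0, button=None):
    state = getattr(_tls, "current_target", None)
    if state is None:
        return None           # empty TLS slot on a foreign thread: silently does nothing
    guid = target_guid or state                  # guid 0 means "current target"
    return (slot, guid, button or "LeftButton")  # None button means left mouse button

def call_on_main_thread(fn, *args, timeout=5.0):
    """Block the calling thread until the main-thread hook has executed fn(*args)."""
    done, box = threading.Event(), {}
    def job():
        box["result"] = fn(*args)
        done.set()
    _jobs.put(job)
    if not done.wait(timeout):
        raise TimeoutError("main-thread hook is not being pumped")
    return box["result"]

def end_scene_hook():
    """What the hooked EndScene would do once per frame on the main thread."""
    while True:
        try:
            job = _jobs.get_nowait()
        except queue.Empty:
            return
        job()

def demo():
    init_main_thread_state(0x0F13000000001234)   # constructed sample GUID
    results = {}
    def injected_thread():
        results["direct"] = use_action(0)                           # wrong thread
        results["marshalled"] = call_on_main_thread(use_action, 0)  # via the hook
    t = threading.Thread(target=injected_thread)
    t.start()
    while t.is_alive():       # the render loop: pump the hook every "frame"
        end_scene_hook()
        t.join(timeout=0.01)
    return results
```

`demo()` returns `None` for the direct call and `(0, 0x0F13000000001234, "LeftButton")` for the marshalled one. The same queue-and-pump shape is what an EndScene (or any per-frame) hook gives you in the real client; the one extra thing the real fix needs is that the hook itself is installed on, or at least first executes on, the thread that owns the TLS.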
