Need help sending packets

  1. #1
    Nightblizzard

    Need help sending packets

    Hey guys,
    the last few days I've tried to send packets and for the sake of god it just keeps crashing my client.
    I've tried all sorts of things in order to get it to work, but no matter what I do, it just comes down to the same result: the client crashes.


    So, here is what I did:
    Code:
    //Only gets called on the very first tick of EndScene after injecting into WoW's process
    void TestSendPacket()
    {
    	CDataStore* store = new CDataStore;
    	
    	CDataStore__InitPacket2(store);
    
    	CDataStore__PutInt32(store, 0x64); //Opcode CMSG_WHOIS
    	CDataStore__PutInt32(store, 0x12345678); //guid
    	CDataStore__PutInt32(store, 0x90ABCDEF); //guid
    
    	CDataStore__PutCString(store, "Kwark");
    
    	ClientServices__Send2(store);
    	CDataStore__ReleasePacket2(store);
    
    	delete store;
    }
    Calling PutCString randomly jumps back (via retn) into my dll and crashes.

    I couldn't figure out why the hell that happened, so I moved along to some other functions.
    So instead of calling PutCString I've just put each byte individually into the buffer.
    Code:
    	CDataStore__PutInt8(store, 0x4b); //K
    	CDataStore__PutInt8(store, 0x77); //w
    	CDataStore__PutInt8(store, 0x61); //a
    	CDataStore__PutInt8(store, 0x72); //r
    	CDataStore__PutInt8(store, 0x6b); //k
    	CDataStore__PutInt8(store, 0x00);
    Since that would've been way too easy, it now gives me this nice little error message
    http://imagr.eu/up/506f651c6dec02_ioError.png
    and then it crashes, yay! Note that this time it is not crashing inside any of my functions.
    Stuff gets called, it's leaving endscene and then a little later it crashes.

    The callstack:
    Code:
    >	054aeda8()	Unknown
     	[Frames below may be incorrect and/or missing]	
     	Wow.exe!004DF837()	Unknown
     	Wow.exe!0058DFDD()	Unknown
     	Wow.exe!0056958B()	Unknown
     	ntdll.dll!_NtQueryPerformanceCounter@8()	Unknown
     	ntdll.dll!_RtlQueryPerformanceCounter@4()	Unknown
     	Wow.exe!0047182F() Unknown
     	Wow.exe!0047182F() Unknown
     	Wow.exe!00471E1A() Unknown
     	Wow.exe!0046ECD8() Unknown
     	Wow.exe!0046fc0c() Unknown
     	Wow.exe!0143fc0c()	Unknown
     	Wow.exe!0047038a() Unknown
     	ntdll.dll!_ZwSetEvent@8()	Unknown
     	KernelBase.dll!_SetEvent@4()	Unknown
     	kernel32.dll!__BaseFiberStart@0()	Unknown
     	kernel32.dll!_BaseFiberStart@0()	Unknown
    This stuff seems more related to drawing stuff instead of sending packets, which confuses me.

    Since this also does not work, I've thought that I might be using the wrong function to send stuff.
    Even though I'm sure that the way I've done it is right (I think so, because Blizzard is also sending some stuff this way),
    I decided to give NetClient__Send2 a try.

    So here is the code again:
    Code:
    void TestSendPacket()
    {
    	CDataStore* store = new CDataStore;		
    		
    	CDataStore__InitPacket2(store);
    
    	CDataStore__PutInt32(store, 0x64); //Opcode CMSG_WHOIS
    	CDataStore__PutInt32(store, 0x12345678); //guid
    	CDataStore__PutInt32(store, 0x90ABCDEF); //guid
    
    	CDataStore__PutInt8(store, 0x4b); //K
    	CDataStore__PutInt8(store, 0x77); //w
    	CDataStore__PutInt8(store, 0x61); //a
    	CDataStore__PutInt8(store, 0x72); //r
    	CDataStore__PutInt8(store, 0x6b); //k
    	CDataStore__PutInt8(store, 0x00);
    
    	ClientServices__Send2(store);
    	CDataStore__ReleasePacket2(store);
    
    	delete store;
    }
    Well, guess what? The exact same result! First that funny error message and then armageddon!

    So this clearly didn't work the way I liked it to. Therefore I was looking for other ways Blizzard is sending packets. I found something and adapted it:
    Code:
    void TestSendPacket()
    {
    	CDataStore* store = new CDataStore;
    	//No longer using initpacket
    	store->__vfPtr = LPVOID(baseAddr + 0x08EF73C);
    	store->data[0] = store->data[1] = store->data[2] = store->data[3] = 0;
    	store->data[4] = -1;		
    
    	CDataStore__PutInt32(store, 0x461); //Opcode
    		
    	NetClient__Send2(0xDC95AC + baseAddr, store, 2);
    
    	delete store;
    }
    This one is crashing as well, but also not inside any of my functions.

    The call stack is almost the same as in the last two cases:
    Code:
    >	054aeda8()	Unknown
     	[Frames below may be incorrect and/or missing]	
     	Wow.exe!004DF837()	Unknown
     	Wow.exe!0058DFDD()	Unknown
     	Wow.exe!0056958B()	Unknown
     	Wow.exe!0047182F() Unknown
     	Wow.exe!00471E1A() Unknown
     	Wow.exe!0046ECD8() Unknown
     	Wow.exe!0046fc0c() Unknown
     	Wow.exe!0143fc0c()	Unknown
     	Wow.exe!0047038a() Unknown
     	ntdll.dll!_ZwSetEvent@8()	Unknown
     	KernelBase.dll!_SetEvent@4()	Unknown
     	kernel32.dll!__BaseFiberStart@0()	Unknown
     	kernel32.dll!_BaseFiberStart@0()	Unknown
    With that pattern in mind, I've redone all previous steps, but without any success.

    I even blamed it on the compiler (that's a good vent) and went full assembly and did other crazy stuff, but posting that would be too much.

    Well, I must be doing something entirely wrong and I can't figure out what that might be.
    I've been working on this the entire week and now I'm running out of ideas, so any hints in the right direction would be greatly appreciated!

    Thanks in advance,
    Night!

  2. #2
    daCoder
    You want to send the who command?

    The Opcode for this is 0xd69 and not 0x64
    You should have a look @ 0xB92100 (not rebased), this function is doing what you want.

    But the data structure is different and without a uid; if you search for "Night" it will look like:
    00 00 00 00 64 00 00 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 01 00 00 00 4E 69 67 68 74 00

    Edit: explanation for the packet data
    0x64 is the command for string search
    0x1 is the count of the strings you want to search
    4E 69 67 68 74 00 => ASCII for "Night" with zero termination

    But if you know the exact username, like by shift clicking on the user the packet looks like:
    00 00 00 00 64 00 00 00 ASCII(username) 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00
    Last edited by daCoder; 10-06-2012 at 08:50 AM.
    My Youtube Videos: https://www.youtube.com/user/daCoderVids
    OpenHack: https://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/384086-open-souce-project-wow-1-12-1-a.html
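
Added example, not code from the thread or from any participant: a bounds-checked C++ decoder for the byte dump quoted in the post above, useful when reading such a capture. The field split and the names (`word0`, `word1`, `exact_name`, `second`, `mask_a`, `mask_b`) are assumptions inferred from the two dumps, and only the case shown on the page, where the dword after the two masks is zero, is accepted.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>
// Field names are assumptions inferred from the two dumps quoted in the post.
struct WhoRequest {
    uint32_t word0 = 0, word1 = 0;     // 00 00 00 00, then 64 00 00 00
    std::string exact_name, second;    // two zero-terminated strings
    uint32_t mask_a = 0, mask_b = 0;   // FF FF FF FF twice in both dumps
    std::vector<std::string> search;   // counted search strings
};
class Reader {                         // bounds-checked cursor over the bytes
    const uint8_t* p_; size_t n_, i_;
public:
    Reader(const uint8_t* p, size_t n) : p_(p), n_(n), i_(0) {}
    bool u32(uint32_t& v) {            // little-endian dword
        if (n_ - i_ < 4) return false;
        v = uint32_t(p_[i_]) | uint32_t(p_[i_ + 1]) << 8 |
            uint32_t(p_[i_ + 2]) << 16 | uint32_t(p_[i_ + 3]) << 24;
        i_ += 4; return true;
    }
    bool cstr(std::string& s) {        // fails if no terminator before the end
        size_t j = i_;
        while (j < n_ && p_[j] != 0) ++j;
        if (j == n_) return false;
        s.assign(reinterpret_cast<const char*>(p_ + i_), j - i_);
        i_ = j + 1; return true;
    }
    size_t left() const { return n_ - i_; }
};

bool parse_who(const std::vector<uint8_t>& b, WhoRequest& q) {
    Reader r(b.data(), b.size());
    uint32_t zero = 0, count = 0;
    if (!r.u32(q.word0) || !r.u32(q.word1) || !r.cstr(q.exact_name) ||
        !r.cstr(q.second) || !r.u32(q.mask_a) || !r.u32(q.mask_b) ||
        !r.u32(zero) || !r.u32(count)) return false;
    if (zero != 0) return false;         // only the all-zero dword is on the page
    if (count > r.left()) return false;  // every string needs at least its NUL
    for (uint32_t k = 0; k < count; ++k) {
        std::string s;
        if (!r.cstr(s)) return false;
        q.search.push_back(s);
    }
    return r.left() == 0;                // reject trailing bytes
}
// Bytes copied from the first dump in the post (search for "Night").
const std::vector<uint8_t> kSearchDump = {0,0,0,0, 0x64,0,0,0, 0, 0,
    0xFF,0xFF,0xFF,0xFF, 0xFF,0xFF,0xFF,0xFF, 0,0,0,0, 1,0,0,0,
    0x4E,0x69,0x67,0x68,0x74,0};
```

The count check runs before any string is read, so a dump whose count field exceeds the remaining bytes is rejected without allocating for it.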

  3. #3
    Nightblizzard
    Thanks man, that really helped me out!
    The reason for the client crashing seemed to be that I've used the wrong vtable pointer. Using off_CEF734 from that function works, however I'm not getting any visual response. I wonder if the client is doing some extra work for that.

    Anyway, that was the much needed missing piece in order to continue working, thank you, danke dir!

  4. #4
    Frosttall
    Originally Posted by Nightblizzard
    Thanks man, that really helped me out!
    The reason for the client crashing seemed to be that I've used the wrong vtable pointer. Using off_CEF734 from that function works, however I'm not getting any visual response. I wonder if the client is doing some extra work for that.
    Actually not.

    Code:
    SlashCmdList["WHO"] = function(msg)
        if ( msg == "" ) then
            msg = WhoFrame_GetDefaultWhoCommand();
            ShowWhoPanel();
        end
        WhoFrameEditBox:SetText(msg);
        SendWho(msg);
    end
    SendWho is a Lua-Script, which calls FriendList::SendWho (0xB93570 not rebased). That function does various filter checks, writes the opcode 0xD69 into the CDataStore, some other values (which you've already identified) and sends the packet. That's all.
