[theory] alt method to get object list via codecave

[abuckau907]

Basic theory is this.

There are functions in wow that loop over the object list (duh). Apparently there is more than one. Anyway.

Patch one of those functions to run our own byte code. The byte code will copy a (the) register to a buffer inside the bytecode. (it will also keep a counter variable at the very end of the bytecode)

Problem: There is no way to know when the wow function is done running, which means all we can do is blindly read the buffer. But I think there are ways to make sure you get an up-to-date list. If you make the buffer long enough (ie. 2x actual object list length) the wow function will run multiple times and fill the buffer, basically treating it like a circular stack. The 2x length is crucial. Basically there will be 2 very similar lists in the buffer, once you figure out where each one is, you have 2 copies of the list: 1 old complete list, 1 new and possibly incomplete.?

I'm stuck on the actual codecave code atm. Just trying to copy a register to array. Haven't got it yet.

Code:

             '_codeCaveCtrLoc = end of the buffer - 4 'ie. Int32
             '_codeCaveDumpStart = _codeCaveStart + 200 'assuming 200 bytes is enough for my code
             '_objMgrListGiveAddr = wow.exe code that uses a register to store object.baseaddress
            .AppendLine("push eax")
            .AppendLine("push ebx")
            .AppendLine("push ecx")
            ''Check counter
            .AppendLine("mov eax, " & _codeCaveCtrLoc.ToInt32.ToString)
            .AppendLine("mov ebx, [eax]") 'ebx = curIndex
            .AppendLine("cmp ebx, 999") '
              .AppendLine("jle 6")        'If
            .AppendLine("mov [eax], 0") 'reset index
            .AppendLine("add [eax], 1") 'Else increment index
            ''write ebx to list
            ''ebx = _codeCaveDumpStartLoc + (indx * 4)
            .AppendLine("mov ebx, " & _codeCaveDumpStartLoc.ToInt32.ToString)
            .AppendLine("mov ecx, [eax]")
            .AppendLine("add ebx, ecx * 4") 'howto?
            .AppendLine("pop eax")
            .AppendLine("mov [ebx], eax") 'magic happens right here
            .AppendLine("pop ebx")
            .AppendLine("pop ecx")
            .AppendLine("jmp " & _objMgrListGiverAddr.ToInt32.ToString)

* 999 is hardcoded. will change to some MAX_SIZE constant once i feel comfortable I know how big the list gets.
* jle 6 --might not be 6, I'm using fasm_managed (credits*) to assemble the bytecode. Will debug the
byteCode jmps once i get the array index part working.

Any thoughts on the basic principal? (or my asm mistake?)

edit: fixed comments.
*obviously I did the "mov [ecx], 0" wrong. I keep trying to move value/reg/valueOfReg incorrectly. learning. fixed in image 2 comments down.
**jmp was wrong too. I just now started viewing the codecave with CE (because it shows opcodes in assembly too, very nice), and noticed it was
actually jumping backwards! (instead of jumping past the next instruction::how i implement my loop counter)
one thing I'm unsure about: the fixed coded is "jle 20" which is "Jump near if less than or equal to. But the 20 confuses me. it's relative to the beginning of the codecave location not the current instruction location which I thought it would be? It compiles to ** 02 which is "some jmp type" + 02 so it's actually doing what I want, jmping ahead 1 inctruction. just not sure why it's "+20" for the jle, not +02. <--has something to do with how fasm_managed compiles "jle 20" .

[bigtimt]

Why would you want to do this? If you want to use a function, just call ClntObjMgrObjectPtr and walk the linked list backwards.

[abuckau907]

Why would you want to do this? If you want to use a function, just call ClntObjMgrObjectPtr and walk the linked list backwards.

Because I don't have IDA. only cheat engine. and I can find those functions that access .baseaddress easily in CE. ie. I can't use IDA but still..in theory..

working on asm still, will update soon.

ClntObjMgrObjectPtr - First time seeing this and I can't find it myself so I'm trying to become better at 'this' and hopefully that will lead to FirstObjectAddress
which is all i care about.

I guess you're thinking, since i'm injecting code, why not just call local wow functions from my codecave? -- because I don't know how. And if I did, I don't know how to find the functions using only .net or CE <--needs to be this simple if i'm ever going to update it patch to patch. I have a findPattern() but don't know how to actually use IDA to find the function names/locations etc(?). So I use CE, which has functionality similar to what i can do in memoryManager class. :/

[abuckau907]

Working on the codecave.

I create the byte code and write it into wow space (haven't patched wow.exe and made it run the codecave yet)
codecave doesn't run wow.exe's orig code yet. doing that now. it's 3:38am..process is slow.

note: on line 6EC0017 ecx = 6EC002A which is important codecave code! but, because of how i implemented the if _ctr < 999 loop, _ctr is always at least 1, which is important 2 lines downs, where it actually writes to the array.

*I realize by posting this, (if they cared) warden could scan for my codecave in it's own ram. noted.

theory edit: Once you have first object in list, and knowing "NextObject" offset (relatively easy to figure out once you know the baseaddress of every object ), you can loop over the objmgr list. duh. This means, once you *know* the nextObject offset, and you have a big list of possible addresses, you can sort through them to find which object has no other object pointing to it, ie. the first object?? *This is A LOT of unnecessary sorting again, my whole goal is to reliably find FirstObjectAddress.

[JuJuBoSc]

or you can call EnumVisibleObjects passing your codecave as a callback which populate a list.

[abuckau907]

"EnumVisibleObjects"

how would i 'discover' this myself lol? What happens if wow stops exporting functions names in it's binary? (ie. packing?). Basically I don't know wth EnumVisibleObjects is, and don't want to ask how to find it because..i didn't think of that question myself. :/

I'm entirely open to calling wow functions. I guess I just don't know how to look up the functions / will that process change :/ Everything I've done so far is in CheatEngine which is pretty basic, but that's why I like it.

EnumVisibleObjects sounds amazing tho

edit: wow will never be packed* just an excuse. Just saying, I've never seen that functionName before now.

[TOM_RUS]

What happens if wow stops exporting functions names in it's binary?

Nothing. Because it never exported anything useful.

[abuckau907]

TOM_RUS -- Open IDA --> Open wow.exe, you get TONS of strings and function names etc? Isn't that how I'm supposed to find EnumVisibleObjects .? But I don't want to do it that way :/ ?

[Frosttall]

The symbolnames have been published as debugbuild once ago and now do we recalculate the addresses every time a new binary is released with the tools BinDiff or PatchDiff for IDA.

Why do you waste your time on fixing your bugs instead of learning how to use IDA properly? http://www.ownedcore.com/forums/worl...ple-stuff.html ([Tutorial] How to find simple stuff)

[abuckau907]

because I don't want to rely on the magic that is IDA. Maybe someday you open wow.exe with it and don't see any strings. :/ I'd rather not *rely* on IDA. The way I'm doing it should lead to the object list. Only using memory read/write, without using ida. That's all I really want.

to stay generic. Maybe the next mmorpg i get interested in won't give strings in ida. ?? <--dumb?
^^so maybe this shouldn't be in wow section? It's very wow specific tho.

[bigtimt]

You don't have to have the first object in the object list to enumerate objects. Find a static address for you player and walk the linked list backwards, when the first object is hit the list wraps back to the end. Just enumerate until you hit your player again.

Code:

public IntPtr GetPreviousObject(IntPtr pObject)
{
    return Memory.ReadIntPtr(pObject + 0x24) - 0x24;
}

[Frosttall]

because I don't want to rely on the magic that is IDA. Maybe someday you open wow.exe with it and don't see any strings. :/ I'd rather not *rely* on IDA. The way I'm doing it should lead to the object list. Only using memory read/write, without using ida. That's all I really want.

to stay generic. Maybe the next mmorpg i get interested in won't give strings in ida. ?? <--dumb?
^^so maybe this shouldn't be in wow section? It's very wow specific tho.

Again: You can get the functionnames for IDA on your own by using BinDiff or PatchDiff. Some other names can be received by scripts which loop for example trough the lua-engine (don't know the correct name right now), search for the error message if you're passing a wrong input and extract the name of the Lua-Function. Something like this can be done with every game as soon as they have an API or store any types of strings.

Right now do you search for the objects via CheatEngine: You could search for your local object, look what references to it, open these addresses with IDA and will see a function which we know as "EnumVisibleObjects". It will have a random name if you haven't loaded the symbol names, but you can rename the function yourself by rightclicking it.

To keep the function names between different binary versions you can use BinDiff/PatchDiff again and will keep all your names and things like that. This applies to all games and programs - not only WoW!

[abuckau907]

I said i don't want to use ida so you give me two more program to use with it. super. *******

[abuckau907]

@bigtimt Thank you, I didn't know the local player was for sure the beginning or end of the list. Tis helpful.
(how do you walk the list backwards: i thought each object only pointed forward? ie objBase + NextObjOffst = NextObject.Base How would you do that in reverse? without brute forcing? nvm, thnx for the tip, I'm done for the day.
tbh i'm giving up on wow (too many ppl do it already) and starting swtor as soon as I can buy a new graphics card. thank anyway.

[abuckau907]

For those who care

Got the code-cave complete.


Got the code-cave copying over the eax register (ie the .baseaddress of an object)


semi-verify that it's outputting valid data.
The addresses are very close to my localplayer.health --seems legit.

right on**** yeah.

Althought these might not be the object's .BaseAddress, could be some pointer inside each object?? Will start debugging soon --> i know health offset is 1294H, so i'll start checking for health values, and if I find them, i know these are baseaddresses.