3.3.5a hooking issue

[dencelle]

so i've been banging my head agenst a wall trying to figure out why my code hasn't been working, finally found the issue after a lot of trial and error.
wondering if anyone can help with this since i can't seem to find a good hook for windows 10. the code below works for windows 7 or less but anything above will cause a crash as soon as you attempt to hook. perfer to not have to switch back over to windows 7 if i can help it but its starting to look like my only resort. anyone have any other ideas?

Code:

using System;
using System.Collections.Generic;
using System.Text;
using Magic;
using System.Threading;
using System.Diagnostics;

namespace ConsoleApplication1
{
    class Program
    {
        public static int FrameScript__Execute = 0x819210;
        public static void LuaDoString(string command)
        {
            Process[] p = Process.GetProcessesByName("Wow");
            if (p[0].Id == 0)
            {
                return;
            }
            Console.WriteLine(p[0].Id);
            Hook MyHook = new Hook((uint) p[0].Id);
            // Allocate memory
            uint DoStringArg_Codecave = MyHook.Memory.AllocateMemory(Encoding.UTF8.GetBytes(command).Length + 1);


            // Write value:
            MyHook.Memory.WriteBytes(DoStringArg_Codecave, Encoding.UTF8.GetBytes(command));

            // Write the asm stuff for Lua_DoString
            String[] asm = new String[]
            {
                "mov eax, " + DoStringArg_Codecave,
                "push 0",
                "push eax",
                "push eax",
                "mov eax, " + (uint)FrameScript__Execute, // Lua_DoString
                "call eax",
                "add esp, 0xC",
                "retn",
            };

            // Inject
            MyHook.InjectAndExecute(asm);
            // Free memory allocated 
            MyHook.Memory.FreeMemory(DoStringArg_Codecave);
        }
        static void Main(string[] args)
        {
            LuaDoString("print()");
        }
    }
    public class Hook
    {
        // Addresse Inection code:
        uint injected_code = 0;
        uint addresseInjection = 0;
        public bool threadHooked = false;
        uint retnInjectionAsm = 0;
        bool InjectionUsed = false;
        public BlackMagic Memory = new BlackMagic();
        public int _processId = 0;
        public Hook(uint processId)
        {
            _processId = (int) processId;
            Hooking();
        }
        public void Hooking()
        {
            // Offset:
            uint DX_DEVICE = 0xC5DF88;
            uint DX_DEVICE_IDX = 0x397C;
            uint ENDSCENE_IDX = 0xA8;

            // Process Connect:
            if (!Memory.IsProcessOpen)
            {
                Memory.OpenProcessAndThread(_processId);
            }

            if (Memory.IsProcessOpen)
            {
                // Get address of EndScene
                uint pDevice = Memory.ReadUInt(DX_DEVICE);
                uint pEnd = Memory.ReadUInt(pDevice + DX_DEVICE_IDX);
                uint pScene = Memory.ReadUInt(pEnd);
                uint pEndScene = Memory.ReadUInt(pScene + ENDSCENE_IDX);

                if (Memory.ReadByte(pEndScene) == 0xE9 && (injected_code == 0 || addresseInjection == 0)) // check if wow is already hooked and dispose Hook
                {
                    DisposeHooking();
                }

                if (Memory.ReadByte(pEndScene) != 0xE9) // check if wow is already hooked
                {
                    try
                    {
                        threadHooked = false;
                        // allocate memory to store injected code:
                        injected_code = Memory.AllocateMemory(2048);
                        // allocate memory the new injection code pointer:
                        addresseInjection = Memory.AllocateMemory(0x4);
                        Memory.WriteInt(addresseInjection, 0);
                        // allocate memory the pointer return value:
                        retnInjectionAsm = Memory.AllocateMemory(0x4);
                        Memory.WriteInt(retnInjectionAsm, 0);

                        // Generate the STUB to be injected
                        Memory.Asm.Clear(); // $Asm

                        // save regs
                        Memory.Asm.AddLine("pushad");
                        Memory.Asm.AddLine("pushfd");

                        // Test if you need launch injected code:
                        Memory.Asm.AddLine("mov eax, [" + addresseInjection + "]");
                        Memory.Asm.AddLine("test eax, ebx");
                        Memory.Asm.AddLine("je @out");

                        // Launch Fonction:
                        Memory.Asm.AddLine("mov eax, [" + addresseInjection + "]");
                        Memory.Asm.AddLine("call eax");

                        // Copie pointer return value:
                        Memory.Asm.AddLine("mov [" + retnInjectionAsm + "], eax");

                        // Enter value 0 of addresse func inject
                        Memory.Asm.AddLine("mov edx, " + addresseInjection);
                        Memory.Asm.AddLine("mov ecx, 0");
                        Memory.Asm.AddLine("mov [edx], ecx");

                        // Close func
                        Memory.Asm.AddLine("@out:");

                        // load reg
                        Memory.Asm.AddLine("popfd");
                        Memory.Asm.AddLine("popad");


                        // injected code
                        uint sizeAsm = (uint)(Memory.Asm.Assemble().Length);
                        Memory.Asm.Inject(injected_code);

                        // Size asm jumpback
                        int sizeJumpBack = 5;

                        // copy and save original instructions
                        Memory.Asm.Clear();
                        Memory.Asm.AddLine("mov edi, edi");
                        Memory.Asm.AddLine("push ebp");
                        Memory.Asm.AddLine("mov ebp, esp");
                        Memory.Asm.Inject(injected_code + sizeAsm);

                        // create jump back stub
                        Memory.Asm.Clear();
                        Memory.Asm.AddLine("jmp " + (pEndScene + sizeJumpBack));
                        Memory.Asm.Inject(injected_code + sizeAsm + (uint)sizeJumpBack);

                        // create hook jump
                        Memory.Asm.Clear(); // $jmpto
                        Memory.Asm.AddLine("jmp " + (injected_code));
                        Memory.Asm.Inject(pEndScene);
                    }
                    catch {
                        threadHooked = false;
                        return;
                    }
                }
                threadHooked = true;
            }

        }
        public void DisposeHooking()
        {
            try
            {
                // Offset:
                uint DX_DEVICE = 0xC5DF88;
                uint DX_DEVICE_IDX = 0x397C;
                uint ENDSCENE_IDX = 0xA8;

                // Get address of EndScene:
                uint pDevice = Memory.ReadUInt(DX_DEVICE);
                uint pEnd = Memory.ReadUInt(pDevice + DX_DEVICE_IDX);
                uint pScene = Memory.ReadUInt(pEnd);
                uint pEndScene = Memory.ReadUInt(pScene + ENDSCENE_IDX);

                if (Memory.ReadByte(pEndScene) == 0xE9) // check if wow is already hooked and dispose Hook
                {
                    // Restore origine endscene:
                    Memory.Asm.Clear();
                    Memory.Asm.AddLine("mov edi, edi");
                    Memory.Asm.AddLine("push ebp");
                    Memory.Asm.AddLine("mov ebp, esp");
                    Memory.Asm.Inject(pEndScene);
                }

                // free memory:
                Memory.FreeMemory(injected_code);
                Memory.FreeMemory(addresseInjection);
                Memory.FreeMemory(retnInjectionAsm);

            }
            catch { }
        }
        public byte[] InjectAndExecute(string[] asm, int returnLength = 0)
        {
            while (InjectionUsed)
            { Thread.Sleep(5); }
            InjectionUsed = true;

            // Hook Wow:
            Hooking();

            byte[] tempsByte = new byte[0];

            // reset return value pointer
            Memory.WriteInt(retnInjectionAsm, 0);

            if (Memory.IsProcessOpen && threadHooked)
            {
                // Write the asm stuff
                Memory.Asm.Clear();
                foreach (string tempLineAsm in asm)
                {
                    Memory.Asm.AddLine(tempLineAsm);
                }

                // Allocation Memory
                uint injectionAsm_Codecave = Memory.AllocateMemory(Memory.Asm.Assemble().Length);


                try
                {
                    // Inject
                    Memory.Asm.Inject(injectionAsm_Codecave);
                    Memory.WriteInt(addresseInjection, (int)injectionAsm_Codecave);
                    while (Memory.ReadInt(addresseInjection) > 0) { Thread.Sleep(5); } // Wait to launch code


                    if (returnLength > 0)
                    {
                        tempsByte = Memory.ReadBytes(Memory.ReadUInt(retnInjectionAsm), returnLength);
                    }
                    else
                    {
                        byte Buf = new Byte();
                        List<byte> retnByte = new List<byte>();
                        uint dwAddress = Memory.ReadUInt(retnInjectionAsm);
                        Buf = Memory.ReadByte(dwAddress);
                        while (Buf != 0)
                        {
                            retnByte.Add(Buf);
                            dwAddress = dwAddress + 1;
                            Buf = Memory.ReadByte(dwAddress);
                        }
                        tempsByte = retnByte.ToArray();
                    }
                }
                catch { }

                // Free memory allocated 
                Memory.FreeMemory(injectionAsm_Codecave);
            }
            InjectionUsed = false;
            // return
            return tempsByte;
        }
    }
}

[namreeb]

Can you post the stack trace from the game crash log?

[WiNiFiX]

@dencelle this issue is known in windows 8+ because of how the hooking is done (see FixEndSceneForHB function in the Hook.cs class to see whats different), the way i solved it is to never unhook since that is what crashes or to hardcode the end-scene bytes to over-write when I need to unhook.
See https://github.com/winifix/MemoryMag...c/Hook/Hook.cs it should solve your issue.

[dencelle]

ahhhhh okay winifix, thank you i think that should fix the issue, woot

[dencelle]

okay, so i used that code you gave me but there seems to be a issue on the Assemble

tried updating FASM but that did nothing, looked around the internet for this same assembly failed issue but the very few things i did find that were pertaining to WoW, all pretty much ended in the magical fix that no one actually posted any info on how they actually fixed it. i did leave out the randomization since i figured that it wasn't really needed since i'm on my own emulated server, probably would add it in if i ever went to live WoW though. anyone have any thoughts on what else could be the issue?

Code:

System.Exception was unhandled
  Message=Assembly failed!  Error code: -121;  Error Line: 13
  Source=fasmdll_managed
  StackTrace:
       at Fasm.ManagedFasm.Assemble(String szSource, Int32 nMemorySize, Int32 nPassLimit)
       at Fasm.ManagedFasm.Assemble()
       at ConsoleApplication1.Hook.FixEndSceneForHB(IntPtr pEndScene) in C:\Users\phate\Desktop\Programming\ConsoleApplication2\ConsoleApplication2\Program.cs:line 290
       at ConsoleApplication1.Hook.Hooking() in C:\Users\phate\Desktop\Programming\ConsoleApplication2\ConsoleApplication2\Program.cs:line 87
       at ConsoleApplication1.Hook..ctor(UInt32 processId) in C:\Users\phate\Desktop\Programming\ConsoleApplication2\ConsoleApplication2\Program.cs:line 65
       at ConsoleApplication1.Program.LuaDoString(String command) in C:\Users\phate\Desktop\Programming\ConsoleApplication2\ConsoleApplication2\Program.cs:line 21
       at ConsoleApplication1.Program.Main(String[] args) in C:\Users\phate\Desktop\Programming\ConsoleApplication2\ConsoleApplication2\Program.cs:line 49
       at System.AppDomain._nExecuteAssembly(Assembly assembly, String[] args)
       at System.AppDomain.ExecuteAssembly(String assemblyFile, Evidence assemblySecurity, String[] args)
       at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
       at System.Threading.ThreadHelper.ThreadStart_Context(Object state)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Threading.ThreadHelper.ThreadStart()
  InnerException:

Code:

        private void FixEndSceneForHB(IntPtr pEndScene)
        {
            Memory.Asm.Clear();
            IntPtr _fixHBStub = (IntPtr) Memory.AllocateMemory(0x200);
            Memory.Asm.AddLine("push ebx");
            Memory.Asm.AddLine("mov bl, [" + pEndScene + "]");
            Memory.Asm.AddLine("cmp bl, 0xE9"); // check for the long jmp that hb uses.
            Memory.Asm.AddLine("jnz @HbIsNotHooked");
            Memory.Asm.AddLine("pop ebx"); // first pop the ebx register we pushed to the stack
            Memory.Asm.AddLine("pop ebp"); // then pop the ebp register HB pushed to the stack
            Memory.Asm.AddLine("jmp @original");
            Memory.Asm.AddLine("@HbIsNotHooked:");
            Memory.Asm.AddLine("pop ebx");
            Memory.Asm.AddLine("@original:");
            Memory.Asm.AddLine("Push 0x14");
            Memory.Asm.AddLine("Mov Eax, " + Memory.ReadUInt((uint) pEndScene) + 3);
            var funcOffset = ((uint)pEndScene) + 0xC + Memory.ReadInt(((uint)pEndScene) + 8);
            Memory.Asm.AddLine("Call " + ((uint)funcOffset - (uint)_fixHBStub));
            Memory.Asm.AddLine("Jmp " + ((uint)pEndScene + 0xC - (uint)_fixHBStub));
            Memory.Asm.AddLine("Jmp " + ((uint)_fixHBStub - (uint)pEndScene));
            Memory.WriteBytes((uint) _fixHBStub, Memory.Asm.Assemble());
            Memory.Asm.Clear();
        }

[WiNiFiX]

You can literally copy paste run https://github.com/winifix/Fishbot-3.3.5 see if that works