[1.12.1] Problems with printing to in game console

[wowwac]

Hello, I've started to fiddle around with cpp dll injection and I'm trying to print text to WoW's console. I've made some bots in the past and they were mostly passive and out-of-process. I've found the address of "PrintToConsole" function on 0x63CB50 (or 0x23CB50 rebased) and it expects pointer to the string it has to print in ECX and color in EDX (white = 0, red = 3...). First I've tried to typedef it as __fastcall with 2 arguments but it crashed the game (the function was called with correct parameters, but maybe I did something wrong?) so then I tried to call it using inline ASM but it always crashes due to ACCESS_VIOLATION error. I've noticed that it crashes when accessing the stack registers (ESP and EBP). I thought that I have to push some value to the stack that it expects, but I didn't find anything when I looked through the original calls in the code. I can change almost every register to 0x0 and the function works as long as I don't change ECX, EBP and ESP. I've also tried to preserve the registers but it doesn't change anything since it crashes while it's calling the function, not after.

Anyway, here's my code:

Code:

(this is called on attach in dllmain)
char message[] = "test";
PrintToConsole((unsigned __int32)&message, 0x63CB50);

void __stdcall PrintToConsole(unsigned __int32 TextPointer, unsigned __int32 PrintPointer) {
	__asm
	{
		//pushfd
		//pushad

		mov edx, 0
		mov ecx, TextPointer
		call PrintPointer

		//popfd
		//popad
	}
}

The original PrintToConsole function ("xx" is the command I send):

Code:

0063CB50 | PUSH EBP                                | PrintToCnsole
0063CB51 | MOV EBP, ESP                            |
0063CB53 | SUB ESP, 8                              |
0063CB56 | PUSH EBX                                |
0063CB57 | MOV EBX, ECX                            | ecx:"Unknown command"
0063CB59 | TEST EBX, EBX                           |
0063CB5B | MOV DWORD PTR SS:[EBP - 8], EDX         | [ebp-8]:"xx"
0063CB5E | MOV DWORD PTR SS:[EBP - 4], EBX         |
0063CB61 | JE wow.63CCF1                           |
0063CB67 | CMP BYTE PTR DS:[EBX], 0                |
0063CB6A | JE wow.63CCF1                           |
0063CB70 | MOV EAX, DWORD PTR DS:[C4EC1C]          |
0063CB75 | TEST EAX, EAX                           |
0063CB77 | JE wow.63CCF1                           |
0063CB7D | MOV EAX, DWORD PTR DS:[C4EC34]          |
0063CB82 | TEST EAX, EAX                           |
0063CB84 | JE wow.63CCF1                           |
0063CB8A | PUSH ESI                                |
0063CB8B | PUSH EDI                                | edi:"xx"
0063CB8C | MOV ECX, wow.C4E64C                     | ecx:"Unknown command"
0063CB91 | CALL <wow.EnterCriticalSection?>        |
0063CB96 | PUSH 8                                  |
0063CB98 | PUSH FFFFFFFE                           |
0063CB9A | PUSH wow.864908                         | 0x864908:".?AUCONSOLELINE@@"
0063CB9F | PUSH 24                                 |
0063CBA1 | CALL <wow.SomethingWithDebug??>         |
0063CBA6 | TEST EAX, EAX                           |
0063CBA8 | JE wow.63CBBB                           |
0063CBAA | MOV DWORD PTR DS:[EAX], 0               |
0063CBB0 | MOV DWORD PTR DS:[EAX + 4], 0           |
0063CBB7 | MOV ESI, EAX                            |
0063CBB9 | JMP wow.63CBBD                          |
0063CBBB | XOR ESI, ESI                            |
0063CBBD | MOV EAX, DWORD PTR DS:[C4E9AC]          |
0063CBC2 | TEST AL, 1                              |
0063CBC4 | JNE wow.63CC45                          |
0063CBC6 | TEST EAX, EAX                           |
0063CBC8 | JE wow.63CC45                           |
0063CBCA | MOV ECX, DWORD PTR DS:[EAX + 14]        | ecx:"Unknown command"
0063CBCD | TEST ECX, ECX                           | ecx:"Unknown command"
0063CBCF | MOV EBX, EAX                            |
0063CBD1 | JE wow.63CC42                           |
0063CBD3 | TEST ESI, ESI                           |
0063CBD5 | MOV EDI, ESI                            | edi:"xx"
0063CBD7 | JNE wow.63CBDE                          |
0063CBD9 | MOV EDI, wow.C4E9A8                     | edi:"xx"
0063CBDE | CMP DWORD PTR DS:[EDI], 0               | edi:"xx"
0063CBE1 | JE wow.63CC05                           |
0063CBE3 | PUSH FFFFFFFF                           |
0063CBE5 | MOV ECX, EDI                            | ecx:"Unknown command", edi:"xx"
0063CBE7 | CALL wow.63CF80                         |
0063CBEC | MOV ECX, DWORD PTR DS:[EDI]             | ecx:"Unknown command", edi:"xx"
0063CBEE | MOV DWORD PTR DS:[EAX], ECX             | ecx:"Unknown command"
0063CBF0 | MOV EDX, DWORD PTR DS:[EDI]             | edi:"xx"
0063CBF2 | MOV EAX, DWORD PTR DS:[EDI + 4]         |
0063CBF5 | MOV DWORD PTR DS:[EDX + 4], EAX         |
0063CBF8 | MOV DWORD PTR DS:[EDI], 0               | edi:"xx"
0063CBFE | MOV DWORD PTR DS:[EDI + 4], 0           |
0063CC05 | MOV DWORD PTR DS:[EDI], EBX             | edi:"xx"
0063CC07 | MOV ECX, DWORD PTR DS:[EBX + 4]         | ecx:"Unknown command"
0063CC0A | MOV DWORD PTR DS:[EDI + 4], ECX         | ecx:"Unknown command"
0063CC0D | MOV EAX, DWORD PTR DS:[EBX + 4]         |
0063CC10 | TEST AL, 1                              |
0063CC12 | MOV ECX, DWORD PTR DS:[C4E9A4]          | ecx:"Unknown command"
0063CC18 | JNE wow.63CC1E                          |
0063CC1A | TEST EAX, EAX                           |
0063CC1C | JNE wow.63CC2B                          |
0063CC1E | AND EAX, FFFFFFFE                       |
0063CC21 | MOV DWORD PTR DS:[EAX], EDI             | edi:"xx"
0063CC23 | MOV DWORD PTR DS:[EBX + 4], ESI         |
0063CC26 | MOV EBX, DWORD PTR SS:[EBP - 4]         |
0063CC29 | JMP wow.63CC9F                          |
0063CC2B | TEST ECX, ECX                           | ecx:"Unknown command"
0063CC2D | JGE wow.63CC36                          |
0063CC2F | MOV EDX, DWORD PTR DS:[EBX]             |
0063CC31 | MOV ECX, EBX                            | ecx:"Unknown command"
0063CC33 | SUB ECX, DWORD PTR DS:[EDX + 4]         | ecx:"Unknown command"
0063CC36 | ADD EAX, ECX                            | ecx:"Unknown command"
0063CC38 | MOV DWORD PTR DS:[EAX], EDI             | edi:"xx"
0063CC3A | MOV DWORD PTR DS:[EBX + 4], ESI         |
0063CC3D | MOV EBX, DWORD PTR SS:[EBP - 4]         |
0063CC40 | JMP wow.63CC9F                          |
0063CC42 | MOV EBX, DWORD PTR SS:[EBP - 4]         |
0063CC45 | TEST ESI, ESI                           |
0063CC47 | MOV EDI, ESI                            | edi:"xx"
0063CC49 | JNE wow.63CC50                          |
0063CC4B | MOV EDI, wow.C4E9A8                     | edi:"xx"
0063CC50 | CMP DWORD PTR DS:[EDI], 0               | edi:"xx"
0063CC53 | JE wow.63CC77                           |
0063CC55 | PUSH FFFFFFFF                           |
0063CC57 | MOV ECX, EDI                            | ecx:"Unknown command", edi:"xx"
0063CC59 | CALL wow.63CF80                         |
0063CC5E | MOV ECX, DWORD PTR DS:[EDI]             | ecx:"Unknown command", edi:"xx"
0063CC60 | MOV DWORD PTR DS:[EAX], ECX             | ecx:"Unknown command"
0063CC62 | MOV EDX, DWORD PTR DS:[EDI]             | edi:"xx"
0063CC64 | MOV EAX, DWORD PTR DS:[EDI + 4]         |
0063CC67 | MOV DWORD PTR DS:[EDX + 4], EAX         |
0063CC6A | MOV DWORD PTR DS:[EDI], 0               | edi:"xx"
0063CC70 | MOV DWORD PTR DS:[EDI + 4], 0           |
0063CC77 | MOV DWORD PTR DS:[EDI], wow.C4E9A8      | edi:"xx"
0063CC7D | MOV ECX, DWORD PTR DS:[C4E9AC]          | ecx:"Unknown command"
0063CC83 | MOV DWORD PTR DS:[EDI + 4], ECX         | ecx:"Unknown command"
0063CC86 | MOV EDX, DWORD PTR DS:[C4E9A4]          |
0063CC8C | PUSH EDX                                |
0063CC8D | MOV ECX, wow.C4E9A8                     | ecx:"Unknown command"
0063CC92 | CALL wow.63CF80                         |
0063CC97 | MOV DWORD PTR DS:[EAX], EDI             | edi:"xx"
0063CC99 | MOV DWORD PTR DS:[C4E9AC], ESI          |
0063CC9F | PUSH EBX                                |
0063CCA0 | CALL wow.64A6F0                         |
0063CCA5 | PUSH 0                                  |
0063CCA7 | PUSH AAF                                |
0063CCAC | INC EAX                                 |
0063CCAD | PUSH wow.8648C8                         | 0x8648C8:"E:\\build\\buildWoW\\WoW\\Source\\Console\\ConsoleClient.cpp"
0063CCB2 | PUSH EAX                                |
0063CCB3 | MOV DWORD PTR DS:[ESI + C], EAX         |
0063CCB6 | MOV DWORD PTR DS:[ESI + 10], EAX        |
0063CCB9 | CALL <wow.SomethingWithDebug??>         |
0063CCBE | PUSH 7FFFFFFF                           |
0063CCC3 | PUSH EBX                                |
0063CCC4 | PUSH EAX                                |
0063CCC5 | MOV DWORD PTR DS:[ESI + 8], EAX         |
0063CCC8 | CALL wow.64A5A0                         |
0063CCCD | MOV EAX, DWORD PTR SS:[EBP - 8]         | [ebp-8]:"xx"
0063CCD0 | MOV ECX, ESI                            | ecx:"Unknown command"
0063CCD2 | MOV DWORD PTR DS:[ESI + 1C], EAX        |
0063CCD5 | CALL wow.639020                         |
0063CCDA | INC DWORD PTR DS:[C4EC24]               |
0063CCE0 | CALL wow.63BBD0                         |
0063CCE5 | MOV ECX, wow.C4E64C                     | ecx:"Unknown command"
0063CCEA | CALL wow.6579C0                         |
0063CCEF | POP EDI                                 | edi:"xx"
0063CCF0 | POP ESI                                 |
0063CCF1 | POP EBX                                 |
0063CCF2 | MOV ESP, EBP                            |
0063CCF4 | POP EBP                                 |
0063CCF5 | RET                                     |

Some original calls to the function:

Code:

.....
0063CD1F | LEA ECX, DWORD PTR SS:[EBP + 10]        |
0063CD22 | PUSH ECX                                | ecx:"Unknown command"
0063CD23 | PUSH EAX                                |
0063CD24 | LEA EDX, DWORD PTR SS:[EBP - 400]       |
0063CD2A | PUSH 400                                |
0063CD2F | PUSH EDX                                |
0063CD30 | CALL wow.64A8B0                         |
0063CD35 | MOV EDX, DWORD PTR SS:[EBP + C]         |
0063CD38 | ADD ESP, 10                             |
0063CD3B | LEA ECX, DWORD PTR SS:[EBP - 400]       |
0063CD41 | CALL <wow.PrintToConsole>               |
0063CD46 | MOV ESP, EBP                            |
0063CD48 | POP EBP                                 |
0063CD49 | RET                                     |
......
0063CF0B | MOV EAX, DWORD PTR DS:[C4F86C]          |
0063CF10 | MOV ECX, DWORD PTR DS:[C4F864]          |
0063CF16 | AND EAX, ESI                            |
0063CF18 | LEA EAX, DWORD PTR DS:[EAX + EAX * 2]   |
0063CF1B | LEA EAX, DWORD PTR DS:[ECX + EAX * 4]   |
0063CF1E | MOV EAX, DWORD PTR DS:[EAX]             |
0063CF20 | ADD EAX, EBX                            |
0063CF22 | MOV EBX, DWORD PTR DS:[EAX + 4]         |
0063CF25 | JMP wow.63CEE0                          |
0063CF27 | XOR EDX, EDX                            |
0063CF29 | MOV ECX, wow.865104                     | 0x865104:"Unknown command"
0063CF2E | CALL <wow.PrintToConsole>               |
0063CF33 | POP EDI                                 | edi:"xx"
0063CF34 | POP ESI                                 |
0063CF35 | POP EBX                                 |
0063CF36 | MOV ESP, EBP                            |
0063CF38 | POP EBP                                 |
0063CF39 | RET                                     |
........
0063986A | MOV EDX, 3                              |
0063986F | MOV ECX, wow.864A08                     | 0x864A08:"One or more colors are not in the 0 to 255 range or missing."
00639874 | CALL <wow.PrintToConsole>               |
00639879 | MOV EDX, 3                              |
0063987E | MOV ECX, wow.8649D0                     | 0x8649D0:"Make sure to specify the red, green and blue colors."
00639883 | CALL <wow.PrintToConsole>               |
00639888 | POP ESI                                 |
00639889 | XOR EAX, EAX                            |
0063988B | POP EBX                                 |
0063988C | MOV ESP, EBP                            |
0063988E | POP EBP                                 |
........

PS: I've already searched the forum but I haven't found the solution to my issue. But then again the vBulletin search function is not exactly the best one so I may have skipped something...

[namreeb]

I'm not sure why it's crashing, maybe because you're not restoring the values of ecx and edx? But the way you're doing this you're making things harder on yourself than they need to be. First of all, there is a va version of the console write function at 0x63CB50, which looks like this:

Code:

void ConsolePrintf(const char *Format, ...)
{
  char msg[4]; // [esp+0h] [ebp-400h]
  va_list Args; // [esp+40Ch] [ebp+Ch]

  va_start(Args, Format);
  if ( Format && *Format )
  {
    if ( s_device )
    {
      SStrVPrintf((int)msg, 1024, (char *)Format, Args);
      ConsoleCommandWriteHelp(msg, 0);
    }
  }
}

You can call it like this:

Code:

using ConsolePrintT = void (*)(const char *format, ...);

auto const consolePrint = reinterpret_cast<ConsolePrintT>(0x0x63CB50);

consolePrint("You can print anything you want here %d", 5);

[DarkLinux]

What thread are you calling from?

Calling from the main thread with no crash or problems,

Code:

typedef int (__fastcall *_ConsoleWrite) (const char*, int);

static int ConsoleWrite(const char* text)
{
	_ConsoleWrite consoleWrite = (_ConsoleWrite)0x0063CB50;
	return consoleWrite(text, 0);
}

[wowwac]

Hmm, I've just tested some things and the wow crashes even when there is no code in my dll, so the error must be somewhere in my injector, lol... Never gonna trust a copy-pasta without trying it first again I'll try fixing it and post the results, but it's almost 3AM here, so it'll have to wait for (tomorrow) today....