[Sample Code] EndScene Hook with ASM and blackmagic menu

  1. #1 RivaLfr (Contributor)

    [Sample Code] EndScene Hook with ASM and blackmagic

    Hi all,

    I am posting the source code for hooking EndScene with BlackMagic, using only ASM injection, for GetName, Interact, CTM and Lua DoString.

    This injection is not secure!!!

    I do not guarantee 100% operation.

    (Offsets for WoW 3.3.5a)

    Hook EndScene:
    Code:
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using Magic;
    using System.Threading;
    
    namespace WowManager.Memory
    {
        public class Hook
        {
            // Address of the injected code:
            uint injected_code = 0;
            uint addresseInjection = 0;
            public bool threadHooked = false;
            uint retnInjectionAsm = 0;
            bool InjectionUsed = false;
            public BlackMagic Memory = new BlackMagic();
            public uint _processId = 0;
            public Hook(uint processId)
            {
                _processId = processId;
                Hooking();
            }
    
            public void Hooking()
            {
                // Offset:
                uint DX_DEVICE = 0xC5DF88;
                uint DX_DEVICE_IDX = 0x397C;
                uint ENDSCENE_IDX = 0xA8;
    
                // Process Connect:
                if (!Memory.IsProcessOpen)
                {
                    Memory.OpenProcessAndThread(_processId);
                }
    
                if (Memory.IsProcessOpen)
                {
                    // Get address of EndScene
                    uint pDevice = Memory.ReadUInt(DX_DEVICE);
                    uint pEnd = Memory.ReadUInt(pDevice + DX_DEVICE_IDX);
                    uint pScene = Memory.ReadUInt(pEnd);
                    uint pEndScene = Memory.ReadUInt(pScene + ENDSCENE_IDX);
    
                    if (Memory.ReadByte(pEndScene) == 0xE9 && (injected_code == 0 || addresseInjection == 0)) // check if wow is already hooked and dispose Hook
                    {
                        DisposeHooking();
                    }
    
                    if (Memory.ReadByte(pEndScene) != 0xE9) // check if wow is already hooked
                    {
                        try
                        {
                            threadHooked = false;
                            // allocate memory to store injected code:
                            injected_code = Memory.AllocateMemory(2048);
                            // allocate memory the new injection code pointer:
                            addresseInjection = Memory.AllocateMemory(0x4);
                            Memory.WriteInt(addresseInjection, 0);
                            // allocate memory the pointer return value:
                            retnInjectionAsm = Memory.AllocateMemory(0x4);
                            Memory.WriteInt(retnInjectionAsm, 0);
    
                            // Generate the STUB to be injected
                            Memory.Asm.Clear(); // $Asm
    
                            // save regs
                            Memory.Asm.AddLine("pushad");
                            Memory.Asm.AddLine("pushfd");
    
                            // Test whether there is injected code waiting to run:
                            Memory.Asm.AddLine("mov eax, [" + addresseInjection + "]");
                            Memory.Asm.AddLine("test eax, eax");
                            Memory.Asm.AddLine("je @out");

                            // Call the injected function:
                            Memory.Asm.AddLine("mov eax, [" + addresseInjection + "]");
                            Memory.Asm.AddLine("call eax");

                            // Store the pointer it returned in eax:
                            Memory.Asm.AddLine("mov [" + retnInjectionAsm + "], eax");

                            // Clear the function pointer so the code runs only once:
                            Memory.Asm.AddLine("mov edx, " + addresseInjection);
                            Memory.Asm.AddLine("mov ecx, 0");
                            Memory.Asm.AddLine("mov [edx], ecx");
    
                            // Close func
                            Memory.Asm.AddLine("@out:");
    
                            // load reg
                            Memory.Asm.AddLine("popfd");
                            Memory.Asm.AddLine("popad");
    
    
                            // injected code
                            uint sizeAsm = (uint)(Memory.Asm.Assemble().Length);
                            Memory.Asm.Inject(injected_code);
    
                            // Size asm jumpback
                            int sizeJumpBack = 5;
    
                            // copy and save original instructions
                            Memory.Asm.Clear();
                            Memory.Asm.AddLine("mov edi, edi");
                            Memory.Asm.AddLine("push ebp");
                            Memory.Asm.AddLine("mov ebp, esp");
                            Memory.Asm.Inject(injected_code + sizeAsm);
    
                            // create jump back stub
                            Memory.Asm.Clear();
                            Memory.Asm.AddLine("jmp " + (pEndScene + sizeJumpBack));
                            Memory.Asm.Inject(injected_code + sizeAsm + (uint)sizeJumpBack);
    
                            // create hook jump
                            Memory.Asm.Clear(); // $jmpto
                            Memory.Asm.AddLine("jmp " + (injected_code));
                            Memory.Asm.Inject(pEndScene);
                        }
                        catch { threadHooked = false; return; }
                    }
                    threadHooked = true;
                }
    
            }
    
            public void DisposeHooking()
            {
                try
                {
                    // Offset:
                    uint DX_DEVICE = 0xC5DF88;
                    uint DX_DEVICE_IDX = 0x397C;
                    uint ENDSCENE_IDX = 0xA8;
    
                    // Get address of EndScene:
                    uint pDevice = Memory.ReadUInt(DX_DEVICE);
                    uint pEnd = Memory.ReadUInt(pDevice + DX_DEVICE_IDX);
                    uint pScene = Memory.ReadUInt(pEnd);
                    uint pEndScene = Memory.ReadUInt(pScene + ENDSCENE_IDX);
    
                    if (Memory.ReadByte(pEndScene) == 0xE9) // check if wow is already hooked and dispose Hook
                    {
                        // Restore origine endscene:
                        Memory.Asm.Clear();
                        Memory.Asm.AddLine("mov edi, edi");
                        Memory.Asm.AddLine("push ebp");
                        Memory.Asm.AddLine("mov ebp, esp");
                        Memory.Asm.Inject(pEndScene);
                    }
    
                    // free memory:
                    Memory.FreeMemory(injected_code);
                    Memory.FreeMemory(addresseInjection);
                    Memory.FreeMemory(retnInjectionAsm);
    
                } catch {}
            }
    
            public byte[] InjectAndExecute(string[] asm, int returnLength = 0)
            {
                while (InjectionUsed)
                { Thread.Sleep(5); }
                InjectionUsed = true;
    
                // Hook Wow:
                Hooking();
    
                byte[] tempsByte = new byte[0];
    
                // reset return value pointer
                Memory.WriteInt(retnInjectionAsm, 0);
    
                if (Memory.IsProcessOpen && threadHooked)
                {
                    // Write the asm stuff
                    Memory.Asm.Clear();
                    foreach (string tempLineAsm in asm)
                    {
                        Memory.Asm.AddLine(tempLineAsm);
                    }
    
                    // Allocation Memory
                    uint injectionAsm_Codecave = Memory.AllocateMemory(Memory.Asm.Assemble().Length);
    
    
                    try
                    {
                        // Inject
                        Memory.Asm.Inject(injectionAsm_Codecave);
                        Memory.WriteInt(addresseInjection, (int)injectionAsm_Codecave);
                        while (Memory.ReadInt(addresseInjection) != 0) { Thread.Sleep(5); } // Wait until the stub has consumed the pointer (addresses above 0x7FFFFFFF read as negative, so do not test "> 0")
    
    
                        if (returnLength > 0)
                        {
                            tempsByte = Memory.ReadBytes(Memory.ReadUInt(retnInjectionAsm), returnLength);
                        }
                        else
                        {
                            byte Buf;
                            List<byte> retnByte = new List<byte>();
                            uint dwAddress = Memory.ReadUInt(retnInjectionAsm);
                            Buf = Memory.ReadByte(dwAddress);
                            while (Buf != 0)
                            {
                                retnByte.Add(Buf);
                                dwAddress = dwAddress + 1;
                                Buf = Memory.ReadByte(dwAddress);
                            }
                            tempsByte = retnByte.ToArray();
                        }
                    }
                    catch { }
                    
                    // Free memory allocated 
                    Memory.FreeMemory(injectionAsm_Codecave);
                }
                InjectionUsed = false;
                // return
                return tempsByte;
            }
        }
    }
    Create new instance:
    Code:
    MyHook = new Hook(processId);
    Lua DoString:
    Code:
    public static void LuaDoString(string command)
    {
        // Allocate memory for the command string (+1 for the null terminator)
        uint DoStringArg_Codecave = MyHook.Memory.AllocateMemory(Encoding.UTF8.GetBytes(command).Length + 1);
        // offset:
        uint FrameScript__Execute = 0x819210;

        // Write value:
        MyHook.Memory.WriteBytes(DoStringArg_Codecave, Encoding.UTF8.GetBytes(command));

        // Write the asm stuff for Lua_DoString
        String[] asm = new String[]
        {
            "mov eax, " + DoStringArg_Codecave,
            "push 0",
            "push eax",
            "push eax",
            "mov eax, " + FrameScript__Execute, // Lua_DoString
            "call eax",
            "add esp, 0xC",
            "retn",
        };

        // Inject
        MyHook.InjectAndExecute(asm);
        // Free memory allocated
        MyHook.Memory.FreeMemory(DoStringArg_Codecave);
    }
    GetLocalizedText:
    Code:
    public static string GetLocalizedText(string Commandline)
    {
        // Command to send using LUA
        String Command = Commandline;

        // Allocate memory for command (+1 for the null terminator)
        uint Lua_GetLocalizedText_Space = MyHook.Memory.AllocateMemory(Encoding.UTF8.GetBytes(Command).Length + 1);

        // offset:
        uint ClntObjMgrGetActivePlayerObj = 0x4038F0;
        uint FrameScript__GetLocalizedText = 0x7225E0;

        // Write command in the allocated memory
        MyHook.Memory.WriteBytes(Lua_GetLocalizedText_Space, Encoding.UTF8.GetBytes(Command));

        String[] asm = new String[]
        {
            "call " + ClntObjMgrGetActivePlayerObj,
            "mov ecx, eax",
            "push -1",
            "mov edx, " + Lua_GetLocalizedText_Space,
            "push edx",
            "call " + FrameScript__GetLocalizedText,
            "retn",
        };
        // Inject and read the null-terminated string the function returns
        string sResult = Encoding.ASCII.GetString(MyHook.InjectAndExecute(asm));

        // Free memory allocated for command
        MyHook.Memory.FreeMemory(Lua_GetLocalizedText_Space);

        return sResult;
    }
    Use Lua DoString + GetLocalizedText:
    Code:
    public static int GetContainerNumFreeSlots()
    {
        LuaDoString("freeslots = GetContainerNumFreeSlots(0) + GetContainerNumFreeSlots(1) + GetContainerNumFreeSlots(2) + GetContainerNumFreeSlots(3) + GetContainerNumFreeSlots(4)");
        return Convert.ToInt32(GetLocalizedText("freeslots"));
    }
    Click To Move:
    Code:
    public static void CGPlayer_C__ClickToMove(Single x, Single y, Single z, UInt64 guid, Int32 action, Single precision)
    {
        // Allocate Memory:
        UInt32 Pos_Codecave = MyHook.Memory.AllocateMemory(0x4 * 3);
        UInt32 GUID_Codecave = MyHook.Memory.AllocateMemory(0x8);
        UInt32 Precision_Codecave = MyHook.Memory.AllocateMemory(0x4);

        // Offset:
        uint CGPlayer_C__ClickToMove = 0x727400;
        uint ClntObjMgrGetActivePlayerObj = 0x4038F0;

        // Write value:
        MyHook.Memory.WriteUInt64(GUID_Codecave, guid);
        MyHook.Memory.WriteFloat(Precision_Codecave, precision);

        MyHook.Memory.WriteFloat(Pos_Codecave, x);
        MyHook.Memory.WriteFloat(Pos_Codecave + 0x4, y);
        MyHook.Memory.WriteFloat(Pos_Codecave + 0x8, z);

        // BOOL __thiscall CGPlayer_C__ClickToMove(WoWActivePlayer *this, CLICKTOMOVETYPE clickType, WGUID *interactGuid, WOWPOS *clickPos, float precision)
        string[] asm = new string[]
        {
            "mov edx, [" + Precision_Codecave + "]",
            "push edx",

            "call " + ClntObjMgrGetActivePlayerObj,
            "mov ecx, eax",

            "push " + Pos_Codecave,
            "push " + GUID_Codecave,
            "push " + action,

            "call " + CGPlayer_C__ClickToMove,
            "retn",
        };

        MyHook.InjectAndExecute(asm);

        MyHook.Memory.FreeMemory(Pos_Codecave);
        MyHook.Memory.FreeMemory(GUID_Codecave);
        MyHook.Memory.FreeMemory(Precision_Codecave);
    }
    GetName:
    Code:
    public static string GetName(uint BaseAddress)
    {
        // Index of the GetName slot in the object's virtual method table
        uint GetNameVMT = 54;
        string sResult = "";

        uint VMT = MyHook.Memory.ReadUInt(MyHook.Memory.ReadUInt(BaseAddress) + (GetNameVMT * 4));

        string[] asm = new string[]
        {
            "mov ecx, " + BaseAddress,
            "mov eax, " + VMT,
            "call eax",
            "retn",
        };

        sResult = Encoding.ASCII.GetString(MyHook.InjectAndExecute(asm));
        return sResult;
    }
    Interact:
    Code:
          
    public static void InteractGameObject(uint baseAddress)
    {
        // Index of the Interact slot in the object's virtual method table
        uint InteractVMT = 44;
        if (baseAddress > 0)
        {
            uint VMT44 = MyHook.Memory.ReadUInt(MyHook.Memory.ReadUInt(baseAddress) + (InteractVMT * 4));
            var objectManagerBase = 0x2ED0;

            string[] asm = new string[]
            {
                "fs mov eax, [0x2C]",
                "mov eax, [eax]",
                "add eax, 0x10",
                "mov dword [eax], " + objectManagerBase,
                "mov ecx, " + baseAddress,
                "call " + VMT44,
                "retn",
            };

            MyHook.InjectAndExecute(asm);
        }
    }




    Sample project: http://www.multiupload.com/TAWE0RFMWL

    Why hook EndScene?
    To avoid detection on public projects; if you want, you can hook any function and it will work. Programs other than bots hook EndScene too, such as Fraps for video capture, Ventrilo to see who is speaking in-game, Xfire..., and they also use a jmp, so Warden cannot tell whether the jmp to this function comes from legitimate software or not (this software needs to hook EndScene to add graphical elements to the game).


    I want to thank Jujuboss and mdperdu for their help.
    Last edited by RivaLfr; 03-16-2011 at 02:56 PM.

  2. #2 Steveiwonder (Active Member)
    Excellent, I need something like this to get started on injection (not that there aren't a million other things on ).

    Ty

  3. #3 streppel (Active Member)
    Great post, thanks for this even though my bot already had it, +rep

  4. #4 Cypher
    "Why is the hook endscene?
    To not do detect on public project, because if you want you can hook any function that it will work. Programs other than the bot Hook endscene like Fraps for video capture, Ventrilo to see who speaks in the game, xfire ... and also make a jmp, so the warden can not tell whether the jmp to this function and to jmp a legal software or not (this is the software required to hook the endscene to add graphic elements to the game)."

    Actually, Warden COULD detect that if it wanted. Last time I checked, PunkBuster has a hook whitelist for 'known' legitimate software (Fraps, Xfire, etc) and kicks if your hook does not match an entry in the whitelist.

    What you mean to say is that whilst it could, it doesn't.
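    The hook in the first post overwrites the first five bytes of EndScene (the hot-patch prologue mov edi,edi / push ebp / mov ebp,esp) with a rel32 jmp, and Cypher's reply describes anti-cheat systems that compare a hook's target against a whitelist of known modules. As an added example, not code from this thread or from BlackMagic, here is the integrity check a defender would write in C: decode a function's first five bytes, resolve a rel32 jmp to its absolute target, and classify that target against a list of module ranges. The EndScene address, the overlay.dll range and the sample prologues are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* How a function's first five bytes classify. */
typedef enum {
    HOOK_NONE = 0,        /* untouched hot-patch prologue 8B FF 55 8B EC */
    HOOK_JMP_WHITELISTED, /* E9 rel32 whose target lies inside a known module */
    HOOK_JMP_UNKNOWN,     /* E9 rel32 into memory no known module owns */
    HOOK_MODIFIED         /* patched, but not with a plain 5-byte jmp */
} hook_class_t;

/* Address range of a loaded module (values constructed for this example). */
typedef struct { const char *name; uint32_t base; uint32_t size; } module_range_t;

/* Absolute target of a 5-byte E9 rel32 jmp located at `addr`:
   target = address of the next instruction + signed displacement. */
uint32_t jmp_rel32_target(uint32_t addr, const uint8_t bytes[5]) {
    int32_t rel;
    memcpy(&rel, bytes + 1, sizeof rel);   /* little-endian rel32 */
    return addr + 5u + (uint32_t)rel;      /* wraps mod 2^32 exactly like the CPU */
}

/* The whitelisted module that owns `target`, or NULL if none does. */
const module_range_t *owning_module(uint32_t target, const module_range_t *mods, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (target >= mods[i].base && target - mods[i].base < mods[i].size)
            return &mods[i];
    return NULL;
}

/* Classify the prologue at `func_addr`; on a jmp, the resolved target is written to *target_out. */
hook_class_t classify_prologue(uint32_t func_addr, const uint8_t bytes[5],
                               const module_range_t *whitelist, size_t n, uint32_t *target_out) {
    static const uint8_t hotpatch[5] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC}; /* mov edi,edi; push ebp; mov ebp,esp */
    if (memcmp(bytes, hotpatch, sizeof hotpatch) == 0) return HOOK_NONE;
    if (bytes[0] != 0xE9) return HOOK_MODIFIED;
    uint32_t target = jmp_rel32_target(func_addr, bytes);
    if (target_out) *target_out = target;
    return owning_module(target, whitelist, n) ? HOOK_JMP_WHITELISTED : HOOK_JMP_UNKNOWN;
}

int main(void) {
    /* Constructed scenario: EndScene assumed at 0x00401000, one whitelisted overlay
       module at 0x10000000..0x100FFFFF, and three candidate prologues. */
    const module_range_t whitelist[] = {{"overlay.dll", 0x10000000u, 0x00100000u}};
    const uint8_t samples[3][5] = {
        {0x8B, 0xFF, 0x55, 0x8B, 0xEC}, /* untouched prologue */
        {0xE9, 0xFB, 0x3F, 0xC0, 0x0F}, /* jmp to 0x10005000, inside overlay.dll */
        {0xE9, 0xFB, 0xEF, 0x9F, 0x00}, /* jmp to 0x00E00000, a private allocation */
    };
    static const char *label[] = {"none", "jmp-whitelisted", "jmp-unknown", "modified"};
    for (int i = 0; i < 3; i++) {
        uint32_t target = 0;
        hook_class_t c = classify_prologue(0x00401000u, samples[i], whitelist, 1, &target);
        printf("sample %d: %s (target 0x%08X)\n", i, label[c], (unsigned)target);
    }
    return 0;
}
```

A jmp into a private allocation (the third sample, which is what the BlackMagic AllocateMemory approach above produces) is exactly the case a whitelist check flags, since no loaded module owns that address.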

  5. #5 namreeb (Legendary)
    Interesting. What data does it use to check a hook against this whitelist? The code at the function it jumps to? That seems rather unreliable.

  6. #6 Chinchy (Active Member)
    Originally Posted by namreeb:
    Interesting. What data does it use to check a hook against this whitelist? The code at the function it jumps to? That seems rather unreliable.
    It's reliable as it needs to be. There is a reason PB only kicks for it rather than bans.

  7. #7 RivaLfr (Contributor)
    Thanks for this info Cypher, but if Warden detected all EndScene hooks, a lot of video capture software would not work, for example. They cannot make a whitelist of all software that exists, and cannot prohibit video capture.

    To protect the code you need to randomize your injection, so that Warden cannot make a pattern.

    The injection is always risky on the public projects, even if the injection is protected.

  8. #8 RivaLfr (Contributor)
    Originally Posted by Cypher:
    /facepalm



    10 points to Gryffindor!
    I'm not saying I'm right, I just gave my point of view, after listening to what you said.

    I posted this code because it can be useful.

  9. #9 Cypher
    Originally Posted by RivaLfr:
    I'm not saying I'm right, I said just my point of view, after listening to what you said.

    I post this code because it can be useful.
    Your 'opinion' is irrelevant though. I wasn't giving my opinion on the functionality being implemented into Warden, I was simply stating facts and correcting an error in your post (i.e. that such functionality DOES in fact exist in other live and widespread AC systems and it would be quite possible to implement it in Warden).

    Tl;dr: Nobody cares. (Or at least, I don't.)

  10. #10 RivaLfr (Contributor)
    Ok, no problem, thank you for your contribution Cypher.

  11. #11 Seifer (Site Donator)
    Basically what Cypher is saying is that it's about as secure as cheating on your wife in her bedroom, while she's asleep. Literally.

  12. #12 RivaLfr (Contributor)
    Last edited by RivaLfr; 09-20-2010 at 10:32 AM.

  13. #13 DamonT (Member)
    Originally Posted by RivaLfr:
    Did you ever notice the "MOV EDI,EDI" instruction at the beginning? It seems useless... but there's a reason for it.
    I'd really like to see somebody use this to make a "cleaner" hook instead of overwriting the stack-frame creation.

    Here's the example:

    Note: if you use a CALL, you have to change/increase the return address, since otherwise it will end up in an infinite loop.

    Also keep in mind that offset scanning is not Warden's only way to detect hacks...

  14. #14 KuRIoS (Admin)
    Stop posting the pathetic pics we do not allow them for a reason.
    Only thing they are good for is starting spam - grow up.

  15. #15 RivaLfr (Contributor)
    Stop spamming me with PMs.

    Go to this post for the last offset: http://www.mmowned.com/forums/world-...ml#post1977673

    And add the address of the Wow.exe module to all WoW function addresses in the asm code and to DX_DEVICE.
