[Wow] WorldFrameTraceline crash and how to involk main thread using c#

**tommingc** · 11-04-2022

Hello everyone,

New to here, I got the Traceline function using this signature.
//48 83 EC 58 8B 42 08 F2 0F 10 02 48 8D 54 24 ?? 89 44 24 28 41 8B 40 08 89 44 24 34 48 8B 84 24 ?? ?? ?? ?? 48 89 44 24 ?? 48 8B 84 24 ?? ?? ?? ?? F2 0F 11 44 24 ?? F2 41 0F 10 00 48 89 44 24 ?? F2 0F 11 44 24 ?? 4C 89 4C 24 ?? E8 ?? ?? ?? ?? 48 83 C4 58 C3

by looking at the structure it apears this function requires (worldptr &end, &start, &hit, &distance, intersectFlags)

I then get the worldptr using
ulong worldPtr = Client.Read<ulong>(MainModule.BaseAddress + WorldFrameOffset)

applied the end/start/hit and distance code cave in the memory.

I then use CreateRemoteThread to execute below shell code,

Code:

       string[] mnemonics =
            {

                "mov rax, " + (uint)IntersectFlags.LineOfSight, //0x5D,//0b01011011  
                "mov [rsp+0x28], rax",
                "mov rax, " + distanceCave,
                "mov [rsp+0x20], rax", 
                "mov r9, " + hitCave,
                "mov r8, " + startCave,
                "mov rdx, " + endCave,
                "mov rcx, " + worldPtr,
                "mov rbx, " + ((long)ps.MainModule.BaseAddress + (long)caddr.WorldFrameIntersect),

                "sub rsp, 0x28",
                "call rbx",
                "mov [" + resultCollisionCave + "], rax"
                "add rsp, 0x28",

                "ret"
            };

the client froze for 1 second and disappeared, unlike other calls, if i call using a wrong parameter it will crash by #138 or such.

and this is how it looks like in the memory

Code:

  
            000002098C260000                  | 48:C74424 28 11001000                   | mov qword ptr ss:[rsp+28],100011                        |
            000002098C260009                  | 48:B8 2A00248C09020000                  | mov rax,2098C24002A                                     |
            000002098C260013                  | 48:894424 20                            | mov qword ptr ss:[rsp+20],rax                           |
            000002098C260018                  | 49:B9 1E00248C09020000                  | mov r9,2098C24001E                                      |
            000002098C260022                  | 49:B8 1C00248C09020000                  | mov r8,2098C24001C                                      |
            000002098C26002C                  | 48:BA 1000248C09020000                  | mov rdx,2098C240010                                     |
            000002098C260036                  | 48:B9 A098BAF709020000                  | mov rcx,209F7BA98A0                                     |
            000002098C260040                  | 48:B8 90B3B9C5F77F0000                  | mov rax,wowclassict.7FF7C5B9B390                        |
            000002098C26004A                  | 48:83EC 28                              | sub rsp,28                                              |
            000002098C26004E                  | FFD0                                    | call rax                                                |
            000002098C260050                  | 48:83C4 28                              | add rsp,28                                              |
            000002098C260054                  | C3                                      | ret

I have done similar calls using createremotethread for functions like click move, spell cast, etc, for the intersect I tried hard and never succeeded.

I'm new to the Shellcode, I believe I did something wrong to the above processes, and I don't know how to invoke the main thread using C#, do we have to execute in the main thread? how to?
Kindly please review and give suggestions.

Cheers!.

**tommingc** · 11-04-2022

oops, correct the typo in the subject.

**air999** · 11-05-2022

Prototype should be WorldIntersect(INT_PTR currentWorldFrame, INT_PTR start, INT_PTR end, INT_PTR result, INT_PTR distance, unsigned int flags, INT_PTR hitTestResult)
you missed INT_PTR hitTestResult

**tommingc** · 11-05-2022

Originally Posted by air999

Prototype should be WorldIntersect(INT_PTR currentWorldFrame, INT_PTR start, INT_PTR end, INT_PTR result, INT_PTR distance, unsigned int flags, INT_PTR hitTestResult)
you missed INT_PTR hitTestResult

Thanks, I tried to look into again, it appears there is no hittestresult parameter, it has return value to RAX, I'm working on wow classic by the way.
there is also the possible I found the wrong call. I will look into it further.
Snipaste_2022-11-05_21-36-10.jpg

**ChrisIsMe** · 11-05-2022

aaaaaaaaaaaaaaaaaaaa

**tommingc** · 11-06-2022

Originally Posted by ChrisIsMe

Code:

Vector3 TraceLine(Vector3 from, Vector3 to, int32_t hitFlags)
{
    uintptr_t S_CurWorldFrame = *(uintptr_t*)(base + CUR_WORLD_FRAME);
    Vector3 res = { 0, 0, 0 };
    float distance = 1;
    Hit test = {
        from,
        to,
        &res,
        &distance,
        hitFlags,
    };
    WorldIntersect(*(uintptr_t*)(S_CurWorldFrame + 8LL * *(unsigned int*)(S_CurWorldFrame + 32) + 16), &test);
    return res;
}

You can find intersect easy because you know the common hitflags used in the client.

in ida search immediate value `9437521`

Appreciate, this is indeed a much easier way to find the call. Appears I found the correct one. I will keep working on it,
Cheers!

Shout-Out

User Tag List

Thread: [Wow] WorldFrameTraceline crash and how to involk main thread using c#

Thread Tools

Search Thread

[Wow] WorldFrameIntersect crash and how to invoke main thread using c#

Similar Threads

[Tool] [HELP] i need wow luncher to work on LAN and how to set up server

[How-To] Which language for wow hacks/bots and how to do em?

The essentials of the WoW Economy, and how to dominate it

Stealth Tools and how to use it to hide keyloggers,to get WoW accounts

OwnedCore Forums

casino

CoreCoins

My OwnedCore

About Us

Casino