WoW Memory Editing (for learning purposes only)
This section is more advanced than the others on MMOwned. Read the section-specific rules; infractions will be given out if you break them! That includes the expectations: if you don't meet them, don't post.
12-01-2008 | Master Sergeant | Join Date: Feb 2007 | Posts: 86
My failed try :)
Hi everyone !!!
First of all: Cypher, please accept my apologies for my dumb question yesterday in my PM ^^ It was really too silly after all.
Well, my current goal is to execute functions in order to control my char in game via DLL injection.
I wanted to start by jumping.
So I started IDA and looked for "JumpOrAscendStart" in the strings.
I found it at:
Code:
.rdata:0095BEC0 aJumporascendst db 'JumpOrAscendStart',0 ; DATA XREF: .data:off_FCCFD8o
I pressed Ctrl-X in order to see what references this string, and it leads to:
Code:
.data:00FCCFD8 off_FCCFD8 dd offset aJumporascendst ; DATA XREF: sub_552A00+9r
.data:00FCCFD8 ; sub_552A30:loc_552A33r
.data:00FCCFD8 ; "JumpOrAscendStart"
There are 2 functions: sub_552A00 and sub_552A30.
First of all: are those functions used by WoW to make your char jump? Moreover, I saw that some Lua functions (such as JumpOrAscendStart) are disabled by Blizzard. Are they disabled only for addons, or also for use from memory? (Can I use them with DLL injection?) Well, they are not fully disabled, because WoW uses them, but perhaps they have to be enabled before being used.
Then I tried to use the first function from an injected DLL with:
Code:
#include <windows.h>

// sub_552A00 is the function IDA showed next to the "JumpOrAscendStart" string
void (__stdcall *sub_552A00)() = (void (__stdcall *)())0x00552A00;

int WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        MessageBox(NULL, L"DLL loaded successfully", L"Success", MB_OK);
        sub_552A00; // meant to call the jump function
        break;
    case DLL_PROCESS_DETACH:
        // Should have inserted something here but it was just for test
        break;
    }
    return TRUE;
}
First, in my code I declare the sub_552A00 function, but I don't really think it is the right way... (I put stdcall but I didn't know what else I could put... there is nothing in IDA that can help me, or I don't know it.)
Then I call the function, but nothing happens in game...
To summarize:
Is sub_552A00 really used by WoW to jump? If it's not, how could I find the correct function? I've read that I could call JumpOrAscendStart with DoString in order to call the function via Lua, but I wanted to find the direct function to jump.
Moreover: sub functions never have parameters... well, those I saw in IDA... This is very strange and I think I'm missing something here...
This thread can be considered a newb post and I apologize for it.
And I apologize also for my crappy English ^^
12-01-2008 | MaiN's Biatch, Legendary User | Join Date: Mar 2007 | Location: VirtualAllocEx | Posts: 1,115
Isn't that related to fall damage? To see if you have started falling or begun a jump.
Edit: I fail, it's for jumping, but you still need to unprotect it xD
Last edited by Nesox; 12-08-2008 at 10:44 AM.
12-01-2008 | Kynox's sister's pimp, Legendary User | Join Date: Apr 2006 | Location: ntdll.dll | Posts: 4,188
It's a Lua function, you can't call it like that. You have to use another of WoW's internal functions to 'proxy' the call. Furthermore, the string is part of an array storing the Lua function's name and its address; start at the top and whether the sub is above or below will be obvious.
WoW never calls those functions in the way you're implying; they're part of the publicly exposed API, a wrapper if you will. The actual implementation is in the functions that the wrapper calls.
You can call the Lua functions to do what you want, but as I said, you need to pass it through another layer to get WoW to parse and manage it.
EDIT: And your function declaration and calling is totally wrong, even if you could call the function like that.
Dude, you need to learn ASM and C++ before you go around trying to reverse functions.
12-01-2008 | Sergeant | Join Date: Nov 2008 | Posts: 67
Quote: Originally Posted by Therrm (the opening post, quoted in full)
You're right, the JumpOrAscendStart function will make your char start to jump. This is a "public" (visible from Lua addons) function and you can call it. The problem you will face is the "Blizzard function only" GUI message. My advice: look at the function, inspect when/where it will fail, and make a suggestion (pretty easy to trace, so consider it an exercise). Similar code will be in any "protected" function, like any movement/spell-cast function.
12-01-2008 | Kynox's sister's pimp, Legendary User | Join Date: Apr 2006 | Location: ntdll.dll | Posts: 4,188
Quote: Originally Posted by ostapus
You're right, the JumpOrAscendStart function will make your char start to jump. This is a "public" (visible from Lua addons) function and you can call it. The problem you will face is the "Blizzard function only" GUI message. My advice: look at the function, inspect when/where it will fail, and make a suggestion (pretty easy to trace, so consider it an exercise). Similar code will be in any "protected" function, like any movement/spell-cast function.
He's trying to call it from a DLL, not in game; you don't face the protection check when calling the function via Blizzard's Lua wrapper.
You only need to patch the protection check if you want to use it from an addon, which he's not trying to do.
Furthermore, he's calling it totally incorrectly.
Please don't post unless you understand the subject matter.
EDIT: Quick edit. Upon inspection of the target function, it doesn't take any params. You could PROBABLY pass it a null Lua stack structure and it would work, but this is not something you want to get in the habit of doing. You're better off implementing a generic Lua system so you can call functions without having to manually manage the Lua stack.
Either way, your function typedef is wrong.
Last edited by Cypher; 12-01-2008 at 03:00 PM.
12-01-2008 | Master Sergeant | Join Date: Feb 2007 | Posts: 86
Thanks Cypher =]
I'm going to look around and dig a little deeper into the forums to achieve this =]
I'll be back to show you my new crappy code/IDA procedures lol ^^ (well, if you want to check them once again lol)
cya
12-08-2008 | Master Sergeant | Join Date: Feb 2007 | Posts: 86
Hi, it's me again !!!
So I'm still unable to use Lua functions with my DLL injection...
I've tested 2 other methods after reading/looking through the forums and IDA (the last function call was effectively horrible lol):
The asm method:
Code:
#include <windows.h>

void Jumping()
{
    DWORD Jump = 0x00402A10; // address of the jump function in this build
    _asm
    {
        call Jump // there are no parameters for jump, so I should be able to call it without any push
    }
}

int WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        Jumping();
        break;
    }
    return TRUE;
}
The DLL injects correctly but nothing happens..
So I decided to use Lua_DoString as you recommended:
Code:
#include <windows.h>

typedef void (__cdecl *tLua_DoString)(char *pszString, char *pszString2, void *pState);
tLua_DoString String_function = (tLua_DoString)0x0077DEF0;

int WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        String_function("JumpOrAscendStart()", "JumpOrAscendStart()", 0);
        break;
    }
    return TRUE;
}
And it doesn't work either...
Any help?
BTW: WoWX is a gold mine !!!! I didn't have enough time to look at the whole code but it's incredible !!!
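The two attempts above, together with Cypher's replies about the registration array, the wrong typedef and the 'proxy' layer, can be modelled in a few lines of plain C. The following is an added example, not code from the thread, from the game or from any Lua distribution, and it runs on an ordinary C compiler rather than inside the game. It declares the Lua C-function signature (int (*)(lua_State *), cdecl on x86 MSVC, which is what a __stdcall no-argument typedef gets wrong), walks a name/pointer table of the kind IDA's xref from the "JumpOrAscendStart" string points into, contrasts a bare `fn;` statement with an actual call through the pointer, and routes a DoString-style "Name()" string through the same table. The lua_State fields, the table entries, the is_protected flag, the error strings and the "server-side" failure are all stand-ins invented for this example. Where the real check lives is what the thread argues about; here it is placed in the script executor, so the direct path skips it and the script path hits it, which is the behaviour Cypher describes.

```c
/* Added example, not code from the thread or the game: a model of a Lua-style
 * registration array, its C-function signature, and the two call paths the
 * replies contrast. lua_State fields, table entries and checks are stand-ins. */
#include <stdio.h>
#include <string.h>

#ifdef _MSC_VER
#  define LUA_CALL __cdecl        /* Lua C functions are cdecl on x86, not stdcall */
#else
#  define LUA_CALL
#endif

typedef struct lua_State {        /* stand-in; the real lua_State is opaque */
    int         jump_requests;
    int         logged_out;
    const char *last_error;       /* NULL when the last call succeeded */
} lua_State;

typedef int (LUA_CALL *lua_CFunction)(lua_State *L);   /* returns result count */

typedef struct {                  /* name string beside the function pointer */
    const char   *name;
    lua_CFunction func;
    int           is_protected;   /* consulted by the script executor only */
} ScriptEntry;

static void Movement_StartJump(lua_State *L) { L->jump_requests++; }  /* the real work */

/* Exposed wrappers: none of them reads Lua arguments. */
static int LUA_CALL Script_JumpOrAscendStart(lua_State *L) {
    Movement_StartJump(L); L->last_error = NULL; return 0;
}
static int LUA_CALL Script_Logout(lua_State *L) {
    L->logged_out = 1; L->last_error = NULL; return 0;
}
static int LUA_CALL Script_ForceLogout(lua_State *L) {
    L->last_error = "permission denied (server-side check)";  /* fails on every path */
    return 0;
}

static const ScriptEntry g_script_table[] = {
    { "JumpOrAscendStart", Script_JumpOrAscendStart, 1 },
    { "Logout",            Script_Logout,            0 },
    { "ForceLogout",       Script_ForceLogout,       0 },
    { NULL,                NULL,                     0 }
};

/* Walk the array from its top instead of guessing which neighbouring sub_ owns the string. */
const ScriptEntry *FindScriptFunction(const char *name) {
    const ScriptEntry *e;
    for (e = g_script_table; e->name != NULL; e++)
        if (strcmp(e->name, name) == 0) return e;
    return NULL;
}

/* What the first DllMain did: a bare `fn;` evaluates the pointer and discards it. */
int EvaluateOnly(const char *name, lua_State *L) {
    const ScriptEntry *e = FindScriptFunction(name);
    if (e == NULL) return -1;
    lua_CFunction fn = e->func;
    (void)fn;                     /* same effect as the thread's `sub_552A00;` */
    return 0;
}

/* Path 1: direct call through a correctly typed pointer; no script layer, so
 * is_protected is never looked at. */
int CallDirect(const char *name, lua_State *L) {
    const ScriptEntry *e = FindScriptFunction(name);
    return e == NULL ? -1 : e->func(L);
}

/* Path 2: DoString-style executor for the single form "Name()". The protection
 * check lives here, so only script-originated calls are refused. -1 on failure. */
int ExecuteScriptString(const char *code, lua_State *L) {
    char   name[64];
    size_t n = strlen(code);
    if (n < 3 || n - 2 >= sizeof name || strcmp(code + n - 2, "()") != 0) {
        L->last_error = "syntax error"; return -1;
    }
    memcpy(name, code, n - 2);
    name[n - 2] = '\0';
    const ScriptEntry *e = FindScriptFunction(name);
    if (e == NULL)       { L->last_error = "attempt to call a nil value"; return -1; }
    if (e->is_protected) { L->last_error = "blocked: protected function"; return -1; }
    return e->func(L);
}

int main(void) {
    lua_State L = { 0, 0, NULL };
    EvaluateOnly("JumpOrAscendStart", &L);
    printf("bare pointer statement: jumps=%d\n", L.jump_requests);   /* 0 */
    CallDirect("JumpOrAscendStart", &L);
    printf("direct call:            jumps=%d\n", L.jump_requests);   /* 1 */
    int rc = ExecuteScriptString("JumpOrAscendStart()", &L);
    printf("script string:          rc=%d (%s)\n", rc, L.last_error); /* -1 */
    CallDirect("ForceLogout", &L);
    printf("ForceLogout direct:     %s\n", L.last_error);
    return 0;
}
```

Compiled and run as-is it prints the counters after each path. One caveat the thread's DLLs share and this example does not model: both call into the game from DLL_PROCESS_ATTACH in DllMain, which runs under the Windows loader lock, so doing anything there beyond recording state or starting a thread is unsafe regardless of whether the typedef is right.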
12-10-2008 | Master Sergeant | Join Date: Feb 2007 | Posts: 86
No one can help me deal with this? ^^
12-10-2008 | Knight-Lieutenant | Join Date: Jan 2008 | Location: South Pole | Posts: 319
What are you expecting it to do?
__________________
I hacked 127.0.0.1
12-10-2008 | Contributor | Join Date: May 2008 | Posts: 387
Maybe you should put a __asm __emit 0xCC; somewhere in your code and inject the DLL into a WoW process that has a debugger attached. See where your INT3 breakpoint is hit, step through the code, see what happens or what doesn't happen, etc. 'Course, you'll probably have to learn a few things first, but...
12-10-2008 | Kynox's sister's pimp, Legendary User | Join Date: Apr 2006 | Location: ntdll.dll | Posts: 4,188
Quote: Originally Posted by Shynd
Maybe you should put a __asm __emit 0xCC; somewhere in your code and inject the DLL into a WoW process that has a debugger attached. See where your INT3 breakpoint is hit, step through the code, see what happens or what doesn't happen, etc. 'Course, you'll probably have to learn a few things first, but...
I noticed you were using __emit to drop breakpoints in your code.
This works just as well and is the 'correct' way to do what you want, AFAIK:
__asm int 3
(Breakpoints are interrupt code 3)
12-11-2008 | Contributor | Join Date: May 2008 | Posts: 387
Hmm, maybe I was neglecting the space between the int and the 3 when I tried that with VC++. I don't remember which compiler I started learning C on (I want to say lcc, but I'm not sure), but its syntax was AT&T and there was no space between int and 3, and int3 didn't work with VC++, so I resorted to using __emit instead of doing any research whatsoever. I appreciate the correction, as that was bothering me slightly =p
12-11-2008 | Kynox's sister's pimp, Legendary User | Join Date: Apr 2006 | Location: ntdll.dll | Posts: 4,188
Haha. Np.
P.S. AT&T syntax is for jews (like Kynox). | 
12-11-2008 | Master Sergeant | Join Date: Feb 2007 | Posts: 86
Well, I was able to use functions with injection. In fact JumpOrAscendStart() has changed, and I saw on the wiki that movement functions require a key press... Not very efficient for moving the character etc. I guess I'll have to use CInputControl.
But I tried with other functions such as Logout and it's working perfectly.
One more question: I thought that with injection there was no check whether the function was protected or not, but when I use ForceLogout() after Logout() it says that I don't have permission to do that... Guess I'll have to work around this too ^^
Anyway, thanks all for your answers! (Nice trick Shynd, I'll look into this in the future.)
12-11-2008 | Kynox's sister's pimp, Legendary User | Join Date: Apr 2006 | Location: ntdll.dll | Posts: 4,188
The reason you can't use ForceLogout is because the check for that is server-side.