public void LuaDoString(string command) { int nSize = command.Length + 0x100; uint codeCave = process.AllocateMemory(nSize); uint moduleBase = (uint)process.MainModule.BaseAddress; process.WriteASCIIString(codeCave, command); process.Asm.Clear(); String[] asm = new String[] { "mov eax, " + codeCave, "push 0", "push eax", "push eax", "mov eax, " + (moduleBase + Offsets.Endscene.Lua_DoStringAddress), "call eax", "add esp, 0xC", "retn", }; aHook.InjectAndExecute(asm); process.FreeMemory(codeCave); }
private void CreateTrampolineDX() { _mTrampolineDX = Memory.AllocateMemory(0x1000); Console.WriteLine("m_trampoline : " + _mTrampolineDX.ToString("X")); var fasm = new ManagedFasm(Memory.ProcessHandle); fasm.SetMemorySize(0x1000); fasm.SetPassLimit(100); fasm.AddLine("pushad"); fasm.AddLine("pushfd"); fasm.AddLine("mov eax, [{0}]", _mLocked); // _mLockedDX fasm.AddLine("@execution:"); fasm.AddLine("mov eax, [{0}]", _mExecuteRequested); // DX fasm.AddLine("test eax, eax"); fasm.AddLine("je @lockcheck"); /*fasm.AddLine("mov ebx, [{0}]", (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.SpellChecker)); * fasm.AddLine("mov eax, [ebx+" + (uint) Addresses.FunctionWow.SpellCheckerOff1 + "]"); * fasm.AddLine("mov esi, [ebx+" + (uint) Addresses.FunctionWow.SpellCheckerOff2 + "]"); * fasm.AddLine("mov [" + _mSavedAntiban + "], esi"); * fasm.AddLine("mov [ebx+" + (uint) Addresses.FunctionWow.SpellCheckerOff2 + "], eax");*/ fasm.AddLine("call {0}", _mInjectionCode); fasm.AddLine("mov [" + _mResult + "], eax"); /*fasm.AddLine("mov edx, {0}", (uint) (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.CTMChecker)); * fasm.AddLine("call " + (uint) (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.WoWTextCaller)); * fasm.AddLine("push happilyeverafter"); * fasm.AddLine("push " + (uint) (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.RetFromFunctionBelow)); * fasm.AddLine("jmp " + (uint) (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.CTMChecker2)); * fasm.AddLine("happilyeverafter:");*/ /*fasm.AddLine("mov ebx, [{0}]", (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.SpellChecker)); * fasm.AddLine("mov esi, [" + _mSavedAntiban + "]"); * fasm.AddLine("mov [ebx+" + (uint) Addresses.FunctionWow.SpellCheckerOff2 + "], esi");*/ fasm.AddLine("xor eax, eax"); fasm.AddLine("mov [" + _mExecuteRequested + "], eax"); // DX fasm.AddLine("@lockcheck:"); fasm.AddLine("mov eax, [{0}]", _mLocked); // DX fasm.AddLine("test eax, eax"); fasm.AddLine("jne @execution"); fasm.AddLine("push 0"); fasm.AddLine("add esp, 4"); fasm.AddLine("popfd"); fasm.AddLine("popad"); Memory.WriteBytes(_mTrampolineDX, D3D.OriginalBytesDX); fasm.AddLine("jmp " + (JumpAddressDX + D3D.OriginalBytesDX.Length)); fasm.Inject((uint)(_mTrampolineDX + D3D.OriginalBytesDX.Length)); }
/// <summary> /// Target an player/mob usefull for friendly players and bg peps. /// </summary> public void Target() { try { uint CodeLocation = 0x0725AA0; uint codeCave = Memory.AllocateMemory(0x108); ThreadManager.suspendMainThread(objectList.getProcessId()); Memory.WriteUInt64(codeCave + 0x100, GUID); Memory.Asm.Clear(); Memory.Asm.AddLine("MOV EAX,[0x{0}]", (codeCave + 0x100 + 0x4).ToString("X")); Memory.Asm.AddLine("PUSH EAX"); Memory.Asm.AddLine("MOV EAX,[0x{0}]", (codeCave + 0x100 + 0x0).ToString("X")); Memory.Asm.AddLine("PUSH EAX"); Memory.Asm.AddLine("CALL 0x{0}", CodeLocation.ToString("X")); Memory.Asm.AddLine("ADD ESP, 0x08"); Memory.Asm.AddLine("RETN"); Memory.Asm.InjectAndExecute(codeCave); Memory.FreeMemory(codeCave); Thread.Sleep(50); ThreadManager.resumeMainThread(objectList.getProcessId()); objectList.DoString("TargetUnit(\"playertarget\")"); } catch { }; }
private uint AllocateMemory(string name, int size) { uint address = d3.AllocateMemory(size); allocatedMemory[name] = new Tuple <uint, int>(address, size); return(address); }
/// <summary> /// Execute the given LUA command inside WoW's MainThread /// </summary> /// <param name="command">lua command to run</param> public static void LuaDoString(string command) { AmeisenLogger.Instance.Log(LogLevel.VERBOSE, $"Doing string: Command [{command}]", "AmeisenCore"); uint argCC = BlackMagic.AllocateMemory(Encoding.UTF8.GetBytes(command).Length + 1); BlackMagic.WriteBytes(argCC, Encoding.UTF8.GetBytes(command)); string[] asm = new string[] { $"MOV EAX, {(argCC)}", "PUSH 0", "PUSH EAX", "PUSH EAX", $"CALL {(Offsets.luaDoString)}", "ADD ESP, 0xC", "RETN", }; HookJob hookJob = new HookJob(asm, false); AmeisenHook.AddHookJob(ref hookJob); while (!hookJob.IsFinished) { Thread.Sleep(1); } AmeisenLogger.Instance.Log(LogLevel.VERBOSE, $"Command returned: Command [{command}]", "AmeisenCore"); BlackMagic.FreeMemory(argCC); }
/// <summary> /// Get Localized Text for command /// </summary> /// <param name="command">lua command to run</param> /// <param name="variable">variable to read</param> /// <returns>localized text for the executed functions return value</returns> public static string GetLocalizedText(string command, string variable) { if (command.Length > 0 && variable.Length > 0) { uint argCCCommand = BlackMagic.AllocateMemory(Encoding.UTF8.GetBytes(command).Length + 1); BlackMagic.WriteBytes(argCCCommand, Encoding.UTF8.GetBytes(command)); string[] asmDoString = new string[] { $"MOV EAX, {(argCCCommand) }", "PUSH 0", "PUSH EAX", "PUSH EAX", $"CALL {(Offsets.luaDoString)}", "ADD ESP, 0xC", "RETN", }; uint argCC = BlackMagic.AllocateMemory(Encoding.UTF8.GetBytes(variable).Length + 1); BlackMagic.WriteBytes(argCC, Encoding.UTF8.GetBytes(variable)); uint playerBase = BlackMagic.ReadUInt(Offsets.playerBase); playerBase = BlackMagic.ReadUInt(playerBase + 0x34); playerBase = BlackMagic.ReadUInt(playerBase + 0x24); string[] asmLocalText = new string[] { $"CALL {(Offsets.clientObjectManagerGetActivePlayerObject)}", "MOV ECX, EAX", "PUSH -1", $"PUSH {(argCC)}", $"CALL {(Offsets.luaGetLocalizedText)}", "RETN", }; HookJob hookJobLocaltext = new HookJob(asmLocalText, true); ReturnHookJob hookJobDoString = new ReturnHookJob(asmDoString, false, hookJobLocaltext); AmeisenHook.AddHookJob(ref hookJobDoString); while (!hookJobDoString.IsFinished || !hookJobDoString.IsFinished) { Thread.Sleep(5); } string result = Encoding.UTF8.GetString((byte[])hookJobDoString.ReturnValue); AmeisenLogger.Instance.Log(LogLevel.VERBOSE, "DoString(" + command + "); => " + variable + " = " + result, "AmeisenCore"); BlackMagic.FreeMemory(argCCCommand); BlackMagic.FreeMemory(argCC); return(result); } return(""); }
/* public void DoString(string pszString) * { * uint s_curMgr = wow.ReadUInt(wow.ReadUInt(CurrMgr_Ptr) + CurrMgr_Offs); * uint pScript = wow.AllocateMemory(0x1024); * wow.WriteASCIIString(pScript + 0x1024, pszString); * * uint codeCave = wow.AllocateMemory(0x1024); * * wow.Asm.Clear(); * wow.Asm.AddLine("FS mov EAX, [0x2C]"); * wow.Asm.AddLine("mov eax, [eax]"); * wow.Asm.AddLine("add eax, 8"); * wow.Asm.AddLine("mov edx, {0}", s_curMgr); * wow.Asm.AddLine("mov [eax], edx"); * * wow.Asm.AddLine("mov ecx, {0}", pScript + pszString.Length - 1); * wow.Asm.AddLine("mov eax, " + pScript); * * wow.Asm.AddLine("push ecx"); * wow.Asm.AddLine("push eax"); * wow.Asm.AddLine("push eax"); * * wow.Asm.AddLine("mov eax, 0x004B32B0"); * wow.Asm.AddLine("call eax"); * wow.Asm.AddLine("add esp, 0xC"); * wow.Asm.AddLine("retn"); * * wow.Asm.InjectAndExecute(codeCave); * wow.FreeMemory(codeCave); * * return; * }*/ public void Lua_DoString(string luaString) { uint cave = 0; try { wow.SuspendThread(wow.ThreadHandle); cave = wow.AllocateMemory(0x2048); wow.WriteASCIIString(cave + 0x1024, luaString); wow.Asm.Clear(); wow.Asm.AddLine("mov EDX, [0x00BB43F0]"); wow.Asm.AddLine("mov EDX, [EDX+0x00002EB0]"); wow.Asm.AddLine("FS mov EAX, [0x2C]"); wow.Asm.AddLine("mov EAX, [EAX]"); wow.Asm.AddLine("add EAX, 10"); wow.Asm.AddLine("mov [EAX], edx"); wow.Asm.AddLine("push 0"); wow.Asm.AddLine("mov eax, " + (cave + 0x1024)); wow.Asm.AddLine("push eax"); wow.Asm.AddLine("push eax"); wow.Asm.AddLine("call 0x004B32B0"); wow.Asm.AddLine("add esp, 0xC"); wow.Asm.AddLine("retn"); wow.Asm.InjectAndExecute(cave); wow.ResumeThread(wow.ThreadHandle); wow.FreeMemory(cave); wow.Asm.Clear(); } catch { wow.ResumeThread(wow.ThreadHandle); wow.FreeMemory(cave); wow.Asm.Clear(); } }
//Returning Object name if you supply the object //To do: Redo this function to use offsets based on object Types instead of injection! public string getObjectName(uint curObject) { if (curObject == 0) { return("Not a valid object"); } try { uint codecave = Memory.AllocateMemory(); uint VMT = Memory.ReadUInt(curObject); Memory.Asm.Clear(); Memory.Asm.AddLine("fs mov eax, [0x2C]"); Memory.Asm.AddLine("mov eax, [eax]"); Memory.Asm.AddLine("add eax, 8"); Memory.Asm.AddLine("mov dword [eax], {0}", curMgr); Memory.Asm.AddLine("mov ecx, {0}", curObject); Memory.Asm.AddLine("call {0}", Memory.ReadUInt(VMT + VMT_GetName)); //read pointer to GetName method Memory.Asm.AddLine("retn"); uint pCurName = Memory.Asm.InjectAndExecute(codecave); string curName; if (pCurName != uint.MaxValue) { curName = Memory.ReadASCIIString(pCurName, 100); } else { curName = String.Empty; } return(curName); } catch { return(null); } }
public WndProcExecutor(BlackMagic memory) { try { m_WindowHandle = Memory.WowProcess.MainWindowHandle; m_Random = new Random(); m_CustomMessageCode = m_Random.Next(0x8000, 0xBFFF); // From MSDN : WM_APP (0x8000) through 0xBFFF m_WndProcFunction = memory.AllocateMemory(0x500); // WndProc m_OriginalWndProc = memory.AllocateMemory(0x4); // WndProcOriginalWndProc IntPtr l_User32 = GetModuleHandle("user32.dll"); IntPtr l_CallWindowProcW = GetProcAddress(l_User32, "CallWindowProcW"); IntPtr l_SetWindowLongW = GetProcAddress(l_User32, "SetWindowLongW"); var fasm = new ManagedFasm(Memory.WowProcess.ProcessHandle); fasm.SetMemorySize(0x1000); fasm.SetPassLimit(100); fasm.AddLine("mov eax, [esp+0x8]"); // Get the message code from the stack); fasm.AddLine("cmp eax, " + m_CustomMessageCode); // Check if the message code is our custom one fasm.AddLine("jne @call_original"); // Otherwise simply call the original WndProc fasm.AddLine("mov eax, [esp+0xC]"); // Function pointer fasm.AddLine("mov edx, [esp+0x10]"); // Result pointer fasm.AddLine("push edx"); // Save result pointer fasm.AddLine("call eax"); // Call the user function fasm.AddLine("pop edx"); // Restore the result pointer fasm.AddLine("mov [edx], eax"); // Save user function result fasm.AddLine("xor eax, eax"); // We handled the message fasm.AddLine("retn"); fasm.AddLine("@call_original:"); fasm.AddLine("mov ecx, [esp+0x4]"); // Hwnd fasm.AddLine("mov edx, [esp+0x8]"); // Msg fasm.AddLine("mov esi, [esp+0xC]"); // WParam fasm.AddLine("mov edi, [esp+0x10]"); // LParam fasm.AddLine("mov eax, [" + m_OriginalWndProc + "]"); fasm.AddLine("push edi"); // LParam fasm.AddLine("push esi"); // WParam fasm.AddLine("push edx"); // Msg fasm.AddLine("push ecx"); // Hwnd fasm.AddLine("push eax"); // WndProc original //fasm.AddLine("call " + l_CallWindowProcW); // Call the original WndProc fasm.AddLine("retn 0x14"); // Setup our WndProc callback //memory.WriteBytes(m_WndProcFunction, D3D.OriginalBytesDX); fasm.Inject(m_WndProcFunction); // Register our WndProc callback var fasm2 = new ManagedFasm(Memory.WowProcess.ProcessHandle); fasm2.SetMemorySize(0x500); fasm2.SetPassLimit(100); fasm2.AddLine("push " + m_WndProcFunction); fasm2.AddLine("push " + GWL_WNDPROC); fasm2.AddLine("push " + m_WindowHandle); fasm2.AddLine("call " + l_SetWindowLongW); fasm2.AddLine("mov [" + m_OriginalWndProc + "], eax"); fasm2.AddLine("retn"); var ptrInject = memory.AllocateMemory(0x500); fasm2.InjectAndExecute(ptrInject); /*var l_Process = System.Diagnostics.Process.GetProcessesByName("Wow").First(); * Console.WriteLine("Using process : " + l_Process.Id + ", window " + l_Process.MainWindowHandle + ""); * * using (RemoteProcess l_RemoteProcess = new RemoteProcess((uint)l_Process.Id)) * using (var l_WndProcExecutor = new WndProcExecutor2(l_RemoteProcess, l_Process.MainWindowHandle)) * { * * LuaTest(l_RemoteProcess, l_WndProcExecutor, "print(\"Hello world motha !\")"); * * }*/ /*var t = new MyMemory.RemoteProcess((uint)Memory.WowProcess.ProcessId); * var remoteM = t.MemoryManager.AllocateMemory(0x1000); * var ptrInject = (uint)remoteM.Pointer; //memory.AllocateMemory(0x500); * * fasm2.Inject(ptrInject); * var prot = new RemoteMemoryProtection(t, remoteM.Pointer, remoteM.Size, Enumerations.MemoryProtectionFlags.Execute); * * var th = t.ThreadsManager.CreateRemoteThread((IntPtr) ptrInject, IntPtr.Zero, Enumerations.ThreadCreationFlags.Run); */ } catch (Exception e) { Logging.WriteError(e.ToString()); } }
public void Hooking() { // Process Connect: if (!Memory.IsProcessOpen) { Memory.OpenProcessAndThread(processId); } if (Memory.IsProcessOpen) { txtDebug.Text += "VirtualAlloc Hook: " + vaHookPtr.ToString("X") + " | " + Memory.ReadByte(vaHookPtr).ToString("X") + "\r\n"; if (Memory.ReadByte(vaHookPtr) == 0xE9 && (injected_code == 0 || eaxStore == 0)) // check if wow is already hooked and dispose Hook { DisposeHooking(); } if (Memory.ReadByte(vaHookPtr) != 0xE9) // check if wow is already hooked { try { threadHooked = false; // allocate memory to store injected code: (Das ist die codecave wohin die Endscene umgeleitet wird) injected_code = Memory.AllocateMemory(2048); txtDebug.Text += "injected_code: " + injected_code.ToString("X") + "\r\n"; // die Adresse in welche EAX hingespeichert wird eaxStore = Memory.AllocateMemory(0x4); txtDebug.Text += "eaxStore: " + eaxStore.ToString("X") + "\r\n"; // allocate memory the pointer return value: retnInjectionAsm = Memory.AllocateMemory(0x4); txtDebug.Text += "retnInjectionAsm: " + retnInjectionAsm.ToString("X") + "\r\n"; Memory.WriteInt(retnInjectionAsm, 0); // Generate the STUB to be injected Memory.Asm.Clear(); // $Asm // save regs //Memory.Asm.AddLine("pushad"); //Memory.Asm.AddLine("pushfd"); Memory.Asm.AddLine("mov [" + eaxStore + "],eax"); // Size asm jumpback int sizeJumpBack = 5; Memory.Asm.AddLine("jmp " + (vaHookPtr + sizeJumpBack)); // inject code in codecave uint sizeAsm = (uint)(Memory.Asm.Assemble().Length); Memory.Asm.Inject(injected_code); txtDebug.Text += "Injecting ...\r\n"; // create hook jump Memory.Asm.Clear(); // $jmpto Memory.Asm.AddLine("jmp " + (injected_code)); Memory.Asm.AddLine("retn 10h"); Memory.Asm.Inject(vaHookPtr); } catch { threadHooked = false; return; } } threadHooked = true; } }
private void HookApplication() { if (!process.IsProcessOpen) { throw new Exception("Process is not open"); } uint baseAddress = (uint)process.MainModule.BaseAddress; uint pDevice = process.ReadUInt(baseAddress + Offsets.Direct3D.Direct3D9__Device); uint pEnd = process.ReadUInt(pDevice + Offsets.Direct3D.Direct3D9__Device__OffsetA); uint pScene = process.ReadUInt(pEnd); uint pEndScene = process.ReadUInt(pScene + Offsets.Direct3D.Direct3D9__Device__OffsetB); if (process.ReadUInt(pEndScene) == 0xE9 && (codeCave == 0 || injectionAddress == 0)) { DisposeOfHook(); } if (process.ReadUInt(pEndScene) != 0xE9) { try { mainThreadHooked = false; codeCave = process.AllocateMemory(2048); injectionAddress = process.AllocateMemory(0x4); process.WriteInt(injectionAddress, 0); returnAddress = process.AllocateMemory(0x4); process.WriteInt(returnAddress, 0); process.Asm.Clear(); process.Asm.AddLine("mov edi, edi"); process.Asm.AddLine("push ebp"); process.Asm.AddLine("mov ebp, esp"); process.Asm.AddLine("pushfd"); process.Asm.AddLine("pushad"); process.Asm.AddLine("mov eax, [" + injectionAddress + "]"); process.Asm.AddLine("test eax, eax"); process.Asm.AddLine("je @out"); process.Asm.AddLine("mov eax, [" + injectionAddress + "]"); process.Asm.AddLine("call eax"); process.Asm.AddLine("mov [" + returnAddress + "], eax"); process.Asm.AddLine("mov edx, " + injectionAddress); process.Asm.AddLine("mov ecx, 0"); process.Asm.AddLine("mov [edx], ecx"); process.Asm.AddLine("@out:"); uint sizeAsm = (uint)(process.Asm.Assemble().Length); process.Asm.Inject(codeCave); int sizeJumpBack = 5; process.Asm.Clear(); process.Asm.AddLine("jmp " + (pEndScene + sizeJumpBack)); process.Asm.Inject(codeCave + sizeAsm); // + (uint)sizeJumpBack); process.Asm.Clear(); // $jmpto process.Asm.AddLine("jmp " + (codeCave)); process.Asm.Inject(pEndScene); } catch { mainThreadHooked = false; return; } mainThreadHooked = true; } }
public void Hooking() { // Offset: uint DX_DEVICE = 0xAD773C + baseAdress; uint DX_DEVICE_IDX = 0x27F8; uint ENDSCENE_IDX = 0xA8; // Process Connect: if (!Memory.IsProcessOpen) { Memory = new BlackMagic((int)_processId); } if (Memory.IsProcessOpen) { // Get address of EndScene uint pDevice = Memory.ReadUInt(DX_DEVICE); uint pEnd = Memory.ReadUInt(pDevice + DX_DEVICE_IDX); uint pScene = Memory.ReadUInt(pEnd); uint pEndScene = Memory.ReadUInt(pScene + ENDSCENE_IDX); if (Memory.ReadByte(pEndScene) == 0xE9 && (injected_code == 0 || addresseInjection == 0)) // check if wow is already hooked and dispose Hook { DisposeHooking(); } if (Memory.ReadByte(pEndScene) != 0xE9) // check if wow is already hooked { try { threadHooked = false; // allocate memory to store injected code: injected_code = Memory.AllocateMemory(2048); // allocate memory the new injection code pointer: addresseInjection = Memory.AllocateMemory(0x4); Memory.WriteInt(addresseInjection, 0); // allocate memory the pointer return value: retnInjectionAsm = Memory.AllocateMemory(0x4); Memory.WriteInt(retnInjectionAsm, 0); Memory.Asm.Clear(); Memory.Asm.AddLine("mov edi, edi"); Memory.Asm.AddLine("push ebp"); Memory.Asm.AddLine("mov ebp, esp"); Memory.Asm.AddLine("pushfd"); Memory.Asm.AddLine("pushad"); //Test for waiting code Memory.Asm.AddLine("mov eax, [" + addresseInjection + "]"); Memory.Asm.AddLine("test eax, ebx"); Memory.Asm.AddLine("je @out"); //Execute waiting code Memory.Asm.AddLine("mov eax, [" + addresseInjection + "]"); Memory.Asm.AddLine("call eax"); //Copy pointer to return value Memory.Asm.AddLine("mov [" + retnInjectionAsm + "], eax"); Memory.Asm.AddLine("mov edx, " + addresseInjection); Memory.Asm.AddLine("mov ecx, 0"); Memory.Asm.AddLine("mov [edx], ecx"); //Close Function Memory.Asm.AddLine("@out:"); //Inject Code uint sizeAsm = (uint)(Memory.Asm.Assemble().Length); Memory.Asm.Inject(injected_code); int sizeJumpBack = 5; // create jump back stub Memory.Asm.Clear(); Memory.Asm.AddLine("jmp " + (pEndScene + sizeJumpBack)); Memory.Asm.Inject(injected_code + sizeAsm);// + (uint)sizeJumpBack); // create hook jump Memory.Asm.Clear(); // $jmpto Memory.Asm.AddLine("jmp " + (injected_code)); Memory.Asm.Inject(pEndScene); } catch { threadHooked = false; return; } } threadHooked = true; } }