public void LuaDoString(string command)
{
int nSize = command.Length + 0x100;
uint codeCave = process.AllocateMemory(nSize);
uint moduleBase = (uint)process.MainModule.BaseAddress;
process.WriteASCIIString(codeCave, command);
process.Asm.Clear();
String[] asm = new String[]
{
"mov eax, " + codeCave,
"push 0",
"push eax",
"push eax",
"mov eax, " + (moduleBase + Offsets.Endscene.Lua_DoStringAddress),
"call eax",
"add esp, 0xC",
"retn",
};
aHook.InjectAndExecute(asm);
process.FreeMemory(codeCave);
}
private void CreateTrampolineDX()
{
_mTrampolineDX = Memory.AllocateMemory(0x1000);
Console.WriteLine("m_trampoline : " + _mTrampolineDX.ToString("X"));
var fasm = new ManagedFasm(Memory.ProcessHandle);
fasm.SetMemorySize(0x1000);
fasm.SetPassLimit(100);
fasm.AddLine("pushad");
fasm.AddLine("pushfd");
fasm.AddLine("mov eax, [{0}]", _mLocked); // _mLockedDX
fasm.AddLine("@execution:");
fasm.AddLine("mov eax, [{0}]", _mExecuteRequested); // DX
fasm.AddLine("test eax, eax");
fasm.AddLine("je @lockcheck");
/*fasm.AddLine("mov ebx, [{0}]", (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.SpellChecker));
* fasm.AddLine("mov eax, [ebx+" + (uint) Addresses.FunctionWow.SpellCheckerOff1 + "]");
* fasm.AddLine("mov esi, [ebx+" + (uint) Addresses.FunctionWow.SpellCheckerOff2 + "]");
* fasm.AddLine("mov [" + _mSavedAntiban + "], esi");
* fasm.AddLine("mov [ebx+" + (uint) Addresses.FunctionWow.SpellCheckerOff2 + "], eax");*/
fasm.AddLine("call {0}", _mInjectionCode);
fasm.AddLine("mov [" + _mResult + "], eax");
/*fasm.AddLine("mov edx, {0}", (uint) (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.CTMChecker));
* fasm.AddLine("call " + (uint) (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.WoWTextCaller));
* fasm.AddLine("push happilyeverafter");
* fasm.AddLine("push " + (uint) (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.RetFromFunctionBelow));
* fasm.AddLine("jmp " + (uint) (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.CTMChecker2));
* fasm.AddLine("happilyeverafter:");*/
/*fasm.AddLine("mov ebx, [{0}]", (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.SpellChecker));
* fasm.AddLine("mov esi, [" + _mSavedAntiban + "]");
* fasm.AddLine("mov [ebx+" + (uint) Addresses.FunctionWow.SpellCheckerOff2 + "], esi");*/
fasm.AddLine("xor eax, eax");
fasm.AddLine("mov [" + _mExecuteRequested + "], eax"); // DX
fasm.AddLine("@lockcheck:");
fasm.AddLine("mov eax, [{0}]", _mLocked); // DX
fasm.AddLine("test eax, eax");
fasm.AddLine("jne @execution");
fasm.AddLine("push 0");
fasm.AddLine("add esp, 4");
fasm.AddLine("popfd");
fasm.AddLine("popad");
Memory.WriteBytes(_mTrampolineDX, D3D.OriginalBytesDX);
fasm.AddLine("jmp " + (JumpAddressDX + D3D.OriginalBytesDX.Length));
fasm.Inject((uint)(_mTrampolineDX + D3D.OriginalBytesDX.Length));
}
/// <summary>
/// Target an player/mob usefull for friendly players and bg peps.
/// </summary>
public void Target()
{
try
{
uint CodeLocation = 0x0725AA0;
uint codeCave = Memory.AllocateMemory(0x108);
ThreadManager.suspendMainThread(objectList.getProcessId());
Memory.WriteUInt64(codeCave + 0x100, GUID);
Memory.Asm.Clear();
Memory.Asm.AddLine("MOV EAX,[0x{0}]", (codeCave + 0x100 + 0x4).ToString("X"));
Memory.Asm.AddLine("PUSH EAX");
Memory.Asm.AddLine("MOV EAX,[0x{0}]", (codeCave + 0x100 + 0x0).ToString("X"));
Memory.Asm.AddLine("PUSH EAX");
Memory.Asm.AddLine("CALL 0x{0}", CodeLocation.ToString("X"));
Memory.Asm.AddLine("ADD ESP, 0x08");
Memory.Asm.AddLine("RETN");
Memory.Asm.InjectAndExecute(codeCave);
Memory.FreeMemory(codeCave);
Thread.Sleep(50);
ThreadManager.resumeMainThread(objectList.getProcessId());
objectList.DoString("TargetUnit(\"playertarget\")");
}
catch { };
}
private uint AllocateMemory(string name, int size)
{
uint address = d3.AllocateMemory(size);
allocatedMemory[name] = new Tuple <uint, int>(address, size);
return(address);
}
/// <summary>
/// Execute the given LUA command inside WoW's MainThread
/// </summary>
/// <param name="command">lua command to run</param>
public static void LuaDoString(string command)
{
AmeisenLogger.Instance.Log(LogLevel.VERBOSE, $"Doing string: Command [{command}]", "AmeisenCore");
uint argCC = BlackMagic.AllocateMemory(Encoding.UTF8.GetBytes(command).Length + 1);
BlackMagic.WriteBytes(argCC, Encoding.UTF8.GetBytes(command));
string[] asm = new string[]
{
$"MOV EAX, {(argCC)}",
"PUSH 0",
"PUSH EAX",
"PUSH EAX",
$"CALL {(Offsets.luaDoString)}",
"ADD ESP, 0xC",
"RETN",
};
HookJob hookJob = new HookJob(asm, false);
AmeisenHook.AddHookJob(ref hookJob);
while (!hookJob.IsFinished)
{
Thread.Sleep(1);
}
AmeisenLogger.Instance.Log(LogLevel.VERBOSE, $"Command returned: Command [{command}]", "AmeisenCore");
BlackMagic.FreeMemory(argCC);
}
/// <summary>
/// Get Localized Text for command
/// </summary>
/// <param name="command">lua command to run</param>
/// <param name="variable">variable to read</param>
/// <returns>localized text for the executed functions return value</returns>
public static string GetLocalizedText(string command, string variable)
{
if (command.Length > 0 && variable.Length > 0)
{
uint argCCCommand = BlackMagic.AllocateMemory(Encoding.UTF8.GetBytes(command).Length + 1);
BlackMagic.WriteBytes(argCCCommand, Encoding.UTF8.GetBytes(command));
string[] asmDoString = new string[]
{
$"MOV EAX, {(argCCCommand) }",
"PUSH 0",
"PUSH EAX",
"PUSH EAX",
$"CALL {(Offsets.luaDoString)}",
"ADD ESP, 0xC",
"RETN",
};
uint argCC = BlackMagic.AllocateMemory(Encoding.UTF8.GetBytes(variable).Length + 1);
BlackMagic.WriteBytes(argCC, Encoding.UTF8.GetBytes(variable));
uint playerBase = BlackMagic.ReadUInt(Offsets.playerBase);
playerBase = BlackMagic.ReadUInt(playerBase + 0x34);
playerBase = BlackMagic.ReadUInt(playerBase + 0x24);
string[] asmLocalText = new string[]
{
$"CALL {(Offsets.clientObjectManagerGetActivePlayerObject)}",
"MOV ECX, EAX",
"PUSH -1",
$"PUSH {(argCC)}",
$"CALL {(Offsets.luaGetLocalizedText)}",
"RETN",
};
HookJob hookJobLocaltext = new HookJob(asmLocalText, true);
ReturnHookJob hookJobDoString = new ReturnHookJob(asmDoString, false, hookJobLocaltext);
AmeisenHook.AddHookJob(ref hookJobDoString);
while (!hookJobDoString.IsFinished || !hookJobDoString.IsFinished)
{
Thread.Sleep(5);
}
string result = Encoding.UTF8.GetString((byte[])hookJobDoString.ReturnValue);
AmeisenLogger.Instance.Log(LogLevel.VERBOSE, "DoString(" + command + "); => " + variable + " = " + result, "AmeisenCore");
BlackMagic.FreeMemory(argCCCommand);
BlackMagic.FreeMemory(argCC);
return(result);
}
return("");
}
/* public void DoString(string pszString)
* {
* uint s_curMgr = wow.ReadUInt(wow.ReadUInt(CurrMgr_Ptr) + CurrMgr_Offs);
* uint pScript = wow.AllocateMemory(0x1024);
* wow.WriteASCIIString(pScript + 0x1024, pszString);
*
* uint codeCave = wow.AllocateMemory(0x1024);
*
* wow.Asm.Clear();
* wow.Asm.AddLine("FS mov EAX, [0x2C]");
* wow.Asm.AddLine("mov eax, [eax]");
* wow.Asm.AddLine("add eax, 8");
* wow.Asm.AddLine("mov edx, {0}", s_curMgr);
* wow.Asm.AddLine("mov [eax], edx");
*
* wow.Asm.AddLine("mov ecx, {0}", pScript + pszString.Length - 1);
* wow.Asm.AddLine("mov eax, " + pScript);
*
* wow.Asm.AddLine("push ecx");
* wow.Asm.AddLine("push eax");
* wow.Asm.AddLine("push eax");
*
* wow.Asm.AddLine("mov eax, 0x004B32B0");
* wow.Asm.AddLine("call eax");
* wow.Asm.AddLine("add esp, 0xC");
* wow.Asm.AddLine("retn");
*
* wow.Asm.InjectAndExecute(codeCave);
* wow.FreeMemory(codeCave);
*
* return;
* }*/
public void Lua_DoString(string luaString)
{
uint cave = 0;
try
{
wow.SuspendThread(wow.ThreadHandle);
cave = wow.AllocateMemory(0x2048);
wow.WriteASCIIString(cave + 0x1024, luaString);
wow.Asm.Clear();
wow.Asm.AddLine("mov EDX, [0x00BB43F0]");
wow.Asm.AddLine("mov EDX, [EDX+0x00002EB0]");
wow.Asm.AddLine("FS mov EAX, [0x2C]");
wow.Asm.AddLine("mov EAX, [EAX]");
wow.Asm.AddLine("add EAX, 10");
wow.Asm.AddLine("mov [EAX], edx");
wow.Asm.AddLine("push 0");
wow.Asm.AddLine("mov eax, " + (cave + 0x1024));
wow.Asm.AddLine("push eax");
wow.Asm.AddLine("push eax");
wow.Asm.AddLine("call 0x004B32B0");
wow.Asm.AddLine("add esp, 0xC");
wow.Asm.AddLine("retn");
wow.Asm.InjectAndExecute(cave);
wow.ResumeThread(wow.ThreadHandle);
wow.FreeMemory(cave);
wow.Asm.Clear();
}
catch
{
wow.ResumeThread(wow.ThreadHandle);
wow.FreeMemory(cave);
wow.Asm.Clear();
}
}
//Returning Object name if you supply the object
//To do: Redo this function to use offsets based on object Types instead of injection!
public string getObjectName(uint curObject)
{
if (curObject == 0)
{
return("Not a valid object");
}
try
{
uint codecave = Memory.AllocateMemory();
uint VMT = Memory.ReadUInt(curObject);
Memory.Asm.Clear();
Memory.Asm.AddLine("fs mov eax, [0x2C]");
Memory.Asm.AddLine("mov eax, [eax]");
Memory.Asm.AddLine("add eax, 8");
Memory.Asm.AddLine("mov dword [eax], {0}", curMgr);
Memory.Asm.AddLine("mov ecx, {0}", curObject);
Memory.Asm.AddLine("call {0}", Memory.ReadUInt(VMT + VMT_GetName)); //read pointer to GetName method
Memory.Asm.AddLine("retn");
uint pCurName = Memory.Asm.InjectAndExecute(codecave);
string curName;
if (pCurName != uint.MaxValue)
{
curName = Memory.ReadASCIIString(pCurName, 100);
}
else
{
curName = String.Empty;
}
return(curName);
}
catch
{
return(null);
}
}
public WndProcExecutor(BlackMagic memory)
{
try
{
m_WindowHandle = Memory.WowProcess.MainWindowHandle;
m_Random = new Random();
m_CustomMessageCode = m_Random.Next(0x8000, 0xBFFF); // From MSDN : WM_APP (0x8000) through 0xBFFF
m_WndProcFunction = memory.AllocateMemory(0x500); // WndProc
m_OriginalWndProc = memory.AllocateMemory(0x4); // WndProcOriginalWndProc
IntPtr l_User32 = GetModuleHandle("user32.dll");
IntPtr l_CallWindowProcW = GetProcAddress(l_User32, "CallWindowProcW");
IntPtr l_SetWindowLongW = GetProcAddress(l_User32, "SetWindowLongW");
var fasm = new ManagedFasm(Memory.WowProcess.ProcessHandle);
fasm.SetMemorySize(0x1000);
fasm.SetPassLimit(100);
fasm.AddLine("mov eax, [esp+0x8]"); // Get the message code from the stack);
fasm.AddLine("cmp eax, " + m_CustomMessageCode); // Check if the message code is our custom one
fasm.AddLine("jne @call_original"); // Otherwise simply call the original WndProc
fasm.AddLine("mov eax, [esp+0xC]"); // Function pointer
fasm.AddLine("mov edx, [esp+0x10]"); // Result pointer
fasm.AddLine("push edx"); // Save result pointer
fasm.AddLine("call eax"); // Call the user function
fasm.AddLine("pop edx"); // Restore the result pointer
fasm.AddLine("mov [edx], eax"); // Save user function result
fasm.AddLine("xor eax, eax"); // We handled the message
fasm.AddLine("retn");
fasm.AddLine("@call_original:");
fasm.AddLine("mov ecx, [esp+0x4]"); // Hwnd
fasm.AddLine("mov edx, [esp+0x8]"); // Msg
fasm.AddLine("mov esi, [esp+0xC]"); // WParam
fasm.AddLine("mov edi, [esp+0x10]"); // LParam
fasm.AddLine("mov eax, [" + m_OriginalWndProc + "]");
fasm.AddLine("push edi"); // LParam
fasm.AddLine("push esi"); // WParam
fasm.AddLine("push edx"); // Msg
fasm.AddLine("push ecx"); // Hwnd
fasm.AddLine("push eax"); // WndProc original
//fasm.AddLine("call " + l_CallWindowProcW); // Call the original WndProc
fasm.AddLine("retn 0x14");
// Setup our WndProc callback
//memory.WriteBytes(m_WndProcFunction, D3D.OriginalBytesDX);
fasm.Inject(m_WndProcFunction);
// Register our WndProc callback
var fasm2 = new ManagedFasm(Memory.WowProcess.ProcessHandle);
fasm2.SetMemorySize(0x500);
fasm2.SetPassLimit(100);
fasm2.AddLine("push " + m_WndProcFunction);
fasm2.AddLine("push " + GWL_WNDPROC);
fasm2.AddLine("push " + m_WindowHandle);
fasm2.AddLine("call " + l_SetWindowLongW);
fasm2.AddLine("mov [" + m_OriginalWndProc + "], eax");
fasm2.AddLine("retn");
var ptrInject = memory.AllocateMemory(0x500);
fasm2.InjectAndExecute(ptrInject);
/*var l_Process = System.Diagnostics.Process.GetProcessesByName("Wow").First();
* Console.WriteLine("Using process : " + l_Process.Id + ", window " + l_Process.MainWindowHandle + "");
*
* using (RemoteProcess l_RemoteProcess = new RemoteProcess((uint)l_Process.Id))
* using (var l_WndProcExecutor = new WndProcExecutor2(l_RemoteProcess, l_Process.MainWindowHandle))
* {
*
* LuaTest(l_RemoteProcess, l_WndProcExecutor, "print(\"Hello world motha !\")");
*
* }*/
/*var t = new MyMemory.RemoteProcess((uint)Memory.WowProcess.ProcessId);
* var remoteM = t.MemoryManager.AllocateMemory(0x1000);
* var ptrInject = (uint)remoteM.Pointer; //memory.AllocateMemory(0x500);
*
* fasm2.Inject(ptrInject);
* var prot = new RemoteMemoryProtection(t, remoteM.Pointer, remoteM.Size, Enumerations.MemoryProtectionFlags.Execute);
*
* var th = t.ThreadsManager.CreateRemoteThread((IntPtr) ptrInject, IntPtr.Zero, Enumerations.ThreadCreationFlags.Run);
*/
}
catch (Exception e)
{
Logging.WriteError(e.ToString());
}
}
public void Hooking()
{
// Process Connect:
if (!Memory.IsProcessOpen)
{
Memory.OpenProcessAndThread(processId);
}
if (Memory.IsProcessOpen)
{
txtDebug.Text += "VirtualAlloc Hook: " + vaHookPtr.ToString("X") + " | " + Memory.ReadByte(vaHookPtr).ToString("X") + "\r\n";
if (Memory.ReadByte(vaHookPtr) == 0xE9 && (injected_code == 0 || eaxStore == 0)) // check if wow is already hooked and dispose Hook
{
DisposeHooking();
}
if (Memory.ReadByte(vaHookPtr) != 0xE9) // check if wow is already hooked
{
try
{
threadHooked = false;
// allocate memory to store injected code: (Das ist die codecave wohin die Endscene umgeleitet wird)
injected_code = Memory.AllocateMemory(2048);
txtDebug.Text += "injected_code: " + injected_code.ToString("X") + "\r\n";
// die Adresse in welche EAX hingespeichert wird
eaxStore = Memory.AllocateMemory(0x4);
txtDebug.Text += "eaxStore: " + eaxStore.ToString("X") + "\r\n";
// allocate memory the pointer return value:
retnInjectionAsm = Memory.AllocateMemory(0x4);
txtDebug.Text += "retnInjectionAsm: " + retnInjectionAsm.ToString("X") + "\r\n";
Memory.WriteInt(retnInjectionAsm, 0);
// Generate the STUB to be injected
Memory.Asm.Clear(); // $Asm
// save regs
//Memory.Asm.AddLine("pushad");
//Memory.Asm.AddLine("pushfd");
Memory.Asm.AddLine("mov [" + eaxStore + "],eax");
// Size asm jumpback
int sizeJumpBack = 5;
Memory.Asm.AddLine("jmp " + (vaHookPtr + sizeJumpBack));
// inject code in codecave
uint sizeAsm = (uint)(Memory.Asm.Assemble().Length);
Memory.Asm.Inject(injected_code);
txtDebug.Text += "Injecting ...\r\n";
// create hook jump
Memory.Asm.Clear(); // $jmpto
Memory.Asm.AddLine("jmp " + (injected_code));
Memory.Asm.AddLine("retn 10h");
Memory.Asm.Inject(vaHookPtr);
}
catch { threadHooked = false; return; }
}
threadHooked = true;
}
}
private void HookApplication()
{
if (!process.IsProcessOpen)
{
throw new Exception("Process is not open");
}
uint baseAddress = (uint)process.MainModule.BaseAddress;
uint pDevice = process.ReadUInt(baseAddress + Offsets.Direct3D.Direct3D9__Device);
uint pEnd = process.ReadUInt(pDevice + Offsets.Direct3D.Direct3D9__Device__OffsetA);
uint pScene = process.ReadUInt(pEnd);
uint pEndScene = process.ReadUInt(pScene + Offsets.Direct3D.Direct3D9__Device__OffsetB);
if (process.ReadUInt(pEndScene) == 0xE9 && (codeCave == 0 || injectionAddress == 0))
{
DisposeOfHook();
}
if (process.ReadUInt(pEndScene) != 0xE9)
{
try
{
mainThreadHooked = false;
codeCave = process.AllocateMemory(2048);
injectionAddress = process.AllocateMemory(0x4);
process.WriteInt(injectionAddress, 0);
returnAddress = process.AllocateMemory(0x4);
process.WriteInt(returnAddress, 0);
process.Asm.Clear();
process.Asm.AddLine("mov edi, edi");
process.Asm.AddLine("push ebp");
process.Asm.AddLine("mov ebp, esp");
process.Asm.AddLine("pushfd");
process.Asm.AddLine("pushad");
process.Asm.AddLine("mov eax, [" + injectionAddress + "]");
process.Asm.AddLine("test eax, eax");
process.Asm.AddLine("je @out");
process.Asm.AddLine("mov eax, [" + injectionAddress + "]");
process.Asm.AddLine("call eax");
process.Asm.AddLine("mov [" + returnAddress + "], eax");
process.Asm.AddLine("mov edx, " + injectionAddress);
process.Asm.AddLine("mov ecx, 0");
process.Asm.AddLine("mov [edx], ecx");
process.Asm.AddLine("@out:");
uint sizeAsm = (uint)(process.Asm.Assemble().Length);
process.Asm.Inject(codeCave);
int sizeJumpBack = 5;
process.Asm.Clear();
process.Asm.AddLine("jmp " + (pEndScene + sizeJumpBack));
process.Asm.Inject(codeCave + sizeAsm); // + (uint)sizeJumpBack);
process.Asm.Clear(); // $jmpto
process.Asm.AddLine("jmp " + (codeCave));
process.Asm.Inject(pEndScene);
}
catch
{
mainThreadHooked = false; return;
}
mainThreadHooked = true;
}
}
public void Hooking()
{
// Offset:
uint DX_DEVICE = 0xAD773C + baseAdress;
uint DX_DEVICE_IDX = 0x27F8;
uint ENDSCENE_IDX = 0xA8;
// Process Connect:
if (!Memory.IsProcessOpen)
{
Memory = new BlackMagic((int)_processId);
}
if (Memory.IsProcessOpen)
{
// Get address of EndScene
uint pDevice = Memory.ReadUInt(DX_DEVICE);
uint pEnd = Memory.ReadUInt(pDevice + DX_DEVICE_IDX);
uint pScene = Memory.ReadUInt(pEnd);
uint pEndScene = Memory.ReadUInt(pScene + ENDSCENE_IDX);
if (Memory.ReadByte(pEndScene) == 0xE9 && (injected_code == 0 || addresseInjection == 0)) // check if wow is already hooked and dispose Hook
{
DisposeHooking();
}
if (Memory.ReadByte(pEndScene) != 0xE9) // check if wow is already hooked
{
try
{
threadHooked = false;
// allocate memory to store injected code:
injected_code = Memory.AllocateMemory(2048);
// allocate memory the new injection code pointer:
addresseInjection = Memory.AllocateMemory(0x4);
Memory.WriteInt(addresseInjection, 0);
// allocate memory the pointer return value:
retnInjectionAsm = Memory.AllocateMemory(0x4);
Memory.WriteInt(retnInjectionAsm, 0);
Memory.Asm.Clear();
Memory.Asm.AddLine("mov edi, edi");
Memory.Asm.AddLine("push ebp");
Memory.Asm.AddLine("mov ebp, esp");
Memory.Asm.AddLine("pushfd");
Memory.Asm.AddLine("pushad");
//Test for waiting code
Memory.Asm.AddLine("mov eax, [" + addresseInjection + "]");
Memory.Asm.AddLine("test eax, ebx");
Memory.Asm.AddLine("je @out");
//Execute waiting code
Memory.Asm.AddLine("mov eax, [" + addresseInjection + "]");
Memory.Asm.AddLine("call eax");
//Copy pointer to return value
Memory.Asm.AddLine("mov [" + retnInjectionAsm + "], eax");
Memory.Asm.AddLine("mov edx, " + addresseInjection);
Memory.Asm.AddLine("mov ecx, 0");
Memory.Asm.AddLine("mov [edx], ecx");
//Close Function
Memory.Asm.AddLine("@out:");
//Inject Code
uint sizeAsm = (uint)(Memory.Asm.Assemble().Length);
Memory.Asm.Inject(injected_code);
int sizeJumpBack = 5;
// create jump back stub
Memory.Asm.Clear();
Memory.Asm.AddLine("jmp " + (pEndScene + sizeJumpBack));
Memory.Asm.Inject(injected_code + sizeAsm);// + (uint)sizeJumpBack);
// create hook jump
Memory.Asm.Clear(); // $jmpto
Memory.Asm.AddLine("jmp " + (injected_code));
Memory.Asm.Inject(pEndScene);
}
catch { threadHooked = false; return; }
}
threadHooked = true;
}
}