Question Mid Function Hooking Crashes

[PwndDepot]

This is driving me insane, not sure why it keeps crashing. If it doesn't crash it returns 0.

I have my x coordinate that i'm trying to get the address of through mid function hooking. I right click and click find out what accesses this address. I choose one and click go to disassembler

SFMW.dll+B07EC3 - 89 48 04              - mov [eax+04],ecx
SFMW.dll+B07EC6 - 8B 50 30              - mov edx,[eax+30]
SFMW.dll+B07EC9 - 89 50 08              - mov [eax+08],edx
SFMW.dll+B07ECC - 8B 48 34              - mov ecx,[eax+34]
SFMW.dll+B07ECF - 89 48 0C              - mov [eax+0C],ecx

right click, go to address, copy the address
go to olly, go to that address and do a sig scan. OK, the sig scan highlighted two instructions. But i'm a little confused on how to find the length of PlaceJMP(). I thought it would be 6 bytes. I wrote up my code, but every time I press Spacebar (or try to modify/access XaxisPtr for that matter) it crashes. My assembly knowledge kinda sucks but I tried to do this;

	__asm
	{
		MOV [eax+0x4], ecx
		MOV XaxisRegister, eax
		MOV edx, [eax+0x30]
			JMP[FlyJmpBack]
	}

and the add 0x4 to XaxisRegister but that returns 0 I think. When I try to move ecx into xaxisregister I get a crash.
Here's my main

#include <Windows.h>
#include <iostream>  
#include "hooks.h"

HANDLE hProcHandle = NULL;

DWORD WINAPI MainThread(LPVOID param)
{

	DWORD_PTR  flyAddy = FindPattern("SFMW.dll", "\x89\x48\x04\x8B\x50\x30", "xxxxxx");
	MsgBoxAddy(flyAddy);

	DWORD JmpBack = flyAddy + 0x6;

	PlaceJMP((BYTE*)flyAddy, (DWORD)GetPlayerXaxis, 6);


	return 0;
}

DWORD WINAPI OverwriteValues()
{
	for (;; Sleep(150))
	{
		XaxisPtr = XaxisRegister + 0x4;

		if (GetAsyncKeyState(VK_SPACE))
		{
			std::cout << XaxisPtr << std::endl;
			std::cout << XaxisRegister << std::endl;
			MessageBox(NULL, (LPCSTR)XaxisPtr, "TEST", MB_OK);

                        //THIS IS WHERE I CRASH
			//*(float*)XaxisPtr += .1f;

		}

		if (GetAsyncKeyState(VK_CONTROL))
		{
			*(float*)XaxisPtr -= .1f;
		}
	}

	return 0;
}


BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,  // handle to DLL module
    DWORD fdwReason,     // reason for calling function
    LPVOID lpReserved)     // reserved
{
    // Perform actions based on the reason for calling.
    switch(fdwReason)
    {
        case DLL_PROCESS_ATTACH:
            // Initialize once for each new process.
            // Return FALSE to fail DLL load.
            //MessageBoxA(NULL, "Attached successfuly", "", 0);
			CreateThread(0, 0, MainThread, hinstDLL, 0, 0);
			CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)OverwriteValues, NULL, NULL, NULL);
			AllocConsole();
			AttachConsole(fdwReason);
			freopen("CONIN$", "r", stdin);
			freopen("CONOUT$", "w", stdout);
			freopen("CONOUT$", "w", stderr);
			//InitiateHooks();
            break;
    }
    // Successful DLL_PROCESS_ATTACH.
    return TRUE;
}

and Functions.h

#include <iostream>
#include <Windows.h>
#include <tlhelp32.h>
#include <Psapi.h>


void MsgBoxAddy(DWORD_PTR addy)
{
	char szBuffer[1024];
	sprintf_s(szBuffer, "Pointer: 0x%02X", addy);
	MessageBox(NULL, szBuffer, "Pointer", MB_OK);
}

void PlaceJMP(BYTE* Address, DWORD jumpTo, DWORD length = 5)
{
	DWORD dwOldProtect, dwBkup, dwRelAddr;

	VirtualProtect(Address, length, PAGE_EXECUTE_READWRITE, &dwOldProtect);

	dwRelAddr = (DWORD)(jumpTo - (DWORD)Address-5);

	*Address = 0xE9;

	*((DWORD *)(Address + 0x1)) = dwRelAddr;

	for (DWORD x = 0x5; x < length; x++)
	{
		*(Address + x) = 0x90;
	}

	VirtualProtect(Address, length, dwOldProtect, &dwBkup);

}

MODULEINFO GetModuleInfo(char *szModule)
{
	MODULEINFO modinfo = { 0 };
	HMODULE hModule = GetModuleHandle(szModule);

	if (hModule == 0) return modinfo;
	GetModuleInformation(GetCurrentProcess(), hModule, &modinfo, sizeof(MODULEINFO));
	return modinfo;
}

bool Compare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
	for (; *szMask; ++szMask, ++pData, ++bMask)
		if (*szMask == 'x' && *pData != *bMask)   return 0;
	return (*szMask) == NULL;
}

DWORD_PTR FindPattern(char* module, char* pattern, char* mask)
{
	MODULEINFO mInfo = GetModuleInfo(module);
	DWORD_PTR base = (DWORD_PTR)mInfo.lpBaseOfDll;
	DWORD_PTR size = (DWORD_PTR)mInfo.SizeOfImage;

	DWORD_PTR patternLength = (DWORD_PTR)strlen(mask);

	char buf[1024];
	sprintf(buf, "Base: 0x%02X \n Size: 0x%02X \n Pattern Length: 0x%02X", base, size, patternLength);
	MessageBox(NULL, buf, "DATA", MB_OK);

	for (DWORD_PTR i = 0; i < size - patternLength; i++)
	{
		bool found = true;
		for (DWORD_PTR j = 0; j < patternLength; j++)
		{
			found &= mask[j] == '?' || pattern[j] == *(char*)(base + i + j);
		}
		if (found)
		{
			MessageBox(NULL, "TRUE", "test", MB_OK);
			return base + i;
		}

		if (Compare((BYTE*)(base + i), (BYTE*)pattern, mask))
		{
			MessageBox(NULL, "TRUE2", "test", MB_OK);
			return (DWORD)(base + i);
		}
	} 

	return NULL;
}

hooks.h

#include "Functions.h"

DWORD FlyJmpBack = 0;
DWORD XaxisRegister = 0x0;
DWORD XaxisPtr;

__declspec(naked) void GetPlayerXaxis()
{
	__asm
	{
		MOV [eax+0x4], ecx
		MOV XaxisRegister, eax
		MOV edx, [eax+0x30]
			JMP[FlyJmpBack]
	}
}

Again, offering free blowjobs to anyone that helps

 

[mambda]

cant help ya unless i see the registers as they would be in the game at that point.

or i can guess and say: 1. is position defintely a float? Looks like an int to me, you can tell somethings a float/double by the use of movss and things of that nature.

 

[Solaire]

cant help ya unless i see the registers as they would be in the game at that point.

or i can guess and say: 1. is position defintely a float? Looks like an int to me, you can tell somethings a float/double by the use of movss and things of that nature.

Saw some of it last night, EAX is the base for the position vars, eax + 4 is the address, [eax + 4] is the position.

 

[mambda]

So it's an int then, not a float/double ? If so then you definitely dont want to dereference as a float OP, not sure if it'd cause a crash though