Calling Jass Natives

This is a discussion on Calling Jass Natives within the Warcraft 3 Hacks, bots and tools board part of the Warcraft 3 forum category.

  1. #1
    BullJam

    Calling Jass Natives

    First, I'd like to thank YourName whose SelfHack source and list of JASS offsets has been a great source of info for my latest project.

    As I understand it, in order to call a JASS native you must hook out of WC3's thread.
    YourName's old SelfHack called the PingMiniMap natives out of functions planted by:

    Code:
    #include <windows.h>

    // Plants a 5-byte JMP rel32 at source and returns a trampoline that runs the
    // displaced `length` bytes and then jumps back to source + length.
    BYTE* PlantDetourJMP(BYTE* source, const BYTE* destination, const int length)
    {
        // The trampoline must be executable; malloc'd memory is not once DEP is on.
        BYTE* jump = (BYTE*) VirtualAlloc(NULL, length + 5, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

        DWORD oldProtection;
        VirtualProtect(source, length, PAGE_EXECUTE_READWRITE, &oldProtection);
        memcpy(jump, source, length);   // copy the instructions the detour will destroy

        // JMP back to source + length. rel32 is relative to the end of the 5-byte jump
        // and belongs after the 0xE9 (writing it at jump + length overwrote the opcode).
        jump[length] = 0xE9;
        *(DWORD*)(jump + length + 1) = (DWORD)((source + length) - (jump + length)) - 5;

        // JMP from source to the detour function
        source[0] = 0xE9;
        *(DWORD*)(source + 1) = (DWORD)(destination - source) - 5;

        // NOP the tail of the displaced instructions so nothing decodes as junk
        for(int i = 5; i < length; i++)
            source[i] = 0x90;

        VirtualProtect(source, length, oldProtection, &oldProtection);
        return jump;   // the detour jumps here to resume the original code
    }
    which takes the address at source and replaces 5 bytes with 0xE9 + destination.
    Am I right so far?

    Sometimes SelfHack calls PlantDetourJMP with a length > 5 (i.e. the rune function) and replaces these extra bytes with NOPs. What is the point of this?

    In my project so far I only detour 5 bytes, usually on a CALL line. Should I be looking for reasons to replace more bytes before I jump back into Game.dll?


  2. #2
    ZeD
    Quote Originally Posted by BullJam
    If you plant a detour jump, it uses a length of 5 just for the jump itself; if you "replace" code that is longer, it would just patch those first 5 opcodes.

    e.g.:

    Code:
    <ADDRESS> E8 F465AB6F    Call Game.6FAB65F4 -> DetourJump replaces all 5 opcodes, no need to take a length longer than 5.
    <ADDRESS> 8B5424 1C       mov edx, dword ptr ss:[esp+1C] -> DetourJump would again just replace 5 Opcodes, a rest of 24 1C which is
    <ADDRESS+5> 24 1C          and al, 1C.
    To stop that from happening and giving the game a critical error, you'd just NOP that out and place its original code
    (mov edx, dword ptr ss:[esp+1C]) in your detour function before you jump back to this function.

  3. #3
    BullJam
    Code:
    <ADDRESS> E8 F465AB6F    Call Game.6FAB65F4 -> DetourJump replaces all 5 opcodes, no need to take a length longer than 5.
    <ADDRESS> 8B5424 1C       mov edx, dword ptr ss:[esp+1C] -> DetourJump would again just replace 5 Opcodes, a rest of 24 1C which is
    <ADDRESS+5> 24 1C          and al, 1C.
    I'm confused. Shouldn't it be more like:

    Code:
    <ADDRESS>   8B5424 1C   ->   E9 AABBCC   patching all 4 bytes of mov edx, dword ptr ss:[esp+1C]
    <ADDRESS+4> XX          ->   DD          and the first byte of the next line
    Now say I have:

    Code:
    <ADDRESS>   8B5424 1C    mov edx, dword ptr ss:[esp+1C]
    <ADDRESS+4> 6A 00        push 0
    <ADDRESS+6> 6A 00        push 0
    <ADDRESS+8> 6A 00        push 0

    After patch becomes:

    <ADDRESS>   E9 XXXXXXXX  jmp SomeAddress
    then something like:
    <ADDRESS+5> 006A00       some junk
    <ADDRESS+8> 6A 00        push 0
    Now if I place the destroyed code (push 0; push 0) in my detour function and then jump back into the original function at ADDRESS+8, do I still need to NOP out the junk?

    If so, how much do I need to NOP? Just the byte after E9 XXXXXXXX or every byte before my JumpBackAddress?

    Thanks for your reply.

  4. #4
    ZeD
    You have to add those 0 pushes in your detour function before jumping back, and the junk code has to be NOPped, yes.
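
    The pattern the two replies above settle on (0xE9 + rel32 at the entry, NOPs covering the tail of the displaced instructions) is also exactly what an integrity check looks for when it wants to know whether a function has been detoured. The following is an added example, not code from the thread or from SelfHack: it decodes the destination of a planted jump from bytes captured at a function entry, counts the NOP padding, and flags jumps that leave the owning module. The base address 0x6FAB6000, the destination 0x10001000 and the two byte samples are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* What an integrity check can recover from the first bytes of a function that
 * may carry the pattern from this thread: JMP rel32 (0xE9) plus NOP padding. */
typedef struct {
    int      hooked;      /* 1 if byte 0 is 0xE9 */
    uint32_t target;      /* absolute address the planted jump lands on */
    size_t   nop_padding; /* 0x90 bytes after the jump: tail of the displaced instructions */
} hook_report;

/* code: bytes read from a function entry; base: the address they were read from. */
hook_report inspect_entry(const uint8_t *code, size_t len, uint32_t base)
{
    hook_report r = {0, 0, 0};
    if (len < 5 || code[0] != 0xE9)
        return r;
    int32_t rel;
    memcpy(&rel, code + 1, sizeof rel);     /* little-endian rel32, relative to the next insn */
    r.hooked = 1;
    r.target = base + 5 + (uint32_t)rel;    /* inverse of "(destination - source) - 5" */
    for (size_t i = 5; i < len && code[i] == 0x90; i++)
        r.nop_padding++;
    return r;
}

/* 1 if the jump leaves [mod_lo, mod_hi), the module that owns the function. */
int target_outside_module(const hook_report *r, uint32_t mod_lo, uint32_t mod_hi)
{
    return r->hooked && (r->target < mod_lo || r->target >= mod_hi);
}

/* Constructed samples: the instruction sequence from the thread at a made-up base address. */
#define SAMPLE_BASE 0x6FAB6000u
static const uint8_t clean_entry[10] = {
    0x8B, 0x54, 0x24, 0x1C,                 /* mov edx, dword ptr [esp+1C] */
    0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00 };   /* push 0; push 0; push 0 */
/* Same bytes after a 6-byte detour to a hypothetical 0x10001000: rel32 =
 * 0x10001000 - (SAMPLE_BASE + 5) = 0xA054AFFB, one NOP covers the rest of the
 * displaced mov + first push, then the two untouched pushes follow. */
static const uint8_t hooked_entry[10] = {
    0xE9, 0xFB, 0xAF, 0x54, 0xA0, 0x90,
    0x6A, 0x00, 0x6A, 0x00 };
```

    On a live process the bytes would come from ReadProcessMemory and the trusted copy from the on-disk image; comparing the two catches the patch even before decoding it.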

  5. #5
    MountainDew
    Wait a sec, I'm a bit new to this, but I just called a bunch of JASS natives on battle.net without jumping and EnableFog(true) worked fine. EnableFog(true) actually disables the fog, and then I did the one for removing the black mask, and they both worked OK, and I played the whole game. It was on ladder too!

    Am I missing something? Or is my stuff gonna be banned in the morning? lol. Gotta buncha keys so I can test all I need to.

    (I obviously needed to play the game while considering that I needed my warcraft to act the same as if I didn't have fog removed, ie not attack other units in the fog LOL, or else d/c)

  6. #6
    BullJam
    I guess I named this thread a little poorly. My question was more about hooking out of the WC3 thread into a detour function, than about calling JASS functions. Thanks again to Zero.

    Anyway, you can call some natives out of a WC3 thread without desync, as long as they don't make any major variables mismatch the host's. This leaves mostly visuals (i.e. ping) and functions that return without tampering too much (i.e. GetUnitState/GetOwningPlayer, which simply return a real/handle). You can't call things like CreateUnit.

    I don't really know enough about how you're calling EnableFog to tell you if you're doing something wrong.

  7. #7
    MountainDew
    Yeah... I took advantage of your inability to title threads, since traffic seems a little slow here and I could easily fill up the whole first page with threads.

    Anywho: it works lol. That's funny that you can just use warcraft's own jass natives to maphack.

    It's not by any means useful though; the chances of a desync are too high. I played 5 games and the furthest I made it was 5 minutes.
    Last edited by MountainDew; 02-14-2012 at 02:10 AM.

  8. #8
    YourName
    Yeah like, you just have to right-click any unit under fog and it instantly desyncs. It works, but the risk is too high.
    Providing you with foolish stuff since 2007.
