Valhalla Legends Forums Archive | Advanced Programming | XP says I messed with ESP?? but I didn't

thetempest
calling this function from within starcraft, when the function exits (hits the ret ASM command) I get a pop up from XP saying that the ESP has been messed with...

does anyone have any ideas?

btw, all the DWORD addresses are valid and correct...this is for the hack I'm making so I can't release the addresses...all the code executes fine, I even put a MessageBox() at the end and it popped up, but when it leaves, it says the ESP has been messed with: "abort retry ignore" all crash????

this is a function that sc calls because I injected a DLL and sc calls it, but now I have this problem...

[code]
void _stdcall dontDropMe()
{
   int playerNumber = -1;
   char *buffer = new char[256];   
   DWORD jmpto = 0x00??????;
   DWORD callto = 0x00??????;
   DWORD textBuffer_temp = 0x00000000;
   
   _asm
   {
      mov playerNumber,ecx
      mov textBuffer_temp,edx

   }
   
   if(textBuffer_temp == 0x00000000)
      return;

   buffer = (char*)textBuffer_temp;

   if(playerNumber == -1)
   {
      MessageBox(0,"PlayerNumber = -1","error",0);
      return;
   }
   
   if(playerNumber == 0)
   {
      for(int i = 0; i < 69; i++)
         if(buffer[i] == '\x0C')
         {
            buffer[i] = '\x41';            
         }      
   }

   _asm call callto   
   _asm test eax,eax
}
[/code]

any help?
Thanks
December 2, 2003, 4:35 AM
Skywing
What calling convention is callto? You might need to save appropriate registers on the stack before the call.
December 2, 2003, 4:39 AM
thetempest
oh, that's a good point :D

Basically the call and the test statement at the end are the two statements that I overwrote to call this function...

so perhaps I should push all the registers at the beginning of this function and pop them all before I call the other =)

I'll try that and post what results I get...
Thanks
December 2, 2003, 6:46 AM
thetempest
nope,

that didn't work either...I can't push all the registers until after the pre-calling stuff is done, ie:
[code]
mov ebp,esp
sub esp,220 //or whatever
[/code]

it even messes with EAX which I'm thinking is a problem :( and the called function returns 0 so I know there is a problem with the registers.

do you have any suggestions on a possible fix? I'm thinking of pushing all the registers before this call (ie: jumping to a code cave to do a pushad then call, then upon return popad and call the function then test eax,eax then jmp back) but I'm too lazy...

any shorter way?
thx
December 2, 2003, 7:10 AM
Adron
I think you should rewrite the code that calls this... Instead of "call callto", put "call dontDropMe", and then at the end of dontDropMe, "return callto();". Make sure to use the same calling convention for callto and dontDropMe.
December 2, 2003, 9:57 AM
Adron
Actually, are you at all sure of the calling conventions of and arguments to callto? Perhaps it wants a lot of arguments that you're not passing in?

You could try chaining it in:

* Declare your function naked
* Preserve all registers
* Allocate space on stack for your variables yourself
* End your function by restoring the stack and registers, then jumping to callto

That way, you're not dependent on the calling convention of callto.
December 2, 2003, 10:08 AM
thetempest
well the thing is...

callto isn't one of my functions, it's a function that SC calls. And it happens to be the function that I overwrote to call this DLL function that I wrote...

right now instead of
[code]
call callto
[/code]

in starcraft...it is:
[code]
call [004e5400] //dont drop me
nop
[/code]

the nop is to balance the op code...but anyways, I'm just going to write a new code cave to do this:
[code]
jmp codecave
nop
[/code]

[code]
//code cave
pushad
call [004e5400]
popad
call callto
test eax,eax
jmp <address after jmp to this code cave>
[/code]

it's long and I'm lazy but I guess that's what I'm going to have to do
December 2, 2003, 4:30 PM
Adron
[quote author=thetempest link=board=23;threadid=4010;start=0#msg33196 date=1070382622]
well the thing is...

callto isn't one of my functions, it's a function that SC calls. And it happens to be the function that I overwrote to call this DLL function that I wrote...

right now instead of
[code]
call callto
[/code]

in starcraft...it is:
[code]
call [004e5400] //dont drop me
nop
[/code]
[/quote]

What's the call callto like? I don't see why it would be a longer op-code than your call, it's more likely that it'd be shorter. I suggest replacing call callto with a call directly to your function, not modifying any other code, declaring your function with the same arguments and calling convention as callto and then just passing through. That should work.
December 2, 2003, 10:16 PM
Kp
[quote author=thetempest link=board=23;threadid=4010;start=0#msg33142 date=1070339735]
[code]
void _stdcall dontDropMe()
{
int playerNumber = -1;
char *buffer = new char[256];
DWORD jmpto = 0x00??????;
DWORD callto = 0x00??????;
DWORD textBuffer_temp = 0x00000000;

_asm
{
mov playerNumber,ecx
mov textBuffer_temp,edx

}

if(textBuffer_temp == 0x00000000)
return;

buffer = (char*)textBuffer_temp;
/* more stuff */
}[/code][/quote]

You're allocating a 256-byte array of char, saving its address to buffer, then overwriting the pointer in buffer without freeing the allocated array. As best I can see, you aren't giving that address to any other code, so no one else can free it on your behalf. Conclusion: your function will leak 256 bytes of memory every time it is called.
December 2, 2003, 11:27 PM
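To make Kp's point concrete, here is an added example (not code from the thread or from thetempest) that reduces the posted function to its allocation behaviour and puts the leak-free version beside it. The replaced global `operator new[]`/`operator delete[]`, the names `leakyFilter`, `filterChatBuffer` and `outstandingArrayAllocations`, the return codes, and the sample chat bytes are all constructed for this example; the in-place version keeps the thread's 69-byte scan but also stops at the terminating NUL.

```cpp
#include <cstddef>
#include <cstdlib>
#include <new>

// Constructed bookkeeping: replace the global array new/delete so the example can
// count how many array allocations are still outstanding. Test scaffolding only.
static int g_newArrayCalls = 0;
static int g_deleteArrayCalls = 0;

void *operator new[](std::size_t n)
{
    ++g_newArrayCalls;
    void *p = std::malloc(n ? n : 1);
    if (p == nullptr) throw std::bad_alloc();
    return p;
}
void operator delete[](void *p) noexcept { ++g_deleteArrayCalls; std::free(p); }
void operator delete[](void *p, std::size_t) noexcept { ++g_deleteArrayCalls; std::free(p); }

int outstandingArrayAllocations() { return g_newArrayCalls - g_deleteArrayCalls; }

// Leak-free version: works directly on the caller's buffer, allocates nothing.
// Return codes are an assumption for this example: -2 for a null buffer, -1 for
// playerNumber == -1, otherwise the number of bytes rewritten. The thread's loop
// scans a fixed 69 bytes; this one also stops at NUL so it never reads past a
// shorter string.
int filterChatBuffer(int playerNumber, char *textBuffer, std::size_t limit = 69)
{
    if (textBuffer == nullptr) return -2;
    if (playerNumber == -1) return -1;
    if (playerNumber != 0) return 0;

    int replaced = 0;
    for (std::size_t i = 0; i < limit && textBuffer[i] != '\0'; ++i) {
        if (textBuffer[i] == '\x0C') {   // the control byte the thread replaces
            textBuffer[i] = '\x41';      // 'A'
            ++replaced;
        }
    }
    return replaced;
}

// The allocation pattern from the posted function: allocate 256 bytes, then drop
// the only pointer to them. Every call leaves one array allocation outstanding.
int leakyFilter(int playerNumber, char *textBuffer)
{
    char *buffer = new char[256];
    if (textBuffer == nullptr) return -2;   // early return: the array is already lost
    buffer = textBuffer;                    // overwrites the only handle to the new[] block
    return filterChatBuffer(playerNumber, buffer);
}

int main()
{
    char chat[] = {'a', '\x0C', 'b', '\x0C', 'c', '\0'};   // constructed sample line
    leakyFilter(0, chat);
    int leaked = outstandingArrayAllocations();            // 1: never freed
    char chat2[] = {'x', '\x0C', 'y', '\0'};
    filterChatBuffer(0, chat2);
    return (outstandingArrayAllocations() == leaked) ? 0 : 1;  // in-place version adds none
}
```

The sample bytes are written as char arrays rather than string literals on purpose: in a literal such as `"a\x0Cb"` the hex escape would swallow the `b` as a further hex digit, which is an easy way to get a different byte than intended.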
thetempest
lol...hehe, I feel really stupid now...almost like M$ =(

ya, I was working so hard on just getting SC to run w/it that I completely forgot to call delete:
[code]
delete [] textBuffer_temp;
[/code]
December 3, 2003, 1:45 PM