XP says i messed with ESP??but i didnt

Started by thetempest, December 01, 2003, 10:35 PM


thetempest

calling this function from within StarCraft, when the function exits (hits the ret ASM command) I get a pop-up from XP saying that the ESP has been messed with...

does anyone have any ideas?

btw, all the DWORD addresses are valid and correct...this is for the hack I'm making so I can't release the addresses...all the code executes fine, I even put a MessageBox() at the end and it popped up, but when it leaves, it says the ESP has been messed with: "abort retry ignore" all crash????

this is a function that SC calls because I injected a DLL and SC calls it, but now I have this problem...


void _stdcall dontDropMe()
{
   int playerNumber = -1;
   char *buffer = new char[256];   
   DWORD jmpto = 0x00??????;
   DWORD callto = 0x00??????;
   DWORD textBuffer_temp = 0x00000000;
   
   _asm
   {
      mov playerNumber,ecx
      mov textBuffer_temp,edx

   }
   
   if(textBuffer_temp == 0x00000000)
      return;

   buffer = (char*)textBuffer_temp;

   if(playerNumber == -1)
   {
      MessageBox(0,"PlayerNumber = -1","error",0);
      return;
   }
   
   if(playerNumber == 0)
   {
      for(int i = 0; i < 69; i++)
         if(buffer[i] == '\x0C')
         {
            buffer[i] = '\x41';            
         }      
   }

   _asm call callto   
   _asm test eax,eax
}


any help?
Thanks

Skywing

What calling convention is callto?  You might need to save appropriate registers on the stack before the call.

thetempest

oh, thats a good point  :D

Basically the call and the test statement at the end are the two statements that I overwrote to call this function...

so perhaps I should push all the registers at the beginning of this function and pop them all before I call the other =)

I'll try that and post what results I get...
Thanks

thetempest

nope,

that didn't work either...I can't push all the registers until after the pre-calling stuff is done, ie:

mov ebp,esp
sub esp,220 //or whatever


it even messes with EAX which I'm thinking is a problem :( and the call'd function returns 0 so I know there is a problem with the registers.

do you have any suggestions on a possible fix?  I'm thinking of pushing all the registers before this call (ie: jumping to a code cave to do a pushad then call, then upon return popad and call the function then test eax,eax then jmp back) but I'm too lazy...

any shorter way?
thx

Adron

I think you should rewrite the code that calls this... Instead of "call callto", put "call dontDropMe", and then at the end of dontDropMe, "return callto();". Make sure to use the same calling convention for callto and dontDropMe.

Adron

Actually, are you at all sure of the calling conventions of and arguments to callto? Perhaps it wants a lot of arguments that you're not passing in?

You could try chaining it in:

* Declare your function naked
* Preserve all registers
* Allocate space on stack for your variables yourself
* End your function by restoring the stack and registers, then jumping to callto

That way, you're not dependent on the calling convention of callto.

thetempest

well the thing is...

callto isn't one of my functions, it's a function that SC calls.  And it happens to be the function that I overwrote to call this DLL function that I wrote...

right now instead of

call callto


in starcraft...it is:

call [004e5400] //dont drop me
nop


the nop is to balance the opcode...but anyways, I'm just going to write a new code cave to do this:

jmp codecave
nop



//code cave
pushad
call [004e5400]
popad
call callto
test eax,eax
jmp <address after jmp to this code cave>


it's long and I'm lazy but I guess that's what I'm going to have to do

Adron

Quote from: thetempest on December 02, 2003, 10:30 AM
well the thing is...

callto isn't one of my functions, it's a function that SC calls.  And it happens to be the function that I overwrote to call this DLL function that I wrote...

right now instead of

call callto


in starcraft...it is:

call [004e5400] //dont drop me
nop


What's the call callto like? I don't see why it would be a longer op-code than your call, it's more likely that it'd be shorter. I suggest replacing call callto with a call directly to your function, not modifying any other code, declaring your function with the same arguments and calling convention as callto and then just passing through. That should work.
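Adron's suggestion in this post and the one above (replace the call to callto with a call to your function, give it the same arguments and calling convention, and finish with "return callto();") is shown below as an added example; it is not code from the thread or from any of the posters. The signature target_fn, the names original_callto, install_hook, dont_drop_me_hook, scrub_control_codes and hook_demo, and the sample string are all constructed for the example. The thread's routine receives its two arguments in ecx and edx; the example uses ordinary C parameters so it compiles anywhere, because the point being demonstrated is that the hook must honour the exact contract of the routine it replaces and let the compiler emit the prologue and epilogue, rather than hand-patching the return path. The "ESP has been messed with" dialog is the MSVC debug runtime's check that the stack pointer is unchanged across a call, and a calling-convention mismatch between a hook and the routine it replaces is exactly what trips it. The example also works in place on the caller's buffer instead of allocating a new char[256], so the leak Kp describes further down cannot occur.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical signature of the routine being replaced ("callto" in the
   thread). The real one takes its arguments in ecx/edx; plain C parameters
   are used here so the example is portable. */
typedef int (*target_fn)(int player_number, char *text);

/* Constructed stand-in for the original routine: returns the text length
   so the pass-through's return value can be checked by the caller. */
static int original_callto(int player_number, char *text)
{
    (void)player_number;
    return (int)strlen(text);
}

/* Address of the original routine, recorded by install_hook(). */
static target_fn g_original = NULL;

/* The edit the thread's function performs: for player 0, rewrite control
   byte 0x0C to 'A' within the first 69 bytes. Works in place on the
   caller's buffer, so nothing is allocated and nothing can leak. The
   terminator check is an addition; the thread's loop scans 69 bytes blindly. */
static void scrub_control_codes(int player_number, char *text)
{
    if (player_number != 0 || text == NULL)
        return;
    for (size_t i = 0; i < 69 && text[i] != '\0'; i++) {
        if (text[i] == '\x0C')
            text[i] = 'A';
    }
}

/* The hook. Same parameters and return type as the routine it replaces,
   so the caller's stack is left exactly as it expects; it then passes
   control through ("return callto();" in Adron's wording). */
int dont_drop_me_hook(int player_number, char *text)
{
    if (text != NULL && player_number != -1)
        scrub_control_codes(player_number, text);
    return g_original(player_number, text);
}

/* Records the original and hands back the hook address that should be
   written in its place. Returns NULL if no original was supplied. */
target_fn install_hook(target_fn original)
{
    if (original == NULL)
        return NULL;
    g_original = original;
    return dont_drop_me_hook;
}

/* Runs one call through the hook on a constructed string and returns how
   many bytes were rewritten, or -1 if the pass-through return value did
   not match what the original would have returned. */
int hook_demo(int player_number)
{
    char text[] = "say\x0Chello\x0C";   /* constructed sample: two 0x0C bytes */
    target_fn fn = install_hook(original_callto);
    int rc = fn(player_number, text);
    if (rc != (int)strlen(text))
        return -1;
    int rewritten = 0;
    for (size_t i = 0; text[i] != '\0'; i++)
        if (text[i] == 'A')
            rewritten++;
    return rewritten;
}

int main(void)
{
    printf("player 0: %d bytes rewritten\n", hook_demo(0));   /* 2 */
    printf("player 1: %d bytes rewritten\n", hook_demo(1));   /* 0 */
    return 0;
}
```

Because dont_drop_me_hook has the same signature as original_callto, the compiler generates matching stack handling for both, which is what keeps the caller's ESP intact; the register-saving and code-cave work discussed earlier in the thread only becomes necessary when the two sides do not share a convention.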

Kp

Quote from: thetempest on December 01, 2003, 10:35 PM

void _stdcall dontDropMe()
{
  int playerNumber = -1;
  char *buffer = new char[256];  
  DWORD jmpto = 0x00??????;
  DWORD callto = 0x00??????;
  DWORD textBuffer_temp = 0x00000000;
 
  _asm
  {
     mov playerNumber,ecx
     mov textBuffer_temp,edx

  }
 
  if(textBuffer_temp == 0x00000000)
     return;

  buffer = (char*)textBuffer_temp;
/* more stuff */
}

You're allocating a 256-byte array of char, saving its address to buffer, then overwriting the pointer in buffer without freeing the allocated array.  As best I can see, you aren't giving that address to any other code, so no one else can free it on your behalf.  Conclusion: your function will leak 256 bytes of memory every time it is called.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

thetempest

lol...hehe, I feel really stupid now...almost like M$ =(

ya, I was working so hard on just getting SC to run w/it that I completely forgot to call delete:

delete [] textBuffer_temp;