
I'm trying to call a process function using the fastcall convention from my program, but I get a crash every time I try. I have spent so much time on it and can't solve it... I need some help please... Here is all the needed information and what I tried:

[screenshot: debugger view of the call site, not reproduced here]

The picture shows the instruction context after a breakpoint when the function's program is running...

And here's my source code:

#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>

typedef void (__fastcall * MyFoo)(void * client, DWORD trash, DWORD ConstantD, DWORD objBattid, DWORD zeroParam, DWORD thousParam, float fVal, DWORD targetID);
MyFoo launchMe;

DWORD getProcessBaseAdress(DWORD ProcessID);

const char *flyffServer = "insanity flyff"; // a string literal is already NUL-terminated

HWND neuzWindow = NULL;
DWORD neuzProcessID = 0;
DWORD neuzRamAdress = 0;
HANDLE neuzHandle = NULL;
DWORD clientAdr = 0;

int main(){
    neuzWindow = FindWindowA(0, flyffServer);
    //--------------------------------------
    if(neuzWindow){
        GetWindowThreadProcessId(neuzWindow, &neuzProcessID);

        if(neuzProcessID){
            neuzHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, neuzProcessID);

            if(neuzHandle){
                neuzRamAdress = getProcessBaseAdress(neuzProcessID); // Extracting Neuz's base address

                if(neuzRamAdress){
                    launchMe = (MyFoo)((DWORD)neuzRamAdress + 0x5C400);
                    clientAdr = (DWORD)neuzRamAdress + 0x8D0DC0;

                    printf("Instruction: 0x%08lX\n", (DWORD)(ULONG_PTR)launchMe);
                    printf("Client ADR: 0x%08lX\n", clientAdr);

                    for(;;Sleep(100)){
                        //------------ init params ------------
                        void * client = (void*)clientAdr;
                        DWORD trashDX = 0x0000000B;
                        DWORD msge = 0x0000001D;
                        DWORD selectedBattID = 0x04D4A929;
                        DWORD zeroParam = 0x00000000;
                        DWORD milleParam = 0x00010000;
                        float speedAtt = 0.07f;
                        DWORD targetID = 0x0089B964;

                        printf("0x%08lX\n0x%08lX\n0x%08lX\n0x%08lX\n0x%08lX\n0x%08lX\n%f\n0x%08lX\n",
                            (DWORD)(ULONG_PTR)client,
                            trashDX,
                            msge,
                            selectedBattID,
                            zeroParam,
                            milleParam, // was "thousParam", which is not declared in this scope
                            speedAtt,
                            targetID
                        );

                        // launchMe points into Neuz's address space, not this process's,
                        // so calling it here faults (see the answer below).
                        launchMe(client, trashDX, msge, selectedBattID, zeroParam, milleParam, speedAtt, targetID); // -> Error
                        scanf("%lu", &trashDX); // for blocking the program
                        CloseHandle(neuzHandle);
                        return 0;
                    }
                }
                else printf("Unable to access Neuz's RAM address\n");
                CloseHandle(neuzHandle);
            }
            else printf("Unable to obtain Neuz's handle\n");
        }
        else printf("Unable to detect Neuz's process ID\n");
    }
    else printf("Unable to detect Neuz's window\n");
    return 0;
}

DWORD getProcessBaseAdress(DWORD ProcessID){
    HANDLE hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcessID);
    MODULEENTRY32 me32;
    DWORD base = 0;
    if(hModuleSnap == INVALID_HANDLE_VALUE) return 0; // snapshot failed (e.g. access denied)
    me32.dwSize = sizeof(MODULEENTRY32);
    if(Module32First(hModuleSnap, &me32)) // first entry is the main executable module
        base = (DWORD) me32.modBaseAddr;
    CloseHandle(hModuleSnap);
    return base;
}

Thanks in advance :) ...

Mssm
  • This question cannot be answered, given the information presented (I didn't click the image link to a random image hosting site). There is no way for us to know what calling convention the function at offset `0x5C400` expects, but if it results in a *"crash"* it stands to reason that it's not the one you have specified. – IInspectable Aug 09 '17 at 15:03
  • If you check the picture you'll see Cheat Engine debugging the process to get the instruction's address, with the full stack elements to check the parameters, and my addresses/parameters have the same values as the ones shown in the debugger... What more should I provide so that you can answer me? – Mssm Aug 09 '17 at 15:17
  • The **true** signature of the function at offset `0x5C400`. So far we only see your best guess. – IInspectable Aug 09 '17 at 15:31
  • Got you..., but what if I don't have access to it? – Mssm Aug 09 '17 at 15:39
  • If you don't, then why do you assume that we would? Lacking that information, the least you could do is post the disassembly of the function in question, so that we could make an educated guess at its calling convention. – IInspectable Aug 09 '17 at 15:52
  • A glaring issue with your code is that you are trying to call a function in a foreign process, but perform the call in the context of **your** process. That ain't going to pan out well. This isn't 16-bit Windows where all applications shared the same memory. Each process has its very own address space. The fact that you used the term *"RAM address"* should have given it away, but I missed it. First step in solving your problem: You need to familiarize yourself with memory management in Windows. – IInspectable Aug 09 '17 at 17:33
  • Thanks so much, I've looked at memory management in Windows and found the DLL injection method to access the target process's virtual address space; it works like a charm now (y) – Mssm Aug 11 '17 at 10:42

1 Answer


As IInspectable said in his comment, the problem came from accessing the virtual address space of another process. Reading up on Windows memory management and DLL injection solved the problem for me... maybe someone else will run into this in the future.

Mssm
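The point made in the comments and the answer above, that a pointer computed from another process's base address refers to memory that does not exist in your own process, can be shown directly. The following is an added example, not code from the question or the answer; it uses POSIX fork() so that it runs on any platform, and the names (demonstrate_isolation, isolation_result, shared_looking_value) are this example's own. The child and parent see the identical numeric address for the variable, yet a write through it in the child is invisible to the parent. Windows processes are isolated in exactly the same way, which is why launchMe in the question faults when called from the injector's own process.

```c
/* Added example: two processes, one address value, two different memories. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* A global; after fork() the child holds a private copy at the same address. */
static int shared_looking_value = 1;

typedef struct {
    void *parent_address;  /* &shared_looking_value as seen by the parent */
    void *child_address;   /* &shared_looking_value as reported by the child */
    int child_saw;         /* value the child read back after writing 42 */
    int parent_sees;       /* value the parent reads afterwards through the same address */
} isolation_result;

/* Forks a child that writes 42 through the address and reports what it sees.
 * The parent then reads through the identical address. Returns 1 on success,
 * 0 if pipe/fork failed. */
int demonstrate_isolation(isolation_result *out) {
    int pipefd[2];
    if (pipe(pipefd) != 0) return 0;

    pid_t pid = fork();
    if (pid < 0) return 0;

    if (pid == 0) {
        /* child: modify "the" variable, then send its address and value */
        shared_looking_value = 42;
        void *addr = &shared_looking_value;
        int v = shared_looking_value;
        close(pipefd[0]);
        if (write(pipefd[1], &addr, sizeof addr) != (ssize_t)sizeof addr) _exit(1);
        if (write(pipefd[1], &v, sizeof v) != (ssize_t)sizeof v) _exit(1);
        _exit(0);
    }

    /* parent: collect the child's report, then look at our own copy */
    close(pipefd[1]);
    void *child_addr = NULL;
    int child_v = 0;
    if (read(pipefd[0], &child_addr, sizeof child_addr) != (ssize_t)sizeof child_addr) return 0;
    if (read(pipefd[0], &child_v, sizeof child_v) != (ssize_t)sizeof child_v) return 0;
    close(pipefd[0]);
    waitpid(pid, NULL, 0);

    out->parent_address = &shared_looking_value;
    out->child_address = child_addr;
    out->child_saw = child_v;
    out->parent_sees = shared_looking_value; /* still 1: the write landed in the child's copy */
    return 1;
}

int main(void) {
    isolation_result r;
    if (!demonstrate_isolation(&r)) {
        perror("fork/pipe");
        return 1;
    }
    printf("parent address %p, child address %p (%s)\n",
           r.parent_address, r.child_address,
           r.parent_address == r.child_address ? "same number" : "different");
    printf("child wrote and read %d; parent still reads %d\n", r.child_saw, r.parent_sees);
    return 0;
}
```

The same numeric address names different physical memory in each process, so a value such as base + 0x5C400 taken from Neuz is only meaningful to code running inside Neuz; from the outside, the only legitimate ways to touch that memory are the debugger-style APIs the question already uses (OpenProcess, Toolhelp snapshots, ReadProcessMemory), not a direct call.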