Invalid address specified to RtlFreeHeap

I've been debugging and looking over my source for hours on this problem.
Google brought some insight on what could be the issue, but I still don't see what could be the problem.

Code:
EDX 0012F0F1 ASCII "nvalid address specified to RtlFreeHeap( 023B0000, 00224C88 )
"

Code:
    char* szArg = "What";

    // two MUID parameters, only one half of each id filled in
    MUID* uidChar = new MUID( );
    MUID* uidChan = new MUID( );
    uidChar->uidLow = GetMyUID( );
    uidChan->uidHigh = GetChannelUID( );

    // build the command and attach its three parameters
    MCommand* pCmd = MCommand::NewCmd( 0x4C9 );
    pCmd->AddParameter( new MCommandParameterMUID( uidChar ) );
    pCmd->AddParameter( new MCommandParameterMUID( uidChan ) );
    pCmd->AddParameter( new MCommandParameterString( szArg ) );

    MCommand::ZPost( pCmd );    // hands the command to the game client

As far as I dug into it, "MCommand::ZPost( pCmd );" is causing the issue.
Code:
    static void ZPost( MCommand* pCmd )
    {
        __asm
        {
            MOV EAX, ZGetGameClientAddress   ; EAX = address of ZGetGameClient()
            CALL EAX                         ; EAX = MClient* it returns
            PUSH pCmd                        ; stack argument for MClient::Post
            MOV EDX, [EAX]                   ; EDX = vtable
            MOV ECX, EAX                     ; this pointer (thiscall)
            CALL [EDX + 0x30]                ; vtable slot at +0x30: MClient::Post
        }
    }

I've been up almost all night attempting to resolve this. I'm not mixing debug and release mode either.

What could be the issue?

Edit-
Should have mentioned...
When debugging, it stops in ntdll after an interrupt 3/INT3/Whatever.
Code:
771D467F   A3 48F01E77      MOV DWORD PTR DS:[771EF048],EAX
771D4684   CC               INT3
771D4685   C605 4DF01E77 00 MOV BYTE PTR DS:[771EF04D],0 ;;Stops here
771D468C   5D               POP EBP
771D468D   C2 0400          RETN 4

After just continuing execution, the code works fine (no crashes, nothing) and does as it's intended.
 
Can you post the code of ZGetGameClientAddress and MClient::post?
 
Can you post the code of ZGetGameClientAddress and MClient::post?

ZGetGameClientAddress is just an address pointing to a function,
Code:
const unsigned long ZGetGameClientAddress     = 0x004AE700;

and there is no MClient::post in my code; that comment is just a reminder of what "CALL DWORD PTR DS:[EDX+30]" is.

Code:
004C5FCB  |> E8 3087FEFF    CALL thedueld.004AE700 ; ZGetGameClient
004C5FD0  |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]
004C5FD3  |. 8B10           MOV EDX,DWORD PTR DS:[EAX]
004C5FD5  |. 51             PUSH ECX
004C5FD6  |. 8BC8           MOV ECX,EAX
004C5FD8  |. FF52 30        CALL DWORD PTR DS:[EDX+30] ; This calls MClient::Post

MClient::post
Code:
00517B30   . 53             PUSH EBX
00517B31   . 56             PUSH ESI
00517B32   . 57             PUSH EDI
00517B33   . 8BF1           MOV ESI,ECX
00517B35   . 8DBE 58010000  LEA EDI,DWORD PTR DS:[ESI+158]
00517B3B   . 57             PUSH EDI                                          ; /pCriticalSection
00517B3C   . FF15 64716200  CALL DWORD PTR DS:[<&KERNEL32.EnterCriticalSectio>; \EnterCriticalSection
00517B42   . 8B4424 10      MOV EAX,DWORD PTR SS:[ESP+10]
00517B46   . 50             PUSH EAX
00517B47   . 8BCE           MOV ECX,ESI
00517B49   . E8 12DAFFFF    CALL thedueld.00515560
00517B4E   . 57             PUSH EDI                                          ; /pCriticalSection
00517B4F   . 8AD8           MOV BL,AL                                         ; |
00517B51   . FF15 68716200  CALL DWORD PTR DS:[<&KERNEL32.LeaveCriticalSectio>; \LeaveCriticalSection
00517B57   . 5F             POP EDI
00517B58   . 5E             POP ESI
00517B59   . 8AC3           MOV AL,BL
00517B5B   . 5B             POP EBX
00517B5C   . C2 0400        RETN 4

ZGetGameClient:
Code:
004AE700   $^E9 7BBFFEFF    JMP thedueld.0049A680

(ZApplication::GetGameClient, which is what the JMP goes to)
Code:
0049A680  /$ A1 284B6B00    MOV EAX,DWORD PTR DS:[6B4B28]
0049A685  |. 85C0           TEST EAX,EAX
0049A687  |. 75 07          JNZ SHORT thedueld.0049A690
0049A689  |. 8B80 EC020000  MOV EAX,DWORD PTR DS:[EAX+2EC]
0049A68F  |. C3             RETN
0049A690  |> 8B00           MOV EAX,DWORD PTR DS:[EAX]
0049A692  |. 8B80 EC020000  MOV EAX,DWORD PTR DS:[EAX+2EC]
0049A698  \. C3             RETN
 
Travis __ says (5:27 PM)
what o.o
Jacob says (5:27 PM)
OH
LOL
TURN OFF UNICODE
Travis __ says (5:27 PM)
SOB
I thought of that then Phoenix made me forget LOL
Jacob says (5:27 PM)
#undef UNICODE
Travis __ says (5:41 PM)
Dude
i love you
Jacob says (5:41 PM)
rofl

Code:
    // Calls the game's own command allocator at ZNewCMDAddress as a __cdecl function taking the packet id
    static MCommand* Create(unsigned long packetId)
    {
        return ((MCommand* (__cdecl*)(unsigned long))ZNewCMDAddress)(packetId);
    }

When I debugged it in Debug mode (I forgot to switch from Release to Debug), I added a watch to pCmd->AddParameter and noticed it said this:
CXX0069: Error: variable needs stack frame

After I showed him this:


He noticed right away that it was because MCommandParameterString was using Unicode, which it isn't supposed to.
Now, this works perfectly:
Code:
#include <windows.h>

// Background thread: polls for Alt+Z and posts a test command when pressed.
void MainThread( void )
{
	for( ;;Sleep( 80 ) )
	{
		if( GetAsyncKeyState( VK_MENU )&0x8000 && GetAsyncKeyState( 'Z' )&0x8000 )
		{
			MCommand* pCmd = ZNewCmd( 0x982 );
			pCmd->AddParameter( new MCommandParameterString( "Hello World!" ) );	// narrow string, matching the non-UNICODE build
			MCommand::Post( pCmd );

			delete pCmd;

			Sleep( 1000 );	// so one key press posts the command once
		}
	}
}

Just showing what the problem was and how to resolve it. Thank you, sachav, for attempting to help me.
Closed.
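Added illustration, not code from this thread or from the game's MCommand classes: a hypothetical TCHAR-style string parameter shows how a DLL built with UNICODE hands an ANSI-built client a buffer whose byte size differs from what the client expects, and how a narrow-only wrapper turns that mismatch into a compile error instead of a runtime heap complaint. The class internals and the size-mismatch mechanism are assumptions; the thread itself only shows that #undef UNICODE fixed the crash.

```cpp
#include <cstddef>
#include <cstring>
#include <cwchar>
#include <vector>

// Hypothetical stand-in for a TCHAR-based string parameter (not the game's
// MCommandParameterString): with UNICODE defined, TCHAR becomes wchar_t and
// every character occupies sizeof(wchar_t) bytes instead of one.
template <typename CharT>
class StringParam {
public:
    explicit StringParam(const CharT* s) : buf_(s, s + length(s) + 1) {}
    std::size_t byteSize() const { return buf_.size() * sizeof(CharT); }
    std::size_t charCount() const { return buf_.size(); }
private:
    static std::size_t length(const char* s) { return std::strlen(s); }
    static std::size_t length(const wchar_t* s) { return std::wcslen(s); }
    std::vector<CharT> buf_;
};

// Bytes an ANSI-built client expects for a narrow literal: chars plus NUL.
std::size_t expectedAnsiBytes(const char* s) { return std::strlen(s) + 1; }

// Bytes the same parameter occupies when the injecting DLL is built with
// UNICODE (assumed mechanism): the ANSI receiver then works on a buffer whose
// extent differs from the one it believes it allocated.
std::size_t unicodeBuildBytes(const wchar_t* s) {
    return StringParam<wchar_t>(s).byteSize();
}

// Narrow-only wrapper: deleting the wchar_t overload makes an accidental
// UNICODE build (or an L"..." literal) fail to compile rather than corrupt
// the heap at runtime.
class NarrowStringParam : public StringParam<char> {
public:
    explicit NarrowStringParam(const char* s) : StringParam<char>(s) {}
    explicit NarrowStringParam(const wchar_t*) = delete;
};

// Check an injector can run once at load: the parameter it builds must have
// exactly the byte extent the ANSI target expects for that string.
bool layoutMatches(const NarrowStringParam& p, const char* s) {
    return p.byteSize() == expectedAnsiBytes(s);
}
```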