I've been looking into this as well. I can unlock Lua with some HWBPs, but this method is public and at high risk of Blizzard attention. I've been looking at using asmjit to build a fake stack frame for my call to ExecuteBuffer. Right now I use the old handle-exception method for my registered function addresses and use an ExecuteBuffer callback to process my Lua instead of a patch or HWBP unlock. This is great, except that my call is outside the text section. I have used the Blackbone library to successfully generate a call to ExecuteBuffer, but I cannot get a jmp to work. I'm using x64.
Basically, I have tried to find a call rax instruction, mov the ExecuteBuffer address into rax after moving all args into the rcx, rdx and r8 regs, and jmp to the call rax address. However, this results in a crash. I make it to the ExecuteBuffer function, as I've debugged it with Cheat Engine, but I crash later on, due to stack corruption I'd assume.
Code:
typedef int(*MyFn)();
a->mov(asmjit::host::rcx, (DWORD_PTR)buffer);            // arg 1: the Lua string buffer
a->mov(asmjit::host::rdx, (DWORD_PTR)buffer);            // arg 2: the same buffer
a->mov(asmjit::host::r8, 0);                             // arg 3: 0
a->mov(asmjit::host::r13, executeBufferAddress);         // move my function address into r13
a->jmp(((DWORD_PTR)GetModuleHandle(NULL) + 0x7B6BDD));   // this is a call r13 address inside the game module
MyFn fn = (MyFn)(a->make());                             // emit the stub and get a callable pointer to it
fn();
Code:
09130000 - 48 89 4C 24 08         - mov [rsp+08],rcx          ; spill incoming args to the home space
09130005 - 48 89 54 24 10         - mov [rsp+10],rdx
0913000A - 4C 89 44 24 18         - mov [rsp+18],r8
0913000F - 4C 89 4C 24 20         - mov [rsp+20],r9
09130014 - 48 83 EC 38            - sub rsp,38                ; 0x20 shadow space for the callee + 16-byte alignment
09130018 - 48 C7 C1 58469C3C      - mov rcx,3C9C4658 : ["CastSpellByID(136)"]
0913001F - 48 C7 C2 58469C3C      - mov rdx,3C9C4658 : ["CastSpellByID(136)"]
09130026 - 49 C7 C0 00000000      - mov r8,00000000
0913002D - 48 B8 20CDE03F01000000 - mov rax,Wow-64.exe+3CD20  ; ExecuteBuffer
09130037 - FF D0                  - call rax
09130039 - 48 83 C4 38            - add rsp,38
0913003D - 48 8B 4C 24 08         - mov rcx,[rsp+08]          ; restore the spilled args
09130042 - 48 8B 54 24 10         - mov rdx,[rsp+10]
09130047 - 4C 8B 44 24 18         - mov r8,[rsp+18]
0913004C - 4C 8B 4C 24 20         - mov r9,[rsp+20]
09130051 - C3                     - ret
Edit: added working asm call to ExecuteBuffer.
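The mechanics behind the two approaches above, as an added example that is not part of the original post and uses neither asmjit nor Blackbone nor any game code. It runs on x86-64 Linux or macOS with GCC/Clang and emits the machine code bytes by hand. target_function is a constructed stand-in for ExecuteBuffer that records its own return address; g_trusted_text is a page that plays the role of the module's .text section and holds a gadget. Stub A does mov rax / call rax from JIT memory, so the return address the callee sees lies in the JIT page. Stub B loads rax and only jmps into the gadget, so the return address lies in the trusted page, and control comes back to the C caller because the gadget ends in ret. Note what that implies for a call rax found in the middle of a foreign function: after the callee returns, execution continues at the instruction after that call, not in your stub, so a real frame for the surrounding function (or a gadget followed by ret) is needed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

typedef uint64_t (*stub_fn)(void);

/* Constructed stand-in for the game's ExecuteBuffer: records where it was called from. */
static uintptr_t g_last_return_address;
__attribute__((noinline)) static uint64_t target_function(void) {
    g_last_return_address = (uintptr_t)__builtin_return_address(0);
    return 0x1337;
}

/* Page that plays the role of the module's .text section; it holds the gadget. */
static uint8_t *g_trusted_text;
static size_t   g_trusted_len;

/* Copy raw machine code into a fresh page and flip it to RX (write first, then mprotect). */
static uint8_t *map_code(const uint8_t *code, size_t len) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *p = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, code, len);
    if (mprotect(p, page, PROT_READ | PROT_EXEC) != 0) { munmap(p, page); return NULL; }
    return p;
}
static void unmap_code(uint8_t *p) { munmap(p, (size_t)sysconf(_SC_PAGESIZE)); }
static size_t put_imm64(uint8_t *dst, uint64_t v) { memcpy(dst, &v, 8); return 8; }

/* Gadget: sub rsp,8 ; call rax ; add rsp,8 ; ret. The sub/add keep rsp 16-byte aligned
   at the callee's entry; the trailing ret is what brings control back to whoever jumped here. */
int build_gadget(void) {
    static const uint8_t gadget[] = {
        0x48, 0x83, 0xEC, 0x08,   /* sub rsp,8 */
        0xFF, 0xD0,               /* call rax  */
        0x48, 0x83, 0xC4, 0x08,   /* add rsp,8 */
        0xC3                      /* ret       */
    };
    g_trusted_text = map_code(gadget, sizeof gadget);
    g_trusted_len  = sizeof gadget;
    return g_trusted_text != NULL;
}

/* Stub A: call the target directly from JIT memory; the pushed return address is in this stub. */
uint64_t call_direct(void) {
    uint8_t s[32]; size_t n = 0;
    s[n++] = 0x48; s[n++] = 0x83; s[n++] = 0xEC; s[n++] = 0x08;   /* sub rsp,8      */
    s[n++] = 0x48; s[n++] = 0xB8;                                  /* mov rax, imm64 */
    n += put_imm64(s + n, (uint64_t)(uintptr_t)target_function);
    s[n++] = 0xFF; s[n++] = 0xD0;                                  /* call rax       */
    s[n++] = 0x48; s[n++] = 0x83; s[n++] = 0xC4; s[n++] = 0x08;   /* add rsp,8      */
    s[n++] = 0xC3;                                                 /* ret            */
    uint8_t *p = map_code(s, n);
    if (!p) return 0;
    uint64_t r = ((stub_fn)(uintptr_t)p)();
    unmap_code(p);
    return r;
}

/* Stub B: mov rax, target ; mov r11, gadget ; jmp r11. The gadget's call pushes a return
   address inside the trusted page; its ret pops the address our C caller pushed. */
uint64_t call_via_gadget(void) {
    if (!g_trusted_text && !build_gadget()) return 0;
    uint8_t s[32]; size_t n = 0;
    s[n++] = 0x48; s[n++] = 0xB8;                                  /* mov rax, imm64 */
    n += put_imm64(s + n, (uint64_t)(uintptr_t)target_function);
    s[n++] = 0x49; s[n++] = 0xBB;                                  /* mov r11, imm64 */
    n += put_imm64(s + n, (uint64_t)(uintptr_t)g_trusted_text);
    s[n++] = 0x41; s[n++] = 0xFF; s[n++] = 0xE3;                   /* jmp r11        */
    uint8_t *p = map_code(s, n);
    if (!p) return 0;
    uint64_t r = ((stub_fn)(uintptr_t)p)();
    unmap_code(p);
    return r;
}

/* The callee-side check an anti-cheat might do: did the last call come from trusted text? */
int returned_into_trusted_text(void) {
    return g_last_return_address >= (uintptr_t)g_trusted_text &&
           g_last_return_address <  (uintptr_t)g_trusted_text + g_trusted_len;
}

int main(void) {
    if (!build_gadget()) { perror("mmap"); return 1; }
    call_direct();
    printf("direct call : return address in trusted text? %d\n", returned_into_trusted_text());
    call_via_gadget();
    printf("via gadget  : return address in trusted text? %d\n", returned_into_trusted_text());
    return 0;
}
```

Both stubs clobber only rax and r11, which are volatile under both the SysV and the Microsoft x64 conventions, so the same bytes work for either ABI; only the argument registers would differ in a real call.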