How to bypass framescript_execute call return address check?

  1. #1 59589305 (Member)

    How to bypass framescript_execute call return address check?

    Hi everyone, how to use this check_retaddr func to call framescript_execute?


    Code:
    #include <stdint.h>

    /*
     * Reversed pseudocode of the return-address check (build 2.5.4.42940).
     * mem is a flat view of process memory: mem[x] reads the byte at absolute
     * address x. Addresses assume the module is loaded at its preferred image
     * base, 0x140000000.
     */
    int
    check_retaddr(uint8_t *ret)
    {
            uint8_t *mem = 0;

            /* check 1. return address is inside .text
             * (.text begins at image base + 0x1000; the quoted post wrote 0x14001000, missing a digit) */
            if (ret < (uint8_t*)0x140001000 || ret > (uint8_t*)0x142400B75)
                    return 0;

            /* check 2. invoked from a call.  rop check?
             * patterns: 0xe8, 0xff 0x1x, 0xff 0x5x, 0xff 0x9x, 0xff 0xdx
             * i.e. opcode 0xff with ModRM reg field 2 or 3: ((modrm & 0x38) - 16) & 0xf7 == 0 */
            int iscall = 0;
            uint64_t reti = (uint64_t)ret;

            if (mem[reti-5] == 0xe8) // call rel32
                    iscall = 1;
            if (mem[reti-6] == 0xff && (((mem[reti-5] & 0x38) - 16 ) & 0xf7) == 0) // call [reg + disp32], call [rip + disp32]
                    iscall = 1;
            if (mem[reti-3] == 0xff && (((mem[reti-2] & 0x38) - 16 ) & 0xf7) == 0) // call [reg + disp8]
                    iscall = 1;
            if (mem[reti-2] == 0xff && (((mem[reti-1] & 0x38) - 16 ) & 0xf7) == 0) // call reg, call [reg]
                    iscall = 1;

            if (! iscall)
                    return 0;

            /* check 3. the return address is on the good list */

            /* step 1. get the array of good return addresses:
             * rettab[i] is the byte offset, relative to rettab, of the array for the
             * i-th 0x4000-byte chunk of the image, or 0 if that chunk has none */
            uint32_t *rettab = (uint32_t *)0x1400BBC84;
            uint64_t ret_offset = (uint64_t)ret - 0x140000000;
            uint32_t array_offset = rettab[ret_offset / 0x4000];
            if (array_offset == 0)
                    return 0;

            /* step 2. traverse the zero-terminated array. check if this address is listed
             * (unsigned subtraction: an entry matches when it is at ret or up to 64 bytes above it) */
            uint32_t *pgoodaddr = (uint32_t *)&rettab[array_offset/4];
            while (*pgoodaddr > 0) {
                    if ( (*pgoodaddr - ret_offset) <= 64)
                            return 1;
                    pgoodaddr++;
            }

            return 0;
    }
    from https://www.ownedcore.com/forums/wor...4-42940-a.html (reversing the return address check in 2.5.4.42940)
    Last edited by 59589305; 01-26-2023 at 05:42 AM.

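As an added illustration (my own code, not from this thread, the quoted post or the game client): the three stages of the reversed check above, rebased onto a constructed in-memory image so the whole thing runs stand-alone. The image layout, the table at offset 0x100, the per-chunk arrays and every call site are made up for the demonstration; only the check logic follows the pseudocode. Two things to notice from the cases at the bottom: check 2 is a byte-pattern heuristic, and check 3's unsigned subtraction accepts any call-preceded address up to 64 bytes below a listed one, not just the listed address itself.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed image (not the game binary): three 0x4000-byte chunks, "text"
 * starting at offset 0x1000, whitelist table at offset 0x100 (assumed). All
 * values are offsets from the image base, i.e. the ret_offset of the check. */
#define CHUNK        0x4000
#define IMAGE_SIZE   (3 * CHUNK)
#define TEXT_START   0x1000
#define TEXT_END     (IMAGE_SIZE - 1)
#define RETTAB_OFF   0x100
#define CHUNK0_ARRAY 0x20    /* byte offsets, relative to the table, of each chunk's array */
#define CHUNK1_ARRAY 0x40

static uint8_t image[IMAGE_SIZE];

static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* ModRM reg field (bits 3..5) must be 2 (call near) or 3 (call far):
 * (reg << 3) is 0x10 or 0x18, minus 16 leaves 0 or 8, and & 0xf7 drops bit 3. */
static int modrm_is_call(uint8_t modrm)
{
    return (((modrm & 0x38) - 16) & 0xf7) == 0;
}

/* check 2: do the bytes just before ret look like the tail of a call? */
static int preceded_by_call(const uint8_t *mem, uint64_t ret)
{
    if (mem[ret - 5] == 0xe8)                                return 1; /* call rel32 */
    if (mem[ret - 6] == 0xff && modrm_is_call(mem[ret - 5])) return 1; /* call [reg/rip + disp32] */
    if (mem[ret - 3] == 0xff && modrm_is_call(mem[ret - 2])) return 1; /* call [reg + disp8] */
    if (mem[ret - 2] == 0xff && modrm_is_call(mem[ret - 1])) return 1; /* call reg, call [reg] */
    return 0;
}

/* The reversed check with ret given as an image offset instead of an absolute address. */
int check_retaddr_rebased(const uint8_t *mem, uint64_t ret)
{
    /* check 1: inside "text" (this also keeps every read below inside the buffer) */
    if (ret < TEXT_START || ret > TEXT_END)
        return 0;
    if (!preceded_by_call(mem, ret))
        return 0;

    /* check 3, step 1: table slot for this 0x4000-byte chunk */
    const uint8_t *rettab = mem + RETTAB_OFF;
    uint32_t array_offset = get32(rettab + (ret / CHUNK) * 4);
    if (array_offset == 0)
        return 0;

    /* check 3, step 2: walk the zero-terminated array. uint32 - uint64 is unsigned,
     * so an entry matches when it is at ret or up to 64 bytes above it. */
    const uint8_t *p = rettab + array_offset;
    for (uint32_t good = get32(p); good > 0; p += 4, good = get32(p))
        if (good - ret <= 64)
            return 1;
    return 0;
}

/* Constructed layout: a few call sites, a ret gadget and the whitelist table. */
void build_image(void)
{
    static const uint8_t call_rel32[] = { 0xe8, 0x10, 0x00, 0x00, 0x00 };       /* ret = site + 5 */
    static const uint8_t call_rip[]   = { 0xff, 0x15, 0x00, 0x10, 0x00, 0x00 }; /* call [rip+0x1000], ret = site + 6 */
    static const uint8_t call_rax[]   = { 0xff, 0xd0 };                         /* call rax, ret = site + 2 */
    static const uint8_t gadget[]     = { 0x5f, 0xc3 };                         /* pop rdi; ret */

    memset(image, 0xcc, IMAGE_SIZE);  /* int3 filler for text */
    memset(image, 0x00, TEXT_START);  /* header and table area */
    memcpy(image + 0x1200, call_rel32, sizeof call_rel32); /* listed: 0x1205 */
    memcpy(image + 0x12e0, call_rel32, sizeof call_rel32); /* 0x12e5: unlisted, 33 bytes below listed 0x1306 */
    memcpy(image + 0x1300, call_rip,   sizeof call_rip);   /* listed: 0x1306 */
    memcpy(image + 0x1400, gadget,     sizeof gadget);     /* gadget at 0x1400, no call before it */
    memcpy(image + 0x1500, call_rel32, sizeof call_rel32); /* call-preceded but unlisted: 0x1505 */
    memcpy(image + 0x4100, call_rax,   sizeof call_rax);   /* chunk 1, listed: 0x4102 */
    memcpy(image + 0x8200, call_rel32, sizeof call_rel32); /* chunk 2 has no array: 0x8205 */

    uint8_t *rettab = image + RETTAB_OFF;
    put32(rettab + 0 * 4, CHUNK0_ARRAY);
    put32(rettab + 1 * 4, CHUNK1_ARRAY);
    put32(rettab + 2 * 4, 0);
    put32(rettab + CHUNK0_ARRAY + 0, 0x1205);
    put32(rettab + CHUNK0_ARRAY + 4, 0x1306);
    put32(rettab + CHUNK0_ARRAY + 8, 0);
    put32(rettab + CHUNK1_ARRAY + 0, 0x4102);
    put32(rettab + CHUNK1_ARRAY + 4, 0);
}

int main(void)
{
    static const struct { uint64_t ret; const char *what; } cases[] = {
        { 0x1205,  "call rel32, listed" },
        { 0x1306,  "call [rip+disp32], listed" },
        { 0x4102,  "call rax, listed (chunk 1)" },
        { 0x12e5,  "call rel32, unlisted but 33 bytes below a listed entry" },
        { 0x1400,  "pop rdi; ret gadget, nothing call-like before it" },
        { 0x1505,  "call rel32, not listed" },
        { 0x8205,  "call rel32, chunk without an array" },
        { 0x0500,  "below text" },
        { 0x20000, "outside the image" },
    };
    build_image();
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%#07llx %-58s -> %s\n", (unsigned long long)cases[i].ret, cases[i].what,
               check_retaddr_rebased(image, cases[i].ret) ? "accepted" : "rejected");
    return 0;
}
```

Build with `cc -std=c99 -Wall retcheck.c && ./a.out`. The 0x12e5 case is the one worth keeping in mind: because the original compares `(*pgoodaddr - ret_offset) <= 64` with unsigned arithmetic, the whitelist is really a set of 64-byte windows ending at each listed address, so any call-preceded byte sequence inside such a window passes all three stages.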
  2. #2 scimmy (Active Member)
    Originally Posted by 59589305
    Hi everyone, how to use this check_retaddr func to call framescript_execute?


    [quoted check_retaddr code identical to post #1 snipped]
    1. Can't use pseudocode that checks return addresses to bypass return address checks like what
    2. Don't use FrameScript_Execute

  3. #3 59589305 (Member)
    2. Don't use FrameScript_Execute

    Is there a better choice?

  4. #4 scizzydo (Active Member)
    Originally Posted by 59589305
    2. Don't use FrameScript_Execute

    Is there a better choice?
    I think there's like 16 functions that have the return checks, and like it was said "Don't use XXXX" it really is an easy call. What I ended up doing was just remaking the functions with my own code on all the ret checked calls that lead up to luaL_loadbuffer and lua_pcall. With those 2 you can FrameScript_Execute (and also get the return from it)

    We know that WoW uses a modified Lua 5.1.4, so get the Lua 5.1.4 source code, compile a test app on 64 bit, dump it in IDA, BinDiff or just pattern scan some of the basic functions and bam, you can easily find out the differences to WoW's Lua state. Or you don't even need to compile it, and search for some of the strings that are in the Lua source, and find the ones in WoW.

  5. #5 59589305 (Member)
    Thanks buddy. Maybe it's hard for me to do all of this.
