-
writing to process memory (internal)
So I guess I found the correct address for luastate and the taint check.
I want to patch both, but somehow it always throws an exception on my VirtualProtect call.
Does Warden block this? How do you write into protected processes? I even tried syscalls on ZwProtectVirtualMemory, but also without any success.
These are the patterns I made for the luastate and the taint check (maybe these are wrong?). I validated both before using them, so I don't think so. I am fairly new to WoW stuff but experienced on other games with EAC or BE.
Taint_Check:
\x0F\xB6\x01\xC3
mask: xxxx
Lua_State:
\x48\x8B\x05\x00\x00\x00\x00\xC3
mask: xxx????x
I would appreciate every little hint that could direct me in the right direction.
-
You have to change the address's permissions.
-
-
This is what I try with VirtualProtect/VirtualQuery, but it throws an exception. Well, I try to change the permission of the page (from the page entry to the function end).
-
Try something like this:
Code:
#include <windows.h>
#include <iostream>

// Changes the protection of [address, address+size) and reports the old protection.
// On failure, GetLastError() tells you why (e.g. ERROR_INVALID_ADDRESS for an
// uncommitted region, ERROR_INVALID_PARAMETER for a protection the region cannot take).
bool change_address_protection(void* address, size_t size, DWORD new_protect, DWORD& old_protect) {
    if (!VirtualProtect(address, size, new_protect, &old_protect)) {
        DWORD errorCode = GetLastError();
        std::cerr << "VirtualProtect failed. Error code: " << errorCode << "\n";
        return false;
    }
    return true;
}
I'd suggest getting the type of protection the address you're trying to use currently has:
Code:
#include <windows.h>
#include <iostream>
#include <string>

// PAGE_GUARD, PAGE_NOCACHE and PAGE_WRITECOMBINE are modifier bits OR'ed onto a base
// protection, so decode the base first and append the modifiers; otherwise a guarded
// executable page (PAGE_EXECUTE_READ | PAGE_GUARD) would just read as "Unknown".
std::string get_protection_string(DWORD protect) {
    std::string s;
    switch (protect & 0xFF) {
    case PAGE_EXECUTE:           s = "Execute only"; break;
    case PAGE_EXECUTE_READ:      s = "Execute + Read"; break;
    case PAGE_EXECUTE_READWRITE: s = "Execute + Read + Write"; break;
    case PAGE_EXECUTE_WRITECOPY: s = "Execute + Write Copy"; break;
    case PAGE_NOACCESS:          s = "No access"; break;
    case PAGE_READONLY:          s = "Read only"; break;
    case PAGE_READWRITE:         s = "Read + Write"; break;
    case PAGE_WRITECOPY:         s = "Write Copy"; break;
    default:                     s = "Unknown"; break;
    }
    if (protect & PAGE_GUARD)        s += " + Guard page";
    if (protect & PAGE_NOCACHE)      s += " + No cache";
    if (protect & PAGE_WRITECOMBINE) s += " + Write combine";
    return s;
}

// Returns the current protection of the page containing address (0 on failure).
// mbi.Protect is only meaningful for committed pages; reserved/free regions report 0.
DWORD get_address_protection(void* address) {
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery(address, &mbi, sizeof(mbi)) == 0) {
        std::cerr << "VirtualQuery failed. Error code: " << GetLastError() << "\n";
        return 0;
    }
    if (mbi.State != MEM_COMMIT) {
        std::cerr << "Region is not committed (State = 0x" << std::hex << mbi.State << ")\n";
        return 0;
    }
    std::string protStr = get_protection_string(mbi.Protect);
    std::cout << "Protection: 0x" << std::hex << mbi.Protect << " (" << protStr << ")\n";
    return mbi.Protect;
}
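An added, self-contained example (not code from this thread) of the full sequence the post above is getting at: make the target range writable, write the patch, restore the previous protection, and on Windows flush the instruction cache. The Windows path uses VirtualProtect/FlushInstructionCache; the POSIX path uses mprotect so the demo also runs outside Windows. The demo page, the 0x10 offset and the "ret; nop; nop; nop" patch bytes are constructed for the example; nothing here is the client's real layout.

```cpp
#include <cerrno>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif

// Outcome of a patch attempt; on failure `error` carries GetLastError()/errno for diagnosis.
struct PatchResult { bool ok; unsigned long error; };

// Copies `size` bytes from `bytes` to `address`, which may live on a non-writable page.
// Writing directly to such a page faults (the ACCESS VIOLATION seen in the thread), so the
// protection is widened first and restored afterwards.
PatchResult patch_bytes(void* address, const void* bytes, size_t size) {
#ifdef _WIN32
    DWORD old_protect = 0;
    if (!VirtualProtect(address, size, PAGE_EXECUTE_READWRITE, &old_protect))
        return {false, GetLastError()};
    std::memcpy(address, bytes, size);
    DWORD ignored = 0;
    VirtualProtect(address, size, old_protect, &ignored);       // restore what was there
    FlushInstructionCache(GetCurrentProcess(), address, size);  // patched code, not just data
    return {true, 0};
#else
    // mprotect wants a page-aligned start and a length covering every page touched.
    const size_t page = static_cast<size_t>(sysconf(_SC_PAGESIZE));
    const uintptr_t start = reinterpret_cast<uintptr_t>(address) & ~(page - 1);
    const size_t len = reinterpret_cast<uintptr_t>(address) + size - start;
    if (mprotect(reinterpret_cast<void*>(start), len, PROT_READ | PROT_WRITE) != 0)
        return {false, static_cast<unsigned long>(errno)};
    std::memcpy(address, bytes, size);
    // POSIX has no "query old protection" call, so the demo restores the read-only
    // protection it knows the page had (assumption of this example).
    if (mprotect(reinterpret_cast<void*>(start), len, PROT_READ) != 0)
        return {false, static_cast<unsigned long>(errno)};
    return {true, 0};
#endif
}

// Demo: allocate a page that starts out non-writable (like a .text page in the target),
// patch a pretend function entry inside it with "ret; nop; nop; nop", and verify the bytes.
bool demo_patch_readonly_page() {
    const uint8_t patch[] = {0xC3, 0x90, 0x90, 0x90};
    const size_t kPage = 4096;
#ifdef _WIN32
    void* page = VirtualAlloc(nullptr, kPage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READ);
#else
    void* page = mmap(nullptr, kPage, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) page = nullptr;
#endif
    if (!page) return false;
    uint8_t* target = static_cast<uint8_t*>(page) + 0x10;   // constructed "function entry"
    PatchResult r = patch_bytes(target, patch, sizeof patch);
    if (!r.ok) std::fprintf(stderr, "patch failed, error %lu\n", r.error);
    const bool ok = r.ok && std::memcmp(target, patch, sizeof patch) == 0;
#ifdef _WIN32
    VirtualFree(page, 0, MEM_RELEASE);
#else
    munmap(page, kPage);
#endif
    return ok;
}

int main() {
    std::printf("patch of read-only page: %s\n", demo_patch_readonly_page() ? "ok" : "failed");
    return 0;
}
```

The order matters: widen, write, restore, flush. Restoring the old protection rather than leaving the page RWX keeps the region looking like it did before, and the returned error code is what to print when VirtualProtect refuses the call instead of guessing at Warden.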
-
Ah, thank you mate!
I added you on Discord, I hope it is okay if I ask you some other questions too.
Not asking for spoonfeeding, just for some tips or hints obviously!
-
So I am still trying to patch the taint flag in the luaState.
The problem is still: ACCESS VIOLATION and then a crash of WoW.
Here is what I have currently, tbh I feel stuck:
Getting LuaState ptr:
Code:
// PatternScanner::FindPattern and SafePrint are the poster's own helpers (not shown).
const char* pattern = "\x48\x8B\x05\x00\x00\x00\x00\xC3";   // mov rax, [rip+disp32]; ret
const char* mask = "xxx????x";
uintptr_t getter_func_addr = PatternScanner::FindPattern(pattern, mask);
if (!getter_func_addr) {
    SafePrint("[-] LuaUnlocker: Could not find the lua_State.");
    return false;
}
char buffer[256];
sprintf_s(buffer, "[+] LuaUnlocker: Found lua_State at 0x%llX", getter_func_addr);
SafePrint(buffer);
// Treat the matched bytes as a getter and call it to obtain the state pointer.
typedef LuaState* (*GetLuaStateFn)();
GetLuaStateFn get_lua_state = (GetLuaStateFn)getter_func_addr;
g_luaState = get_lua_state();
Patching taint_flag in LuaState:
Code:
uintptr_t taint_structure_address = (uintptr_t)g_luaState;
// If this write faults, the check below is never reached.
*(uint64_t*)taint_structure_address = 0;
if (*(uint64_t*)taint_structure_address == 0) {
    SafePrint("[+] Taint structure successfully zeroed out!");
}
else {
    SafePrint("[-] FAILED to zero out taint structure!");
}
LuaState Struct:
Code:
struct LuaState {
    char pad[0x28];
    uintptr_t top;
    uintptr_t base;
    uintptr_t l_G;
    char pad2[0x10];
    uintptr_t stack;
};
Also the ForceTaint_Strong alert is still appearing, which shows me that my patch does not have any effect. I am wondering what the problem could be in this case.
So it could be a wrong pattern, or a wrong placement of the force_flag (so I try to change a completely wrong value in the LuaState struct).
As far as I know the taint_flag is at 0x0 of the LuaState struct, or is that wrong?
Any hint is helpful, I appreciate your time!
-
I find 83 matches of that very short pattern... Looks like you'll need to enhance the pattern to be more specific.
-
Originally Posted by pickleback:
I find 83 matches of that very short pattern... Looks like you'll need to enhance the pattern to be more specific.
Oh really?? That's weird, I use Fusion in IDA to search and create patterns, and it gives me just one,
exactly at the eax of this (there I created the pattern with Fusion):
Code:
.text:000000014039D330 ; __int64 __fastcall sub_14039D330(unsigned __int8 *)
.text:000000014039D330 sub_14039D330 proc near ; CODE XREF: sub_1401D78C0+131↑p
.text:000000014039D330 ; sub_1401E8060+124↑p ...
.text:000000014039D330 movzx eax, byte ptr [rcx]
.text:000000014039D333 retn
.text:000000014039D333 sub_14039D330 endp
But also my other method (from my latest post) is not working due to the page protection, and somehow if I try to change it, WoW instantly crashes.
-
If you search the process memory, that's where you'll find lots of results.
-
-
Originally Posted by Van152:
So I am still trying to patch the taint flag in the luaState [...]
May I ask why you think the taint is at offset 0 from the lua_state?
I'm not saying that's wrong, but I never heard of that, nor does the game ever reference that when setting/getting taint, at least I have never seen that.
Aside from that, as said before, your pattern is too short, and by consequence too general. I find 96 occurrences of your lua state pattern.
If you look at what that asm does, it moves a RIP-relative address into rax and returns, so it's basically loading some global, which is correct for the lua state, but also used for plenty of other globals WoW uses.
You either need to improve the pattern (impossible, since all the function does is load the state and return) or find where they use the function that loads the state, make a pattern for the surroundings and find it like that.
If you want to make sure you got the state correctly, just hook any lua function and look at rcx, since all lua functions get the state as their first param. But I would only use that to confirm you found the state correctly, since hooking lua functions is probably a big no if you don't want to get banned.
-
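An added example (not code from this thread) of the two points made in the replies above: a mask-based scanner that returns every hit, so you can see how many places an 8-byte "mov rax,[rip+disp32]; ret" stub matches, and the call-site approach, where a pattern on the distinctive caller is resolved through the E8 rel32 to the getter, and the getter's disp32 to the global slot. The "image" is a constructed byte buffer with a made-up base of 0x140000000 and made-up offsets; the caller bytes (sub rsp,28h / call / mov rcx,[rax+8] / add rsp,28h / ret) are an assumption for the demo, not the client's real code.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Pretend image base for the constructed .text below (an assumption for the example).
static const uintptr_t kImageBase = 0x140000000ULL;

// Every offset where `pattern` matches `buf` under `mask` ('x' = must match, '?' = wildcard).
std::vector<size_t> find_all(const std::vector<uint8_t>& buf, const uint8_t* pattern, const char* mask) {
    std::vector<size_t> hits;
    const size_t plen = std::strlen(mask);
    for (size_t i = 0; plen <= buf.size() && i + plen <= buf.size(); ++i) {
        size_t j = 0;
        while (j < plen && (mask[j] == '?' || buf[i + j] == pattern[j])) ++j;
        if (j == plen) hits.push_back(i);
    }
    return hits;
}

static int32_t read_i32(const std::vector<uint8_t>& buf, size_t off) {
    int32_t v; std::memcpy(&v, &buf[off], sizeof v); return v;
}
static void write_i32(std::vector<uint8_t>& buf, size_t off, int32_t v) {
    std::memcpy(&buf[off], &v, sizeof v);
}

// x64 RIP-relative operands are relative to the END of the instruction:
// target = address_of_instruction + instruction_length + disp32.
uintptr_t resolve_rip_relative(const std::vector<uint8_t>& buf, size_t instr_off, size_t disp_off, size_t instr_len) {
    return kImageBase + instr_off + instr_len + static_cast<intptr_t>(read_i32(buf, disp_off));
}

// Constructed .text: four "mov rax,[rip+disp32]; ret" global getters and one caller at 0x100
// with distinctive surrounding bytes that calls the getter at 0x80, whose global slot is at 0x1F0.
std::vector<uint8_t> build_image() {
    std::vector<uint8_t> img(0x200, 0x00);
    const size_t getters[] = {0x10, 0x40, 0x80, 0xC0};
    const size_t globals[] = {0x1E0, 0x1E8, 0x1F0, 0x1F8};
    for (int i = 0; i < 4; ++i) {
        const size_t g = getters[i];
        img[g] = 0x48; img[g + 1] = 0x8B; img[g + 2] = 0x05;                 // mov rax, [rip+disp32]
        write_i32(img, g + 3, static_cast<int32_t>(static_cast<intptr_t>(globals[i]) - static_cast<intptr_t>(g + 7)));
        img[g + 7] = 0xC3;                                                    // ret
    }
    const uint8_t prologue[] = {0x48, 0x83, 0xEC, 0x28};                      // sub rsp, 28h
    const uint8_t epilogue[] = {0x48, 0x8B, 0x48, 0x08,                       // mov rcx, [rax+8]
                                0x48, 0x83, 0xC4, 0x28, 0xC3};                // add rsp, 28h ; ret
    std::memcpy(&img[0x100], prologue, sizeof prologue);
    img[0x104] = 0xE8;                                                        // call rel32
    write_i32(img, 0x105, static_cast<int32_t>(static_cast<intptr_t>(0x80) - static_cast<intptr_t>(0x104 + 5)));
    std::memcpy(&img[0x109], epilogue, sizeof epilogue);
    return img;
}

// The thread's getter pattern: it matches every "load a global and return" stub in the image.
size_t count_getter_matches(const std::vector<uint8_t>& img) {
    const uint8_t pat[] = {0x48, 0x8B, 0x05, 0, 0, 0, 0, 0xC3};
    return find_all(img, pat, "xxx????x").size();
}

// Pattern the call site instead, follow E8 rel32 to the getter, then its disp32 to the global slot.
// Returns 0 when the call-site pattern is not unique or the callee is not the expected stub.
uintptr_t locate_global_via_caller(const std::vector<uint8_t>& img) {
    const uint8_t pat[] = {0x48, 0x83, 0xEC, 0x28, 0xE8, 0, 0, 0, 0, 0x48, 0x8B, 0x48, 0x08};
    std::vector<size_t> hits = find_all(img, pat, "xxxxx????xxxx");
    if (hits.size() != 1) return 0;
    const size_t call_off = hits[0] + 4;                                      // offset of the E8
    const uintptr_t getter_va = resolve_rip_relative(img, call_off, call_off + 1, 5);
    const size_t getter_off = static_cast<size_t>(getter_va - kImageBase);
    if (getter_off + 8 > img.size() || img[getter_off] != 0x48 ||
        img[getter_off + 1] != 0x8B || img[getter_off + 2] != 0x05)
        return 0;                                                             // not mov rax,[rip+disp32]
    return resolve_rip_relative(img, getter_off, getter_off + 3, 7);         // VA of the global slot
}

int main() {
    const std::vector<uint8_t> img = build_image();
    std::printf("getter pattern hits: %zu\n", count_getter_matches(img));
    std::printf("global slot via caller: 0x%llx\n",
                static_cast<unsigned long long>(locate_global_via_caller(img)));
    return 0;
}
```

The resolved value is the address of the slot that holds the pointer; reading 8 bytes from it gives the state pointer without ever calling into the matched bytes, which also avoids jumping to a wrong match when the short pattern picks up some other global's getter.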
-
So I figured it out now. I read somewhere that the taint flag is part of the lua_state, that's why I thought that and searched for it. I got my kernel driver for memory operations done (read, write etc.) and want to use it to patch the RetCheck function (directly on physmem). The question is, is it enough to simply add a ret to the function entry and nop the rest of it (I thought of 8 bytes after the ret, so C3 90 90 .. etc.)?
I want to call loadbuffer and pcall; you said hooking them is detected, is calling them directly fine?
EDIT: after hours of working on it, I fixed the problem. I don't patch the retcheck, I just call lua_DoString. Also, after looking around in IDA I found a Swapchain::Present manipulation check; I am currently just patching it with my kernel driver, directly on the physical address, to avoid any page protections.
Now it's time to hide the presence of my dll and my threads with my kernel driver; since this is familiar to me, it's an easy task.