Getting the return value of Lua_DoString()

[Nesox]

Here's the code snippet i use to run lua functions but how would i get the return value, im only getting bogus from the ExitCode.. ?

Code:

        private uint BlackLua_DoString(Process _process, string pszString)
        {
            BlackMagic wow = new BlackMagic(_process.Id);

            uint pScript = wow.AllocateMemory(0x1024);
            wow.WriteASCIIString(pScript, pszString);

            ObjectManager.WoWObjectManager _ObjectManager =
                ObjectManager.GetWowObjectManager(_process.Handle);

            uint codeCave = wow.AllocateMemory(0x1024);

            wow.Asm.Clear();
            wow.Asm.AddLine("mov EDX, [0x0" + _ObjectManager.g_clientConnection.ToString("X") + "]");   //Start UpdateCurMgr
            wow.Asm.AddLine("mov EDX, [EDX+0x" + _ObjectManager.Offset.ToString("X") + "]");
            wow.Asm.AddLine("FS mov EAX, [0x2C]");
            wow.Asm.AddLine("mov EAX, [EAX]");
            wow.Asm.AddLine("add EAX, 8");
            wow.Asm.AddLine("mov [EAX], EDX"); // End UpdateCurMgr

            wow.Asm.AddLine("mov ecx, 0x0092E887");
            wow.Asm.AddLine("mov eax, " + pScript);
            wow.Asm.AddLine("push ecx");
            wow.Asm.AddLine("push eax");

            wow.Asm.AddLine("push eax");
            wow.Asm.AddLine("mov eax, 0x0077DEF0");
            wow.Asm.AddLine("call eax");
            wow.Asm.AddLine("add esp, 0xC");
            wow.Asm.AddLine("retn");

            wow.Asm.InjectAndExecute(_process.Handle, codeCave, 0);

            uint ret = wow.Asm.InjectAndExecute(codeCave);
            wow.FreeMemory(codeCave);

            return ret;
        }

Here's how it looks in Olly

[hypnodok]

Tasty copypasta for Shamun!
Ive thought about this too and Ive come to think that it can be done if you call some of the other lua functions in the game.
Here are the right addresses for 3.0.3 (credits WoWX):

Code:

[17:39:07]: 0x0077DEF0 -> Lua_Dostring
[17:39:07]: 0x0077CD20 -> Lua_Register
[17:39:07]: 0x00401980 -> Lua_Reload
[17:39:07]: 0x007AD380 -> lua_gettop
[17:39:07]: 0x007AD7E0 -> lua_tonumber
[17:39:07]: 0x007AD820 -> lua_tointeger
[17:39:07]: 0x007AD890 -> lua_tostring
[17:39:07]: 0x007AD9C0 -> lua_touserdata
[17:39:07]: 0x007AD860 -> lua_toboolean
[17:39:07]: 0x007ADA50 -> lua_pushnumber
[17:39:08]: 0x007ADA80 -> lua_pushinteger
[17:39:08]: 0x007ADAB0 -> lua_pushstring
[17:39:08]: 0x007ADC80 -> lua_pushboolean
[17:39:08]: 0x007ADBB0 -> lua_pushcclosure
[17:39:08]: 0x007ADA30 -> lua_pushnil
[17:39:08]: 0x007AE0B0 -> lua_setfield
[17:39:08]: 0x007AF010 -> lua_getfield
[17:39:08]: 0x007AD520 -> lua_replace

I just googled some of them, gettop seems to return the size of the lua stack. The tointeger, toboolean etc functions are probably responsible for popping values off the lua stack, so thats what I would look into. Im just guessimating here, hope this helps regardless.

Edit:
Ive taken a further look, heres tointeger in IDA:

Code:

.text:007AD820 lua_tointeger   proc near               ; CODE XREF: sub_49C810+2Dp
.text:007AD820                                         ; sub_49C8B0+1Fp ...
.text:007AD820
.text:007AD820 var_1C          = dword ptr -1Ch
.text:007AD820 var_C           = qword ptr -0Ch
.text:007AD820 var_4           = dword ptr -4
.text:007AD820 arg_0           = dword ptr  8
.text:007AD820 arg_4           = dword ptr  0Ch
.text:007AD820
.text:007AD820                 push    ebp
.text:007AD821                 mov     ebp, esp
.text:007AD823                 mov     eax, [ebp+arg_4]
.text:007AD826                 mov     ecx, [ebp+arg_0]
.text:007AD829                 sub     esp, 1Ch
.text:007AD82C                 call    sub_7AD170
.text:007AD831                 cmp     dword ptr [eax+8], 3
.text:007AD835                 jz      short loc_7AD84C ; push float to FPUstack
.text:007AD837                 lea     ecx, [ebp+var_1C]
.text:007AD83A                 push    ecx
.text:007AD83B                 push    eax
.text:007AD83C                 call    sub_7B7AC0
.text:007AD841                 add     esp, 8
.text:007AD844                 test    eax, eax
.text:007AD846                 jnz     short loc_7AD84C ; push float to FPUstack
.text:007AD848                 mov     esp, ebp
.text:007AD84A                 pop     ebp
.text:007AD84B                 retn
.text:007AD84C ; ---------------------------------------------------------------------------
.text:007AD84C
.text:007AD84C loc_7AD84C:                             ; CODE XREF: lua_tointeger+15j
.text:007AD84C                                         ; lua_tointeger+26j
.text:007AD84C                 fld     qword ptr [eax] ; push float to FPUstack
.text:007AD84E                 fstp    [ebp+var_C]     ; pop that float at epb-12
.text:007AD851                 fld     [ebp+var_C]     ; reload the value
.text:007AD854                 fistp   [ebp+var_4]     ; pop integer to epb-4
.text:007AD857                 mov     eax, [ebp+var_4] ; move said integer to eax
.text:007AD85A                 mov     esp, ebp
.text:007AD85C                 pop     ebp
.text:007AD85D                 retn                    ; end of story
.text:007AD85D lua_tointeger   endp

What Im not sure about is how to push values to the lua stack when you call lua_dostring. Would DoString("return 1;") be enough or do you actually have to declare a variable as in DoString("bla=1;")? Maybe Ill do some testing later today.

[Nesox]

Tasty copypasta for Shamun!
Ive thought about this too and Ive come to think that it can be done if you call some of the other lua functions in the game.
Here are the right addresses for 3.0.3 (credits WoWX):

Code:

[17:39:07]: 0x0077DEF0 -> Lua_Dostring
[17:39:07]: 0x0077CD20 -> Lua_Register
[17:39:07]: 0x00401980 -> Lua_Reload
[17:39:07]: 0x007AD380 -> lua_gettop
[17:39:07]: 0x007AD7E0 -> lua_tonumber
[17:39:07]: 0x007AD820 -> lua_tointeger
[17:39:07]: 0x007AD890 -> lua_tostring
[17:39:07]: 0x007AD9C0 -> lua_touserdata
[17:39:07]: 0x007AD860 -> lua_toboolean
[17:39:07]: 0x007ADA50 -> lua_pushnumber
[17:39:08]: 0x007ADA80 -> lua_pushinteger
[17:39:08]: 0x007ADAB0 -> lua_pushstring
[17:39:08]: 0x007ADC80 -> lua_pushboolean
[17:39:08]: 0x007ADBB0 -> lua_pushcclosure
[17:39:08]: 0x007ADA30 -> lua_pushnil
[17:39:08]: 0x007AE0B0 -> lua_setfield
[17:39:08]: 0x007AF010 -> lua_getfield
[17:39:08]: 0x007AD520 -> lua_replace

I just googled some of them, gettop seems to return the size of the lua stack. The tointeger, toboolean etc functions are probably responsible for popping values off the lua stack, so thats what I would look into. Im just guessimating here, hope this helps regardless.

Edit:
Ive taken a further look, heres tointeger in IDA:

Code:

.text:007AD820 lua_tointeger   proc near               ; CODE XREF: sub_49C810+2Dp
.text:007AD820                                         ; sub_49C8B0+1Fp ...
.text:007AD820
.text:007AD820 var_1C          = dword ptr -1Ch
.text:007AD820 var_C           = qword ptr -0Ch
.text:007AD820 var_4           = dword ptr -4
.text:007AD820 arg_0           = dword ptr  8
.text:007AD820 arg_4           = dword ptr  0Ch
.text:007AD820
.text:007AD820                 push    ebp
.text:007AD821                 mov     ebp, esp
.text:007AD823                 mov     eax, [ebp+arg_4]
.text:007AD826                 mov     ecx, [ebp+arg_0]
.text:007AD829                 sub     esp, 1Ch
.text:007AD82C                 call    sub_7AD170
.text:007AD831                 cmp     dword ptr [eax+8], 3
.text:007AD835                 jz      short loc_7AD84C ; push float to FPUstack
.text:007AD837                 lea     ecx, [ebp+var_1C]
.text:007AD83A                 push    ecx
.text:007AD83B                 push    eax
.text:007AD83C                 call    sub_7B7AC0
.text:007AD841                 add     esp, 8
.text:007AD844                 test    eax, eax
.text:007AD846                 jnz     short loc_7AD84C ; push float to FPUstack
.text:007AD848                 mov     esp, ebp
.text:007AD84A                 pop     ebp
.text:007AD84B                 retn
.text:007AD84C ; ---------------------------------------------------------------------------
.text:007AD84C
.text:007AD84C loc_7AD84C:                             ; CODE XREF: lua_tointeger+15j
.text:007AD84C                                         ; lua_tointeger+26j
.text:007AD84C                 fld     qword ptr [eax] ; push float to FPUstack
.text:007AD84E                 fstp    [ebp+var_C]     ; pop that float at epb-12
.text:007AD851                 fld     [ebp+var_C]     ; reload the value
.text:007AD854                 fistp   [ebp+var_4]     ; pop integer to epb-4
.text:007AD857                 mov     eax, [ebp+var_4] ; move said integer to eax
.text:007AD85A                 mov     esp, ebp
.text:007AD85C                 pop     ebp
.text:007AD85D                 retn                    ; end of story
.text:007AD85D lua_tointeger   endp

What Im not sure about is how to push values to the lua stack when you call lua_dostring. Would DoString("return 1;") be enough or do you actually have to declare a variable as in DoString("bla=1;")? Maybe Ill do some testing later today.

thx for the reply im gonna do some wild wow chrasshing now ill edit with results

[Shynd]

I don't really have anything to add, but I'd like to point out that you don't FreeMemory on pScript and you execute your code twice.

[Shamun]

Tasty copypasta for Shamun!

Damn you are a funny guy!
Hypnodok just for you to know my code for DoString was almost the same...

[Nesox]

I don't really have anything to add, but I'd like to point out that you don't FreeMemory on pScript and you execute your code twice.

i changed it. Can call any void function, no return value yet xD

Edit: btw Shamun u know how to get the return values? ^^

[Shamun]

nope sorry...
If I find a way I'll tell you

[luciferc]

nuuu where art thou return values Can't find them either

[Nesox]

hehe well i think Lua_DoString() is a void pretty stupid question in that case xD

[Shynd]

From what I remember from messing with LUA a few years ago (had nothing to do with WoW), you have to call lua_gettop(LUA_State *) to see how many return values are on the stack, and then lua_tostring(LUA_State *, index) or lua_tointeger(LUA_State *, index) to read them off of the stack. That means, however, that you need to create your own LUA_State for use with lua_dostring, and then use that to read from the return stack. Never bothered to find out how to create a lua_State object in the WoW context, though, so I can't help there.

[Shamun]

are you sure it's void?

[Cypher]

You don't create your own lua state you can just hijack WoWs.

[Shynd]

Probably be easy to find if one actually wanted to look for it. Find where lua_tointeger or something is referenced, reverse until you find where the main lua_State is held in memory.

I seriously have no idea what I'm talking about when I ask the next question: would that cause any problems with other things accessing the same state?

[Nesox]

hmm ok, btw.. GetSpellById(string name) i cant seem to get it working it tells me i got an error on line 11 where the call is.. Any suggestions?

Code:

uint pSpellName = wow.AllocateMemory(0x1024);
wow.WriteASCIIString(pSpellName, SpellName);

wow.Asm.AddLine("lea eax, " + dwUnknown);
wow.Asm.AddLine("push eax");
wow.Asm.AddLine("push " + pSpellName.ToString("X"));
wow.Asm.AddLine("mov eax, 0x004D0A60");
wow.Asm.AddLine("call eax");
wow.Asm.AddLine("add esp, 8");

return wow.ReadInt( wow.Asm.InjectAndExecute(_process.Handle, codeCave, 0) );

olly:

Code:

004F8B89  |.  8D8F 6C050000 LEA ECX,DWORD PTR DS:[EDI+56C]           
004F8B8F  |.  51            PUSH ECX                                 ; |Arg2
004F8B90  |.  50            PUSH EAX                                 ; |Arg1
004F8B91  |.  E8 CA7EFDFF   CALL Wow.004D0A60       ; \Wow. 004D0A60

[hypnodok]

This works:

Code:

            wow.Asm.Clear();
            uint codeCave = wow.AllocateMemory(0x1000);
            uint GetSpellIdByName = (uint)Offsets.eStaticPointers.GetSpellIdByName;
            //Start UpdateCurMgr
            wow.Asm.AddLine("fs mov eax, [0x2C]");
            wow.Asm.AddLine("mov eax, [eax]");
            wow.Asm.AddLine("add eax, 8");
            wow.Asm.AddLine("mov dword [eax], {0}", ObjectMgr.GetCurMgr(wow.ProcessHandle));
             //End UpdateCurMgr
            wow.Asm.AddLine("push " + 0x0019F9BC);//not sure what this is, seems to be static in olly
            wow.Asm.AddLine("push " + (codeCave + 0x500));
            wow.Asm.AddLine("call " + GetSpellIdByName);
            wow.Asm.AddLine("add esp,8");
            wow.Asm.AddLine("retn");
            wow.WriteASCIIString(codeCave + 0x500, name);
            uint result = wow.Asm.InjectAndExecute(codeCave);
            
            wow.FreeMemory(codeCave);
            Console.WriteLine("Getspellidbyname {0} result {1}", name, result);
            if (result != uint.MaxValue)
                return result;
            else
                return 0;

What about a sticky for BlackMagic function calls so the nubs (like Shamun) can just c/p right off the bat?