Thread: Lua_DoString
  1. #1
    xzidez (Member)

    Lua_DoString

    I'm trying to reach the Lua functions and I'd suppose Lua_DoString is the easiest way for this. I actually did a Shamun and copied Nesox's code but I still can't seem to get it to work. Anyone who might want to tell me what I'm doing wrong here? I can't find anything about the code.. :/

    Code:
            public uint BlackLua_DoString(string pszString)
            {
                //clientConnection = 0x011CA260;
                //curMgrOffset = 0x2864;
    
                Magic.BlackMagic wow = new Magic.BlackMagic(P.Id);
    
                uint pScript = wow.AllocateMemory(0x1024);
                wow.WriteASCIIString(pScript, "DoEmote(\"DANCE\")");
                
                uint codeCave = wow.AllocateMemory(0x1024);
    
                wow.Asm.Clear();
                wow.Asm.AddLine("mov EDX, 0x011CA260");
                wow.Asm.AddLine("mov EDX, [EDX+0x2864]");
                wow.Asm.AddLine("FS mov EAX, [0x2C]");
                wow.Asm.AddLine("mov EAX, [EAX]");
                wow.Asm.AddLine("add EAX, 8");
                wow.Asm.AddLine("mov [EAX], EDX");
    
                wow.Asm.AddLine("mov ecx, 0x0092E887");
                wow.Asm.AddLine("mov eax, " + pScript);
                wow.Asm.AddLine("push ecx");
                wow.Asm.AddLine("push eax");
    
                wow.Asm.AddLine("push eax");
                wow.Asm.AddLine("mov eax, 0x0077DEF0");
                wow.Asm.AddLine("call eax");
                wow.Asm.AddLine("add esp, 0xC");
                wow.Asm.AddLine("retn");
    
                uint ret = wow.Asm.InjectAndExecute(codeCave);
                wow.FreeMemory(codeCave);
    
                return ret;
            }
    And by the way, can anyone explain to me what you find at 0x0092E887?

  2. #2
    Cursed (Contributor)
    Originally Posted by xzidez
    I'm trying to reach the Lua functions and I'd suppose Lua_DoString is the easiest way for this. I actually did a Shamun and copied Nesox's code but I still can't seem to get it to work. Anyone who might want to tell me what I'm doing wrong here? I can't find anything about the code.. :/


    Copy&Pasta is delicious... Would you like some?!

  3. #3
    xzidez (Member)
    Originally Posted by Cursed
    Copy&Pasta is delicious... Would you like some?!
    Sigh, as I wrote, yes it's copy/paste. All creds to Nesox. However, it still doesn't keep people like you from trying to be cool with those unnecessary comments. I really hope your E-peen just grew a lot.

  4. #4
    Nesox (★ Elder ★)
    Originally Posted by xzidez
    Sigh, as I wrote, yes it's copy/paste. All creds to Nesox. However, it still doesn't keep people like you from trying to be cool with those unnecessary comments. I really hope your E-peen just grew a lot.
    I just updated an old version I found somewhere; I don't use that anymore. It's some static class pointer that you move into ecx, but that code is missing 2 of the arguments, not really important (or are they? o_O). Wasn't really hard to figure out how to push the arguments.. gl ^^

  5. #5
    xzidez (Member)
    Hmm, this is obviously on a different level than I am. Been struggling for a while now without any progress whatsoever.

    Just wanted to make sure I'm trying to hunt the right thing here.. Basically what I'm supposed to do is launch IDA and examine the functions at the static addresses I have there and make sure they are called with valid parameters (through asm)..

    Too much information for me to process today.. think I'll sleep on it and perhaps it will make some sense tomorrow :P

  6. #6
    Sillyboy72 (Member)
    Not that I think this will help you much (heck, the last pasta didn't taste good), but here is my code for similar testing. Since my assembly is "hard coded" in C++, not generated from strings, it's a bit different, but maybe it helps you figure stuff out.
    Code:
    #include <windows.h>
    #include <string.h>

    // Assumed to be set up elsewhere in the poster's code: an opened handle to the
    // game process and the object manager pointer read from it.
    extern HANDLE hProcess;
    extern DWORD Mgr;
    // Sentinel search-and-replace helper, posted further down in this thread (#11).
    void PatchMem(BYTE *pMem, UINT cMem, void *pPattern, UINT cPattern, void *pPatch);

    // Stub that runs inside the target; the 0xDEADBEEx constants are sentinels
    // that PatchMem replaces with real addresses before the stub is written out.
    void __declspec(naked) RunScriptAsm()
    {
        __asm {
            mov eax, dword ptr FS:[0x2c]
            mov eax, [eax]
            add eax, 8
            mov dword ptr [eax], 0xDEADBEE0   // patch with Mgr

            push 0xDEADBEE3   // address of ""
            push 0xDEADBEE2   // address of "DoEmote(\"dance\")"
            push 0xDEADBEE1   // address of "DoEmote(\"dance\")"

            mov eax, 0x0077DEF0   // lua_RunScript
            call eax
            add esp, 12   // clean my args off the stack
            retn
        }
    }

    void Monkey()
    {
        BYTE DanceString[] = "DoEmote(\"dance\")";
        // Round the string up to a 4-byte multiple so the code that follows it is aligned
        int DanceStringLength = (sizeof(DanceString) + 3) & ~3;
        BYTE AsmBuffer[0x100];
        int AsmBufferLength = sizeof(AsmBuffer);
        int TotalBufferLength = AsmBufferLength + DanceStringLength;

        // Alloc some mem in their space
        void *pvBase = VirtualAllocEx(hProcess, 0, TotalBufferLength, MEM_COMMIT, PAGE_READWRITE);

        // Make the page executable
        DWORD old;
        VirtualProtectEx(hProcess, pvBase, TotalBufferLength, PAGE_EXECUTE_READWRITE, &old);

        // Write out DoEmote("dance") in their space. 17 bytes including the null.
        WriteProcessMemory(hProcess, pvBase, DanceString, sizeof(DanceString), NULL);
        BYTE *pvAsm = (BYTE*)pvBase + DanceStringLength;

        // Copy assembly into a local buffer (more bytes than the stub needs; the
        // extra bytes after retn are never executed)
        memcpy(AsmBuffer, RunScriptAsm, sizeof(AsmBuffer));

        // Patch up the local buffer with our params
        DWORD db = 0xDEADBEE0;
        PatchMem(AsmBuffer, sizeof(AsmBuffer), &db, sizeof(db), &Mgr);
        db = 0xDEADBEE1;
        PatchMem(AsmBuffer, sizeof(AsmBuffer), &db, sizeof(db), &pvBase);
        db = 0xDEADBEE2;
        PatchMem(AsmBuffer, sizeof(AsmBuffer), &db, sizeof(db), &pvBase);
        db = 0xDEADBEE3;
        DWORD tmp = (DWORD)pvBase + sizeof(DanceString) - 1;   // point to the null term
        PatchMem(AsmBuffer, sizeof(AsmBuffer), &db, sizeof(db), &tmp);

        // Jam the local buffer into their space
        WriteProcessMemory(hProcess, pvAsm, AsmBuffer, sizeof(AsmBuffer), NULL);

        DWORD ThreadId;
        HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pvAsm, NULL, NULL, &ThreadId);
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);
        // MEM_RELEASE requires a size of 0; passing the length makes the call fail
        VirtualFreeEx(hProcess, pvBase, 0, MEM_RELEASE);
    }
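
Added example (not code from this thread or its posters): the defender's view of the sequence Monkey() above performs. It walks constructed API-trace lines in a hypothetical "<pid> <api>(k=v, ...) [-> ret]" format and flags a process that allocates memory in another process, makes it executable (at allocation time or through VirtualProtectEx), writes into it and then starts a remote thread inside that region; the trace format, PIDs and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed API-trace sample (hypothetical format). PID 1000 runs the alloc/protect/
# write/remote-thread sequence from the thread against PID 2222; PID 3000 only writes.
TRACE = """\
1000 VirtualAllocEx(target=2222, size=0x112, prot=PAGE_READWRITE) -> 0x03A00000
1000 VirtualProtectEx(target=2222, addr=0x03A00000, size=0x112, prot=PAGE_EXECUTE_READWRITE)
1000 WriteProcessMemory(target=2222, addr=0x03A00014, size=0x100)
1000 CreateRemoteThread(target=2222, start=0x03A00014)
3000 VirtualAllocEx(target=4444, size=0x1000, prot=PAGE_READWRITE) -> 0x05000000
3000 WriteProcessMemory(target=4444, addr=0x05000000, size=0x40)
"""
LINE = re.compile(r"^(\d+) (\w+)\((.*)\)(?: -> (0x[0-9A-Fa-f]+))?$")

def parse(line):
    """Split one trace line into (pid, api, argument dict, return value) or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    pid, api, args, ret = m.groups()
    return int(pid), api, dict(a.split("=", 1) for a in args.split(", ") if "=" in a), ret

def _region(regions, addr):
    # Tracked remote allocation that contains addr, or None.
    return next((r for r in regions if r["base"] <= addr < r["base"] + r["size"]), None)

def find_injections(trace):
    """[(source_pid, target_pid, thread_start)] for each remote thread started inside a
    cross-process allocation that the same source process made executable and wrote into."""
    regions, hits = defaultdict(list), []  # (source_pid, target_pid) -> allocations
    for raw in trace.splitlines():
        ev = parse(raw)
        if ev is None or "target" not in ev[2]:
            continue
        pid, api, a, ret = ev
        key = (pid, int(a["target"]))
        if api == "VirtualAllocEx" and ret:
            regions[key].append({"base": int(ret, 16), "size": int(a["size"], 16),
                                 "rwx": "EXECUTE" in a.get("prot", ""), "written": False})
        elif api in ("VirtualProtectEx", "WriteProcessMemory"):
            r = _region(regions[key], int(a["addr"], 16))
            if r:  # flip the region's flags; a later CreateRemoteThread checks both
                r["rwx"] |= "EXECUTE" in a.get("prot", "")
                r["written"] |= api == "WriteProcessMemory"
        elif api == "CreateRemoteThread":
            r = _region(regions[key], int(a["start"], 16))
            if r and r["rwx"] and r["written"]:
                hits.append((key[0], key[1], int(a["start"], 16)))
    return hits
```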

  7. #7
    xzidez (Member)
    Dang. Now it works! Thanks a lot for the help.
    Code:
            public void BlackLua_DoString(string pszString)
            {
                Magic.BlackMagic wow = new Magic.BlackMagic(P.Id);

                // Adresses.* are the poster's static offsets; the current object manager
                // pointer is read through the client connection struct at runtime
                uint clientConnection = wow.ReadUInt((uint)Adresses.clientConnection);
                uint curMgr = wow.ReadUInt(clientConnection + (uint)Adresses.curMgrOffset);

                // Write the script into the target; ecx below points at its terminating
                // null, so the string written and the length used must be the same one
                uint pScript = wow.AllocateMemory(0x1024);
                wow.WriteASCIIString(pScript, pszString);

                uint codeCave = wow.AllocateMemory(0x1024);

                wow.Asm.Clear();
                // Store the object manager pointer in the TLS slot the client reads it from
                wow.Asm.AddLine("FS mov EAX, [0x2C]");
                wow.Asm.AddLine("mov eax, [eax]");
                wow.Asm.AddLine("add eax, 8");
                wow.Asm.AddLine("mov edx, {0}", curMgr);
                wow.Asm.AddLine("mov [eax], edx");

                // Three arguments pushed right to left: the last is "" (the script's
                // null terminator), the first two are the script itself
                wow.Asm.AddLine("mov ecx, {0}", pScript + (uint)pszString.Length);
                wow.Asm.AddLine("mov eax, {0}", pScript);

                wow.Asm.AddLine("push ecx");
                wow.Asm.AddLine("push eax");
                wow.Asm.AddLine("push eax");

                wow.Asm.AddLine("mov eax, 0x0077DEF0");
                wow.Asm.AddLine("call eax");
                wow.Asm.AddLine("add esp, 0xC");  // caller cleans the three pushes off the stack
                wow.Asm.AddLine("retn");

                wow.Asm.InjectAndExecute(codeCave);
                wow.FreeMemory(codeCave);
                wow.FreeMemory(pScript);
            }
    For anyone who is interested in the code: if you see something fishy about it please tell me so I can clean it up and perhaps learn something from it.
    Last edited by xzidez; 01-17-2009 at 04:39 AM.

  8. #8
    Cursed (Contributor)
    Sorry if I didn't make clear what I meant.
    I'm not against Copy&Pasta, as long as you understand what every (!) part does...
    But congratulations on getting it to work.

  9. #9
    xzidez (Member)
    Originally Posted by Cursed
    Sorry if I didn't make clear what I meant.
    I'm not against Copy&Pasta, as long as you understand what every (!) part does...
    But congratulations on getting it to work.

    You have to start somewhere, don't you? :)
    But I have to agree with you...

  10. #10
    Zombie911 (Member)
    Originally Posted by Sillyboy72
    Not that I think this will help you much (heck, the last pasta didn't taste good), but here is my code for similar testing. Since my assembly is "hard coded" in C++, not generated from strings, it's a bit different, but maybe it helps you figure stuff out.
    Can you post the source of the PatchMem() function?

  11. #11
    Sillyboy72 (Member)
    Originally Posted by Zombie911
    Can you post the source of the PatchMem() function?
    I submit that if you need that, you are in trouble. But sure, why not. Just don't laugh at its lack of efficiency.

    It's just a straight, brute-force search and replace.

    Code:
    #include <windows.h>
    #include <string.h>

    // Replace the first occurrence of the cPattern-byte sentinel pPattern inside the
    // cMem-byte buffer pMem with cPattern bytes taken from pPatch.
    void PatchMem(BYTE *pMem, UINT cMem, void *pPattern, UINT cPattern, void *pPatch)
    {
        // Guard first: with cPattern > cMem the unsigned cMem - cPattern wraps around
        // and the loop would read past the end of the buffer
        if (cPattern == 0 || cPattern > cMem)
            return;
        for (UINT i = 0; i <= cMem - cPattern; i++)
        {
            if (memcmp(pMem + i, pPattern, cPattern) == 0)
            {
                memcpy(pMem + i, pPatch, cPattern);
                return;
            }
        }
    }
    Though, on the "holy crap cyber was right" front... just inject a freakin' DLL. So much easier.

  12. #12
    Zombie911 (Member)
    Thank you!
    Yes, there is a problem. I will not laugh; my implementation is much worse. I just need the right code, I do not want to reinvent the wheel (and step on a rake at the same time)!

    If you are interested, I can share code, too!
