How to? Lua_tostring

  1. #1 Fraak (Member)

    How to? Lua_tostring

    Hello, I am trying to get Lua_toString to work; however, I think I am doing something wrong.

    Here is what the method looks like when I call it (out of process, with the help of shynd's awesome BlackMagic lib).

    Code:
    uint codeCave = _magic.AllocateMemory(0x2048);
    _magic.Asm.Clear();
    // lua_tostring is __cdecl: arguments are pushed right to left
    _magic.Asm.AddLine("push {0}", length);
    _magic.Asm.AddLine("push {0}", argument);
    _magic.Asm.AddLine("push {0}", State);
    _magic.Asm.AddLine("call {0}", Utils.GetOffset("luaToString"));
    // three dword arguments were pushed, so the caller removes 12 bytes
    _magic.Asm.AddLine("add esp, 0xC");
    _magic.Asm.AddLine("retn");
    
    uint result = _magic.Asm.InjectAndExecute(codeCave);
    System.Console.WriteLine("ToString: {0:X}", result);
    _magic.FreeMemory(codeCave);
    I came up with this snippet using the definition of the method I found in the WoWX framework.

    Code:
    typedef const char * ( __cdecl * tlua_tostring )( void * L, int idx, size_t * len );
    Now when I run the ASM snippet, WoW just crashes. I took a look in Olly to find out what the method looks like; lua_tostring looks like this.

    Code:
    CPU Disasm
    Address   Hex dump          Command                                  Comments
    007ADBF0  /$  55            PUSH EBP
    007ADBF1  |.  8BEC          MOV EBP,ESP
    007ADBF3  |.  56            PUSH ESI
    007ADBF4  |.  8B75 08       MOV ESI,DWORD PTR SS:[ARG.1]
    007ADBF7  |.  57            PUSH EDI
    007ADBF8  |.  8B7D 0C       MOV EDI,DWORD PTR SS:[ARG.2]
    007ADBFB  |.  8BC7          MOV EAX,EDI
    007ADBFD  |.  8BCE          MOV ECX,ESI
    007ADBFF  |.  E8 CCF8FFFF   CALL 007AD4D0                            ; [Wow.007AD4D0
    007ADC04  |.  8378 08 04    CMP DWORD PTR DS:[EAX+8],4
    007ADC08  |.  74 3E         JE SHORT 007ADC48
    007ADC0A  |.  50            PUSH EAX                                 ; /Arg2
    007ADC0B  |.  56            PUSH ESI                                 ; |Arg1 => [ARG.1]
    007ADC0C  |.  E8 5FA20000   CALL 007B7E70                            ; \Wow.007B7E70
    007ADC11  |.  83C4 08       ADD ESP,8
    007ADC14  |.  85C0          TEST EAX,EAX
    007ADC16  |.  75 13         JNE SHORT 007ADC2B
    007ADC18  |.  8B45 10       MOV EAX,DWORD PTR SS:[ARG.3]
    007ADC1B  |.  85C0          TEST EAX,EAX
    007ADC1D  |.  74 06         JE SHORT 007ADC25
    007ADC1F  |.  C700 00000000 MOV DWORD PTR DS:[EAX],0
    007ADC25  |>  5F            POP EDI
    007ADC26  |.  33C0          XOR EAX,EAX
    007ADC28  |.  5E            POP ESI
    007ADC29  |.  5D            POP EBP
    007ADC2A  |.  C3            RETN
    007ADC2B  |>  8B46 14       MOV EAX,DWORD PTR DS:[ESI+14]
    007ADC2E  |.  8B48 44       MOV ECX,DWORD PTR DS:[EAX+44]
    007ADC31  |.  3B48 40       CMP ECX,DWORD PTR DS:[EAX+40]
    007ADC34  |.  72 09         JB SHORT 007ADC3F
    007ADC36  |.  56            PUSH ESI                                 ; /Arg1
    007ADC37  |.  E8 C49E0000   CALL 007B7B00                            ; \Wow.007B7B00
    007ADC3C  |.  83C4 04       ADD ESP,4
    007ADC3F  |>  8BC7          MOV EAX,EDI
    007ADC41  |.  8BCE          MOV ECX,ESI
    007ADC43  |.  E8 88F8FFFF   CALL 007AD4D0                            ; [Wow.007AD4D0
    007ADC48  |>  8B4D 10       MOV ECX,DWORD PTR SS:[ARG.3]
    007ADC4B  |.  85C9          TEST ECX,ECX
    007ADC4D  |.  74 07         JE SHORT 007ADC56
    007ADC4F  |.  8B10          MOV EDX,DWORD PTR DS:[EAX]
    007ADC51  |.  8B52 10       MOV EDX,DWORD PTR DS:[EDX+10]
    007ADC54  |.  8911          MOV DWORD PTR DS:[ECX],EDX
    007ADC56  |>  8B00          MOV EAX,DWORD PTR DS:[EAX]
    007ADC58  |.  5F            POP EDI
    007ADC59  |.  83C0 14       ADD EAX,14
    007ADC5C  |.  5E            POP ESI
    007ADC5D  |.  5D            POP EBP
    007ADC5E  \.  C3            RETN
    Now this leads me to think that it doesn't have any arguments at all. I checked that by altering my snippet to a call to 007ADBF0 without any arguments: no WoW crash.

    Now either the address 007ADBF0 is not that of tostring, or I am trying to use it in an incorrect way. Last but not least, maybe I am just too silly to see whatever else I might be doing wrong.

    Any help would be appreciated.
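    As an added example that is not code from the thread, here is a small Python script that reads the OllyDbg listing above and works out, from the [ARG.n] references and the form of the RETN instructions, how many dword arguments the function takes and how many bytes the caller must add to ESP after the call; the second, stdcall listing is constructed for contrast.

```python
import re

# Lines taken from the OllyDbg listing in the post above (the [ARG.n] loads and
# both RETN exits are what the analysis needs).
CDECL_LISTING = r"""Address   Hex dump          Command                                  Comments
007ADBF0  /$  55            PUSH EBP
007ADBF1  |.  8BEC          MOV EBP,ESP
007ADBF4  |.  8B75 08       MOV ESI,DWORD PTR SS:[ARG.1]
007ADBF8  |.  8B7D 0C       MOV EDI,DWORD PTR SS:[ARG.2]
007ADC0B  |.  56            PUSH ESI                                 ; |Arg1 => [ARG.1]
007ADC11  |.  83C4 08       ADD ESP,8
007ADC18  |.  8B45 10       MOV EAX,DWORD PTR SS:[ARG.3]
007ADC2A  |.  C3            RETN
007ADC48  |>  8B4D 10       MOV ECX,DWORD PTR SS:[ARG.3]
007ADC5E  \.  C3            RETN
"""
# Constructed counter-example (not from the page): a callee that pops its own
# three dword arguments on return, as a stdcall function does.
STDCALL_LISTING = r"""00401000  /$  8B4424 0C     MOV EAX,DWORD PTR SS:[ARG.3]
00401004  \.  C2 0C00       RETN 0C
"""
# Address, two-character flow marker, hex dump (a run of even-length hex tokens,
# which keeps odd-length mnemonics such as ADD out of it), then the command.
LINE_RE = re.compile(r"^([0-9A-F]{8})\s+\S\S\s+(?:(?:[0-9A-F]{2})+\s)+\s*(.*?)\s*$")
ARG_RE = re.compile(r"\[ARG\.(\d+)\]")

def parse_listing(text):
    """Return (address, command) pairs; text after ';' is an Olly comment."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2).split(";", 1)[0].strip()))
    return rows

def analyse(text):
    """Infer the stack-argument count and who removes the arguments."""
    rows = parse_listing(text)
    slots = {int(n) for _, cmd in rows for n in ARG_RE.findall(cmd)}
    nargs = max(slots, default=0)
    # 'RETN imm16' pops the arguments in the callee (stdcall); a bare RETN
    # leaves them on the stack for the caller to remove (cdecl).
    rets = [cmd for _, cmd in rows if cmd.upper().startswith("RETN")]
    callee_cleans = bool(rets) and all(len(cmd.split()) == 2 for cmd in rets)
    return {
        "args": nargs,
        "convention": "stdcall" if callee_cleans else "cdecl",
        "caller_cleanup": 0 if callee_cleans else 4 * nargs,  # bytes to add to ESP
    }
```

    Run on the listing from the post, analyse() reports three arguments and a 12-byte caller cleanup, which is what a call site needs after `call` for a __cdecl function with three dword parameters.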

  2. #2 ramey (Member)
    Well, you have the wrong address at least.

    Code:
    [14:27:14]: 0x0077E060 -> Lua_Dostring
    -- WoWX

  3. #3 Fraak (Member)
    Originally Posted by ramey:
    Well, you have the wrong address at least.

    Code:
    [14:27:14]: 0x0077E060 -> Lua_Dostring
    -- WoWX
    Well, I am not trying to use Lua_DoString; I am trying to use the method lua_tostring.
    Code:
    [15:19:27]: 0x007ADBF0 -> lua_tostring
    Also from wowx.

    It's one of the methods to get arguments from the Lua stack.

  4. #4 argh44z (Member)
    What are you passing in as the lua_State (the first argument to the function)? AFAIK, if I remember right, there is one lua_State variable that's allocated somewhere, and there is a function that lets you get a pointer to it. My memory is somewhat hazy though; I haven't looked at it since 2.4.x.

  5. #5 schlumpf (Retired Noggit Developer)
    To get the right LUAState, call 0x0077CCF0 -> GetLuaState. Pass that one to Lua_toString(LUAState *L, int idx, int *len). Remember that Lua_toString returns a char* containing the value on the stack at position idx.

    (Is it zero-terminated? Why do you get the length back too?)

    So first call GetLuaState, then pass everything into Lua_ToString.
    Code:
    LuaState *L = GetLuaState();
    char *result = Lua_ToString(L, 0, len);
    Code:
    call 0077CCF0h
    push <len>
    push 0
    push eax
    call <lua_tostring>
    add esp, 0Ch          ; caller removes the three cdecl arguments

  6. #6 Fraak (Member)
    And where would I get the length from then? Now I am just guessing something.

  7. #7 kynox (Member)
    Code:
    const char *lua_tostring (lua_State *L, int index);
    Equivalent to lua_tolstring with len equal to NULL.

    Passing len as NULL should be fine.

  8. #8 ramey (Member)
    Originally Posted by Fraak:
    Well, I am not trying to use Lua_DoString; I am trying to use the method lua_tostring.
    Code:
    [15:19:27]: 0x007ADBF0 -> lua_tostring
    Also from wowx.

    It's one of the methods to get arguments from the Lua stack.
    Sorry, bad eyes on my part.

    edit: Also, yes, just tested: you can pass NULL for length.
    Last edited by ramey; 01-26-2009 at 06:10 AM.

  9. #9 Fraak (Member)
    Awesome, thanks guys, passing NULL for length works perfectly!
