Lua do most of the strings?

#16 Cypher
Originally Posted by Nokia5800:
No one wants to hear it man. Just take a chill pill; just because I don't study WoW all day and night doesn't mean my work is 'copypasta'. I built my own script. I had help since my bots don't use injection, simple as that. I wanted to learn how to, so I asked for help. Get over yourself man. Everyone knows you're a nerd.
    1. Actually, a lot of people want to hear it, just normally not the people that it's aimed at.

    Cypher 1 - Retard 0

    2. Chill pill? I'm not angry, you're the one throwing personal attacks.

    Cypher 2 - Retard 0

3. Study WoW all day and night? No one is asking you to do that, I'm simply asking that you read the forum rules. There's an expected prerequisite level of knowledge for this section, you don't meet it, and I called you on it. If you had taken the time to research the topic before posting (30 minutes work maximum) rather than expecting us to spoonfeed you, not only would I not have to rip into you, but you would've actually learned something new.

    Cypher 3 - Retard 0

    4. You want to learn so you asked.... Simple as that eh? No, it really isn't. If you bothered to read the rules of this section you'd notice that you're expected to do your own research and show that you have put some forethought into your inquiry. You have not done this. We do not spoonfeed people just because they 'want to learn'. You have to demonstrate you DESERVE to be taught.

    Cypher 4 - Retard 0

    5. Everyone knows I'm a nerd? Awesome, that saves me time on my introductions. You say 'nerd' as if it's a bad thing. According to princeton, a nerd is "an intelligent but single-minded expert in a particular technical field or profession". That seems like a compliment. Thanks.

    Cypher 5 - Retard 0.

    And the winner is?
    CYPHER!

    Thanks for playing.

    But don't worry, you don't go home empty handed. Sorry, we're out of the "play at home" packages, so instead, have this picture of a cat with cheese on its head:

#17 amadmonk
Originally Posted by Cypher:

    Emphasis added.

    The fact you don't even know whether you're running in the main thread or not goes to show that pretty much all your 'work' is copypasta. Go back to basics, hit the books/tutorials, and come back when you actually UNDERSTAND what is happening, not just when you can copypasta and pray shit works.
    So, possibly noob question, but I don't really run in-process like you fighter jocks.

    I've seen a lot of TEB TLS punking for LUA injection. I wonder; could you freeze the thread externally, save its context, point it to your function, and go it? Then you'd have the TLS stuff pre-baked for you. Just restore the context when you're done.

    Er wait. That's probably actually more work than just setting the TLS stuff manually, huh. NM.
    Don't believe everything you think.

#18 Nesox
You can freeze it, save the context, change the EIP to your code cave, resume it, wait until the code finishes running, and then set the old context back. It works, but it's kind of unstable, so it's useless...
I tried lots of stuff like that before I started messing with DLL injection.

#19 amadmonk
    How come it's unstable? Stack issues?

    Stack and timing are the two things I can see getting messed up with the context swap method. On the plus side it eliminates one method of detection (thread attach hooks) and avoids the TLS issues of not running in the main thread. Of course, I still think it's overkill when four or five lines of asm achieves the same goal...

EDIT: scratch the stack -- thinking about it, unless your function modifies the caller's stack (which I can't really see happening in well-written code), your stack should be fine. So it must be timing. Or is there something else about it that I'm overlooking?

    EDIT 2: I don't think thread attach is a really great detection vector anyway, on further thought. Too many "normal" things add threads to your process all the time; this would result in lots of false positives. I'm mostly curious on an intellectual level (personally I'm still happy with packet sniffing and input injection for my bot )
    Last edited by amadmonk; 07-10-2009 at 03:37 PM.

#20 Nesox
Yeah, stack issues! So it's really not reliable. Now what would be better is if you can enter an address and when it hits that it runs your code, i.e. hooking out of process ^^
Saw a thread about it on GD and tried to port it but I couldn't get it to work.

#21 amadmonk
Well, you'd need to set the DRs and hook SEH/VEH, right? In theory you could use that for up to 4 (iirc, it's DR0-DR3) semi-stealthy hooks.

    Of course, it's relatively trivial for WoW to detect/zero out the DR registers.

    Oh wait, you mean it runs your code in like an RPC sense? Interesting... I wonder if you can mimic a full process context swap in userland.

Back when I had my rootkit in the XP days, I had a bit of code that double-mapped memory pages into my out-of-process code, so that (e.g.) 1000000h in WoW was exactly the same memory as 1000000h in my process. It was tricky but it allowed some really interesting and fun tricks. No more ReadProcessMemory... it's all just local. So there's no reason, in theory, that you couldn't do a full thread swap. Doing it without a blue screen or GP fault would be the tricky bit.

    I seem to recall a research paper about someone who'd done something where they could hook code without detours or DR magic. Of course, it involved kernel work (so not sure how interesting it is in a Vista/KPP world). Basically IIRC they would play with the memory protection flags on a page that contained some "interesting" code (set it as a guard page). Then they would trap the interrupt in kernel, see where the call came from (since you know the exact address that it was trying to read/execute), and reroute it (again, all in kernel) to "their" code. Of course, it was potentially slow due to all the context swaps, and it was a little more involved than I'm making it out to be because the page protection flags had to be flipped on the fly to keep from going into a death spiral of exceptions, but it looked really interesting. I wonder if there's any way to mimic that in userland... Guess it would depend, again, on hooking the exception handlers.
    Last edited by amadmonk; 07-10-2009 at 03:52 PM.

#22 jjaa
Originally Posted by Nesox:
Yeah, stack issues! So it's really not reliable. Now what would be better is if you can enter an address and when it hits that it runs your code, i.e. hooking out of process ^^
Saw a thread about it on GD and tried to port it but I couldn't get it to work.
    *cough*cough*
    http://www.mmowned.com/forums/wow-me...detouring.html

#23 Cypher
Originally Posted by amadmonk:
    So, possibly noob question, but I don't really run in-process like you fighter jocks.

    I've seen a lot of TEB TLS punking for LUA injection. I wonder; could you freeze the thread externally, save its context, point it to your function, and go it? Then you'd have the TLS stuff pre-baked for you. Just restore the context when you're done.

    Er wait. That's probably actually more work than just setting the TLS stuff manually, huh. NM.
I run all my code from WoW's main thread. The not-quite-out-and-not-quite-in process people are the ones with threading issues. (The people using remote threads)

    If you execute all your code from a D3D hook you don't have to do anything at all.


Originally Posted by amadmonk:
    How come it's unstable? Stack issues?

    Stack and timing are the two things I can see getting messed up with the context swap method. On the plus side it eliminates one method of detection (thread attach hooks) and avoids the TLS issues of not running in the main thread. Of course, I still think it's overkill when four or five lines of asm achieves the same goal...

EDIT: scratch the stack -- thinking about it, unless your function modifies the caller's stack (which I can't really see happening in well-written code), your stack should be fine. So it must be timing. Or is there something else about it that I'm overlooking?

    EDIT 2: I don't think thread attach is a really great detection vector anyway, on further thought. Too many "normal" things add threads to your process all the time; this would result in lots of false positives. I'm mostly curious on an intellectual level (personally I'm still happy with packet sniffing and input injection for my bot )
    When using remote threads, instability is introduced by the fact that program state may be 'invalid' at any given point in time, because it's only designed to be used by one thread. So if it's mid-modification during a context switch and you try to use an invalid pointer that's marked as valid (due to it being half-way through the modifications), KABOOM.

Synchronizing WoW's main thread with an arbitrary one is a pain.


Originally Posted by amadmonk:
Well, you'd need to set the DRs and hook SEH/VEH, right? In theory you could use that for up to 4 (iirc, it's DR0-DR3) semi-stealthy hooks.

    Of course, it's relatively trivial for WoW to detect/zero out the DR registers.

    Oh wait, you mean it runs your code in like an RPC sense? Interesting... I wonder if you can mimic a full process context swap in userland.

Back when I had my rootkit in the XP days, I had a bit of code that double-mapped memory pages into my out-of-process code, so that (e.g.) 1000000h in WoW was exactly the same memory as 1000000h in my process. It was tricky but it allowed some really interesting and fun tricks. No more ReadProcessMemory... it's all just local. So there's no reason, in theory, that you couldn't do a full thread swap. Doing it without a blue screen or GP fault would be the tricky bit.

    I seem to recall a research paper about someone who'd done something where they could hook code without detours or DR magic. Of course, it involved kernel work (so not sure how interesting it is in a Vista/KPP world). Basically IIRC they would play with the memory protection flags on a page that contained some "interesting" code (set it as a guard page). Then they would trap the interrupt in kernel, see where the call came from (since you know the exact address that it was trying to read/execute), and reroute it (again, all in kernel) to "their" code. Of course, it was potentially slow due to all the context swaps, and it was a little more involved than I'm making it out to be because the page protection flags had to be flipped on the fly to keep from going into a death spiral of exceptions, but it looked really interesting. I wonder if there's any way to mimic that in userland... Guess it would depend, again, on hooking the exception handlers.

    By the time you use DRs you also have to hook about 7 APIs to protect them, at which point it's no longer stealthy.

VEH is also detectable, both in documented and undocumented ways (*cough* ADDVeh returns an undocumented structure *cough* *cough*).
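As an added example (not code from this thread or from any of its posters), here is the kind of check Cypher's "detect/zero out the DR registers" remark refers to, written in portable C: decoding DR7 to find which of the four hardware breakpoint slots (DR0-DR3) are armed. The debug_regs struct and the sample register values are constructed; on Windows the real values come from GetThreadContext with CONTEXT_DEBUG_REGISTERS set in ContextFlags.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed stand-in for the Dr0..Dr3 and Dr7 fields of a thread context. */
typedef struct {
    uint64_t dr[4];  /* DR0..DR3: linear addresses being watched */
    uint64_t dr7;    /* DR7: enable bits plus per-slot condition and length */
} debug_regs;

typedef struct {
    int      slot;     /* 0..3 */
    uint64_t address;
    int      global;   /* 1 if armed via G<n>, 0 if via L<n> */
    int      rw;       /* 0 execute, 1 write, 3 read/write, 2 I/O */
    int      len;      /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes, 2 = 8 bytes */
} hw_breakpoint;

/* Decode DR7: L<n>/G<n> enable bits sit at bits 2n and 2n+1, the R/W<n>
 * condition at bits 16+4n..17+4n and LEN<n> at bits 18+4n..19+4n.
 * Fills out[] (room for 4) and returns the number of armed slots. */
int armed_breakpoints(const debug_regs *r, hw_breakpoint out[4]) {
    int n = 0;
    for (int i = 0; i < 4; i++) {
        int local  = (int)((r->dr7 >> (2 * i)) & 1);
        int global = (int)((r->dr7 >> (2 * i + 1)) & 1);
        if (!local && !global) continue;   /* slot i not armed */
        out[n].slot    = i;
        out[n].address = r->dr[i];
        out[n].global  = global;
        out[n].rw      = (int)((r->dr7 >> (16 + 4 * i)) & 3);
        out[n].len     = (int)((r->dr7 >> (18 + 4 * i)) & 3);
        n++;
    }
    return n;
}

/* Anti-tamper check: a process that never arms hardware breakpoints itself
 * can treat any armed slot on one of its own threads as a tamper signal. */
int hw_breakpoints_present(const debug_regs *r) {
    hw_breakpoint tmp[4];
    return armed_breakpoints(r, tmp) > 0;
}
int main(void) {
    /* Constructed sample: slot 1 armed locally as an execute breakpoint. */
    debug_regs r = { {0, 0x401000, 0, 0}, 1u << 2 };
    hw_breakpoint bp[4];
    int n = armed_breakpoints(&r, bp);
    for (int i = 0; i < n; i++)
        printf("DR%d armed at 0x%llx (%s)\n", bp[i].slot,
               (unsigned long long)bp[i].address, bp[i].global ? "global" : "local");
    return 0;
}
```

The per-thread snapshot is only meaningful if the check itself is not running under the tampering debugger, which is why Cypher notes the DR approach forces an attacker to hook the context APIs as well.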

#24 Nesox
Originally Posted by jjaa:
Oh hai thar! Afaik I don't need to do that, C++ and pipes ftw
