Lua Do String

Page 3 of 3 (results 31 to 41 of 41)
  1. #31
Ellesar1 (Member)
It just means that the whole TLS rewriting, which no one knows what it is for, doesn't break something.

Since the address for the lua function seems to be okay, I think that you push the arguments in a wrong order or push wrong arguments. Maybe you should push the location of the 2nd last byte from your lua string instead of 0. So, luastr addr + luastr length - 1
  2. #32
furang (Member)
    Nope... Checked that. luastr length doesn't help.

As you can see, the function takes 3 parameters. But there's a variable (global, as I understand). Can it be so that my code overwrites it so it crashes wow?

  3. #33
Ellesar1 (Member)
Nope, since it works without calling the function actually. If it would make something bad, wow would also crash when it tries to call dostring().


    call() just pushes the current IP on the stack and moves the instruction pointer to the given location.

  4. #34
flo8464 (Active Member)
    Huh? You don't have to overwrite any globals...

    The way to go is:

1. Get the address of the TLS of WoW's main thread
2. Write that address to your thread's TLS pointer so your thread accesses the main thread's storage
3. Simply call lua_doString
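The reason step 2 is needed at all is that thread-local storage is per thread: a variable declared thread-local has one copy per thread, each at its own address, so code running on a freshly created thread reads its own (empty) copy unless it is explicitly pointed at another thread's block. The following C program is an added example, not code from this thread; it uses portable C11 `_Thread_local` and POSIX threads instead of the Windows `FS:[0x2C]` mechanics, so it shows the general behaviour rather than the WoW-specific addresses. The variable `tls_slot`, the `probe` struct and the function `tls_copies_are_distinct` are names chosen for the example.

```c
#include <pthread.h>
#include <stdio.h>

/* One thread-local integer: every thread gets its own copy at its own address. */
static _Thread_local int tls_slot = 0;

/* Shared record the worker fills in so the main thread can inspect the result. */
struct probe {
    int *main_slot;     /* address of the main thread's copy, set before the worker starts */
    int *worker_slot;   /* address of the worker's own copy, set by the worker */
    int  own_value;     /* what the worker sees in its own copy */
    int  seen_via_ptr;  /* what the worker reads through main_slot */
};

static void *worker(void *arg)
{
    struct probe *p = arg;
    tls_slot = 222;                    /* touches only the worker's copy */
    p->worker_slot  = &tls_slot;
    p->own_value    = tls_slot;
    p->seen_via_ptr = *p->main_slot;   /* the main thread's copy is reachable through a pointer */
    return NULL;
}

/* Returns 1 when: the two copies have distinct addresses, the worker's write did not
   disturb the main thread's copy, and the worker could still read the main thread's
   value once handed an explicit pointer to it. Returns -1 if the thread cannot start. */
int tls_copies_are_distinct(void)
{
    struct probe p = {0};
    pthread_t t;

    tls_slot = 111;                    /* main thread's copy */
    p.main_slot = &tls_slot;

    if (pthread_create(&t, NULL, worker, &p) != 0)
        return -1;
    pthread_join(t, NULL);             /* main's TLS stays valid while main is alive */

    return p.worker_slot != p.main_slot
        && p.own_value == 222
        && p.seen_via_ptr == 111
        && tls_slot == 111;
}

int main(void)
{
    printf("distinct TLS copies, main reachable via pointer: %s\n",
           tls_copies_are_distinct() == 1 ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c11 -pthread tls_demo.c`. The point for the thread above is the last two checks: a new thread's write lands in its own block, and only an explicit pointer to the other thread's block lets it see that thread's values. Any code that depends on per-thread state (a Lua state pointer kept in TLS, for instance) therefore behaves differently on a second thread until that pointer is swapped, which is also why a thread whose TLS pointer suddenly matches another thread's is an unusual condition worth flagging when reviewing process behaviour.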

  5. #35
furang (Member)
Ok. TLS is at fs:[0x2C] (judging by the Wikipedia article "Win32 Thread Information Block").
    So it should be:

    1.
    Code:
    mov EDX, [0x012705B0]
    mov EDX, [EDX+0x00002D94]// edx = wow's main thread's tls
    2.
    Code:
    mov EAX, FS:[0x2C]
    mov EAX, [EAX]
    add EAX, 8 //eax = this thread tls
    mov [EAX], EDX
    3.
    Code:
    call 0x007CF6B0
    retn
    Right? And what about luastr?
    Last edited by furang; 10-10-2009 at 12:54 PM.

  6. #36
flo8464 (Active Member)
    lua_doString is a cdecl-call. So call it pushing parameters from right to left.

    Code:
    push 0 //lua-state
    push address-of-your-lua-string
    push address-of-your-lua-string //again
    call lua_doString

  7. #37
furang (Member)
So what have we got?
    Code:
    mov EDX, [0x012705B0]
    mov EDX, [EDX+0x00002D94]// edx = wow's main thread's tls. right?
    mov EAX, FS:[0x2C]
    mov EAX, [EAX]
    add EAX, 8 //eax = this thread tls. right?
    mov [EAX], EDX
    push 0
    push offset luastr
    push offset luastr
    call 0x007CF6B0// lua_DoString addr
    add esp, 0xC//fixing stack
    retn
Is that right? Correct me please if I'm mistaken.

  8. #38
Ellesar1 (Member)
Thanks flo, your explanation gives this whole TLS thing a sense.

Since we run an additional (!) thread with our code, it doesn't have access to wow's main process memory. Due to this fact, we get the TLS of our new thread from FS:[0x2] and change the pointer to WoW's main TLS.

Makes perfect sense. +rep!

  9. #39
furang (Member)
Ya. That's why TLS is called Thread's Local Storage.
But can anyone please tell me if my code is correct, and if it's not, what I am doing wrong?
    Last edited by furang; 10-10-2009 at 02:18 PM.

  10. #40
flo8464 (Active Member)
Originally Posted by furang:
> Ya. That's why TLS is called Thread's Local Storage.
> But can anyone please tell me if my code is correct, and if it's not, what I am doing wrong?

Your code seems pretty ok, did you test it?
Btw, if you are using C/C++ it's possible to do it out-of-process without using any asm, take a look at Cypher's RtlRemoteCall-Rewrite. With some modifications (you have to fix the TLS before) it should work perfectly.

  11. #41
furang (Member)
Nope...(((
Here's the real code I'm using
    Code:
    mov         edx,[0012705B0]
    mov         edx,[edx][000002D94]
    mov         eax,fs:[00000002C]
    mov         eax,[eax]
    add         eax,8
    mov         [eax],edx
    push        0
    mov         eax,12345678
    push        eax
    push        eax
    call        0007CF6B0 
    add         esp,00C
    retn
    nop
When I allocate memory for luastr I rewrite 12345678 with it. Checked and debugged it. The address is rewritten correctly. But it crashes wow(
Don't know what to do. I enabled break on new thread. But I haven't found my code near the breakpoint. I'm confused.