Lua_Register

[Ellesar1]

@flo
thats true, put it there since I want to try some other things where I need it when I'm done with this (which can take quite a while since I'm really new to this topic).
If you are also new here the explanation: Since the function gets executed in WoW's main thread and not anymore in my dll thread, the TLS patch is not needed anymore since we are already in the thread we want.

@berserk85:
what do you understand under "callback"? For me, a callback is a function pointer which is stored somewhere which is invoked later, when some event occurs.

I've also read about HWBP: do you think about setting some of them to the warden checks to change the memory back before a scan and reapplying the patch after the check?

about the "code cave" (which is essentially a single jmp instruction):
- are we able to edit the contents of the .code section where we have to go into?
- isn't there a crc-check over this section so that we get detected?

[lanman92]

The CRC is only at login time. I don't think the client even sends info about that, because corrupt memory isn't always because of a hack.

To do what they're saying with registering your function, search the .code section for 5 bytes of C3. It's just for function alignment. Write the jump to that location and register your callback to that location.

EDIT: You could also use a push 0xDEADBEEF + retn instead of jmp. Same thing really.

[Ellesar1]

taking the CC's as victim makes sense. thanks for the hint. also thanks for the hint that warden does not check this range.

Injected the DLL, registered the function to some unused space <A> inside of the allowed range, printed the address <B> of my function to a file, and added a "JMP <B>" instruction to the location <A> using ollydbg.

however, I'm not able to write the "JMP" instruction from my DLL. Seems that the .code section is not writable from the thread.

Access violation when writing to [<A>] - Shift+Run/Step to pass exception to the program

[lanman92]

Use VirtualProtect and make it writable. By default the code section is read+execute only I think.

[Ellesar1]

VirtualProtect worked fine. +rep.

updated the first post of the thread with the final code.