Patching lua registerfunction callback

  1. #1 skiiippp

    I have my dll injected and hooked to endscene. Now I am trying to register my own lua function so I can retrieve data back from lua calls using a callback.

    I've checked awesomeapoc's thread/code on the topic and I wrote a patch for the callback pointer that's sent to FrameScript_RegisterFunction("myfunctionname", callbackfunctionpointer).
    However, the result so far is a bit disappointing; I can call functions like SendChatMessage after patching but everything wrapped in the injected functionname is never executed.

    Code:
    //calling this (once) from endscene:
    Lua.RegisterCallbackPointer();
    Lua.DoString("SendChatMessage(\"yarrr\", \"WHISPER\", \"common\", \"myname\");");
    Lua.GetReturnValues("SendChatMessage(\"functiontest\", \"WHISPER\", \"common\", \"myname\");");
    String[] res = Lua.GetReturnValues("test = GetRealZoneText();");
    foreach (string s in res) Log("Lua.GetReturnValues: " + s);
      
    
    //bypassing IsFunctionInRange
    private static IntPtr codecave_ptr = Marshal.AllocHGlobal(8);
    private static IntPtr patchCallback(IntPtr callbackPtr)
    {
      var buf = new byte[4];
      var buf2 = new byte[1];
      //jump
      uint p = (uint)callbackPtr - (uint)codecave_ptr - 5;
      //bytes that make the codecave_ptr jump to our callback function
      //inspired by Ellesar1; http://www.mmowned.com/forums/wow-memory-editing/263874-lua_register.html
      buf2[0] = 0xE9;
      buf[3] = (byte)((p & 0xFF000000) >> 24);
      buf[2] = (byte)((p & 0xFF0000) >> 16);
      buf[1] = (byte)((p & 0xFF00) >> 8);
      buf[0] = (byte)((p & 0xFF));
    
      //write patch to our codecave_ptr using kernel32.dll's WriteProcessMemory
      IntPtr ProcessHandle = Shizzle.Memory.OpenProcess(Shizzle.Memory.ProcessAccessFlags.All, false, (UInt32)Process.GetCurrentProcess().Id);
      IntPtr bytesout;
      IntPtr bytesout2;
      bool ReturnVal = Shizzle.Memory.WriteProcessMemory(ProcessHandle, codecave_ptr, buf2, (UIntPtr)buf2.Length, out bytesout);
      bool ReturnVal2 = Shizzle.Memory.WriteProcessMemory(ProcessHandle, new IntPtr((uint)codecave_ptr + 1), buf, (UIntPtr)buf.Length, out bytesout2);
      Shizzle.Main.Log(string.Format("WriteLuaCallback() - bytesout:{0} result1:{1} || bytesout2:{2} result2:{3}", bytesout.ToInt32(), ReturnVal, bytesout2.ToInt32(), ReturnVal2));
      Shizzle.Memory.CloseHandle(ProcessHandle);
    
      return codecave_ptr;
    }
    
    
    public static void RegisterCallbackPointer()
    {
      //RegisterCommandHandler is a delegate to FrameScript_RegisterFunction @ 0x007F1340
      //CommandParser is a delegate to my callback function
      RegisterCommandHandler("OnyxInput", patchCallback(Marshal.GetFunctionPointerForDelegate(CommandParser)));
      return;
    }
    public static void DoString(string lua)
    {
      //DoStringHandler is a delegate to FrameScript_Execute @ 0x007F25C0
      DoStringHandler(lua, "plugin.lua", 0);
    }
    public static string[] GetReturnValues(string lua)
    {
      DoString(string.Format("OnyxInput({0})", lua));
      return LuaValues.ToArray();
    }
    The result: I do get the "yarrr" whisper but not the later "functiontest" whisper that I'm expecting as well. Consequently, my callback is never called.

    So I'm thinking I went wrong with the patching of the callback pointer... am I?

  2. #2 lanman92
    If your patching was wrong, you would crash WoW (invalid function pointer). Try making a simpler test first, before you go crazy. Register a function, try calling it. Make sure DoString is working. You will have to pop variables off of the Lua stack to get return values in your callback function. The functions are in the 3.3.2 dump.

  3. #3 skiiippp
    Originally Posted by lanman92:
    If your patching was wrong, you would crash WoW (invalid function pointer). Try making a simpler test first, before you go crazy. Register a function, try calling it. Make sure DoString is working.
    The stuff in the opening post is quite a simple test. All I do is register the patch, test DoString (it does work, as stated at the bottom of the post) and then test again with a call to the registered function (fails, as stated).

    Originally Posted by lanman92:
    You will have to pop variables off of the Lua stack to get return values in your callback function. The functions are in the 3.3.2 dump.
    I didn't know I had to call anything extra after DoString(string.Format("OnyxInput({0})", lua)) to get the callback working. What function would that be? And does that explain why SendChatMessage doesn't do anything when it's wrapped in our registered function?

    edit: the thing that puzzles me most is that nothing seems to happen when I use DoString with some lua code wrapped in "OnyxInput({0})"... it's as if the registration of the function fails. Can anyone verify that FrameScript_RegisterFunction is the right function for the job?
    Last edited by skiiippp; 03-07-2010 at 01:55 PM.

  4. #4 Apoc
    If you weren't copy/pasting code, you'd understand what the issue is.

  5. #5 lanman92
    Code:
    #include <iostream>
    #include <lua.h>   // lua_State / lua_tointeger: standard Lua 5.1 C API names; the client's own copies are in the 3.3.2 dump
    
    int lua_callback(lua_State* L)
    {
        // arguments passed from Lua sit on the Lua stack; index 1 is the first argument
        int myvar = (int)lua_tointeger(L, 1);
        Logger << myvar << std::endl;
        return 0; // number of values returned to Lua
    }
    ...
    PatchFunction();
    RegisterFunction("test_call", lua_callback);
    DoString("test_call(UnitReaction(\"player\", \"target\"));", "test_call(UnitReaction(\"player\", \"target\"));", 0);
    This should be it. I haven't really screwed with this though, as it's easy to detect... That might be the wrong type of return value for UnitReaction, but I hope this clarifies things. Ensure that you are in the main thread as well.
    Last edited by lanman92; 03-07-2010 at 02:02 PM.

  6. #6 skiiippp
    Originally Posted by lanman92:
    Code:
    #include <iostream>
    #include <lua.h>   // lua_State / lua_tointeger: standard Lua 5.1 C API names; the client's own copies are in the 3.3.2 dump
    
    int lua_callback(lua_State* L)
    {
        // arguments passed from Lua sit on the Lua stack; index 1 is the first argument
        int myvar = (int)lua_tointeger(L, 1);
        Logger << myvar << std::endl;
        return 0; // number of values returned to Lua
    }
    ...
    PatchFunction();
    RegisterFunction("test_call", lua_callback);
    DoString("test_call(UnitReaction(\"player\", \"target\"));", "test_call(UnitReaction(\"player\", \"target\"));", 0);
    This should be it. I haven't really screwed with this though, as it's easy to detect... That might be the wrong type of return value for UnitReaction, but I hope this clarifies things. Ensure that you are in the main thread as well.
    I'm calling from EndScene, so I am in the main thread. The problem seems to be my call to the register function. Even if I don't patch the pointer I send to my register function, or I send a zero pointer, nothing happens; DoString still works for regular commands even though it should be broken after registering a function and not patching it. Right?

    edit: when I pop a macro in wow that calls the function we registered, I do get the invalidptr thing. So the registration seems to be ok... so apparently my patch is not working and my dosend is not picking up my registered command/function.
    Last edited by skiiippp; 03-07-2010 at 02:29 PM.

  7. #7 miceiken
    I am also stuck with this WriteCallback function from Apoc's LUA Wrapper
    Code:
    private static IntPtr WriteLuaCallback(IntPtr CallbackPtr)
    {
        uint InvalidPtr = (uint)Luas.Lua_InvalidPtrCheck; // From Apoc's thread: 0x0046ED80
        int BytesWritten;
        Log.Output("WriteLuaCallback() - Starting ...");
        bool ReturnVal;
        uint p = (uint)CallbackPtr - InvalidPtr - 5;
        var buf = new byte[4];
        var buf2 = new byte[1];
        buf2[0] = 0xE9;
        buf[3] = (byte)((p & 0xFF000000) >> 24);
        buf[2] = (byte)((p & 0xFF0000) >> 16);
        buf[1] = (byte)((p & 0xFF00) >> 8);
        buf[0] = (byte)((p & 0xFF));
    
        IntPtr hProcess = Kernel32.OpenProcess(Kernel32.ProcessAccessFlags.All, false, (uint)Memory.ProcessId); // Memory is the instance of BlackMagic that I use
        Log.Output("WriteLuaCallback() - hProcess = {0:X}", (uint)hProcess);
        ReturnVal = Kernel32.WriteProcessMemory(hProcess, (IntPtr)InvalidPtr, buf2, 1, out BytesWritten);
        if (!ReturnVal) { Log.Output(LogType.Error, "WriteLuaCallback() - Error during first WriteProcessMemory"); }
        Log.Output("WriteLuaCallback() - Written {0:d} bytes", BytesWritten);
    
        ReturnVal = Kernel32.WriteProcessMemory(hProcess, (IntPtr)((uint)InvalidPtr + 1), buf, 4, out BytesWritten);
        if (!ReturnVal) { Log.Output(LogType.Error, "WriteLuaCallback() - Error during second WriteProcessMemory"); }
        Log.Output("WriteLuaCallback() - Written {0:d} bytes", BytesWritten);
        Log.Output("WriteLuaCallback() - Success");
    
        return CallbackPtr;
    }
    From my log I get:
    Code:
     22:00:05  WriteLuaCallback() - Starting ...
     22:00:05  WriteLuaCallback() - hProcess = 490
     22:00:05  WriteLuaCallback() - Written 1 bytes
     22:00:05  WriteLuaCallback() - Written 4 bytes
     22:00:05  WriteLuaCallback() - Success
    Yet I crash with an AccessViolationException:
    Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
    On this line:
    RegisterCommandHandler(commandName, WriteLuaCallback(Marshal.GetFunctionPointerForDelegate(handler)));

    EDIT: Just realized I am using old offsets, lol
    I have updated everything except InvalidPtrCheck, does anyone have it?
    Code:
    internal enum Luas
    {
        Lua_DoString = 0x007F25C0,
        Lua_Register = 0x007F1340,
        Lua_GetTop = 0x00826D80,
        Lua_ToString = 0x00827290,
        Lua_InvalidPtrCheck = 0x0046ED80, // not updated
    }
    Last edited by miceiken; 03-07-2010 at 04:37 PM.

  8. #8 lanman92
    Hint: the part that makes it crash and burn is at 0x8448D4.

  9. #9 skiiippp
    heh, thanks for the hint ^^
    I was just looking in the "[Collection] WoW Binaries (Release & PTR)" topic and fired up IDA for an old version, for which I found the invalidfunctionptr in an old topic.
    I fetched the same function in the current release, and it's the same as you're hinting at.

    There's still a bug in my patching code though; applying the code from my opening post to 0x008448A0 will get the callback working but also makes WoW crash afterwards:
    Exception: 0xC0000005 (ACCESS_VIOLATION) at 001B:008272A4
    The instruction at "0x008272A4" referenced memory at "0x00000013".
    The memory could not be "read".

    I'm gonna take another good look at my patch code, it doesn't do what I think it does. Also, I'm gonna see if I can find some database file to make my Hex Rays look a bit less alien, or at least a script to import the function and var names from the dump topic.


    edit: First of all, thanks again lanman92! I looked at the code again and realised I had to patch it at the part where it's gonna throw me the invalidpointer misery, not the start of the function.
    Also, my test call "test = GetRealZoneText();" was kinda flawed. Need to ditch the ";" and "test=" assignment, just calling GetReturnValues("GetRealZoneText()") works like a charm now. +Rep for pointing me in the right direction


    edit2: The lua stuff is really versatile but I was just wondering, how safe is the usage of "protected" stuff?
    For example, CastSpellByName. I can fire that lua function from my code but the blizz UI blocks it.
    So are there lua calls I should avoid? I'm checking out if and how I can pass lua functions and macros to the FrameScript_Execute/DoSend atm.
    If there are no security issues involved, I would prefer to make extensive usage of lua calls.
    Last edited by skiiippp; 03-07-2010 at 10:42 PM.

  10. #10 lanman92
    You can call engine functions just as easily. They're faster, not that it really matters. And it removes the additional layer of crap that lua forces you to have.

  11. #11 Apoc
    Originally Posted by lanman92:
    You can call engine functions just as easily. They're faster, not that it really matters. And it removes the additional layer of crap that lua forces you to have.
    And using Lua allows you to remove the hundreds of layers of crap you'd need to re-implement if you were to not use it.

    Plus, you'd have a ton more stuff to update each patch! (As opposed to roughly 4 addresses for full Lua support)

  12. #12 lanman92
    Alright, you got me

  13. #13 SinnerG
    One thing I don't get: LuaNinja got detected, what prevents Warden from detecting any of this?

  14. #14 Cypher
    Originally Posted by SinnerG:
    One thing I don't get: LuaNinja got detected, what prevents Warden from detecting any of this?
    Short answer: Nothing.
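    The integrity check SinnerG asks about comes down to diffing live code against a known-good copy and decoding any planted E9 rel32 jump (the 5-byte patch written by the WriteLuaCallback/patchCallback code earlier in the thread). The following is an added example written for this thread, not code from any poster or from Warden; the 16-byte prologue, the function address FUNC_BASE, the module range MODULE_RANGE and the patched copy are all constructed sample data.

    ```python
    import struct

    # Constructed sample data (not taken from any real binary): a 16-byte
    # known-good prologue of a checked function, its assumed load address,
    # and the assumed address range of the main module image.
    FUNC_BASE = 0x00844800
    MODULE_RANGE = (0x00400000, 0x00C00000)
    ORIGINAL = bytes.fromhex("558bec83ec0856578b7d083b7d0c7210")
    # Same bytes with a 5-byte `jmp rel32` planted at offset 11 that lands at
    # 0x10001000, i.e. outside the module (the pattern the thread describes).
    PATCHED = bytes.fromhex("558bec83ec0856578b7d08e9f0c77b0f")


    def decode_jmp_rel32(code: bytes, offset: int, base: int):
        """Return the absolute target of an E9 rel32 jump at code[offset], or None."""
        if offset + 5 > len(code) or code[offset] != 0xE9:
            return None
        rel = struct.unpack_from("<i", code, offset + 1)[0]  # signed displacement
        # x86 computes the target relative to the end of the 5-byte instruction
        return (base + offset + 5 + rel) & 0xFFFFFFFF


    def find_inline_patches(original: bytes, current: bytes, base: int, module_range):
        """Diff live code against its known-good copy.

        Returns (address, jump_target_or_None, target_outside_module) for every
        modified location; a decoded E9 jump consumes all five of its bytes.
        """
        lo, hi = module_range
        findings = []
        i = 0
        while i < min(len(original), len(current)):
            if current[i] == original[i]:
                i += 1
                continue
            target = decode_jmp_rel32(current, i, base)
            if target is None:
                findings.append((base + i, None, False))  # plain byte change
                i += 1
            else:
                findings.append((base + i, target, not (lo <= target < hi)))
                i += 5
        return findings


    if __name__ == "__main__":
        for finding in find_inline_patches(ORIGINAL, PATCHED, FUNC_BASE, MODULE_RANGE):
            print("modified code:", finding)
    ```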

  15. #15 Apoc
    Originally Posted by Cypher:
    Short answer: Nothing.
    Lies. I have cake. I'm fully protected.
