  1. #1
    flo8464's Avatar Active Member

    Invalid function pointer

    Ok guys, I really feel stupid right now.

    I didn't do anything for WoW in the last months and just came back to that game.
    My intention: To write some nice extensions for WoW's Lua language.

    Pretty easy stuff, until ... "Invalid function pointer: 0xDEADBEEF"
    I felt kinda stupid and attached my debugger, 0xDEADBEEF was indeed the address of my own function.

    Thank god I immediately got a meaningful result when I looked up IDA for that problem; it seems like every address outside WoW's .code section is invalid for use in FrameScript::Register.

    Before I start hacking by writing code to codecaves et cetera, is there a more 'clean' way to bypass this?
    I am pretty sure Warden watches the function checking the pointer, am I right?

    And what I care about most at the moment: Is calling a function which fails at the pointer check a reason for a (delayed) ban? I don't really want to get butt****ed on my main account, which I used for testing.

    Thanks.
    Regards,
    Flo
    Hey, it compiles! Ship it!

  2. #2
    Apoc's Avatar Angry Penguin
    Just write a jmp somewhere in the .text segment.

  3. #3
    Robske's Avatar Contributor
    It's not a reason for a delayed ban; there are, however, certain things to take into account.

    - Changing the value that defines the 'end of .text' section will result in a ban.
    - Using the first set of INT3's will result in a ban, iirc *buddy software used this to flag process instances as 'injected'.

    Both are watched by Maiev.
    "Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live." - Martin Golding
    "I cried a little earlier when I had to poop" - Sku

  4. #4
    eLaps's Avatar Active Member
    Just patch and restore it each time you need it.
    Code:
    uint32_t backup = *(uint32_t*)0xa6c750;
    *(uint32_t*)0xa6c750 = 0xFFFFFF;
    //Make your lua calls
    *(uint32_t*)0xa6c750 = backup;

  5. #5
    Xarg0's Avatar Member
    I don't know if it's still valid, but a simple workaround would be a hook on EnterCriticalSection and LeaveCriticalSection, because Warden calls/called EnterCriticalSection before scanning and LeaveCriticalSection afterwards.
    There are also several other places where you could possibly intercept the Warden scan, just make sure Warden doesn't catch you doing so.
    I hacked 127.0.0.1

  6. #6
    flo8464's Avatar Active Member
    Thanks for your replies, just got back from holidays, couldn't answer earlier.

    This is the code I quickly wrote. I really can't figure out why it always results in Access Violations (Instruction at 0x12345678 attempted to write at 0x12345678, where 0x12345678 is the address of my Lua function) after being called in-game via the /script command:

    Code:
    template <typename pfunction_t>
    pfunction_t WriteFunctionJump(LPVOID targetAddress, pfunction_t function)
    {
        #pragma pack(push)
        #pragma pack(1)

        struct Jmp
        {
            BYTE instruction;
            pfunction_t function;
        };

        #pragma pack(pop)

        Jmp jmp = { 0xE9, function };

        DWORD oldProtect;
        ::VirtualProtect(targetAddress,
                         sizeof(Jmp),
                         PAGE_EXECUTE_READWRITE,
                         &oldProtect);

        ::memcpy(targetAddress, static_cast<LPVOID>(&jmp), sizeof(Jmp));

        return static_cast<pfunction_t>(targetAddress);
    }
    Code:
    FrameScript::RegisterFunction("DoSomething", Utilities::WriteFunctionJump<lua_Function>( /*Some Codecave I use*/, CustomLua::DoSomething));
    It's probably something stupid I guess.
    Hey, it compiles! Ship it!

  7. #7
    zzgw's Avatar Member
    For what it's worth, you only get banned if you change it to -1, anything else is fine (for the moment). Also the true horror here is that you're using your main account for testing, you're just asking for it.
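
The range check described in post #1 and the integrity-check behaviour mentioned in replies #3 and #7 can be modelled from the defender's side in a few lines. The following C is an added example, not code from the game, its anti-cheat, or any poster; the struct, function names and addresses are constructed, and it shows why an integrity check that flags only one sentinel value misses other modifications of the bound, while comparison against an independently derived reference does not.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Live bounds read by the registration check; writable at run time. */
typedef struct {
    uintptr_t text_start;
    uintptr_t text_end;   /* exclusive */
} code_bounds;

/* Constructed reference bounds, standing in for values re-derived from the image's section headers. */
static const code_bounds REFERENCE = { 0x00401000u, 0x00900000u };

/* Registration-time check: accept a callback only if it points into the code section. */
bool pointer_in_code(const code_bounds *b, uintptr_t fn)
{
    return fn >= b->text_start && fn < b->text_end;
}

/* Weak integrity check: flags a single known-bad value (-1) only. */
bool tampered_sentinel_only(const code_bounds *live)
{
    return live->text_end == UINTPTR_MAX;
}

/* Stronger check: any difference between the live bounds and the
 * reference copy counts as tampering. */
bool tampered_vs_reference(const code_bounds *live, const code_bounds *ref)
{
    return live->text_start != ref->text_start || live->text_end != ref->text_end;
}

/* Bitmask: 1 = callback accepted, 2 = sentinel check fired, 4 = reference check fired. */
unsigned evaluate(const code_bounds *live, uintptr_t fn)
{
    unsigned r = 0;
    if (pointer_in_code(live, fn))               r |= 1u;
    if (tampered_sentinel_only(live))            r |= 2u;
    if (tampered_vs_reference(live, &REFERENCE)) r |= 4u;
    return r;
}

int main(void)
{
    code_bounds widened = { 0x00401000u, 0x20000000u }; /* constructed altered bound */
    printf("widened bound, out-of-image callback: %u\n", evaluate(&widened, 0x10000000u));
    return 0;
}
```
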
