register new lua function, safety menu

  1. #1
    Teq2's Avatar Member

    register new lua function, safety

    Is it safe to use lua_register (lua_pushcclosure, lua_setfield..) to extend base WoW Lua? Does Warden monitor lua_State integrity atm (maybe some CRC checks)? I haven't any idea how to find out for sure.
    Last edited by Teq2; 04-16-2012 at 11:01 PM.

  2. #2
    _Mike's Avatar Contributor
    They check if the callback is within WoW's .text section. I don't think they send this back to the server though. It seems to be just a local fatal error. (Unless you choose to submit the crash report.)
    They don't, as far as I know, check which callbacks or how many that are registered.
    Find 5 free bytes and register that address as your callback and write a 'jmp your_real_function' there to get around the section check.

    @ .text:008742B0
    Code:
    int __cdecl FrameScript::InvalidPtrCheck(unsigned int ptr)
    {
      int result; // eax@1
      int v2; // ecx@1
      char v3; // [sp+0h] [bp-40h]@6  (buffer for the error message)
    
      // cached .text bounds (globals in .data); only refilled while still zero
      result = textsection_start;
      v2 = textsection_end;
      if ( !textsection_start || !textsection_end )
      {
        FindTextSection();
        result = textsection_start;
        v2 = textsection_end;
      }
      // half-open range test: the callback must point into [start, end)
      if ( ptr < result || ptr >= v2 )
      {
        SStrVPrintf((int)&v3, "Invalid function pointer: %p", ptr);
        SErrDisplayAppFatal(&v3); // local fatal error
      }
      return result;
    }
    And you don't have to register your callback manually, you can use
    .text:00839620 FrameScript_RegisterFunction(char const*, int (*)(lua_State *))

  3. #3
    namreeb's Avatar Legendary

    Also, note that at one point the first occurrence of 5 free bytes was being monitored by Warden (presumably for this reason).

  4. #4
    Teq2's Avatar Member
    Originally Posted by _Mike View Post
    Find 5 free bytes and register that address as your callback and write a 'jmp your_real_function' there to get around the section check.
    I think it's better to hook "InvalidPtrCheck" and use any address I want. Writing all patches into a list and hooking Warden's scan proc to allow it to read only the original bytes, this is what I'm using. I'll post this "anti-scan" sometime later.

    p.s. sorry, I can't give you rep, so thanks =)

  5. #5
    Bananenbrot's Avatar Contributor
    Originally Posted by Cypher View Post
    Patching any of that crap is silly imo.

    Register a Lua callback using the address of an int3 or similar instruction that will both cause an exception and pass the function pointer bounds check imposed when registering an ingame callback, then have your Lua callback execute the code (which will cause it to execute without protection), get the return values, etc.

    Obviously still detectable, but a step up from hooking the client, and if your code is private it's much less likely to get detected if you're using a technique like that as opposed to client hooking (where there's a good chance you'll be 'caught in the crossfire').

  6. #6
    Teq2's Avatar Member
    Detectable patches aren't a problem; there is a (working) way to hide all patches from Warden. I'm not looking for easy ways.

  7. #7
    _Mike's Avatar Contributor
    Originally Posted by Teq2 View Post
    I think it's better to hook "InvalidPtrCheck" and use any address I want. Writing all patches into a list and hooking Warden's scan proc to allow it to read only the original bytes, this is what I'm using. I'll post this "anti-scan" sometime later.

    p.s. sorry, I can't give you rep, so thanks =)
    If you want to take that approach you actually don't have to hook anything. Just change the textsection_start and textsection_end globals to include your pages. They only ever get overwritten if either is null. Plus they're in .data which warden does not scan afaik.
    I'm actually kinda surprised Warden does so little as far as detection methods go. Sometimes I wish I could be the "warden guy" just for a day, just to mess with people.
    Last edited by _Mike; 04-17-2012 at 08:26 PM.
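A worked illustration of the bounds check in _Mike's decompile (post #2) and of the cached-globals weakness he points out in post #7, added here as an example; it is not code from the thread or from the client. The section table, its addresses, the `inside`/`outside` pointers and every function name are constructed stand-ins for the example. It compares the cached check with a variant that re-derives the bounds on each call and with an integrity check that flags a cache that no longer matches the section table.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed section table standing in for a loaded image; the addresses
 * are made up for this example and are not the client's real layout. */
typedef struct {
    const char *name;
    uintptr_t   start;
    size_t      size;
} section_t;

static const section_t g_image_sections[] = {
    { ".text",  0x00401000u, 0x00200000u },  /* code: callbacks must live here */
    { ".rdata", 0x00601000u, 0x00080000u },
    { ".data",  0x00681000u, 0x00040000u },  /* writable: where the cache lives */
};
#define NSECTIONS (sizeof g_image_sections / sizeof g_image_sections[0])

/* Cached bounds in writable data, mirroring textsection_start / textsection_end. */
static uintptr_t g_text_start = 0;
static uintptr_t g_text_end   = 0;

/* Counterpart of FindTextSection(): look up ".text" in the section table. */
static bool find_text_section(uintptr_t *start, uintptr_t *end)
{
    for (size_t i = 0; i < NSECTIONS; i++) {
        if (strcmp(g_image_sections[i].name, ".text") == 0) {
            *start = g_image_sections[i].start;
            *end   = g_image_sections[i].start + g_image_sections[i].size;
            return true;
        }
    }
    return false;
}

/* Mirrors the decompiled logic: refill the cache only if a bound is still 0,
 * then do a half-open range test. Returns 1 if ptr is accepted, 0 if rejected
 * (where the client would raise its fatal error instead of returning). */
int callback_ptr_check_cached(uintptr_t ptr)
{
    if (!g_text_start || !g_text_end) {
        if (!find_text_section(&g_text_start, &g_text_end))
            return 0;                          /* no .text found: fail closed */
    }
    return (ptr >= g_text_start && ptr < g_text_end) ? 1 : 0;
}

/* Hardened variant: derive the bounds from the section table on every call,
 * so a modified cache in .data cannot widen the accepted range. */
int callback_ptr_check_fresh(uintptr_t ptr)
{
    uintptr_t start, end;
    if (!find_text_section(&start, &end))
        return 0;
    return (ptr >= start && ptr < end) ? 1 : 0;
}

/* Integrity check a scanner could run: does the cache still agree with the
 * section table? Returns 1 if inconsistent (or never filled), 0 if it matches. */
int cached_bounds_tampered(void)
{
    uintptr_t start, end;
    if (!find_text_section(&start, &end))
        return 1;
    return (g_text_start != start || g_text_end != end) ? 1 : 0;
}

/* Helper: put the cache back into its uninitialised state. */
void reset_cached_bounds(void)
{
    g_text_start = 0;
    g_text_end   = 0;
}

int main(void)
{
    uintptr_t inside  = 0x00412340u;   /* constructed: lies inside .text */
    uintptr_t outside = 0x10000000u;   /* constructed: a separately mapped page */
    printf("inside : cached=%d fresh=%d\n",
           callback_ptr_check_cached(inside), callback_ptr_check_fresh(inside));
    printf("outside: cached=%d fresh=%d tampered=%d\n",
           callback_ptr_check_cached(outside), callback_ptr_check_fresh(outside),
           cached_bounds_tampered());
    return 0;
}
```

The two checks agree as long as the cache matches the section table; the difference only shows once something in writable memory has changed the cached end, which is exactly the case the decompiled code never revisits because it refills the cache only when a bound is zero. Re-deriving the bounds per call, or cross-checking the cache against the headers as `cached_bounds_tampered` does, closes that gap at the cost of a section-table lookup per registration.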
