[2.4.3] Lua do_string with CreateRemoteThread

  1. #1 =manzarek= (Member)

    [2.4.3] Lua do_string with CreateRemoteThread

    Hi,
    Here is my code:
    Code:
    public void InjectAndExecute(String[] asm)
    {
        // write asm
        Memory.Asm.Clear();
        foreach (string tempLineAsm in asm)
        {
            Memory.Asm.AddLine(tempLineAsm);
        }
        // allocate
        uint injected_code = Memory.AllocateMemory(Memory.Asm.Assemble().Length, Magic.MemoryAllocType.MEM_COMMIT, Magic.MemoryProtectType.PAGE_EXECUTE_READWRITE);
        // inject
        Memory.Asm.Inject(injected_code);
        // execute
        IntPtr th = Memory.CreateRemoteThread(injected_code, 0);
        SThread.WaitForSingleObject(th);
        // free memory
        Memory.FreeMemory(injected_code);
        SThread.TerminateThread(th, 0);
    }

    public void Lua_Dostring(String command)
    {
        // allocate for command (+1 for the terminating null byte)
        uint DoStringArg_Codecave = Memory.AllocateMemory(Encoding.UTF8.GetBytes(command).Length + 1);
        // write command
        Memory.WriteBytes(DoStringArg_Codecave, Encoding.UTF8.GetBytes(command));
        String[] asm = new String[]
        {
            "mov eax, " + DoStringArg_Codecave,
            "push 0",
            "push eax",
            "push eax",
            "mov eax, " + (uint)Offsets.Fonctions.Lua_Dostring, // Lua_DoString
            "call eax",
            "add esp, 0xC",
            "retn",
        };
        InjectAndExecute(asm);
        Memory.FreeMemory(DoStringArg_Codecave);
    }
    I try to call Lua_Dostring by creating a remote thread, but nothing happens when I execute it; I try to make my char dance (DoEmote(\"dance\")).

    The injection seems to work:
    [screenshot omitted]

    But nothing happens on execution.

    Can someone help me with this please?

    Thank you
    Last edited by =manzarek=; 09-15-2013 at 07:17 AM.

  2. #2 Valediction (Active Member)
    Prototype is:

    int Lua_dostring(lua_state *state, const char *command);

    Also check the calling convention. I find it's fastcall in 1.12, although I think they (thankfully) dropped that in later releases of WoW; I don't know about TBC. You seem to be using cdecl (check if that's correct).

    If you're instead trying to call FrameScript__Execute, the signature changes a bit. I don't have time for more now; I will check this later.

  3. #3 =manzarek= (Member)
    Thank you for your reply.
    I'm using 0x00706C80 -> Lua_Dostring, posted by Cypher in the dump thread.
    The prototype is:
    int __cdecl sub_706C80(int a1, int a2, int a3) according to IDA.
    The calling convention is cdecl.

    Since I try to call the function in a new thread, maybe I need to replace the TLS address,

    something like:
    Code:
    push dword [fs:2Ch]
    mov [fs:2Ch], dword TLSAddress
    "mov eax, " + DoStringArg_Codecave,
    "push 0",
    "push eax",
    "push eax",
    "mov eax, " + (uint)Offsets.Fonctions.Lua_Dostring, // Lua_DoString
    "call eax",
    "add esp, 0xC",
    pop dword [fs:2Ch]
    "retn",

    If so, how do I find the TLSAddress?
    I found this here: http://www.ownedcore.com/forums/worl...journal-2.html (WoW Modification Journal)

  4. #4 xalcon (Contributor)
    You need to call FrameScript_Execute (aka Lua_DoString) from the main thread; using your own thread will not work. (I've hooked DirectX EndScene for this.)
    "Threads should always commit suicide - they should never be murdered" - DirectX SDK

  5. #5 Valediction (Active Member)
    That shouldn't be needed. I have successfully called dostring from a non-main thread and it worked (but of course you have to do it from the MT if you want any reliability).

  6. #6 xalcon (Contributor)
    Well, that's true for unprotected functions.
    Anyway, have you added the process base address to Offsets.Fonctions.Lua_Dostring? I don't know what OS you are using, but ASLR might be the "problem" here.

    Code:
    var baseAddress = wowProcess.MainModule.BaseAddress;
    var funcpointer = baseAddress + FrameScript_Execute_Offset;
    // call funcpointer

  7. #7 culino2 (Elite User)
    Originally Posted by xalcon
    Well, that's true for unprotected functions.
    Anyway, have you added the process base address to Offsets.Fonctions.Lua_Dostring? I don't know what OS you are using, but ASLR might be the "problem" here.

    Code:
    var baseAddress = wowProcess.MainModule.BaseAddress;
    var funcpointer = baseAddress + FrameScript_Execute_Offset;
    // call funcpointer
    ASLR isn't enabled in Classic/BC/Wotlk.

  8. #8 =manzarek= (Member)
    Yeah, there is no ASLR.

  9. #9 xalcon (Contributor)
    Well, I'm out then :P
    Maybe some offset problems or something related to CreateRemoteThread? Does your client crash when you set the function pointer to 0? Is your code even called?
    I'm not using asm to call WoW functions (I'm injected, so I can use delegates :3), but your asm code looks okay to me (even when you push eax twice xP, but I guess you are just lazy).

  10. #10 Valediction (Active Member)
    I suggest you give mmBBQ a try to check if you have the signature and addresses right. If it works that way, then you're probably doing something wrong injecting or calling the function. mmBBQ makes it very easy to try these kinds of things; google it, it uses Lua.

  11. #11 =manzarek= (Member)
    OK, so I wrote the string in memory (doemote...) and wrote the address down (it was 0xFAF0000).
    Then I used asmcall.cdecl(0x00706C80, 0xFAF0000, 0xFAF0000, 0) in mmBBQ.
    And...
    It worked, my char started dancing.
    So I don't know what is wrong with my injection, but I know for sure that the lua_dostring address is correct and that my first write is also correct.
    The problem is in the asm code then.
    I checked with the Cheat Engine debugger: my injected code is executed.
    I have no idea.
    Last edited by =manzarek=; 09-16-2013 at 03:17 PM.

  12. #12 =manzarek= (Member)
    Well, I used an EndScene hook and now it works.
    Credit to Apoc for http://www.ownedcore.com/forums/worl...1-offsets.html (C# code that automatically gets the EndScene (DirectX 9) and Present (DirectX 11) offsets).

    But if someone has the answer to my problem, I will be happy.

    Thank you for your replies.

  13. #13 Achilees (Member)
    I am trying to get this to work with 1.12.1; the following is the code:
    Code:
    public static void InjectAndExecute(String[] asm)
    {
        // write asm
        Memory.Asm.Clear();
        foreach (string tempLineAsm in asm)
        {
            Memory.Asm.AddLine(tempLineAsm);
        }
        // allocate
        uint injected_code = Memory.AllocateMemory(Memory.Asm.Assemble().Length, Magic.MemoryAllocType.MEM_COMMIT, Magic.MemoryProtectType.PAGE_EXECUTE_READWRITE);
        // inject
        Memory.Asm.Inject(injected_code);
        // execute
        IntPtr th = Memory.CreateRemoteThread(injected_code, 0);
        SThread.WaitForSingleObject(th);
        // free memory
        Memory.FreeMemory(injected_code);
        SThread.TerminateThread(th, 0);
    }

    public static void Lua_Dostring(String command)
    {
        // allocate for command (+1 for the terminating null byte)
        uint DoStringArg_Codecave = Memory.AllocateMemory(Encoding.UTF8.GetBytes(command).Length + 1);
        // write command
        Memory.WriteBytes(DoStringArg_Codecave, Encoding.UTF8.GetBytes(command));
        String[] asm = new String[]
        {
            "mov eax, " + DoStringArg_Codecave,
            "push 0",
            "push eax",
            "push eax",
            "mov eax, " + (uint)0x006F57F0, // Lua_DoString
            "call eax",
            "add esp, 0xC",
            "retn",
        };
        InjectAndExecute(asm);
        Memory.FreeMemory(DoStringArg_Codecave);
    }
    Code:
    public static IntPtr CreateRemoteThread(uint lpStartAddress, uint dwCreationFlags)
    {
        uint outlp;

        return CreateRemoteThread(WoW.Handle, IntPtr.Zero, 0, (IntPtr)lpStartAddress, IntPtr.Zero, dwCreationFlags, out outlp);
    }
    I am assuming my CreateRemoteThread has issues, or I am not sure how you hooked EndScene.

  14. #14 Achilees (Member)
    I made that pretty apparent with my code paste; anyway, thanks for the hint, trying to learn this shit, I mean stuff..
