Hey.
I'm trying to call a function FrameScript::ExecuteBuffer in Wow-64 process.
But it does not work, the client down.
What could be the problem?
Address of FrameScript::ExecuteBuffer 0x847D0.
Caller func:
Code:
public void LuaRun_x64(IntPtr address, string source)
{
var code = WriteCString(source);
var path = WriteCString("lua.lua");
var bytes = new List<byte>();
// sub rsp, 20h
bytes.AddRange(new byte[] { 0x48, 0x83, 0xEC, 0x20 });
// xor r8d, r8d ; state 0
bytes.AddRange(new byte[] { 0x45, 0x33, 0xC0 });
// mov rdx, path
bytes.AddRange(new byte[] { 0x48, 0xBA });
bytes.AddRange(BitConverter.GetBytes(path.ToInt64()));
// mov rcx, src
bytes.AddRange(new byte[] { 0x48, 0xB9 });
bytes.AddRange(BitConverter.GetBytes(code.ToInt64()));
// mov rax, FrameScript__ExecuteBuffer
bytes.AddRange(new byte[] { 0x48, 0xB8 });
var pcall = Process.MainModule.BaseAddress.ToInt64() + address.ToInt64();
bytes.AddRange(BitConverter.GetBytes(pcall));
// call rax
bytes.AddRange(new byte[] { 0xFF, 0xD0 });
// add rsp, 20h
bytes.AddRange(new byte[] { 0x48, 0x83, 0xC4, 0x20 });
// retn
bytes.Add(0xC3);
var func = this.Write(bytes.ToArray());
var thread = CreateRemoteThread(this.Process.Handle, IntPtr.Zero, 0, func, IntPtr.Zero, 0, IntPtr.Zero);
if (thread == IntPtr.Zero)
throw new Win32Exception();
WaitForSingleObject(thread, 0xFFFFFFFF);
CloseHandle(thread);
Free(func);
Free(code);
Free(path);
}
To test the code, I wrote a test application.
It works fine.
Code:
// .text:0000000140001000
// .text:0000000140001000 arg_0 = qword ptr 8
// .text:0000000140001000 arg_8 = qword ptr 10h
// .text:0000000140001000 arg_10 = dword ptr 18h
// .text:0000000140001000
// .text:0000000140001000 44 89 44 24 18 mov [rsp+arg_10], r8d
// .text:0000000140001005 48 89 54 24 10 mov [rsp+arg_8], rdx
// .text:000000014000100A 48 89 4C 24 08 mov [rsp+arg_0], rcx
// .text:000000014000100F 48 83 EC 28 sub rsp, 28h
// .text:0000000140001013 4C 8B 44 24 38 mov r8, [rsp+28h+arg_8]
// .text:0000000140001018 48 8B 54 24 30 mov rdx, [rsp+28h+arg_0]
// .text:000000014000101D 48 8D 0D 94 11 00 00 lea rcx, aSSI ; "%s - %s - %i"
// .text:0000000140001024 FF 15 F6 10 00 00 call cs:__imp_printf
// .text:000000014000102A 33 C0 xor eax, eax
// .text:000000014000102C 48 83 C4 28 add rsp, 28h
// .text:0000000140001030 C3 retn
int FrameScript__ExecuteBuffer(char* src, char* path, int state)
{
printf("%s - %s - %i", src, path, state);
return 0;
}
// .text:0000000140001040 48 83 EC 28 sub rsp, 20h
// .text:0000000140001044 45 33 C0 xor r8d, r8d ; state
// .text:0000000140001047 48 8D 15 72 11 00 00 lea rdx, path ; "lua.lua"
// .text:000000014000104E 48 8D 0D 73 11 00 00 lea rcx, src ; "print(0);"
// .text:0000000140001055 E8 A6 FF FF FF call ?FrameScript__ExecuteBuffer@@YAHPEAD0H@Z
// .text:000000014000105A 48 83 C4 28 add rsp, 20h
// .text:000000014000105E C3 retn
void Call()
{
FrameScript__ExecuteBuffer("print(0);", "lua.lua", 0);
}
Here is an example call FrameScript__ExecuteBuffer in the Wow-64
Apparently everything is almost identical to my code.
Code:
.text:00000001403B96F0 sub_1403B96F0 proc near ; DATA XREF: .data:00000001411E7588o
.text:00000001403B96F0 ; .pdata:00000001416A68B0o
.text:00000001403B96F0 40 53 push rbx
.text:00000001403B96F2 48 83 EC 20 sub rsp, 20h
.text:00000001403B96F6 BA 01 00 00 00 mov edx, 1
.text:00000001403B96FB 48 8B D9 mov rbx, rcx
.text:00000001403B96FE E8 DD BB D9 FF call sub_1401552E0
.text:00000001403B9703 85 C0 test eax, eax
.text:00000001403B9705 74 27 jz short loc_1403B972E
.text:00000001403B9707 45 33 C0 xor r8d, r8d
.text:00000001403B970A 48 8B CB mov rcx, rbx
.text:00000001403B970D 41 8D 50 01 lea edx, [r8+1]
.text:00000001403B9711 E8 9A BD D9 FF call sub_1401554B0
.text:00000001403B9716 48 85 C0 test rax, rax
.text:00000001403B9719 74 13 jz short loc_1403B972E
.text:00000001403B971B 80 38 00 cmp byte ptr [rax], 0
.text:00000001403B971E 74 0E jz short loc_1403B972E
.text:00000001403B9720 45 33 C0 xor r8d, r8d ; state
.text:00000001403B9723 48 8B D0 mov rdx, rax ; path
.text:00000001403B9726 48 8B C8 mov rcx, rax ; src
.text:00000001403B9729 E8 A2 B0 CC FF call FrameScript__ExecuteBuffer
.text:00000001403B972E
.text:00000001403B972E loc_1403B972E: ; CODE XREF: sub_1403B96F0+15j
.text:00000001403B972E ; sub_1403B96F0+29j ...
.text:00000001403B972E 33 C0 xor eax, eax
.text:00000001403B9730 48 83 C4 20 add rsp, 20h
.text:00000001403B9734 5B pop rbx
.text:00000001403B9735 C3 retn
.text:00000001403B9735 sub_1403B96F0 endp
Please help solve this problem.