Call FrameScript::ExecuteBuffer in Wow-64

[Konctantin]

Hey.
I'm trying to call a function FrameScript::ExecuteBuffer in Wow-64 process.
But it does not work, the client down.
What could be the problem?

Address of FrameScript::ExecuteBuffer 0x847D0.

Caller func:

Code:

public void LuaRun_x64(IntPtr address, string source)
{
	var code = WriteCString(source);
	var path = WriteCString("lua.lua");

	var bytes = new List<byte>();
	
	// sub     rsp, 20h
	bytes.AddRange(new byte[] { 0x48, 0x83, 0xEC, 0x20 });
	
	// xor     r8d, r8d        ; state 0
	bytes.AddRange(new byte[] { 0x45, 0x33, 0xC0 });
	
	// mov     rdx, path
	bytes.AddRange(new byte[] { 0x48, 0xBA });
	bytes.AddRange(BitConverter.GetBytes(path.ToInt64()));
	
	// mov     rcx, src
	bytes.AddRange(new byte[] { 0x48, 0xB9 });
	bytes.AddRange(BitConverter.GetBytes(code.ToInt64()));
	
	// mov     rax, FrameScript__ExecuteBuffer
	bytes.AddRange(new byte[] { 0x48, 0xB8 });
	var pcall = Process.MainModule.BaseAddress.ToInt64() + address.ToInt64();
	bytes.AddRange(BitConverter.GetBytes(pcall));
	// call    rax
	bytes.AddRange(new byte[] { 0xFF, 0xD0 });
	
	// add     rsp, 20h
	bytes.AddRange(new byte[] { 0x48, 0x83, 0xC4, 0x20 });
	
	// retn
	bytes.Add(0xC3);

	var func = this.Write(bytes.ToArray());

	var thread = CreateRemoteThread(this.Process.Handle, IntPtr.Zero, 0, func, IntPtr.Zero, 0, IntPtr.Zero);
	if (thread == IntPtr.Zero)
		throw new Win32Exception();

	WaitForSingleObject(thread, 0xFFFFFFFF);
	CloseHandle(thread);

	Free(func);
	Free(code);
	Free(path);
}

To test the code, I wrote a test application.
It works fine.

Code:

// .text:0000000140001000
// .text:0000000140001000                         arg_0           = qword ptr  8
// .text:0000000140001000                         arg_8           = qword ptr  10h
// .text:0000000140001000                         arg_10          = dword ptr  18h
// .text:0000000140001000
// .text:0000000140001000 44 89 44 24 18                          mov     [rsp+arg_10], r8d
// .text:0000000140001005 48 89 54 24 10                          mov     [rsp+arg_8], rdx
// .text:000000014000100A 48 89 4C 24 08                          mov     [rsp+arg_0], rcx
// .text:000000014000100F 48 83 EC 28                             sub     rsp, 28h
// .text:0000000140001013 4C 8B 44 24 38                          mov     r8, [rsp+28h+arg_8]
// .text:0000000140001018 48 8B 54 24 30                          mov     rdx, [rsp+28h+arg_0]
// .text:000000014000101D 48 8D 0D 94 11 00 00                    lea     rcx, aSSI        ; "%s - %s - %i"
// .text:0000000140001024 FF 15 F6 10 00 00                       call    cs:__imp_printf
// .text:000000014000102A 33 C0                                   xor     eax, eax
// .text:000000014000102C 48 83 C4 28                             add     rsp, 28h
// .text:0000000140001030 C3                                      retn
int FrameScript__ExecuteBuffer(char* src, char* path, int state)
{
    printf("%s - %s - %i", src, path, state);
    return 0;
}

// .text:0000000140001040 48 83 EC 28                             sub     rsp, 20h
// .text:0000000140001044 45 33 C0                                xor     r8d, r8d        ; state
// .text:0000000140001047 48 8D 15 72 11 00 00                    lea     rdx, path       ; "lua.lua"
// .text:000000014000104E 48 8D 0D 73 11 00 00                    lea     rcx, src        ; "print(0);"
// .text:0000000140001055 E8 A6 FF FF FF                          call    ?FrameScript__ExecuteBuffer@@YAHPEAD0H@Z 
// .text:000000014000105A 48 83 C4 28                             add     rsp, 20h
// .text:000000014000105E C3                                      retn
void Call()
{
    FrameScript__ExecuteBuffer("print(0);", "lua.lua", 0);
}

Here is an example call FrameScript__ExecuteBuffer in the Wow-64
Apparently everything is almost identical to my code.

Code:

.text:00000001403B96F0                         sub_1403B96F0   proc near               ; DATA XREF: .data:00000001411E7588o
.text:00000001403B96F0                                                                 ; .pdata:00000001416A68B0o
.text:00000001403B96F0 40 53                                   push    rbx
.text:00000001403B96F2 48 83 EC 20                             sub     rsp, 20h
.text:00000001403B96F6 BA 01 00 00 00                          mov     edx, 1
.text:00000001403B96FB 48 8B D9                                mov     rbx, rcx
.text:00000001403B96FE E8 DD BB D9 FF                          call    sub_1401552E0
.text:00000001403B9703 85 C0                                   test    eax, eax
.text:00000001403B9705 74 27                                   jz      short loc_1403B972E
.text:00000001403B9707 45 33 C0                                xor     r8d, r8d
.text:00000001403B970A 48 8B CB                                mov     rcx, rbx
.text:00000001403B970D 41 8D 50 01                             lea     edx, [r8+1]
.text:00000001403B9711 E8 9A BD D9 FF                          call    sub_1401554B0
.text:00000001403B9716 48 85 C0                                test    rax, rax
.text:00000001403B9719 74 13                                   jz      short loc_1403B972E
.text:00000001403B971B 80 38 00                                cmp     byte ptr [rax], 0
.text:00000001403B971E 74 0E                                   jz      short loc_1403B972E
.text:00000001403B9720 45 33 C0                                xor     r8d, r8d        ; state
.text:00000001403B9723 48 8B D0                                mov     rdx, rax        ; path
.text:00000001403B9726 48 8B C8                                mov     rcx, rax        ; src
.text:00000001403B9729 E8 A2 B0 CC FF                          call    FrameScript__ExecuteBuffer
.text:00000001403B972E
.text:00000001403B972E                         loc_1403B972E:                          ; CODE XREF: sub_1403B96F0+15j
.text:00000001403B972E                                                                 ; sub_1403B96F0+29j ...
.text:00000001403B972E 33 C0                                   xor     eax, eax
.text:00000001403B9730 48 83 C4 20                             add     rsp, 20h
.text:00000001403B9734 5B                                      pop     rbx
.text:00000001403B9735 C3                                      retn
.text:00000001403B9735                         sub_1403B96F0   endp

Please help solve this problem.

[danwins]

Doesn't it need it be called via the main WoW thread? looks to me like your just creating a new thread to call it?

[xalcon]

Doesn't it need it be called via the main WoW thread? looks to me like your just creating a new thread to call it?

yes, just creating a new thread wont work. you need to hook a function which is called by the wow mainthread quite frequently. You could hook DirectX Endscene or Present (depending on the renderer you have set in the wow config), but there are orher functions you can hook too

[Konctantin]

32bit version works fine.

Code:

var asm = string.Format(@"
push 0
push {0}
push {1}
mov eax, {2}
call eax
add esp, 0xC
retn", path, code, func);

var bytecode = Asm.Assemble(asm);
var addr = WriteBytes(bytecode);
var thread = CreateRemoteThread(this.Process.Handle, IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
if (thread == IntPtr.Zero)
	throw new Win32Exception();
WaitForSingleObject(thread, 0xFFFFFFFF);
CloseHandle(thread);

[Sacred]

http://www.ownedcore.com/forums/worl...te-thread.html (64 bit WoW and remote thread)