How safe is ExecuteBuffer?

[lgwenOC]

Hi guys,

Long time lurker. Sorry to start with a question.

I wanted to get some opinions on how safe executing LUA using FrameScript_ExecuteBuffer is, at the moment? Particularly on 64bit. I've not had any troubles so far and none of my tools indicate that there is anything to be worried about. But iirc there was a bit of concern earlier in the year.

Any info would be appreciated

thanks

[lolp1]

I wanted to get some opinions on how safe executing LUA using FrameScript_ExecuteBuffer is, at the moment? Particularly on 64bit.

That depends on exactly how you're doing that. I'd say in a private setting that any reasonable use of it is likely pretty safe, but as always nothing is guaranteed.

I've not had any troubles so far and none of my tools indicate that there is anything to be worried about. But iirc there was a bit of concern earlier in the year.

The concern you're referring to is here, I believe:
http://www.ownedcore.com/forums/worl...hod-added.html (New 32-bit Detection Method Added)

Any info would be appreciated

I'm not sure if that check is active or not still, but if it is as the thread says most tools would likely still be safe due to the call stack check did not go back very far, likely due to limitations preventing them to dependably check further back than they did, I would say.

Regardless, here is some solid information in general for tips on avoiding detection via call stack checks by Darawk:
Blizzhackers ? View topic - warden thread

[Travelformed]

>>Not far back
is far enough to detect that endscene hook is not in .text

[DarkLinux]

Ya its a tricky one. Could just create a code cave inside the image and when calling create your own stack. Then if they try to read farther up the stack it should crash and if they check the return address its in the .text section of the game. But they could always check the return address and cmp it to a white list on the server. Or do direct calls to NtReadVirtualMemory... You cant really win.