3.3.5a lua dostring crashing

[dencelle]

Can anyone give me a lil help here

using the lua_dostring function from here (Lua_DoString() in C++ w/ CreateRemoteThread/WriteProcessMemory + Security questions)

added a bit and updated the Framescript_ExecuteBuffer for 3.3.5a, i'm assuming its something really obvious, i'm just missing it

Code:

void Lua_DoString(string cmd) {
	unsigned int Framescript_ExecuteBuffer = Mem.GetProcessBaseAddress(Mem.dwProcessID) + 0x00819210;
	void* Handle = Mem.hProcess;
	DWORD func = Framescript_ExecuteBuffer;
	DWORD cbCodeSize = ((PBYTE)after_codeasm - (PBYTE)codeasm);
	//cbCodeSize = 200; //^isn't that the size of the function? why are hard setting it to 200 then?
	INJDATA mydata;
	convertToASCII(cmd, mydata.command);
	mydata.funcptr = func;
	LPVOID pData = VirtualAllocEx(Handle, NULL, sizeof(func), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	LPVOID pLibRemote = VirtualAllocEx(Handle, NULL, cbCodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(Handle, pData, &mydata, sizeof(mydata), NULL);
	WriteProcessMemory(Handle, pLibRemote, &codeasm, cbCodeSize, NULL);
	// writes jmp pLibRemote + 0x62EE
	// jmp pLibRemote + 0x62EE = add [eax],al
	HANDLE hThread = CreateRemoteThread(Handle, NULL, 0, (LPTHREAD_START_ROUTINE)pLibRemote, pData, 0, NULL);
	if (hThread != 0) {
		WaitForSingleObject(hThread, INFINITE);
		CloseHandle(hThread);
		VirtualFreeEx(Handle, pLibRemote, cbCodeSize, MEM_RELEASE);
		VirtualFreeEx(Handle, pData, sizeof(func), MEM_RELEASE);
	}
}

the error i get when i try to run do lua_dostring("print()") is

Code:

The instruction at "0x17F35C6E" referenced memory at "0x17F35C6E".
The memory could not be "written".

i can see why it is breaking but no clue how to fix it.
pLibRemote has a instruction to jmp to pLibRemote + 0x62EE
but where its breaking it pLibRemote + 0x62EE points back at pLibRemote + 0x62EE so its basicly in a forever loop?

[WiNiFiX]

PHP Code:

public void DoString(string command)
{
    if (_wowHook.Installed)
    {
        // Allocate memory
        IntPtr doStringArgCodecave = _wowHook.Memory.AllocateMemory(Encoding.UTF8.GetBytes(command).Length + 1);
        
        // Write value:
        _wowHook.Memory.WriteBytes(doStringArgCodecave, Encoding.UTF8.GetBytes(command));

        // Write the asm stuff for Lua_DoString
        var asm = new[]
        {
            "mov eax, " + doStringArgCodecave,
            "push 0",
            "push eax",
            "push eax",
            "mov eax, " + ( (uint) Offsets.FrameScript__Execute ) , // Lua_DoString
            "call eax",
            "add esp, 0xC",
            "retn"
        };
        
        // Inject
        _wowHook.InjectAndExecute(asm);
        
        // Free memory allocated
        _wowHook.Memory.FreeMemory(doStringArgCodecave);
    }
} 


PHP Code:

public static class Offsets
{
    public static IntPtr g_clientConnection = new IntPtr(0xC79CE0);                 // 3.3.5a 
    public static IntPtr s_curMgrOffset = new IntPtr(0x2ED0);                       // 3.3.5a 
    public static IntPtr FirstObjectOffset = new IntPtr(0xAC);                      // 3.3.5a
    public static IntPtr NextObjectOffset = new IntPtr(0x3C);                       // 3.3.5a

    public static IntPtr PlayerName = new IntPtr(0xC79D18);                         // 3.3.5a

    public static IntPtr TargetGUID = new IntPtr(0xBD07B0);

    public static IntPtr ClntObjMgrGetActivePlayerObj = new IntPtr(0x004038F0);     // 3.3.5a 
    public static IntPtr FrameScript__Execute = new IntPtr(0x819210);               // 3.3.5a 
    public static IntPtr FrameScript__GetLocalizedText = new IntPtr(0x007225E0);    // 3.3.5a
} 


[dencelle]

thanks for the replay but that was all in c#, i'm using c++ and don't have a lib to just inject and execute my asm as easy.... seriously thinking that writing this in c++ was a bad idea... almost no librarys to make this process easier

[miceiken]

WotLK didn't have ASLR enabled

[Corthezz]

Let me google that for you