Classic Wow - thread hijacking issue

[littlepadawan]

Hello!
I have been long time lurker of these forums and found really inspiring things and good sources from here.
When BC launched I got into botting and making of bots. But unfortunately my interest in wow decreased and thus have not done much with wow in many years.
As such I could not remember my old account so had to create a new one.

Now since classic launched I wanted to try again to make a little bot for myself and see how far I can go.
I got basic things going like moving and reading the object manager.
But now I think I have hit a wall with trying to call Framescript execute buffer using thread hijacking.

Below is my asm that gets injected into wow and then I suspend the main thread and switch the execution into the codecave.
First I store the registers and flags to stack and then set the parameters for execute buffer and call it. After this I restore the state of the registers and flags.
At the end I push the original RIP to the stack and return. The issue is that this works few times and then wow just closes without any error messages.
Sometimes it works 10 times and sometimes only a few times. Is this kind of injection even possible with classic client?
My reversing skills were never really high and now I'm really learning everything again. I can find simple stuff and most offsets but cannot understand what causes the crashes.

Code:

pushfq
push rax
push rcx
push rdx
push rbx
push rbp
push rsi
push rdi
push r8
push r9
push r10
push r11
push r12
push r13
push r14
push r15
sub rsp, 0x28
mov rcx, 0x000001DDB37A0000 // Lua string  -> DoEmote('dance');
mov rdx, 0x000001DDB37A0000 // Lua string  -> DoEmote('dance');
xor r8d, r8d
mov rax, 0x00007FF65E825A70 // Address of Framescript execute buffer  (Not current version of classic, I use older version sandbox)
call rax
add rsp, 0x28
pop r15
pop r14
pop r13
pop r12
pop r11
pop r10
pop r9
pop r8
pop rdi
pop rsi
pop rbp
pop rbx
pop rdx
pop rcx
pop rax
popfq
push dword 4240557796		// Push "lower" part of orginal RIP  
mov dword [rsp+4], 32767 	// Push "upper" part of orginal RIP
retn

Any thoughts would be greatly appreciated!

[doityourself]

Works fine if done right.

[littlepadawan]

Thanks for the reply! I have not had much time to get back into this but at least I now know it is possible.

[littlepadawan]

Works fine if done right.

Thanks again, this was enough for me to find my issue. It was as simple as stack alignment... duh!
Now working like a charm, at least has been working for a while.