BFA retail -- WriteProcessMemory from injected dll fails menu

  1. #1 noctural (Active Member, joined Apr 2009)

    BFA retail -- WriteProcessMemory from injected dll fails

    My wife is trying to get me back in this game -- but I can't imagine playing without my lua unlocker.. needing a little nudge in the right direction.

    Thus far I've been able to --

    Load WoW image in Ida pro.
    Find the relative addr of function I'd like to patch to return 1
    Inject dll via Manual Mapping
    Injected dll fails to patch relativeaddr+baseimage via WriteProcessMemory inside DllMain -- writing the bytes 0xb8,0x01,0x00,0x00,0x00,0xc3 (mov eax, 1; ret)

    Any help is greatly appreciated!

    Code:
    #include <windows.h>
    #include <fstream>
    #include <sstream>

    using std::endl;

    // Poster's own helper, defined elsewhere in the project and not shown here;
    // assumed signature: returns the image base of the process with the given id.
    DWORD_PTR GetProcessBaseAddress(DWORD id);

    const DWORD_PTR offset = 0x1332980; // RVA of the function to patch, taken from IDA

    void patch()
    {
        auto id = GetCurrentProcessId();
        auto baseAddr = GetProcessBaseAddress(id);
        auto funcAddr = baseAddr + offset;

        // log the addresses
        std::stringstream sstream;
        sstream << std::hex << baseAddr;
        auto baseAddrStr = sstream.str();

        std::stringstream sstream2;
        sstream2 << std::hex << funcAddr;
        auto funcAddrStr = sstream2.str();

        std::ofstream log;
        log.open("patchProc.log");
        log << "Image Base: 0x" << baseAddrStr << endl;
        log << "Function Addr: 0x" << funcAddrStr << endl;

        auto* processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, id);
        if (processHandle) {
            BYTE patchBytes[] = { 0xb8, 0x01, 0x00, 0x00, 0x00, 0xc3 }; // mov eax, 1; ret

            // This is the call that returns FALSE (the failure discussed in this thread).
            if (WriteProcessMemory(processHandle, reinterpret_cast<void*>(funcAddr), patchBytes, sizeof patchBytes, nullptr)) {
                log << "Wrote process memory successfully!" << endl;
            }
            else {
                log << "Unable to write process memory. Returned false." << endl;
            }
            CloseHandle(processHandle);
        }

        log.close();
    }

    BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
    {
        switch (ul_reason_for_call)
        {
        case DLL_PROCESS_ATTACH:
            patch();
            break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
        default:
            break;
        }
        return TRUE;
    }


  2. #2 zys924 (Active Member, joined Nov 2009)
    After 3 years, how dare someone still directly patch the main WoW module lol! Check its protection and you will find an amazing RX.

    Read the grave post about the new protection and obfuscation from 7.3.

  3. #3 namreeb (Elite User, joined Sep 2008)
    I assume this is because you're writing to the remapped part of memory which has SEC_NO_CHANGE enabled. WriteProcessMemory() calls VirtualProtect/Ex internally (only sometimes, though presently will do so in this case). That will fail with SEC_NO_CHANGE memory. You can verify that this is the problem by trying VirtualProtectEx() yourself on that memory to grant yourself write permissions and observe that it will fail. You can write to memory by searching for where it lives in the virtual address space in a writable fashion. Note however that there are periodic CRC checks such that if you adjust the contents of a monitored part of the .text section, you will be disconnected.

  4. #4 Hazzbazzy (joined Aug 2011)
    Originally Posted by namreeb:
        I assume this is because you're writing to the remapped part of memory which has SEC_NO_CHANGE enabled. WriteProcessMemory() calls VirtualProtect/Ex internally (only sometimes, though presently will do so in this case). That will fail with SEC_NO_CHANGE memory. You can verify that this is the problem by trying VirtualProtectEx() yourself on that memory to grant yourself write permissions and observe that it will fail. You can write to memory by searching for where it lives in the virtual address space in a writable fashion. Note however that there are periodic CRC checks such that if you adjust the contents of a monitored part of the .text section, you will be disconnected.
    Correct. The initial rights on the .text section exclude WRITE, and CRCs will check for modification on these rights. Of course this can be circumvented, but even this is detected through other means.
    "HOLY TIME MACHINE BATMAN! it's 1973!"
    https://youtube.com/Hazzbazzy
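    The two replies above describe the defensive side of the problem: the code pages are mapped execute-read, and a periodic checksum over the .text section catches any in-place patch such as the mov eax, 1; ret bytes from the first post. The block below is an added example written for this thread, not code from any poster or from the game's own protection, and it shows how such an integrity monitor works: a baseline CRC-32 is taken over a code region, the region is then overwritten with the patch bytes from the first post, and the re-check reports the modification. The region is a constructed byte array standing in for a few bytes of a .text section, and CRC-32 is an assumption (the thread only says "CRC checks" without naming the algorithm). On Windows the added main() also prints the page protection of the running module's own code page via VirtualQuery, which is the check zys924 suggests.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Standard reflected CRC-32 (polynomial 0xEDB88320), table built on first use.
   Assumption: the protection described in the thread uses a checksum of this kind. */
static uint32_t crc_table[256];
static int crc_table_ready = 0;

static void crc32_init(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[i] = c;
    }
    crc_table_ready = 1;
}

uint32_t crc32(const uint8_t *data, size_t len)
{
    if (!crc_table_ready) crc32_init();
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++)
        c = crc_table[(c ^ data[i]) & 0xFF] ^ (c >> 8);
    return c ^ 0xFFFFFFFFu;
}

/* A monitored region: start, length and the checksum recorded at baseline time. */
typedef struct {
    const uint8_t *start;
    size_t len;
    uint32_t baseline;
} monitored_region;

monitored_region monitor_region(const uint8_t *start, size_t len)
{
    monitored_region r = { start, len, crc32(start, len) };
    return r;
}

/* Returns 1 while the region still matches its baseline, 0 once it was modified. */
int region_intact(const monitored_region *r)
{
    return crc32(r->start, r->len) == r->baseline;
}

/* Constructed stand-in for a few bytes of a .text section (not real game code):
   push rbp; mov rbp,rsp; xor eax,eax; pop rbp; ret */
static const uint8_t original_text[] = { 0x55, 0x48, 0x89, 0xE5, 0x31, 0xC0, 0x5D, 0xC3 };
static uint8_t fake_text[sizeof original_text];

/* Apply the thread's patch bytes (mov eax,1; ret) to the monitored stand-in and
   report whether the periodic re-check catches it. Returns 1 when detected. */
int demo_patch_detected(void)
{
    memcpy(fake_text, original_text, sizeof original_text);
    monitored_region r = monitor_region(fake_text, sizeof fake_text);
    if (!region_intact(&r)) return -1;          /* baseline must verify against itself */

    const uint8_t patch[] = { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 };
    memcpy(fake_text, patch, sizeof patch);     /* the in-place write from post #1 */

    return !region_intact(&r);                  /* 1: checksum mismatch, patch detected */
}

#ifdef _WIN32
/* Page protection covering an address in this module. The thread's point is that
   the game's .text reports PAGE_EXECUTE_READ, so a plain write is refused. */
DWORD protection_of(const void *addr)
{
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery(addr, &mbi, sizeof mbi) == 0) return 0;
    return mbi.Protect;
}
#endif

int main(void)
{
    printf("patch detected by CRC re-check: %d\n", demo_patch_detected());
#ifdef _WIN32
    DWORD p = protection_of((const void *)(uintptr_t)&crc32);
    printf("protection of this module's code page: 0x%lx (PAGE_EXECUTE_READ is 0x%x)\n",
           (unsigned long)p, (unsigned)PAGE_EXECUTE_READ);
#endif
    return 0;
}
```

    A real monitor would take baselines over the whole section (or over ranges chosen at random) and re-check on a timer, which is why the replies treat any write into monitored .text as something that leads to a disconnect rather than a silent success.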

  5. #5 noctural (Active Member, joined Apr 2009)
    Well shit. So long story short -- is it not really feasible for a beginner to unlock lua?

    Does anyone know if the offset 0x1332980 is currently CRC monitored in virtual address space? I.e. I should continue down the path of patching bytes vs some other method?

    Thanks for your comments!

  6. #6 aeo (Contributor, joined Apr 2007)
    If it was ever used prior to these changes to unlock Lua, you can pretty much be 100% sure they are CRC'ing it.
