Can the content of the .rdata field be modified after the DLL is injected?

  1. #1 sanyle (Member)

    Hello friends,
    After carefully reviewing the IDA compilation, I found the reason why the game crashed after calling ScriptExecuteBuffer. The game will detect whether the call is from 0x1000-0x1F5218C.
    This data is stored in the .rdata segment.
    My question is: is there any way to modify the data inside?
    Or how is this situation usually handled?
    I read a lot of forum articles and it seems that I haven't found answers to related questions.
    I'm still a novice in this area, and I don't know much about it.
    Looking forward to any helpful hints or suggestions from everyone. Thanks.


  2. #2 ChrisIsMe (Active Member)
    Pretty sure basically everything you'd want to modify is CRC checked or scanned by warden.

  3. #3 sanyle (Member)
    Originally Posted by ChrisIsMe:
    Pretty sure basically everything you'd want to modify is CRC checked or scanned by warden.
    Ah. So what kind of method is needed to solve this situation?

  4. #4 king48488 (★ Elder ★)
    Originally Posted by ChrisIsMe:
    Pretty sure basically everything you'd want to modify is CRC checked or scanned by warden.
    .rdata is not really covered by crc checks/crashes

    Originally Posted by sanyle:
    The game will detect whether the call is from 0x1000-0x1F5218C.
    It only checks .text range

  5. #5 sanyle (Member)
    Originally Posted by king48488:
    .rdata is not really covered by crc checks/crashes
    It only checks .text range
    Thanks for the guidance, I will continue trying to solve it.

  6. #6 scimmy (Active Member)
    The problem he's running into is probably trying to change the page permissions of the pages that contain .rdata. SEC_NO_CHANGE prevents you from doing so unfortunately. You can either go into the kernel to write to those pages instead of relying on usermode APIs or try an image remapping strategy.

  7. #7 sanyle (Member)
    Originally Posted by scimmy:
    The problem he's running into is probably trying to change the page permissions of the pages that contain .rdata. SEC_NO_CHANGE prevents you from doing so unfortunately. You can either go into the kernel to write to those pages instead of relying on usermode APIs or try an image remapping strategy.
    Thank you very much for your guidance, I am indeed stuck on this issue. I am reading and trying GitHub - changeofpace/Self-Remapping-Code: This program remaps its image to prevent the page protection of pages contained in the image from being modified via NtProtectVirtualMemory.
    But the game will crash. I don't understand the reason yet.
    I am still reading the information and learning. Anyway, thank you for your guidance.

  8. #8 aeo (Contributor, Authenticator enabled)
    remapping will result in a ban if you mess it up. They check.

  9. #9 badusername1234 (Active Member)
    Originally Posted by aeo:
    remapping will result in a ban if you mess it up. They check.
    Any idea if they make any effort to ban your other/future accounts when they ban you for that? I haven't received a ban before.

  10. #10 king48488 (★ Elder ★)
    Originally Posted by aeo:
    remapping will result in a ban if you mess it up. They check.
    Any kind of remapping will result in a ban once more people are using it

  11. #11 hjalplos (Site Donator)
    Originally Posted by king48488:
    Any kind of remapping will result in a ban once more people are using it
    Hi! You seem knowledgeable. To call FramscriptExecuteBuffer on the current Classic client, is there something special needed beyond setting up a fake return address? I've been trying to make sense of how they implemented the checks but I'm getting nowhere. A tip in the right direction would be nice. PM works too.
    Finding a "gadget" in the right memory region and spoofing a return address doesn't seem to cut it. I checked the instructions after existing calls to this function in IDA and I'm not that experienced, but it seems they are aligning something right after the call? For example different uses of NOP [rax+00XX] or similar. Am I on to something?

    And what is db 66h, 66h all about? As I understand this instruction places a byte at that address?
    Last edited by hjalplos; 12-16-2020 at 08:29 PM.

  12. #12 aeo (Contributor, Authenticator enabled)
    They check for exact bytes at a return address.

  13. #13 sanyle (Member)
    Originally Posted by hjalplos:
    Hi! You seem knowledgeable. To call FramscriptExecuteBuffer on the current Classic client, is there something special needed beyond setting up a fake return address? I've been trying to make sense of how they implemented the checks but I'm getting nowhere. A tip in the right direction would be nice. PM works too.
    Finding a "gadget" in the right memory region and spoofing a return address doesn't seem to cut it. I checked the instructions after existing calls to this function in IDA and I'm not that experienced, but it seems they are aligning something right after the call? For example different uses of NOP [rax+00XX] or similar. Am I on to something?

    And what is db 66h, 66h all about? As I understand this instruction places a byte at that address?
    I haven't solved it yet, but after I traced it in IDA, I found that it not only detects the CALL from the address. It will also check whether the CALL byte is E8 ?? ?? ?? ??. There is also byte detection for the previous commands.
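    The return-site validation sanyle describes (the return address must lie inside the module's .text range, and the five bytes before it must be an E8 rel32 CALL) is the kind of caller-integrity check a defender can put on a sensitive function. The following C is an added example written for this thread, not code from the game, from Warden, or from any poster; the "module" is a constructed byte array standing in for a .text section, and the third step (confirming the rel32 actually resolves to the protected function) goes one step beyond what the thread states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not from the thread): a callee-side caller-integrity check.
 * A "module" here is just a byte array standing in for a .text section. */

/* True when p lies inside [text_base, text_base + text_size). */
bool in_text_range(const uint8_t *text_base, size_t text_size, const uint8_t *p)
{
    uintptr_t lo = (uintptr_t)text_base, hi = lo + text_size, q = (uintptr_t)p;
    return q >= lo && q < hi;
}

/* Validate a return address the way the thread describes:
 *   1. ret_addr must be inside the module's .text range;
 *   2. the five bytes before it must be E8 rel32 (a direct CALL);
 *   3. that CALL's rel32 must resolve to the protected function (callee).
 * Step 3 is an extra consistency check beyond what the thread states. */
bool return_site_is_direct_call(const uint8_t *text_base, size_t text_size,
                                const uint8_t *ret_addr, const uint8_t *callee)
{
    if (!in_text_range(text_base, text_size, ret_addr))
        return false;
    if ((uintptr_t)ret_addr - (uintptr_t)text_base < 5)   /* no room for a CALL before it */
        return false;

    const uint8_t *call_site = ret_addr - 5;
    if (call_site[0] != 0xE8)                              /* opcode of CALL rel32 */
        return false;

    int32_t rel;
    memcpy(&rel, call_site + 1, sizeof rel);               /* little-endian rel32 */
    /* CALL rel32 targets (address of the next instruction) + rel32, i.e. ret_addr + rel. */
    uintptr_t target = (uintptr_t)ret_addr + (uintptr_t)(intptr_t)rel;
    return target == (uintptr_t)callee;
}

/* Helper for building sample input: write "CALL callee" (5 bytes) at site. */
void encode_call_rel32(uint8_t *site, const uint8_t *callee)
{
    int32_t rel = (int32_t)((intptr_t)callee - (intptr_t)(site + 5));
    site[0] = 0xE8;
    memcpy(site + 1, &rel, sizeof rel);
}

/* Demonstration on a constructed 64-byte "section".  Returns the number of
 * expectations met (4 when the check behaves as intended):
 *   - a genuine call site passes;
 *   - a return address in range but with no CALL before it fails;
 *   - a return address outside the section fails;
 *   - a genuine CALL that targets a different function fails. */
int demo(void)
{
    uint8_t text[64];
    memset(text, 0x90, sizeof text);                       /* fill with NOPs */
    const uint8_t *callee = text + 40;
    encode_call_rel32(text + 10, callee);                  /* CALL at offset 10, returns to 15 */

    int ok = 0;
    if (return_site_is_direct_call(text, sizeof text, text + 15, callee)) ok++;
    if (!return_site_is_direct_call(text, sizeof text, text + 30, callee)) ok++;
    if (!return_site_is_direct_call(text, sizeof text, text + 100, callee)) ok++;
    if (!return_site_is_direct_call(text, sizeof text, text + 15, text + 41)) ok++;
    return ok;
}
```

    Reading the check this way also makes its reliance on exact bytes explicit, which is what aeo's later remark ("they check for exact bytes at a return address") refers to: anything that changes the bytes around the call site, including the alignment padding hjalplos noticed, changes the outcome of step 2.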

  14. #14 hjalplos (Site Donator)
    Originally Posted by sanyle:
    I haven't solved it yet, but after I traced it in IDA, I found that it not only detects the CALL from the address. It will also check whether the CALL byte is E8 ?? ?? ?? ??. There is also byte detection for the previous commands.
    Yeah, and I tried SpoofCalling with an E8 at SpoofedReturnAddr-5. Same crash.

  15. #15 king48488 (★ Elder ★)
    Originally Posted by hjalplos:
    Yeah, and I tried SpoofCalling with an E8 at SpoofedReturnAddr-5. Same crash.
    Depending on the function you call there is another check included.
