Can the content of the .rdata field be modified after the DLL is injected?

#1 sanyle (Member)

    Hello friends,
    After carefully reviewing the IDA disassembly, I found the reason why the game crashed after calling ScriptExecuteBuffer. The game detects whether the call comes from 0x1000-0x1F5218C.
    This data is stored in the .rdata segment.
    My question is: is there any way to modify the data inside?
    Or how is this situation usually handled?
    I have read a lot of forum articles and it seems that I haven't found answers to related questions.
    I'm still a novice in this area and don't know much about it.
    Looking forward to any helpful hints or suggestions from everyone. Thanks.

#2 ChrisIsMe (Contributor)
    Pretty sure basically everything you'd want to modify is CRC-checked or scanned by Warden.

#3 sanyle (Member)
    Originally Posted by ChrisIsMe:
    Pretty sure basically everything you'd want to modify is CRC-checked or scanned by Warden.
    Ah. So what kind of method is needed to solve this situation?

#4 doityourself (Elder)
    Originally Posted by ChrisIsMe:
    Pretty sure basically everything you'd want to modify is CRC-checked or scanned by Warden.
    .rdata is not really covered by CRC checks/crashes.

    Originally Posted by sanyle:
    The game detects whether the call comes from 0x1000-0x1F5218C.
    It only checks the .text range.

#5 sanyle (Member)
    Originally Posted by king48488:
    .rdata is not really covered by CRC checks/crashes.
    It only checks the .text range.
    Thanks for the guidance, I will continue trying to solve it.

#6 scimmy (Active Member)
    The problem he's running into is probably trying to change the page permissions of the pages that contain .rdata. SEC_NO_CHANGE prevents you from doing so, unfortunately. You can either go into the kernel to write to those pages instead of relying on usermode APIs, or try an image remapping strategy.
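
    To make the section ranges in posts #1, #4 and #6 concrete, here is an added example (not code from the thread, from the game, or from the Self-Remapping-Code project) that walks a mapped PE header the way either a caller-range check or a remapper has to: it resolves which section an RVA falls in and what protection the loader gives that section. The .text range 0x1000..0x1F5218C is taken from post #1; the section names, the .rdata RVA and size, and the PE32+ optional-header size in the sample image are constructed for the demo. The IMAGE_SCN_* values are the documented PE/COFF section flags, and the header is parsed byte-wise so the example builds on any platform.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Section flags from the PE/COFF specification. */
#define IMAGE_SCN_CNT_CODE             0x00000020u
#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040u
#define IMAGE_SCN_MEM_EXECUTE          0x20000000u
#define IMAGE_SCN_MEM_READ             0x40000000u
#define IMAGE_SCN_MEM_WRITE            0x80000000u

/* Little-endian field accessors: headers are read byte-wise, so no windows.h is needed. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Locate the section table of an image mapped at img: MZ -> e_lfanew -> "PE" -> IMAGE_FILE_HEADER. */
static const uint8_t *section_table(const uint8_t *img, uint16_t *count)
{
    if (rd16(img) != 0x5A4D) return NULL;                     /* "MZ" */
    const uint8_t *nt = img + rd32(img + 0x3C);               /* e_lfanew */
    if (rd32(nt) != 0x00004550) return NULL;                  /* "PE\0\0" */
    *count = rd16(nt + 6);                                    /* FileHeader.NumberOfSections */
    return nt + 24 + rd16(nt + 20);                           /* skip FileHeader.SizeOfOptionalHeader */
}

/* Find the section whose [VirtualAddress, VirtualAddress + VirtualSize) contains rva. */
int pe_find_section(const uint8_t *img, uint32_t rva, char name[9], uint32_t *characteristics)
{
    uint16_t n = 0;
    const uint8_t *sec = section_table(img, &n);
    if (!sec) return 0;
    for (uint16_t i = 0; i < n; i++, sec += 40) {             /* IMAGE_SECTION_HEADER is 40 bytes */
        uint32_t vsize = rd32(sec + 8), va = rd32(sec + 12);
        if (rva >= va && rva - va < vsize) {
            memcpy(name, sec, 8); name[8] = '\0';             /* Name[8] need not be NUL-terminated */
            *characteristics = rd32(sec + 36);
            return 1;
        }
    }
    return 0;
}

/* The shape of the caller check the thread describes: is the RVA inside an executable section? */
int rva_in_code_section(const uint8_t *img, uint32_t rva)
{
    char name[9]; uint32_t ch = 0;
    return pe_find_section(img, rva, name, &ch) && (ch & IMAGE_SCN_MEM_EXECUTE) != 0;
}

/* Does the loader map this RVA writable? .rdata is not, which is why a plain write there faults. */
int rva_mapped_writable(const uint8_t *img, uint32_t rva)
{
    char name[9]; uint32_t ch = 0;
    return pe_find_section(img, rva, name, &ch) && (ch & IMAGE_SCN_MEM_WRITE) != 0;
}

int rva_section_name_is(const uint8_t *img, uint32_t rva, const char *expected)
{
    char name[9]; uint32_t ch = 0;
    return pe_find_section(img, rva, name, &ch) && strcmp(name, expected) == 0;
}

/* Constructed sample: an MZ/PE32+ header with two sections. Only the .text range is from the thread. */
static uint8_t g_img[0x400];
const uint8_t *sample_image(void)
{
    memset(g_img, 0, sizeof g_img);
    wr16(g_img, 0x5A4D);
    wr32(g_img + 0x3C, 0x80);                                  /* e_lfanew */
    uint8_t *nt = g_img + 0x80;
    wr32(nt, 0x00004550);
    wr16(nt + 4, 0x8664);                                      /* Machine = x64 */
    wr16(nt + 6, 2);                                           /* NumberOfSections */
    wr16(nt + 20, 0xF0);                                       /* SizeOfOptionalHeader (PE32+) */
    wr16(nt + 24, 0x20B);                                      /* OptionalHeader.Magic = PE32+ */
    uint8_t *sec = nt + 24 + 0xF0;
    memcpy(sec, ".text\0\0\0", 8);
    wr32(sec + 8, 0x1F5118C);                                  /* VirtualSize: range ends at 0x1F5218C (post #1) */
    wr32(sec + 12, 0x1000);                                    /* VirtualAddress (post #1) */
    wr32(sec + 36, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ);
    sec += 40;
    memcpy(sec, ".rdata\0\0", 8);                              /* constructed RVA and size */
    wr32(sec + 8, 0x100000);
    wr32(sec + 12, 0x1F53000);
    wr32(sec + 36, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ);
    return g_img;
}

int main(void)
{
    const uint8_t *img = sample_image();
    uint32_t probes[] = { 0x1000, 0x1F5218B, 0x1F5218C, 0x1F53010, 0x500 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        char name[9] = "<none>"; uint32_t ch = 0;
        pe_find_section(img, probes[i], name, &ch);
        printf("rva 0x%08X -> %-8s code=%d writable=%d\n", probes[i], name,
               rva_in_code_section(img, probes[i]), rva_mapped_writable(img, probes[i]));
    }
    return 0;
}
```

    The practical consequence for the question in post #1: a page in .rdata is mapped read-only, so writing to it from user mode first needs the page protection changed (NtProtectVirtualMemory / VirtualProtect to a writable protection, then restored). When the image's section object was created with SEC_NO_CHANGE, that protection change is refused, which is the failure scimmy describes; the two alternatives in that post (a kernel-mode write, or remapping the image yourself) exist to get around that refusal, with the detection risk the later posts raise.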

#7 sanyle (Member)
    Originally Posted by scimmy:
    The problem he's running into is probably trying to change the page permissions of the pages that contain .rdata. SEC_NO_CHANGE prevents you from doing so, unfortunately. You can either go into the kernel to write to those pages instead of relying on usermode APIs, or try an image remapping strategy.
    Thank you very much for your guidance, I am indeed stuck on this issue. I am reading and trying GitHub - changeofpace/Self-Remapping-Code: This program remaps its image to prevent the page protection of pages contained in the image from being modified via NtProtectVirtualMemory.
    But the game crashes. I don't understand the reason yet.
    I am still reading the information and learning. Anyway, thank you for your guidance.

#8 aeo (Contributor)
    Remapping will result in a ban if you mess it up. They check.

#9 badusername1234 (Active Member)
    Originally Posted by aeo:
    Remapping will result in a ban if you mess it up. They check.
    Any idea if they make any effort to ban your other/future accounts when they ban you for that? I haven't received a ban before.

#10 doityourself (Elder)
    Originally Posted by aeo:
    Remapping will result in a ban if you mess it up. They check.
    Any kind of remapping will result in a ban once more people are using it.

#11 hjalplos (Member)
    Originally Posted by king48488:
    Any kind of remapping will result in a ban once more people are using it.
    Hi! You seem knowledgeable. To call FrameScriptExecuteBuffer on the current Classic client, is there something special needed beyond setting up a fake return address? I've been trying to make sense of how they implemented the checks but I'm getting nowhere. A tip in the right direction would be nice. PM works too.
    Finding a "gadget" in the right memory region and spoofing a return address doesn't seem to cut it. I checked the instructions after existing calls to this function in IDA and, while I'm not that experienced, it seems they are aligning something right after the call? For example different uses of NOP [rax+00XX] or similar. Am I on to something?

    And what is db 66h, 66h all about? As I understand it, this instruction places a byte at that address?
    Last edited by hjalplos; 12-16-2020 at 08:29 PM.

#12 aeo (Contributor)
    They check for exact bytes at a return address.

#13 sanyle (Member)
    Originally Posted by hjalplos:
    Hi! You seem knowledgeable. To call FrameScriptExecuteBuffer on the current Classic client, is there something special needed beyond setting up a fake return address? I've been trying to make sense of how they implemented the checks but I'm getting nowhere. A tip in the right direction would be nice. PM works too.
    Finding a "gadget" in the right memory region and spoofing a return address doesn't seem to cut it. I checked the instructions after existing calls to this function in IDA and, while I'm not that experienced, it seems they are aligning something right after the call? For example different uses of NOP [rax+00XX] or similar. Am I on to something?

    And what is db 66h, 66h all about? As I understand it, this instruction places a byte at that address?
    I haven't solved it yet, but after tracing it in IDA, I found that it not only checks the address the CALL comes from. It also checks whether the CALL bytes are E8 ?? ?? ?? ??. There is also byte detection for the preceding instructions.

#14 hjalplos (Member)
    Originally Posted by sanyle:
    I haven't solved it yet, but after tracing it in IDA, I found that it not only checks the address the CALL comes from. It also checks whether the CALL bytes are E8 ?? ?? ?? ??. There is also byte detection for the preceding instructions.
    Yeah, and I tried SpoofCalling with an E8 at SpoofedReturnAddr-5. Same crash.

#15 doityourself (Elder)
    Depending on the function you call, there is another check included.
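
    Posts #12 to #15 describe the caller check as more than a range test: exact bytes at the return address, an E8 (call rel32) five bytes before it, and a further check that depends on the callee. The following is an added example, not the game's code and not code anyone posted, showing one check that is consistent with that description and why a lone E8 placed at SpoofedReturnAddr-5 still fails it: the rel32 of that E8 has to land on the function actually being called, so only a genuine call site of that function passes. The .text bytes, offsets and function names are constructed; the 0F 1F 44 00 00 after each call is a standard multi-byte NOP of the NOP [rax+...] kind post #11 noticed, and CALLEE_OFF/OTHER_OFF are hypothetical offsets. Offsets are relative to the start of the .text buffer; a real implementation keys on the image base and section bounds, with the same logic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of validating one return address; CALLER_OK means the caller passes. */
enum caller_verdict { CALLER_OK = 0, CALLER_OUT_OF_TEXT, CALLER_NOT_A_CALL, CALLER_WRONG_TARGET };

/* Validate ret_off, the return address the callee finds at [rsp], against a .text image.
 * Three tests, matching what the posts describe: the address lies inside .text, an E8 opcode
 * sits five bytes before it, and (the part "an E8 somewhere before the spoofed address" misses)
 * the rel32 of that call actually targets the protected function. */
enum caller_verdict check_return_address(const uint8_t *text, uint32_t text_size,
                                         uint32_t ret_off, uint32_t callee_off)
{
    if (ret_off < 5 || ret_off >= text_size) return CALLER_OUT_OF_TEXT;
    const uint8_t *call = text + ret_off - 5;                 /* call rel32 is 5 bytes: E8 xx xx xx xx */
    if (call[0] != 0xE8) return CALLER_NOT_A_CALL;
    uint32_t rel = (uint32_t)call[1] | ((uint32_t)call[2] << 8) |
                   ((uint32_t)call[3] << 16) | ((uint32_t)call[4] << 24);
    if (ret_off + rel != callee_off) return CALLER_WRONG_TARGET;   /* target = next insn + rel32 (mod 2^32) */
    return CALLER_OK;
}

/* Enumerate genuine call sites of callee_off, the only return addresses that pass all three tests.
 * Returns the return address of the first match, or 0 if the function is never called directly. */
uint32_t find_call_site(const uint8_t *text, uint32_t text_size, uint32_t callee_off)
{
    for (uint32_t off = 0; off + 5 <= text_size; off++)
        if (text[off] == 0xE8 && check_return_address(text, text_size, off + 5, callee_off) == CALLER_OK)
            return off + 5;
    return 0;
}

/* Constructed .text image (0x60 bytes, int3 filler) with two direct calls and their targets. */
#define CALLEE_OFF 0x20u     /* hypothetical: the protected function */
#define OTHER_OFF  0x48u     /* hypothetical: some other function with its own call site */
static uint8_t g_text[0x60];

static void emit_call(uint8_t *at, uint32_t from_off, uint32_t target_off)
{
    uint32_t rel = target_off - (from_off + 5);               /* rel32 is relative to the next instruction */
    at[0] = 0xE8;
    for (int i = 0; i < 4; i++) at[1 + i] = (uint8_t)(rel >> (8 * i));
}

const uint8_t *sample_text(void)
{
    static const uint8_t nop5[5] = { 0x0F, 0x1F, 0x44, 0x00, 0x00 };  /* nop dword ptr [rax+rax*1+0] */
    memset(g_text, 0xCC, sizeof g_text);
    emit_call(g_text + 0x10, 0x10, CALLEE_OFF);               /* 0x10: call CALLEE; returns to 0x15 */
    memcpy(g_text + 0x15, nop5, 5);                           /* 0x15: alignment NOP after the call */
    g_text[CALLEE_OFF] = 0xC3;                                /* 0x20: callee body: ret */
    emit_call(g_text + 0x30, 0x30, OTHER_OFF);                /* 0x30: call OTHER; returns to 0x35 */
    memcpy(g_text + 0x35, nop5, 5);
    g_text[OTHER_OFF] = 0xC3;                                 /* 0x48: other function: ret */
    memset(g_text + 0x50, 0x90, 5);                           /* 0x50: plain NOP sled, no E8 before 0x55 */
    return g_text;
}

int main(void)
{
    const uint8_t *t = sample_text();
    static const char *names[] = { "OK", "OUT_OF_TEXT", "NOT_A_CALL", "WRONG_TARGET" };
    uint32_t probes[] = { 0x15, 0x35, 0x55, 0x100 };
    for (size_t i = 0; i < 4; i++)
        printf("ret 0x%03X as caller of CALLEE -> %s\n", probes[i],
               names[check_return_address(t, sizeof g_text, probes[i], CALLEE_OFF)]);
    printf("first genuine call site of CALLEE returns to 0x%02X\n",
           find_call_site(t, sizeof g_text, CALLEE_OFF));
    return 0;
}
```

    Return address 0x35 is instructive: it has a real E8 five bytes before it and sits in .text, exactly the SpoofedReturnAddr-5 setup from post #14, yet it fails because that call goes to OTHER, not CALLEE. On the db 66h, 66h question in post #11: IDA prints operand-size prefix bytes it did not fold into the following instruction that way, and a run of 66 prefixes in front of 0F 1F 84 00 ... is the long multi-byte NOP form used for alignment padding, so it is padding rather than an instruction that stores a byte.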
