-
Member
FrameScript_ExecuteBuffer(1.13.6.37497)
0x3A2DA0
-
Member
So how do I use this? Since they added protection, the game crashes every time I try to dostring/loadstring.
-
Member
typedef UINT64(__fastcall *ptrFrameScriptExecute) (const char*, const char*, UINT64);
ptrFrameScriptExecute pFrameScriptExecute = (ptrFrameScriptExecute)(baseaddress + 0x3A2DA0);
try
{
    hResult = pFrameScriptExecute("DoEmote(\"dance\")", "Script", 0);
}
catch (...)
{
}
-
Originally Posted by
Deigo1987
typedef UINT64(__fastcall *ptrFrameScriptExecute) (const char*, const char*, UINT64);
ptrFrameScriptExecute pFrameScriptExecute = (ptrFrameScriptExecute)(baseaddress + 0x3A2DA0);
try
{
    hResult = pFrameScriptExecute("DoEmote(\"dance\")", "Script", 0);
}
catch (...)
{
}
A try/catch gets around the protection? That's funny if true, considering all the fancy stuff I tried to get around it xD
-
Established Member
Originally Posted by
GlittPrizes
A try/catch gets around the protection? That's funny if true, considering all the fancy stuff I tried to get around it xD
Lol same here, did a quick copy and paste, the try/catch doesn't work for me.
-
Originally Posted by
_chase
Lol same here, did a quick copy and paste, the try/catch doesn't work for me.
It's a little more involved than that to make it work. You need to emulate how the old RegisterFunction did its thing and any of the functions used that have the return checks need to be emulated as well or there are some other techniques to route the resulting error function elsewhere.
-
Member
WoW will do an integer div by zero to crash when the return address is wrong. Script_RunScript() will do the FrameScript_Execute before checking the return address. (FrameScript_Execute may also do this. I didn't check.)
Catching the FPE and long jumping back to a safe place seems to work. I know that this is crazy ugly. For linux/wine, here's the code. (I know that I shouldn't be calling printf from within a signal handler.)
I run "JumpOrAscendStart()" four times.
Code:
jmp_buf jmpbuf;

void
handle_fpe(int s, siginfo_t *info, void *param)
{
    printf("sighandler called. fault addr %p\n", info->si_addr);
    longjmp(jmpbuf, 1);
}

void
CRS2(const char *script)
{
    static int once = 0;
    int rv;
    struct sigaction sa;

    if (! once) {
        once = 1;
        memset(&sa, 0, sizeof(sa));
        sa.sa_sigaction = handle_fpe;
        sa.sa_flags = SA_SIGINFO | SA_NODEFER | SA_NOMASK;
        sigaction(SIGFPE, &sa, NULL);
        printf("sighandler installed\n");
    }
    Wlua_pushstring(WLC, script);
    printf("try to run some lua...\n");
    if (setjmp(jmpbuf)) {
        // we're back from the jump.
        printf("run lua done.\n");
        return;
    } else {
        printf("calling runscript\n");
        WScript_RunScript(WLC);
        printf("this shouldn't happen!!\n");
    }
}
Here's the log output. (Base addr is the standard 64-bit base addr.)
Code:
sighandler installed
try to run some lua...
calling runscript
sighandler called. fault addr 0x140426200
run lua done.
try to run some lua...
calling runscript
sighandler called. fault addr 0x140426200
run lua done.
try to run some lua...
calling runscript
sighandler called. fault addr 0x140426200
run lua done.
try to run some lua...
calling runscript
sighandler called. fault addr 0x140426200
run lua done.
Last edited by thateuler; 04-05-2021 at 03:04 PM.
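An added example (not code from the thread or from the game client) showing the defender's side of what the post above describes: a protected entry point that validates its own return address lies inside the executable's text before doing any work. It assumes gcc/clang on Linux with GNU ld's `__executable_start` and `etext` symbols, and it reports and refuses rather than faulting with a divide by zero.

```c
/* Added example, not the client's code: a minimal "is my caller inside
 * the trusted module?" check, the kind of return-address validation the
 * thread talks about. Assumes gcc/clang on Linux/ELF with GNU ld, which
 * provides __executable_start and etext. */
#include <stdint.h>
#include <stdio.h>

extern char __executable_start[];   /* start of this image (GNU ld) */
extern char etext[];                /* end of this image's .text (GNU ld) */

/* Is addr inside this executable's own code section? */
static int addr_in_module_text(const void *addr)
{
    uintptr_t a = (uintptr_t)addr;
    return a >= (uintptr_t)__executable_start && a < (uintptr_t)etext;
}

/* A "protected" entry point: refuse to run unless the return address
 * points back into our own text. noinline so the address examined is
 * really the caller's, not an inlined frame's.
 * Returns 1 if the script was run, 0 if the caller was rejected. */
__attribute__((noinline))
int guarded_execute_buffer(const char *script, const char *name)
{
    const void *ret = __builtin_return_address(0);
    if (!addr_in_module_text(ret)) {
        /* The client described above faults here; we just report. */
        fprintf(stderr, "refused: caller %p is outside module text\n", ret);
        return 0;
    }
    /* Placeholder for the real interpreter call. */
    printf("running %s as %s\n", script, name);
    return 1;
}

int main(void)
{
    /* Called from our own text, so the check passes. */
    return guarded_execute_buffer("print('hi')", "Script") ? 0 : 1;
}
```

A caller reached through an injected stub, a foreign module or a trampoline sits outside `[__executable_start, etext)` and is rejected; a production check would also cover legitimate callers in other trusted modules.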
-
Member
Can be executed with ASM injection
Code:
push rbx
sub rsp, 0xC0
mov rdx, lua
mov rcx, lua
jmp baseAddr+0x3BA108
-
Active Member
Originally Posted by
sanyle
Can be executed with ASM injection
Code:
push rbx
sub rsp, 0xC0
mov rdx, lua
mov rcx, lua
jmp baseAddr+0x3BA108
Sorry, I don't mean to dig up graves, but I'm scratching my head around it, and have searched around using Lua as a keyword. I tried both the C++ and C# methods and am still not able to make it work.
I only know it is a protected function that requires packing the return address and fixing the CRC, but I'm not sure how.
So far I have only managed to find the FrameScriptExecute offset for 46368, which is 0x5978B0; it appears to be the correct one.
Looking at the ASM code, it appears much easier. Does this really work? What is the function at 0x3BA108 (it does not seem to be FrameScript_Execute)? I tried this method using the FrameExecute offset, and the client disappeared without a crash.
If anyone has a detailed solution for wlkc, please kindly tell.
Last edited by tommingc; 11-18-2022 at 11:06 AM.
-
Contributor
They patched this method in recent 10.0 updates. What it was doing was jumping to a call in the game module to execute buffer, this passed the ret check, returned and then simply returned again because it was right at the end of a function, they added an additional ret check to this function so it no longer just returns.
-
Active Member
Originally Posted by
aeo
They patched this method in recent 10.0 updates. What it was doing was jumping to a call in the game module to execute buffer, this passed the ret check, returned and then simply returned again because it was right at the end of a function, they added an additional ret check to this function so it no longer just returns.
Oh no... but thanks for letting me know.
It looks like I will need to dig back into IDA and the debugger for further study...