FrameScript_ExecuteBuffer(1.13.6.37497)

  1. #1
    parisye (Member)

    FrameScript_ExecuteBuffer(1.13.6.37497)
    0x3A2DA0
  2. #2
    singed420 (Member)
    So how do you use this? Since they added protection, the game crashes every time I try to dostring/loadstring.

  3. #3
    Deigo1987 (Member)
    typedef UINT64(__fastcall *ptrFrameScriptExecute)(const char*, const char*, UINT64);
    // baseaddress: the game module's base address (as in the original post; not obtained here)
    ptrFrameScriptExecute pFrameScriptExecute = (ptrFrameScriptExecute)(baseaddress + 0x3A2DA0);
    UINT64 hResult = 0;
    try
    {
        // the inner quotes must be escaped inside the C string literal
        hResult = pFrameScriptExecute("DoEmote(\"dance\")", "Script", 0);
    }
    catch (...)
    {
        // catch(...) only handles C++ exceptions, not CPU faults
    }

  4. #4
    GlittPrizes (Active Member)
    Originally Posted by Deigo1987:
    typedef UINT64(__fastcall *ptrFrameScriptExecute)(const char*, const char*, UINT64);
    // baseaddress: the game module's base address (as in the original post; not obtained here)
    ptrFrameScriptExecute pFrameScriptExecute = (ptrFrameScriptExecute)(baseaddress + 0x3A2DA0);
    UINT64 hResult = 0;
    try
    {
        // the inner quotes must be escaped inside the C string literal
        hResult = pFrameScriptExecute("DoEmote(\"dance\")", "Script", 0);
    }
    catch (...)
    {
        // catch(...) only handles C++ exceptions, not CPU faults
    }
    A try/catch gets around the protection? That's funny if true, considering all the fancy stuff I tried to get around it xD

  5. #5
    _chase (Established Member)
    Originally Posted by GlittPrizes:
    A try/catch gets around the protection? That's funny if true, considering all the fancy stuff I tried to get around it xD
    Lol, same here. Did a quick copy and paste; the try/catch doesn't work for me.

  6. #6
    GlittPrizes (Active Member)
    Originally Posted by _chase:
    Lol, same here. Did a quick copy and paste; the try/catch doesn't work for me.
    It's a little more involved than that to make it work. You need to emulate how the old RegisterFunction did its thing and any of the functions used that have the return checks need to be emulated as well or there are some other techniques to route the resulting error function elsewhere.

  7. #7
    thateuler (Member)
    WoW will do an integer div by zero to crash when the return address is wrong. Script_RunScript() will do the FrameScript_Execute before checking the return address. (FrameScript_Execute may also do this; I didn't check.)

    Catching the FPE and long-jumping back to a safe place seems to work. I know that this is crazy ugly. For Linux/Wine, here's the code. (I know that I shouldn't be calling printf from within a signal handler.)

    I run "JumpOrAscendStart()" four times.


    Code:
    #include <setjmp.h>
    #include <signal.h>
    #include <stdio.h>
    #include <string.h>

    // Wlua_pushstring, WLC and WScript_RunScript are the poster's wrappers around the
    // game's lua_pushstring, lua_State and Script_RunScript; they are not defined here.

    jmp_buf jmpbuf;

    void
    handle_fpe(int s, siginfo_t *info, void *param)
    {
        (void)s; (void)param;
        // printf is not async-signal-safe; kept as in the original post.
        printf("sighandler called. fault addr %p\n", info->si_addr);
        // longjmp (unlike siglongjmp) does not restore the signal mask, which is why
        // the handler is installed with SA_NODEFER below.
        longjmp(jmpbuf, 1);
    }

    void
    CRS2(const char *script)
    {
        static int once = 0;
        struct sigaction sa;

        if (!once) {
            once = 1;
            memset(&sa, 0, sizeof(sa));
            sa.sa_sigaction = handle_fpe;
            // SA_NOMASK is the obsolete alias of SA_NODEFER; either one is enough.
            sa.sa_flags = SA_SIGINFO | SA_NODEFER | SA_NOMASK;
            sigaction(SIGFPE, &sa, NULL);
            printf("sighandler installed\n");
        }

        Wlua_pushstring(WLC, script);
        printf("try to run some lua...\n");
        if (setjmp(jmpbuf)) {
            // we're back from the jump.
            printf("run lua done.\n");
            return;
        } else {
            printf("calling runscript\n");
            WScript_RunScript(WLC);
            printf("this shouldn't happen!!\n");
        }
    }

    Here's the log output. (Base addr is the standard 64-bit base addr.)

    Code:
    sighandler installed
    try to run some lua...
    calling runscript
    sighandler called. fault addr 0x140426200
    run lua done.
    try to run some lua...
    calling runscript
    sighandler called. fault addr 0x140426200
    run lua done.
    try to run some lua...
    calling runscript
    sighandler called. fault addr 0x140426200
    run lua done.
    try to run some lua...
    calling runscript
    sighandler called. fault addr 0x140426200
    run lua done.
    Last edited by thateuler; 04-05-2021 at 03:04 PM.

  8. #8
    sanyle (Member)
    Can be executed with ASM injection
    Code:
    push rbx
    sub rsp, 0xC0
    mov rdx, lua
    mov rcx, lua
    jmp baseAddr+0x3BA108

  9. #9
    tommingc (Active Member)
    Originally Posted by sanyle:
    Can be executed with ASM injection
    Code:
    push rbx
    sub rsp, 0xC0
    mov rdx, lua
    mov rcx, lua
    jmp baseAddr+0x3BA108
    Sorry, I don't mean to dig up graves, but I'm scratching my head over it, and have searched around using Lua as a keyword. Tried both C++ and C# methods, still not able to make it work.
    I only know it is a protected function that requires packing the return address and fixing the CRC, but not sure how.
    So far I have only managed to find the FrameScriptExecute offset for 46368, which is 0x5978B0; it appears to be the correct one.

    By looking at the ASM code it appears much easier; does this really work? What is the function at 0x3BA108 (it does not seem to be FrameScript_Execute)? I tried this method using the FrameExecute offset; the client disappeared without a crash.
    If anyone has a detailed solution on wlkc, kindly please tell.
    Last edited by tommingc; 11-18-2022 at 11:06 AM.

  10. #10
    aeo (Contributor)
    They patched this method in recent 10.0 updates. What it was doing was jumping to a call in the game module to execute buffer; this passed the ret check, returned, and then simply returned again because it was right at the end of a function. They added an additional ret check to this function so it no longer just returns.

  11. #11
    tommingc (Active Member)
    Originally Posted by aeo:
    They patched this method in recent 10.0 updates. What it was doing was jumping to a call in the game module to execute buffer; this passed the ret check, returned, and then simply returned again because it was right at the end of a function. They added an additional ret check to this function so it no longer just returns.
    Oh no... but thanks for letting me know.
    It looks like I will need to dig back into IDA and dbg for further study...
