[WoW DF Patch 10.1] ExecuteBuffer not working using return address bypass menu

  1. #1
    antonburesh (Member)

    [WoW DF Patch 10.1] ExecuteBuffer not working using return address bypass

    Hello everyone!

    Please help me!

    My problem since patch 10.1 is "ExecuteBuffer doesn't work using return address bypass"
    Code:
    ParenthesesAsm("sub rsp, 96", new object[0]); //0x60
    RandomAsmPush("@retn");
    ParenthesesAsm("sub rsp, 72", new object[0]); //0x48
    ParenthesesAsm("mov r8, 0", new object[0]);
    ParenthesesAsm("mov rdx, {0}", new object[] { luaFilePtr });
    ParenthesesAsm("mov rcx, {0}", new object[] { commandPtr });
    RandomAsmPushOrMov(GetAbsolute((IntPtr)Offsets.Globals.ReturnAddress + 0x6F));
    ParenthesesAsm("jmp {0}", new object[] { callPtr }); //FrameScript__ExecuteBuffer
    ParenthesesAsm("@retn:", new object[0]);
    ParenthesesAsm("add rsp, 96", new object[0]); //0x60
    ParenthesesAsm("ret", new object[0]);
    Execute();
    ReturnAddress is the address of the MoveTo function.

    $$$I am ready to generously thank someone who can really help me solve this problem.$$$

  2. #2
    imzz (Active Member)
    The same question.
    The FrameScript__ExecuteBuffer CALL has been confusing.
    I used a DX11 hook; it worked before.
    Code:
    {
    sub rsp, 0x60
    lea rax, [   @Out]
    push rax 
    sub rsp, 0x48
    mov r8, 0
    mov rdx, LuafilePtr
    mov rcx, lusCmdPtr
    mov rax, MoveToAddress+75    //set Current stack pointer?
    push rax                    
    jmp FrameScript_ExecuteBuffer  
      @Out:
    add rsp, 0x60
    ret
    }
    This code was copied a long time ago from someone else's working code.

    I wonder if the stack imbalance is to blame,
    or whether there's a detection code somewhere.
    Does anyone understand how it works?
    I only have a primary-school education and never really learned assembly; I've always just copied other people's ready-made code. This English translation really is bad, nothing I can do about it.

    MoveTo = 0x1CC0AA0,FrameScript__ExecuteBuffer1 = 0x6AFCF0,//10.1.0.49474

    Code:
    00007FF74DFA0AA0 | 40:57                                | push rdi                                                      |//move to
    00007FF74DFA0AA2 | 48:83EC 40                           | sub rsp,40                                                    |
    00007FF74DFA0AA6 | 48:83B9 E8180000 00                  | cmp qword ptr ds:[rcx+18E8],0                                 |
    00007FF74DFA0AAE | 7E 70                                | jle wow.7FF74DFA0B20                                          |
    00007FF74DFA0AB0 | 48:8B81 E8000000                     | mov rax,qword ptr ds:[rcx+E8]                                 |
    00007FF74DFA0AB7 | 48:8B78 38                           | mov rdi,qword ptr ds:[rax+38]                                 |
    00007FF74DFA0ABB | 48:8B07                              | mov rax,qword ptr ds:[rdi]                                    |
    00007FF74DFA0ABE | 48:3905 0388D901                     | cmp qword ptr ds:[7FF74FD392C8],rax                           |
    00007FF74DFA0AC5 | 75 59                                | jne wow.7FF74DFA0B20                                          |
    00007FF74DFA0AC7 | 48:8B47 08                           | mov rax,qword ptr ds:[rdi+8]                                  |
    00007FF74DFA0ACB | 48:3905 FE87D901                     | cmp qword ptr ds:[7FF74FD392D0],rax                           |
    00007FF74DFA0AD2 | 75 4C                                | jne wow.7FF74DFA0B20                                          |
    00007FF74DFA0AD4 | 48:8B05 6D89FD01                     | mov rax,qword ptr ds:[7FF74FF79448]                           |
    00007FF74DFA0ADB | 8378 14 00                           | cmp dword ptr ds:[rax+14],0                                   |
    00007FF74DFA0ADF | 74 3F                                | je wow.7FF74DFA0B20                                           |
    00007FF74DFA0AE1 | F681 C6150000 20                     | test byte ptr ds:[rcx+15C6],20                                |
    00007FF74DFA0AE8 | 75 36                                | jne wow.7FF74DFA0B20                                          |
    00007FF74DFA0AEA | 33C0                                 | xor eax,eax                                                   |
    00007FF74DFA0AEC | 4C:8D4C24 30                         | lea r9,qword ptr ss:[rsp+30]                                  |
    00007FF74DFA0AF1 | 0F57C0                               | xorps xmm0,xmm0                                               |
    00007FF74DFA0AF4 | 48:894424 30                         | mov qword ptr ss:[rsp+30],rax                                 |
    00007FF74DFA0AF9 | F3:0F114424 28                       | movss dword ptr ss:[rsp+28],xmm0                              |
    00007FF74DFA0AFF | 48:895424 20                         | mov qword ptr ss:[rsp+20],rdx                                 |
    00007FF74DFA0B04 | 8D50 05                              | lea edx,qword ptr ds:[rax+5]                                  |
    00007FF74DFA0B07 | 48:894424 38                         | mov qword ptr ss:[rsp+38],rax                                 |
    00007FF74DFA0B0C | 44:8D40 09                           | lea r8d,qword ptr ds:[rax+9]                                  |
    00007FF74DFA0B10 | E8 EB2EFEFF                          | call wow.7FF74DF83A00                                         |
    00007FF74DFA0B15 | 666666:0F1F8400 00000000             | nop word ptr ds:[rax+rax],ax                                  |//push
    00007FF74DFA0B20 | 90                                   | nop                                                           |
    00007FF74DFA0B21 | F6C1 D1                              | test cl,D1                                                    |
    00007FF74DFA0B24 | 73 5A                                | jae wow.7FF74DFA0B80                                          |
    00007FF74DFA0B26 | 80E8 34                              | sub al,34                                                     |
    00007FF74DFA0B29 | 81C5 136B92A9                        | add ebp,A9926B13                                              |
    00007FF74DFA0B2F | 0F8B 9C200000                        | jnp wow.7FF74DFA2BD1                                          |
    00007FF74DFA0B35 | 83C5 20                              | add ebp,20                                                    |
    00007FF74DFA0B38 | C6C3 02                              | mov bl,2                                                      |
    00007FF74DFA0B3B | E8 69910000                          | call wow.7FF74DFA9CA9                                         |
    00007FF74DFA0B40 | C6C3 56                              | mov bl,56                                                     | 56:'V'
    00007FF74DFA0B43 | 81EF 46BFD60B                        | sub edi,BD6BF46                                               |
    00007FF74DFA0B49 | 0F31                                 | rdtsc                                                         |
    00007FF74DFA0B4B | 81C6 B35BFADB                        | add esi,DBFA5BB3                                              |
    00007FF74DFA0B51 | 83C0 FE                              | add eax,FFFFFFFE                                              |
    00007FF74DFA0B54 | 81EB EC320B9E                        | sub ebx,9E0B32EC                                              |
    00007FF74DFA0B5A | 51                                   | push rcx                                                      |
    Looking back at the bleak place I came through, I go home: no wind, no rain, and no sunshine either.

  3. #3
    scizzydo (Contributor)
    This recent release with 10.1 they started doing more heavily aggressive return address checks. My old simple return address spoofer stopped working. Part of their check is the difference between the calling instruction (to get the address of the function it's calling) from the base address and checking its value in a table.

    TLDR: They're more aggressive on the ret checks
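    As an added, illustrative example (not code from this thread or from the game client), here is what a return-address check of the kind scizzydo describes looks like from the defender's side: it verifies that the return address sits immediately after a real `call` to the guarded function and that the call site's RVA appears in a table of known callers. The image bytes, RVAs and table below are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed image (not real game bytes): a fake code region where a
 * legitimate `call rel32` to the guarded function sits at RVA 0x100, a
 * second, unlisted `call` to it sits at RVA 0x180, and the function
 * itself starts at RVA 0x200. Everything else is NOP filler. */
#define IMG_SIZE 0x300
enum { CALLEE_RVA = 0x200, KNOWN_SITE_RVA = 0x100, ROGUE_SITE_RVA = 0x180 };
static uint8_t g_image[IMG_SIZE];

/* Allowlist of call-site RVAs: the "table" the post refers to (constructed). */
static const uint32_t g_known_callsites[] = { KNOWN_SITE_RVA };

static void emit_call(uint32_t site_rva, uint32_t target_rva) {
    /* E8 rel32: target = address of the next instruction + rel32 */
    int32_t rel = (int32_t)(target_rva - (site_rva + 5));
    g_image[site_rva] = 0xE8;
    memcpy(&g_image[site_rva + 1], &rel, sizeof rel);
}

void build_image(void) {
    memset(g_image, 0x90, sizeof g_image);   /* nop filler */
    emit_call(KNOWN_SITE_RVA, CALLEE_RVA);
    emit_call(ROGUE_SITE_RVA, CALLEE_RVA);
    g_image[CALLEE_RVA] = 0xC3;              /* callee body: just ret */
}

/* Returns 1 if ret_rva (return address relative to the image base) is a
 * legitimate return point into callee_rva, 0 otherwise. */
int validate_return_address(uint32_t ret_rva, uint32_t callee_rva) {
    /* 1. Range: must lie inside the image with room for a 5-byte call. */
    if (ret_rva < 5 || ret_rva > IMG_SIZE) return 0;
    uint32_t site = ret_rva - 5;
    /* 2. Bytes: the preceding bytes must decode as E8 rel32 whose target
     *    is the guarded function; an address that merely lies in the
     *    right range but follows no such call fails here. */
    if (g_image[site] != 0xE8) return 0;
    int32_t rel;
    memcpy(&rel, &g_image[site + 1], sizeof rel);
    if ((uint32_t)(ret_rva + rel) != callee_rva) return 0;
    /* 3. Table: the call site's RVA must be a known caller. */
    for (size_t i = 0; i < sizeof g_known_callsites / sizeof *g_known_callsites; i++)
        if (g_known_callsites[i] == site) return 1;
    return 0;
}

int main(void) {
    build_image();
    printf("known site: %d\n", validate_return_address(KNOWN_SITE_RVA + 5, CALLEE_RVA));
    printf("rogue site: %d\n", validate_return_address(ROGUE_SITE_RVA + 5, CALLEE_RVA));
    printf("nop region: %d\n", validate_return_address(0x50, CALLEE_RVA));
    return 0;
}
```

    Only the first call returns 1; the unlisted call site passes the byte check but fails the table lookup, and an address in the NOP region fails the byte check.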

  4. #4
    imzz (Active Member)
    I haven't done WOW for a long time. I have a question. At this stage, do you all have a better way to implement DoString or lua unlock?
    For a beginner hobbyist, DoString solves a lot of problems.

  5. #5
    scizzydo (Contributor)
    Originally Posted by imzz:
    I haven't done WOW for a long time. I have a question. At this stage, do you all have a better way to implement DoString or lua unlock?
    For a beginner hobbyist, DoString solves a lot of problems.
    Yes, just recreate the lua functions yourself (at least that's what I do). I went through and defined the lua_State structure to what WoW's is, along with other supporting ones, and just use that for my own lua_ functions and create my own loadbuffer and pcall which do the same as DoString.

  6. #6
    imzz (Active Member)
    Thank you for your suggestion. @scizzydo

  7. #7
    darheroc (Member)
    Originally Posted by scizzydo:
    Yes, just recreate the lua functions yourself (at least that's what I do). I went through and defined the lua_State structure to what WoW's is, along with other supporting ones, and just use that for my own lua_ functions and create my own loadbuffer and pcall which do the same as DoString.
    This sounds really interesting. Do you run this on a separate thread or by hooking something? Also, suppose I would inject my own lua interpreter and load all C functions in a separate thread. How safe is that concerning bans without any further measures (asking for a friend)?

  8. #8
    Hrap (Member)
    Hi guys, maybe I don't understand something, but why do you need all these DoString and so on? You have the opportunity to read anything from memory and then you can manipulate the read data, imitating the behavior of a real person. In my opinion, everything is simple; in fact you don't even need to write anything to memory or interfere with a third-party process.
    Why do you take the risk, for the sake of cheats?

  9. #9
    darheroc (Member)
    Originally Posted by Hrap:
    Hi guys, maybe I don't understand something, but why do you need all these DoString and so on? You have the opportunity to read anything from memory and then you can manipulate the read data, imitating the behavior of a real person. In my opinion, everything is simple; in fact you don't even need to write anything to memory or interfere with a third-party process.
    Why do you take the risk, for the sake of cheats?
    Only reading from memory is like being blind in one eye. It's fine for a lot of cases and you can write in-game addons to support your bot actions, but it sucks if you want to do more advanced stuff. Take interacting with a unit as an example: you can read the location of the unit from memory and do a camera world-to-screen transformation. Afterwards you use the screen coordinates to click the unit. What if anyone stands in front of the unit and you can't interact by clicking? Another problem is that you rely on keybinds, and clicking only works when the window is in the foreground, so this makes your screen a mutual resource and is a problem if you run multiple bot instances at once or want to use your screen while botting. And yeah, there exist more issues like that.

  10. #10
    Tirthankara (Active Member)
    Originally Posted by darheroc:
    Only reading from memory is like being blind in one eye. It's fine for a lot of cases and you can write in-game addons to support your bot actions, but it sucks if you want to do more advanced stuff. Take interacting with a unit as an example: you can read the location of the unit from memory and do a camera world-to-screen transformation. Afterwards you use the screen coordinates to click the unit. What if anyone stands in front of the unit and you can't interact by clicking? Another problem is that you rely on keybinds, and clicking only works when the window is in the foreground, so this makes your screen a mutual resource and is a problem if you run multiple bot instances at once or want to use your screen while botting. And yeah, there exist more issues like that.

    Totally made-up problems.
    If you can't click on a minimized screen, it doesn't mean it's impossible. In this case, using DoString is extremely unsafe, and smart people have written about it.
    Anything done via DoString can be done differently - it's just another level of knowledge and a bit more work.

  11. #11
    Hrap (Member)
    I agree with those who say 1 bot = one computer. This is not convenient, but it seems to me that it looks more natural and is probably safer, though it's more of my excuse.

  12. #12
    antonburesh (Member)
    Originally Posted by Tirthankara:
    Totally made-up problems.
    If you can't click on a minimized screen, it doesn't mean it's impossible. In this case, using DoString is extremely unsafe, and smart people have written about it.
    Anything done via DoString can be done differently - it's just another level of knowledge and a bit more work.
    How else? Please give an example.

  13. #13
    Tirthankara (Active Member)
    Once, I posted a free fishing bot on this forum, a good bot. The bot was downloaded many times, and everyone was satisfied. However, later on, due to the carelessness of the users, not only was the bot banned, but they also started banning it by the process name (another confirmation that the bot was good). After that, I faced a lot of unpleasant comments and strange accusations that I didn't adequately protect the bot. Even though no one remembered that they were using a FREE bot. After that incident and a conversation with the administration, I have decided never to post anything or share anything here again.
    Sorry

  14. #14
    charles420 (Contributor)
    Just use process hollowing, or bypass the ID check / sig scan, profit. And for using memory reads with a minimized screen, there are a million ways to bypass this; you already have a handle, or if you wanna be a new OG, use a driver and hide it. Mind you, both in-process and out-of-process have their ups and downs that make one better than the other, especially for WoW, unless you go full driver or other god mode. I feel like a pleb writing this; it should be common knowledge by now.

  15. #15
    Glitt (Active Member, CoreCoins Purchaser)
    With some help I'm getting close to circumventing the new ret check system. Before they just checked a range, and now they compare bytes so the check is more specific. The key characteristic though seems to be a while loop that traps you into a divide by zero which can normally just be ripped, but if you're doing external like scizzy talks about you have to do more than just rip the routine's context. I'm hoping tomorrow I'll have this solved... I have a lib in use to check the mnemonics and am planning to patch out the zero divider trap if feasible instead of having to write a bunch of hooks and functions.
