Why You Are Smarter Than WoW's Ret Check

  1. #1
    Glitt

    Ret is the key guardian to Azeroth's protection. She always bubble hearths, and places blessings upon Warden to ensure the keys of the kingdom will not fall to the wrong hands.

    This *REDACTED* is not guaranteed to be correct, but it will provide insight into the shenanigans Blizzard started rolling out sometime during Legion. Who knows, maybe they were worried Illidan would be disturbed again.

    Maybe something like this to mess with the stack to alter the return; no need for complex asm.
    Code:
    	if (e->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION)
    	{
    		MessageBoxA(nullptr, "ACCESS VIOLATION", "Error", MB_OK);
    
    		auto return_address = reinterpret_cast<DWORD64*>(e->ContextRecord->Rsp + 0x48);
    
    		*reinterpret_cast<DWORD64*>(return_address + 0x18) = lua_dofile;
    		e->ContextRecord->Rip = lua_pcall_;
    		return EXCEPTION_CONTINUE_EXECUTION;
    	}
    Code:
    {
    		registered = true;
    		auto L = invoke<lua_State*>(lua_state);
    
    		lua_register(L, "C", (lua_CFunction)int3);
    
    		unsigned int errfuncIdx = 0;/* 0 if no handler otherwise lua stack location of the handler  */
    		int64_t v8;
    		int64_t v17;
    
    		if (errfuncIdx)
    		{
    			StkId v9 = L->top;				// getStackTop((__int64)a1, a4);	/* Skipping the call here because it's full of nonsense and only returns L->top */
    			int64_t v7 = L->marked;
    			v8 = (__int64)v9 - v7;	// Likely v7 is zero because why would you locally store the last byte of a stack element?
    		}
    
    		uintptr_t base = (uintptr_t)GetModuleHandle(NULL);
    		luaL_loadstring(L, "JumpOrAscendStart()");
    		invoke<DWORD>(base + 0x2B9c70, (DWORD)L, (unsigned int)(base + 0x2B5C40), (unsigned int)&v17, v17 - v7, v8);	// Yes because truncating everything to x86 makes perfect sense - LOL
    		MessageBoxA(nullptr, "LOL", "Info", MB_OK);
    
    		int64_t v10 = L[5];		// Maybe WoW's L has high/low because this seems wrong
    		int v18 = LUA_MULTRET;
    		v17 = v10 - 24i64 * (errfuncIdx + 1);
    
    		if (errfuncIdx == -1)    // If the handler is the last stack element, so I dunno maybe not even run this chunk
    		{
    			int64_t v14 = L[8];				// Maybe tainted LL
    			uint64_t v15 = L[5];			// Once again must be high/low
    			if (v15 >= *(int64_t*)(v14 + 16))
    				*(int64_t*)(v14 + 16) = v15;
    		}
    }
    Notes: Investigate these findings (part 1 is the return spoof, part 2 is the emulated pcall). Then jump or ascend and see if you can evade the maths value / 0 wink wink. Best of luck adventurer.
    Part 1 is not in tandem with Part 2; it's just to help us figure this out. Ideally you would leave their error handler at 0 and yours at 1 and call Part 2 wrapped nicely in a function with a bad address (-1).
    Last edited by Glitt; 06-26-2023 at 05:07 PM. Reason: base removed
