Lua Do String

[qjlex]

This is my method for inject lua, but it is does not work for me.
Please me need your help.

Code:

public static object Lua_DoString(string Lua)
        {
            uint dwAddress = BotContro1l.mem.AllocateMemory(0x4096);
            BotContro1l.mem.WriteASCIIString(dwAddress + ((uint)0x200L), Lua);
            BotContro1l.mem.Asm.Clear();
            BotContro1l.mem.Asm.AddLine("mov EDX, [0x01132F60]");
            BotContro1l.mem.Asm.AddLine("mov EDX, [EDX+0x2C24]");
            BotContro1l.mem.Asm.AddLine("FS mov EAX, [0x2C]");
            BotContro1l.mem.Asm.AddLine("mov EAX, [EAX]");
            BotContro1l.mem.Asm.AddLine("add EAX, 0x10");
            BotContro1l.mem.Asm.AddLine("mov [EAX], EDX");
            BotContro1l.mem.Asm.AddLine("push {0}", new object[] { 0 });
            BotContro1l.mem.Asm.AddLine("mov eax, {0}", new object[] { dwAddress + 0x200L });
            BotContro1l.mem.Asm.AddLine("push eax");
            BotContro1l.mem.Asm.AddLine("push eax");
            BotContro1l.mem.Asm.AddLine("call {0}", new object[] { "0x7CE840" });
            BotContro1l.mem.Asm.AddLine("add esp, 0xC");
            BotContro1l.mem.Asm.AddLine("retn");
            BotContro1l.mem.SuspendThread(BotContro1l.wowmainthread);
            BotContro1l.mem.Asm.InjectAndExecute(dwAddress);
            BotContro1l.mem.FreeMemory(dwAddress);
            BotContro1l.mem.ResumeThread(BotContro1l.wowmainthread);
            return 0;
        }

[Nesox]

Quote:

Originally Posted by qjlex

This is my method for inject lua, but it is does not work for me.
Please me need your help.

Here you go mate

[Only registered and activated users can see links. ]

[MaiN]

How much C# do you know?
Just skimming over your code, I noticed a few major flaws.
First hint, try checking what ToString returns from an object array.

[maclone]

Quote:

Originally Posted by Nesox

Here you go mate

[Only registered and activated users can see links. ]

Nah, search doesn't work (atleast for me right now). It doesn't show any threads older than 2 weeks.

[qjlex]

This is my method for inject Lua in WoW, but
pops Lua error:

Code:

Message: [string "self:SetCamera(0);"]:1: attempt to index global 'self' (a nil value)
Time: 10/04/09 19:52:05
Count: 5
Stack: [string "Interface\FrameXML\BasicControls.xml:<Scrip..."]:18: in function <[string "Interface\FrameXML\BasicControls.xml:<Scrip..."]:4>
[C]: ?
[string "self:SetCamera(0);"]:1: in main chunk

Locals: (*temporary) = nil
(*temporary) = nil
(*temporary) = nil
(*temporary) = "attempt to index global 'self' (a nil value)"

Code:

public static void Lua_DoString(string Lua)
        {

            uint dwAddress = BotContro1l.mem.AllocateMemory(0x4096);
            BotContro1l.mem.WriteASCIIString(dwAddress + ((uint)0x200L), Lua);

            BotContro1l.mem.Asm.Clear();
            BotContro1l.mem.Asm.AddLine("mov EDX, [0x012705B0]");
            BotContro1l.mem.Asm.AddLine("mov EDX, [EDX+0x2D94]");
            BotContro1l.mem.Asm.AddLine("FS mov EAX, [0x2C]");
            BotContro1l.mem.Asm.AddLine("mov EAX, [EAX]");
            BotContro1l.mem.Asm.AddLine("add EAX, 0x10");
            BotContro1l.mem.Asm.AddLine("mov [EAX], EDX");
            BotContro1l.mem.Asm.AddLine("push {0}", new object[] { 0 });
            BotContro1l.mem.Asm.AddLine("mov eax, {0}", new object[] { dwAddress + 0x200L });
            BotContro1l.mem.Asm.AddLine("push eax");
            BotContro1l.mem.Asm.AddLine("push eax");
            BotContro1l.mem.Asm.AddLine("call {0}", new object[] { "0x007CF6B0" });
            BotContro1l.mem.Asm.AddLine("add esp, 0xC");
            BotContro1l.mem.Asm.AddLine("retn");
            BotContro1l.mem.SuspendThread(BotContro1l.wowmainthread);
            BotContro1l.mem.Asm.InjectAndExecute(dwAddress);
            BotContro1l.mem.FreeMemory(dwAddress);
            BotContro1l.mem.ResumeThread(BotContro1l.wowmainthread);
        }

I can not understand where the error in my code.

[Robske]

Quote:

Originally Posted by MaiN

How much C# do you know?
Just skimming over your code, I noticed a few major flaws.
First hint, try checking what ToString returns from an object array.

It's copypasta, the new object[] { 0 } gives it away. I've seen it pop up in multiple threads already...

[MaiN]

Yeah, but that was my bad. I think one of the overloads takes an object array as parameter.

[lanman92]

You really should deallocate that 4kb of memory after you're done with it. Also the TLS offset is 0x8 now. Change the "add eax, 0x10" to "add eax, 0x8". And don't use an array of objects for all you're parameters. Just putting the value in works fine, and I think it has better performance(not sure though). Your address that you're trying to call is a string? That probably won't work. It should be an IntPtr or uint.

[qjlex]

I changed my method. Here's a working version for me, but don't work Russian text.

Code:

 public static void Lua_DoString(string luaString)
        {
            uint cave = 0;
            try
            {
                while (BotContro1l.mem.ReadInt((uint)0x0133D5B0) != 0)
                {
                    Thread.Sleep(0);
                }
                BotContro1l.mem.SuspendThread(BotContro1l.wowmainthread);

                cave = BotContro1l.mem.AllocateMemory(0x2048);
                BotContro1l.mem.WriteASCIIString(cave + 0x1024, luaString);

                BotContro1l.mem.Asm.Clear();

                BotContro1l.mem.Asm.AddLine("mov EDX, [0x012705B0]");
                BotContro1l.mem.Asm.AddLine("mov EDX, [EDX+0x00002D94]");

                BotContro1l.mem.Asm.AddLine("FS mov EAX, [0x2C]");
                BotContro1l.mem.Asm.AddLine("mov EAX, [EAX]");
                BotContro1l.mem.Asm.AddLine("add EAX, 8");
                BotContro1l.mem.Asm.AddLine("mov [EAX], edx");

                BotContro1l.mem.Asm.AddLine("push 0");
                BotContro1l.mem.Asm.AddLine("mov eax, " + (cave + 0x1024));
                BotContro1l.mem.Asm.AddLine("push eax");
                BotContro1l.mem.Asm.AddLine("push eax");
                BotContro1l.mem.Asm.AddLine("call 0x007CF6B0");
                BotContro1l.mem.Asm.AddLine("add esp, 0xC");
                BotContro1l.mem.Asm.AddLine("retn");

                BotContro1l.mem.Asm.InjectAndExecute(cave);
                BotContro1l.mem.ResumeThread(BotContro1l.wowmainthread);

                BotContro1l.mem.FreeMemory(cave);
                BotContro1l.mem.Asm.Clear();
            }
            catch
            {
                BotContro1l.mem.ResumeThread(BotContro1l.wowmainthread);
                BotContro1l.mem.FreeMemory(cave);
                BotContro1l.mem.Asm.Clear();
            }
        }

[MaiN]

Holy crap that's ugly.
Why the hell do you use a codecave that's 0x2048 big and then use only from 0x1024 of it?
Also, learn to use
try {} finally {}
Also for russian text I think you need to write it in unicode.

[flo8464]

Quote:

Originally Posted by MaiN

Also for russian text I think you need to write it in unicode.

Afaik lua functions have ASCII-Support only? I am using Lua in some of my apps and I failed to add Unicode-support.

Can anyone enlighten me how to make lua work with unicode files?

[qjlex]

How I can get Reply resulting LuaDoString?

[furang]

And here's my Lua_DoString function based on the above code

Code:

int Lua_DoString(char *luastr)
{
		int res;
		do
		{
			ReadProcessMemory( hProc, (LPVOID)(0x0133D5B0), (LPVOID)&res, sizeof(res), NULL );
		}
		while (res!=0);
		DWORD strmem;
		DWORD codemem;
		char shellcode[]=
		"\x8B\x15\xB0\x05\x27\x01\x8B\x92\x94\x2D\x00\x00"//MOV EDX,DWORD PTR DS:[12705B0], MOV EDX,DWORD PTR DS:[EDX+2D94]
		"\xA1\x2C\x00\x00\x00\x8B\x00\x83\xC0\x08"//MOV EAX,DWORD PTR DS:[2C],MOV EAX,DWORD PTR DS:[EAX],ADD EAX,8
		"\x89\x10\x6A\x00\xB8\x78\x56\x34\x12"//MOV DWORD PTR DS:[EAX],EDX,PUSH 0,MOV EAX,12345678 - luastr addr
		"\x50\x50\xFF\x15\xB0\xF6\x7C\x00\x83\xC4\x0C"//PUSH EAX,PUSH EAX,CALL 007CF6B0,ADD ESP,0C
		"\xC3";//retn
		SuspendThread(mThread);
		strmem=(DWORD)VirtualAllocEx(hProc,NULL,1024,MEM_COMMIT,PAGE_READWRITE);
		if (strmem==NULL)
		ShowMessage("Can't allocate memory");
		WriteProcessMemory(hProc, (LPVOID)(strmem),(LPVOID)&luastr[0],100,NULL);
				
		codemem=(DWORD)VirtualAllocEx(hProc,NULL,1024,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
		if (codemem==NULL)
		ShowMessage("Can't allocate memory");

		WriteProcessMemory(hProc, (LPVOID)(codemem),&shellcode[0],sizeof(shellcode),NULL);
		WriteProcessMemory(hProc, (LPVOID)(codemem+27),&strmem,4,NULL);
		
		CreateRemoteThread(hProc,NULL,0,(PTHREAD_START_ROUTINE)codemem,NULL,0,NULL);
		
		ResumeThread(mThread);
		if(!VirtualFreeEx(hProc,(LPVOID)strmem,NULL,MEM_RELEASE)) ShowMessage ("Can't free memory");
		if(!VirtualFreeEx(hProc,(LPVOID)codemem,NULL,MEM_RELEASE)) ShowMessage ("Can't free memory");
		
		return 0;
}

Does anyone have any idea why it crashes wow (Err 132)?
I tried it so and so, but the result is the same.
Am i doing anything wrong? Or maybe made a mess of shellcode?
PS. I know it's ugly and disgusting, but it can work.... i believe)

[lanman92]

If you're using C++, is there ANY reason to be out of process? Anyway, I would say make an inline function and put an asm block in it. Much nicer. Then you can just copy the bytes out of that function into the process and execute it. I don't really see any problem with that asm, but you never know when it's in shellcode...

[furang]

I want as less intrusion, as it's possible. Maybe some day i inject dll...
You mean make an inline asm part? it'd be better, but how should i write it to other process? And shellcode is more suitable ait. I checked memstr addr is written at codestr+27 rewriting 12345678 ( MOV EAX,12345678). So it seems to be alright. But it's not(
Gonna try SEH.