
Arbitrary bytecode execution

04-26-2009, 07:42 PM#1
Vexorian
As I've been reading: http://www.thehelper.net/forums/showthread.php?t=125339

It is possible to "run" bytecode dynamically. It almost sounds like a dream come true; however, it is limited and apparently not working everywhere.

The basic idea is that, as we all know, you can use a cast from integer to code to skip to arbitrary places in the bytecode. However, what's new to me is that you can apparently use this trick to move to the pseudo memory address of a JASS array, and whatever bytecode is hidden there will be executed:

JASS:

set bj_meleeTwinkedHeroes[1024] = 0x90909090
set bj_meleeTwinkedHeroes[1025] = 0x90909090 //and other bytecode gibberish.
...

local code C = I2Code( code2I(function GetRandomDirectionDeg) + 0xC92D8 )

call TriggerAddAction(t, C)
call TriggerExecute(t)

//It will run whatever bytecode 90 90 90 90 means


So, does anyone know enough about JASS bytecode to answer this question:
What's the average size of a map's compiled bytecode? - This is very important for me to know...
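A defender's view of the pattern described in the post above: anyone hosting or reviewing third-party maps would want to flag scripts that embed the two ingredients named there (a run of array stores holding opaque hex literals, and an integer-to-code cast adjusted by a numeric offset) before deciding whether to load the map. The scanner below is an added example, not code from this thread or from Vexorian; the helper names I2Code/code2I are taken from the post and are assumed to be map-defined functions rather than natives, the three-store threshold is an assumption, and the sample script is constructed from the snippet above.

```python
"""Heuristic scanner for JASS map scripts (added example, not from the thread).

Flags two things a reviewer would want to see before loading a map:
  * "int-code-cast" / "cast-with-offset": a call to I2Code/code2I, the latter
    when the argument is adjusted by a literal offset (e.g. "+ 0xC92D8");
  * "hex-array-run": several consecutive array stores of hex literals, which
    is what embedded bytecode looks like in source form.
Helper names are taken from the post and assumed to be map-defined; the
run-length threshold is an assumption.
"""
import re
from typing import List, Optional, Tuple

# Cast helper names as written in the thread (assumed user-defined, not natives).
CAST_RE = re.compile(r"\b(I2Code|code2I)\s*\(", re.IGNORECASE)
# A literal offset applied somewhere on the same line, e.g. "+ 0xC92D8" or "- 12".
OFFSET_RE = re.compile(r"[+\-]\s*(?:0x[0-9A-Fa-f]+|\d+)")
# "set name[123] = 0xDEADBEEF" style array stores of hex literals.
HEX_STORE_RE = re.compile(r"^\s*set\s+[A-Za-z_]\w*\s*\[\s*\d+\s*\]\s*=\s*0x[0-9A-Fa-f]+\s*$")

Finding = Tuple[int, str, str]  # (line number, rule id, detail)


def scan_jass(source: str, min_run: int = 3) -> List[Finding]:
    """Return findings sorted by line number.

    min_run is how many consecutive hex array stores are needed before a
    'hex-array-run' finding is raised (assumed threshold)."""
    findings: List[Finding] = []
    run_start: Optional[int] = None
    lines = source.splitlines()

    def close_run(end_exclusive: int) -> None:
        # Emit a finding for the run that ended just before end_exclusive, if long enough.
        nonlocal run_start
        if run_start is not None and end_exclusive - run_start >= min_run:
            findings.append((run_start, "hex-array-run",
                             f"{end_exclusive - run_start} consecutive hex array stores"))
        run_start = None

    for lineno, raw in enumerate(lines, start=1):
        code = raw.split("//", 1)[0]  # JASS line comments start with //
        if CAST_RE.search(code):
            rule = "cast-with-offset" if OFFSET_RE.search(code) else "int-code-cast"
            findings.append((lineno, rule, code.strip()))
        if HEX_STORE_RE.match(code):
            if run_start is None:
                run_start = lineno
        else:
            close_run(lineno)
    close_run(len(lines) + 1)  # flush a run that reaches end of file
    return sorted(findings)


# Constructed sample script modelled on the snippet in the post (not a real map).
SAMPLE = """function main takes nothing returns nothing
    local trigger t = CreateTrigger()
    local code C
    set bj_meleeTwinkedHeroes[1024] = 0x90909090
    set bj_meleeTwinkedHeroes[1025] = 0x90909090 // constructed filler
    set bj_meleeTwinkedHeroes[1026] = 0x90909090
    set C = I2Code( code2I(function GetRandomDirectionDeg) + 0xC92D8 )
    call TriggerAddAction(t, C)
    call TriggerExecute(t)
    set udg_count = udg_count + 1
endfunction
"""

if __name__ == "__main__":
    for lineno, rule, detail in scan_jass(SAMPLE):
        print(f"line {lineno}: {rule}: {detail}")
```

The two rules are deliberately independent: a lone I2Code call is common in ordinary maps and is reported at low severity, while the combination of an offset cast and a hex run in the same script is what a reviewer would actually escalate. Ordinary arithmetic such as `udg_count + 1` on the last sample line is not reported because no cast appears on that line.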
04-26-2009, 07:56 PM#2
akolyt0r
sounds like:
crash crash crash
04-26-2009, 08:02 PM#3
Vexorian
Quote:
So, does anyone know enough about jass byte code to answer this question:
What's on average the size a map's compiled bytecode takes? - This is very important to know for me...
Maybe not that important, maybe it is possible to use more arrays if I plan my jumps correctly.

Well, could use an array for each group of functions, hmnn.

akolyt0r: Imagine a world in which the optimizer compiled a map's script into something like:

JASS:
function main takes nothing returns nothing
set t = CreateTrigger()
call TriggerAddAction(t, i2code(0x00929217) )
a[0]=0x45623512
a[1]=0x34562323
a[2]=0x62329301
...
//other thousand lines of this
...
b[0]=0x12312333
endfunction
04-26-2009, 09:00 PM#4
Anitarf
Would that make the code faster? I mean, if JASS compiles to this bytecode anyway then wouldn't it be the same?
04-26-2009, 09:04 PM#5
Vexorian
It hopefully is the same. Most likely it is slower during map init because of the assignments and the trigger execute.

But the thing is that the bytecode will be all the code available to the public. Also, bytecode is more flexible: it is possible to run function variables without TriggerEvaluate if you control the bytecode...
04-26-2009, 09:12 PM#6
Anitarf
Quote:
Originally Posted by Vexorian
But the thing is that the bytecode will be all the code available to the public.
Didn't you always say the optimizer wasn't about map "protection", but about map optimization? :) This seems like mostly an obfuscation tool.

Not that I'd mind having better map protection available...
04-26-2009, 10:24 PM#7
Toadcop
©Crock - all credits go to him.

well... this guy is a full idiot (TheDamien) cause he didn't know what he has done...
every time human fails... //anura > all

What am I talking about? Well, watch this... and remember this

well now w8 for a new patch ^_^ and don't play public games...
Attached Files
File type: w3mitest.w3m (87.9 KB)
04-26-2009, 10:32 PM#8
Vexorian
Quote:
Originally Posted by Anitarf
Didn't you always say the optimizer wasn't about map "protection", but about map optimization? :) This seems like mostly an obfuscation tool.

Not that I'd mind having better map protection available...
Something I can't predict is whether the new code would be shorter or longer than the original one.

Err, TC, but how would you manage to inject the code to run these things from a single player? You cannot modify an array or the JASS code that runs it... I have never seen people attach a code address to gamecache, so this sounds very unlikely at best...
04-26-2009, 10:34 PM#9
Vexorian
Ouch just saw the map

Blizz sucks horribly.

What's the point of having a VM if you are going to allow all those sorts of things to be run from it?
What's worse is that this dumb vulnerability in the Jass VM is going to force blizz to fix this hack to run bytecode stuff, that sucks :(

I don't get why you linked to the gc exploit thread, this is a much different and terribly strong exploit...
04-26-2009, 10:48 PM#10
Toadcop
You would fall dead if you knew what I know about the JASS interpreter... try to read this carefully...
04-26-2009, 10:54 PM#11
Vexorian
Yes well, but that line wasn't really too impressive. It isn't now either. Saying I KNOW THINGS without revealing them and then "I TOLD YOU SO" makes you look like you are improvising...

This is going to be very fun, I'd like to see blizz try to fix this lame VM exploit. Though most likely they would just do some retarded patch solution like forbidding the return bug...
04-26-2009, 11:00 PM#12
Toadcop
Quote:
Saying I KNOW THINGS without revealing
That's the point... THIS SHOULDN'T BE REVEALED AT ALL! The swear was not to tell anyone about this... so it was just knowledge. After the public post (from this TheDamien) it's a threat.
04-26-2009, 11:05 PM#13
Vexorian
That's pizda, all of this will be found out eventually, with or without hiding them...
04-26-2009, 11:07 PM#14
Anitarf
I looked at the code in Toadcop's map and I have no idea what it does. Can someone explain?

And Vex is right, you can't hide this stuff. If you found it out, chances are someone else will too; if you speak up about it, at least chances are it'll get fixed.
04-26-2009, 11:10 PM#15
Vexorian
Anitarf, try testing the map...