[JASS] A new way to use return bug in 1.23b !

thewisp · Jun 23, 2009

1.23b is still in beta. As most of you know, return bug has been fixed in the version, this is a sad news for those who like to research the code exploit

I've found a new way to typecast in 1.23b :

common.j

Code:

type version            extends     handle
constant native ConvertVersion              takes integer i returns version

"type a extends b" means, a variable of type a is also type b, but var of type b is not type a.

ConvertVersion - what does this function do ? actually its just a type conversion function, it has only 2 lines:

MOV EAX, [ESP+4]
RETN

ConvertVersion(1048576) is really H2Version(I2H(1048576)).

change the definition of type to:

Code:

type version            extends     unit

since type unit extends handle, everything about functions of type version will stay unaffected.

Now, you can write another function for easier use, like

Code:

function I2U takes integer i returns unit
    return ConvertVersion(i)
endfunction

see ? you have the typecasting without using return bug.

there are dozens of Convert functions, just modify the type definition, you can use them to convert from integer to any type

EDIT : i have tested under 1.23b, sadly it cant use "extends code" ...

however you can use it for I2U, I2Item, I2Timer and so on.

Eleandor · Jun 23, 2009

There's an other way that doesn't involve modifying common.j already. By the way: how do you convert C2I? It seems you can only convert I2C...

thewisp · Jun 23, 2009

blizzard added a new native function named GetHandleId which is actually H2I.

use GetHandleId instead.

whats the other way ? inserting call DoNothing() between 2 returns ? blizzard already knows about it and it will be fixed.

Eleandor · Jun 23, 2009

The point of this post is not to find alternatives to GetHandleId. We all know already that GetHandleId replaces H2I. Thewisp is saying that with these adaptions, the returnbug still works and still allows abuse such as executing bytecode...

By the way, could you attach a proof-of-concept map? I'm too lazy to do the importing myself...

thewisp · Jun 23, 2009

well, seems i made a serious mistake.. code doesnt count in handle, so this method really only converts common handle types, like I2U, I2Trigger, I2Timer. on the other hand this is also not bad news because thus blizzard probably won't fix it.

Eleandor · Jun 23, 2009

Don't tell them. You never know if this makes them prohibit custom common.j files... Cause if that happens, there's no way RTC will be able to work...

thewisp · Jun 23, 2009

Eleandor said:
The point of this post is not to find alternatives to GetHandleId. We all know already that GetHandleId replaces H2I. Thewisp is saying that with these adaptions, the returnbug still works and still allows abuse such as executing bytecode...

By the way, could you attach a proof-of-concept map? I'm too lazy to do the importing myself...

im not sure about bytecode.
I2U and I2Timer could still be useful - and maybe helps some author so they wont need to rewrite the map.

test map : one for 1.23, one for 1.23b since GetHandleId only exists in 1.23b

[JASS] A new way to use return bug in 1.23b !

thewisp

thewisp

Eleandor

Eleandor

Resources

thewisp

thewisp

Eleandor

Eleandor

Resources

thewisp

thewisp

Eleandor

Eleandor

Resources

thewisp

thewisp

Attachments

Similar threads