Thanks!
So I'm trying to get this working (I'm not a "Lazy Programmer" - Lazy-ass programmer incoming!! - that thread makes me lol irl)
IDA tells me the function looks like this:
Code:
.text:0077DEF0 sub_77DEF0 proc near
.text:0077DEF0
.text:0077DEF0
.text:0077DEF0 var_4 = dword ptr -4
.text:0077DEF0 arg_0 = dword ptr 8
.text:0077DEF0 arg_4 = dword ptr 0Ch
.text:0077DEF0 arg_8 = dword ptr 10h
So to work out what these parameters are, I looked at this function that calls it, which is quite simple:
Code:
.text:0049C440 sub_49C440 proc near
.text:0049C440
.text:0049C440 arg_0 = dword ptr 8
.text:0049C440
.text:0049C440 push ebp
.text:0049C441 mov ebp, esp
.text:0049C443 push esi
.text:0049C444 mov esi, [ebp+arg_0]
.text:0049C447 push 1
.text:0049C449 push esi
.text:0049C44A call sub_7AD710
.text:0049C44F add esp, 8
.text:0049C452 test eax, eax
.text:0049C454 jz short loc_49C47D
.text:0049C456 push 0
.text:0049C458 push 1
.text:0049C45A push esi
.text:0049C45B call sub_7AD890
.text:0049C460 add esp, 0Ch
.text:0049C463 test eax, eax
.text:0049C465 jz short loc_49C47D
.text:0049C467 cmp byte ptr [eax], 0
.text:0049C46A jz short loc_49C47D
.text:0049C46C mov ecx, off_FC549C
.text:0049C472 push ecx
.text:0049C473 push eax
.text:0049C474 push eax
.text:0049C475 call sub_77DEF0
.text:0049C47A add esp, 0Ch
.text:0049C47D
.text:0049C47D loc_49C47D:
.text:0049C47D xor eax, eax
.text:0049C47F pop esi
.text:0049C480 pop ebp
.text:0049C481 retn
.text:0049C481 sub_49C440 endp
This only takes 1 argument (this function is called when using /script xxx).
So we push 3 pointers onto the stack before calling the dostring, and then correct the stack on return.
So this is the code I inject:
Code:
mov ecx, {0} ;0xFC549C in the other function
mov eax, {1} ; pointer to string
push ecx
push eax
push eax
call 0x0077DEF0
add esp, 0Ch ; fix stack
retn
But this doesn't seem to work right.
Nothing happens unless there is an error in my Lua; then an error frame is shown (DoEmote does nothing, for example).
Any clues?