🥛
Go/Linux/Vim/React/Flutter/Astro/Kubernetes

David Nishikaze davidxifeng


Exploiting Lua 5.1 on 32-bit Windows

The following Lua program generates a Lua bytecode program called ignore-unsigned-sga.fnt, which in turn loads a DLL from within an extremely locked down Lua 5.1 sandbox in a program called RelicCOH2.exe. The remainder of this document attempts to explain how this program works by a whirlwind tour of relevant bits of the Lua 5.1 virtual machine.

if string.dump(function()end):sub(1, 12) ~= "\27Lua\81\0\1\4\4\4\8\0" then
  error("This generator requires a 32-bit version of Lua 5.1")
end

local function outer()
  local magic -- In bytecode, the stack slot corresponding to this local is changed
{-# LANGUAGE DeriveDataTypeable #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
import Network.Wai
import Control.Exception (Exception, throwIO, assert)
import Control.Applicative ((<$>))
import Control.Monad (when, forever, unless)
import Data.Typeable (Typeable)
import Network.HTTP.Types (status200, status404)
import Network.Wai.Handler.Warp (run)