On Wed Nov 29 01:27:17 2023 +0000, Paul Gofman wrote:
No, I wasn't looking at League of Legends. But maybe it is using a similar way of hooking KiUserExceptionDispatcher. Without reverse engineering the AC, it is possible to see if there is an NtProtectVirtualMemory call for the area around the KiUserExceptionDispatcher address and whether the code of it actually changes during the game run.
Oops, I actually wanted to say it does patch `KiUserExceptionDispatcher` but got myself confused :D It patches 18 methods in ntdll.dll.
Patch for `KiUserExceptionDispatcher` looks like this (with this MR applied):

```diff
-   59750: 90                      nop
-   59751: 48 8b 05 38 03 04 00    mov    rax,QWORD PTR [rip+0x40338]        # 0x99a90
+   59750: 40 e9 95 eb cf f8       rex jmp 0xf8d582eb
+   59756: 04 00                   add    al,0x0
    59758: 48 8b 8c 24 98 00 00    mov    rcx,QWORD PTR [rsp+0x98]
    5975f: 00
    59760: 48 8b 94 24 f8 00 00    mov    rdx,QWORD PTR [rsp+0xf8]
    59767: 00
    59768: 48 89 51 f8             mov    QWORD PTR [rcx-0x8],rdx
    5976c: 48 89 69 f0             mov    QWORD PTR [rcx-0x10],rbp
    59770: 48 89 79 e8             mov    QWORD PTR [rcx-0x18],rdi
    59774: 48 89 71 e0             mov    QWORD PTR [rcx-0x20],rsi
    59778: 48 8d 69 e0             lea    rbp,[rcx-0x20]
    5977c: 48 85 c0                test   rax,rax
    5977f: 74 0d                   je     0x5978e
```
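Review bot: the `+` lines show a 6-byte `rex jmp` (`40 e9 95 eb cf f8`) written over the `nop` at 59750 and the first five bytes of the 7-byte `mov rax,QWORD PTR [rip+0x40338]`, so the `04 00 add al,0x0` at 59756 is just the leftover tail of that mov's displacement, not an instruction that is ever executed from there. Because the overwritten mov is the only load of rax before the `test rax,rax` at 5977c, the hook's trampoline has to re-execute that rip-relative mov with a recomputed displacement before jumping back; if the remaining stack overflow is being chased, checking what rax holds at 5977c when control returns from the hook would confirm whether the AC gets that right against the nop+mov prologue this MR produces.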
Also, I spoke too soon: the stack overflow is not fixed, it just seems to have become much rarer.