Replication Filtering Bypass
Posted
I have come up with a bypass to replication filtering. I am able to do this by sending a malformed packet to the server that returns a pointer to the function readDataStream to the client. readDataStream reads an instance that is being received from an external socket and decides whether the instance will be filtered out or whether it will be created. When I get the pointer to readDataStream, I use a DEP (Data Execution Prevention) vulnerability on the server to write memory to the function pointer of readDataStream and have it move 0x00000000 into the EAX register so that the function always returns with success. Unfortunately, I am only able to write one DWORD, but by XORing EAX with itself and returning, it is possible to use only three bytes in total. The exact value I write is '0x31 0xC0 0xC3 0x90' (i.e. 0x90C3C031). If the return value is nonzero, then the instance does not get created; otherwise, the instance was approved and is created.
To explain my DEP (Data Execution Prevention) exploit, the malformed packet I send to the server socket is received and then passed to a function like this:
push Flags          ; recv flags
push Length         ; size of the receive buffer
push Buffer (ebx)   ; ebx holds the receive buffer
push Socket
call ws2_32.recv
push ebx            ; the buffer recv just filled
call Unknown_Function
When ebx is passed as an argument to Unknown_Function, it causes a buffer overflow, and then I get a pointer leak. I need this pointer leak because Roblox uses ASLR (Address Space Layout Randomization). After I get pointers to other parts of the virtual memory, I redirect a call to 0x00000000, which throws an access violation. I catch the exception with a Vectored Exception Handler, allowing me to manipulate EIP (the 32-bit instruction pointer), similar to how the cheating library Stealth Edit does it. I jump to a code cave which has readDataStream rewritten to set EAX to 0x00000000.
I use hummus instead of disccord, when you're adding me use the same tag on hummus
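The post's patch relies on two details: the four bytes written as one DWORD must land in memory as `31 C0 C3 90` (so the stored value is 0x90C3C031 on a little-endian x86), and `xor eax,eax ; ret` makes the filter report zero, which the post says means "create". The following C model, added here as an example and not code from the post or from Roblox, packs and checks the patch DWORD and models the filter hook as a function pointer that is swapped for an always-zero stub. The Instance struct, the blocklist of class names and the receive path are constructed for illustration; the real readDataStream is not on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a replicated instance: only the class name matters here. */
typedef struct { const char *class_name; } Instance;

/* Filter callback: nonzero = filtered out, zero = approved and created (as the post describes). */
typedef int (*read_data_stream_fn)(const Instance *);

/* Hypothetical original filter with a constructed blocklist of classes clients may not replicate. */
static int read_data_stream_original(const Instance *inst) {
    static const char *blocked[] = { "Script", "ScreenGui" };
    for (size_t i = 0; i < sizeof blocked / sizeof blocked[0]; i++)
        if (strcmp(inst->class_name, blocked[i]) == 0)
            return 1;               /* nonzero: do not create */
    return 0;                       /* zero: create */
}

/* What the entry point does once the bytes below overwrite it: xor eax,eax ; ret. */
static int read_data_stream_patched(const Instance *inst) { (void)inst; return 0; }

/* The patch bytes from the post, in memory order: 31 C0 = xor eax,eax ; C3 = ret ; 90 = nop. */
static const uint8_t patch_bytes[4] = { 0x31, 0xC0, 0xC3, 0x90 };

/* Pack the bytes as one little-endian 32-bit store would lay them out. */
uint32_t patch_dword(void) {
    return (uint32_t)patch_bytes[0]
         | ((uint32_t)patch_bytes[1] << 8)
         | ((uint32_t)patch_bytes[2] << 16)
         | ((uint32_t)patch_bytes[3] << 24);
}

/* Check a DWORD before writing it: the low three bytes must decode to xor eax,eax ; ret.
 * 0x31 = XOR r/m32,r32; ModRM 0xC0 = mod 11, reg eax, rm eax; 0xC3 = ret. The 4th byte is padding. */
int dword_is_return_zero_stub(uint32_t dw) {
    return (dw & 0xFF) == 0x31 && ((dw >> 8) & 0xFF) == 0xC0 && ((dw >> 16) & 0xFF) == 0xC3;
}

/* The function pointer the post says is overwritten; models the hook as a pointer swap. */
static read_data_stream_fn read_data_stream = read_data_stream_original;

void apply_patch(void)  { read_data_stream = read_data_stream_patched;  }
void revert_patch(void) { read_data_stream = read_data_stream_original; }

/* Receive path: returns 1 if an instance of this class is created, 0 if it is filtered out. */
int receive_instance_of_class(const char *class_name) {
    Instance inst = { class_name };
    return read_data_stream(&inst) == 0 ? 1 : 0;
}

int main(void) {
    printf("patch DWORD = 0x%08X, valid stub = %d\n", patch_dword(), dword_is_return_zero_stub(patch_dword()));
    printf("before patch: Script created = %d, Part created = %d\n",
           receive_instance_of_class("Script"), receive_instance_of_class("Part"));
    apply_patch();
    printf("after patch:  Script created = %d, Part created = %d\n",
           receive_instance_of_class("Script"), receive_instance_of_class("Part"));
    return 0;
}
```

The stub check matters in practice: if the DWORD is written with the bytes in the wrong order (0x31C0C390 instead of 0x90C3C031), the first byte executed is 0x90 followed by 0xC3, which returns without touching EAX, so the filter's original decision leaks through rather than being forced to zero.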
Replied
WTF did I just read? Did you make another language?
Can you please translate to English so I can understand what you just said?
thanks
Replied
It (most likely) will. So use it while you can. I am never going to report a bug to Roblox. And if it is major, it will be released here, because I'm no party pooper.
Replied
How do you use this?
Replied
Wow! That's such a crazy find. I am proud of you. You just changed the whole Roblox exploiting scene. It's crazy how you, a WeAreDevs user, found this crazy exploit. It gives the WeAreDevs community a good name. I appreciate it. Thank you. Really. Thank you so much.
Manager of Krnl