WoW Memory Editing (MMOwned forum section) - for learning purposes only.
4 Weeks Ago - telekenetix (New User, Join Date: Sep 2009)
AutoIt Lua_DoString help
Basically, I am trying to get a simple Lua_DoString to work in AutoIt.
Just in case anyone is wondering, I would be more than happy to switch to C# and I will soon, but this has been bugging me and I want to figure it out.
Here's what I have:
Code:
#include <Asm.au3>
#include <Misc.au3>
#include <Array.au3>
#include <Memory.au3>
#include <_Distorm.au3>
#include <NomadMemory.au3>

; 3.2.2 Addresses
Global Const $PLAYER_BASE = 0x12D4EA8
Global Const $PLAYER_BPTR1 = 0x34
Global Const $PLAYER_BPTR2 = 0x24
Global Const $PLAYER_MAPID = 0x00A1E77C ; Not sure if the offset is right.
Global Const $Lua_Dostring = 0x7CF660
Global Const $GetLocalizedText = 0x0069A260
Global Const $pX = 0x798
Global Const $pY = 0x79C
Global Const $pZ = 0x7A0
Global Const $pR = 0x7A8

; Setting privilege
SetPrivilege("SeDebugPrivilege", 1)
; Open wow process to hook endscene (once; the same handle is reused by DoString later)
$wow = _MemoryOpen(WinGetProcess("World of Warcraft"))

; Gets player base address
$base = _MemoryRead("0x" & Hex($PLAYER_BASE), $wow, "dword")
$base_2 = _MemoryRead("0x" & Hex($base + $PLAYER_BPTR1), $wow, "dword")
$base_3 = _MemoryRead("0x" & Hex($base_2 + $PLAYER_BPTR2), $wow, "dword")

; get address of EndScene
$pDevice = _MemoryRead("0x" & Hex(0x1254928), $wow, "dword")
$pEnd = _MemoryRead("0x" & Hex($pDevice + 0x38A8), $wow, "dword")
$pScene = _MemoryRead("0x" & Hex($pEnd), $wow, "dword")
$pEndScene = _MemoryRead("0x" & Hex($pScene + 0xA8), $wow, "dword")

; allocate memory to store injected code
Global $injected_code = _MemVirtualAllocEx($wow[1], 0, 2048, $MEM_COMMIT, $PAGE_EXECUTE_READWRITE)

; Generate the STUB to be injected
$Asm = AsmInit()
AsmReset($Asm)
; save regs
AsmAdd($Asm, "pushad")
AsmAdd($Asm, "pushfd")
; check if there's something to be run
AsmAdd($Asm, "mov esi, " & Hex($injected_code + 256) & "h")
AsmAdd($Asm, "cmp dword [esi], 0")
AsmAdd($Asm, "jz $+73") ; label exit:
; UpdateCurMgr
AsmAdd($Asm, "mov edx, [" & Hex(0x12705B0) & "h]")
AsmAdd($Asm, "mov edx, [ edx + " & Hex(0x2D94) & "h]")
AsmAdd($Asm, "mov eax, fs:[2Ch]")
AsmAdd($Asm, "mov eax, [eax]")
AsmAdd($Asm, "add eax, 0x8")
AsmAdd($Asm, "mov [eax], edx")
; DoString
AsmAdd($Asm, "mov esi, " & Hex($injected_code + 1024) & "h")
AsmAdd($Asm, "push 0")
AsmAdd($Asm, "push esi")
AsmAdd($Asm, "push esi")
AsmAdd($Asm, "mov eax, " & Hex($Lua_Dostring) & "h")
AsmAdd($Asm, "call eax")
AsmAdd($Asm, "add esp, 0Ch")
; check if there's something to be returned on
AsmAdd($Asm, "mov esi, " & Hex($injected_code + 512) & "h")
AsmAdd($Asm, "cmp dword [esi], 0")
AsmAdd($Asm, "jz $+2D") ; label exit:
; GetLocalizedText
AsmAdd($Asm, "mov ecx, " & Hex($base_3) & "h") ; must be made dynamic
AsmAdd($Asm, "push -1")
AsmAdd($Asm, "push esi")
AsmAdd($Asm, "mov eax, " & Hex($GetLocalizedText) & "h")
AsmAdd($Asm, "call eax")
AsmAdd($Asm, "cmp eax, 0")
AsmAdd($Asm, "jz $+11") ; label exit:
; copy return string
AsmAdd($Asm, "mov esi, eax")
AsmAdd($Asm, "mov edi, " & Hex($injected_code + 768) & "h")
AsmAdd($Asm, "copy:")
AsmAdd($Asm, "lodsb")
AsmAdd($Asm, "stosb")
AsmAdd($Asm, "cmp al, 0")
AsmAdd($Asm, "jnz @copy")
; clear state busy flag
AsmAdd($Asm, "exit:")
AsmAdd($Asm, "xor eax, eax")
AsmAdd($Asm, "mov edi, " & Hex($injected_code + 256) & "h")
AsmAdd($Asm, "stosd")
AsmAdd($Asm, "mov edi, " & Hex($injected_code + 512) & "h")
AsmAdd($Asm, "stosd")
; restore regs
AsmAdd($Asm, "popfd")
AsmAdd($Asm, "popad")
; copy injected code
_MemoryWrite("0x" & Hex($injected_code), $wow, AsmGetBinary($Asm), "byte[" & $Asm[2] & "]")

; create hook jump
$jmpto = AsmInit()
AsmReset($jmpto)
AsmAdd($jmpto, "push " & Hex($injected_code) & "h")
AsmAdd($jmpto, "ret")
AsmAdd($jmpto, "nop")

; save original instructions
$orig = _MemoryRead("0x" & Hex($pEndScene), $wow, "byte[64]")
_MemoryWrite("0x" & Hex($injected_code + $Asm[2]), $wow, $orig, "byte[64]")
; autoit is garbage
$orig_ptr = DllStructCreate("byte[64]")
DllStructSetData($orig_ptr, 1, $orig)
; disasm original bytes
$DecodeArray = DllStructCreate("byte[" & $sizeofDecodedInst * 64 & "]")
$ret = distorm_decode(0, DllStructGetPtr($orig_ptr), 64, $Decode32Bits, DllStructGetPtr($DecodeArray), 64)
; parse until we can jump back
$sumsize = 0
If $ret[0] == $DECRES_SUCCESS Then
    For $i = 0 To $ret[1] - 1 ; $ret[1] is the number of decoded instructions
        ; get size of 1 instruction
        $instr = DllStructCreate($tagDecodedInst, DllStructGetPtr($DecodeArray) + ($i * $sizeofDecodedInst))
        $sumsize += DllStructGetData($instr, "size")
        ; check if we copied enough instructions
        If $sumsize >= $jmpto[2] Then
            ; create jump back stub
            $jmpback = AsmInit()
            AsmReset($jmpback)
            AsmAdd($jmpback, "push " & Hex($pEndScene + $sumsize) & "h")
            AsmAdd($jmpback, "ret")
            AsmAdd($jmpback, "nop")
            ; write jump back
            _MemoryWrite("0x" & Hex($injected_code + $Asm[2] + $sumsize), $wow, AsmGetBinary($jmpback), "byte[" & $jmpback[2] & "]")
            ExitLoop
        EndIf
    Next
EndIf
; write jump hook
_MemoryWrite("0x" & Hex($pEndScene), $wow, AsmGetBinary($jmpto), "byte[" & $jmpto[2] & "]")

; keep the process handle open here: DoString still reads and writes through $wow.
; It is closed in Quit() when the script exits.
HotKeySet("{PAUSE}", "Dance")
HotKeySet("{ESC}", "Quit")
While True
    Sleep(100)
WEnd

Func Dance()
    $msg = DoString($wow, "", "DoEmote(""dance"")")
    MsgBox(0, "Msg", $msg)
EndFunc

Func Quit()
    ; close memory wow
    _MemoryClose($wow)
    Exit
EndFunc

Func DoString($wow, $desc, $cmd)
    _MemoryWrite("0x" & Hex($injected_code + 512), $wow, $desc, "char[" & (StringLen($desc) + 1) & "]")
    _MemoryWrite("0x" & Hex($injected_code + 1024), $wow, $cmd, "char[" & (StringLen($cmd) + 1) & "]")
    ; change status
    $stat = 1
    _MemoryWrite("0x" & Hex($injected_code + 256), $wow, $stat, "dword")
    ; wait execution
    Do
        Sleep(5)
        $stat = _MemoryRead("0x" & Hex($injected_code + 256), $wow, "dword")
    Until $stat = 0
    ; read answer
    $ret = _MemoryRead("0x" & Hex($injected_code + 768), $wow, "char[256]")
    Return $ret
EndFunc
I will go ahead and admit that most of this is copy/pasta. I did change the offsets to 3.2.2.
Anyways, when Dance() gets called, nothing happens. Anyone see any glaring problems?
Last edited by telekenetix; 4 Weeks Ago at 08:51 PM.
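From the defender's side, the hook above is exactly what an anti-cheat or endpoint integrity check looks for. The following C example is added here and is not code from the thread: it inspects the first bytes of a function, recognises the 6-byte push imm32 / ret trampoline the script writes over EndScene, generalises to the 5-byte jmp rel32 detour, recovers the redirect target, and compares the live bytes against a known-good copy. The sample bytes and the function address 0x00A00000 are constructed, not real game addresses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What an integrity check learns about the first bytes of a function. */
typedef struct {
    int hooked;        /* 1 if the prologue has been replaced by a redirect */
    const char *kind;  /* "push/ret", "jmp rel32" or "none" */
    uint32_t target;   /* address control is diverted to (0 if not hooked) */
} hook_info;

/* Little-endian 32-bit read that works at any alignment. */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Classify the prologue bytes of a function located at func_va. */
hook_info inspect_prologue(const uint8_t *code, size_t len, uint32_t func_va)
{
    hook_info r = { 0, "none", 0 };
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        /* 68 imm32 C3 = push imm32 ; ret: the trampoline the thread writes over EndScene */
        r.hooked = 1; r.kind = "push/ret"; r.target = rd32(code + 1);
    } else if (len >= 5 && code[0] == 0xE9) {
        /* E9 rel32 = jmp rel32: the other common detour; rel32 is relative to the next instruction */
        r.hooked = 1; r.kind = "jmp rel32"; r.target = func_va + 5 + rd32(code + 1);
    }
    return r;
}

/* 1 when the live prologue still equals a known-good copy (e.g. taken from the image on disk). */
int prologue_intact(const uint8_t *live, const uint8_t *known, size_t n) { return memcmp(live, known, n) == 0; }

/* Constructed samples, not real game addresses: a clean MSVC-style prologue and two hooked versions. */
static const uint8_t CLEAN[]   = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
static const uint8_t PUSHRET[] = { 0x68, 0x00, 0x00, 0x40, 0x03, 0xC3, 0x90, 0x90 }; /* push 0x03400000 ; ret ; nop */
static const uint8_t JMPREL[]  = { 0xE9, 0xFB, 0xFF, 0x9F, 0x02, 0x8B, 0xEC, 0x83 }; /* jmp rel32 landing at 0x03400000 */
static const uint32_t FUNC_VA  = 0x00A00000u; /* assumed address of the checked function */

int main(void)
{
    const uint8_t *samples[] = { CLEAN, PUSHRET, JMPREL };
    for (size_t i = 0; i < 3; i++) {
        hook_info h = inspect_prologue(samples[i], 8, FUNC_VA);
        printf("sample %zu: intact=%d hooked=%d kind=%s target=0x%08X\n", i,
               prologue_intact(samples[i], CLEAN, 8), h.hooked, h.kind, (unsigned)h.target);
    }
    return 0;
}
```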
4 Weeks Ago - furang (Master Sergeant, Join Date: Jul 2009)
This is not correct
Code:
AsmAdd($Asm, "add eax, 0x10")
Should be 0x8 afaik.
PS. I have troubles with DoString too. Here's the thread
4 Weeks Ago - telekenetix (New User, Join Date: Sep 2009)
Quote: Originally Posted by furang
    This is not correct
    Code:
    AsmAdd($Asm, "add eax, 0x10")
    Should be 0x8 afaik.
    PS. I have troubles with DoString too. Here's the thread
Thanks, I was looking for something along those lines, but I missed that somehow.
I will test later and post back with results
Last edited by telekenetix; 4 Weeks Ago at 01:19 PM. Reason: More text
4 Weeks Ago - telekenetix (New User, Join Date: Sep 2009)
OK, so changing the value to 0x8 did not fix whatever the larger problem is.
I updated the code in OP to match what I have now.
4 Weeks Ago - furang (Master Sergeant, Join Date: Jul 2009)
DoString's addr is 0x007CF6B0 afaik.
I wonder why it doesn't crash your wow (or it does?)
4 Weeks Ago - Jadd (Contributor, Join Date: May 2008, Location: QLD, Australia)
Step 1: Don't copy/paste.
Step 2: You win.
4 Weeks Ago - telekenetix (New User, Join Date: Sep 2009)
It does not crash WoW. It just doesn't do anything. But, I got my Lua_DoString address out of the Info Dump Thread.
Quote:
    Step 1: Don't copy/paste.
    Step 2: You win.
Thanks for that advice.
Update:
0x007CF6B0 does not fix the problem.
Anyways, 3.2.2 Info Dump says Lua_DoString found at 0x7CF660. So, I tried 0x007CF660 as well, and it did not fix it either.
Last edited by telekenetix; 4 Weeks Ago at 10:49 PM.
4 Weeks Ago - telekenetix (New User, Join Date: Sep 2009)
I think maybe there is a problem in my finding Endscene.
I am looking at the pointer values, and I am getting 0 for Endscene.
I have tried it two ways (because I am not sure which is right):
Code:
$pDevice = _MemoryRead("0x" & hex(0x1254928), $wow, "dword")
$pEnd = _MemoryRead("0x" & hex($pDevice + 0x38A8), $wow, "dword")
$pScene = _MemoryRead("0x" & hex($pEnd), $wow, "dword")
$pEndScene = _MemoryRead("0x" & hex($pScene + 0xA8), $wow, "dword")
and
Code:
$pDevice = _MemoryRead("0x" & hex(0x1254928), $wow, "dword")
$pEnd = _MemoryRead("0x" & hex($pDevice + 0x397C), $wow, "dword")
$pEndScene = _MemoryRead("0x" & hex($pEnd + 0xA8), $wow, "dword")
As you can see, I use $pDevice + 0x38A8 in one, but $pDevice + 0x397C in the other. When using 0x397C, $pEnd is a non-zero number, but $pEndScene is not. When using 0x38A8, $pEnd is 0 (as well as $pEndScene).
So, in either case, $pEndScene is 0, which is not right...
Last edited by telekenetix; 4 Weeks Ago at 11:40 PM.
4 Weeks Ago - New User (Join Date: Aug 2006, Location: Winland)
Quote: Originally Posted by Jadd
    Step 1: Don't copy/paste.
    Step 2: You win.
Funny that you would mention this, because your UltimateWoW hack had the exact same copypasta for lua dostring.
4 Weeks Ago - Contributor (Join Date: May 2007, Location: Dragon Shores)
Quote: Originally Posted by Jadd
    Step 1: Don't copy/paste.
    Step 2: You win.
I accidently my drink
4 Weeks Ago - telekenetix (New User, Join Date: Sep 2009)
Quote:
    I accidentally my whole drink
There I fixed it for ya.
Anyways, back on topic... I know Jadd has a working Lua_DoString method in AutoIt, so it was a bit disappointing that he wasn't willing to offer any help at all. Anyone know why my endscene pointer would be 0? Clearly, I am doing something wrong, but I think the process is correct. Endscene = pDevice + 38A8 + A8, right?
2 Days Ago - New User (Join Date: May 2009)
Please, do you have a link for _Distorm.au3?
I can't find this file.