[Wildstar] 1.0.7.6658 x86 Info Dump Thread

[Apoc]

Format Description (incomplete!):

Code:

    // T = table,  b = bool, i = int, f = float, v = vector, s = string, S = wide string
    // O = item, U = unit, F = message, Z = guild, $ = challenge, # = holdout, d = commodity order, D = auction
    // G = galactic archive, g = archive entry, H = channel, p = path mission, N = public event, Q = quest

If someone figures out what the heck '>' stands for please tell me. Seems like it does nothing?!
And the stuff for 'T' (table) parsing seems complicated too... however 'U' (unit) for instance is just the units id.

The parsing function for this shit is extremely weird...

Well, for the most part it's actually pretty simple.

And yeah, I left out the formatting stuff, since I figured it was mostly self explanatory.

Missing is...

Z (GuildMessageOfTheDay) - Guild (GuildMain.lua [Guild addon])
M (ActionBarDescriptionSpell) - might be "Spell" ?
a (AchievementGranted) - Most likely "achievement"
m (PostCommodityOrderResult) - actual result? (nActualCost in MarketplaceCommodity.lua)
o (LootRoll) - "loot" item. (NeedVsGreed.lua)

I believe > stands for ref? I may be wrong. It's usually used like...

HandleLuaEvent(..., "S>b", someString, &someBool)

Check CharacterCreateFailed, LoginError

[Master674]

Ah yea, I should have noticed. You're right, the client just passes a pointer to the function instead of the actual value (output parameter, is this possible?).

[Apoc]

I think it's possible. But not entirely sure.

[Midi12]

Here is an idc script for dumping some lua function, not all function are dumped, all UI lua related function are skipped unfortunately :'( (I didnt find a proper way trough idc scripting)

Code:

#include <idc.idc>

static getRegisterFunction()
{
	auto dwAddress;
	dwAddress = FindBinary(dwAddress + 1, SEARCH_DOWN|SEARCH_NEXT, "55 8B EC 83 E4 F8 83 EC  1C 53 56 8B C2");

	if(IsAddrStartOfFunction(dwAddress) == 0)
		return -1;
	else
		return dwAddress;
}

static ExtractPath( sPath )
{
	auto dwIndex;
	for ( dwIndex = strlen( sPath ); strstr( substr( sPath, dwIndex, -1 ), "/" ) && dwIndex > 0; dwIndex-- );
	return substr( sPath, 0, dwIndex + 1 );
}

static IsAddrStartOfFunction(dwAddress)
{
	if(GetFunctionAttr(dwAddress, FUNCATTR_START) == dwAddress)
		return 1;
	return 0;
}

static GetLibnameFromAddr(dwAddress)
{
	auto dwLibnameptr = FindText(dwAddress - 0xC, SEARCH_DOWN|SEARCH_NEXT, 0, 0, "mov     edx");	

	if(dwLibnameptr >= dwAddress)
		return "";
	
	auto dwLibnameAddress = GetOperandValue(dwLibnameptr, 1);

	return GetString(dwLibnameAddress, -1, ASCSTR_C);
}

static GetLibtable1FromAddr(dwAddress)
{	
	auto dwTable1Ptr = FindText(dwAddress - 0xC, SEARCH_DOWN|SEARCH_NEXT, 0, 0, "push");
	
	//Message("t1ptr %x\n", dwTable1Ptr);
	
	if (dwTable1Ptr <= GetFunctionAttr(dwAddress, FUNCATTR_START) || dwTable1Ptr >= GetFunctionAttr(dwAddress, FUNCATTR_END))
		return BADADDR;

	auto dwTable1 = GetOperandValue(dwTable1Ptr, 0);

	//Message("t1addr %x\n", dwTable1);
	return dwTable1;
}

static GetLibtable2FromAddr(dwAddress)
{
	auto dwTable2Ptr = FindText(dwAddress - 0x1B, SEARCH_DOWN|SEARCH_NEXT, 0, 0, "push");
	
	//Message("t2ptr %x\n", dwTable2Ptr);
	
	if (dwTable2Ptr <= GetFunctionAttr(dwAddress, FUNCATTR_START) || dwTable2Ptr >= GetFunctionAttr(dwAddress, FUNCATTR_END))
		return BADADDR;

	auto dwTable2 = GetOperandValue(dwTable2Ptr, 0);

	//Message("t2addr %x\n", dwTable2);
	return dwTable2;
}

static DumpLua(hFile, name, table)
{
	auto dwCurrent = table;
	auto functionname, functionaddr;
	
	//fprintf(hFile, "\n\n# %s start #\n", name);

	while(Dword(dwCurrent) != 0x0)
	{
		functionname = GetString(Dword(dwCurrent), -1, ASCSTR_C);
		
		if (!IsString(functionname))
			continue;

		functionaddr = Dword(dwCurrent + 4);
		
		if (functionaddr == 0xFFFFFFFF)
			break;
		
		dwCurrent = dwCurrent + 8;
		
		//Message("%x %s_%s\n", functionaddr, name, functionname);
		fprintf(hFile, "%x %s_%s\n", functionaddr, name, functionname);
	}

	//fprintf(hFile, "# %s end #\n", name);
}

static main()
{
	auto hFile, sPath;
	auto prefix = "Script_";
	
	auto dwRegisterFunction = getRegisterFunction();
	auto dwAddress = 0;
	
	auto libname;
	auto libtable1, libtable2;
		

	sPath = ExtractPath(GetIdbPath()) + "Dump.txt";
	
	
	hFile = fopen(sPath, "w");
	if(hFile != -1)
	{
		fprintf(hFile, "[WildStar Lua Function Dumper]\n");
		fprintf(hFile, "\n");
	}

	while(dwAddress != BADADDR)
	{
		dwAddress = RnextB(dwRegisterFunction, dwAddress);
		
		libname = GetLibnameFromAddr(dwAddress);
		
		if (libname == "")
			continue;
		
		Message("dumping name %s : %x\n", libname, dwAddress);
		
		libtable1 = GetLibtable1FromAddr(dwAddress);
		libtable2 = GetLibtable2FromAddr(dwAddress);

		if (libtable1 == BADADDR|| libtable1 < 0x1000)
		{
			Message("'BADADDR' or 'libtable1 < 0x1000' result on function GetLibtable1FromAddr (skipping) (unexpected behavious)\n");
			continue;
		}
		
		DumpLua(hFile, prefix + libname, libtable1);

		if (libtable2 == BADADDR || libtable2 < 0x1000 || libtable2 == libtable1)
		{
			Message("'BADADDR' or 'libtable2 < 0x1000' or 'libtable2 == libtable1' result on function GetLibtable2FromAddr (skipping) (it can be an expected behaviour)\n");
			continue;
		}

		DumpLua(hFile, prefix + libname, libtable2);
	}
	
	fprintf(hFile, "Dump Complete.\n");
	fclose(hFile);
	Message("Dump complete.\n");
}

Credits : The guy who made the WoW lua dump idc script, his code was a huge base + copy/pasted some funcs from it.

Tip : Use the output file (located in the same folder as the .idb) with FunctionNaming.idc from here ([IDA] Updating function names/offsets in b/t versions?).

[Apoc]

Quick script to rename Lua funcs in the IDB.

Unfortunately, it's not "straight forward" to get things named correctly, due to how they register things. My next approach is simply going to be dumping _G and mapping it back from there.

Code:

import idaapiimport sys
import idc


# Ask the user for a name for the library. (GameLib::Something, etc)
# This just makes life easier due to how the libs are loaded.
# Lib names are pushed on the Lua stack, and then functions are inserted on the top of the stack TValue table
# Usually, there are 2 or 3 loadlib calls for each actual library.
func_prefix = "Script::%s::%s" % (AskStr("", "Lib Name"), "%s")


def rename_func(dwAddress, funcName, force_rename=False):
  orgFuncName = GetFunctionName(dwAddress)
  #print "Renaming %s to %s" % (orgFuncName, funcName)
  dwRet = MakeNameEx(dwAddress, funcName, SN_NOWARN)


  if dwRet == 0 and force_rename:
    bastard = get_func_address_by_name(funcName)
    if bastard != BADADDR:
      dwRet = MakeNameEx(bastard, "sub_", SN_NOWARN)
      rename_func(dwAddress, funcName)


  if dwRet == 0:
    for num in range(0, 32):
      sTemp = "%s_%i" % (funcName, num)
      dwRet = MakeNameEx(dwAddress, sTemp, SN_NOWARN)


      if dwRet != 0:
        print "Warning: Renamed %s to %s instead of %s" % (orgFuncName, sTemp, funcName)
        break


  return dwRet
    
# Renames all functions in a Lua metatable vtbl
def rename_metatable_functions(Lua_table):
    numTableFuncs = 0


    while Dword(Lua_table) != 0:
        funcName = GetString( Dword(Lua_table), -1, ASCSTR_C )
        if funcName == None:
            break


        renamedFunc = func_prefix % funcName
        tableFuncAddr = Dword(Lua_table+4)
        rename_func( tableFuncAddr, renamedFunc, True )
        # So, this doesn't actually carry over to HR pseudocode for whatever reason.
        # This is the function declaration of *ALL* Lua cfunctions. 
        idc.SetType( tableFuncAddr, "int (__cdecl*)(Lua_State *L);" )
        print "%s -> 0x%x" % (renamedFunc, tableFuncAddr)
        numTableFuncs += 1
        Lua_table += 8;


    return numTableFuncs


libAddr = ScreenEA()


# If we're trying to rename from an HR pseudocode window.
if GetMnem(libAddr) == "push":
    libAddr = GetOperandValue(libAddr, 0)


num_Luafuncs_renamed = rename_metatable_functions(libAddr)
print "\nRenamed %s Lua functions." % num_Luafuncs_renamed

And just something to dump C# style enums for the Lua enums (most of them)

Code:

import idaapi
import idautils
import idc


lua_registerEnum = FindBinary(0, SEARCH_DOWN, "55 8B EC 8B 45 08 53 56 57 8B F9 85 C0 75 0C")


if lua_registerEnum == BADADDR:
    print "label lua funcs: Failed to locate lua_registerEnum"
else:    
    print "lua_registerEnum: %x" % lua_registerEnum    
    ea = lua_registerEnum
    
    xRef = idc.RfirstB( lua_registerEnum )
    
    f = open_write_file("Enums.txt")
    
    numEnums = 0
    
    while xRef != BADADDR:
        f.write( "\n//Xref 0x%x" % xRef )    
        
        head = idc.PrevHead(xRef, 8)
        
        # mov ecx, edi
        if idc.GetMnem(head) == "mov":
            head = idc.PrevHead(head, 8)
        
        # push offset <enum name> 
        # head = idc.PrevHead(head, 8)
        
        name = idc.GetString(idc.GetOperandValue(head, 0), -1, ASCSTR_C)
        f.write("\n\t\t///<remarks>")
        f.write("\n\t\t/// Name Addr: %x" % idc.GetOperandValue(head,0))
        
        # push offset <enum value table>
        head = idc.PrevHead(head, 8)
        valuesTable = idc.GetOperandValue(head, 0)
        f.write("\n\t\t/// Value Table Addr: %x" % idc.GetOperandValue(head,0))
        
        # And finally... push <count>
        head = idc.PrevHead(head, 8)
        count = idc.GetOperandValue(head, 0)        
        f.write("\n\t\t///Value Table Count: %x" % idc.GetOperandValue(head,0))
        f.write("\n\t\t///</remarks>")
        
        f.write( "\n\t\tpublic enum %s {" % name )
        offset = 0
        for i in range(count):
            valName = idc.GetString(idc.Dword(valuesTable + offset), -1, ASCSTR_UNICODE)
            # move to the value
            offset+=4
            valValue = idc.Dword(valuesTable + offset)
            f.write( "\n\t\t\t%s = %d," % (valName, valValue) )
            # move to the next string
            offset+=4
        
        f.write( "\n\t\t}" )
        
        numEnums += 1
        
        # Yeah... just set the next xref
        xRef = idc.RnextB( lua_registerEnum, xRef )
        
    print "Wrote %d enums" % numEnums
    
    f.close()

And since I'm here... a quick dump of _G

http://privatepaste.com/d692760924

[JuceMMOCrawler]

Someone figured out how to force 32Bit Client instead of 64Bit? (Compatibility Mode doesn't work anymore.)

[Midi12]

Make your own custom launcher or run under WM

[JuceMMOCrawler]

Make your own custom launcher or run under WM

'make your own custom launcher' - simple but awesome - thx

[-Ryuk-]

'make your own custom launcher' - simple but awesome - thx

Check your inbox please

[JuceMMOCrawler]

Check your inbox please

Thank your for your information that you have shared. I am not finished but I make some progress. x)

Code:

[00:17:26]: [Launcher] Verify your Wildstar installation...
[00:17:26]: [Launcher] Checking for Client64...
[00:17:26]: [Launcher] Client64 exists...
[00:17:26]: [Launcher] Client32 does not exist...
[00:17:27]: [Launcher] Online Game Version: 6670
[00:17:27]: [Launcher] SHA1: e8274cd0034c4b3f26b81e65e851064744db4dc9
[00:17:27]: [Launcher] Downloading patch file. This may take some while.
[00:17:27]: [Launcher] Download finished.
[00:17:27]: [Launcher] SHA1 (Patch): e8274cd0034c4b3f26b81e65e851064744db4dc9
[00:17:27]: [Launcher] Found Client.index with SHA1: 5a3907aeb2ad2c822aac549a8f59be773ccfdb9c
[00:17:27]: [Launcher] Found Client64.index with SHA1: cbb8c822acd37b7abda06fb4f525094c79f6b6ca
[00:17:27]: [Launcher] Found ClientData.index with SHA1: 0f93b8e841d0c806431d6b3030b4ea933e9f3edb
[00:17:27]: [Launcher] Found ClientDataDE.index with SHA1: f668d471e6b4a81972c0310d70a23f18e87b01ed
[00:17:27]: [Launcher] Found ClientDataEN.index with SHA1: 622c6713b1e486cf503f22d18e480993a7756cd9
[00:17:27]: [Launcher] Found ClientDataFR.index with SHA1: 338b3d392986ab75610ab027f9fce7782f1df408