Basic Wow Lua Unlocker

[c0ntr4d1ct0r]

Does the same issue occur with darkrotations? it may be a conflict between NerdPack and Zygor, but without the actual error its impossible to assist.

Hey man, thanks for replying!
So, it has nothing to do with NerdPack. I've deactivated it, restarted the game, unlocked LUA with your solution and Zygor still doesn't work. I've restarted the game without unlocking LUA and Zygor works fine, with or without NerdPack.

I'm getting this error:

Message: ...dOns\ZygorGuidesViewer\Skins\Default\ViewerFrame.lua:740: attempt to index field 'AddButton' (a nil value)
Time: Sat Sep 29 17:41:13 2018
Count: 137
Stack: ...dOns\ZygorGuidesViewer\Skins\Default\ViewerFrame.lua:740: attempt to index field 'AddButton' (a nil value)
...dOns\ZygorGuidesViewer\Skins\Default\ViewerFrame.lua:740: in function <...dOns\ZygorGuidesViewer\Skins\Default\ViewerFrame.lua:638>

Locals: self = ZygorGuidesViewerFrame {
0 = <userdata>
oldyPos = 0
Border = ZygorGuidesViewerFrame_Border {
}
skin = <table> {
}
ResizerBottomRight = ZygorGuidesViewerFrame_ResizerBottomRight {
}
ThinFlash = ZygorGuidesViewerFrame_ThinFlash {
}
stepframes = <table> {
}
oldxPos = 0
ResizerLeft = ZygorGuidesViewerFrame_ResizerLeft {
}
leftCount = 0
mouseCount = 0
UpdateLocking = <function> defined @Interface\AddOns\ZygorGuidesViewer\Skins\Default\Skin.lua:165
UpdateSkin = <function> defined @Interface\AddOns\ZygorGuidesViewer\Skins\Default\Skin.lua:47
ResizerBottomLeft = ZygorGuidesViewerFrame_ResizerBottomLeft {
}
style = "default"
AlignFrame = <function> defined @Interface\AddOns\ZygorGuidesViewer\Skins\Default\Skin.lua:193
ResizerRight = ZygorGuidesViewerFrame_ResizerRight {
}
ResizerBottom = ZygorGuidesViewerFrame_ResizerBottom {
}
oldWidth = 320
bdflash = ZygorGuidesViewerFrame_bdflash {
}
}
elapsed = 0.035000002011657
locked = nil
(*temporary) = nil
(*temporary) = 30
(*temporary) = 1
(*temporary) = 30
(*temporary) = <table> {
1 = 0.01
2 = 0.01
3 = 0.01
4 = 0.01
5 = 0.01
6 = 0.01
7 = 0.01
8 = 0.01
9 = 0.01
10 = 0.01
11 = 0.01
12 = 0.01
13 = 0.01
14 = 0.01
15 = 0.01
16 = 0.01
17 = 0.01
18 = 0.01
19 = 0.01
20 = 0.01
21 = 0.01
22 = 0.01
23 = 0.01
24 = 0.01
25 = 0.01
26 = 0.01
27 = 0.01
28 = 0.01
29 = 0.01
30 = 0.01
}
(*temporary) = <table> {
1 = 0
2 = 0
3 = 0
4 = 0
5 = 0
6 = 0
7 = 0
8 = 0
9 = 0
10 = 0
11 = 0
12 = 0
13 = 0
14 = 0
15 = 0
16 = 0
17 = 0
18 = 0
19 = 0
20 = 0
21 = 0
22 = 0
23 = 0
24 = 0
25 = 0
26 = 0
27 = 0
28 = 0
29 = 0
30 = 0
}
(*temporary) = 0.01
(*temporary) = 0.01
(*temporary) = 0
(*temporary) = nil
(*temporary) = nil
(*temporary) = nil
(*temporary) = nil
(*temporary) = nil
(*temporary) = "attempt to index field 'AddButton' (a nil value)"
profile = <table> {
gold_farm_itemfilter = "all"
hidearrowwithguide = true
progress = true
autosell = false
cvanchor = true
dispmodepri = true
pathfinding = true
goalcompletionflash = true
debug = false
debug_centermap = false
audiocues = false
debug_newicons = false
autotaxi = false
tabs_icon = true
gmusecheck = true
poishow_questobjective = true
gmsuggestprofessions = true
arrowunit = 1
autoscan = false
progresscolor = <table> {
}
show_appraiser = false
poitype = 2
show_ui = true
share_masterslave = 0
gear_15 = false
goalicons = true
autoacceptturnin = true
goalbackprogress = false
showstepborders = true
poishow_treasure = true
pathfinding_speed = 15
goaltotals = true
traveluseitems = true
autogear = true
gear_16 = false
gmstarsuggested = false
autogear_protectheirlooms_all = true
gold_format_white = false
actionbar_scale = 1
share_partydisplaystyle = 4
fakereps = <table> {
}
talenticon = true
fontsize_s = 2
travelusedhs = true
poienabled = true
gmlasthomeversion = 1
debug_astrol_map = ""
aucmode = "unit"
n_nc_locked = false
gmsuggestevents = true
tweaks_domacros = true
colorantsother = <table> {
}
hide_dev_once = false
frame_anchor = <table> {
}
share_target = "SAY"
gmnumrecent = 30
preview_alpha = 0.7
showmapbutton = true
debug_astrol_floor = ""
debug_flags = <table> {
}
preview = true
gmfirstpage = "1_home"
tmp__was_sheened = true
debug_frame = "ChatFrame1"
questitemcache = <table> {
}
autoselectitem = false
petbattleframe = true
preview_scale = 1
targetonclick = true
goalbackcomplete = <table> {
}
fontsize = 11
hideprimary = <table> {
}
tabs_minwdth_s = 2
antspeed = 30
load_mail = true
poishow_

[ShasVa]

Two questions: how "safe" is it compared to EWT's "Safe Mode", and do you intend to keep this updated as WoW is patched? Patches are always notorious for breaking this type of thing.

[jburns7723]

Okay so this is gonna sound really bad but how exactly do i use the loa? the test works but i dont know what to do after that.

[WiNiFiX]

Two questions: how "safe" is it compared to EWT's "Safe Mode", and do you intend to keep this updated as WoW is patched? Patches are always notorious for breaking this type of thing.

Discussions of "safe" will be ignored, regarding patched - its updated for BFA and should continue working throughout BFA (unless they dramatically change the exe), Yes I will update it as needed should that occur.

[WiNiFiX]

Okay so this is gonna sound really bad but how exactly do i use the loa? the test works but i dont know what to do after that.

Then why you here, learn how lua unlockers work then return :P

[WiNiFiX]

Regarding the Zygor query - best will be to ask the dev of the addon, I dont touch how lua works, it is still most likely a conflict with other addons (yes even if they disabled) being in the addon folder is enough. Try another rotation addon than NerdPack and see (ensure everything NerdPack related is deleted), does your Zygor issue still occur then?

[WiNiFiX]

Work with PQR?

You joined OC in 2016 and you use this as your first question after 2 years of reading posts here?

[Vandra]

Your lua Unlocker???
l0l1dk's part of the lua unlocer is already leaked in another thread.
You just used my version /modification of the Lua unlocker and release it here under your name, thats pathetic.

Exactly my thoughts when i saw this post.

Anti-afk/Form1.cs at master . ferib/Anti-afk . GitHub
Similarities are hilarious. There is a pastebin link i won't link here because it was deleted by it's author but it's mostly copypasta.

Just by looking at function names, near zero line of code are made by Winifix.
To anyone using this tool, you're warned, Winifix has ZERO knowledge about "his" unlocker nor how to fix your issues.

All I can assume is you not running the English wow client, so "JumpOrAscendStart" may not be valid, you will need to use your languages equivalent.

From a guy who thinks that lua functions are translated from a locale to another.. I don't recommand this to anyone.

A good advice for you, Winifix, read this thread and make your own stuff.
https://www.ownedcore.com/forums/wor...ookthread.html (Bookthread)

[MrNoble]

Just by looking at function names, near zero line of code are made by Winifix.
To anyone using this tool, you're warned, Winifix has ZERO knowledge about "his" unlocker nor how to fix your issues.

This is indeed my code, but he just obfuscated it and changed it a little,
mirror: Nkdxkew.png



Source code of the project:

Code:

public partial class Form1 : Form
    {
        private static PatternScanner PatternScanner;
        private static ProcessSharp ProcessSharp;

        private static long LuaTaintedPtrOffset
        {
            get
            {
                var Lua_TaintedPtrOffset = GetAddressFromPattern("4C 8B 0D ?? ?? ?? ?? 45 33 C0 48 8B CE", 3, 4);
                return Lua_TaintedPtrOffset.ToInt64() - ProcessSharp.Native.MainModule.BaseAddress.ToInt64();             
            }
        }

        private static IntPtr GetAddressFromPattern(string pattern, int offset, int size)
        {
            var scanResult = PatternScanner.Find(new DwordPattern(pattern));
            return IntPtr.Add(scanResult.ReadAddress, ProcessSharp.Memory.Read<int>(scanResult.ReadAddress + offset)) + offset + size;
        }

        public Form1()
        {
            InitializeComponent();
        }

        private void InjectCode(int id, IntPtr wHandle)
        {
            byte[] asm =
            {
                0x90,                                                       //nop
                0x55,                                                       //push rbp
                0x48, 0x8B, 0xEC,                                           //mov rbp, rsp
                0x48, 0xB9, 0xEF, 0xBE, 0xAD, 0xDE, 0xDE, 0xAD, 0xBE, 0xEF, //mov rcx, luaTaintedPtrOffset 
                0xC7, 0x01, 0x00, 0x00, 0x00, 0x00,                         //mov [rcx],00000000
                0xC7, 0x41, 0x04, 0x00, 0x00, 0x00, 0x00,                   //mov [rcx+04],00000000
                0xEB, 0xF1,                                                 //jmp (to mov)
                0x48, 0x8B, 0xE5,                                           //mov rsp, rbp
                0x5D,                                                       //pop rbp
                0xC3                                                        //ret
            };

            var hAlloc = (long)VirtualAllocEx(wHandle, 0, (uint)asm.Length, AllocationType.Commit, MemoryProtection.ExecuteReadWrite);
            Console.WriteLine($"CodeCave[{id}] is @ 0x{hAlloc:X}");

            WriteProcessMemory(wHandle, hAlloc, asm, asm.Length, out int BytesWritten);
            WriteProcessMemory(wHandle, hAlloc + 0x07, BitConverter.GetBytes((long)System.Diagnostics.Process.GetProcessById(id).MainModule.BaseAddress + LuaTaintedPtrOffset), 0x08, out BytesWritten);

            BypasAntiCheat01(true, wHandle);

            var hThread = CreateRemoteThread(wHandle, IntPtr.Zero, 0, (IntPtr)hAlloc, IntPtr.Zero, 0, out uint iThreadId);
            Console.WriteLine("Thread Id[" + iThreadId + "] is @ 0x" + hThread.ToString("X"));

            Thread.Sleep(100);

            BypasAntiCheat01(false, wHandle);
        }

        private void BypasAntiCheat01(bool status, IntPtr wHandle)
        {
            byte[] Patch = {0xFF, 0xE0, 0xCC, 0xCC, 0xCC}; //JMP RAX
            byte[] Patch2 = {0x48, 0xFF, 0xC0, 0xFF, 0xE0}; //INC RAX, JMP RAX

            //Blizzard will add 0xC3 (ret) at the begin of our code cave, So what we do is start our code cave with 0x90 (NOP) and then add the code cave under it.
            //We will patch a DLL function (Cuz i don't like touching Wow.exe) so it start executing our code cave from the second byte.

            var CreateRemoteThreadPatchOffset = (long) GetProcAddress(GetModuleHandle("kernel32.dll"), "BaseDumpAppcompatCacheWorker") + 0x1E0;

            Console.WriteLine(CreateRemoteThreadPatchOffset);

            if (status)
                Patch = Patch2;

            WriteProcessMemory(wHandle, CreateRemoteThreadPatchOffset, Patch, Patch.Length, out int BytesWritten);
        }

        private void Form1_Load(object sender, EventArgs e)
        {
            var process = System.Diagnostics.Process.GetProcessesByName("Wow").FirstOrDefault();

            if (process == null)
            {
                MessageBox.Show("Failed to find wow running", Text, MessageBoxButtons.OK, MessageBoxIcon.Error);
                return;
            }

            ProcessSharp = new ProcessSharp(process, Process.NET.Memory.MemoryType.Remote);
            PatternScanner = new PatternScanner(ProcessSharp[ProcessSharp.Native.MainModule.ModuleName]);

            textBox1.Text = "0x" + LuaTaintedPtrOffset.ToString("X");
        }

        private void button1_Click(object sender, EventArgs e)
        {
            try
            {
                var wHandle = OpenProcess((int) MemoryProtection.Proc_All_Access, false, ProcessSharp.Native.Id);
                InjectCode(ProcessSharp.Native.Id, wHandle);

                MessageBox.Show("Injection success", Text, MessageBoxButtons.OK, MessageBoxIcon.Information);
            }
            catch (Exception ex)
            {
                MessageBox.Show($"Injection failed: {ex.Message}", Text, MessageBoxButtons.OK, MessageBoxIcon.Error);
            }
        }

        [DllImport("Kernel32.dll")]
        public static extern bool ReadProcessMemory(IntPtr handle, long address, byte[] bytes, int nsize, ref int op);

        [DllImport("Kernel32.dll")]
        public static extern bool WriteProcessMemory(IntPtr hwind, long Address, byte[] bytes, int nsize, out int output);

        [DllImport("Kernel32.dll")]
        public static extern IntPtr OpenProcess(int Token, bool inheritH, int ProcID);

        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        private static extern IntPtr VirtualAllocEx(IntPtr hProcess, long lpAddress,
            uint dwSize, AllocationType flAllocationType, MemoryProtection flProtect);

        [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
        public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

        [DllImport("kernel32")]
        public static extern IntPtr GetModuleHandle(string lpModuleName);

        [DllImport("kernel32.dll")]
        public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out uint lpThreadId);

        private enum AllocationType
        {
            Commit = 0x1000,
            Reserve = 0x2000,
            Decommit = 0x4000,
            Release = 0x8000,
            Reset = 0x80000,
            Physical = 0x400000,
            TopDown = 0x100000,
            WriteWatch = 0x200000,
            LargePages = 0x20000000
        }

        private enum MemoryProtection
        {
            NoAccess = 0x0001,
            ReadOnly = 0x0002,
            ReadWrite = 0x0004,
            WriteCopy = 0x0008,
            Execute = 0x0010,
            ExecuteRead = 0x0020,
            ExecuteReadWrite = 0x0040,
            ExecuteWriteCopy = 0x0080,
            GuardModifierflag = 0x0100,
            NoCacheModifierflag = 0x0200,
            WriteCombineModifierflag = 0x0400,
            Proc_All_Access = 2035711
        }
    }

[ShasVa]

Getting the lua unlocker is easy. Getting DR's addon is the exact opposite. There's no instructions for getting it. Such a shame.

[Vandra]

This is indeed my code, but he just obfuscated it and changed it a little

Those questions indeed show the "skill" of the guy.
He promised updates if patched, for a guy who have no clue about pattern finding, i'm looking forward to it.

[MrNoble]

Those questions indeed show the "skill" of the guy.
He promised updates if patched, for a guy who have no clue about pattern finding, i'm looking forward to it.

He will change his name and then wait untill someone gives him a new private lua unlocker.
So i bet he will leake some more shit, after he knows how to get stuff compiled.

[WiNiFiX]

Deleted, explained in post below.

[WiNiFiX]

Ferib you right, and I did not leak the source as I said it was obfuscated, but you releasing the source kindof defeats the fact that you wanted it private.
I recall the discussion now that I see the image, not sure why prior one was invalid image.

Still not sure why you going wild after I had edited the first post and credited you.
I am not trying to steal credit, I am just trying to get a free unlocker out since EWT is now paid and no one else was jumping to assist.
Feel free to release your own version here, else mine will be maintained as need be.

[WiNiFiX]

Those questions indeed show the "skill" of the guy.
He promised updates if patched, for a guy who have no clue about pattern finding, i'm looking forward to it.

I am quite capable of finding patterns, again credit to ferib he taught me, they really not hard to find.