Dll connection with Lua

[Gringas]

Hello everyone I recently installed WoW 3.5 12340 locally and want to figure out how to properly work with the game's memory. I used to have experience with pixel unblocker, everything turned out well there, but it's time to study the implementation dll and how to work inside the process.

I've spent a lot of time on the forum, but I still don't have a structured understanding.
At the current stage, I have created an empty dll library, which in DLL_PROCESS_ATTACH just executes MessageBox. I wrote an injector in c++ that just runs my dll through CreateRemoteThread. Next, for a simple understanding, I decided to create a function in lua that will link to a function in my dll. (In the future, I planned to make an HttpRequest function that I can use at the wow addon level).

And then the problems started. As I understand it, I need to find the offset for lua_State, studying the dump, I assumed that this is "00817DB0 GetLuaState" and there is a function that will return lua_State.

Code:

lua_State* GetContext() {
    typedef lua_State* __stdcall func();
    func* f = (func*)0x00817DB0;
    return f();
}

Code:

static int TestMethod(lua_State* L) {
    MessageBox(NULL, L"Hello World", L"Title", MB_OK);
    return 0;
}

Code:

lua_State* lvm_hnd = GetContext();
lua_register(lvm_hnd, "Test", TestMethod);

It didn't work for me. The dll has stopped executing, I think there is some kind of problem with lua_register. I downloaded "lua 5.1" and connected the header files via include. This was not enough for the build and I had to add "lua5.1.lib", which I think only made the situation worse. After all, WoW already has a lua interpreter

Tell me in which direction to work, where can I read and see some similar examples?

I also don't understand if I need to hook directx endscene? I did not plan to connect "imgui" and the like, but simply create methods for interacting lua with memory through a dll to detect units and send requests. And I'm going to write all the main logic in lua.

At the moment, I don't care about anti-detection tools, I'm very far from at least some kind of working version locally, I'd like to start somewhere and see the results

[darheroc]

This is a good reference for what you want to do: https://github.com/FrostAtom/awesome...eClient.h#L307

[Gringas]

Thank you for the link, it's really useful. I managed to create a function in lua, it is displayed in WoW, but when I try to call it via "/dump txt()" WoW gives an exception "invalid pointer". I check the correctness of the function pointer and pre-display it in the MessageBox to make sure there is no error. The pointer to the exception and the pointer to the WWII error converge, I don't understand what the problem might be.

Perhaps this is due to the fact that I work in a different thread, or I have a serious lack of c++ knowledge

dllmain.cpp

Code:

#include  "pch.h"
#include  <Windows.h>
#include  <string>
#include  <iostream>
#include  <sstream>

static int testMethodFromDll(lua_State* L)
{
    lua_pushnumber(L, 1.f);
    return 1;
}

static int reg_lua_function(lua_State* L)
{
    luaL_Reg funcs[] = {
        {"ttt", testMethodFromDll}
    };

    for (luaL_Reg func: funcs)
    {
        void* voidPointer = reinterpret_cast<void*>(testMethodFromDll);

        // pointer to LPCWSTR for log
        std::ostringstream addressStream;
        addressStream << voidPointer;
        std::string addressString = addressStream.str();
        std::wstring wideString(addressString.begin(), addressString.end());

        // pointer to LPCWSTR
        LPCWSTR lpcwstr = wideString.c_str();

        MessageBox(NULL, lpcwstr, L"Message from DLL", MB_ICONINFORMATION);

        lua_pushcfunction(L, func.func);
        lua_setglobal(L, func.name);
    }

    return 0;
}


DWORD WINAPI MainThread(LPVOID lpReserved) {
    Sleep(10000);


    lua_State* lvm_hnd = GetLuaState();
    reg_lua_function(lvm_hnd);
    return TRUE;
}

HMODULE ModuleInUse;

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        OutputDebugString(L"DLL loaded successfully 11111111111111111\n");
        CreateThread(nullptr, 0, MainThread, hModule, 0, nullptr);
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

pch.h

Code:

struct lua_State;

using lua_Number = double;

// Lua
#define  lua_pushcfunction(L, f) lua_pushcclosure(L, f, 0);
#define  lua_setglobal(L,s)	lua_setfield(L, LUA_GLOBALSINDEX, (s))

using lua_CFunction = int(*)(lua_State*);
typedef struct luaL_Reg {
    const char* name;
    lua_CFunction func;
} luaL_Reg;



#define  LUA_GLOBALSINDEX	(-10002)

inline void lua_pushcclosure(lua_State* L, lua_CFunction func, int c) { return ((decltype(&lua_pushcclosure))0x0084E400)(L, func, c); }
inline void lua_setfield(lua_State* L, int idx, const char* str) { return ((decltype(&lua_setfield))0x0084E900)(L, idx, str); }
inline void lua_pushnumber(lua_State* L, lua_Number v) { return ((decltype(&lua_pushnumber))0x0084E2A0)(L, v); }


inline lua_State* GetLuaState() { return ((decltype(&GetLuaState))0x00817DB0)(); }

Edited:
As far as I understand it, this is due to the fact that the callback is in the wrong memory section, it is checked and the game throws an exception. Can you tell me which best practices are currently being used? I read about the code cave, about textsection_start and textsection_end, maybe there are other practices to use that are potentially more secure?

[air999]

LuaState is a pointer, you don't need function to read it.

Use FrameScript::RegisterFunction to register new lua function.

Code:

int NewFunction(int LuaState)
{
    return 0;
}

#define  _FrameScript_RegisterFunction_          0x00817F90
typedef void (*PFrameScript__RegisterFunction)(INT_PTR name, INT_PTR func);
PFrameScript__RegisterFunction FrameScript__RegisterFunction;
FrameScript__RegisterFunction = (PFrameScript__RegisterFunction)(_FrameScript_RegisterFunction_);

FrameScript__RegisterFunction("NewFunction", (INT_PTR) NewFunction);

[Gringas]

I used your code, got the same error - "invalid pointer"
I replaced "INT_PTR name" with "const char* Name" so that the compiler doesn't swear. The function appears immediately in the global space _G, but still is not called

I also don't understand why your pointer 0x00817F90 works, because for 12340 it is 0x004181B0, judging by the dump
https://www.ownedcore.com/forums/wor...mp-thread.html ([WoW][3.3.5.12340] Info Dump Thread)

[Gringas]

I found such a solution

Code:

// Fix InvalidPtrCheck for callbacks outside of .text section
*(int*)0x00D415B8 = 1;
 *(int*)0x00D415BC = 0x7FFFFFFF;

It works, but what potential problems might arise? Isn't it easy to detect?

[air999]

You will answer your own question if you look inside 0x004181B0.

On your questions try to search forum first Here, Let Me Google That For You! Teach People How to Google (it's already answered many times)

For example https://www.ownedcore.com/forums/wor...ml#post2654026 ([3.3.5a 12340] Having all Lua events dispatched to my C# code & questions)