Unlock all Protected Lua API

  1. #1
    berserk85 (Member)


    Hi to all .... It's time for me to pass from leecher to something else ^^
    I was searching for a way to unlock all Lua API and I started to reverse ...
    After 3/4 hours I have found a way that always works for macros and for addons ...
    I don't release any source code but I show you how to do it ^^
    Every protected Lua_C_Function has a scope check. With the scope check WoW can find which addon called the Lua function ...
    You can find the Lua scope check at addr

    3.0.9

    Code:
    .data:012EB440 ; int dword_12EB440
    .data:012EB440 dword_12EB440   dd ?                    ; DATA XREF: sub_42E250:loc_42E25Fr
    .data:012EB440                                         ; sub_4338A0+2Dr ...

    and the function caller at


    3.0.9
    Code:
    ; =============== S U B R O U T I N E =======================================
    .text:007B65F0
    .text:007B65F0 ; Attributes: bp-based frame
    .text:007B65F0
    .text:007B65F0 ; int __cdecl LuaFuncCaller(int, int, int)
    .text:007B65F0 LuaFuncCaller   proc near               ; CODE XREF: sub_7B69E0+73p
    .text:007B65F0                                         ; sub_7B6A90+4Dp ...
    .text:007B65F0
    .text:007B65F0 arg_0           = dword ptr  8
    .text:007B65F0 arg_4           = dword ptr  0Ch
    .text:007B65F0 arg_8           = dword ptr  10h
    .text:007B65F0
    .text:007B65F0                 push    ebp
    .text:007B65F1                 mov     ebp, esp
    .text:007B65F3                 mov     eax, [ebp+arg_4]
    .text:007B65F6                 cmp     dword ptr [eax+8], 6
    .text:007B65FA                 push    ebx
    .text:007B65FB                 push    esi
    .text:007B65FC                 mov     esi, [ebp+arg_0]
    .text:007B65FF                 push    edi
    .text:007B6600                 jz      short loc_7B6609
    .text:007B6602                 mov     ebx, eax
    .text:007B6604                 call    sub_7B6120
    .text:007B6609
    
    ...

    This function calls all Lua C function APIs ... you can see the call at



    Code:
    .text:007B6794                 call    sub_7CB790
    .text:007B6799                 push    esi
    .text:007B679A                 call    edi   << this one
    .text:007B679C                 add     esp, 8
    .text:007B679F                 test    eax, eax
    .text:007B67A1                 jge     short loc_7B67AD

    Now you only need to hook this function, back up the old Lua scope check value and fill it with 00, call the trampoline and on return restore the old value and return the trampoline return value ^^

    THNX to :
    bobbysing
    kynox
    cypher

    PS: Sorry for my English but it is not my native language ^^

    Last edited by berserk85; 02-14-2009 at 01:41 PM.

  2. #2
    Nesox (★ Elder ★)
    Or you can change the protection check so it always returns 1
    Code:
    mov eax, 1
    retn

  3. #3
    berserk85 (Member)
    If you mean this function

    Code:
    .text:004A4480 sub_4A4480      proc near               ; CODE XREF: sub_498EC0+Bp
    .text:004A4480                                         ; sub_4C5BA0+11p ...
    .text:004A4480
    .text:004A4480 arg_0           = dword ptr  8
    .text:004A4480
    .text:004A4480                 push    ebp
    .text:004A4481                 mov     ebp, esp
    .text:004A4483                 cmp     dword_12EB440, 0
    .text:004A448A                 mov     ecx, [ebp+arg_0]
    .text:004A448D                 mov     eax, dword_10A68C0
    .text:004A4492                 jz      short loc_4A44F9 ; default
    .text:004A4492                                         ; jumptable 004A44A0 case 10
    .text:004A4494                 cmp     ecx, 13h        ; switch 20 cases
    .text:004A4497                 ja      short loc_4A44F9 ; default
    .text:004A4497                                         ; jumptable 004A44A0 case 10
    .text:004A4499                 movzx   edx, ds:byte_4A4520[ecx]
    .text:004A44A0                 jmp     ds:off_4A4510[edx*4] ; switch jump
    .text:004A44A7
    .text:004A44A7 loc_4A44A7:                             ; DATA XREF: .text:off_4A4510o
    .text:004A44A7                 xor     eax, eax        ; jumptable 004A44A0 cases 0-5,16,17
    .text:004A44A9                 push    eax
    .text:004A44AA                 push    eax
    .text:004A44AB                 call    sub_49F6E0
    .text:004A44B0                 add     esp, 8
    .text:004A44B3                 xor     eax, eax
    .text:004A44B5                 pop     ebp
    .text:004A44B6                 retn
    .text:004A44B7 ; ---------------------------------------------------------------------------
    .text:004A44B7
    .text:004A44B7 loc_4A44B7:                             ; CODE XREF: sub_4A4480+20j
    .text:004A44B7                                         ; DATA XREF: .text:off_4A4510o
    .text:004A44B7                 test    eax, eax        ; jumptable 004A44A0 cases 11-14
    .text:004A44B9                 jz      short loc_4A4507
    .text:004A44BB                 cmp     dword ptr [eax+1154h], 0
    .text:004A44C2                 jnz     short loc_4A44F9 ; default
    .text:004A44C2                                         ; jumptable 004A44A0 case 10
    .text:004A44C4                 mov     eax, 2
    .text:004A44C9                 push    eax
    .text:004A44CA                 push    0
    .text:004A44CC                 call    sub_49F6E0
    .text:004A44D1                 add     esp, 8
    .text:004A44D4                 xor     eax, eax
    .text:004A44D6                 pop     ebp
    .text:004A44D7                 retn
    .text:004A44D8 ; ---------------------------------------------------------------------------
    .text:004A44D8
    .text:004A44D8 loc_4A44D8:                             ; CODE XREF: sub_4A4480+20j
    .text:004A44D8                                         ; DATA XREF: .text:off_4A4510o
    .text:004A44D8                 test    eax, eax        ; jumptable 004A44A0 cases 6-9,15,18,19
    .text:004A44DA                 jz      short loc_4A4507
    .text:004A44DC                 cmp     dword ptr [eax+1158h], 0
    .text:004A44E3                 jnz     short loc_4A44F9 ; default
    .text:004A44E3                                         ; jumptable 004A44A0 case 10
    .text:004A44E5                 mov     eax, 1
    .text:004A44EA                 push    eax
    .text:004A44EB                 push    0
    .text:004A44ED                 call    sub_49F6E0
    .text:004A44F2                 add     esp, 8
    .text:004A44F5                 xor     eax, eax
    .text:004A44F7                 pop     ebp
    .text:004A44F8                 retn
    .text:004A44F9 ; ---------------------------------------------------------------------------
    .text:004A44F9
    .text:004A44F9 loc_4A44F9:                             ; CODE XREF: sub_4A4480+12j
    .text:004A44F9                                         ; sub_4A4480+17j ...
    .text:004A44F9                 test    eax, eax        ; default
    .text:004A44F9                                         ; jumptable 004A44A0 case 10
    .text:004A44FB                 jz      short loc_4A4507
    .text:004A44FD                 test    ecx, ecx
    .text:004A44FF                 jnz     short loc_4A4507
    .text:004A4501                 mov     [eax+1158h], ecx
    .text:004A4507
    .text:004A4507 loc_4A4507:                             ; CODE XREF: sub_4A4480+39j
    .text:004A4507                                         ; sub_4A4480+5Aj ...
    .text:004A4507                 mov     eax, 1
    .text:004A450C                 pop     ebp
    .text:004A450D                 retn
    .text:004A450D sub_4A4480      endp

    This doesn't work for the Select Target Lua function ^^ ...
    that function has a hardcoded scope check ^^

  4. #4
    Nesox (★ Elder ★)
    Does any of u cheerful lads know how to remove the 255 char limit on macros?

  5. #5
    jbrauman (Member)
    Originally Posted by Nesox
    Does any of u cheerful lads know how to remove the 255 char limit on macros?
    Can't you just make a macro that calls other macros?

  6. #6
    Nesox (★ Elder ★)
    Originally Posted by jbrauman
    Can't you just make a macro that calls other macros?
    yea i guess

  7. #7
    jbrauman (Member)
    To the OP, +rep for doing shit yourself. I don't understand any of ASM ^_^

  8. #8
    Vladinator2 (Banned)
    I wish I knew how to change this myself. I've used Cheat Engine and seen this code but not sure how to re-write myself lol. I guess it's too hard to keep a program up-to-date with the latest addresses and such for each build of warden.

  9. #9
    Nesox (★ Elder ★)
    Originally Posted by Vladinator2
    I wish I knew how to change this myself. I've used Cheat Engine and seen this code but not sure how to re-write myself lol. I guess it's too hard to keep a program up-to-date with the latest addresses and such for each build of warden.
    U can do it with the cheatengine debugger or any debugger like olly, ida etc.. And finding the call for the protection check isn't really hard, just compare a protected lua function with a non protected and you will see the protected one has an additional call and that's the protection check.
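
Seen from the defender's side, both modifications described in this thread (a detour on a function, and a check rewritten to `mov eax, 1` / `retn`) change code bytes, so comparing a function's entry against a known-good copy from the shipped binary exposes them. The following is an added example, not code from any poster; the sample byte arrays, the `E9` jump form assumed for the detour and the 0x10000000 destination are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { CLEAN, FORCED_RETURN, JMP_DETOUR, MODIFIED };

/* Compare the live bytes at a function entry with a known-good copy from
   the shipped binary and name the tamper shape, if any. */
enum verdict check_entry(const uint8_t *live, const uint8_t *ref, size_t n)
{
    if (memcmp(live, ref, n) == 0)
        return CLEAN;
    /* B8 imm32 then C3 (retn) or C2 (retn imm16): constant return value,
       original body never runs. */
    if (n >= 6 && live[0] == 0xB8 && (live[5] == 0xC3 || live[5] == 0xC2))
        return FORCED_RETURN;
    /* E9 rel32: execution is diverted before the original code. */
    if (n >= 5 && live[0] == 0xE9)
        return JMP_DETOUR;
    return MODIFIED;
}

/* Destination of an E9 rel32 jump placed at entry_va (32-bit wraparound). */
uint32_t detour_target(uint32_t entry_va, const uint8_t *live)
{
    uint32_t rel = (uint32_t)live[1] | (uint32_t)live[2] << 8 |
                   (uint32_t)live[3] << 16 | (uint32_t)live[4] << 24;
    return entry_va + 5u + rel;
}

/* Constructed samples: REF is the prologue of sub_4A4480 hand-assembled
   from the listing; PATCHED and HOOKED are made-up tampered copies. */
static const uint8_t REF[10]     = {0x55,0x8B,0xEC,0x83,0x3D,0x40,0xB4,0x2E,0x01,0x00};
static const uint8_t PATCHED[10] = {0xB8,0x01,0x00,0x00,0x00,0xC3,0xB4,0x2E,0x01,0x00};
static const uint8_t HOOKED[10]  = {0xE9,0x7B,0xBB,0xB5,0x0F,0x40,0xB4,0x2E,0x01,0x00};

int main(void)
{
    static const char *names[] = {"clean", "forced return", "jmp detour", "modified"};
    printf("ref:     %s\n", names[check_entry(REF, REF, sizeof REF)]);
    printf("patched: %s\n", names[check_entry(PATCHED, REF, sizeof REF)]);
    printf("hooked:  %s -> 0x%08X\n", names[check_entry(HOOKED, REF, sizeof REF)],
           (unsigned)detour_target(0x004A4480u, HOOKED));
    return 0;
}
```

A byte comparison like this only covers code; the data-side change from the first post (zeroing the scope value around the call) leaves the function bytes untouched apart from the hook that performs it.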
