Unlock Protected LUA with a Patch? (Without Injecting code?)
  1. #1 Zeroi9 (Banned)


    I'm in need of protected Lua functions for use with my fly bot, but since I'm coding in AutoIt at the moment I can't find any UDFs on injecting ASM into another process with AutoIt. Maybe if I had the exact procedure for injecting ASM (the DllCalls needed to do so) I could probably attempt it. But anyway, I'm wondering if anyone has found a way to patch a jmp or memory edit to unlock protected Lua? If so, can someone please PM me or post? This is a private project and won't be sold or distributed, so no worries about going public. Although I will be sharing some new stuff I've made.


    Also, can someone tell me the exact function that needs to be edited or the ASM that needs to be modded? I've heard from someone on a post that you can set a function to always return 1 and it will unlock most of the Lua, but I still can't find the exact function where to do so...
    I.e...
    Code:
    mov eax, 1
    retn
    Thanks for anyone's help. I'm back here to chill and share what I've been working on since I've been gone. Thanks to anyone willing to help.

  2. #2 SKU (Contributor)
    Code:
    B8 01000000   MOV EAX,1
    C3            RETN
    byte[] bInject = { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 };
    w.WriteBytes(0x4A4480, bInject);

    Or if AutoIt doesn't support that:

    uint restriction = 0x4A4480; // 3.0.9
    WriteByte(restriction, 0xB8);
    WriteByte(restriction + 1, 0x01);
    WriteByte(restriction + 2, 0x00);
    ...

  3. #3 Zeroi9 (Banned)
    What function do I inject this into? Like, do you have the start address that I would modify? PM me if you don't want to say it please, I really need this, thanks for your help man! + REP

    edit* oh I see, it's this address, right? 0x4A4480
    Last edited by Zeroi9; 03-29-2009 at 08:58 AM.

  4. #4 SKU (Contributor)
    The Lua protection check function is located at 0x4A4480.

    Code:
    004A4480        /$  55               PUSH EBP
    004A4481        |.  8BEC             MOV EBP,ESP
    004A4483        |.  833D 40B42E01 00 CMP DWORD PTR DS:[12EB440],0
    004A448A        |.  8B4D 08          MOV ECX,[ARG.1]                           ;  Wow.<ModuleEntryPoint>
    004A448D        |.  A1 C0680A01      MOV EAX,DWORD PTR DS:[10A68C0]
    To make this function always return true, you can just patch the very first opcodes to

    mov eax,1
    retn

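    As an added defender-side illustration (not code from this thread or the game), a small C routine that compares a function's leading bytes against a trusted copy and classifies the kind of change found: intact, the constant-return stub described above, or a jmp detour of the kind a Cheat Engine script writes. The five known-good bytes are taken from the disassembly quoted above; the sample buffers and the enum names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum code_state { CODE_INTACT = 0, CODE_CONST_RETURN_STUB = 1,
                  CODE_JMP_HOOK = 2, CODE_MODIFIED_OTHER = 3 };

/* First five bytes of the check function as shown in the thread's disassembly:
 * push ebp / mov ebp,esp / first two bytes of cmp dword ptr [..],0. */
static const uint8_t KNOWN_GOOD[] = { 0x55, 0x8B, 0xEC, 0x83, 0x3D };

/* "mov eax, imm32 ; retn" = B8 xx xx xx xx C3, the patch discussed above. */
static int is_const_return_stub(const uint8_t *c, size_t n) {
    return n >= 6 && c[0] == 0xB8 && c[5] == 0xC3;
}

/* "jmp rel32" = E9 xx xx xx xx, what a Cheat Engine-style detour writes. */
static int is_jmp_hook(const uint8_t *c, size_t n) {
    return n >= 5 && c[0] == 0xE9;
}

/* Compare the live bytes of a function against the trusted copy and report
 * what, if anything, was done to them. Only sizeof(KNOWN_GOOD) bytes are
 * compared, so a shorter buffer is reported as modified rather than trusted. */
enum code_state classify_prologue(const uint8_t *live, size_t n) {
    if (n < sizeof KNOWN_GOOD) return CODE_MODIFIED_OTHER;
    if (memcmp(live, KNOWN_GOOD, sizeof KNOWN_GOOD) == 0) return CODE_INTACT;
    if (is_const_return_stub(live, n)) return CODE_CONST_RETURN_STUB;
    if (is_jmp_hook(live, n)) return CODE_JMP_HOOK;
    return CODE_MODIFIED_OTHER;
}

/* Constructed sample images of the function's first 8 bytes. */
static const uint8_t SAMPLE_INTACT[8] = { 0x55,0x8B,0xEC,0x83,0x3D,0x40,0xB4,0x2E };
static const uint8_t SAMPLE_STUB[8]   = { 0xB8,0x01,0x00,0x00,0x00,0xC3,0x40,0xB4 };
static const uint8_t SAMPLE_JMP[8]    = { 0xE9,0x00,0x00,0x00,0x00,0x90,0x90,0x90 };

int main(void) {
    printf("intact: %d\n", classify_prologue(SAMPLE_INTACT, sizeof SAMPLE_INTACT));
    printf("stub:   %d\n", classify_prologue(SAMPLE_STUB, sizeof SAMPLE_STUB));
    printf("jmp:    %d\n", classify_prologue(SAMPLE_JMP, sizeof SAMPLE_JMP));
    return 0;
}
```

    A byte comparison like this only covers the code it compares; the rest of the thread shows callers that never invoke the check and a flag in writable data, neither of which a code integrity check on this one function will notice.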
  5. #5 Zeroi9 (Banned)
    Dude, ok I think I understand this now, I'm going to test this with CheatEngine with an AutoAssembler and script engine to inject that into the first part of the function.

    But quick question, you say the very "first" opcodes, so do you mean
    Code:
    004A4480        /$  55               PUSH EBP
    004A4481        |.  8BEC             MOV EBP,ESP
    Or the next ones after the start....
    Code:
    004A4481        |.  8BEC             MOV EBP,ESP
    004A4483        |.  833D 40B42E01 00 CMP DWORD PTR DS:[12EB440],0
    Thanks again mate, gave you +2 rep for helping.

  6. #6 SKU (Contributor)
    Originally Posted by Zeroi9:
    ..

    But quick question, you say the very "first" opcodes, so do you mean
    Code:
    004A4480        /$  55               PUSH EBP
    004A4481        |.  8BEC             MOV EBP,ESP
    ...
    byte[] bInject = { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 };
    w.WriteBytes(0x4A4480, bInject);

    Or if AutoIt doesn't support that:

    uint restriction = 0x4A4480; // 3.0.9
    WriteByte(restriction, 0xB8);
    WriteByte(restriction + 1, 0x01);
    WriteByte(restriction + 2, 0x00);
    ...
    The 1st quote.

  7. #7 Zeroi9 (Banned)
    Damn man, I don't understand why it doesn't work, I'm patching the first bytes with the
    mov eax, 1
    retn

    I'm using this ASM with CE's autoassembler to inject the code into the process at that address... is this wrong??

    Code:
    alloc(newmem,2048) //2kb should be enough
    label(returnhere)
    label(originalcode)
    label(exit)
    
    004A4480:
    jmp newmem
    nop
    nop
    nop
    nop
    nop
    returnhere:
    
    newmem: //this is allocated memory, you have read,write,execute access
    mov eax, 1
    retn
    cmp dword ptr [012eb440],00
    
    originalcode:
    push ebp
    mov ebp,esp
    cmp dword ptr [012eb440],00
    
    exit:
    jmp returnhere
    The message still shows when I type a command like /script ClearTarget() and it's still blocked >< What am I doing wrong??

  8. #8 SKU (Contributor)
    I've never done anything with CE, but it worked fine for me. :O

    Code:
    004A4480:
    mov eax,1
    ret
    Edit: Indeed, it doesn't work for ClearTarget(). There's no call to the check in the ClearTarget() function.

    Code:
    004AFA10        /.  55               PUSH EBP
    004AFA11        |.  8BEC             MOV EBP,ESP
    004AFA13        |.  A1 E0680A01      MOV EAX,DWORD PTR DS:[10A68E0]            ;  target guid high
    004AFA18        |.  0B05 E4680A01    OR EAX,DWORD PTR DS:[10A68E4]             ;  target guid low
    004AFA1E        |.  56               PUSH ESI
    004AFA1F        |.  74 07            JE SHORT Wow.004AFA28
    004AFA21        |.  BE 01000000      MOV ESI,1
    004AFA26        |.  EB 02            JMP SHORT Wow.004AFA2A
    004AFA28        |>  33F6             XOR ESI,ESI
    004AFA2A        |>  6A 00            PUSH 0                                    ; /Arg2 = 00000000
    004AFA2C        |.  6A 00            PUSH 0                                    ; |Arg1 = 00000000
    004AFA2E        |.  E8 BDF1FFFF      CALL Wow.004AEBF0                         ; \Wow.004AEBF0
    004AFA33        |.  83C4 08          ADD ESP,8
    004AFA36        |.  85F6             TEST ESI,ESI
    004AFA38        |.  5E               POP ESI                                   ;  kernel32.7C817067
    004AFA39            74 1B            JE SHORT Wow.004AFA56
    004AFA3B        |.  D9E8             FLD1
    004AFA3D        |.  8B4D 08          MOV ECX,[ARG.1]                           ;  Wow.<ModuleEntryPoint>
    004AFA40        |.  83EC 08          SUB ESP,8                                 ; /
    004AFA43        |.  DD1C24           FSTP QWORD PTR SS:[ESP]                   ; |Arg2 (8-byte)
    004AFA46        |.  51               PUSH ECX                                  ; |Arg1 = 0019FFB0
    004AFA47        |.  E8 54E72F00      CALL Wow.007AE1A0                         ; \Wow.007AE1A0
    004AFA4C        |.  83C4 0C          ADD ESP,0C
    004AFA4F        |.  B8 01000000      MOV EAX,1
    004AFA54        |.  5D               POP EBP                                   ;  kernel32.7C817067
    004AFA55        |.  C3               RETN
    004AFA56        |>  8B55 08          MOV EDX,[ARG.1]                           ;  Wow.<ModuleEntryPoint>
    004AFA59        |.  52               PUSH EDX                                  ; /Arg1 = 7C91E4F4
    004AFA5A        |.  E8 21E72F00      CALL Wow.007AE180                         ; \Wow.007AE180
    004AFA5F        |.  83C4 04          ADD ESP,4
    004AFA62        |.  B8 01000000      MOV EAX,1
    004AFA67        |.  5D               POP EBP                                   ;  kernel32.7C817067
    004AFA68        \.  C3               RETN
    Last edited by SKU; 03-29-2009 at 10:30 AM.

  9. #9 shingetterrobo (Banned)
    Several Lua functions do not use the function at 4A4480; you will need to set 12EB440 to 0 for them to work.
    Last edited by shingetterrobo; 03-29-2009 at 10:38 AM.

  10. #10 Zeroi9 (Banned)
    Dude, this is what this section is for, to explore other methods. Just save yourself your fingers and don't post unless you want to help, man, jesus. I like you bro, but come on, when did I ever do anything to you?

    And about the 12EB440 address, its value is already 0...? And I freeze it and ClearTarget() is still blocked... any other ideas?
    Last edited by Zeroi9; 03-29-2009 at 10:53 AM.

  11. #11 shingetterrobo (Banned)
    Originally Posted by Zeroi9:
    Dude, this is what this section is for, to explore other methods. Just save yourself your fingers and don't post unless you want to help, man, jesus. I like you bro, but come on, when did I ever do anything to you?

    And about the 12EB440 address, its value is already 0...? And I freeze it and ClearTarget() is still blocked... any other ideas?
    It changes to something other than 0 whenever you attempt to call a Lua function; if it's not 0 the function will fail. CE's 'freeze' isn't likely to be fast enough.

  12. #12 Sychotix (Moderator)
    Then whatever the opcode is, you can modify it to always return 0 =P

    Like if it's "mov eax,edx"... change that to "mov eax,0" and it should work.

  13. #13 Nesox (Elder)
    You can't patch it without injecting/overwriting a few bytes. If you do it with C# it would be no problem. And I guess you can do it with AutoIt too, it's not hard.

  14. #14 shingetterrobo (Banned)
    You can set 0FC64EC to 0 to enable all protected Lua functions you call through typing in game. Also, in case you didn't know this, the third parameter on DoString is moved into the hardwareEventCheck, so if you push 0 all Lua functions will be enabled.

    Considering it's in the .data section, it should be considerably safer than other options.

    edit: so much for Apoc's monitoring ^_^
    Last edited by shingetterrobo; 03-30-2009 at 02:59 PM.

  15. #15 Zeroi9 (Banned)
    Love you too Cyhper ^_^
