[Linux] simple injection with LD_PRELOAD
  1. #16
    Cypher
    Originally Posted by audible83
    One question that pops up to my mind.

    Why is blizz checking whether we are running wow under linux? API_IsLinuxClient

    Probably because of the accidental Cedega bans that happened a while back.
  2. #17
    audible83
    Yes, I have deduced it that far.
    Question is, what's the different behaviour?
    Could it be a blacklist of modules that warden should or should not load?

  3. #18
    RoKFenris
    Originally Posted by audible83
    One question that pops up to my mind.

    Why is blizz checking whether we are running wow under linux? API_IsLinuxClient

    I believe they were toying with the idea of releasing a Linux client before but never did go ahead with the idea. That function has been present for quite a long time, but if you look at the address of this function, it's the same as the "IsMacClient" and "GetTimeToWellRested" functions, which seem to be a generic return nothing function.

  4. #19
    Cypher
    Originally Posted by audible83
    Yes, I have deduced it that far.
    Question is, what's the different behaviour?
    Could it be a blacklist of modules that warden should or should not load?

    Warden behaves differently depending on whether or not it detects it's running under Wine. What exactly the difference is however, is something you'll need to investigate for yourself.

    To get you started, the API it uses to detect Wine is "wine_get_unix_file_name".

  5. #20
    Sednogmah
    Originally Posted by audible83
    One question that pops up to my mind.

    Why is blizz checking whether we are running wow under linux? API_IsLinuxClient

    WoW occasionally transmits system information to Blizzard during the login. I'm sure Blizzard wants to know the size of their Linux user base.

  6. #21
    audible83
    I'm looking for a way to find the linux pid inside wow process.
    I'm writing a bash script that keeps wow logged in at all times.
    Anyone that could kick me in the right direction?

  7. #22
    eLaps
    Originally Posted by audible83
    I'm looking for a way to find the linux pid inside wow process.

    Code:
    #include <sys/types.h> 
    #include <unistd.h>
    pid_t getpid(void);

  8. #23
    audible83
    Thanks and +rep for helpful behaviour

  9. #24
    loopforever
    Hi guys,

    I've been fiddling around with this myself, but I haven't had much luck. I was hoping someone might be able to point me in the right direction.

    In its most diluted form, all I'm trying to do is print to STDOUT when my glClear() is called. Although I see the library loaded, the function itself is never called.

    Here's the code in its most diluted form:

    Code:
    /*
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib32
    gcc -Wall -m32 -fPIC -shared wow-playername.c -o wow-playername.so -ldl
    (libraries go after the sources so the linker resolves dlsym against libdl)
    */

    #define _GNU_SOURCE
    #include <dlfcn.h>
    #include <stdio.h>
    #include <stdint.h>
    #include <stdlib.h>
    #include <GL/gl.h>

    /* Interposed glClear(): logs the call, then forwards to the real function. */
    void glClear(GLbitfield mask) {
      static void (*lib_glClear)(GLbitfield mask) = NULL;
      char* errorstr;

      printf("in glclear\n");

      if(!lib_glClear) {
        dlerror();  /* clear any stale error before the lookup */
        /* RTLD_NEXT: the next glClear after this library in the search order */
        lib_glClear = dlsym(RTLD_NEXT, "glClear");
        if((errorstr = dlerror()) != NULL) {
          fprintf(stderr, "dlsym fail: %s\n", errorstr);
          exit(1);
        }
      }

      lib_glClear(mask);
    }

    And here's what I see when it's loaded via LD_PRELOAD with LD_DEBUG=all:

    Code:
         30222:     file=/home/xxxxx/x/wow-playername.so [0];  needed by wine [0]
         30222:     file=/home/xxxxx/x/wow-playername.so [0];  generating link map
         30222:       dynamic: 0xf77a6f14  base: 0xf77a5000   size: 0x00002054
         30222:         entry: 0xf77a56b0  phdr: 0xf77a5034  phnum:          6
    Code:
         30222:     symbol=glClear;  lookup in file=/usr/bin/../lib32/wine/opengl32.dll.so [0]
         30222:     symbol=glClear;  lookup in file=/media/disk/Users/Public/Games/World of Warcraft/Wow.exe [0]
         30222:     symbol=glClear;  lookup in file=/home/xxxxx/x/wow-playername.so [0]
         30222:     binding file /usr/bin/../lib32/wine/opengl32.dll.so [0] to /home/xxxxx/x/wow-playername.so [0]: normal symbol `glClear'
    Wow.exe loads via Wine as expected, but "in glclear" is never printed.

    If anyone has any thoughts, I'd really appreciate it. Thanks in advance!
    Last edited by loopforever; 07-04-2010 at 01:53 PM.
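
To audit which symbols a preloaded object actually took over, the `binding file ... to ...` records that `LD_DEBUG=bindings` prints (like the one quoted in the post above) can be parsed and matched against the `LD_PRELOAD` path. This is an added example, not code from the thread; the sample log, its paths and the function names `parse_binding` and `count_interposed` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in LD_DEBUG=bindings format; all paths are placeholders. */
static const char SAMPLE[] =
  "  101:  binding file /usr/lib32/wine/opengl32.dll.so [0] to /home/user/hook.so [0]: normal symbol `glClear'\n"
  "  101:  symbol=glClear;  lookup in file=/home/user/hook.so [0]\n"
  "  101:  binding file /home/user/hook.so [0] to /lib32/libc.so.6 [0]: normal symbol `printf' [GLIBC_2.0]\n"
  "  101:  binding file /opt/My Game/app [0] to /home/user/hook.so [0]: normal symbol `glXSwapBuffers'\n";

/* Parse "binding file A [N] to B [N]: normal symbol `S'"; paths may contain spaces. */
int parse_binding(const char *line, char *to, char *sym, size_t cap)
{
    const char *p = strstr(line, "binding file ");
    const char *b = p ? strstr(p, "] to ") : NULL;
    const char *close = b ? strstr(b + 5, "]: ") : NULL;
    const char *q = close ? strchr(close, '`') : NULL;
    const char *e = q ? strchr(q + 1, '\'') : NULL;
    if (!e) return 0;                                  /* not a binding record */
    const char *tag = close;
    while (tag > b + 5 && *tag != '[') tag--;          /* back up over "[N" */
    size_t tlen = (size_t)(tag - (b + 5)), slen = (size_t)(e - q - 1);
    if (tlen < 2 || tag[-1] != ' ' || tlen > cap || slen >= cap) return 0;
    snprintf(to, cap, "%.*s", (int)(tlen - 1), b + 5); /* drop " " before '[' */
    snprintf(sym, cap, "%.*s", (int)slen, q + 1);
    return 1;
}

/* Count symbols in an LD_DEBUG log that were resolved into the object `preload`. */
int count_interposed(const char *log, const char *preload)
{
    char line[512], to[256], sym[256];
    int hits = 0;
    while (*log) {
        size_t n = strcspn(log, "\n");
        snprintf(line, sizeof line, "%.*s", (int)n, log);
        if (parse_binding(line, to, sym, sizeof to) && strcmp(to, preload) == 0) {
            printf("interposed by preload: %s\n", sym);
            hits++;
        }
        log += n + (log[n] == '\n');
    }
    return hits;
}

int main(void)
{
    printf("%d interposed symbol(s)\n", count_interposed(SAMPLE, "/home/user/hook.so"));
    return 0;
}
```

A count of zero for a library that the loader reports as mapped means nothing in the process resolved a symbol through it, which is the situation described in the post before `-opengl` was added.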

  10. #25
    eLaps
    Originally Posted by loopforever
    If anyone has any thoughts, I'd really appreciate it. Thanks in advance!
    Hi
    Your code works fine for me. Your stdout might be redirected?

  11. #26
    loopforever
    Originally Posted by eLaps
    Hi
    Your code works fine for me. Your stdout might be redirected?
    eLaps, thanks for trying it out. I had thought of that previously, so I tried various FD redirection in the shell, appending to a file inside glClear(), even making my glClear() never invoke the one provided by opengl32.dll.so (I expected things to break - they continued to work fine). No beans.

    Would you mind running the following and pasting the output?

    Code:
    uname -a; file /usr/bin/wine; file /usr/lib32/wine/opengl32.dll.so; ldd /usr/bin/wine; echo '---'; ldd wow-playername.so
    For comparison, here's mine:

    Code:
    Linux xxxxx-ubuntu64 2.6.32-23-generic #37-Ubuntu SMP Fri Jun 11 08:03:28 UTC 2010 x86_64 GNU/Linux
    /usr/bin/wine: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, stripped
    /usr/lib32/wine/opengl32.dll.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
            linux-gate.so.1 =>  (0xf7752000)
            libwine.so.1 => /usr/bin/../lib32/libwine.so.1 (0xf7615000)
            libpthread.so.0 => /lib32/libpthread.so.0 (0xf75d9000)
            libc.so.6 => /lib32/libc.so.6 (0xf747e000)
            libdl.so.2 => /lib32/libdl.so.2 (0xf747a000)
            /lib/ld-linux.so.2 (0xf7753000)
    ---
            linux-gate.so.1 =>  (0xf76fc000)
            libdl.so.2 => /lib32/libdl.so.2 (0xf76d0000)
            libc.so.6 => /lib32/libc.so.6 (0xf7576000)
            /lib/ld-linux.so.2 (0xf76fd000)
    Also, did you compile with the same command I provided?

    ---------- Post added at 08:25 PM ---------- Previous post was at 06:35 PM ----------

    Figured it out. I added the -opengl argument and all is well now:

    LD_PRELOAD=~/x/wow-playername.so wine /media/disk/Users/Public/Games/World\ of\ Warcraft/Wow.exe -opengl 2>&1

  12. #27
    HardcorEViruS
    If someone is still reading this thread it would be great to get some help with some problems I have with LD_PRELOAD.

    I managed to get my library loaded and everything works well, like reading the player's position and name, but I cannot call any function.
    When I try to call the ClntObjMgrGetActivePlayer() function, WoW crashes with an unhandled exception "Unable to read data at...".
    The offset of the function seems to be right as I checked it with IDA Pro.

    Here's how I call the function:

    Code:
    	static int (*ClntObjMgrGetActivePlayer)() = (void*) 0x004D3F40;
    
    	int tmp = ClntObjMgrGetActivePlayer();
    Thanks in advance!

  13. #28
    caytchen
    Not really Linux related, and the information you provided is rather sparse, but ClntObjMgrGetActivePlayer() accesses TLS data and you're probably not calling this from EndScene, aka the game thread which has the correct data in the TLS. Some engine functions silently fail in this case; this one obviously doesn't.
    Two approaches:
    1) Write the CurMgr stuff to TLS. Not recommended because the WoW API is not explicitly thread safe: it usually is, but you don't want to bet on it.
    2) Hook EndScene and call engine functions from there. Safe and clean.

    Edit: Since we're on Linux, replace every instance of "EndScene" in the above text with "random OpenGL function". Best suited are those called once a frame, since it allows you to enforce FPS limits and you don't really need to pulse a bot or radar or whatever else it is that you're building more often than every frame.
    Last edited by caytchen; 08-10-2010 at 02:45 AM.

  14. #29
    eLaps
    Originally Posted by HardcorEViruS
    Code:
    	static int (*ClntObjMgrGetActivePlayer)() = (void*) 0x004D3F40;
    
    	int tmp = ClntObjMgrGetActivePlayer();
    It's not linux-related. Signature + address are wrong.
    Code:
    uint64_t myguid = ((uint64_t (*)())0x004D3790)();
    or maybe you're still playing on the 3.3.5.12213?
    Last edited by eLaps; 08-10-2010 at 03:52 AM.

  15. #30
    Sednogmah
    Update: added glXSwapBuffers() hook, which is more reliable and versatile than glClear().
