Reversing wow lua

**Lithion** · 02-06-2010

I've spent some time reversing wow's lua implementation in order to inject my own lua static libs.

WHY?!?: I felt like it && didnt want to use FrameScript_Execute + want to write my bot logic in lua

Working so far:

Injection
Registering wow's lua functions.
Calling jump, strafe, target nearest, castspellbyname, getspellname

I've used Lua 5.1.4 with with the following patches

Code:

struct lua_State {
	CommonHeader;
	lu_byte status;
	StkId top;					/* first free slot in the stack */
	StkId base;					/* base of current function */
	global_State *l_G;
	CallInfo *ci;					/* call info for current function */
	const Instruction *savedpc;	/* `savedpc' of current function */
	StkId stack_last;				/* last free slot in the stack */
	StkId stack;					/* stack base */
	CallInfo *end_ci;				/* points after end of ci array*/
	CallInfo *base_ci;			/* array of CallInfo's */
	int stacksize;
	int size_ci;					/* size of array `base_ci' */
	unsigned short nCcalls;		/* number of nested C calls */
	//unsigned short baseCcalls;	/* nested C calls when resuming coroutine */
	lu_byte hookmask;
	lu_byte allowhook;
	int basehookcount;
	int hookcount;
	lua_Hook hook;
	TValue l_gt;					/* table of globals */
	TValue env;					/* temporary place for environments */
	GCObject *openupval;			/* list of open upvalues in this stack */
	GCObject *gclist;
	struct lua_longjmp *errorJmp; /* current error recover point */
	ptrdiff_t errfunc;			/* current error handling function (stack index) */
};

Yeah, base calls has been removed. you'll have to fix references to it - AFAIK its only used for yield/resume.

There is also a change to common header:

Code:

#define CommonHeader	GCObject *next; unsigned int magic; lu_byte tt; lu_byte marked

I'm not sure what they have put there, I haven't seen any references to it yet.

Finally, after changing the header you break the packing on TString, (sizeof(TString) is 4 bytes too long, so you miss the first 4 bytes of your string)

Code:

typedef union TString {
  //L_Umaxalign dummy;  /* ensures maximum alignment for strings */
  struct {
    CommonHeader;
    lu_byte reserved;
    unsigned int hash;
    size_t len;
  } tsv;
} TString;

Not sure if there is a better way to do that, the L_Umaxalign struct is used in a few other places...

This one alignment should take care of for you, but as wow makes a few direct references I've added it to be on the safe side.

Code:

#define TValuefields	Value value; int tt; unsigned int magic

Hope I havn't missed anything.

Update: Added Tvalue patch

**kynox** · 02-06-2010

The unknown values you are talking about there are part of their "secure" environment stuff.

**Lithion** · 02-06-2010

Yeah, that's what I figured. Though I've been able to call most of the protected functions fine so I haven't done any digging re what they get set to or where.