Auto-login, Finding Lua_Register Offset (Help)
  1. #1
    schifers (Member)

    Auto-login, Finding Lua_Register Offset (Help)

    I'm trying to build my own bot by learning from what others have done; that's why I'm analysing Babbot's code.

    I have some gaps in my knowledge of all these reversing and memory-editing subjects, but I'm trying to fill them.

    I saw in Babbot that they have a way to auto-login using Lua function calls from the bot's code.

    Just like in Cypher's post:

    http://www.mmowned.com/forums/wow-me...gin-stuff.html

    And like in attn's post:

    http://www.mmowned.com/forums/bots-p...ot-autoit.html

    What I think they do is inject a DLL so they can use the Lua functions from the bot.

    To make this work, they use the lua_register callback offset.

    I'm trying to do the same, but since I don't yet know how to find things in WoW's memory by myself, I would like to learn it with your help, guys.

    I can't find the lua_register offset the way I read in bobbysing's post:

    How to find stuff [Archive] - GameDeception - A Development Site for Reverse Engineering

    These are the steps he says to use when you want to find the lua_register offset:

    "Open the game client in IDA and wait until the auto-analysis is finished
    Search for the string "DefaultServerLogin" (It could be any lua function that's registered by the game.)
    Copy the address of the string
    Open the game client in OllyDbg, but don't run it
    Put an On-Access breakpoint on the address of the string
    When it breaks, execute until return until you end up in a function that looks like the following one..."

    To see the function go to the bobbysing post:

    How to find stuff [Archive] - GameDeception - A Development Site for Reverse Engineering

    Ok...

    I followed the steps without a problem. I loaded the game client in IDA and I found the address of the string "DefaultServerLogin".

    0x0080265E

    Then I opened wow.exe in OllyDbg and went to that address:

    I have something like this on this line:

    PUSH Wow.00A2FEFC Arg2 = 00A2FEFC ASCII "Usage: DefaultServerLogin("accountName", "password")"

    I put an On-Access breakpoint there, but the execution never stops on that line.

    Am I doing something wrong? Is all the stuff I wrote here correct? I mean, am I going in the right direction?

  2. #2
    caytchen (Contributor)
    It will only ever take the "Usage" branch if the number of arguments or their type is incorrect. Since this is at login time, the only Lua running is Blizzard's, and it's unlikely to call that function with invalid arguments.

    Anyway, if you want lua_register, there's no point in placing a breakpoint on the actual Lua function. You need to put one on the name, just as bobbysing said: "Put an On-Access breakpoint on the address of the string"

  3. #3
    schifers (Member)
    Originally Posted by caytchen
    It will only ever take the "Usage" branch if the number of arguments or their type is incorrect. Since this is at login time, the only Lua running is Blizzard's, and it's unlikely to call that function with invalid arguments.

    Anyway, if you want lua_register, there's no point in placing a breakpoint on the actual Lua function. You need to put one on the name, just as bobbysing said: "Put an On-Access breakpoint on the address of the string"
    So, I'm not putting the breakpoint in the right place. My problem is that I don't know how to use OllyDbg and I don't know what "Put an On-Access breakpoint on the address of the string" means.

    I'm googling it to see if I can find more clues. Anyway, thanks for your response. At least I know that I was not doing it right.

    I'll keep trying; if someone can give me more clues on how to find the address of that string, I would be glad.

  4. #4
    SKU (Contributor)
    Edit: Never mind, lol, didn't read that properly. You gotta find the actual function name, not the error string. Then place a breakpoint on the string's address.
    Last edited by SKU; 05-03-2010 at 11:57 AM.

  5. #5
    schifers (Member)
    Edit: Oops... Since SKU removed his post, I'm correcting my answer too.

    Let's now try to find the function name and place the breakpoint on the string's address.
    Last edited by schifers; 05-03-2010 at 12:03 PM.

  6. #6
    eLaps (Active Member)
    Originally Posted by schifers
    I saw in Babbot that they have a way to auto-login using Lua function calls from the bot's code.
    [...]
    To make this work, they use the lua_register callback offset.
    Where did you see lua_register in these topics?
    To call Lua functions (i.e. for your auto-relog stuff), search for FrameScript_Execute (aka DoString).

    'Hello World' in the chat frame:
    Code:
        void (*dostring)(const char*, int, int) = (void (*)(const char*, int, int))0x004B32B0;
        dostring("print('Hello World')", 0, 0);
    Last edited by eLaps; 05-03-2010 at 12:22 PM.

  7. #7
    schifers (Member)
    Originally Posted by eLaps
    Where did you see lua_register in these topics?
    To call Lua functions (i.e. for your auto-relog stuff), search for FrameScript_Execute (aka DoString).

    'Hello World' in the chat frame:
    Code:
        void (*dostring)(const char*, int, int) = (void (*)(const char*, int, int))0x004B32B0;
        dostring("print('Hello World')", 0, 0);
    I followed attn's post.

    Originally Posted by attn
    To begin with, a bit of theory. WoW has a special "GlueXML" interface for all out-of-the-game stuff. It can be extracted out of patch.mpq with WinMPQ. All the logic for login, character selection and so on can be found there. The only interface I have no idea about is "SecurityMatrix".

    Now back to auto-login. You need a Lua module injected into WoW to use GlueXML. All code below is in C#, but my skills in this language are not very good, so if you have a more elegant solution, post it here.
    Looking for the code he posted in that topic inside Babbot's code, I found that to use his Lua_DoString method, it uses Lua injection through Dante.dll.

    Isn't that right? Don't you need to inject a DLL through EasyHook to make a Lua call inside WoW?

    And about lua_register, don't you need to be able to use it to write a Lua_DoString method?

    What is lua_register used for? Is it for you to write your own Lua functions and run them inside WoW?

    Why does Babbot ask for the lua_register offset at the beginning of its execution, on the config form?
    Last edited by schifers; 05-03-2010 at 12:39 PM.

  8. #8
    XTZGZoReX (Active Member)
    If by Lua__Register you mean the function I think you mean, it registers a native function that can be called from Lua. Anyways, just find some of the Lua func arrays (they're quite hard to miss) and xref them - you'll easily find where Lua__Register is.

  9. #9
    eLaps (Active Member)
    Originally Posted by schifers
    I found that to use his Lua_DoString method, it uses Lua injection through Dante.dll
    What you call "Lua injection" is a Lua function registration, and no, you don't need that to use DoString.
    DoString executes the string you write and pass to it.

    Originally Posted by schifers
    And about lua_register, don't you need to be able to use it to write a Lua_DoString method?
    What is lua_register used for? Is it for you to write your own Lua functions and run them inside WoW?
    Yes, lua_register is for accessing your functions through Lua. But you want to call WoW's Lua functions, right? Why do you want to write your own Lua function?

    Originally Posted by schifers
    Why does Babbot ask for the lua_register offset at the beginning of its execution, on the config form?
    To get the return values of WoW's Lua functions. And you don't seem to need that yet.
    See http://www.mmowned.com/forums/wow-me...functions.html

  10. #10
    schifers (Member)
    Originally Posted by eLaps
    Yes, lua_register is for accessing your functions through Lua. But you want to call WoW's Lua functions, right? Why do you want to write your own Lua function?
    In attn's post he says that auto-login needs to use some GlueXML, and to use that stuff you need Lua injected to get all that functionality.

    Looking into Babbot's code, I found a file named WoWData.xml, and inside that file there are some Lua functions that seem to be the logic I need to execute my auto-selection of account, realm, character...

    Since after that battle.net stuff in WoW's login procedure I even have to select my account, because I have like 5 accounts bound to one battle.net account.

    To make it automatic, I guess I have to do something like project Babbot did.

    So, to get all this functionality, I should be injecting Lua into the WoW process. Am I right on this?

  11. #11
    eLaps (Active Member)
    Ok, sorry, I haven't looked at it and I don't know the benefits of doing it like this, but it seems a bit overcomplicated.

    Simpler: write your Lua into dostring.
    Code:
    #include <sstream>
    #include <string>

    // user, password, server and character are std::string values supplied by the caller;
    // dostring is the FrameScript_Execute function pointer shown in post #6.
    std::stringstream ss;
    ss <<    "if (AccountLoginUI:IsShown()) then\n";
    if (!user.empty() && !password.empty()) {
        ss <<    "AccountLoginUI:Hide();\n"
                "DefaultServerLogin('" + user + "', '" + password + "');\n";
    }
    ss <<    "end if (RealmList:IsShown()) then\n";
    if (!server.empty()) {
        ss <<    "for i = 1, select('#', GetRealmCategories()) do local numRealms = GetNumRealms(i);\n"
                    "for j = 1, numRealms do local name, numCharacters = GetRealmInfo(i, j);\n"
                        "if (name == '" + server + "') then\n"
                            "ChangeRealm(i,j);\n"
                            "RealmList:Hide();\n"
                        "end\n"
                    "end\n"
                "end\n";
    }
    ss <<    "end if (CharacterSelectUI:IsShown()) then\n";
    if (!character.empty()) {
        ss <<    "for i=0,GetNumCharacters() do local name = GetCharacterInfo(i);\n"
                    "if (name ~= nil and name == '" + character + "') then\n"
                        "CharacterSelect_SelectCharacter(i);\n"
                    "end\n"
                "end\n";
    }
    ss <<        "EnterWorld();\n"
            "end";
    dostring(ss.str().c_str(), 0, 0);
    Last edited by eLaps; 05-03-2010 at 01:56 PM.
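The snippet above splices user, password and realm into Lua source by plain string concatenation, so a value containing a quote or backslash terminates the literal early and the remainder is parsed as Lua code. Added example, not code from this thread or from Babbot: a C++ quoting helper that turns any value into a Lua 5.1 string literal, with a round-trip check; the names lua_quote, build_login_call and lua_unquote are assumptions of this example.

```cpp
#include <cstdio>
#include <string>
// Added example (not code from the thread). The posted snippets splice
// user/password into Lua source by concatenation, so a value containing
// ' or \ ends the literal early and the rest is parsed as Lua code.
// lua_quote() emits a Lua 5.1 literal that decodes to exactly its input.
std::string lua_quote(const std::string& s) {
    std::string out = "'";
    for (unsigned char c : s) {
        switch (c) {
            case '\'': out += "\\'";  break;
            case '\\': out += "\\\\"; break;
            case '\n': out += "\\n";  break;
            case '\r': out += "\\r";  break;
            default:
                if (c < 0x20 || c == 0x7f) {          // other control bytes: \ddd
                    char buf[8];
                    std::snprintf(buf, sizeof buf, "\\%03u", static_cast<unsigned>(c));
                    out += buf;
                } else {
                    out.push_back(static_cast<char>(c));
                }
        }
    }
    return out + "'";
}

// Same login statement as the thread's snippet, but every caller-supplied
// value goes through lua_quote() instead of raw concatenation.
std::string build_login_call(const std::string& user, const std::string& pw) {
    return "DefaultServerLogin(" + lua_quote(user) + ", " + lua_quote(pw) + ");";
}

// Minimal decoder for the escapes lua_quote() emits (not a general Lua
// lexer); used only to check that quoting round-trips.
std::string lua_unquote(const std::string& lit) {
    std::string out;
    for (std::string::size_type i = 1; i + 1 < lit.size(); ++i) {  // skip quotes
        if (lit[i] != '\\') { out.push_back(lit[i]); continue; }
        char e = lit[++i];
        if (e == 'n')      out.push_back('\n');
        else if (e == 'r') out.push_back('\r');
        else if (e >= '0' && e <= '9') {                // always 3 digits here
            out.push_back(static_cast<char>(std::stoi(lit.substr(i, 3))));
            i += 2;
        } else out.push_back(e);                        // \' or \\ (literal char)
    }
    return out;
}
```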

  12. #12
    mnbvc (Banned)
    1. hook endscene

    2. use DoString and ClntObjMgrGetActivePlayer
    typedef void (__cdecl * tDoString)(const char* sCommand1, const char* sCommand2, void* pState);
    tDoString oDoString = (tDoString)DoString;

    typedef UINT64 (__cdecl *tClntObjMgrGetActivePlayer)();
    tClntObjMgrGetActivePlayer oClntObjMgrGetActivePlayer = (tClntObjMgrGetActivePlayer)ClntObjMgrGetActivePlayer;


    3.
    Originally Posted by mnbvc
    one-line auto-login, no need to get any return values
    simply call it in endscene if (ClntObjMgrGetActivePlayer() == 0)

    Code:
    "if (AccountLoginUI and AccountLoginUI:IsShown()) then AccountLoginUI:Hide(); DefaultServerLogin('" + username + "', '" + password + "'); elseif (RealmList and RealmList:IsShown()) then for i = 1, select('#',GetRealmCategories()) do  for j = 1, GetNumRealms(i) do if (GetRealmInfo(i, j) == '" + realm + "') then RealmList:Hide(); ChangeRealm(i,j); end end end elseif (CharacterSelectUI and CharacterSelectUI:IsShown()) then for i=0,GetNumCharacters() do local name = GetCharacterInfo(i); if (name and name == '" + charname + "') then CharacterSelect_SelectCharacter(i); end end EnterWorld(); end";

  13. #13
    flo8464 (Active Member)
    Before messing around with lua, read this: Programming in Lua : contents

  14. #14
    Pimpace (Member)
    So does hooking endscene need injection, or not? (Sorry if it was a very noob question, I don't wanna offend anyone.)
    Is this safe? I mean, if I only want an auto-login program, can Warden catch me? Is this method ban-safe?

  15. #15
    Cypher (Kynox's Sister's Pimp)
    Originally Posted by Pimpace
    So does hooking endscene need injection, or not? (Sorry if it was a very noob question, I don't wanna offend anyone.)
    Is this safe? I mean, if I only want an auto-login program, can Warden catch me? Is this method ban-safe?
    Use some ****ing common sense. Of course if you're going to be API hooking and running code in the context of the game you'll need to inject code in some form or another.
