[WoW][7.2.5.24415][macos][Question] How to find Lua unlock memory address?

[Doriev]

I play WoW on macOS Sierra (x64). I'm trying to work out how to find the memory addresses to patch to remove the Lua lock. Is there an easier way than attaching a debugger and stepping through? (It seems like Blizzard stripped symbols, so can't find any shortcuts there.)

Any help is appreciated. Really, I'm looking to put together a set of heuristics (or even a script/tool) that will help me find the lock check function and patch address for not just the current WoW build, but futue updates as well.

[Frosttall]

A pretty basic approach (which is virtually usable for everything what gives you a feedback) is to walk back the stack trace. In this case you can look for the method which displays the error message which states that you're not allowed to execute this method.

As soon as you've got your breakpoint on that error-method, call your locked lua method and wait until your breakpoint gets hit. Starting from that point just walk back the stack trace and watch out what the code is doing over there. At some point you will find a condition which results in that error message being thrown instead of continuing the regular execution. Try to override that check and observe whether your method is now successfully callable; otherwise just go up the stack trace even further until you get the expected result.

One word of advice: Do not do this on your main account - these type of checks are usually monitored by warden and could result in an automated ban of your account. Just create a new account, do your debugging, monitor whether your changes result in any bad impacts and last but not least, check the memory threads on OwnedCore for a list of warden scanned adresses and make sure that your adress is not being scanned.

[athre0z]

• Throw Wow into IDA, give it some time to finish analysis
• CMD+F the string window for "StrafeRightStart" (or any other protected function, this one just happens to be especially short)
• Doule-click the string, copy the address where you end up
• ALT+B, type "0x", then paste the address you just copied, [x] Find all, Go, double-click the only hit
• Leave cursor where you ended up, hit d until the line begins with "dq" (should now be recognized as ptr to the string)
• Select line below, repeat the d pressing until you end up with dq as well
• Line should now be recognized as offset (sub_xxxx), double-click the sub_xxxx
• You are now in the LUA handler for the func, the target of the first call is the "MayExecuteProtectedFunc"-func

Edit: In 24461 it's at 0000000100BF6E00.