[Retail] Reversing the current Wow lua_State menu

    [Retail] Reversing the current Wow lua_State

    Just using CE to look through the lua_State, it seems wildly different from the only OC post I could find about Wow's L. I followed that post's suggested modifications, but I crash the game when trying to use the modified lua_State with my own 5.1 lib. Are there any clever tricks for making this struct properly, alongside any other edits needed for Lua 5.1? I'm just painfully going through it one field at a time trying to match things.

    Here is what it looked like in CE for retail. Hopefully I'm even looking at L. If it is, I would assume either that CE does a poor job of identifying the types or that the layout is significantly different from the 2010 one — one of the two.
    L.png

    update: I've been able to see the stack size grow as I push new elements, but some of my alignment is still off because I get crashes with getfield and some other calls. This is proving to be quite the challenge.
    Last edited by GlittPrizes; 05-27-2021 at 04:47 PM.

    I was doing the same with Classic more than a month ago. I got this far, but it isn't complete.

    Code:
    diff -uNr lua-5.1.4/src/lapi.c lua-5.1.4.mod/src/lapi.c
    --- lua-5.1.4/src/lapi.c	2008-07-04 14:41:18.000000000 -0400
    +++ lua-5.1.4.mod/src/lapi.c	2021-05-21 20:17:39.123775773 -0400
    @@ -378,7 +378,7 @@
     
     LUA_API lua_CFunction lua_tocfunction (lua_State *L, int idx) {
       StkId o = index2adr(L, idx);
    -  return (!iscfunction(o)) ? NULL : clvalue(o)->c.f;
    +  return (!iscfunction(o)) ? NULL : clvalue(o)->c.f.cf;
     }
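Review bot: The new return expression `clvalue(o)->c.f.cf` reads one member of the `BCFunction` union, but nothing in this hunk, and nothing in the `iscfunction` check it keeps, establishes that `cf` rather than `bf` is the live member, so a closure that actually carries a `BlizFunc *` would be handed back to the caller typed as a `lua_CFunction`. If a per-closure discriminator exists in the game's closure layout it should be tested here before the read; if none has been found yet, record the assumption with a comment such as `/* assumes every C closure seen here holds a plain lua_CFunction; BlizFunc closures are not distinguished yet */`. The function is complete within the hunk.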
     
     
    @@ -489,7 +489,7 @@
       luaC_checkGC(L);
       api_checknelems(L, n);
       cl = luaF_newCclosure(L, n, getcurrenv(L));
    -  cl->c.f = fn;
    +  cl->c.f.cf = fn;
       L->top -= n;
       while (n--)
         setobj2n(L, &cl->c.upvalue[n], L->top+n);
    @@ -838,7 +838,7 @@
       struct CCallS *c = cast(struct CCallS *, ud);
       Closure *cl;
       cl = luaF_newCclosure(L, 0, getcurrenv(L));
    -  cl->c.f = c->func;
    +  cl->c.f.cf = c->func;
       setclvalue(L, L->top, cl);  /* push function */
       api_incr_top(L);
       setpvalue(L->top, c->ud);  /* push only argument */
    diff -uNr lua-5.1.4/src/ldo.c lua-5.1.4.mod/src/ldo.c
    --- lua-5.1.4/src/ldo.c 2008-01-18 17:31:22.000000000 -0500
    +++ lua-5.1.4.mod/src/ldo.c     2021-05-21 20:17:39.224842281 -0400
    @@ -316,7 +316,7 @@
         if (L->hookmask & LUA_MASKCALL)
           luaD_callhook(L, LUA_HOOKCALL, -1);
         lua_unlock(L);
    -    n = (*curr_func(L)->c.f)(L);  /* do the actual call */
    +    n = (*curr_func(L)->c.f.cf)(L);  /* do the actual call */
         lua_lock(L);
         if (n < 0)  /* yielding? */
           return PCRYIELD;
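Review bot: `(*curr_func(L)->c.f.cf)(L)` is an indirect call through a union member whose liveness is never checked, so if the closure really holds a `BlizFunc *` (the `bf` member this patch introduces) control transfers to the address of a data struct rather than to code — a crash at best, an arbitrary jump at worst. Until the discriminator is known, guard the call or document the assumption at this line; if the per-state `isBlizFunc` byte added in lstate.h is what distinguishes such closures, something like `if (G(L)->isBlizFunc) luaG_runerror(L, "Blizzard-native closure cannot be called from this library");` before the call would fail loudly instead. Whether that flag is the right test cannot be told from this diff, since nothing in it reads the field. `luaD_precall` begins and ends outside this hunk.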
    diff -uNr lua-5.1.4/src/lobject.h lua-5.1.4.mod/src/lobject.h
    --- lua-5.1.4/src/lobject.h     2008-08-06 09:29:48.000000000 -0400
    +++ lua-5.1.4.mod/src/lobject.h 2021-05-21 20:17:39.435288729 -0400
    @@ -40,7 +40,11 @@
     ** Common Header for all collectable objects (in macro form, to be
     ** included in other objects)
     */
    -#define  CommonHeader   GCObject *next; lu_byte tt; lu_byte marked
    +#define  CommonHeader   \
    +  GCObject *next; \
    +  unsigned long long tainted; \
    +  lu_byte tt; \
    +  lu_byte marked
     
     
     /*
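Review bot: The 8-byte `tainted` slot, like every other fill in this patch, only yields the offsets noted elsewhere in it (`tt` at +0x10, `marked` at +0x11) when pointers are 8 bytes, yet nothing pins the build to a 64-bit target, so a 32-bit compile would silently shift every field and crash the game the same way a wrong fill does. Add a compile-time check right after the macro, e.g. `typedef char lua_assert_ptr64[(sizeof(void *) == 8) ? 1 : -1];`, which also works under the C89 setting the stock 5.1.4 sources build with. The field's contents are inferred from layout only, so a comment saying so — `/* 8 bytes observed between next and tt in the game's objects; contents unknown, name is a guess */` — would stop the name being read as established behaviour.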
    @@ -61,14 +65,18 @@
       void *p;
       lua_Number n;
       int b;
    -} Value;
    +} lua_Value;
     
     
     /*
     ** Tagged Values
     */
     
    -#define  TValuefields   Value value; int tt
    +#define  TValuefields   \
    +  lua_Value value; \
    +  unsigned int tt; \
    +  unsigned int fill; \
    +  unsigned long long tainted
     
     typedef struct lua_TValue {
       TValuefields;
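Review bot: Adding `fill` and `tainted` to `TValuefields` without touching the copy macros means every `setobj`-style assignment in stock 5.1.4 copies only `value` and `tt`, so the two new words in a destination slot keep whatever was there before, and values this library pushes carry stale or uninitialized taint if the game reads that word. If it does, `setobj`, `setnilvalue` and the other setters in this header need to write `tainted` as well; those macros are outside the hunk, so I cannot tell whether they were updated. Note also that `tt` changed from `int` to `unsigned int`, so `ttype()` now yields an unsigned value, and that if `Value` is referenced in any other translation unit the rename to `lua_Value` has to follow it there.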
    @@ -196,6 +205,9 @@
     /*
     ** String headers for string table
     */
    +/*
    +  TString + 1c is hash??
    +*/
     typedef union TString {
       L_Umaxalign dummy;  /* ensures maximum alignment for strings */
       struct {
    @@ -288,13 +300,35 @@
     ** Closures
     */
     
    +/*
    +closure + 18h is isC (luaF_newCClosure)
    +closure + 28h is env (luaF_newCClosure)
    +closure + 30h should be BlizFunc (??) (luaF_newCClosure)
    +*/
    +
    +typedef struct {
    +  unsigned long long a;
    +  unsigned long long b;
    +  unsigned long long c;
    +  unsigned long long d;
    +} BlizFunc;
    +
    +typedef union {
    +  lua_CFunction cf;
    +  BlizFunc *bf;
    +} BCFunction;
    +
     #define  ClosureHeader \
    -       CommonHeader; lu_byte isC; lu_byte nupvalues; GCObject *gclist; \
    +       CommonHeader; \
    +  char clhfill[6]; \
    +  lu_byte isC; \
    +  lu_byte nupvalues; \
    +  GCObject *gclist; \
            struct Table *env
     
     typedef struct CClosure {
       ClosureHeader;
    -  lua_CFunction f;
    +  BCFunction f;
       TValue upvalue[1];
     } CClosure;
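Review bot: `BlizFunc` is declared as four opaque `unsigned long long`s named `a`..`d` with no record of what was observed in them, and the comment above still carries `(??)` although the layout as written does put `f` at +0x30 (header 0x12, `clhfill` to 0x18, `isC`/`nupvalues`, `gclist` at 0x20, `env` at 0x28). Replace the `??` with that derivation and name the members as placeholders, e.g. `unsigned long long unk00, unk08, unk10, unk18; /* 32 bytes reached through the closure's f slot; purpose unknown */`. `BCFunction` also needs a comment stating how a reader is meant to know which member is live, since no tag is added alongside the union.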
     
    @@ -335,10 +369,18 @@
     } Node;
     
     
    +/*
    +   Table + 48h is sizearray
    +   Table + 18h is flags
    +   Table + 19h is lsizenode
    +*/
    +
     typedef struct Table {
       CommonHeader;
    +  char tfill1[6];
       lu_byte flags;  /* 1<<p means tagmethod(p) is not present */ 
       lu_byte lsizenode;  /* log2 of size of `node' array */
    +  char tfill2[6];
       struct Table *metatable;
       TValue *array;  /* array part */
       Node *node;
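Review bot: The comment block asserts `sizearray` at +0x48, but that field lies beyond this hunk, so the claim rests on `tfill1`/`tfill2` plus the stock tail (`lastfree`, `gclist`, `sizearray`) adding up, which nothing enforces. A compile-time check after the struct, e.g. `typedef char lua_assert_table_layout[(offsetof(Table, sizearray) == 0x48) ? 1 : -1];`, turns a silent misalignment into a build error (make sure `<stddef.h>` is reachable from this header). The `flags` (0x18) and `lsizenode` (0x19) offsets do follow from the modified header plus `tfill1`.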
    diff -uNr lua-5.1.4/src/lstate.h lua-5.1.4.mod/src/lstate.h
    --- lua-5.1.4/src/lstate.h      2008-01-03 10:20:39.000000000 -0500
    +++ lua-5.1.4.mod/src/lstate.h  2021-05-21 20:17:39.547488994 -0400
    @@ -65,10 +65,17 @@
     /*
     ** `global state', shared by all threads of this state
     */
    +
    +/*
    +  global_State + 21h must be currentwhite (luaS_newlstr)
    +  global_State + b0h must be l_registry (index2addr)
    +*/
    +
     typedef struct global_State {
       stringtable strt;  /* hash table for strings */
       lua_Alloc frealloc;  /* function to reallocate memory */
       void *ud;         /* auxiliary data to `frealloc' */
    +  lu_byte isBlizFunc;
       lu_byte currentwhite;
       lu_byte gcstate;  /* state of garbage collector */
       int sweepstrgc;  /* position of sweep in `strt' */
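Review bot: The byte inserted at +0x20 is named `isBlizFunc`, which reads as the discriminator for the new `BCFunction` union, yet it is a per-state field that nothing in the diff reads or writes, so it cannot tell one closure's live member from another's. Unless the disassembly showed what the game stores there, name it for what is actually known, e.g. `lu_byte unk20; /* unidentified byte preceding currentwhite (0x21) */`, so a guessed meaning does not get built on later. The comment above also cites `index2addr`, while the 5.1.4 function patched in lapi.c is `index2adr`.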
    @@ -86,6 +93,7 @@
       int gcpause;  /* size of pause between successive GCs */
       int gcstepmul;  /* GC `granularity' */
       lua_CFunction panic;  /* to be called in unprotected errors */
    +  char gsfill[16];
       TValue l_registry;
       struct lua_State *mainthread;
       UpVal uvhead;  /* head of double-linked list of all open upvalues */
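Review bot: `char gsfill[16]` exists only to land `l_registry` at +0xb0, as the comment and the follow-up post explain, but nothing enforces that requirement, so a later field edit re-breaks `index2adr` silently. Pin it with a compile-time check after the struct, e.g. `typedef char lua_assert_registry_off[(offsetof(global_State, l_registry) == 0xb0) ? 1 : -1];`, and give the fill a comment naming the constraint instead of a bare array. The same treatment suits `l_G` at +0x38 in `lua_State`, which carries its requirement only as a comment.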
    @@ -93,16 +101,29 @@
       TString *tmname[TM_N];  /* array with tag-method names */
     } global_State;
     
    +/*
    +luastate + 38h is l_G
    +commonheader + 8h is tt, the type.
    +new strings are assigned to L->top->value.gc
    +luastate + 28h is L->top.
    +luastate + 28h is L->top->value.gc
    +L->top + 0h is where the new string is attached.
    +L->top + 8h is the TValuefields.tt
    +L->top + 10h is the taint.
    +commonheader + 11h is marked.
    +commonheader + 10h is tt
    +*/
     
     /*
     ** `per thread' state
     */
     struct lua_State {
       CommonHeader;
    +  char fill0[16];
       lu_byte status;
       StkId top;  /* first free slot in the stack */
       StkId base;  /* base of current function */
    -  global_State *l_G;
    +  global_State *l_G;  /* this must be at offset 38h */
       CallInfo *ci;  /* call info for current function */
       const Instruction *savedpc;  /* `savedpc' of current function */
       StkId stack_last;  /* last free slot in the stack */
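Review bot: The offset notes added above `lua_State` contradict each other and the rest of the patch: `commonheader + 8h is tt` near the top against `commonheader + 10h is tt` at the bottom, and `luastate + 28h is L->top` immediately followed by `luastate + 28h is L->top->value.gc`. With `CommonHeader` as modified (`next` 8 bytes, `tainted` 8 bytes) `tt` is at +0x10, while +0x08 is where `tt` sits inside a TValue, so the first note looks like a misplaced TValue observation; the second pair should read `luastate + 28h is L->top; L->top + 0h is value.gc`. Correct or delete the stale lines, because a reader hunting a layout crash will take each as a measured fact. `struct lua_State` continues past the end of the hunk.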
    diff -uNr lua-5.1.4/src/ltable.c lua-5.1.4.mod/src/ltable.c
    --- lua-5.1.4/src/ltable.c      2007-12-28 10:32:23.000000000 -0500
    +++ lua-5.1.4.mod/src/ltable.c  2021-05-21 20:17:39.583157157 -0400
    @@ -74,7 +75,7 @@
     
     static const Node dummynode_ = {
       {{NULL}, LUA_TNIL},  /* value */
    -  {{{NULL}, LUA_TNIL, NULL}}  /* key */
    +  {{{NULL}, LUA_TNIL, LUA_TNIL, LUA_TNIL, NULL}}  /* key */
     };
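Review bot: The key initializer `{{{NULL}, LUA_TNIL, LUA_TNIL, LUA_TNIL, NULL}}` uses `LUA_TNIL` to zero the new `fill` and `tainted` words, which makes them read as type tags; write `0, 0` instead (or, if the build permits C99, designated initializers `.tt = LUA_TNIL, .tainted = 0`), and note that the value half two lines up zero-fills the same words implicitly, so the two halves should be made to look consistent. The hunk header `@@ -74,7 +75,7 @@` also implies a one-line addition earlier in ltable.c that the posted diff does not include.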
     
     
    diff -uNr lua-5.1.4/src/lua.h lua-5.1.4.mod/src/lua.h
    --- lua-5.1.4/src/lua.h 2008-08-06 09:30:12.000000000 -0400
    +++ lua-5.1.4.mod/src/lua.h     2021-05-21 20:17:39.661528324 -0400
    @@ -84,7 +84,8 @@
     
     
     /* minimum Lua stack available to a C function */
    -#define  LUA_MINSTACK   20
    +/* blz stack_init ups this from 20 to 100 */
    +#define  LUA_MINSTACK   100
     
     
     /*
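Review bot: Raising `LUA_MINSTACK` to 100 changes more than the initial allocation: in stock 5.1.4 it is also the headroom every C function is promised and the amount `luaD_precall` reserves on each C call, so this edit enlarges every call's stack check, not just `stack_init`. If the disassembly only showed the initial stack being 100 slots, as the comment suggests, the narrower change is `BASIC_STACK_SIZE` in lstate.c; either way the comment should state which value was actually observed and where, e.g. `/* observed in the game's stack_init: initial stack is 100 slots (stock: 2*LUA_MINSTACK = 40) */`.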

    Originally Posted by thateuler
    I was doing the same with classic. More than a month ago. I got this far. But it isn't complete.

    Code:
    diff -uNr lua-5.1.4/src/lapi.c lua-5.1.4.mod/src/lapi.c
    --- lua-5.1.4/src/lapi.c	2008-07-04 14:41:18.000000000 -0400
    +++ lua-5.1.4.mod/src/lapi.c	2021-05-21 20:17:39.123775773 -0400
    @@ -378,7 +378,7 @@
     
     LUA_API lua_CFunction lua_tocfunction (lua_State *L, int idx) {
       StkId o = index2adr(L, idx);
    -  return (!iscfunction(o)) ? NULL : clvalue(o)->c.f;
    +  return (!iscfunction(o)) ? NULL : clvalue(o)->c.f.cf;
     }
     
     
    @@ -489,7 +489,7 @@
       luaC_checkGC(L);
       api_checknelems(L, n);
       cl = luaF_newCclosure(L, n, getcurrenv(L));
    -  cl->c.f = fn;
    +  cl->c.f.cf = fn;
       L->top -= n;
       while (n--)
         setobj2n(L, &cl->c.upvalue[n], L->top+n);
    @@ -838,7 +838,7 @@
       struct CCallS *c = cast(struct CCallS *, ud);
       Closure *cl;
       cl = luaF_newCclosure(L, 0, getcurrenv(L));
    -  cl->c.f = c->func;
    +  cl->c.f.cf = c->func;
       setclvalue(L, L->top, cl);  /* push function */
       api_incr_top(L);
       setpvalue(L->top, c->ud);  /* push only argument */
    diff -uNr lua-5.1.4/src/ldo.c lua-5.1.4.mod/src/ldo.c
    --- lua-5.1.4/src/ldo.c 2008-01-18 17:31:22.000000000 -0500
    +++ lua-5.1.4.mod/src/ldo.c     2021-05-21 20:17:39.224842281 -0400
    @@ -316,7 +316,7 @@
         if (L->hookmask & LUA_MASKCALL)
           luaD_callhook(L, LUA_HOOKCALL, -1);
         lua_unlock(L);
    -    n = (*curr_func(L)->c.f)(L);  /* do the actual call */
    +    n = (*curr_func(L)->c.f.cf)(L);  /* do the actual call */
         lua_lock(L);
         if (n < 0)  /* yielding? */
           return PCRYIELD;
    diff -uNr lua-5.1.4/src/lobject.h lua-5.1.4.mod/src/lobject.h
    --- lua-5.1.4/src/lobject.h     2008-08-06 09:29:48.000000000 -0400
    +++ lua-5.1.4.mod/src/lobject.h 2021-05-21 20:17:39.435288729 -0400
    @@ -40,7 +40,11 @@
     ** Common Header for all collectable objects (in macro form, to be
     ** included in other objects)
     */
    -#define  CommonHeader   GCObject *next; lu_byte tt; lu_byte marked
    +#define  CommonHeader   \
    +  GCObject *next; \
    +  unsigned long long tainted; \
    +  lu_byte tt; \
    +  lu_byte marked
     
     
     /*
    @@ -61,14 +65,18 @@
       void *p;
       lua_Number n;
       int b;
    -} Value;
    +} lua_Value;
     
     
     /*
     ** Tagged Values
     */
     
    -#define  TValuefields   Value value; int tt
    +#define  TValuefields   \
    +  lua_Value value; \
    +  unsigned int tt; \
    +  unsigned int fill; \
    +  unsigned long long tainted
     
     typedef struct lua_TValue {
       TValuefields;
    @@ -196,6 +205,9 @@
     /*
     ** String headers for string table
     */
    +/*
    +  TString + 1c is hash??
    +*/
     typedef union TString {
       L_Umaxalign dummy;  /* ensures maximum alignment for strings */
       struct {
    @@ -288,13 +300,35 @@
     ** Closures
     */
     
    +/*
    +closure + 18h is isC (luaF_newCClosure)
    +closure + 28h is env (luaF_newCClosure)
    +closure + 30h should be BlizFunc (??) (luaF_newCClosure)
    +*/
    +
    +typedef struct {
    +  unsigned long long a;
    +  unsigned long long b;
    +  unsigned long long c;
    +  unsigned long long d;
    +} BlizFunc;
    +
    +typedef union {
    +  lua_CFunction cf;
    +  BlizFunc *bf;
    +} BCFunction;
    +
     #define  ClosureHeader \
    -       CommonHeader; lu_byte isC; lu_byte nupvalues; GCObject *gclist; \
    +       CommonHeader; \
    +  char clhfill[6]; \
    +  lu_byte isC; \
    +  lu_byte nupvalues; \
    +  GCObject *gclist; \
            struct Table *env
     
     typedef struct CClosure {
       ClosureHeader;
    -  lua_CFunction f;
    +  BCFunction f;
       TValue upvalue[1];
     } CClosure;
     
    @@ -335,10 +369,18 @@
     } Node;
     
     
    +/*
    +   Table + 48h is sizearray
    +   Table + 18h is flags
    +   Table + 19h is lsizenode
    +*/
    +
     typedef struct Table {
       CommonHeader;
    +  char tfill1[6];
       lu_byte flags;  /* 1<<p means tagmethod(p) is not present */ 
       lu_byte lsizenode;  /* log2 of size of `node' array */
    +  char tfill2[6];
       struct Table *metatable;
       TValue *array;  /* array part */
       Node *node;
    diff -uNr lua-5.1.4/src/lstate.h lua-5.1.4.mod/src/lstate.h
    --- lua-5.1.4/src/lstate.h      2008-01-03 10:20:39.000000000 -0500
    +++ lua-5.1.4.mod/src/lstate.h  2021-05-21 20:17:39.547488994 -0400
    @@ -65,10 +65,17 @@
     /*
     ** `global state', shared by all threads of this state
     */
    +
    +/*
    +  global_State + 21h must be currentwhite (luaS_newlstr)
    +  global_State + b0h must be l_registry (index2addr)
    +*/
    +
     typedef struct global_State {
       stringtable strt;  /* hash table for strings */
       lua_Alloc frealloc;  /* function to reallocate memory */
       void *ud;         /* auxiliary data to `frealloc' */
    +  lu_byte isBlizFunc;
       lu_byte currentwhite;
       lu_byte gcstate;  /* state of garbage collector */
       int sweepstrgc;  /* position of sweep in `strt' */
    @@ -86,6 +93,7 @@
       int gcpause;  /* size of pause between successive GCs */
       int gcstepmul;  /* GC `granularity' */
       lua_CFunction panic;  /* to be called in unprotected errors */
    +  char gsfill[16];
       TValue l_registry;
       struct lua_State *mainthread;
       UpVal uvhead;  /* head of double-linked list of all open upvalues */
    @@ -93,16 +101,29 @@
       TString *tmname[TM_N];  /* array with tag-method names */
     } global_State;
     
    +/*
    +luastate + 38h is l_G
    +commonheader + 8h is tt, the type.
    +new strings are assigned to L->top->value.gc
    +luastate + 28h is L->top.
    +luastate + 28h is L->top->value.gc
    +L->top + 0h is where the new string is attached.
    +L->top + 8h is the TValuefields.tt
    +L->top + 10h is the taint.
    +commonheader + 11h is marked.
    +commonheader + 10h is tt
    +*/
     
     /*
     ** `per thread' state
     */
     struct lua_State {
       CommonHeader;
    +  char fill0[16];
       lu_byte status;
       StkId top;  /* first free slot in the stack */
       StkId base;  /* base of current function */
    -  global_State *l_G;
    +  global_State *l_G;  /* this must be at offset 38h */
       CallInfo *ci;  /* call info for current function */
       const Instruction *savedpc;  /* `savedpc' of current function */
       StkId stack_last;  /* last free slot in the stack */
    diff -uNr lua-5.1.4/src/ltable.c lua-5.1.4.mod/src/ltable.c
    --- lua-5.1.4/src/ltable.c      2007-12-28 10:32:23.000000000 -0500
    +++ lua-5.1.4.mod/src/ltable.c  2021-05-21 20:17:39.583157157 -0400
    @@ -74,7 +75,7 @@
     
     static const Node dummynode_ = {
       {{NULL}, LUA_TNIL},  /* value */
    -  {{{NULL}, LUA_TNIL, NULL}}  /* key */
    +  {{{NULL}, LUA_TNIL, LUA_TNIL, LUA_TNIL, NULL}}  /* key */
     };
     
     
    diff -uNr lua-5.1.4/src/lua.h lua-5.1.4.mod/src/lua.h
    --- lua-5.1.4/src/lua.h 2008-08-06 09:30:12.000000000 -0400
    +++ lua-5.1.4.mod/src/lua.h     2021-05-21 20:17:39.661528324 -0400
    @@ -84,7 +84,8 @@
     
     
     /* minimum Lua stack available to a C function */
    -#define  LUA_MINSTACK   20
    +/* blz stack_init ups this from 20 to 100 */
    +#define  LUA_MINSTACK   100
     
     
     /*
    What would you suspect is incomplete about it? I've found a way to make protected calls, but it's a workaround and prone to crashing because my alignments are likely still off. I'll try integrating your revisions and see how they work out for retail.

    The changes were from reading the disassembly in IDA, and comparing it with stock lua 5.1.4 code. For example, by comparing index2addr I knew that l_registry must be at offset 0xb0 in struct global_State. I added some extra fill just above it "char gsfill[16]" so that the disassembly of index2addr was correct. But that fill could be anywhere above l_registry, not necessarily right above it.

    Good luck!

    Originally Posted by thateuler
    The changes were from reading the disassembly in IDA, and comparing it with stock lua 5.1.4 code. For example, by comparing index2addr I knew that l_registry must be at offset 0xb0 in struct global_State. I added some extra fill just above it "char gsfill[16]" so that the disassembly of index2addr was correct. But that fill could be anywhere above l_registry, not necessarily right above it.

    Good luck!
    Maybe there is a slight difference from Classic, because most of my fills are different. I can call anything using a little trick, but it's still prone to a crash from some check that comes afterwards, so it's not reliable enough to do p_lua with.

    I hope I can figure this out because I'm super close. I've tried everything at this point for a lot of theories behind why it's failing but no luck. Good luck to you as well <3
