Author Topic: Enhanced Client Lua hooking  (Read 9589 times)

Enhanced Client Lua hooking
« on: February 10, 2015, 05:22:45 AM »
Hello everybody,

I didn't find a better place to post this, so I hope the SUO forums will be the most appropriate place to have this at the moment.

As most of you might know, the Enhanced Client (EC) basically comes in two parts: a binary core client and a Lua UI system (which is basically 95% open to modding). Pinco's UI pretty much shows how much automation is possible with plain legal mods (move items between containers, harvest plant gumps, etc.). So there are actually only a couple of minor issues left before providing a fully scriptable client right from within the native Lua environment. What I personally like the most: you get to write scripts in the same environment as you do the UI elements, so it feels as natural as the EC gets writing custom UIs for each script. The Lua environment also provides basic information such as position, health, mana, armor, mobs, etc.

Some things noted on the EC:
- The core client seems to be written in C++ (oh, surprise)
- The UOSA.exe incorporates a full Lua 5.2 library (C source +binaries available on lua.org)
- They don't use native lua (as mentioned above), but use LuaPlus C++ wrapper (source + binary on http://luaplus.org/)

From there on it's a pretty easy target to identify the core Lua functions in the UOSA.exe (though it is a huge beast to me). Actually it's not as easy as comparing luaplus.lib with uosa.exe, as they compiled it on their own with heavy optimizations (register parameter passing, inline functions, etc.). So it's not as easy as building luaplus.lib FLAIR signatures (for IDA Pro) and applying them onto uosa.exe :/ But it's still easy by referencing strings in the source and the assembly. I found it interesting to look for lua_openlib() and lua_newstate().

Maybe a bit on Lua now: Lua is a pretty lightweight scripting language. One of the things that make it easy to hook is the fact that it encapsulates all data it operates on into a lua_State data structure and basically only passes references to this global lua_State along its APIs.

Inside this lua_State it's guaranteed to meet binary compatibility among different Lua builds of the same major version. So despite not knowing all the Lua functions inside uosa.exe which would be needed to modify the lua_State properly, one might just link their own Lua library (built from the open source code mentioned above) into an inserted DLL, and work on the full spectrum of the Lua API.

One example would be to load external Lua libraries, for which maybe this site gives a good overview of what can be built with them: https://code.google.com/p/luaforwindows/
This LuaCOM thing also looks interesting (as I once saw some CC tool implementing a COM interface from within uo.exe to interact with it in whatever binding was preferred :D). However, this is something I'm working on. I linked my own lua.lib and successfully registered libraries. But it seems there is one more bit I'm missing, as the functions are registered in Lua (can verify) but don't trigger their callbacks. Anyway, I don't wanna get lost in the details here!

But what about finding the lua_State? Well, I haven't found a better way yet than to spawn UOSA.exe as a debuggee of my tool. So I can set breakpoints on some internal Lua APIs and record the lua_State memory address. It kind of uses the same notation as IDA FLAIR to identify a couple of core functions like lua_newstate() (see official Lua docs for more).

So atm I registered functions for things that can't be triggered through Lua: I added a function to emulate a ctrl-shift (which results in getting all object ids on screen in Lua), and a couple of functions to emulate character moving (just by emulating keypresses through the Win API atm). It is enough to run the trade quests automatically or run an automated IDOC scanner, reporting IDOCs just as you play and move along in game.

I'm pretty unfamiliar with C++ and Windows, so I'm learning all along the way :D I felt it was about time to maybe share my findings in case someone else finds it interesting or useful. Please don't hesitate to point me to anything I might be missing out on.

Other things I'm appreciating any input on:
 - UOSA uses Gamebryo (*eek*). I have a hard time getting into that, with identifying vtables and stuff. No success at all tbh.
 - There seem to be relics from some EASTL (EA Standard Template Library). Couldn't find anything publicly available though.

I also found that UOSpy tool for logging packet streams and tried it within my tool. Fun stuff, but I really have no interest in tampering with the servers :D I'm also more into attended scripting, as in the end I don't intend to make a living out of UO or stuff ;P

Please let me know if you have any interesting info to add or want to know more! It's a shame no good scripting is available for EC :P
« Last Edit: February 10, 2015, 05:27:48 AM by luamage »
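The post notes that functions registered from a foreign lua.lib show up inside the client's Lua environment and "can verify". The following is an added example, not code from the post or from the client, showing how the Lua side itself can take a baseline of the global table and later report functions that were not there before, telling C-implemented registrations apart from Lua-defined ones. It assumes a Lua 5.2 interpreter with the `debug` library loaded; the two globals added at the end are constructed stand-ins for what an injected DLL might register.

```lua
-- Added example (not from the original post): snapshot the Lua 5.2 global
-- table and later report functions that appeared or changed after the
-- snapshot, flagging whether each is implemented in C or in Lua.
-- Assumes the standard `debug` library is available.

local Integrity = {}

-- Describe one global value: its type and, for functions, whether it is
-- implemented in C or in Lua (and, for Lua, which chunk defined it).
local function describe(value)
  local t = type(value)
  if t ~= "function" then return t end
  local info = debug.getinfo(value, "S")
  if info.what == "C" then return "function(C)" end
  return "function(Lua:" .. tostring(info.short_src) .. ")"
end

-- Take a baseline of every key in the environment table (default _G).
function Integrity.snapshot(env)
  local snap = {}
  for name, value in pairs(env or _G) do
    snap[name] = describe(value)
  end
  return snap
end

-- Compare the live environment against the baseline and return a sorted
-- list of {name, kind, was} entries for functions that are new or changed.
function Integrity.diff(baseline, env)
  local findings = {}
  for name, value in pairs(env or _G) do
    local now = describe(value)
    if baseline[name] ~= now and now:sub(1, 8) == "function" then
      findings[#findings + 1] = { name = tostring(name), kind = now,
                                  was = baseline[name] or "absent" }
    end
  end
  table.sort(findings, function(a, b) return a.name < b.name end)
  return findings
end

-- Constructed demonstration: take a baseline, then simulate foreign
-- registrations. os.clock stands in for a C function a DLL would register;
-- the second is a Lua-side helper. Both names are made up for this example.
local base = Integrity.snapshot()
_G.EmulateCtrlShift = os.clock
_G.MoveCharacter = function() end
for _, f in ipairs(Integrity.diff(base)) do
  print(("unexpected global %s is %s (was %s)"):format(f.name, f.kind, f.was))
end
```

Running the snapshot once at UI load and the diff periodically gives a cheap, in-environment check for globals that the client's own Lua files never defined.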