Having trouble with the lua script for Cheat Engine

[CritixCS]

First of all your project here is heaven-sent.

I know it has been a long af time since you made this and have probably forgotten about it already but i would really appreciate it if you could help me out. I have set up my own Trinity Core Server for WoW 3.3.5a and am trying out a bunch of stuff with it.

I am trying to get your dissector to work, but i'm having a few issues:

• When i run your lua script for Cheat Engine 7.4 i don't actually get the 2 keys. I'm guessing that's because i didn't do what you said here:

The location to the file has to be specified by changing the value of the variable "session_keys_file" in the LUA script!

I don't know which file you mean.... what exactly should i put in there? Sorry for being dumb.

---

• It doesn't seem like your script is calling the debugger function at all for some reason. This is the normal output i get:

"--------" "--------"

I called the function at the end of the script like this:

debugger_onBreakpoint()

This seems more like the output i should get:

"--------" "--------" Error:[string "local session_keys_file = "PUT_PATH_TO_WRITAB..."]:9: bad argument #1 to 'for iterator' (table expected, got nil) Script Error

---

• In Wireshark under preferences -> protocols -> WOWW

As you can see my preferences tab is missing many things for some reason.

Thank you for reading and i really hope you can help me out.

[akaCoyote]

I didn't look into this very long, but as far as I can tell debugger_onBreakpoint() isn't getting called in his Lua script (Using CheatEngine 7.4). You can't call that function directly because it relies on data which is populated by CheatEngine when the breakpoint occurs.

However, if you look his Lua, you have all the necessary information to figure out these values manually;

1. Setup your Wireshark capture and filters, start the capture.
2. Launch Wow.exe and login to your server.
3. Start CheatEngine, open Wow.exe and click "Memory View".
4. Go to the address (right-click -> Go to address or CTRL+G) he set a breakpoint on in the Lua file (0x00466D64)

In the Lua file, you see he's reading 20 bytes at the destination address (EDI) and 20 bytes at the source address (ESI) from the breakpoint. So right click the breakpoint address and follow it with SPACE, right-click that address and select "Copy to clipboard" -> "Addresses only", this will give you a relative address (e.g. Wow.exe+375040) you can use to read the bytes. Save the address somewhere.

Now go back to the original breakpoint address by hitting BACKSPACE, then hit BACKSPACE again to go to the source address, right-click the address and "Copy to clipboard" -> "Addresses only". Save the address somewhere.

Now you can use CEs built in Lua engine (CTRL+ALT+L) to read those bytes for you. Something like this:

Replace dest_addr and src_addr with the respective relative addresses you gathered above.

dest_addr = ""
src_addr = ""

table = readBytes(dest_addr, 20, true)
serverKey=""
for i, v in ipairs(table) do serverKey = serverKey .. string.format("0x%x", v) .. " " end
print("Server Key: ", serverKey)

table = readBytes(src_addr, 20, true)
clientKey=""
for i, v in ipairs(table) do clientKey = clientKey .. string.format("0x%x", v) .. " " end
print("Client Key: ", clientKey)

Remember the keys and relative addresses will change with each session, if you'll need to do this a lot, I'd highly recommend automating it.

[CritixCS]

Wow @akaCoyote you are amazing! Thank you so much. I will try this today or tmrw and see if i can make it work :D

[chaodhib]

Hi hi,

Sorry for the late reply. Although what @akaCoyote explained might work, the script has been designed to avoid all of these. Here are more detailed instructions:

• Open the WoW client but do not login to the server yet
• Open CheatEngine
• Open Wireshark and start capturing
• In CheatEngine, go to File -> Open Process. Then select in the list the WoW process (3.3.5a client)
• Now, back on the main CheatEngine view, click on the "Memory View" button on the left
• In the memory view window, go to "Tools" -> "Lua Engine" (Ctrl + L shortcut)
• There, go to "File" -> "Open script", then select the LUA script provided in this repo.
• Before clicking on the "Execute" button on the right, change the value of the session_keys_file variable. In my case, I want to write session keys to a file at C:\Users\xxx\Documents\sessionkeys.txt. Because I'm on Windows, my path uses backslashes and those need to be escaped. Therefore, the beginning of my script must be as follow:

  local session_keys_file = "C:\\Users\\xxx\\Documents\\sessionkeys.txt"

• Now, click on the "Execute" button. The LUA script is now running and ready to acquire the session keys.
• Next step is to go to the WoW client and log-in to the WoW server.
• Now, open the session key file (for which you provided a path earlier), it should now contain the session keys.
• Now, you can go to the Wireshark's dissector settings and provide the session keys. The captured packets are now decrypted.

As you can see my preferences tab is missing many things for some reason.

That is odd. Which version of Wireshark are you using? I mention in the documentation the following:

The DLL has been tested with Wireshark 3.0.2 64bits on Windows 10. For a different version, you may need to compile the dissector yourself (see "How to compile" section below).

If your version is newer, you might need to compile the DLL yourself.

Hope it helps.

[CritixCS]

Thank you for the answer!

Before doing all the stuff with CheatEngine and your LUA script i wanted to make sure the Wireshark plugin worked so i started by getting Wireshark 3.0.2 64bit and saw that it doesn't have your plugin. Then i cloned the current github repo of Wireshark and copied your files in there. I followed the Wireshark Build guidelines and got this error message at the very end:

Do you know what might cause this?

Wireshark does still open, but when i go under Preferences -> Protocols -> WOWW i still only get this:

I would greatly appreciate it if you could help me further <3

[chaodhib]

You have 2 options:

• Either you use Wireshark 3.0.2 64bit. Then, you can use my DLL as is (you don't need to compile anything). It's explained in the documentation.
• Or you use a different version of Wireshark and in that case you need to compile it yourself (there is documentation available on how to do this online).

It looks like you wanted to go with the first option, so just copy the DLL in the appropriate location.