A small patcher to bypass protected Lua functions in World of Warcraft 3.3.5a client `Wow.exe`

patch.py

import pefile
import binascii

with open('Wow.exe', 'rb') as f:
    name = f.name
    b = bytearray(f.read())

def apply_patch(name, offset, patch, expected):
    print("PATCHING", name)

    pe = pefile.PE(data=b)

    opt = pe.OPTIONAL_HEADER
    base = opt.ImageBase

    sect = pe.get_section_by_offset(offset)
    contents = sect.get_data()
    start = base + sect.VirtualAddress

    sect_offset = offset - start
    file_offset = pe.get_offset_from_rva(offset - base)

    end_offset = file_offset + len(expected)
    orig = b[file_offset:end_offset]


    assert(b[file_offset:end_offset] == contents[sect_offset:][:len(patch)])
    assert(b[file_offset:end_offset] == bytearray(expected))

    b[file_offset:end_offset] = patch

    print("ORIG:", bytes(orig).hex())
    print("NEW:", bytes(patch).hex())

    # patch = [e9 f7 00 00 00]

def lua_unlock():
    name = "lua unlock"

    OFFSET_CGGameUI__CheckPermissions = 0x5191C0
    SUBROUTINE_OFFSET_conditional_jump = 0x12

    #conditional jump
    expected = [0x74]

    # unconditional jump
    patch = [0xeb]

    offset = OFFSET_CGGameUI__CheckPermissions + SUBROUTINE_OFFSET_conditional_jump

    apply_patch(name, offset, patch, expected)

def hide_popup():
    name = "hide blocked action popup"

    OFFSET_CGGameUI__ShowBlockedActionFeedback = 0x513530
    SUBROUTINE_OFFSET_conditional_jump = 0x10

    #conditional jump
    expected = [0x0f, 0x85, 0xf6, 0x00, 0x00, 0x00]

    # unconditional jump
    patch = [0xe9, 0xf7, 0x00, 0x00, 0x00, 0x90]

    offset = OFFSET_CGGameUI__ShowBlockedActionFeedback + SUBROUTINE_OFFSET_conditional_jump

    apply_patch(name, offset, patch, expected)

# apply patches
lua_unlock()
hide_popup()

with open('Wow-unprotected.exe', 'wb') as f:
    f.write(b)

❤️