Watch Dogs Lua Engine Hook

Today I finished my work on a hook for the Watch Dogs Lua engine. It can now load Lua script files into the game and execute them, and it also gives access to all Lua scripting functions available in-game, so spawning vehicles, changing the time of day, etc. is now possible. A short scripting example:


-- grab the game's environment manager and set the scripted clock to 09:23
local test = CDynamicEnvironmentManager_GetInstance();
test:SetScriptedTimeOfDay(09, 23);

This simple script changes the time to 9:23. Save it as anything.lua in the /scripts/ folder and my hook loads it at startup. You can also reload it at any time during gameplay, so testing new stuff is pretty easy. I might release the hook to the public soon, depending on how testing goes.

Hook internals

I created a proxy of dinput8.dll that gets loaded into the process and then loads my custom C++ DLL. Script loading works through the Lua functions luaL_loadbuffer and lua_pcall, which reside inside Disrupt_b64.dll. Once you have found their addresses, you can call them manually to load your own scripts into the game and have them processed like normal game scripts. Prototypes (the standard Lua C API signatures):

int luaL_loadbuffer (lua_State *L, const char *buff, size_t sz, const char *name);
int lua_pcall (lua_State *L, int nargs, int nresults, int errfunc);

All you have to do is find the game's lua_State, and that's it: with the state in hand you call luaL_loadbuffer to compile your script data and lua_pcall to execute it while playing. Two things are worth checking in practice. Both functions return 0 on success and otherwise leave an error message on top of the Lua stack, so read it with lua_tostring and pop it, or a broken script fails silently. And a lua_State is not thread-safe, so make the calls on the thread that owns the state, for example from a hook on a function the game itself calls with that state, rather than from an arbitrary injected thread.
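The post does not say how the two functions or the state were located. Below is an added example in C (my code, not the hook's) showing one common way: a byte-signature scan with wildcards over the module image, with "call rel32" resolution for the case where only a call site has a distinctive byte pattern, and a small runner that drives the two prototypes above with the error handling described. Assumptions: the scan approach itself, the two extra Lua entry points lua_tolstring and lua_settop (needed to read and pop the error message; located the same way), and the module bytes and signatures, which are constructed for the demonstration and are not from Disrupt_b64.dll.

```c
/* Added example, not code from the post: locate a non-exported function such as
 * luaL_loadbuffer by byte-signature scan (plus "call rel32" resolution when only a
 * call site is distinctive), then drive it through the prototypes above.  MODULE_IMAGE
 * and both signatures are constructed test data, not bytes from Disrupt_b64.dll. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SIG_MAX 64
typedef struct { uint8_t bytes[SIG_MAX], mask[SIG_MAX]; size_t len; } signature_t;
/* mask[i] == 1: byte must match; 0: wildcard ("??") for bytes that differ per build. */

static int hexval(int c)   /* strict hex digit: no sign, no "0x", no whitespace */
{ c |= 0x20; return (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1; }

/* Parse an IDA-style signature such as "55 8B EC E8 ?? ?? ?? ??"; -1 on bad input. */
static int parse_signature(const char *text, signature_t *sig)
{
    sig->len = 0;
    for (const char *p = text; *p; p++) {
        if (*p == ' ') continue;
        if (sig->len == SIG_MAX) return -1;
        if (p[0] == '?' && p[1] == '?') {
            sig->mask[sig->len] = 0; sig->bytes[sig->len] = 0;
        } else {
            int hi = hexval(p[0]), lo = hexval(p[1]);
            if (hi < 0 || lo < 0) return -1;
            sig->mask[sig->len] = 1; sig->bytes[sig->len] = (uint8_t)((hi << 4) | lo);
        }
        sig->len++; p++;                          /* every token is two characters */
    }
    return sig->len ? 0 : -1;
}

/* Store up to max_hits match offsets (overlapping included); return the total count. */
static size_t scan_signature(const uint8_t *img, size_t size, const signature_t *sig,
                             size_t *hits, size_t max_hits)
{
    size_t count = 0;
    for (size_t off = 0; sig->len && off + sig->len <= size; off++) {
        size_t i = 0;
        while (i < sig->len && (!sig->mask[i] || img[off + i] == sig->bytes[i])) i++;
        if (i == sig->len) { if (count < max_hits) hits[count] = off; count++; }
    }
    return count;
}

/* Offset of the single match, or -1: a signature with two hits is as useless as none. */
static long find_unique(const uint8_t *img, size_t size, const char *text)
{
    signature_t sig; size_t hits[2];
    if (parse_signature(text, &sig) != 0) return -1;
    return scan_signature(img, size, &sig, hits, 2) == 1 ? (long)hits[0] : -1;
}

/* Target of an x86/x64 "call rel32" (E8 xx xx xx xx): next instruction + signed disp. */
static long resolve_rel32_call(const uint8_t *img, size_t size, size_t off)
{
    if (off + 5 > size || img[off] != 0xE8) return -1;
    uint32_t u = (uint32_t)img[off + 1] | ((uint32_t)img[off + 2] << 8)
               | ((uint32_t)img[off + 3] << 16) | ((uint32_t)img[off + 4] << 24);
    return (long)(off + 5) + (int32_t)u;
}

/* The two prototypes from the post as function pointers, plus lua_tolstring and
 * lua_settop (assumed to be located the same way) to read and pop an error message. */
typedef struct lua_State lua_State;
typedef struct {
    int (*loadbuffer)(lua_State *L, const char *buff, size_t sz, const char *name);
    int (*pcall)(lua_State *L, int nargs, int nresults, int errfunc);
    const char *(*tolstring)(lua_State *L, int idx, size_t *len);
    void (*settop)(lua_State *L, int idx);
} lua_api_t;

/* Compile and run one chunk.  Both calls return 0 on success; otherwise the error message
 * is on top of the stack, so copy it out and pop it.  Call only on the thread owning L. */
int run_lua_buffer(const lua_api_t *api, lua_State *L, const char *src, size_t len,
                   const char *name, char *err, size_t err_cap)
{
    int rc = api->loadbuffer(L, src, len, name);
    if (rc == 0) rc = api->pcall(L, 0, 0, 0);
    if (rc != 0) {
        const char *msg = api->tolstring(L, -1, NULL);
        snprintf(err, err_cap, "%s", msg ? msg : "(no message)");
        api->settop(L, -2);                       /* lua_pop(L, 1) */
    }
    return rc;
}

/* Constructed image: two callers of one function ("55 8B EC 83 EC 10 E8 rel32 C3"),
 * then the callee's prologue, which deliberately contains an 0x0A byte. */
static const uint8_t MODULE_IMAGE[] = {
    0x90,0x90,0x90,0x90,                                          /* 0x00 */
    0x55,0x8B,0xEC,0x83,0xEC,0x10,0xE8,0x13,0x00,0x00,0x00,0xC3,  /* 0x04: call -> 0x22 */
    0xCC,0xCC,0xCC,0xCC,                                          /* 0x10 */
    0x55,0x8B,0xEC,0x83,0xEC,0x10,0xE8,0x03,0x00,0x00,0x00,0xC3,  /* 0x14: call -> 0x22 */
    0xCC,0xCC,                                                    /* 0x20 */
    0x56,0x57,0x8B,0xF1,0x8B,0x7C,0x24,0x0C,0x0A,0xC3,            /* 0x22: callee */
    0xCC,0xCC,0xCC,0xCC                                           /* 0x2C */
};
#define CALLER_SIG "55 8B EC 83 EC 10 E8 ?? ?? ?? ?? C3"   /* rel32 wildcarded: 2 hits */
#define CALLEE_SIG "56 57 8B F1 8B 7C 24 ?? 0A"            /* 1 hit: usable directly */

int main(void)
{
    printf("callee at +0x%lx (direct), +0x%lx (via call site at 0x0A)\n",
           find_unique(MODULE_IMAGE, sizeof MODULE_IMAGE, CALLEE_SIG),
           resolve_rel32_call(MODULE_IMAGE, sizeof MODULE_IMAGE, 0x0A));
    return 0;
}
```

In the real hook the image would be the loaded module's bytes (base and size from its PE headers) and every offset returned here is added to that base before being cast to a function pointer; CALLER_SIG shows why a relative address must be wildcarded and why find_unique refuses two hits, since the same prologue and call shape occurs twice while both call sites still resolve to the same callee.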

Expect more soon.

An example screen: [screenshot Watch_Dogs2014-6-13-23-21-36]

8 thoughts on “Watch Dogs Lua Engine Hook”

  1. Mike

    Very interesting. I have never tried DLL injection; could you give some advice on what reading you used to learn this process?

    1. LMS Post author

      All my knowledge is self-taught, but there are good articles on the internet. There are various techniques for DLL injection; you can check out this article: http://nagareshwar.securityxploded.com/2014/03/20/code-injection-and-api-hooking-techniques/ Please note that the techniques shown there require an external injector/launcher. If you want to avoid that, you have to make the game load your DLL on startup by faking a DLL that is normally loaded by the game. Searching for “C++ DLL proxy” should yield good results. dinput8.dll is a good target to proxy, since it’s fairly simple.

  2. Mike

    Ok, I have exported the functions of the dinput8 tree, but I cannot tell what kind of parameters they return to the exe. How did you get that info?

    1. LMS Post author

      You can check the MSDN, e.g. for DirectInput8Create it will give this definition:

      HRESULT WINAPI DirectInput8Create(HINSTANCE hinst, DWORD dwVersion, REFIID riidltf, LPVOID *ppvOut, LPUNKNOWN punkOuter)

      Now you need to call the function from the original DLL in the system directory and pass all arguments to it.

  3. Leigh

    Hey LMS, I am looking into continuing the work you did on Watch Dogs, but I seem to be having issues with the proxy DLL not actually being able to work. Is there a new guard to prevent the dinput8 from loading?

    1. LMS Post author

      Hi Leigh, I am not sure; I haven’t played the game in ages. Can you manually inject your DLL via Cheat Engine, for instance?

