Hatschi Master Cheater Reputation: 2
Joined: 28 Jan 2010 Posts: 327
Posted: Sun Oct 05, 2014 6:47 am
//fixed
Last edited by Hatschi on Sat Oct 25, 2014 3:31 pm; edited 2 times in total
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25288 Location: The netherlands
Posted: Sun Oct 05, 2014 7:47 am
Oh yes, I forgot: you also need to enumerate all the images first and try findclass on each of them till found.
With byte-based I mean it doesn't require messages of a specific size, but just a stream of data:
the first byte sent is 0x15,
followed by 8 bytes containing the image (which you got from the enumeration),
followed by 2 bytes containing the length of the classname string,
followed by the bytes of the string (UTF-8 formatted) without a 0 terminator.
Then it returns 8 bytes that contain either 0 or the class.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Hatschi Master Cheater Reputation: 2
Joined: 28 Jan 2010 Posts: 327
Posted: Sun Oct 05, 2014 7:53 am
Okay, I've edited my text above. Anyway, with enumerate you mean:
Using "MONOCMD_ENUMASSEMBLIES", which returns an array of QWORDs for all assemblies?
Then using "mono_getImageFromAssembly" on each assembly returned,
then using "mono_findClass" on all images returned for each assembly.
Is that the way it works? Or do I have to use another function?
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25288 Location: The netherlands
Posted: Sun Oct 05, 2014 8:42 am
Yes, but first get all domains (usually just one) to get the assemblies from.
Also, if you know the image name you can limit it to only that image (you still have to enumerate them till you find it).
Hatschi Master Cheater Reputation: 2
Joined: 28 Jan 2010 Posts: 327
Posted: Sun Oct 05, 2014 9:22 am
//fixed
Last edited by Hatschi on Sat Oct 25, 2014 3:32 pm; edited 1 time in total
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25288 Location: The netherlands
Posted: Sun Oct 05, 2014 10:23 am
jitinfo is only if you wish to know the details of a piece of assembler code.
You want the opposite: you want to find or create the assembler code,
which is why you need to find the method of the class and then compile it with MONOCMD_COMPILEMETHOD (if it's already compiled it gives the address where it currently resides).
When you get the domains, get the assemblies from those.
Then get the images from those.
Then find the class you need in one of those images.
Then find the method you need in the class you've just found.
Then compile that method.
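The domain -> assembly -> image -> class -> method -> compile walk that Dark Byte lays out in the post above, together with the image-name shortcut from his earlier reply ("you still have to enumerate them till you find it"), written out in Python as an added example. This is not code from the thread or from Cheat Engine: the MonoCollector method names are assumptions chosen to mirror the commands named in the thread, FakeCollector is an in-memory stand-in for the data collector, and every pointer and image name in it is constructed sample data. The call log makes visible how many find_class round trips the image-name filter saves, and the not-found path (find_class returning 0) is what makes the loop move on to the next image instead of stopping.

```python
from typing import List, Optional


class MonoCollector:
    """The calls the lookup needs. Method names are assumptions that mirror the
    commands named in the thread; they are not Cheat Engine's own API."""

    def enum_domains(self) -> List[int]:
        raise NotImplementedError

    def enum_assemblies(self, domain: int) -> List[int]:
        raise NotImplementedError

    def get_image_from_assembly(self, assembly: int) -> int:
        raise NotImplementedError

    def get_image_name(self, image: int) -> str:
        raise NotImplementedError

    def find_class(self, image: int, classname: str) -> int:
        raise NotImplementedError      # 0 when this image has no such class

    def find_method(self, klass: int, methodname: str) -> int:
        raise NotImplementedError      # 0 when the class has no such method

    def compile_method(self, method: int) -> int:
        raise NotImplementedError      # address of the JIT code (new or existing)


class FakeCollector(MonoCollector):
    """In-memory stand-in: one domain, three assemblies, one class of interest.
    Every pointer and name below is constructed sample data, not real output."""

    def __init__(self):
        self.domain = 0x0160
        self.assemblies = [0x0D346E30, 0x0D346DD0, 0x056D46F0]
        self.image_of = {0x0D346E30: 0xA100, 0x0D346DD0: 0xA200, 0x056D46F0: 0xA300}
        self.name_of = {0xA100: "mscorlib", 0xA200: "UnityEngine", 0xA300: "Assembly-CSharp"}
        self.classes = {(0xA300, "Player"): 0x102AB930}
        self.methods = {(0x102AB930, "TakeDamage"): 0x102ABFA8}
        self.jit = {0x102ABFA8: 0x05DD0398}
        self.calls: List[str] = []     # every command issued, in order

    def enum_domains(self):
        self.calls.append("enum_domains")
        return [self.domain]

    def enum_assemblies(self, domain):
        self.calls.append("enum_assemblies")
        return list(self.assemblies)

    def get_image_from_assembly(self, assembly):
        self.calls.append("get_image")
        return self.image_of[assembly]

    def get_image_name(self, image):
        self.calls.append("get_image_name")
        return self.name_of[image]

    def find_class(self, image, classname):
        self.calls.append("find_class")
        return self.classes.get((image, classname), 0)

    def find_method(self, klass, methodname):
        self.calls.append("find_method")
        return self.methods.get((klass, methodname), 0)

    def compile_method(self, method):
        self.calls.append("compile_method")
        return self.jit[method]


def find_method_address(col: MonoCollector, classname: str, methodname: str,
                        imagename: Optional[str] = None) -> int:
    """Domains -> assemblies -> images -> find_class -> find_method -> compile.
    With imagename set only the matching image is searched, but the assembly
    list still has to be walked to locate that image."""
    for domain in col.enum_domains():
        for assembly in col.enum_assemblies(domain):
            image = col.get_image_from_assembly(assembly)
            if imagename is not None and col.get_image_name(image) != imagename:
                continue
            klass = col.find_class(image, classname)
            if klass == 0:
                continue               # not in this image, try the next one
            method = col.find_method(klass, methodname)
            if method == 0:
                raise LookupError(f"{classname} has no method {methodname}")
            return col.compile_method(method)
    raise LookupError(f"class {classname} not found in any image")


if __name__ == "__main__":
    col = FakeCollector()
    print(hex(find_method_address(col, "Player", "TakeDamage")))
    print(col.calls)
```

Without a filter the loop issues one find_class per image and stops at the first hit; with imagename="Assembly-CSharp" it still fetches every image to compare names, but only one find_class is sent.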
Hatschi Master Cheater Reputation: 2
Joined: 28 Jan 2010 Posts: 327
Posted: Sun Oct 05, 2014 10:45 am
//fixed
Last edited by Hatschi on Sat Oct 25, 2014 3:32 pm; edited 1 time in total
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25288 Location: The netherlands
Posted: Sun Oct 05, 2014 11:07 am
This looks weird:
Code:
Int16 StringLength = classname.Length - 1;
pipeClientStream.Write(BitConverter.GetBytes(StringLength), 0, BitConverter.GetBytes(StringLength).Length);
//we send the string length as WORD
byte[] StringBytes = System.Text.Encoding.UTF8.GetBytes(classname);
pipeClientStream.Write(StringBytes, 0, StringBytes.Length);

You tell the pipe that it should expect classname.Length-1 bytes, but you send it StringBytes.Length bytes.
That will cause a misalignment when the function exits, causing the extra bytes to be interpreted as a command, and weird things can happen then.
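The findclass byte layout Dark Byte gave earlier in the thread (0x15, 8-byte image, 2-byte length, UTF-8 name, 8-byte reply) and the framing mistakes discussed in this post and the next few (a length prefix one short of the bytes actually sent, a 4-byte int where a WORD is expected, 7 image bytes instead of 8), modelled in Python as an added example. None of this is code from the thread or from Cheat Engine: the receiving side is a toy model of a byte-stream reader, built only to show what a desynchronised stream looks like; it assumes little-endian integers, and the image and class pointers are constructed sample values.

```python
import struct

# From the thread: the command byte for findclass. Everything else in this
# file (the toy collector, the pointers, the class table) is constructed.
MONOCMD_FINDCLASS = 0x15


# Assumption: integers on the pipe are little-endian (x86/x64 host).
def build_findclass_request(image: int, classname: str) -> bytes:
    """Correct framing: 1 command byte, 8-byte image, 2-byte length,
    UTF-8 class name with no terminator."""
    name = classname.encode("utf-8")
    if len(name) > 0xFFFF:
        raise ValueError("class name does not fit a 2-byte length prefix")
    return struct.pack("<BQH", MONOCMD_FINDCLASS, image, len(name)) + name


def buggy_short_length(image: int, classname: str) -> bytes:
    """The bug quoted above: length field says len-1, but all bytes are sent."""
    name = classname.encode("utf-8")
    return struct.pack("<BQH", MONOCMD_FINDCLASS, image, len(name) - 1) + name


def buggy_int32_length(image: int, classname: str) -> bytes:
    """BitConverter.GetBytes(int) yields 4 bytes; the protocol wants 2."""
    name = classname.encode("utf-8")
    return struct.pack("<BQI", MONOCMD_FINDCLASS, image, len(name)) + name


def buggy_7byte_image(image: int, classname: str) -> bytes:
    """Write(GetBytes(image), 0, 7): one image byte too few."""
    name = classname.encode("utf-8")
    return (struct.pack("<BQ", MONOCMD_FINDCLASS, image)[:8]
            + struct.pack("<H", len(name)) + name)


class CollectorModel:
    """Toy model of the receiving end of the pipe, NOT Cheat Engine's code.
    It reads a plain stream: whatever byte follows a completed command is
    taken as the next command byte, so a framing error desynchronises it."""

    def __init__(self, classes):
        self.classes = classes        # {(image, classname): class pointer}

    def process(self, stream: bytes) -> list:
        events, pos = [], 0
        while pos < len(stream):
            cmd = stream[pos]
            pos += 1
            if cmd != MONOCMD_FINDCLASS:
                # a real collector would try to execute this; we just record it
                events.append(("unknown_command", cmd))
                break
            if pos + 10 > len(stream):
                events.append(("truncated_header",))
                break
            image, n = struct.unpack_from("<QH", stream, pos)
            pos += 10
            if pos + n > len(stream):
                events.append(("truncated_name", n))
                break
            name = stream[pos:pos + n].decode("utf-8", "replace")
            pos += n
            result = self.classes.get((image, name), 0)   # 0 = not found
            events.append(("findclass", name, struct.pack("<Q", result)))
        return events


# Constructed sample: one image pointer and one class pointer, not real data.
IMAGE = 0x0D346E30
PLAYER_CLASS = 0x102AB930
COLLECTOR = CollectorModel({(IMAGE, "Player"): PLAYER_CLASS})


def reply_pointer(events) -> int:
    """Pointer from the first findclass reply, or None if there was none."""
    for e in events:
        if e[0] == "findclass":
            return struct.unpack("<Q", e[2])[0]
    return None


def demo():
    return {
        "correct": COLLECTOR.process(build_findclass_request(IMAGE, "Player")),
        "short_length": COLLECTOR.process(buggy_short_length(IMAGE, "Player")),
        "int32_length": COLLECTOR.process(buggy_int32_length(IMAGE, "Player")),
        "7byte_image": COLLECTOR.process(buggy_7byte_image(IMAGE, "Player")),
    }


if __name__ == "__main__":
    for case, events in demo().items():
        print(case, events)
```

Only the correctly framed request returns the class pointer. The short length prefix makes the reader look up "Playe", answer 0, and then consume the trailing "r" as the next command; the 4-byte length leaves two zero bytes that are read as the start of the name and pushes the real tail of the name into the command position; the 7-byte image pulls the first length byte into the pointer and the first name byte into the length, so the reader waits for a name of 0x5000 bytes. That is the "misalignment ... interpreted as a command" Dark Byte describes, made visible.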
Hatschi Master Cheater Reputation: 2
Joined: 28 Jan 2010 Posts: 327
Posted: Sun Oct 05, 2014 12:35 pm
Yeah, it contained a few coding mistakes. Now it seems to work fine. At least it doesn't crash; it crashes later.
I've used the Lua file to give me some output from CE:
Code:
Assembly 1 : D586E30
Assembly 2 : D586DD0
Assembly 3 : D586EF0
Assembly 4 : D586CB0
Assembly 5 : D586D10
Assembly 6 : D4546B8
Assembly 7 : D454658
Assembly 8 : 572B208
Assembly 9 : 573EEB0
Assembly a : 56B46F0
Assembly b : 5726660
Assembly c : 571DFD8
Assembly d : 56A3F80
classBase a =d9cb930
method =d9cbfa8
compile method =5da17f8

And my result is:
Code:
Assembly 1 : D586E30
Assembly 2 : D586DD0
Assembly 3 : D586EF0
Assembly 4 : D586CB0
Assembly 5 : D586D10
Assembly 6 : D4546B8
Assembly 7 : D454658
Assembly 8 : 572B208
Assembly 9 : 573EEB0
Assembly 10 : 56B46F0
Assembly 11 : 5726660
Assembly 12 : 571DFD8
Assembly 13 : 56A3F80
classBase 0 = 6C6D582E6D657473
It crashes on finding the method, but given this classbase I'm NOT surprised.
First, the base address of the class looks weird to me, and second, the class should be found at class #10. So the problem should still be located in the "Mono_image_findClass" function.
Because of syntax highlighting I've uploaded it to pastebin now for a better overview:
http://pastebin.com/4YrGzXkt
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25288 Location: The netherlands
Posted: Sun Oct 05, 2014 1:14 pm
BitConverter.GetBytes(StringBytes.Length).Length might not be 2
Hatschi Master Cheater Reputation: 2
Joined: 28 Jan 2010 Posts: 327
Posted: Sun Oct 05, 2014 1:24 pm
Yep, and "pipeClientStream.Write(BitConverter.GetBytes(image), 0, 7)" should be "pipeClientStream.Write(BitConverter.GetBytes(image), 0, " instead. I got confused because memory streams, or arrays in general, start at 0; that's why I tend to add a -1 or so behind it.
Anyway, it looks like I was successful:
Code:
Assembly 1 : D346E30
Assembly 2 : D346DD0
Assembly 3 : D346EF0
Assembly 4 : D346CB0
Assembly 5 : D346D10
Assembly 6 : D2146B8
Assembly 7 : D214658
Assembly 8 : 574B1F0
Assembly 9 : 575EE98
Assembly 10 : 56D46F0
Assembly 11 : 5746648
Assembly 12 : 573DFC0
Assembly 13 : 56C3F80
classBase 9 = 102AB930
method = 102ABFA8 =
compile method = 5DD0398 =
Assembly 1 : d346e30
Assembly 2 : d346dd0
Assembly 3 : d346ef0
Assembly 4 : d346cb0
Assembly 5 : d346d10
Assembly 6 : d2146b8
Assembly 7 : d214658
Assembly 8 : 574b1f0
Assembly 9 : 575ee98
Assembly a : 56d46f0
Assembly b : 5746648
Assembly c : 573dfc0
Assembly d : 56c3f80
classBase a =102ab930
method =102abfa8
compile method =5dd0398
Thanks for your help. Although it's not your coding language, you have helped me a lot. I don't think I would have got it without your help.