Calling CE lua function from inside target process

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Lua Scripting
View previous topic :: View next topic  
Author Message
Dark Byte
PostPosted: Wed Sep 06, 2017 8:21 pm    Post subject: Calling CE lua function from inside target process Reply with quote

This code uses the first real step of the 32-bit Cheat Engine tutorial (the health-decrease step) as its example.

When you click Next in step 2, the hook reports the original health (after the decrease) and then changes it to 1000.

The easiest method is the CELUA_ExecuteFunction function. It is a bit slow, but it does the trick:
Code:

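{$lua}
-- Called from inside the target process (through the injected luaclient DLL)
-- with the current health value. Runs in CE's own Lua state, so GUI calls such
-- as showMessage are allowed here. The return value becomes the new health.
function myfunction(h)
  showMessage('Your health was '..h)
  return 1000
end
{$asm}

// Everything above [ENABLE] is executed for both enable and disable.
// luaclient-i386.dll is injected into the 32-bit target and connects back to the
// Lua server CE opens here; CELUA_ServerName is the DLL's exported name buffer.
// NOTE(review): openLuaServer exposes a local IPC endpoint that executes Lua in
// CE's process. Anything that can reach that endpoint gets the same access; confirm
// who can connect before using this on a shared machine.
loadlibrary(luaclient-i386.dll)
luacall(openLuaServer('CELUASERVER'))

CELUA_ServerName:
db 'CELUASERVER',0

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

// Lua source that CE evaluates on every call from the hook. 32 bytes holds the
// 28-character string plus its terminating zero. Allocated here rather than above
// [ENABLE] so it is not allocated a second time on disable.
// NOTE(review): this buffer lives in the target process and CE executes it as Lua
// source, so anything able to write the target's memory chooses what CE runs.
// Keep this pattern for targets you trust.
alloc(str_myfunction,32)

str_myfunction:
db 'return myfunction(parameter)',0

// Pattern: call; lea edx,[eax+1]; mov eax,[ebx+480]; sub eax,edx; mov [ebx+480],eax
// myhook+10 is the final 6-byte store, replaced below by a 5-byte jmp plus one nop.
// Numbers in the auto assembler are hex: [ebx+00000480] matches the 80 04 00 00 bytes.
aobscan(myhook,e8 * * * * 8d 50 01 8b 83 80 04 00 00 29 d0 89 83 80 04 00 00)
registersymbol(myhook)

alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
// ecx/edx may be clobbered by the call, so they are preserved. eax is deliberately
// NOT restored: the hook stores the Lua result instead of the game's decreased value.
push edx
push ecx

push eax              // integer argument; the Lua code sees it as "parameter"
push str_myfunction   // pointer to the Lua source above
call CELUA_ExecuteFunction   // eax = result of the Lua function (1000 here)

pop ecx
pop edx

originalcode:
mov [ebx+00000480],eax   // write the returned value back as health

exit:
jmp returnhere

myhook+10:
jmp newmem
nop
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
dealloc(str_myfunction)
myhook+10:
mov [ebx+00000480],eax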



An alternative, more complex but faster method is the call-by-reference method (CELUA_ExecuteFunctionByReference). It is faster, supports more than one parameter, and allows asynchronous execution if wanted (remember: no GUI updates from async code).

Code:

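{$lua}
-- Invoked through a cached Lua reference (resolved once by
-- CELUA_GetFunctionReferenceFromName below) with the current health value.
-- Runs in CE's Lua state, so showMessage is allowed; returns the new health.
function myfunction(h)
  showMessage('Your health was '..h)
  return 1000
end
{$asm}

// Everything above [ENABLE] is executed for both enable and disable.
// luaclient-i386.dll is injected into the 32-bit target and connects back to the
// Lua server CE opens here; CELUA_ServerName is the DLL's exported name buffer.
// NOTE(review): openLuaServer exposes a local IPC endpoint that executes Lua in
// CE's process; confirm who can connect before using this on a shared machine.
loadlibrary(luaclient-i386.dll)
luacall(openLuaServer('CELUASERVER'))

CELUA_ServerName:
db 'CELUASERVER',0

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
//Alternate call by ref example:

// functionid caches the reference id; 0 means "not resolved yet". It is allocated
// under [ENABLE] so every enable starts at 0 and re-resolves the function the
// {$lua} block has just (re)defined.
alloc(functionid,4)
alloc(functionname,16)

functionid:
dd 0

functionname:
db 'myfunction',0

// Pattern: call; lea edx,[eax+1]; mov eax,[ebx+480]; sub eax,edx; mov [ebx+480],eax
// myhook+10 is the final 6-byte store, replaced by a 5-byte jmp plus one nop.
aobscan(myhook,e8 * * * * 8d 50 01 8b 83 80 04 00 00 29 d0 89 83 80 04 00 00)
registersymbol(myhook)

alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
label(hasrefid)

newmem: //this is allocated memory, you have read,write,execute access
// ecx/edx are preserved around the calls; eax is deliberately left holding the
// Lua result so the store at originalcode writes it as the new health.
push edx
push ecx

mov ecx,[functionid]
test ecx,ecx
jne short hasrefid

//no reference yet
push eax //save eax as the function result will change it
push functionname
call CELUA_GetFunctionReferenceFromName  //Basically calls createRef(functionname) and returns the value
mov [functionid],eax //store the functionid so it doesn't have to be generated again
mov ecx,eax //ecx has the functionid

pop eax //restore

hasrefid:

// Build the parameter list on the stack: one 32-bit slot holding the health.
push ebp
mov ebp,esp
sub esp,4 //allocate space for 1 parameter
mov [ebp-4],eax //parameter 1 (health)

push 0 //0 because the gui is touched (use 1 if async)
lea edx,[ebp-4]
push edx //address of the parameter list
push 1 //number of parameters (1)
push ecx //functionid reference

call CELUA_ExecuteFunctionByReference

//afterwards EAX will contain the result value of the function

// Restoring esp from ebp drops the arguments and the parameter slot regardless of
// who cleans up the call.
mov esp,ebp
pop ebp

pop ecx
pop edx

originalcode:
mov [ebx+00000480],eax   // hex offset; writes the returned value as health

exit:
jmp returnhere

myhook+10:
jmp newmem
nop
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
// NOTE(review): the Lua-side reference created on first call is not released by
// this script; presumably it lives in CE until a matching destroy call — confirm.
dealloc(newmem)
dealloc(functionid)
dealloc(functionname)
myhook+10:
mov [ebx+00000480],eax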

Dark Byte
PostPosted: Mon Sep 11, 2017 5:55 pm    Post subject: Reply with quote

This is the code for the 64-bit tutorial.

First the CELUA_ExecuteFunction method:
Code:

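{$lua}
-- Called from inside the 64-bit target (through the injected luaclient DLL) with
-- the current health value. Runs in CE's Lua state, so showMessage is allowed.
-- The return value becomes the new health.
function myfunction(h)
  showMessage('Your health was '..h)
  return 1000
end
{$asm}


// Everything above [ENABLE] is executed for both enable and disable.
// NOTE(review): openLuaServer exposes a local IPC endpoint that executes Lua in
// CE's process; confirm who can connect before using this on a shared machine.
loadlibrary(luaclient-x86_64.dll)
luacall(openLuaServer('CELUASERVER'))

CELUA_ServerName:
db 'CELUASERVER',0

[ENABLE]
// newmem is placed near the module so the 5-byte rel32 jmp at myhook can reach it.
alloc(newmem,2048,"Tutorial-x86_64.exe"+2B227)

// Lua source CE evaluates on every call (28 chars + terminator fits in 32 bytes).
// Allocated under [ENABLE] so it is not allocated again on disable.
// NOTE(review): this buffer lives in the target process and CE executes it as Lua
// source, so anything able to write the target's memory chooses what CE runs.
alloc(str_myfunction,32)

str_myfunction:
db 'return myfunction(parameter)',0

// Pattern: call; lea edx,[eax+1]; sub [rbx+790],edx; mov edx,[rbx+790]
// myhook+9 is the 6-byte sub, replaced below by a 5-byte jmp plus one nop.
aobscan(myhook,e8 * * * * 67 8d 50 01 29 93 90 07 00 00 8b 93 90 07 00 00)
registersymbol(myhook)

label(returnhere)
label(originalcode)
label(exit)

newmem:
// 0x60 bytes: [rsp+0..1F] is the 32-byte shadow space Win64 callees may use,
// [rsp+20..57] holds the saved registers. 0x60 is a multiple of 16, so this keeps
// the alignment the hooked code had — assumes rsp is 16-byte aligned here (TODO confirm).
sub rsp,60 //allocate space for the old registers and the function call (and keep 16 byte alignment)

//save registers (though not needed in this example as they are not used afterwards, but just showing how)
// rcx, rdx, r8-r11 and rax are volatile under the Win64 ABI. xmm0-xmm5 are volatile
// too and are NOT preserved here; confirm the hooked code does not rely on them.
mov [rsp+20],rcx
mov [rsp+28],rdx
mov [rsp+30],r8
mov [rsp+38],r9
mov [rsp+40],r10
mov [rsp+48],r11
mov [rsp+50],rax


mov rcx, str_myfunction //(The lua function will have access to the variable passed by name "parameter")
mov edx,[rbx+00000790] //parameter (in this case old health)
call CELUA_ExecuteFunction // or CELUA_ExecuteFunctionAsync if you don't need GUI access or want to handle it yourself

mov [rbx+790],eax //set health to the return value of the function (hex offset)


//restoring the possibly changed registers
mov rcx,[rsp+20]
mov rdx,[rsp+28]
mov r8,[rsp+30]
mov r9,[rsp+38]
mov r10,[rsp+40]
mov r11,[rsp+48]
mov rax,[rsp+50]
add rsp,60 //free stackspace


originalcode:
// The original sub is intentionally skipped: the Lua result replaces the decrease.
//sub [rbx+00000790],edx

exit:
jmp returnhere

myhook+9:
jmp newmem
nop
returnhere:


[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
dealloc(str_myfunction)
myhook+9:
sub [rbx+00000790],edx
//Alt: db 29 93 90 07 00 00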


and here the CELUA_ExecuteFunctionByReference version:
Code:

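{$lua}
-- Invoked through a cached Lua reference (resolved once by
-- CELUA_GetFunctionReferenceFromName below) with the current health value.
-- Runs in CE's Lua state, so showMessage is allowed; returns the new health.
function myfunction(h)
  showMessage('Your health was '..h)
  return 1000
end
{$asm}


// Everything above [ENABLE] is executed for both enable and disable.
// NOTE(review): openLuaServer exposes a local IPC endpoint that executes Lua in
// CE's process; confirm who can connect before using this on a shared machine.
loadlibrary(luaclient-x86_64.dll)
luacall(openLuaServer('CELUASERVER'))

CELUA_ServerName:
db 'CELUASERVER',0

{
//luacall call example:
//Make sure rsp is aligned on a 16-byte boundary when calling this function
mov rcx, addresstostringwithfunction //(The lua function will have access to the variable passed by name "parameter")
mov rdx, integervariableyouwishtopasstolua
sub rsp,20
call CELUA_ExecuteFunction // or CELUA_ExecuteFunctionAsync if you don't need GUI access or want to handle it yourself
add rsp,20

//------
//Alternate call by ref example:

mov ecx,[addresswithluafunctionidstored]
test ecx,ecx
jne short hasrefid

mov rcx,addresswithluafunctionname
call CELUA_GetFunctionReferenceFromName  //Basically calls createRef(functionname) and returns the value
mov [addresswithluafunctionidstored],eax
mov ecx,eax

hasrefid:
mov edx,numberofparameterstopass
mov r8,addresswithparameterlist  //could be the stack.  e.g lea r8,[rsp+8]
//in 64-bit every parameter slot is 8 bytes, so the slots are at +0, +8, +10, ...
mov [r8],param1
mov [r8+8],param2
mov [r8+10],param3
//...
mov r9,0 //0=no async, 1=async.  Use async if you do not wish to update the GUI. Faster
call CELUA_ExecuteFunctionByReference

When done RAX will contain the result of the lua function
And as per 64-bit calling convention, RCX, RDX, R8, R9, R10, R11 may have been altered. So save/restore them beforehand
}
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

// functionid caches the reference id; 0 means "not resolved yet". Allocated under
// [ENABLE] so every enable starts at 0 and re-resolves the function the {$lua}
// block has just (re)defined, and so nothing is allocated again on disable.
alloc(functionid,4)
alloc(functionname,16)

functionid:
dd 0

functionname:
db 'myfunction',0

// newmem is placed near the module so the 5-byte rel32 jmp at myhook can reach it.
alloc(newmem,2048,"Tutorial-x86_64.exe"+2B227)

// Pattern: call; lea edx,[eax+1]; sub [rbx+790],edx; mov edx,[rbx+790]
// myhook+9 is the 6-byte sub, replaced below by a 5-byte jmp plus one nop.
aobscan(myhook,e8 * * * * 67 8d 50 01 29 93 90 07 00 00 8b 93 90 07 00 00)
registersymbol(myhook)

label(returnhere)
label(originalcode)
label(exit)
label(hasrefid)

newmem:
// 0x60 bytes: [rsp+0..1F] is the 32-byte Win64 shadow space, [rsp+20..57] the
// saved registers, [rsp+58] the one-entry parameter list. 0x60 is a multiple of 16,
// so alignment is kept — assumes rsp is 16-byte aligned at the hook (TODO confirm).
sub rsp,60 //allocate space for the old registers and the function call, and the paramlist (and keep 16 byte alignment)

//save registers (though not needed in this example as they are not used afterwards, but just showing how)
// xmm0-xmm5 are volatile under Win64 as well and are NOT preserved here.
mov [rsp+20],rcx
mov [rsp+28],rdx
mov [rsp+30],r8
mov [rsp+38],r9
mov [rsp+40],r10
mov [rsp+48],r11
mov [rsp+50],rax

//[rsp+58]=paramlist

mov ecx,[functionid]
test ecx,ecx
jne short hasrefid

//no reference yet
mov rcx,functionname
call CELUA_GetFunctionReferenceFromName  //Basically calls createRef(functionname) and returns the value
mov [functionid],eax
mov ecx,eax

hasrefid:
//here ecx contains the referenceid
mov edx,1
lea r8,[rsp+58]
mov eax,[rbx+790]  // hex offset; the 32-bit load zero-extends into rax
mov [r8],rax //in 64-bit the parameters are 64-bit as well

mov r9,0 //0=no async, 1=async. In our case 0 because of showMessage
call CELUA_ExecuteFunctionByReference

mov [rbx+790],eax //set health to the return value of the function

//restoring the possibly changed registers
mov rcx,[rsp+20]
mov rdx,[rsp+28]
mov r8,[rsp+30]
mov r9,[rsp+38]
mov r10,[rsp+40]
mov r11,[rsp+48]
mov rax,[rsp+50]
add rsp,60 //free stackspace

originalcode:
// The original sub is intentionally skipped: the Lua result replaces the decrease.
//sub [rbx+00000790],edx

exit:
jmp returnhere

myhook+9:
jmp newmem
nop
returnhere:


[DISABLE]
//code from here till the end of the code will be used to disable the cheat
// NOTE(review): the Lua-side reference created on first call is not released by
// this script; presumably it lives in CE until a matching destroy call — confirm.
dealloc(newmem)
dealloc(functionid)
dealloc(functionname)
myhook+9:
sub [rbx+00000790],edx
//Alt: db 29 93 90 07 00 00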
