Cheat Engine The Official Site of Cheat Engine
Csimbi (I post too much; Reputation: 94; Joined: 14 Jul 2007; Posts: 3108)
Posted: Thu Nov 23, 2017 7:40 am. Post subject: Differentiating identical generated code
Hiya!
So, I am working on an AOB script.
The game is Unity-based, so you know what that means: code is generated on the go.
I reversed everything real nice, but there is a problem: the identical code occurs at three+ different places - and unfortunately, the real one is the second one.
So, I would need a way to find that.
The function call itself is pretty long and the two instances of it differ only in jump offsets and dynamic addresses - both of which you need to have a wildcard for or else the code won't be found the next time.
I tried including bytes before and bytes after, but it's all padding and that's not quite reliable.
Is there a technique to check that I found the right code?
Dunno, maybe:
- do AOB scan
- check that some dynamic offsets are within expected range
- if not, continue the AOB scan where we left off (or, start another scan at the same address +1byte in a loop).
Thanks!

ParkourPenguin (I post too much; Reputation: 140; Joined: 06 Jul 2014; Posts: 4289)
Posted: Thu Nov 23, 2017 9:42 am. Post subject:
Changing the bytecode before it's compiled would be nice.
The caller could have a good AoB signature.
If it's always the second one:
Code:
[ENABLE]
{$lua}
if syntaxcheck then return end
-- '+X' limits the scan to executable memory; AOBScan returns nil when nothing matches
local res = assert(AOBScan('12 34 ?? ?? ab cd', '+X'), 'No results found')
assert(res.Count >= 2, 'Not enough results found')
-- the result list is zero-based, so res[1] is the second hit
registerSymbol('INJECT', res[1])
res.destroy()
{$asm}
// ...
[DISABLE]
unregistersymbol(INJECT)
// ...
If it's not always the second one, modify the above code to check for discrepancies and return the one that's correct.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
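One way to implement the check both of the posts above describe (run the scan, test a dynamic offset inside each hit against an expected range, and skip the hits that fail), written here as an added example rather than code from either poster. The signature, the position of the `E8` call inside the match and the distance window are placeholders to be taken from your own disassembly; the example assumes `readInteger` may hand back the raw dword, so it fixes up the sign of the rel32 itself.

```lua
[ENABLE]
{$lua}
if syntaxcheck then return end

-- Placeholders (not from the thread): fill in from your own disassembly.
local PATTERN     = '12 34 ?? ?? ab cd'   -- the signature that matches in several places
local CALL_OFFSET = 0x12                  -- offset of the E8 call within each match
local LO, HI      = 0x10000, 0x10000000   -- plausible distance from match to call target

-- Reads a rel32 displacement as a signed value; readInteger is assumed to
-- return an unsigned dword, so values >= 2^31 are wrapped by hand.
local function readRel32(addr)
  local v = readInteger(addr)
  if v == nil then return nil end
  if v >= 0x80000000 then v = v - 0x100000000 end
  return v
end

-- True when the byte at match+CALL_OFFSET is an E8 call whose target lies
-- within [LO, HI] bytes of the match itself.
local function looksRight(match)
  if readBytes(match + CALL_OFFSET, 1) ~= 0xE8 then return false end
  local rel = readRel32(match + CALL_OFFSET + 1)
  if rel == nil then return false end
  local target = match + CALL_OFFSET + 5 + rel
  local dist = math.abs(target - match)
  return dist >= LO and dist <= HI
end

local res = assert(AOBScan(PATTERN, '+X'), 'No results found')
local chosen
for i = 0, res.Count - 1 do            -- StringList indexing is zero-based
  local addr = tonumber(res[i], 16)    -- each entry is a hex address string
  if looksRight(addr) then chosen = addr break end
end
res.destroy()
assert(chosen, 'No candidate passed the offset check')
registerSymbol('INJECT', chosen)
{$asm}
// ...
[DISABLE]
unregistersymbol(INJECT)
// ...
```

The rel32 test is just one structural check; any property that differs between the real instance and its look-alikes (a constant loaded nearby, the module a target falls in) can replace `looksRight` without changing the loop.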

Zanzer (I post too much; Reputation: 126; Joined: 09 Jun 2013; Posts: 3278)
Posted: Thu Nov 23, 2017 8:36 pm. Post subject:
You could always enable the Mono dissector and go directly to the named method.
I was able to use the mono_class_get_method_from_name call to retrieve the MonoMethod pointer.
I'm not sure if you're able to then resolve that further into the actual memory address.

panraven (Grandmaster Cheater; Reputation: 55; Joined: 01 Oct 2008; Posts: 942)
Posted: Fri Nov 24, 2017 2:57 am. Post subject:
Hopefully this is useful,
Progressive Aobscan
http://forum.cheatengine.org/viewtopic.php?p=5733312#5733312
===== I guess the following is a wrong response
If it is about overloaded functions, there may be some info by searching for mono_method_getSignature or mono_class_findMethodByDesc in the forum.
mono_class_findMethodByDesc is easier to use; I wrap the function below and show some examples. The example assembly is Particle Fleet Emergence.
It may need a .NET decompiler for better reference.
Code:
-- start the mono data collector if the target has the mono runtime loaded
if readInteger'mono_domain_get' then pcall(LaunchMonoDataCollector) end
-- look a method up by its description; assemblyname may be an image handle (number),
-- a ';'-separated list of assembly names, or nil for the usual Unity assemblies
function findMethByDesc (methoddesc, assemblyname)
  if type(assemblyname)=='number' then
    local try = mono_class_findMethodByDesc(assemblyname, methoddesc)
    return try and try~=0 and try
  end
  local assemblies = mono_enumAssemblies()
  local assm = ';'..(assemblyname or
    'Assembly-CSharp;UnityEngine;Assembly-UnityScript;Assembly-CSharp-firstpass'):lower()..';'
  for i=1, #assemblies do
    local image = mono_getImageFromAssembly(assemblies[i])
    local imagename = mono_image_get_name(image)
    if assm:find(';'..imagename:lower()..';',1,true) then
      local try = mono_class_findMethodByDesc(image, methoddesc)
      if try and try~=0 then return try,imagename end
    end
  end
  return nil
end
-- same lookup, but JIT the method and return the address of the compiled code
function jitMethByDesc (methoddesc, assemblyname)
  local meth = findMethByDesc (methoddesc, assemblyname)
  return meth and meth~=0 and mono_compile_method(meth) or nil
end
--
print(0,findMethByDesc'ClipperLib.ClipperBase:.ctor') -- use . instead of : between ns and class
print(1,findMethByDesc"*:.ctor(single)")-- wildcard for ns and class (can omit for both) but not args; only use if it gives a unique match
print(2,findMethByDesc"GameSpace:LoadGame")-- () and args can be omitted; not unique for overloaded functions
print(3,findMethByDesc"GameSpace:LoadGame(string,bool,bool,GameSpace/CATEGORY,int)") -- seems / is the type separator for enum?, . for class? see last examples
print(4,findMethByDesc"GameSpace:LoadGame(ProceduralMap,bool,GameSpace/CATEGORY,int)") -- overloaded
print(5,findMethByDesc"GameSpace:LoadGame(string,ProceduralMap,bool,bool,GameSpace/CATEGORY,int)") -- overloaded
print(6,findMethByDesc":GetTimeStringSeconds(single,bool)")-- some decompilers use a different type name, e.g. float->single
print(7,findMethByDesc":get_MAX_ENERGY")-- getter
print('x-nested class',findMethByDesc"EffectManager+<Delay>c__Iterator10:.ctor")-- does not work for nested classes
-- more examples for the type separator
print(9,findMethByDesc":.ctor(UnityEngine.Texture2D)")-- ok
print('x-differet-type-separator',findMethByDesc":.ctor(UnityEngine/Texture2D)")-- failed
-- note: case-sensitive and exact, e.g. no spacing between args after ","
-- output:
0 953941264 Assembly-CSharp
1 953943704 Assembly-CSharp
2 204254064 Assembly-CSharp
3 204254064 Assembly-CSharp
4 204254096 Assembly-CSharp
5 204254128 Assembly-CSharp
6 204189840 Assembly-CSharp
7 204253456 Assembly-CSharp
x-nested class
9 953935960 Assembly-CSharp
x-differet-type-separator
bye~
_________________
- Retarded.