Cheat Engine

Hatschi

Has anyone actually tried using the pipe of the monocollector in C#? I'm curious in how it works. I've taken a look at the lua file of the mono collector but it doesn't helped me much at this point.

Dark Byte · Posted: Wed Sep 24, 2014 4:42 am Post subject:

Check out the C part of the monocollector
Pipeserver.cpp

Anyhow, it creates a named pipe called :"\\.\pipe\cemonodc_pid#" where # is the current processid of the process it's in

The name is setup at PipeServer.cpp#32
the pipe is created at PipeServer.cpp#47 (based on your previous request for timeouts, this is where you have to change that, and obviously all other places that do not expect timeouts to occur)

The communication protocol is sadly enough pretty much undocumented, but it's a very basic protocol so shouldn't be too hard to figure out.

Message handling happens at PipeServer.cpp#534

two examples:
InitMono: (command 0)
PipeServer.cpp#62 takes no additional parameters, but it returns a QWORD with the address of the mono dll

So to use it send a 0, and then receive 8 bytes

--
Object_GetClass (Command 1)
PipeServer.cpp#187

takes one parameter. An implemented object, whose address is passed in as a QWORD (You'll find all address specifiers are implemented as a qword because it's the lowest common denominator)

If it succeeds it returns the address of the class (qword) the length of the classname (word) and the name of the class (char*classnamelength)

If it fails it only returns the address 0, but NO name. It won't even send a namelength of 0

So to use it:
Send a 1 and then receive 8 bytes (qword)
if it's 0, that's it. if it's not 0, then read 2 bytes (word) allocate space for a string of that size+1, and then read that string into that space(You will have to 0 extend the string yourself, it's not part of the message)

Just check the lua part that has this fully implemented

Hatschi · Posted: Wed Sep 24, 2014 5:03 am Post subject:

Thanks that was very helpful to understand the theory. Now I need to find out how I call (or read) the pipe after injecting the DLL. The examples on MSDN are either for c++ to c++ or c# to c# but not from c++ to c# or vice versa.

Once I had injected the dll i got the handle of it (also the start address). But from there I have no idea how to communicate over the pipe.

If anyone has an idea, feel free to post it here.

Dark Byte · Posted: Wed Sep 24, 2014 5:10 am Post subject:

Just experiment with named pipes in C# and then apply that on the named pipe for the mono data collector

Imagine writing a program in C# that connects a pipe to a closed source application. It doesn't matter that you don't know what language the original program is written it, as long as you manage to send bytes in and receive bytes from it you're fine

Some basic info:
The process the dll is injected in is the pipe server, so you only have to write the c# client
It's setup to use a byte based communication protocol (not message based)
It uses an infinite timeout, so you can take as long as you wish when debugging.

Hatschi · Posted: Wed Sep 24, 2014 5:51 am Post subject:

When I'm trying to connect to the pipe it says it cannot find the path. Are you sure the pipe server name is "\\.\pipe\cemonodc_pid#" where # is the process ID as integer?

Dark Byte · Posted: Wed Sep 24, 2014 6:10 am Post subject:

yes.
Of course, that's the low level name, perhaps you just need cemonodc_pid#

If you do need the path, make sure that the string formatting is done properly. e.g in C string format it'd be "\\\\.\\pipe\\cemonodc_pid#"

Hatschi · Posted: Wed Sep 24, 2014 2:52 pm Post subject:

"cemonodc_pid3390" (3390 is the PID of the process) I've tried that already as well as "pipe\\ cemonodc_pid3390" and "\\.\\pipe\\cemonodc_pid3390" Everything like that, it still claims that no path like this exist.

is there any way to print out the name?

Dark Byte · Posted: Wed Sep 24, 2014 7:40 pm Post subject:

the pipename then has to be \\.\pipe\cemonodc_pid3390

Hatschi · Posted: Thu Sep 25, 2014 4:18 am Post subject:

//fixed

Dark Byte · Posted: Thu Sep 25, 2014 4:30 am Post subject:

Create your own named pipe server in c# and see if you can get that to work

Anyhow, from reading the msdn the servername you provide is testpipe. I think you want to use "." instead , and then give as name cemonodc_pid#
http://msdn.microsoft.com/en-us/library/bb355390(v=vs.110).aspx

Or use the version where you only give the pipename without providing the servername
http://msdn.microsoft.com/en-us/library/bb340152(v=vs.110).aspx

Hatschi · Posted: Sun Oct 05, 2014 5:35 am Post subject:

//edit: nevermind. It works flawless now.

What do you mean with "An implemented object, whose address is passed in as a QWORD". Can you give me an example what to pass to receive the address of the class?

Dark Byte · Posted: Sun Oct 05, 2014 5:47 am Post subject:

open monoscript.lua and replace

Dark Byte · Posted: Sun Oct 05, 2014 5:57 am Post subject:

Hatschi · Posted: Sun Oct 05, 2014 6:04 am Post subject:

So there is no way I could send for example

"HUD_OverheadStatusContainer:Reposition" (as string or converted to array of bytes or whatever) to get the address of this class? I wonder because this way the memory viewer jumps to when I enter this as address. This is what I'm trying to do. Receive the address of the class by knowing its name.

Dark Byte · Posted: Sun Oct 05, 2014 6:11 am Post subject:

First split up that string into a classname and methodname
classname=HUD_OverheadStatusContainer
methodname=Reposition

you can use MONOCMD_FINDCLASS to find the class named "HUD_OverheadStatusContainer"

Then call MONOCMD_FINDMETHOD with the class and "Reposition" to get the method describer of Reposition

Then call MONOCMD_COMPILEMETHOD with that method describer to get the address of that method, or to compile it if it wasn't jitted yet

Check monoscript.lua on how it does that