Cheat Engine - The Official Site of Cheat Engine
Kronogenics (Advanced Cheater, Reputation: 0, Joined: 01 Dec 2016, Posts: 82)
Posted: Sat Mar 03, 2018 5:50 pm, Post subject: Create thread function call causing crash
The function that I am trying to call:
Code:
1F9F487BA90 - push rbp
1F9F487BA91 - mov rbp,rsp
1F9F487BA94 - sub rsp,70 { 112 }
1F9F487BA98 - mov [rbp-10],rsi
1F9F487BA9C - mov [rbp-08],rdi
1F9F487BAA0 - mov rsi,rcx
1F9F487BAA3 - xor eax,eax
1F9F487BAA5 - mov [rbp-40],rax
1F9F487BAA9 - mov [rbp-38],rax
1F9F487BAAD - mov [rbp-30],rax
1F9F487BAB1 - mov r11,000001F9B9B2A370 { [F75EABE8] }
1F9F487BABB - call r11
1F9F487BABE - mov rcx,rax
1F9F487BAC1 - cmp dword ptr [rax],00 { 0 }
1F9F487BAC4 - mov r11,000001F9F487BB83 { [232] }
1F9F487BACE - call r11
1F9F487BAD1 - mov rdx,rbp
1F9F487BAD4 - add rdx,-40 { 192 }
1F9F487BAD8 - mov rcx,rax
1F9F487BADB - cmp dword ptr [rax],00 { 0 }
1F9F487BADE - mov r11,000001F9F487BB75 { [232] }
1F9F487BAE8 - call r11
1F9F487BAEB - jmp 1F9F487BB0A
1F9F487BAED - nop
1F9F487BAF0 - mov rdi,[rbp-30]
1F9F487BAF4 - mov rcx,rsi
1F9F487BAF7 - mov rdx,rdi
1F9F487BAFA - xor r8d,r8d
1F9F487BAFD - mov r11,000001F9B9C9DDD2 { [18920] }
1F9F487BB07 - call r11
1F9F487BB0A - mov rcx,rbp
1F9F487BB0D - add rcx,-40 { 192 }
1F9F487BB11 - mov r11,000001F9F487BB67 { [232] }
1F9F487BB1B - call r11
1F9F487BB1E - test eax,eax
1F9F487BB20 - jne 1F9F487BAF0
1F9F487BB22 - sub rsp,08 { 8 }
1F9F487BB26 - call 1F9F487BB31
1F9F487BB2B - add rsp,08 { 8 }
1F9F487BB2F - jmp 1F9F487BB49
1F9F487BB31 - mov [rbp-18],rsp
1F9F487BB35 - sub rsp,20 { 32 }
1F9F487BB39 - mov rax,rbp
1F9F487BB3C - add rax,-40 { 192 }
1F9F487BB40 - mov [rbp-48],rax
1F9F487BB44 - mov rsp,[rbp-18]
1F9F487BB48 - ret
1F9F487BB49 - mov rsi,[rbp-10]
1F9F487BB4D - mov rdi,[rbp-08]
1F9F487BB51 - lea rsp,[rbp+00]
1F9F487BB55 - pop rbp
1F9F487BB56 - ret
The code I am using to call it:
Code:
[enable]
alloc(MyCode,1024)
CreateThread(MyCode)
MyCode:
call 1F9F487BA90
ret
[disable]
dealloc(mycode)
But, it is causing an instant crash, and it's probably something simple but I'm not sure what's going wrong. The game doesn't have anti-cheat, as far as I know at least.
Dark Byte (Site Admin, Reputation: 458, Joined: 09 May 2003, Posts: 25288, Location: The Netherlands)
Posted: Sat Mar 03, 2018 6:30 pm
I think you need to set rcx to a proper address.
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.
Kronogenics (Advanced Cheater, Reputation: 0, Joined: 01 Dec 2016, Posts: 82)
Posted: Sat Mar 03, 2018 6:42 pm
I'm not really sure what I should set rcx to, though. I say that because the game is a Unity game, and the function looks like this if you look at it with ILSpy:
Code:
public void UnlockAllBlocks()
{
foreach (BlockMetadata value in BKNNIAIEKGI.LPEHBPMCDHN.Values)
{
this.TryUnlockBlockType(value, false);
}
}
It doesn't take any arguments. Any idea what I should set it to?
But I will poke around and see if I can get it working! Thanks!
Edit: These are the relevant portions of the output.log when it does crash.
Code:
Write to location 00000000 caused an access violation.
Context:
RDI: 0x00000000 RSI: 0x00000000 RAX: 0xecd90000
RBX: 0x00000000 RCX: 0x00000000 RDX: 0xecd90000
RIP: 0xecd90001 RBP: 0x00000000 SegCs: 0x00000033
EFlags: 0x00010246 RSP: 0x4c8ff940 SegSs: 0x0000002b
R8: 0x00000000 R9: 0xecd90000 R10: 0x00000000
R11: 0x00000000 R12: 0x00000000 R13: 0x00000000
R14: 0x00000000 R15: 0x00000000
TheyCallMeTim13 (Wiki Contributor, Reputation: 50, Joined: 24 Feb 2017, Posts: 976, Location: Pluto)
Posted: Sat Mar 03, 2018 11:47 pm
Kronogenics wrote:
I'm not really sure what I should set rcx to, though. I say that because the game is a Unity game, and the function looks like this if you look at it with ILSpy:
Code:
public void UnlockAllBlocks()
{
foreach (BlockMetadata value in BKNNIAIEKGI.LPEHBPMCDHN.Values)
{
this.TryUnlockBlockType(value, false);
}
}
It doesn't take any arguments. Any idea what I should set it to?
But I will poke around and see if I can get it working! Thanks!
Edit: These are the relevant portions of the output.log when it does crash.
Code:
Write to location 00000000 caused an access violation.
Context:
RDI: 0x00000000 RSI: 0x00000000 RAX: 0xecd90000
RBX: 0x00000000 RCX: 0x00000000 RDX: 0xecd90000
RIP: 0xecd90001 RBP: 0x00000000 SegCs: 0x00000033
EFlags: 0x00010246 RSP: 0x4c8ff940 SegSs: 0x0000002b
R8: 0x00000000 R9: 0xecd90000 R10: 0x00000000
R11: 0x00000000 R12: 0x00000000 R13: 0x00000000
R14: 0x00000000 R15: 0x00000000
(end of quote)

My guess is that you are in the loop: there is no loop code (or a jump back) in the ASM. So I'm betting RCX needs to be a pointer to the "BlockMetadata value" in the "BKNNIAIEKGI.LPEHBPMCDHN.Values" array, and that you're in the "this.TryUnlockBlockType(value, false)" code.
Try going back some more to see if you can find the loop code for the "foreach". It looks like it should be one more RET back, and it will just calculate the pointer for "value" and CALL the "this.TryUnlockBlockType(value, false)" code. And I think you will need to go back even further to get to the "UnlockAllBlocks()" code.
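A crash-triage helper, added here as an example and not code from the thread or from Cheat Engine: it parses a listing in the format shown above plus the Unity "Context:" dump, computes each memory operand's address under the dumped register values, and lists the operands that fall in the null page or wrap below zero, along with any argument registers that are zero. The function names are my own, and the sample embedded in it is a constructed excerpt of the listing and log above.

```python
import re
# Constructed sample, shaped like the thread's listing ("address - mnemonic operands { note }") and Unity's crash dump.
LISTING = """\
1F9F487BA90 - push rbp
1F9F487BA91 - mov rbp,rsp
1F9F487BA98 - mov [rbp-10],rsi
1F9F487BAA0 - mov rsi,rcx
1F9F487BAA5 - mov [rbp-40],rax
1F9F487BAC1 - cmp dword ptr [rax],00 { 0 }
"""
CONTEXT = """\
Write to location 00000000 caused an access violation.
Context:
RDI: 0x00000000 RSI: 0x00000000 RAX: 0xecd90000
RBX: 0x00000000 RCX: 0x00000000 RDX: 0xecd90000
RIP: 0xecd90001 RBP: 0x00000000 SegCs: 0x00000033
R8: 0x00000000 R9: 0xecd90000 R10: 0x00000000
"""
MASK64 = (1 << 64) - 1
ARG_REGS = ("rcx", "rdx", "r8", "r9")  # Windows x64: the first four integer/pointer arguments

def parse_context(text):
    """Register dump -> {'rax': int, ...}; register names are lowercased."""
    return {n.lower(): int(v, 16) for n, v in re.findall(r"(\w+): 0x([0-9a-fA-F]+)", text)}

def parse_listing(text):
    """Listing -> [(address, mnemonic, operands)], with the { ... } annotation dropped."""
    out = []
    for line in text.splitlines():
        m = re.match(r"([0-9A-Fa-f]+) - (\S+)\s*(.*?)\s*(?:\{.*\})?$", line)
        if m:
            out.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return out

def effective_address(expr, regs):
    """'rbp-10' style operand text -> 64-bit address under the dumped register values."""
    m = re.fullmatch(r"([a-z0-9]+)(?:([+-])([0-9A-Fa-f]+))?", expr)
    base = regs.get(m.group(1), 0)
    off = int(m.group(3), 16) if m.group(3) else 0
    return (base - off if m.group(2) == "-" else base + off) & MASK64

def suspicious_accesses(listing, regs, null_page=0x10000):
    """Memory operands that land in the null page or wrap below zero under this register state."""
    eas = [(a, f"{m} {o}", effective_address(e, regs)) for a, m, o in listing
           for e in re.findall(r"\[([^\]]+)\]", o)]
    return [h for h in eas if h[2] < null_page or h[2] > MASK64 - null_page]

def zero_argument_registers(regs):
    """Argument registers holding 0; a zero rcx means an instance method received no 'this'."""
    return [r for r in ARG_REGS if regs.get(r) == 0]
```

Under the dumped state (RBP and RCX both 0) every [rbp-xx] store wraps below zero and rcx carries no this pointer, which is what the replies above point at. Note that the dump shows only the low 32 bits of each register, so addresses it reports are truncated.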
Dark Byte (Site Admin, Reputation: 458, Joined: 09 May 2003, Posts: 25288, Location: The Netherlands)
Posted: Sun Mar 04, 2018 1:32 am
You will likely need to pass an instance of the class UnlockAllBlocks belongs to,
and since it's Mono you will have to attach the thread to the Mono system (it sets up the thread vars).
(Also, look into mono_invoke_method.)
http://forum.cheatengine.org/viewtopic.php?p=5729400
Kronogenics (Advanced Cheater, Reputation: 0, Joined: 01 Dec 2016, Posts: 82)
Posted: Sun Mar 04, 2018 5:38 pm
I have tried the invoke method, but, for whatever reason, as soon as I try to invoke the method the mono pipe dies. I can look at the class functions, but I can't look at the offsets of types etc.; it just kills the mono pipe.
Dark Byte (Site Admin, Reputation: 458, Joined: 09 May 2003, Posts: 25288, Location: The Netherlands)
Posted: Mon Mar 05, 2018 1:43 am
The mono pipe dies when the invoke caused an exception, usually meaning the parameter is wrong.
If there are multiple instances, try picking a different one.
(Also, you should be able to reconnect the pipe.)
Kronogenics (Advanced Cheater, Reputation: 0, Joined: 01 Dec 2016, Posts: 82)
Posted: Mon Mar 05, 2018 6:02 am
No, I mean literally as soon as I click the invoke method button, the mono pipe dies. It doesn't pop up the parameter input box. If it helps to know: the game is obfuscated; you can tell because most of the Mono names are just garbage letters and you can't figure out which is which.
Hence the use of ILSpy.
Kronogenics (Advanced Cheater, Reputation: 0, Joined: 01 Dec 2016, Posts: 82)
Posted: Thu Mar 08, 2018 7:56 am
Any idea why that is? It's not that I'm entering the wrong parameter; it's literally that the instant I click on invoke method (before the window pops up) the pipe dies.
Dark Byte (Site Admin, Reputation: 458, Joined: 09 May 2003, Posts: 25288, Location: The Netherlands)
Posted: Thu Mar 08, 2018 1:49 pm
No idea; try finding out in which line of mono.lua it goes wrong.
You just need an instance of this object when you call it (and have the thread attached to the Mono system).