Cheat Engine

[nvz]

Hi all, sorry for this long post but i was looking for informations about lua hacking, if i'm not
wrong many users here have done it in many games.

In the last month i tried to learn as much as possible, making some tests on Don't Starve game.
I also created my own "game" in Visual Studio with Luajit and hacked it, so i could see
how lua works. Most of my info was from a page that explains the Lua bytecode:
wiki.luajit.org/Bytecode-2.0

in my game the Lua dll is embedded, but i found the gettop, pcall, and loadstring functions,
and they work correctly, altough if i try to call some game functions the game crashes. But if i use
"generic" functions like "print the date" or "print the system time" it works well.
This is probably because i dont know how to get the Lua state and the
"universe" used by Lua (that is usually called "_G" if i am not wrong). So i can access only
the global variables.
The game loads its lua files from a datafile, anyway i was able to extract the Lua files (in bytecode) and decompile
them with the LuaJit Decompiler (luajit-decomp-master is the name of the file i am using). So i have
a lot of infos of what the scripts do. It would be great if i could replace the files inside the datafile,
so i could use my own scripts, but i have not tried yet.

Anyway i was able to create some hack for the game changing the bytecode at runtime (modifyng
the Double type values, or changing some conditional statements, for example from
"check if value is false" to "check if is true".

So i wanted to ask some suggestions on what to do now:
i wanted to get some Lua game like Dragone Age inquisition and learn from other people hacking.
Do you think it will be useful?

Or maybe i should try to learn how to load my own scripts and change the game variables?
I have also many other questions, but for now it would be great if you can suggest "what to do now".

[atom0s]

[nvz]

ty atomos ^^ ok here is what i tried:
in the game i am hacking this gettop and loadstring code is the same of the one in Don't Starve, instead the pcall is different but i found it:
.exe+1CD890 - 8B 44 24 04 - mov eax,[esp+04]
.exe+1CD894 - 8B 4C 24 10 - mov ecx,[esp+10]
.exe+1CD898 - 53 - push ebx
.exe+1CD899 - 56 - push esi
.exe+1CD89A - 8B 70 08 - mov esi,[eax+08]
.exe+1CD89D - 8A 9E 89000000 - mov bl,[esi+00000089]
.exe+1CD8A3 - 80 E3 F0 - and bl,-10 { 240 }
.exe+1CD8A6 - 85 C9 - test ecx,ecx
.exe+1CD8A8 - 74 1C - je .exe+1CD8C6
.exe+1CD8AA - 7E 11 - jle .exe+1CD8BD

in the dontstarve cheat table posted on this forum the pcall is called with
this:

24A60025 - 8B 4C 24 04 - mov ecx,[esp+04]
24A60029 - 6A 00 - push 00 { 0 }
24A6002B - 6A FF - push -01 { 255 }
24A6002D - 6A 00 - push 00 { 0 }
24A6002F - 51 - push ecx
24A60030 - E8 5BD882DC - call .exe+1CD890

so i used loadstring to load a simple script (a=5) and it worked correctly,
it created a Double type in memory that holds 5.00. Then this memory
is not used until i change it with for example a=6, and it correctly writes
6.00 in the same address, so i am sure that's the real address in memory
of the "a" variable. Do you think then that the Lua State is stored in ecx,
after the code mov ecx,[esp+04] ? When pcall is used, that address
stored in ecx is always the same, and is near the memory area that the
Lua scripts use. Anyway i think i'm still working with the "global table",
not sure yet how to get the "private" table. I'll update the post later when i try other things.

[atom0s]

lua_pcall is defined as:

[nvz]

so that's what these argoments do, very useful. So i think i am already
accessing the correct Lua State, the only problem is that everything in the
game is used in "class", "metamethod" etc. and I am not yet sure on how
to call them. For example, i know there are variable called "Velocity" or
"Strength" but if i use them i get error "trying the call a nil value". Probably
because they belong to some object/class.
Two questions: is there a way to "spy" the tables and see what values
they hold? I am trying to use a code found somewhere, that use:

for n,v in pairs(_G) do etc. etc.

but i'm not sure is working. Also, is there a way to get the "print" output
somewhere, right now i have to search inside the memory to read the output when i use the function. In a console application it would be automatic.
Sorry for the noob questions ^^

[atom0s]

If you have the state pointer you can override Lua's print function entirely via lua_register(...). Just redirect it to the output method of your choice, such as debug strings (OutputDebugString) and use a tool like DbgView to watch the messages.

For me, I allow prints to be a multiple argument call, I also convert everything to a string by force to ensure it can be printed directly.