CELUA_ExecuteFunctionByReference crashes the game

 
BakeACake
Posted: Wed Dec 26, 2018 5:58 am    Post subject: CELUA_ExecuteFunctionByReference crashes the game

I have this code to call a lua function from asm:
Code:


{$lua}
function myfunction(h)
  return 14
end
{$asm}

loadlibrary(luaclient-x86_64.dll)
luacall(openLuaServer('CELUASERVER'))

CELUA_ServerName:
db 'CELUASERVER',0

alloc(functionidRot,4)
alloc(functionnameRot,16)

functionidRot:
dd 0

functionnameRot:
db 'myfunction',0

[ENABLE]
alloc(newmemRot, 2048, "metro.exe"+24108F)
registersymbol(newmemRot)

alloc(newmemPos, 2048, "metro.exe"+89E02F)
registersymbol(newmemPos)

globalalloc(v_debug, 32)
v_debug:
dd 8

newmemRot:
movss [rcx+00000650],xmm1 { up down }
movss [rcx+00000654],xmm2 { left right }
sub rsp,60 // 0x60 bytes: saved registers at [rsp+20..rsp+50], parameter list at [rsp+58]

// preserve the volatile registers the original code still expects
mov [rsp+20],rcx
mov [rsp+28],rdx
mov [rsp+30],r8
mov [rsp+38],r9
mov [rsp+40],r10
mov [rsp+48],r11
mov [rsp+50],rax

//[rsp+58]=paramlist

// look the Lua function reference up once and cache it in functionidRot
mov ecx,[functionidRot]
test ecx,ecx
jne short hasrefidRot

mov rcx, functionnameRot
call CELUA_GetFunctionReferenceFromName
mov [functionidRot],eax
mov ecx,eax

hasrefidRot:
mov edx,1          // one parameter
lea r8,[rsp+58]    // r8 -> parameter list
mov eax, B
mov [r8],rax       // the single parameter value (0xB)

mov r9, 1
call CELUA_ExecuteFunctionByReference

mov dword ptr [v_debug], eax // keep the return value where it can be inspected

// restore the saved registers and continue in the original code
mov rcx,[rsp+20]
mov rdx,[rsp+28]
mov r8,[rsp+30]
mov r9,[rsp+38]
mov r10,[rsp+40]
mov r11,[rsp+48]
mov rax,[rsp+50]
add rsp,60
jmp metro.exe+24109F

metro.exe+24108F:
jmp newmemRot
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop

[DISABLE]
dealloc(newmemRot)
dealloc(newmemPos)
dealloc(functionidRot)
dealloc(functionnameRot)
dealloc(v_debug)

unregistersymbol(newmemRot)
unregistersymbol(newmemPos)

metro.exe+24108F:
db F3 0F 11 89 50 06 00 00 F3 0F 11 91 54 06 00 00

metro.exe+89E02F:
db 89 87 E8 00 00 00 41 8B 47 0C 89 87 EC 00 00 00 41 8B 47 10 C7 47 08 01 00 00 00 89 87 F0 00 00 00



So the game crashes when calling CELUA_ExecuteFunctionByReference.
But it does execute the lua script.

If you write showMessage("sample") in the lua function, it will be executed and freeze the game instead of crashing it.

Does anyone know why this happens?

Dark Byte (Site Admin)
Posted: Wed Dec 26, 2018 6:50 am

Is v_debug changed?

if you remove the call and replace it with:
Code:

mov [rsp],0
mov [rsp+8],0
mov [rsp+10],0
mov [rsp+18],0

Does it still crash?

Is the stack aligned or unaligned at the position of your hook?

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
BakeACake
Posted: Wed Dec 26, 2018 7:30 am

Dark Byte wrote:
Is v_debug changed?

if you remove the call and replace it with:
Code:

mov [rsp],0
mov [rsp+8],0
mov [rsp+10],0
mov [rsp+18],0

Does it still crash?

Is the stack aligned or unaligned at the position of your hook?


1. The default value of 0x08 in v_debug does not change in the entire process.
I traced it in the debugger and tried to check whether eax changes to the return value in the CELUA_ExecuteFunctionByReference call.
It crashes somewhere during the execution of the call.

2. It does not crash with your code.

3. I'm not very familiar with what a 16-bit aligned address is, so I just thought that reserving 16 bytes in rsp would put me on a safe path.

My previous attempt also didn't work with my game process:

Edit: (it also crashed in the call)

Code:

[ENABLE]
{$lua}
function printStringFromAddr(a, b)
  return math.abs(-100)
end
{$asm}

loadlibrary(luaclient-x86_64.dll)
luacall(openLuaServer('CELUASERVER'))
CELUA_ServerName:
db 'CELUASERVER',0

globalalloc(newmemRot,2048)
globalalloc(newmemPos,2048)
globalalloc(funcName,256)
globalalloc(paramList,64)
globalalloc(addresswithluafunctionidstored, 32)
globalalloc(v_debug, 32)

v_debug:
db 8

newmemRot:
movss [rcx+00000650],xmm1
movss [rcx+00000654],xmm2

push eax
mov eax,[addresswithluafunctionidstored]
test eax,eax

jne short hasrefid

push funcName
call CELUA_GetFunctionReferenceFromName
mov [addresswithluafunctionidstored],eax
hasrefid:

/////////relevant part/////////
mov [paramList],4
mov [paramList+4],3
push 0
push paramList
push 2
push eax
call CELUA_ExecuteFunctionByReference
mov [v_debug], eax
pop eax
jmp metro.exe+24109F
///////////////////////////////

newmemPos:
mov [rdi+000000E8],eax
mov eax,[r15+0C]
mov [rdi+000000EC],eax
mov eax,[r15+10]
mov [rdi+08],00000001
mov [rdi+000000F0],eax
jmp metro.exe+89E050

funcName:
  db 'printStringFromAddr',0

paramList:
  dd 9

metro.exe+24108F:
jmp newmemRot
nop
nop


metro.exe+89E02F:
jmp newmemPos
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop


[DISABLE]
metro.exe+24108F:
db F3 0F 11 89 50 06 00 00 F3 0F 11 91 54 06 00 00

metro.exe+89E02F:
db 89 87 E8 00 00 00 41 8B 47 0C 89 87 EC 00 00 00 41 8B 47 10 C7 47 08 01 00 00 00 89 87 F0 00 00 00

dealloc(v_debug)
unregistersymbol(v_debug)

dealloc(newmemRot)
dealloc(newmemPos)
dealloc(funcName)
dealloc(paramList)
dealloc(addresswithluafunctionidstored)


But it all worked fine when only used with createthread(newmem) while it wasn't really attached to the game.

Thank you for your fast answer by the way.

Dark Byte (Site Admin)
Posted: Wed Dec 26, 2018 7:59 am

If it's at the function start, chances are that the stack hasn't been aligned yet (usually there's a sub rsp,xxx8 along the line that does that).

If you call Windows APIs with an unaligned stack, it will behave unexpectedly.

BakeACake
Posted: Wed Dec 26, 2018 8:33 am

Dark Byte wrote:
If it's at the function start, chances are that the stack hasn't been aligned yet (usually there's a sub rsp,xxx8 along the line that does that).

If you call Windows APIs with an unaligned stack, it will behave unexpectedly.



Thank you!

You were right, it works when taking 8 bytes from the stack pointer before calling the function:

Code:

//...
sub rsp,8
call CELUA_ExecuteFunctionByReference

mov dword ptr [v_debug], eax
add rsp, 8
//...
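A small stack-alignment checker, added here as an example and not code from the thread or from Cheat Engine: it walks a hook's instructions tracking rsp modulo 16 (Dark Byte's point that the stack is not yet aligned at a function start), flags every call made with a misaligned stack, and applies the sub rsp,8 / add rsp,8 fix from the last post around a named call. The sample hook is constructed from the first post's script, trimmed to the lines that move rsp or call out; the 16-byte Windows x64 call-site alignment rule and the assumption that only sub/add rsp, push and pop move rsp are mine.

```python
STACK_ALIGN = 16

def rsp_trace(lines, entry_mod16=8):
    """Return [(instruction, rsp % 16 before it runs)] for an auto-assembler hook.
    entry_mod16=8 models a hook at a function's first instructions: the caller's
    'call' pushed an 8-byte return address onto an aligned stack and no prologue has
    re-aligned rsp yet (Dark Byte's point). Assumes only sub/add rsp, push and pop
    move rsp; Cheat Engine reads bare numbers as hex and '#'-prefixed ones as decimal.
    """
    rsp, trace = entry_mod16 % STACK_ALIGN, []
    for raw in lines:
        text = raw.split('//')[0].split('{')[0].strip()  # drop // and { } comments
        if not text or text.endswith(':') or text.startswith('['):
            continue  # blank line, label, or [ENABLE]/[DISABLE] marker
        op, _, args = text.partition(' ')
        op, args = op.lower(), args.replace(' ', '').lower()
        trace.append((text, rsp))
        if op in ('sub', 'add') and args.startswith('rsp,'):
            imm = args.split(',', 1)[1]
            delta = int(imm.lstrip('#'), 10 if imm.startswith('#') else 16)
            rsp = (rsp - delta if op == 'sub' else rsp + delta) % STACK_ALIGN
        elif op in ('push', 'pop'):
            rsp = (rsp - 8 if op == 'push' else rsp + 8) % STACK_ALIGN
        # 'call' is net zero for the caller: the callee's 'ret' pops the return address
    return trace

def misaligned_calls(lines, entry_mod16=8):
    """Calls made with rsp % 16 != 0; the callee then sees rsp % 16 != 8 and may fault."""
    return [ins for ins, mod in rsp_trace(lines, entry_mod16)
            if ins.lower().startswith('call ') and mod != 0]

def wrap_call(lines, callee, nbytes=8):
    """The last post's fix: 'sub rsp,8' before the named call and 'add rsp,8' after it."""
    out = []
    for ins in lines:
        if ins.strip().lower() == f"call {callee}".lower():
            out += [f"sub rsp,{nbytes:x}", ins, f"add rsp,{nbytes:x}"]
        else:
            out.append(ins)
    return out

# Constructed sample: the first post's hook trimmed to the lines that move rsp or call out.
HOOK_AS_POSTED = """newmemRot:
movss [rcx+00000650],xmm1 { up down }
sub rsp,60
call CELUA_GetFunctionReferenceFromName
call CELUA_ExecuteFunctionByReference
add rsp,60
jmp metro.exe+24109F""".splitlines()
HOOK_FIXED = wrap_call(HOOK_AS_POSTED, "CELUA_ExecuteFunctionByReference")
```

On the sample as posted the checker flags both calls (sub rsp,60 is a multiple of 16, so it leaves the entry misalignment untouched); with the fix wrapped around CELUA_ExecuteFunctionByReference only, the earlier CELUA_GetFunctionReferenceFromName call is still made at the old alignment, which is worth checking if the elided lines in the last post leave it as it was.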