Bavarian Cheater Reputation: 0
Joined: 28 Feb 2018 Posts: 30
Posted: Thu Dec 27, 2018 6:48 pm Post subject: force CE main form update and wait until it is done
My pseudo/shortened code looks as follows. I inject code into an exe; whenever the code is triggered it updates the symbol "pointer", and based on this symbol I have memrecs with 7 levels of offsets. I would like to grab the actual pointer.value from Lua and failed doing this.
The code works perfectly; the issue is that the Lua script grabs the previous value of pointer rather than the one which AA just updated. How to force update propagation? I avoid passing the updated pointer via parameters, because the memrec uses 7 levels of offsets which I do not want to hardcode into AA.
Any pieces of advice are appreciated. Thanks.
Looking for something like SendMessage instead of PostMessage.
Code:
[ENABLE]
{$lua}
function func()
  local al = AddressList.getMemoryRecordByDescription("my pointer")
  getMainForm().update()
  print(al.Value) --<<<<<< gets old value
end
{$asm}
registersymbol(pointer)
newmem:
call CELUA_GetFunctionReferenceFromName //calls lua func()
jmp return
INJECT:
mov [pointer], rcx
call newmem
return:
ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
Posted: Thu Dec 27, 2018 10:44 pm Post subject:
Providing correct code is nice. That code doesn't show much.
This situation shouldn't happen because the Value property is read by calling ReadProcessMemory. It's accessing the actual value in that process at that time.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The netherlands
Posted: Fri Dec 28, 2018 2:03 am Post subject:
Perhaps al.reinterpret()
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping
Bavarian Cheater Reputation: 0
Joined: 28 Feb 2018 Posts: 30
Posted: Fri Dec 28, 2018 5:36 am Post subject:
reinterpret() did not help.
Adding a full-scale short version, attached.
I updated the code to work with the x64 tutorial on step 6; step 6 allows you to change the pointer.
However, I can't reproduce the issue on the tutorial. The only difference between my table and the tutorial one is that my table is huge and I read 4 derived items. My assumption: while the CE UI is being updated, the Lua call is too fast and grabs the old value.
In a nutshell:
- game triggers injected code
- injected code updates symbol "pointer" and calls lua func
- standard CE table displays "pointer" under memrec with name "my pointer"
- lua func grabs memrec.Value
Visually I see that the UI gets updated with correct values.
Maybe I could run my Lua code in a thread and pause it for 1-2 secs before accessing the memrec.
Code:
[ENABLE]
{$lua}
function main()
local mr = AddressList.getMemoryRecordByDescription('my pointer');
print(mr.Value) -- <<<prints old value if CE form is large
end
{$asm}
aobscanmodule(INJECT,Tutorial-x86_64.exe,8B 45 E0 89 02 48)
alloc(newmem,$1000,"Tutorial-x86_64.exe"+2CAE9)
registersymbol(pointer)
registersymbol(INJECT)
label(return)
label(call_lua_proc)
loadlibrary(luaclient-x86_64.dll)
luacall(openLuaServer('CELUASERVER'))
CELUA_ServerName:
db 'CELUASERVER',0
newmem:
//code
mov eax,[rbp-20]
mov [rdx],eax
//inject
mov [pointer], rdx
sub rsp, 8
call call_lua_proc
add rsp, 8
jmp return
///////////////
call_lua_proc:
///////////////
sub rsp,60
mov [rsp+20],rax
mov [rsp+28],rcx
mov [rsp+30],rdx
mov [rsp+38],r8
mov [rsp+40],r9
mov [rsp+48],r10
mov [rsp+50],r11
//mov [rsp+58],xx //16 bytes alignment
mov ecx,[funcid]
test ecx,ecx
jne short hasrefid
//no reference yet
mov rcx,funcname
call CELUA_GetFunctionReferenceFromName //Basically calls createRef(functionname) and returns the value
mov [funcid],eax
mov ecx,eax
hasrefid: //here ecx contains the referenceid
mov edx,#0 //numofparams
mov r8,0 //params
mov r9,0 //0=no async, 1=async.
call CELUA_ExecuteFunctionByReference
//restoring the possibly changed registers
mov rax,[rsp+20]
mov rcx,[rsp+28]
mov rdx,[rsp+30]
mov r8, [rsp+38]
mov r9, [rsp+40]
mov r10,[rsp+48]
mov r11,[rsp+50]
//mov xx,[rsp+58]
add rsp,60 //free stackspace
ret
pointer:
dq baadf00d
funcid:
dd 0
funcname:
db 'main',0
INJECT:
jmp newmem
return:
[DISABLE]
INJECT:
db 8B 45 E0 89 02
unregistersymbol(pointer)
unregistersymbol(INJECT)
dealloc(newmem)
Code:
<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
<CheatEntries>
<CheatEntry>
<ID>23976</ID>
<Description>"my pointer"</Description>
<ShowAsHex>1</ShowAsHex>
<VariableType>8 Bytes</VariableType>
<Address>pointer</Address>
</CheatEntry>
</CheatEntries>
</CheatTable>
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The netherlands
Posted: Fri Dec 28, 2018 6:18 am Post subject:
Reading out mr.Value calls ReadProcessMemory directly; it doesn't cache or touch the GUI at all.
mr.reinterpret() should have worked.
Bavarian Cheater Reputation: 0
Joined: 28 Feb 2018 Posts: 30
Posted: Fri Dec 28, 2018 9:08 am Post subject:
I added this code to verify the assumption about the slow UI update.
The code started reading new values.
Code:
function main()
  -- main2 is the earlier function that reads the memrec; run it on a
  -- separate thread after a 2 second delay so the table has time to refresh
  createThread(
    function(Thread)
      sleep(2000); main2();
    end
  );
end
reinterpret() still does not refresh pointer.
Can it be related to nesting depth? I'm reading from a second-depth child with relative addressing.
Code:
<CheatEntry>
<ID>23976</ID>
<Description>"Parent"</Description>
<Options moAllowManualCollapseAndExpand="1"/>
<ShowAsHex>1</ShowAsHex>
<VariableType>8 Bytes</VariableType>
<Address>pointer</Address>
<Offsets>
<Offset>+8</Offset>
</Offsets>
<CheatEntries>
<CheatEntry>
<ID>23984</ID>
<Description>"child"</Description>
<Options moAllowManualCollapseAndExpand="1"/>
<ShowAsHex>1</ShowAsHex>
<VariableType>8 Bytes</VariableType>
<Address>+0</Address>
<Offsets>
<Offset>+80</Offset>
<Offset>+20</Offset>
</Offsets>
</CheatEntry>
</CheatEntries>
</CheatEntry>
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The netherlands
Posted: Fri Dec 28, 2018 9:32 am Post subject:
In your Lua function call readPointer("pointer") and print out that result; see if it shows something useful.
Bavarian Cheater Reputation: 0
Joined: 28 Feb 2018 Posts: 30
Posted: Fri Dec 28, 2018 9:50 am Post subject:
readPointer("pointer") prints the actual pointer's value.
What I also just tried: I cloned the problem memrecs and replaced all clones with absolute addressing.
Now all new memrecs with absolute addressing do work as expected and provide actual values, while the old memrecs, which are configured with relative addressing, still do not work and provide updated values only after a delay of ~1-2 secs.
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The netherlands
Posted: Fri Dec 28, 2018 10:19 am Post subject:
Check out memrec.getCurrentAddress()
and try
Code:
local mrx=AddressList.getMemoryRecordByDescription('bla')
while (mrx~=nil) do
  mrx.reinterpret()
  mrx=mrx.Parent
end
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
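Putting the two suggestions in this post together, as an added example that is not code from the thread or from Cheat Engine itself: a Lua function for the {$lua} section that walks from the record up to the root calling reinterpret() on each level, then reads the value and cross-checks the record's resolved address (getCurrentAddress()) against readPointer("pointer"). It assumes the table layout posted earlier ("Parent" at the registered symbol pointer, with a relative-addressed child record "child"); refreshChain and readFresh are hypothetical helper names.

```lua
-- Added example, not code from the thread: refresh a nested memrec and all of
-- its ancestors before reading it from the Lua function the injected code calls.
-- Assumes the posted table layout: record "Parent" at the registered symbol
-- "pointer", with a relative-addressed child record "child".
-- refreshChain and readFresh are hypothetical helper names.

-- Call reinterpret() on the record and every ancestor up to the root so that
-- relative (child) addresses are recomputed from the parent's current base.
-- Returns the number of levels touched.
local function refreshChain(mr)
  local levels = 0
  local cur = mr
  while cur ~= nil do
    cur.reinterpret()
    levels = levels + 1
    cur = cur.Parent
  end
  return levels
end

-- Look a record up by description, refresh its chain, and return its value
-- together with the address it resolved to and the raw value of the "pointer"
-- symbol, so the three can be compared. Returns nil, err if not found.
local function readFresh(description)
  local mr = AddressList.getMemoryRecordByDescription(description)
  if mr == nil then
    return nil, ("no memrec with description %q"):format(description)
  end
  local levels = refreshChain(mr)
  return {
    value   = mr.Value,                 -- read via ReadProcessMemory
    address = mr.getCurrentAddress(),   -- address after re-resolving offsets
    base    = readPointer("pointer"),   -- what the AA script just stored
    levels  = levels,
  }
end

-- Entry point referenced by funcname in the AA script and invoked through
-- CELUA_ExecuteFunctionByReference each time the injected code runs.
function main()
  local r, err = readFresh("child")
  if r == nil then
    print(err)
    return
  end
  print(string.format("pointer=%X resolved=%X levels=%d value=%s",
        r.base or 0, r.address or 0, r.levels, tostring(r.value)))
  if r.address == nil or r.address == 0 then
    print("child did not resolve; check the Parent record's offsets")
  end
end
```

Called as main from the injected code's call_lua_proc, it prints the symbol's value, the address the child record resolved to, and the child's value each time the hook fires. If the resolved address moves in step with pointer on the very first call, the stale reads described above were a matter of un-reinterpreted ancestors, and the 2-second thread delay is no longer needed.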
Bavarian Cheater Reputation: 0
Joined: 28 Feb 2018 Posts: 30
Posted: Fri Dec 28, 2018 12:17 pm Post subject:
Grand merci, now it works!!!
It is worth adding a description in celua.txt; right now the section for this API is void.
I got the idea: reinterpret() did not have an effect on children with relative pointers and did the real job on records where there were symbol(s) with absolute pointers.
Thank you, DB