fakuivan Newbie cheater
Posted: Thu Feb 07, 2019 2:21 am Post subject: Hook empty printf function so that it prints to cheat engine |
I'm modding a game that has had its console GUI stripped out. I was able to track the printf function down to this piece of assembly:
.text:00007FF7703A7E70 ; =============== S U B R O U T I N E =======================================
.text:00007FF7703A7E70 ; Shipping build: printf reduced to a stub (details in the comments below).
.text:00007FF7703A7E70
.text:00007FF7703A7E70 ; int printf(const char *Format, ...)
.text:00007FF7703A7E70 printf proc near ; CODE XREF: sub_7FF7703527C0+4C↑p
.text:00007FF7703A7E70 ; sub_7FF770352820+642↑p ...
.text:00007FF7703A7E70 ; Only the 2nd..4th register args are spilled to their home slots; rcx (Format) is never stored.
.text:00007FF7703A7E70 arg_8 = qword ptr 10h
.text:00007FF7703A7E70 arg_10 = qword ptr 18h
.text:00007FF7703A7E70 arg_18 = qword ptr 20h
.text:00007FF7703A7E70 ; No frame, no call, and eax is never written: the int result is whatever rax already held.
.text:00007FF7703A7E70 mov [rsp+arg_8], rdx ; 2nd arg -> [rsp+10h]
.text:00007FF7703A7E75 mov [rsp+arg_10], r8 ; 3rd arg -> [rsp+18h]
.text:00007FF7703A7E7A mov [rsp+arg_18], r9 ; 4th arg -> [rsp+20h]
.text:00007FF7703A7E7F retn ; nothing is formatted or printed
.text:00007FF7703A7E7F printf endp
.text:00007FF7703A7E7F
.text:00007FF7703A7E80
.text:00007FF7703A7E80 ; =============== S U B R O U T I N E =======================================
I have this piece of code from a leaked development version of the game that does have a GUI for the console; it's the same function, but with the functionality intact:
.text:00007FF74ED267A0 ; int printf(char *fmt, ...)
.text:00007FF74ED267A0 printf proc near ; CODE XREF: sub_7FF74EA41980+401↑p
.text:00007FF74ED267A0 ; sub_7FF74EA41980+751↑p ...
.text:00007FF74ED267A0 ; Dev build: full varargs prologue. All four register args are spilled to their home slots, so [rsp+arg_8] onward is a va_list.
.text:00007FF74ED267A0 arg_0 = qword ptr 8
.text:00007FF74ED267A0 arg_8 = qword ptr 10h
.text:00007FF74ED267A0 arg_10 = qword ptr 18h
.text:00007FF74ED267A0 arg_18 = qword ptr 20h
.text:00007FF74ED267A0 ; sub rsp,28h = 20h shadow space + 8 to re-align (entry rsp is 16n+8). Result is whatever the callee leaves in eax.
.text:00007FF74ED267A0 mov [rsp+arg_0], rcx ; fmt -> [rsp+8] (the stripped build omits this store)
.text:00007FF74ED267A5 mov [rsp+arg_8], rdx ; 1st variadic arg -> [rsp+10h]
.text:00007FF74ED267AA mov [rsp+arg_10], r8
.text:00007FF74ED267AF mov [rsp+arg_18], r9
.text:00007FF74ED267B4 sub rsp, 28h
.text:00007FF74ED267B8 mov rdx, rcx ; arg2 = fmt
.text:00007FF74ED267BB lea r8, [rsp+28h+arg_8] ; arg3 = &first variadic slot (entry rsp+10h), i.e. the va_list
.text:00007FF74ED267C0 mov ecx, 2 ; arg1 = 2; its meaning is not recoverable from this listing
.text:00007FF74ED267C5 call sub_7FF74ED26F10 ; presumably the formatting/output routine - not shown here
.text:00007FF74ED267CA add rsp, 28h
.text:00007FF74ED267CE retn ; eax untouched since the call
.text:00007FF74ED267CE printf endp
This is how it looks in IDA's pseudocode:
/* IDA pseudocode of the dev-build printf: forwards fmt and the variadic
 * argument list to sub_7FF74ED26F10 with a constant first argument of 2. */
int printf(char *fmt, ...)
{
int result; // eax -- never assigned here; in the asm, eax is whatever sub_7FF74ED26F10 left in it at retn
va_list va; // [rsp+38h] [rbp+10h] -- the spilled register args in their home slots
va_start(va, fmt);
sub_7FF74ED26F10(2, fmt, (char **)va); // meaning of the constant 2 is not recoverable from this listing
return result;
}
Would it be possible to inject code into that function so that it prints to Cheat Engine as a kind of stdout? How would I go about doing such a thing?
Dark Byte Site Admin
Posted: Thu Feb 07, 2019 4:46 am Post subject: |
Use the CELUASERVER (the auto-assembler template "call lua function"), call a function in CE and pass it the stack pointer.
Then, in your Lua function, parse the stack and display the debug info.
(First push rcx, rdx, r8 and r9 before passing the stack pointer, and don't forget to undo those pushes afterwards.
Also, because you'll be at the function start, adjust the template's sub rsp,20 to sub rsp,28, as the stack hasn't been aligned yet.)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
fakuivan Newbie cheater
Posted: Sat Feb 09, 2019 10:39 pm Post subject: |
Thanks for the help with the sub 28 thing. I had to call vsnprintf from the assembly because Lua's ``string.format`` lacks the ability to read different data types from memory based on the format string.
This is the final script:
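{ Game : Dishonored2.exe
  Version:
  Date : 2019-02-07
  Author : fakui

  Hooks the shipping build's printf stub (it only spills rdx/r8/r9 to their
  home slots and returns) so that every call is formatted with the game's own
  vsnprintf into a scratch buffer, after which the formatted length is handed
  to a Lua function that prints the text in Cheat Engine's console.

  Requires: console_printf_function must already be a symbol pointing at the
  stub's first instruction (its bytes are verified by the assert below).
}
loadlibrary(luaclient-x86_64.dll)
luacall(openLuaServer('CELUASERVER'))
CELUA_ServerName:
db 'CELUASERVER',0
// Injection point: the 5-byte "mov [rsp+20],r9" at stub+A is replaced by a
// jmp and re-executed at "code" below before the hook body runs.
define(printf_end,console_printf_function+A)
[ENABLE]
{$lua}
-- Size of printf_output_buffer; keep in sync with the buffer_size define.
local PRINTF_BUFFER_SIZE = 0x1000

-- Called from the hook through CELUA_ExecuteFunction with parameter set to
-- vsnprintf's return value. Reads the formatted text from the scratch buffer
-- and prints it. Returns 0 (the hook discards the result).
function commandConsolePrintf(parameter)
  local length = parameter
  -- A negative result is a formatting error (and, depending on which MS CRT
  -- the game links, may also signal truncation); never read with it.
  if length < 0 then
    print("[Console] <printf: vsnprintf failed>")
    return 0
  end
  -- A result >= buffer size means the text was truncated: the buffer holds
  -- at most buffer_size-1 characters plus the terminator, so cap the read
  -- instead of trusting the would-be length.
  if length >= PRINTF_BUFFER_SIZE then
    length = PRINTF_BUFFER_SIZE - 1
  end
  local output = readString("printf_output_buffer", length)
  print(("[Console] %s"):format(output))
  return 0
end
{$asm}
assert(console_printf_function, 48 89 54 24 10 4C 89 44 24 18 4C 89 4C 24 20 C3)
aobscanmodule(vsnprintf,Dishonored2.exe,48 83 EC 38 4C 89 4C 24 20 45 33 C9 E8 07000000 48 83 C4 38 C3)
alloc(newmem,$1000,printf_end)
define(buffer_size,$1000)
// One shared scratch buffer: printf calls from different threads would
// interleave in it (no locking here).
alloc(printf_output_buffer,buffer_size)
label(code)
label(return_)
label(lua_printf_call)

newmem:
// The shipping stub never spills rcx; store it so fmt sits in its home slot
// and [rsp+10] onward (rdx/r8 stored by the stub, r9 by "code") is a va_list.
mov [rsp+8],rcx
// Preserve the volatile registers and flags. The caller already treats them
// as clobbered by the call, but this keeps the stub's observable behaviour
// (including whatever eax it "returned") unchanged.
pushfq
push rax
push rcx
push rdx
push r8
push r9
push r10
push r11
// Stack layout now (E = rsp at printf entry, which holds the return address):
//   rsp+00..38  saved r11,r10,r9,r8,rdx,rcx,rax,rflags
//   rsp+40      return address      (E)
//   rsp+48      fmt                 (E+8)
//   rsp+50      first variadic arg  (E+10) -> start of the va_list
// Both calls below follow the Microsoft x64 convention: the callee expects
// 20 bytes of shadow space and rsp 16-byte aligned. E%16 == 8 and the eight
// pushes keep it so; sub 28 (not 20) lands on a 16-byte boundary, which is
// why the "call lua function" template's sub rsp,20 becomes 28 at a
// function entry. The same frame covers both calls.
sub rsp,28
// vsnprintf(printf_output_buffer, buffer_size, fmt, va_list)
mov rcx,printf_output_buffer
mov rdx,buffer_size
mov r8,[rsp+70]       // fmt     (48 + 28)
lea r9,[rsp+78]       // va_list (50 + 28)
call vsnprintf
// Hand the int result to Lua. Sign-extend it so a negative (error) value
// arrives in Lua as a negative integer instead of a large unsigned one.
movsxd rdx,eax
mov rcx,lua_printf_call
call CELUA_ExecuteFunction
add rsp,28
pop r11
pop r10
pop r9
pop r8
pop rdx
pop rcx
pop rax
popfq
jmp return_

lua_printf_call:
db 'return commandConsolePrintf(parameter)',0

code:
mov [rsp+20],r9       // the instruction the jmp at printf_end replaced
jmp newmem

printf_end:
jmp code
return_:
registersymbol(printf_output_buffer)

[DISABLE]
{$lua}
commandConsolePrintf = nil
{$asm}
printf_end:
db 4C 89 4C 24 20     // restore the original mov [rsp+20],r9
dealloc(newmem)
dealloc(printf_output_buffer)
unregistersymbol(printf_output_buffer)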
{
// ORIGINAL CODE - INJECTION POINT: "Dishonored2.exe"+57E7A
"Dishonored2.exe"+57E63: 90 - nop
"Dishonored2.exe"+57E64: 48 8B C7 - mov rax,rdi
"Dishonored2.exe"+57E67: 48 83 C4 30 - add rsp,30
"Dishonored2.exe"+57E6B: 5F - pop rdi
"Dishonored2.exe"+57E6C: C3 - ret
"Dishonored2.exe"+57E6D: CC - int 3
"Dishonored2.exe"+57E6E: CC - int 3
"Dishonored2.exe"+57E6F: CC - int 3
"Dishonored2.exe"+57E70: 48 89 54 24 10 - mov [rsp+10],rdx
"Dishonored2.exe"+57E75: 4C 89 44 24 18 - mov [rsp+18],r8
// ---------- INJECTING HERE ----------
"Dishonored2.exe"+57E7A: 4C 89 4C 24 20 - mov [rsp+20],r9
// ---------- DONE INJECTING ----------
"Dishonored2.exe"+57E7F: C3 - ret
"Dishonored2.exe"+57E80: 48 89 5C 24 08 - mov [rsp+08],rbx
"Dishonored2.exe"+57E85: 57 - push rdi
"Dishonored2.exe"+57E86: 48 83 EC 20 - sub rsp,20
"Dishonored2.exe"+57E8A: 8B 51 0C - mov edx,[rcx+0C]
"Dishonored2.exe"+57E8D: 48 8B D9 - mov rbx,rcx
"Dishonored2.exe"+57E90: F6 C2 40 - test dl,40
"Dishonored2.exe"+57E93: 75 1E - jne Dishonored2.exe+57EB3
"Dishonored2.exe"+57E95: 48 8B 09 - mov rcx,[rcx]
"Dishonored2.exe"+57E98: 48 85 C9 - test rcx,rcx
}
{
// vsnprintf: "Dishonored2.exe"+137D350
"Dishonored2.exe"+137D339: 8D 41 9F - lea eax,[rcx-61]
"Dishonored2.exe"+137D33C: 83 F8 19 - cmp eax,19
"Dishonored2.exe"+137D33F: 77 03 - ja Dishonored2.exe+137D344
"Dishonored2.exe"+137D341: 83 C1 E0 - add ecx,-20
"Dishonored2.exe"+137D344: 8B C1 - mov eax,ecx
"Dishonored2.exe"+137D346: C3 - ret
"Dishonored2.exe"+137D347: 33 D2 - xor edx,edx
"Dishonored2.exe"+137D349: E9 92 FE FF FF - jmp Dishonored2.exe+137D1E0
"Dishonored2.exe"+137D34E: CC - int 3
"Dishonored2.exe"+137D34F: CC - int 3
// ---------- BEGIN PROCEDURE ----------
"Dishonored2.exe"+137D350: 48 83 EC 38 - sub rsp,38
"Dishonored2.exe"+137D354: 4C 89 4C 24 20 - mov [rsp+20],r9
"Dishonored2.exe"+137D359: 45 33 C9 - xor r9d,r9d
"Dishonored2.exe"+137D35C: E8 07 00 00 00 - call Dishonored2.exe+137D368
"Dishonored2.exe"+137D361: 48 83 C4 38 - add rsp,38
"Dishonored2.exe"+137D365: C3 - ret
// ---------- END PROCEDURE ----------
"Dishonored2.exe"+137D366: CC - int 3
"Dishonored2.exe"+137D367: CC - int 3
"Dishonored2.exe"+137D368: 48 8B C4 - mov rax,rsp
"Dishonored2.exe"+137D36B: 48 89 58 08 - mov [rax+08],rbx
"Dishonored2.exe"+137D36F: 48 89 68 10 - mov [rax+10],rbp
"Dishonored2.exe"+137D373: 48 89 70 18 - mov [rax+18],rsi
} |