Cheat Engine The Official Site of Cheat Engine
BakeACake (How do I cheat?)
Reputation: 0
Joined: 26 Dec 2018 Posts: 7
Posted: Mon Feb 03, 2020 4:37 am Post subject: CELUA_ExecuteFunctionByReference call crashes the game
I have had the same problem in the past, called "CELUA_ExecuteFunctionByReference crashes the game".
It was solved back then by aligning 8 bytes of stack space right before calling the function.
However, writing the following code the same way didn't work this time, and I have no idea why the execution fails yet again:
Code:
{$lua}
function toggleTurnFreezer(e)
return 4
end
{$asm}
loadlibrary(luaclient-x86_64.dll)
luacall(openLuaServer('CELUASERVER'))
CELUA_ServerName:
db 'CELUASERVER',0
[ENABLE]
aobscan(aobTurn, 44 88 0C 11 80 3D 4B 40 88 00 00 0F 85 36 05 00 00 8B 05 11 40 88 00 03 C3 3B 05 45 40 88 00 89 05 03 40 88 00)
registersymbol(aobTurn)
alloc(newmemTurn, 1024, "snes9x-x64.exe")
registersymbol(newmemTurn)
label(returnNewmemTurn)
alloc(funcNameId, 4)
registersymbol(funcNameId)
funcNameId:
dd 0
alloc(funcNameString, 16)
registersymbol(funcNameString)
funcNameString:
db 'toggleTurnFreezer', 0
alloc(paramPlaceholder, 8)
paramPlaceholder:
dd 0
alloc(result, 8)
registersymbol(result)
result:
dd 0
aobTurn-4:
jmp newmemTurn
nop
nop
nop
newmemTurn:
movzx ecx,r8w
mov [rcx+rdx],r9l
cmp ax, 7EB
jne returnNewmemTurn
cmp bx, 8
jne returnNewmemTurn
cmp cx, B038
jne returnNewmemTurn
cmp rsi, 0
jne returnNewmemTurn
cmp r8, 7EB038
jne returnNewmemTurn
cmp r10, B13C
jne returnNewmemTurn
//------------------
sub rsp,60
mov [rsp+20],rcx
mov [rsp+28],rdx
mov [rsp+30],r8
mov [rsp+38],r9
mov [rsp+40],r10
mov [rsp+48],r11
mov [rsp+50],rax
mov ecx, [funcNameId]
test ecx, ecx
jne short hasrefid
mov rcx, funcNameString
sub rsp, 8
call CELUA_GetFunctionReferenceFromName
add rsp, 8
mov [funcNameId], eax
mov ecx, eax
hasrefid:
mov edx, 1
lea r8, [rsp+58]
mov rax, paramPlaceholder
mov [r8], rax
mov r9, 1
sub rsp, 10
call CELUA_ExecuteFunctionByReference // crash happens
add rsp, 10
mov [result], eax
mov rcx,[rsp+20]
mov rdx,[rsp+28]
mov r8,[rsp+30]
mov r9,[rsp+38]
mov r10,[rsp+40]
mov r11,[rsp+48]
mov rax,[rsp+50]
add rsp,60
//------------------
mov [rcx+rdx], 1818181
returnNewmemTurn:
jmp aobTurn+4
[DISABLE]
aobTurn-4:
db 41 0F B7 C8 44 88 0C 11
dealloc(newmemTurn)
unregistersymbol(aobTurn)
unregistersymbol(newmemTurn)
dealloc(funcNameId)
unregistersymbol(funcNameId)
dealloc(funcNameString)
unregistersymbol(funcNameString)
dealloc(paramPlaceholder)
dealloc(result)
unregistersymbol(result)
I would be very thankful for any help and suggestions.
Thank you in advance!
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003 Posts: 25813 Location: The Netherlands
Posted: Mon Feb 03, 2020 6:10 am Post subject:
You are already in an aligned state, so your "sub rsp, 8" will unalign the stack, which may mess up the next call due to corrupted stack vars
(that sub rsp,10 is also not necessary, but shouldn't hurt)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
BakeACake (How do I cheat?)
Reputation: 0
Joined: 26 Dec 2018 Posts: 7
Posted: Mon Feb 03, 2020 6:40 am Post subject:
Dark Byte wrote:
    You are already in an aligned state, so your "sub rsp, 8" will unalign the stack, which may mess up the next call due to corrupted stack vars
    (that sub rsp,10 is also not necessary, but shouldn't hurt)
These are edits from previous attempts to determine why the game crashes.
I corrected it again the way you suggested, however it still leads me to a game crash.
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003 Posts: 25813 Location: The Netherlands
Posted: Mon Feb 03, 2020 6:45 am Post subject:
try simplifying your code
change rdx and r9 to 0 to rule out it's a parameter passing issue or async issue
commenting out "call CELUA_ExecuteFunctionByReference" works just fine?
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003 Posts: 25813 Location: The Netherlands
Posted: Mon Feb 03, 2020 6:55 am Post subject:
It fails because "toggleTurnFreezer" takes 18 bytes (17 + 1 for the 0 terminator) and you only allocate 16 bytes for it, so the next alloc will overwrite the last few bytes of the name,
which will make CELUA_GetFunctionReferenceFromName fail and return -1,
and if an async errors out it doesn't return.
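As an added example (not code from this thread or from Cheat Engine), a small Python checker for the two mistakes diagnosed above: a `db` string that needs more bytes than its `alloc` provides, and `sub rsp` adjustments that leave rsp misaligned at a `call`. It assumes CE's conventions that `alloc` sizes are decimal and assembler immediates are hex, and that rsp is 16-byte aligned at the hook entry; the script fragment is constructed from the first post.

```python
import re

# Constructed fragment reproducing the first post's allocations and stack handling.
SCRIPT = """
alloc(funcNameString, 16)
funcNameString:
db 'toggleTurnFreezer', 0
sub rsp,60
sub rsp, 8
call CELUA_GetFunctionReferenceFromName
add rsp, 8
sub rsp, 10
call CELUA_ExecuteFunctionByReference // crash happens
add rsp, 10
add rsp,60
"""

ALLOC = re.compile(r"^alloc\((\w+),\s*(\d+)")
LABEL = re.compile(r"^(\w+):$")
DB = re.compile(r"^db\s+(.*)$")
RSP = re.compile(r"^(sub|add)\s+rsp,\s*([0-9A-Fa-f]+)$")
CALL = re.compile(r"^call\s+(\w+)")

def db_size(operands):
    """Bytes emitted by a db line: a quoted string counts its characters, any other item one byte."""
    total = 0
    for item in re.findall(r"'[^']*'|[^,\s]+", operands):
        total += len(item) - 2 if item.startswith("'") else 1
    return total

def check_script(script):
    """Return (overflows, misaligned_calls): db data larger than its alloc, and calls with rsp not 16-aligned."""
    sizes, current, overflows, misaligned = {}, None, [], []
    rsp = 0   # rsp mod 16 relative to the hook entry, assumed 16-aligned there (as Dark Byte states)
    for raw in script.splitlines():
        line = raw.split("//")[0].strip()            # drop CE-style // comments
        if m := ALLOC.match(line):
            sizes[m.group(1)] = int(m.group(2))      # alloc sizes are decimal
        elif m := LABEL.match(line):
            current = m.group(1)
        elif m := DB.match(line):
            need = db_size(m.group(1))
            if current in sizes and need > sizes[current]:
                overflows.append((current, sizes[current], need))
        elif m := RSP.match(line):
            n = int(m.group(2), 16)                  # assembler immediates are hex
            rsp = (rsp + n if m.group(1) == "add" else rsp - n) % 16
        elif (m := CALL.match(line)) and rsp != 0:   # x64 ABI: rsp must be 16-aligned at a call
            misaligned.append(m.group(1))
    return overflows, misaligned
```

Running `check_script(SCRIPT)` reports the 16-byte allocation holding an 18-byte name and the misaligned first call; the `sub rsp,10` around the second call nets out to aligned, so only the `sub rsp, 8` is flagged.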
BakeACake (How do I cheat?)
Reputation: 0
Joined: 26 Dec 2018 Posts: 7
Posted: Mon Feb 03, 2020 1:03 pm Post subject:
Dark Byte wrote:
    It fails because "toggleTurnFreezer" takes 18 bytes (17 + 1 for the 0 terminator) and you only allocate 16 bytes for it, so the next alloc will overwrite the last few bytes of the name,
    which will make CELUA_GetFunctionReferenceFromName fail and return -1,
    and if an async errors out it doesn't return.
It stopped crashing with your suggestions!
However it does not call the function, it just doesn't crash.
I set async to 0 and allocated 2 more bytes from the stack pointer to reach the required 18 bytes for toggleTurnFreezer.
Thank you for your fast help so far, much appreciated!
My code looks like this now:
Code:
{$lua}
function toggleTurnFreezer(e)
showMessage('this msg does not appear')
return 4
end
{$asm}
loadlibrary(luaclient-x86_64.dll)
luacall(openLuaServer('CELUASERVER'))
CELUA_ServerName:
db 'CELUASERVER',0
[ENABLE]
aobscan(aobTurn, 44 88 0C 11 80 3D 4B 40 88 00 00 0F 85 36 05 00 00 8B 05 11 40 88 00 03 C3 3B 05 45 40 88 00 89 05 03 40 88 00)
registersymbol(aobTurn)
alloc(newmemTurn, 1024, "snes9x-x64.exe")
registersymbol(newmemTurn)
label(returnNewmemTurn)
alloc(funcNameId, 4)
registersymbol(funcNameId)
funcNameId:
dd 0
alloc(funcNameString, 16)
registersymbol(funcNameString)
funcNameString:
db 'toggleTurnFreezer', 0
alloc(paramPlaceholder, 8)
paramPlaceholder:
dd 0
alloc(result, 8)
registersymbol(result)
result:
dd 0
aobTurn-4:
jmp newmemTurn
nop
nop
nop
newmemTurn:
movzx ecx,r8w
mov [rcx+rdx],r9l
cmp ax, 7EB
jne returnNewmemTurn
cmp bx, 8
jne returnNewmemTurn
cmp cx, B038
jne returnNewmemTurn
cmp rsi, 0
jne returnNewmemTurn
cmp r8, 7EB038
jne returnNewmemTurn
cmp r10, B13C
jne returnNewmemTurn
//------------------
sub rsp,62
mov [rsp+20],rcx
mov [rsp+28],rdx
mov [rsp+30],r8
mov [rsp+38],r9
mov [rsp+40],r10
mov [rsp+48],r11
mov [rsp+50],rax
mov ecx, [funcNameId]
test ecx, ecx
jne short hasrefid
mov rcx, funcNameString
call CELUA_GetFunctionReferenceFromName
mov [funcNameId], eax
mov ecx, eax
hasrefid:
mov edx, 1
lea r8, [rsp+58]
mov rax, paramPlaceholder
mov [r8], rax
mov r9, 0
call CELUA_ExecuteFunctionByReference
mov [result], rax
mov rcx,[rsp+20]
mov rdx,[rsp+28]
mov r8,[rsp+30]
mov r9,[rsp+38]
mov r10,[rsp+40]
mov r11,[rsp+48]
mov rax,[rsp+50]
add rsp,62
//------------------
mov [rcx+rdx], 1818181
returnNewmemTurn:
jmp aobTurn+4
[DISABLE]
aobTurn-4:
db 41 0F B7 C8 44 88 0C 11
dealloc(newmemTurn)
unregistersymbol(aobTurn)
unregistersymbol(newmemTurn)
dealloc(funcNameId)
unregistersymbol(funcNameId)
dealloc(funcNameString)
unregistersymbol(funcNameString)
dealloc(paramPlaceholder)
dealloc(result)
unregistersymbol(result)
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003 Posts: 25813 Location: The Netherlands
Posted: Mon Feb 03, 2020 1:38 pm Post subject:
You need to adjust this
Code:
alloc(funcNameString, 16)
Not the stack
BakeACake (How do I cheat?)
Reputation: 0
Joined: 26 Dec 2018 Posts: 7
Posted: Mon Feb 03, 2020 2:35 pm Post subject:
Dark Byte wrote:
    You need to adjust this
    Code:
    alloc(funcNameString, 16)
    Not the stack
Oh, now I see.
Alright, I got it now with your help!
I got it wrong in a hurry previously, but I added the two missing bytes for the string and it worked just fine now.
Thank you a lot, you have been a great help!