Cheat Engine The Official Site of Cheat Engine
kitesan (Expert Cheater, Reputation: 0, Joined: 01 May 2014, Posts: 124)
Posted: Thu Feb 19, 2015 2:08 pm, Post subject: Module inject
How do I inject a module with a Lua script?
atom0s (Moderator, Reputation: 205, Joined: 25 Jan 2006, Posts: 8587, Location: 127.0.0.1)
Posted: Thu Feb 19, 2015 3:04 pm
Code:
injectDLL(filename): Injects a dll, and returns true on success
- Retired.
kitesan (Expert Cheater, Reputation: 0, Joined: 01 May 2014, Posts: 124)
Posted: Sat Feb 21, 2015 8:06 am
Actually I wanted to inject an exe (its module) into a process (to duplicate the original exe module). In short, an exe injector coded in C, VB or Lua.
SteveAndrew (Master Cheater, Reputation: 30, Joined: 02 Sep 2012, Posts: 323)
Posted: Sat Feb 21, 2015 4:46 pm
Umm... what? lol, you can't inject an exe into an exe! You're going to have to clarify what you mean or what you're trying to do, as there probably is a way to do what you want, but it's probably not how you're thinking it'll work.
kitesan (Expert Cheater, Reputation: 0, Joined: 01 May 2014, Posts: 124)
Posted: Sat Feb 21, 2015 6:49 pm
I have to make a copy of the main module of Far Cry 4 and inject the copy into the game, so I have the same module two times.
SteveAndrew (Master Cheater, Reputation: 30, Joined: 02 Sep 2012, Posts: 323)
Posted: Sat Feb 21, 2015 7:09 pm
Oh okay, see, that makes more sense now. What you need to do is not inject a second game into the first, but instead make a copy of the entire region of memory the game takes up. This is to bypass a CRC check or something, right?
Either save the memory region with CE and use the loadbinary function of Auto Assembler or Lua, or create a copy of the memory "on-the-fly" with AA or Lua (obviously executed before enabling any cheats).
Then your script to bypass the CRC will point the check to your copy of the memory instead of the original.
kitesan (Expert Cheater, Reputation: 0, Joined: 01 May 2014, Posts: 124)
Posted: Sat Feb 21, 2015 9:03 pm
Thanks a lot.
kitesan (Expert Cheater, Reputation: 0, Joined: 01 May 2014, Posts: 124)
Posted: Sun Feb 22, 2015 5:32 am
Little question: can functions like VirtualAlloc and VirtualAllocEx be used in 64-bit applications, and how?
SteveAndrew (Master Cheater, Reputation: 30, Joined: 02 Sep 2012, Posts: 323)
Posted: Mon Feb 23, 2015 10:21 am
You compile as 64-bit and it just works.
Or in ASM you pass the parameters/arguments via registers+stack instead of just the stack. If you're doing a Lua or AA script though, it can allocate memory for you more easily with 'alloc(memorycopy,123456)', where '123456' is the size in bytes, or in Lua: 'allocateSharedMemory(name, size)'.
I'd recommend just allocating it that way, but if you insist on calling VirtualAlloc instead of using CE's features:
"Integer values are passed (in order left to right) in RCX, RDX, R8, and R9. Arguments five and higher are passed on the stack. All arguments are right-justified in registers. This is done so the callee can ignore the upper bits of the register if need be and can access only the portion of the register necessary.
Floating-point and double-precision arguments are passed in XMM0 – XMM3 (up to 4) with the integer slot (RCX, RDX, R8, and R9) that would normally be used for that cardinal slot being ignored (see example) and vice versa."
Parameter Passing: https://msdn.microsoft.com/en-us/library/zthk2dkh.aspx
x64 Calling Convention: https://msdn.microsoft.com/en-us/library/ms235286.aspx
So something like:
Code:
[enable]
alloc(Alloc64,1024)
label(pMemoryCopy)
label(Exit)
registersymbol(Alloc64)
registersymbol(pMemoryCopy)
createthread(Alloc64)
Alloc64:
push rbp
mov rbp,rsp
and rsp,fffffff0 //16-byte align the stack before calling into kernel32
sub rsp,60 //shadow space (0x20 minimum) required by the x64 calling convention
xor rcx,rcx //mov rcx,0; optional parameter 'lpAddress'
mov rdx,#123456 //Size Of Memory Allocation / Bypass Area
mov r8,1000 //MEM_COMMIT
mov r9,40 //PAGE_EXECUTE_READWRITE
call kernel32.VirtualAlloc
test rax,rax
je Exit //jump is taken if allocation failed
mov [pMemoryCopy],rax
//mov rax,[pMemoryCopy] //well it's already in rax ;)
mov rbx,FarCry4.exe+1000
mov rcx,#123456 //Size Of FarCry4 Bypass Area
@@:
mov dl,[rbx]
mov [rax],dl
inc rax
inc rbx
dec rcx
jne @b
{ //This would deallocate it, but you need it around don't you? :D
mov rcx,[pMemoryCopy] //pointer to memory to be free'd
xor rdx,rdx //must be zero if MEM_RELEASE
mov r8,8000 //MEM_RELEASE
call kernel32.VirtualFree
}
Exit:
mov rsp,rbp
pop rbp
ret
pMemoryCopy:
dq 0 //8-byte slot: 'mov [pMemoryCopy],rax' stores a 64-bit pointer, so dd (4 bytes) is too small
[disable]
dealloc(Alloc64)
unregistersymbol(Alloc64)
unregistersymbol(pMemoryCopy)
kitesan (Expert Cheater, Reputation: 0, Joined: 01 May 2014, Posts: 124)
Posted: Mon Feb 23, 2015 10:50 am
I don't know how to thank you enough
kitesan (Expert Cheater, Reputation: 0, Joined: 01 May 2014, Posts: 124)
Posted: Mon Feb 23, 2015 6:50 pm
Last question: once you make a copy of the memory, how do you link the file of your copy (.CEM) to your table when you use, for example, Loadbinary(Copy, Copy.CEM)? And how do you get the address of that region back as a return value?
Very last question: how do you give the process handle to allocateSharedMemory(name, size)?
SteveAndrew (Master Cheater, Reputation: 30, Joined: 02 Sep 2012, Posts: 323)
Posted: Tue Feb 24, 2015 7:11 am
kitesan wrote:
> Last question: once you make a copy of the memory, how do you link the file of your copy (.CEM) to your table when you use, for example, Loadbinary(Copy, Copy.CEM)? And how do you get the address of that region back as a return value?
> Very last question: how do you give the process handle to allocateSharedMemory(name, size)?
Hmmm... Well, this is odd. You're supposed to have the .CEM file in the same directory as the .CT file is saved in, and loadbinary should load it. First I had to save my .CT and then re-open it before it would recognize that the .CEM file was indeed there, so I didn't get a "file not found" error anymore. However, it still wouldn't let me enable my script no matter what I tried. Even by providing the full path, it knew the file was there when syntax checking after editing the script, but it still wouldn't let it be ticked / enabled. I even tried putting the .CEM in the same directory as the game, but that didn't work either.
It was always easy to use before; perhaps in CE 6.4 it's broken? I'll find out about it.
Anyway, by using the Lua equivalent I managed to work around that issue: "readRegionFromFile".
One issue though: there doesn't seem to be a "releaseSharedMemory", and Lua seems to execute when you finish editing a script as well as when enabling it, so you could end up allocating a lot of memory and never freeing it while getting your script working the way you want!
By the way, you did have "don't include Cheat Engine header" ticked, right?
Still have the "MemCopy.CEM" or whatever you named it in the same directory as where the .CT is saved:
Code:
[enable]
{$lua}
unregisterSymbol("pMemoryCopy") --unregister if already registered, so we don't get stuck unable to enable
copyAddress=allocateSharedMemory("MemoryCopy",123456) --allocate memory for copy
readRegionFromFile("MemCopy.CEM",copyAddress) --read file into memory for copy
registerSymbol("pMemoryCopy",copyAddress) --register it as a symbol so you can use it in Auto Assembler
{$asm}
{
alloc(CRCBypass,1024)
<--
CRC Bypass Code Here
-->
}
[disable]
//dealloc(CRCBypass)
unregistersymbol(pMemoryCopy)
As for giving allocateSharedMemory a process handle, I don't think you can do that (from CE's help 'Script engine' page):
Code:
allocateSharedMemory(name, size):
Creates a shared memory object of the given size if it doesn't exist yet. If size is not given and there is no shared region with this name, then the default size of 4096 is used.
It then maps this shared memory block into the currently targeted process. It returns the address of the mapped region in the target process.
Or make the copy upon enabling the script (rather than having a pre-made copy "MemCopy.CEM"):
Code:
[enable]
alloc(MakeCopyThread,1024)
alloc(pMemoryCopy,123456) //the copy buffer itself, allocated by CE
label(MakeCopy)
registersymbol(pMemoryCopy)
createthread(MakeCopyThread)
MakeCopyThread:
push rbp
mov rbp,rsp
and rsp,fffffff0
sub rsp,20
mov rax,pMemoryCopy //used CE to allocate this time :D (pMemoryCopy is the buffer, not a pointer to it)
mov rbx,FC4.dll //start of bypass area
mov rcx,#123456 //Size Of FarCry4 Bypass Area
MakeCopy:
mov dl,[rbx]
mov [rax],dl
inc rax
inc rbx
dec rcx
jne MakeCopy
mov rsp,rbp
pop rbp
ret
{
<--
CRC Bypass Code Here
-->
}
[disable]
dealloc(MakeCopyThread)
dealloc(pMemoryCopy)
unregistersymbol(pMemoryCopy)
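Both of SteveAndrew's scripts rest on one idea: the game's integrity check computes a CRC over a region, so a check that can be steered at a byte-for-byte snapshot of that region keeps passing after the live bytes change. The C program below is an added example (not code from this thread or from Cheat Engine) that reproduces that situation in a portable toy: the standard CRC-32 polynomial is real, but the "region", its size, the patch and the integrity_check_t structure are all constructed for the example. For anyone writing such a check, the lesson is the mirror image of the thread: the checker has to hash the live mapping it actually runs from, and its base pointer and expected value must not themselves be trivially redirectable, otherwise a copy defeats it.

```c
/* Added example: a CRC-32 integrity check over a constructed "code region",
 * and why a checker pointed at a snapshot misses patches to the live region.
 * Nothing here touches a real process; everything is in-process toy data. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Standard CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320), computed
 * bitwise so no lookup table is needed. crc32("123456789") == 0xCBF43926. */
uint32_t crc32_region(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed stand-in for a module's code section. The thread copies
 * 123456 bytes from FarCry4.exe+1000; the size and contents here are made up. */
#define REGION_SIZE 4096
static uint8_t live_region[REGION_SIZE];

void init_region(void)
{
    for (size_t i = 0; i < REGION_SIZE; i++)
        live_region[i] = (uint8_t)(i * 31 + 7);
}

/* A checker holds a base pointer, a size and the expected CRC. A checker
 * whose base pointer can be redirected is exactly what the thread exploits. */
typedef struct {
    const uint8_t *base;
    size_t size;
    uint32_t expected;
} integrity_check_t;

integrity_check_t make_check(const uint8_t *base, size_t size)
{
    integrity_check_t c = { base, size, crc32_region(base, size) };
    return c;
}

/* Returns 1 when the bytes at c->base still hash to the recorded value. */
int check_passes(const integrity_check_t *c)
{
    return crc32_region(c->base, c->size) == c->expected;
}

/* Model of the thread's technique: snapshot the region (the byte-copy loop in
 * the AA scripts), redirect one checker at the snapshot, then patch the live
 * region. Returns 1 if the redirected checker still passes while a checker
 * over the live region fails, i.e. the copy hides the patch. */
int copy_hides_patch(void)
{
    init_region();
    integrity_check_t live_check = make_check(live_region, REGION_SIZE);

    uint8_t *copy = malloc(REGION_SIZE);
    if (copy == NULL)
        return -1;
    memcpy(copy, live_region, REGION_SIZE);   /* the copy loop */
    integrity_check_t redirected = live_check;
    redirected.base = copy;                   /* "point the check to your copy" */

    live_region[0x100] ^= 0xFF;               /* a patch to the live code */

    int hidden = check_passes(&redirected) && !check_passes(&live_check);
    free(copy);
    return hidden;
}

int main(void)
{
    printf("crc32(\"123456789\") = %08x\n",
           crc32_region((const uint8_t *)"123456789", 9));
    printf("snapshot hides live patch: %s\n", copy_hides_patch() ? "yes" : "no");
    return 0;
}
```

The redirected checker passes only because it never reads live_region again; a checker that re-derives its base from the loaded module each time, and whose expected value is not stored next to the pointer it protects, does not have this gap.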
kitesan (Expert Cheater, Reputation: 0, Joined: 01 May 2014, Posts: 124)
Posted: Tue Feb 24, 2015 9:55 am
You are an angel.