Cheat Engine The Official Site of Cheat Engine
BakeACake (How do I cheat?) Reputation: 0
Joined: 26 Dec 2018 Posts: 7
Posted: Wed Dec 26, 2018 5:58 am Post subject: CELUA_ExecuteFunctionByReference crashes the game
I have this code to call a lua function from asm:
Code:
{$lua}
function myfunction(h)
return 14
end
{$asm}
loadlibrary(luaclient-x86_64.dll)
luacall(openLuaServer('CELUASERVER'))
CELUA_ServerName:
db 'CELUASERVER',0
alloc(functionidRot,4)
alloc(functionnameRot,16)
functionidRot:
dd 0
functionnameRot:
db 'myfunction',0
[ENABLE]
alloc(newmemRot, 2048, "metro.exe"+24108F)
registersymbol(newmemRot)
alloc(newmemPos, 2048, "metro.exe"+89E02F)
registersymbol(newmemPos)
globalalloc(v_debug, 32)
v_debug:
dd 8
newmemRot:
movss [rcx+00000650],xmm1 { up down }
movss [rcx+00000654],xmm2 { left right }
sub rsp,60
mov [rsp+20],rcx
mov [rsp+28],rdx
mov [rsp+30],r8
mov [rsp+38],r9
mov [rsp+40],r10
mov [rsp+48],r11
mov [rsp+50],rax
//[rsp+58]=paramlist
mov ecx,[functionidRot]
test ecx,ecx
jne short hasrefidRot
mov rcx, functionnameRot
call CELUA_GetFunctionReferenceFromName
mov [functionidRot],eax
mov ecx,eax
hasrefidRot:
mov edx,1
lea r8,[rsp+58]
mov eax, B
mov [r8],rax
mov r9, 1
call CELUA_ExecuteFunctionByReference
mov dword ptr [v_debug], eax
mov rcx,[rsp+20]
mov rdx,[rsp+28]
mov r8,[rsp+30]
mov r9,[rsp+38]
mov r10,[rsp+40]
mov r11,[rsp+48]
mov rax,[rsp+50]
add rsp,60
jmp metro.exe+24109F
metro.exe+24108F:
jmp newmemRot
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
[DISABLE]
dealloc(newmemRot)
dealloc(newmemPos)
dealloc(functionidRot)
dealloc(functionnameRot)
dealloc(v_debug)
unregistersymbol(newmemRot)
unregistersymbol(newmemPos)
metro.exe+24108F:
db F3 0F 11 89 50 06 00 00 F3 0F 11 91 54 06 00 00
metro.exe+89E02F:
db 89 87 E8 00 00 00 41 8B 47 0C 89 87 EC 00 00 00 41 8B 47 10 C7 47 08 01 00 00 00 89 87 F0 00 00 00
So the game crashes when calling CELUA_ExecuteFunctionByReference.
But it does execute the lua script.
If you write down showMessage("sample") in the lua function, it will be executed and freeze the game instead of crashing it.
Does anyone know why this happens?
Dark Byte (Site Admin) Reputation: 458
Joined: 09 May 2003 Posts: 25283 Location: The netherlands
Posted: Wed Dec 26, 2018 6:50 am
is v_debug changed ?
if you remove the call and replace it with:
Code:
mov [rsp],0
mov [rsp+8],0
mov [rsp+10],0
mov [rsp+18],0
does it still crash?
is the stack aligned or unaligned at the position of your hook?
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
BakeACake (How do I cheat?) Reputation: 0
Joined: 26 Dec 2018 Posts: 7
Posted: Wed Dec 26, 2018 7:30 am
Dark Byte wrote:
> is v_debug changed ?
> if you remove the call and replace it with:
> Code:
> mov [rsp],0
> mov [rsp+8],0
> mov [rsp+10],0
> mov [rsp+18],0
> does it still crash?
> is the stack aligned or unaligned at the position of your hook?
1. the default value of 0x08 in v_debug will not change in the entire process.
I traced the debugger and tried to check whether eax changes to the return value in the CELUA_ExecuteFunctionByReference call.
It crashes somewhere during the execution of the call.
2. It does not crash with your code
3. I'm not very familiar with what a 16-bit aligned address is, so I just thought that reserving 16 bytes in rsp would let me be on a safe path.
My previous attempt also didn't work with my game process:
Edit: (It also crashed in the call)
Code:
[ENABLE]
{$lua}
function printStringFromAddr(a, b)
return math.abs(-100)
end
{$asm}
loadlibrary(luaclient-x86_64.dll)
luacall(openLuaServer('CELUASERVER'))
CELUA_ServerName:
db 'CELUASERVER',0
globalalloc(newmemRot,2048)
globalalloc(newmemPos,2048)
globalalloc(funcName,256)
globalalloc(paramList,64)
globalalloc(addresswithluafunctionidstored, 32)
globalalloc(v_debug, 32)
v_debug:
db 8
newmemRot:
movss [rcx+00000650],xmm1
movss [rcx+00000654],xmm2
push eax
mov eax,[addresswithluafunctionidstored]
test eax,eax
jne short hasrefid
push funcName
call CELUA_GetFunctionReferenceFromName
mov [addresswithluafunctionidstored],eax
hasrefid:
/////////relevant part/////////
mov [paramList],4
mov [paramList+4],3
push 0
push paramList
push 2
push eax
call CELUA_ExecuteFunctionByReference
mov [v_debug], eax
pop eax
jmp metro.exe+24109F
///////////////////////////////
newmemPos:
mov [rdi+000000E8],eax
mov eax,[r15+0C]
mov [rdi+000000EC],eax
mov eax,[r15+10]
mov [rdi+08],00000001
mov [rdi+000000F0],eax
jmp metro.exe+89E050
funcName:
db 'printStringFromAddr',0
paramList:
dd 9
metro.exe+24108F:
jmp newmemRot
nop
nop
metro.exe+89E02F:
jmp newmemPos
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
[DISABLE]
metro.exe+24108F:
db F3 0F 11 89 50 06 00 00 F3 0F 11 91 54 06 00 00
metro.exe+89E02F:
db 89 87 E8 00 00 00 41 8B 47 0C 89 87 EC 00 00 00 41 8B 47 10 C7 47 08 01 00 00 00 89 87 F0 00 00 00
dealloc(v_debug)
unregistersymbol(v_debug)
dealloc(newmemRot)
dealloc(newmemPos)
dealloc(funcName)
dealloc(paramList)
dealloc(addresswithluafunctionidstored)
But it worked all fine when only used with createthread(newmem) while it wasn't really attached to the game.
Thank you for your fast answer by the way.
Dark Byte (Site Admin) Reputation: 458
Joined: 09 May 2003 Posts: 25283 Location: The netherlands
Posted: Wed Dec 26, 2018 7:59 am
If it's at the function start, chances are that the stack hasn't been aligned yet (usually a sub rsp,xxx8 along the line does that).
If you call Windows APIs with an unaligned stack it will behave unexpectedly.
BakeACake (How do I cheat?) Reputation: 0
Joined: 26 Dec 2018 Posts: 7
Posted: Wed Dec 26, 2018 8:33 am
Dark Byte wrote:
> If it's at the function start, chances are that the stack hasn't been aligned yet (usually a sub rsp,xxx8 along the line does that).
> If you call Windows APIs with an unaligned stack it will behave unexpectedly.
Thank you!
You were right, it works when taking 8 bytes off the stack pointer before calling the function:
Code:
//...
sub rsp,8
call CELUA_ExecuteFunctionByReference
mov dword ptr [v_debug], eax
add rsp, 8
//...
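The alignment rule Dark Byte pointed at, and the 8-byte fix in the last post, as an added example that is not code from the thread or from Cheat Engine: a small C model of the Win64 call-site rules a hook has to satisfy before it calls into something like the luaclient DLL. It assumes the Win64 ABI (rsp is 16-byte aligned when `call` executes, so a callee sees rsp % 16 == 8 on entry, and the caller reserves 32 bytes of shadow space directly above the return address), that the hook sits at a function entry as Dark Byte suspected (passed in as a parameter rather than hard-coded, since a mid-function hook may see a different remainder), and the frame layout of the first post (shadow space, then seven saved registers, then the parameter list). The names plan_hook_frame and win64_frame_size and the rsp value 0x14FF08 are made up for the example. It generalises past the thread by planning the frame for any hook position, register count and parameter count; for the posted frame it reproduces 0x60 being misaligned at a function entry and 0x68 (0x60 + 8, which is what the last post does) being correct.

```c
/* Added example, not code from the thread or from Cheat Engine.
 * Models the Win64 call-site requirements a hook must meet before `call`:
 *   - rsp % 16 == 0 at the `call` (so the callee sees rsp % 16 == 8);
 *   - 32 bytes of shadow space at [rsp .. rsp+0x20) for the callee.
 * Assumption: the hook's rsp % 16 is known (8 at a function entry). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WIN64_SHADOW_SPACE 32u   /* bytes the callee may use at [rsp..rsp+0x20) */
#define SLOT 8u                  /* one pointer-sized stack slot */

/* rsp % 16 at the first instruction of a Win64 function: the caller was
 * aligned at its `call`, and `call` pushed an 8-byte return address. */
#define RSP_MOD16_AT_FUNCTION_ENTRY 8u

/* The rule the ABI applies implicitly: `call` executes with rsp 16-byte aligned. */
static int call_site_aligned(uintptr_t rsp_before_call) {
    return (rsp_before_call & 0xFu) == 0;
}

/* Smallest frame >= bytes_needed that contains the shadow space and leaves
 * rsp 16-byte aligned at the `call`, given rsp % 16 at the hook.  The result
 * is the operand for the hook's `sub rsp,N` and the matching `add rsp,N`. */
static size_t win64_frame_size(size_t bytes_needed, unsigned rsp_mod16_at_hook) {
    size_t frame = bytes_needed < WIN64_SHADOW_SPACE ? WIN64_SHADOW_SPACE : bytes_needed;
    frame = (frame + SLOT - 1) & ~(size_t)(SLOT - 1);   /* whole 8-byte slots */
    /* (rsp_at_hook - frame) must be 0 mod 16; unsigned wrap keeps the low bits exact. */
    if (((rsp_mod16_at_hook - frame) & 0xFu) != 0)
        frame += SLOT;                                   /* pad by one slot */
    return frame;
}

/* Layout used by the hook in the first post, computed instead of hand-counted. */
typedef struct {
    size_t saved_off;   /* [rsp+saved_off]: registers the hook preserves, above the shadow space */
    size_t params_off;  /* [rsp+params_off]: pointer-sized parameter slots the Lua call reads */
    size_t frame;       /* operand for sub rsp,N / add rsp,N */
} hook_frame;

static hook_frame plan_hook_frame(unsigned n_saved_regs, unsigned n_params,
                                  unsigned rsp_mod16_at_hook) {
    hook_frame f;
    f.saved_off  = WIN64_SHADOW_SPACE;
    f.params_off = f.saved_off + SLOT * n_saved_regs;
    f.frame      = win64_frame_size(f.params_off + SLOT * n_params, rsp_mod16_at_hook);
    return f;
}

/* Where rsp sits at the `call` once the hook has executed `sub rsp,frame`. */
static uintptr_t rsp_at_call(uintptr_t rsp_at_hook, size_t frame) {
    return rsp_at_hook - frame;
}

int main(void) {
    /* Constructed rsp value whose low nibble matches a function entry (% 16 == 8). */
    const uintptr_t rsp_at_hook = 0x000000000014FF08u;

    /* The first post: seven saved registers, one parameter, `sub rsp,60`. */
    const size_t posted = 0x60;
    printf("posted frame 0x%zx -> rsp %% 16 at call = %u (%s)\n", posted,
           (unsigned)(rsp_at_call(rsp_at_hook, posted) & 0xFu),
           call_site_aligned(rsp_at_call(rsp_at_hook, posted)) ? "aligned" : "MISALIGNED");

    /* What the planner says the same hook should have used at a function entry. */
    hook_frame f = plan_hook_frame(7, 1, RSP_MOD16_AT_FUNCTION_ENTRY);
    printf("planned: saved regs at [rsp+%zx], params at [rsp+%zx], sub rsp,%zx\n",
           f.saved_off, f.params_off, f.frame);
    return 0;
}
```

Nothing in the block touches a live process; it is the arithmetic a hook author does once per injection point. Note why the posted fix still works: `lea r8,[rsp+58]` is evaluated before the extra `sub rsp,8`, so the pointer passed to the Lua call stays valid even though rsp moved. If the padding is instead folded into a single `sub rsp,68` (as the planner suggests), every offset in the hook has to be recomputed from the new frame size, which is why computing the layout once rather than patching it afterwards is the less error-prone habit.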