Cheat Engine The Official Site of Cheat Engine
skippersp Cheater
Reputation: 0
Joined: 27 Dec 2014 Posts: 28
Posted: Thu Oct 14, 2021 4:43 pm Post subject: Need opinion - trying to hook Lua game
I am working on a game called Onmyoji in the Otherworld: Sayaka's Story with a modified Lua engine, and am making no progress.
A bit to say, but the TL;DR is:
* String-searched '$LuaVersion 5.4.3 blah blah', so that's a start
* No lua54.dll shipped, no module reference
* Can't find lua_gettop, pcall, and loadbuffer (no matching patterns and string refs)
* Typedefs/calling conventions are correct, so it could be wrong pointers to a modified API
Should I give up and go home, or am I missing something?
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8586 Location: 127.0.0.1
Posted: Thu Oct 14, 2021 6:46 pm
If there is no Lua DLL then it was statically linked. That said, depending on the compiler options used both for compiling Lua's lib and for how it's imported and compiled into the exe/dll that is using it, you may not find some things like lua_gettop directly. These kinds of calls can easily be inlined by the compiler, because what it does is just a basic pointer cast after some minor math against two pointers.
For example, in a game that does not do aggressive inlining, lua_gettop will look like this:
Code:
/*
.text:005C1820 mov ecx, [esp+4]     ; ecx = lua_State* (first and only cdecl argument)
.text:005C1824 mov eax, [ecx+14h]   ; one stack-pointer field of the lua_State
.text:005C1827 sub eax, [ecx+10h]   ; minus the other: distance in bytes
.text:005C182A sar eax, 3           ; divide by 8, the per-slot size in this build
.text:005C182D retn
*/
int __cdecl lua_gettop(int a1)
{
    /* a1 is the lua_State*; the two DWORDs are the stack-pointer fields read above */
    return (*(_DWORD *)(a1 + 0x14) - *(_DWORD *)(a1 + 0x10)) >> 3;
}
But you can see how simple this kind of setup is, so a lot of compilers with some minor optimizations will just inline this anywhere it's used instead.
The easiest way to find Lua calls is to find common string usages and trace back to function calls based on the source code. Lua is open source, so it's pretty straightforward and easy to find calls to things using that approach.
_________________
- Retired. |
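The two techniques in the reply above (matching the lua_gettop body with the lua_State field offsets wildcarded, so that inlined copies are also hit, and finding a known Lua string and then the `push imm32` that passes its address to a call) as an added, runnable example. This is editor-added code, not code from the thread, the game or Cheat Engine. The "image" it scans is constructed in memory so the program runs stand-alone: `IMAGE_BASE`, the byte layout, the second "inlined" function and its offsets are all made up for the demonstration, and the helper names (`find_pattern`, `find_string_xref`, `build_image`) are mine. The only facts taken from the page and from Lua's sources are the instruction bytes of the listing and the chunk name `"=(debug command)"` that ldblib.c's db_debug passes to luaL_loadbuffer.

```c
/* Added example: masked pattern scan + 32-bit string-reference scan over a
 * constructed in-memory "image". IMAGE_BASE and all offsets are made up. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_BASE 0x00400000u   /* assumed load address of the fake image */

/* mov eax,[ecx+??] / sub eax,[ecx+??] / sar eax,3 -- the two lua_State field
 * offsets are wildcarded because they differ between Lua versions and builds.
 * The prologue and retn are left out so the pattern also hits inlined copies. */
static const uint8_t gettop_pat[]  = {0x8B,0x41,0x00, 0x2B,0x41,0x00, 0xC1,0xF8,0x03};
static const uint8_t gettop_mask[] = {1,1,0, 1,1,0, 1,1,1};   /* 0 = wildcard */

/* Offset of the nth (0-based) masked-pattern match in img, or -1. */
long find_pattern(const uint8_t *img, size_t len, const uint8_t *pat,
                  const uint8_t *mask, size_t plen, int nth)
{
    for (size_t i = 0; i + plen <= len; i++) {
        size_t j = 0;
        while (j < plen && (!mask[j] || img[i + j] == pat[j])) j++;
        if (j == plen && nth-- == 0) return (long)i;
    }
    return -1;
}

/* Offset of the first `push imm32` (68 xx xx xx xx) whose immediate is va, or -1. */
long find_push_imm32(const uint8_t *img, size_t len, uint32_t va)
{
    for (size_t i = 0; i + 5 <= len; i++) {
        if (img[i] != 0x68) continue;
        uint32_t imm = (uint32_t)img[i + 1] | (uint32_t)img[i + 2] << 8 |
                       (uint32_t)img[i + 3] << 16 | (uint32_t)img[i + 4] << 24;
        if (imm == va) return (long)i;
    }
    return -1;
}

/* Find the NUL-terminated string s in img, then the code that pushes its
 * address (base + offset) as a call argument. Returns the push's offset or -1. */
long find_string_xref(const uint8_t *img, size_t len, uint32_t base, const char *s)
{
    size_t slen = strlen(s) + 1;
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(img + i, s, slen) == 0)
            return find_push_imm32(img, len, base + (uint32_t)i);
    return -1;
}

/* ---- constructed test image (not a real binary) ------------------------ */
static uint8_t image[128];
static size_t image_len;

static void emit(const void *p, size_t n) { memcpy(image + image_len, p, n); image_len += n; }

size_t build_image(void)
{
    /* offset 0: lua_gettop exactly as in the listing above */
    static const uint8_t gettop[] = {0x8B,0x4C,0x24,0x04, 0x8B,0x41,0x14, 0x2B,0x41,0x10,
                                     0xC1,0xF8,0x03, 0xC3};
    /* offset 14: a made-up function with gettop inlined and other field offsets:
     * push ebp; mov ebp,esp; mov ecx,[ebp+8]; mov eax,[ecx+24h];
     * sub eax,[ecx+20h]; sar eax,3; pop ebp; retn */
    static const uint8_t inlined[] = {0x55, 0x8B,0xEC, 0x8B,0x4D,0x08, 0x8B,0x41,0x24,
                                      0x2B,0x41,0x20, 0xC1,0xF8,0x03, 0x5D, 0xC3};
    const char *chunkname = "=(debug command)";   /* db_debug's chunk name (ldblib.c) */
    image_len = 0;
    emit(gettop, sizeof gettop);
    emit(inlined, sizeof inlined);
    /* offset 31: push <string va>; call <rel32 placeholder>; the string follows at 41 */
    uint32_t va = IMAGE_BASE + (uint32_t)(image_len + 10);
    uint8_t push[5] = {0x68, (uint8_t)va, (uint8_t)(va >> 8), (uint8_t)(va >> 16), (uint8_t)(va >> 24)};
    uint8_t call[5] = {0xE8, 0, 0, 0, 0};
    emit(push, 5);
    emit(call, 5);
    emit(chunkname, strlen(chunkname) + 1);
    return image_len;
}

long scan_gettop(int nth)
{
    return find_pattern(image, image_len, gettop_pat, gettop_mask, sizeof gettop_pat, nth);
}

long scan_chunkname_xref(void)
{
    return find_string_xref(image, image_len, IMAGE_BASE, "=(debug command)");
}

int main(void)
{
    build_image();
    for (int n = 0; scan_gettop(n) != -1; n++)
        printf("gettop body at image+%ld\n", scan_gettop(n));
    printf("push of \"=(debug command)\" at image+%ld\n", scan_chunkname_xref());
    return 0;
}
```

Against a real target the buffer would be the module's .text read out of the process, and the string's virtual address is the module base plus the string's RVA (section mapping, not a flat file offset); the example treats its buffer as already mapped. A wildcarded pattern hands you candidates, not answers: each hit, especially an inlined one inside a larger function, still has to be confirmed in the debugger.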
skippersp Cheater
Reputation: 0
Joined: 27 Dec 2014 Posts: 28
Posted: Thu Oct 14, 2021 8:23 pm
Thanks for replying.
I easily found a candidate for loadbuffer by looking at db_debug so I have been focusing on it. Now it crashes when I return after the tramp function. A look at my detour func in the debugger shows this:
Code:
if (lua_State_ptr2 == 0)
{
    lua_State_ptr2 = L;
    std::cout << "[luaL_loadbuffer] lua_State_ptr2=*0x" << L << std::endl;
}
return pluaL_loadbuffer(L, buff, size, name);
Code:
push ebp
mov ebp,esp
cmp dword ptr [kakuriyoLib.lua_State_ptr2],00
push esi
mov esi,[ebp+08]
jne kakuriyoLib.h_loadbuffer+3C
mov ecx,[kakuriyoLib._imp_?coutstd]
mov edx,kakuriyoLib.dll+7918
push "kakuriyoLib.std::endl<char,std::char_traits<char> >"
push esi
mov [kakuriyoLib.lua_State_ptr2],esi // captured lua_state ptr
call "kakuriyoLib.std::operator<<<std::char_traits<char> >"
mov ecx,eax
call dword ptr [kakuriyoLib._imp_??6?$basic_ostreamDU?$char_traitsDstdstdQAEAAV01PBXZ]
mov ecx,eax
call dword ptr [kakuriyoLib._imp_??6?$basic_ostreamDU?$char_traitsDstdstdQAEAAV01P6AAAV01AAV01ZZ]
push [ebp+18]
push [ebp+14]
push [ebp+10]
push [ebp+0C]
push esi
call dword ptr [kakuriyoLib.pluaL_loadbuffer] // problems begin
add esp,14
pop esi
pop ebp
ret
It seems the compiler is playing tricks on me. By using cout, or just capturing the lua_State, it messed up the stack and registers without proper cleanup.
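One check worth making on any such detour, as an editor-added example rather than the poster's or the game's code: the trampoline pointer must be declared with exactly the signature and calling convention of the function that was actually located in the binary. In Lua 5.4 `luaL_loadbuffer` is only a macro in lauxlib.h that expands to `luaL_loadbufferx` with a fifth `mode` argument of NULL, so the function reached from db_debug is the five-argument one, and the forwarding call has to pass all five. The example below is a forwarding hook with that signature which records the `lua_State*` on the first call. To run stand-alone, the in-process code patch and trampoline are replaced by a swap of a function pointer the simulated "game" calls through (the same shape as an import-table hook); `fake_loadbufferx`, `game_loadbufferx`, `game_run_debug_line` and the opaque `lua_State` stand-in are constructed for the demonstration, and `h_loadbufferx` / `pluaL_loadbufferx` follow the thread's naming but are mine.

```c
/* Added example: a luaL_loadbufferx hook with the exact 5-argument cdecl
 * signature, forwarding through a swapped function pointer. The game side is
 * simulated; nothing here patches memory. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#define LUA_CC __cdecl   /* Lua's public API is cdecl on 32-bit Windows */
#else
#define LUA_CC
#endif

typedef struct lua_State lua_State;   /* opaque, as in lua.h */
#define LUA_OK 0
#define LUA_ERRSYNTAX 3

/* Signature of Lua 5.4's luaL_loadbufferx; luaL_loadbuffer is a macro over it
 * that supplies mode = NULL, so the hook must declare all five parameters. */
typedef int (LUA_CC *luaL_loadbufferx_t)(lua_State *L, const char *buff,
                                          size_t size, const char *name,
                                          const char *mode);

/* Constructed stand-in for the game's statically linked luaL_loadbufferx. It
 * compiles nothing; it only applies the mode check the way lauxlib's checkmode
 * does ("t" = text only, "b" = binary only, NULL = either). */
static int LUA_CC fake_loadbufferx(lua_State *L, const char *buff, size_t size,
                                   const char *name, const char *mode)
{
    (void)L; (void)name;
    int is_binary = size > 0 && buff[0] == 0x1B;   /* LUA_SIGNATURE starts with ESC */
    if (mode && strchr(mode, is_binary ? 'b' : 't') == NULL) return LUA_ERRSYNTAX;
    return LUA_OK;
}

/* The slot the simulated game calls through (stands in for the patched call). */
static luaL_loadbufferx_t game_loadbufferx = fake_loadbufferx;

/* Hook state. */
static luaL_loadbufferx_t pluaL_loadbufferx;   /* original, set by install_hook */
static lua_State *captured_L;
static int hook_calls;

static int LUA_CC h_loadbufferx(lua_State *L, const char *buff, size_t size,
                                const char *name, const char *mode)
{
    hook_calls++;
    if (captured_L == NULL) {
        captured_L = L;
        printf("[luaL_loadbufferx] lua_State=%p name=%s\n",
               (void *)L, name ? name : "(null)");
    }
    return pluaL_loadbufferx(L, buff, size, name, mode);   /* forward all five */
}

void install_hook(void)
{
    pluaL_loadbufferx = game_loadbufferx;
    game_loadbufferx = h_loadbufferx;
}

/* Simulated game path: what ldblib.c's db_debug does with a typed line. */
int game_run_debug_line(lua_State *L, const char *line)
{
    return game_loadbufferx(L, line, strlen(line), "=(debug command)", NULL);
}

lua_State *hook_captured_state(void) { return captured_L; }
int hook_call_count(void) { return hook_calls; }

int main(void)
{
    int stateish;                            /* any address serves as the opaque L */
    lua_State *L = (lua_State *)&stateish;
    install_hook();
    printf("status=%d captured=%p\n", game_run_debug_line(L, "print('hi')"),
           (void *)hook_captured_state());
    return 0;
}
```

The point of the swap-based layout is that the hook's correctness (signature, convention, forwarding of every argument) can be exercised outside the target before the same function body is wired up to a real trampoline; if the five-argument version behaves and a four-argument version of the same hook would not, that is the comparison to make in the target.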