mik How do I cheat? Reputation: 0
Joined: 02 Oct 2008 Posts: 3
Posted: Thu Nov 10, 2022 9:44 am Post subject: Hacking game with lua engine |
Hi all,
Not sure if this is the correct place to ask for support.
I am trying to run Lua commands inside "intravenous", a game that uses lua51.dll.
1. The first step is to obtain AOBs for lua_gettop, luaL_loadstring and lua_pcall in an AOB script.
2. The second step is to use Lua code (executeCodeEx) in CE to show an input dialog for the command and then call luaL_loadstring and lua_pcall.
Currently I always receive the error below when pcall is executed:
Quote: | No idea how to handle the type you provided for parameter 5 |
My code:
AOB:
Code: | { Game : intravenous.exe
Version:
Date : 2022-11-10
Author : mik
This script hooks lua51.lua_gettop to record the game's lua_State pointer in pLuaState and registers the luaL_loadstring / lua_pcall addresses as symbols
}
[ENABLE]
// Hook the entry of lua51.lua_gettop(L). Under the x64 calling convention the
// lua_State* is passed in rcx, so the cave records it in pLuaState and then
// re-executes the two instructions the jmp displaced.
aobscanmodule(aobGetLuaState,lua51.dll,48 8B 41 18 48 2B 41 10) // lua51.lua_gettop
alloc(newmem,$1000,aobGetLuaState)
// Entry bytes of luaL_loadstring and lua_pcall; only their addresses are
// needed, they are exported as symbols for the Lua script.
aobscanmodule(aobLoadString,lua51.dll,48 89 5C 24 08 57 48 81 EC ** ** ** ** 48 8B F9) // lua51.luaL_loadstring
// NOTE(review): aobscanmodule takes the first match, so if this pattern is
// not unique inside lua51.dll the symbol silently points at the wrong function.
aobscanmodule(aobPcall,lua51.dll,48 89 5C 24 08 57 48 83 EC 20 8B 59 08 4C 8B D1) // should be unique
label(code)
label(return)
label(pLuaState)
registersymbol(pLuaState)
registersymbol(aobLoadString)
registersymbol(aobPcall)
newmem:
// NOTE(review): pLuaState is overwritten on every lua_gettop call from any
// thread; if the game has several states or coroutine threads, the value read
// later may not be the main state — confirm.
mov [pLuaState],rcx
code:
// original instructions displaced by the 5-byte jmp at aobGetLuaState
mov rax,[rcx+18]
sub rax,[rcx+10]
jmp return
// storage for the captured pointer; placed after the jmp so it is never executed
pLuaState:
dq 0
aobGetLuaState:
jmp newmem
nop
nop
nop
return:
registersymbol(aobGetLuaState)
[DISABLE]
// restore the 8 original bytes (5-byte jmp + 3 nops)
aobGetLuaState:
db 48 8B 41 18 48 2B 41 10
unregistersymbol(aobGetLuaState)
unregistersymbol(aobLoadString)
unregistersymbol(aobPcall)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: lua51.lua_gettop
lua51.lua_gettable+45: 48 8B 43 18 - mov rax,[rbx+18]
lua51.lua_gettable+49: 48 83 C0 08 - add rax,08
lua51.lua_gettable+4D: 48 8B 4B 18 - mov rcx,[rbx+18]
lua51.lua_gettable+51: 48 8B 00 - mov rax,[rax]
lua51.lua_gettable+54: 48 89 41 F8 - mov [rcx-08],rax
lua51.lua_gettable+58: 48 83 C4 20 - add rsp,20
lua51.lua_gettable+5C: 5B - pop rbx
lua51.lua_gettable+5D: C3 - ret
lua51.lua_gettable+5E: CC - int 3
lua51.lua_gettable+5F: CC - int 3
// ---------- INJECTING HERE ----------
lua51.lua_gettop: 48 8B 41 18 - mov rax,[rcx+18]
// ---------- DONE INJECTING ----------
lua51.lua_gettop+4: 48 2B 41 10 - sub rax,[rcx+10]
lua51.lua_gettop+8: 48 C1 F8 03 - sar rax,03
lua51.lua_gettop+C: C3 - ret
lua51.lua_gettop+D: CC - int 3
lua51.lua_gettop+E: CC - int 3
lua51.lua_gettop+F: CC - int 3
lua51.lua_getupvalue: 48 89 5C 24 08 - mov [rsp+08],rbx
lua51.lua_getupvalue+5: 57 - push rdi
lua51.lua_getupvalue+6: 48 83 EC 30 - sub rsp,30
lua51.lua_getupvalue+A: 48 8B D9 - mov rbx,rcx
lua51.luaL_loadstring: 48 89 5C 24 08 - mov [rsp+08],rbx
lua51.luaL_loadstring+5: 57 - push rdi
lua51.luaL_loadstring+6: 48 81 EC D0 00 00 00 - sub rsp,000000D0
lua51.luaL_loadstring+D: 48 8B F9 - mov rdi,rcx
lua51.luaL_loadstring+10: 48 89 54 24 20 - mov [rsp+20],rdx
lua51.lua_pcall: 48 89 5C 24 08 - mov [rsp+08],rbx
lua51.lua_pcall+5: 57 - push rdi
lua51.lua_pcall+6: 48 83 EC 20 - sub rsp,20
lua51.lua_pcall+A: 8B 59 08 - mov ebx,[rcx+08]
lua51.lua_pcall+D: 4C 8B D1 - mov r10,rcx
}
LUA script:
Code: | [ENABLE]
{$lua}
-- Runs in CE's own Lua interpreter; drives the game's Lua 5.1 state through
-- the symbols registered by the AOB script (pLuaState, aobLoadString, aobPcall).
if syntaxcheck then return end
local luaState = getAddressSafe("pLuaState")
local fnLuaLoadString = getAddressSafe( "aobLoadString" )
local fnLuaPcall = getAddressSafe( "aobPcall" )
-- pLuaState is filled by the lua_gettop hook; it is still 0 if the hook has not run yet.
luaState = readPointer(luaState)
-- NOTE(review): getAddressSafe returns nil, not 0, for an unresolved symbol, so these checks miss that case.
if luaState == 0 then print("No Lua State") error("") return end
if fnLuaLoadString == 0 then print("No luaL_loadstring function found") error("") return end
if fnLuaPcall == 0 then print("No lua_pcall function found") error("") return end
print(string.format('LUA state object address: %x', luaState))
print(string.format('LUA "load string" function address: %x', fnLuaLoadString))
print(string.format('LUA "pcall" function address: %x', fnLuaPcall))
-- NOTE(review): inputQuery returns nil when the dialog is cancelled; string.len(nil) would then raise.
local str = inputQuery( 'Please enter LUA command to be executed', 'Execute:', '' )
if string.len(str) > 0 then
-- luaL_loadstring(L, str) compiles the chunk; status 0 means success.
local status, err = executeCodeEx(0, nil, fnLuaLoadString, luaState, str)
print('Compile executed')
print(status)
print(err)
-- NOTE(review): 'result' is never assigned in this script (the value is in 'status'), so this prints nil...
print(string.format('Compiling "%s" - status %s, error %s!', str, result, err))
-- NOTE(review): ...and here %d with the unassigned 'result' raises a format error instead of reporting the failure.
if status ~= 0 then print(string.format('Compiling "%s" failed with %d!', str, result)) error("") return end
-- NOTE(review): the call target here is 0 rather than fnLuaPcall, luaState is not passed, and LUA_MULTRET is
-- not defined in this script (nil) — likely the "parameter 5" error quoted above.
status, err = executeCodeEx(0, nil, 0, result, LUA_MULTRET, 0)
print(string.format('Executing command "%s" - status %s, error %s!', str, result, err))
end
return("assert(true)")
[DISABLE]
I am grateful for any help.
ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
Posted: Thu Nov 10, 2022 12:41 pm Post subject: |
I don't see where you try to call pcall anywhere.
mik wrote: | Code: | status, err = executeCodeEx(0, nil, 0, result, LUA_MULTRET, 0) |
| It seems like you're trying to call the address 0 here?
An alternative is to do the work in the target process using {$ccode}. CE can copy the string to execute into the target process and create a remote thread to run it.
mik How do I cheat? Reputation: 0
Joined: 02 Oct 2008 Posts: 3
Posted: Thu Nov 10, 2022 2:28 pm Post subject: |
You are right, that was a mistake left over from testing to get the scripts running.
New:
Code: | [ENABLE]
{$lua}
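-- Runs in CE's own Lua interpreter; drives the game's Lua 5.1 state through
-- the symbols registered by the AOB script (pLuaState, aobLoadString, aobPcall).
if syntaxcheck then return end
-- getAddressSafe returns nil (not 0) for an unresolved symbol, so every check
-- below tests for nil as well as 0.
local luaState = getAddressSafe("pLuaState")
local fnLuaLoadString = getAddressSafe( "aobLoadString" )
local fnLuaPcall = getAddressSafe( "aobPcall" )
-- pLuaState is filled by the lua_gettop hook; it is still 0 if the hook has
-- not run yet. readPointer returns nil when the read fails.
luaState = luaState and readPointer(luaState)
if not luaState or luaState == 0 then print("No Lua State") error("") end
if not fnLuaLoadString or fnLuaLoadString == 0 then print("No luaL_loadstring function found") error("") end
if not fnLuaPcall or fnLuaPcall == 0 then print("No lua_pcall function found") error("") end
print(string.format('LUA state object address: %x', luaState))
print(string.format('LUA "load string" function address: %x', fnLuaLoadString))
print(string.format('LUA "pcall" function address: %x', fnLuaPcall))
-- inputQuery returns nil when the dialog is cancelled; treat that like an empty command.
local str = inputQuery( 'Please enter LUA command to be executed', 'Execute:', '' )
if str and #str > 0 then
  -- NOTE(review): executeCodeEx presumably runs the call on a thread CE creates
  -- in the target while the game's own thread may be using the same lua_State;
  -- a Lua 5.1 state is not safe for concurrent use, so this can corrupt the
  -- interpreter state — confirm before relying on it.
  -- NOTE(review): whether executeCodeEx ever returns a second value is not
  -- confirmed here; 'err' may always be nil.
  -- luaL_loadstring(L, str): status 0 means the chunk compiled and was pushed.
  local status, err = executeCodeEx(0, nil, fnLuaLoadString, luaState, str)
  print('Compile executed')
  -- 'status' (not an unassigned 'result') carries the return value; %s keeps
  -- the report from raising if the value is ever nil.
  print(string.format('Compiling "%s" - status %s, error %s!', str, status, err))
  if status ~= 0 then print(string.format('Compiling "%s" failed with %s!', str, status)) error("") end
  -- lua_pcall(L, nargs = 0, nresults = -1 (LUA_MULTRET), errfunc = 0)
  status, err = executeCodeEx(0, nil, fnLuaPcall, luaState, 0, -1, 0)
  print(string.format('Executed command "%s" - status %s, error %s!', str, status, err))
end
return("assert(true)")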
[DISABLE]
Now it does not fail with an error, but every command I tried has no visible effect.