Mace
Joined: 28 Sep 2013, Posts: 1
Posted: Sun Oct 06, 2013 7:15 pm
Post subject: LUA script only working at a certain time?
So I came across a guy who, so that I could further my knowledge of Cheat Engine, gave me an injection script for a mostly client-side online game (ROBLOX, just for reference). ROBLOX involves building games and then publishing them for others to play, and uses Lua scripts to perform actions. The exploit is as follows:
```lua
local Exploits, Successes, AddressList, NoRun, Interface = {}, {}, {}, {}, {};
local GlobalOffset = "28";

function GetExploit(index)
    local tab, scan, result = Exploits[index], createMemScan(true);
    memscan_returnOnlyOneResult(scan, true);
    memscan_firstScan(scan, soExactValue, vtByteArray, rtTruncated, table.concat(tab[2], " "), nil, 0, 0x00FFFFFF, "", fsmNotAligned, nil, false, false, false, false);
    memscan_waitTillDone(scan);
    result = memscan_getOnlyResult(scan);
    if result == nil then return nil; end
    result = string.format("%X", result + tab[3]);
    result = string.rep("0", 8 - string.len(result)) .. result;
    return result;
end

function AddExploit(name, hex, offset)
    table.insert(Exploits, {name, hex, offset})
end

function toAddr(num)
    local num = tonumber(num);
    local addr = string.format("%X", num):upper();
    addr = string.rep("0", 8 - string.len(addr)) .. addr;
    return addr;
end

debugger_onBreakpoint = function()
    local function GetAddress(ESPaddr, Offset)
        local ESPaddr, Offset = tostring(ESPaddr) or string.rep("0", 8), tostring(Offset == nil and GlobalOffset or Offset);
        local SCaddr_base = tonumber("0x" .. ESPaddr) + tonumber("0x" .. Offset);
        local SCaddr_cont1, SCaddr_cont2, SCaddr_cont3, SCaddr_cont4 = tostring(string.format("%X", SCaddr_base)), tostring(string.format("%X", SCaddr_base + 1)), tostring(string.format("%X", SCaddr_base + 2)), tostring(string.format("%X", SCaddr_base + 3));
        local SCaddr = (readBytes(SCaddr_cont1) + (readBytes(SCaddr_cont2) * 256) + (readBytes(SCaddr_cont3) * 65536) + (readBytes(SCaddr_cont4) * 16777216));
        return toAddr(SCaddr);
    end
    --if readBytes(GetAddress(toAddr(ESP), GlobalOffset), 1) == 0x0D then
    local JOIN_addr = GetAddress(toAddr(ESP), GlobalOffset);
    local JOIN_len = tonumber("0x"..GetAddress(toAddr(ESP), string.format("%X", tonumber("0x"..GlobalOffset) + 4)));
    local JOIN_script_tbl = readBytes(JOIN_addr, JOIN_len, true);
    local JOIN_script = "";
    table.foreach(JOIN_script_tbl, function(i, v) JOIN_script = JOIN_script .. string.char(v); end);
    local script = JOIN_script .. [==[--[[INSERT SCRIPTS HERE]]--]==]
    local memory = allocateSharedMemory("[ROBLOX]-ScriptTrainer", string.len(script) + 5);
    local mem = toAddr(memory);
    local len = toAddr(string.len(script));
    local success_catch = writeString(mem, script);
    writeBytes(ESP + tonumber("0x" .. GlobalOffset), tonumber("0x" .. mem:sub(7, 8)), tonumber("0x" .. mem:sub(5, 6)), tonumber("0x" .. mem:sub(3, 4)), tonumber("0x" .. mem:sub(1, 2)));
    writeBytes(ESP + tonumber("0x" .. GlobalOffset) + 4, tonumber("0x" .. len:sub(7, 8)), tonumber("0x" .. len:sub(5, 6)), tonumber("0x" .. len:sub(3, 4)), tonumber("0x" .. len:sub(1, 2)));
    --print("[FiveInjector]: Script Execution location " .. GetAddress(toAddr(ESP), GlobalOffset) .. " with length " .. tonumber("0x" .. len));
    pcall(function() debug_removeBreakpoint(EIP); end);
    debug_continueFromBreakpoint(co_run);
    messageDialog("studio.ashx found and " .. (success_catch and "Thejustifierx successful" or "failed to inject."), (success_catch and 2 or 1), 2);
    --else
    --debug_continueFromBreakpoint(co_run)
    --end
end

function Exec()
    local unprotect_mem = {00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 01, 00, 01, 01, 01, 01, 01, 00, 01, 00, 01, 00, 00, 00, 01, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00}
    writeBytes("00F24118", unprotect_mem);
    pcall(function() object_destroy(Interface.MainFrame); end);
    Exploits, Successes, AddressList, Interface = {}, {}, {}, {};
    --AddExploit("level", {0x89, 0x74, 0x24, 0x0C, 0x89, 0x06, 0xE8}, 4)
    AddExploit("script", {0x83, 0xEC, 0x14, 0x56, 0x57, 0x8B, 0x7C, 0x24, 0x2C, 0x85, 0xFF}, 3)
    for i, v in pairs(Exploits) do
        local exploit = GetExploit(i);
        if (exploit == nil) then
            print("[FiveInjector]: Failed \"" .. v[1] .. "\"");
        else
            pcall(function() debug_removeBreakpoint(exploit); end);
            debug_setBreakpoint(exploit);
            AddressList[v[1]] = exploit;
            table.insert(Successes, v[1]);
            print("[FiveInjector]: Success \"" .. v[1] .. "\" [" .. exploit .. "]");
        end
    end
    print("[FiveInjector]: " .. tostring(#Successes) .. "/" .. tostring(#Exploits) .. " exploits found.")
    if #Successes == #Exploits then
        print("[FiveInjector]: Attached successfully. Listening for studio.ashx now...");
    else
        messageDialog("[FiveInjector]: Initializing failed. FiveInjector fails to launch", 1, 2);
    end
end

function myCheck(_)
    local id = getProcessIDFromProcessName("RobloxPlayer.exe");
    if id ~= nil then
        for i, v in pairs(NoRun) do
            if v == id then
                return
            end
        end
        table.insert(NoRun, id);
        openProcess(id);
        debugProcess(2);
        Exec();
    else
        local id2 = getProcessIDFromProcessName("RobloxPlayerBeta.exe");
        if id2 ~= nil then
            for i, v in pairs(NoRun) do
                if v == id2 then
                    return
                end
            end
            table.insert(NoRun, id2);
            openProcess(id2);
            debugProcess(2);
            Exec();
        end
    end
end

t = createTimer(nil)
timer_setInterval(t, 500)
timer_onTimer(t, myCheck)
timer_setEnabled(t, true)
```
Now, I would like very much to understand how this script works better, but that's not the problem at hand. The issue is, the script fails when my computer clock is set normally. The client shows an error message and keeps the game from starting after the script is attached. But when the computer's date is set to June 1 2012, the script works just fine. The problem is, most large games simply stop sending data during the loading phase of the game when they detect the messed up time. How can I alter the script so that it does not need the time change to function?
EDIT: Well, it turns out that this was patched as I wrote this message. It errors right after it begins listening for studio.ashx, meaning that the exploit is probably being injected to the wrong place. So now the big question is, how would I go about fixing this one or making a new one?
P.S. I am not asking that you fix the script for me, although if you want to, go right ahead. I am asking for a little bit of edumacation about how I would go about fixing it myself and/or writing new exploits. Thanks!
My procedure to run the exploit:
1. Set computer date to June 1 2012
2. Start CE 6.2 (won't work with 6.3 for some reason)
3. Open cheat table and paste in the exploit. I left about 6,300 lines of various scripts from the above because I get the same results even with a simple print("Hello World").
4. Click execute, wait for 5 seconds.
5. Click the "Play Game" button. When it is 13% loaded, a popup appears telling me that the exploit was successful.
6. Wait for 5 seconds, and then click the OK button on the popup. The game opens, with the various GUI elements made by the scripts already loaded.
7. The game connects to the server, and either A. loads completely or B. loads to a certain number of parts and then stops.
8. Hilarity ensues if A. If B, then the server cannot be exploited until the date change is fixed.
_________________
What's this? Your ScriptKitty has evolved into Exploitakat!