Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25298 Location: The netherlands
|
Posted: Tue Sep 22, 2020 4:07 am Post subject: Lua function call using Auto Assembler |
|
|
This code will hook the "Hit me" button in the 64-bit tutorial and call a lua function which shows information about the click, and then manipulate the state before continuing
Code: |
loadlibrary(luaclient-x86_64.dll)
luacall(openLuaServer('CELUASERVER'))
CELUA_ServerName:
db 'CELUASERVER',0
[ENABLE]
{$lua}
function luahook_tutorial_step2_click(addressOfDecrease, addressBeingAccessed)
print(string.format("luahook_tutorial_step2_click. Writing to %.8x. addressOfDecrease=%.8x",addressBeingAccessed,addressOfDecrease))
print(string.format("old decrease amount was %d", readInteger(addressOfDecrease)))
writeInteger(addressOfDecrease,-1) --change the decrease to -1. value--1 = value+1
print(string.format("new decrease amount is %d", readInteger(addressOfDecrease)))
return 123; --returns 123, which would be the value of rax upon return. (Alternatively, I could have coded it so the new decrease value is fetched from RAX)
end
{$asm}
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048,"Tutorial-x86_64.exe"+2B08C)
alloc(luafunctionid,4)
alloc(luafunctionname,256)
label(returnhere)
label(originalcode)
label(exit)
luafunctionname:
db 'luahook_tutorial_step2_click',0
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
//save the state (stack is already aligned so not needed to realign, just allocate space)
sub rsp,20+a*8 //20 for 32 byte scractspace for the function, 4*8 for storing rax and rbx and pointers to them, 6*8 to store rcx,rdx,r8,r9,r10 and r11
//rsp to rsp+1f is used as scratchspace for functions
//store parameters you might be interested in
mov [rsp+20],rax
mov [rsp+28],rbx
//setup parameter space:
lea rax,[rsp+20]
mov [rsp+30],rax
//need to keep the stack aligned, and might as well use it to store the address being accessed
lea rax,[rbx+7f0]
mov [rsp+38],rax
//store these registers as they may get changed:
mov [rsp+40],rcx
mov [rsp+48],rdx
mov [rsp+50],r8
mov [rsp+58],r9
mov [rsp+60],r10
mov [rsp+68],r11
//now the lua call part
mov ecx,[luafunctionid] //check if the functionid is obtained
test ecx,ecx
jne short hasrefid
//no, obtain the ID
mov rcx,luafunctionname
call CELUA_GetFunctionReferenceFromName //Basically calls createRef(functionname) and returns the value
mov [luafunctionid],eax
mov ecx,eax //functionid
hasrefid: //there is a functionID to use
//at this point ecx contains the functionid
mov edx,2 //only the addresses of RAX and RBX are to be passed. So 2
lea r8,[rsp+30] //the addresses to RAX and RBX are at RSP+30
mov r9,0 //0=no async, 1=async. Use async if you do not wish to update the GUI. Faster
call CELUA_ExecuteFunctionByReference
//function returned. You could check the returnvalue in rax, but in this case I don't care
//restore the registers
mov rax,[rsp+20] //restore rax. this could have been changed by the lua code using a writeInteger on parameter 1
mov rbx,[rsp+28] //restore rbx (though likely not changed)
//restore the changed registers
mov rcx,[rsp+40]
mov rdx,[rsp+48]
mov r8,[rsp+50]
mov r9,[rsp+58]
mov r10,[rsp+60]
mov r11,[rsp+68]
add rsp,20+a*8
//and now call the original code
originalcode:
sub [rbx+000007F0],rax
exit:
jmp returnhere
"Tutorial-x86_64.exe"+2B08C:
jmp newmem
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"Tutorial-x86_64.exe"+2B08C:
sub [rbx+000007F0],eax
//Alt: db 29 83 F0 07 00 00
|
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|