Cheat Engine

[BigCrock5]

I'm trying to inject code into a unity game and run it using CREATETHREAD.

If I run the same code using a code injection hook, it runs fine.

If I run it using CREATETHREAD, the game crashes instantly.

Is there something I'm missing?

[ParkourPenguin]

A quick search tells you C0000005 is an access violation.

You aren't passing the right arguments, globals aren't in the correct state, and/or there's a pointer path from some argument or global to some value that isn't in the correct state. Step into the code and figure it out. (a break-and-trace might help)

[BigCrock5]

I was thinking it may be related to some registers not being available because it's running a new thread or something like that.

If I call the code from a hook it works perfectly, if I call the exact same code from a thread, it does not work.

I created a small test app and hooked into it and called it on that and it worked, so I'm guessing there is some global state that cannot be accessed.

Or unity has a certain time window where you can make these updates.

But a buffer overflow sounds odd.

EDIT:

So I did some debugging, it fails on a piece of code:

[ParkourPenguin]

Oh, right, my bad. In windows x64 ABI the stack must have a shadow store for the four register parameters (0x20 bytes) prior to a call as well as 16-byte alignment most of the time.
https://docs.microsoft.com/en-us/cpp/build/x64-calling-convention?view=msvc-170

The 16-byte alignment is what's causing movaps ("move aligned packed singles") to fail. If you fixed that, it might still fail if the return address was corrupted.

Allocating 0x28 bytes on the stack w/ `sub rsp,28` will give 0x20 bytes for the shadow store and align the stack to 0x10 bytes (the other 8 were from the return address of the call that called "mycode")

I think you could also just do a tail call and everything will work:

[BigCrock5]

So `jmp` instead of `call` will work?

Just curious, how would this work if I wanted to call multiple functions? Once I've used jmp, I cannot get back?

[ParkourPenguin]

`call` works by pushing the return address (next instruction) on the stack. `ret` uses that to return to the caller.
`jmp` simply branches to the target address. In general, there's no way to get back to where you started from.
Look up "tail call" for more information.

If you want to call several functions, then you can't generally do that with a single jmp. You'll have to allocate space on the stack to adhere to windows x64 calling conventions.

[Dark Byte]

Also, since it's unity, likely il2cpp? you'll often have to call il2cpp_thread_attach to setup the TLS information for the current thread in case the routine you're calling wants to call something .net specific

[BigCrock5]

How can I observe the return value of a function if I’m using jmp?

I’d originally planned to mov output,rax after the call but it seems that wont be possible with jmp.

[Dark Byte]

don't use jmp, use call

[BigCrock5]

And in that case, what should I sub from rsp?

[Dark Byte]

28

8 to align and 20 for scratchspace

[BigCrock5]

I've made a lot of progress, but some functions don't seem to work, and others do.

For example, I can call the set_position function on a Unity Transform, but get_position just crashes the game.

Seems to be an access violation again, this approach works for

Component->get_gameObject

GameObject -> get_transform

but not

Transform -> get_position

Not really sure what to do next.

I'm trying to run the following:

[Dark Byte]

you're sure they take no parameters ?

[BigCrock5]

It's a C# property, so I'm assuming it just takes the thisPtr and nothing else.

[Bloodybone]

When you have a funtion that returns a Vector3, the first parameter should be a memory location that can hold 3 Floats.

So using your code, you'll have to change it like so: