Cheat Engine The Official Site of Cheat Engine
MH00 How do I cheat?
Reputation: 0
Joined: 29 Jul 2024 Posts: 9 Location: Ohio
Posted: Wed Nov 06, 2024 8:50 am Post subject: Where are LUA tutorials?
I am starting out trying to use LUA. I found a listing to print a register value using LUA but it failed for me. I asked about it and was told to ignore the error, but the $LUA code only runs when I inject, not when the program runs, and $luacode crashes the browser. I have not gotten any reply for the 2 questions I asked.
Please help me to do a simple print - where is a list of functions to use with $LUA and the params needed for each of the calls??
I have searched for a lua tutorial but can only find forum posts about them. Where is some lua tutorial on how to use CE to call a $LUA function so I can do a simple print?? Do I need to download it or how do I invoke the tutorial?
ParkourPenguin I post too much
Reputation: 150
Joined: 06 Jul 2014 Posts: 4641
Posted: Wed Nov 06, 2024 12:08 pm Post subject:
It's real hard for other people to say what's wrong when you don't post your full script.
In step 2 of the CE tutorial (Help menu -> CE Tutorial x86_64), this works:
Code:
[ENABLE]
aobscanmodule(Step2UpdateHealth,Tutorial-x86_64.exe,29 83 F8 07 00 00)
alloc(newmem,$1000,Step2UpdateHealth)
label(return)
newmem:
{$luacode damage=eax}
print('Damage:', damage)
{$asm}
sub [rbx+000007F8],eax
jmp return
Step2UpdateHealth:
jmp newmem
nop
return:
registersymbol(Step2UpdateHealth)
[DISABLE]
Step2UpdateHealth:
db 29 83 F8 07 00 00
unregistersymbol(Step2UpdateHealth)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: Tutorial-x86_64.exe+2B4BC
Tutorial-x86_64.exe+2B490: 55 - push rbp
Tutorial-x86_64.exe+2B491: 48 89 E5 - mov rbp,rsp
Tutorial-x86_64.exe+2B494: 48 8D A4 24 D0 FE FF FF - lea rsp,[rsp-00000130]
Tutorial-x86_64.exe+2B49C: 48 89 9D F0 FE FF FF - mov [rbp-00000110],rbx
Tutorial-x86_64.exe+2B4A3: 48 89 CB - mov rbx,rcx
Tutorial-x86_64.exe+2B4A6: 48 C7 45 F8 00 00 00 00 - mov qword ptr [rbp-08],00000000
Tutorial-x86_64.exe+2B4AE: 90 - nop
Tutorial-x86_64.exe+2B4AF: B9 05 00 00 00 - mov ecx,00000005
Tutorial-x86_64.exe+2B4B4: E8 57 47 FE FF - call Tutorial-x86_64.exe+FC10
Tutorial-x86_64.exe+2B4B9: 83 C0 01 - add eax,01
// ---------- INJECTING HERE ----------
Tutorial-x86_64.exe+2B4BC: 29 83 F8 07 00 00 - sub [rbx+000007F8],eax
// ---------- DONE INJECTING ----------
Tutorial-x86_64.exe+2B4C2: 48 8D 4D F8 - lea rcx,[rbp-08]
Tutorial-x86_64.exe+2B4C6: E8 45 DA FD FF - call Tutorial-x86_64.exe+8F10
Tutorial-x86_64.exe+2B4CB: 8B 8B F8 07 00 00 - mov ecx,[rbx+000007F8]
Tutorial-x86_64.exe+2B4D1: 41 B9 FF 00 00 00 - mov r9d,000000FF
Tutorial-x86_64.exe+2B4D7: 4C 8D 85 F8 FE FF FF - lea r8,[rbp-00000108]
Tutorial-x86_64.exe+2B4DE: 48 C7 C2 FF FF FF FF - mov rdx,FFFFFFFFFFFFFFFF
Tutorial-x86_64.exe+2B4E5: 48 63 C9 - movsxd rcx,ecx
Tutorial-x86_64.exe+2B4E8: E8 A3 AB FD FF - call Tutorial-x86_64.exe+6090
Tutorial-x86_64.exe+2B4ED: 45 31 C0 - xor r8d,r8d
Tutorial-x86_64.exe+2B4F0: 48 8D 95 F8 FE FF FF - lea rdx,[rbp-00000108]
}

In CE 7.5, you can't assign this to the cheat table due to the bug mentioned in the other topic you posted to. Assign a blank script to the table (or just comment out the {$luacode} part), edit that script in the table, click "OK", then click "Yes" when it asks if you're sure you want to edit it to this.
The standard Lua API is documented here:
http://www.lua.org/manual/5.3/contents.html#contents
CE's Lua API is "officially" documented in celua.txt in the main CE directory. There is some undocumented stuff not in that file. The CE wiki also has some information, but some of the examples are a bit off.
_________________
I don't know where I'm going, but I'll figure it out when I get there.

MH00 How do I cheat?
Reputation: 0
Joined: 29 Jul 2024 Posts: 9 Location: Ohio
Posted: Tue Nov 19, 2024 12:47 am Post subject: $luacode crashes the browser
I tried your listing. It worked for the CE tutorial and MS Edge (I dislike Edge -- they make some things hard to use).
But when I try the $luacode in the Firefox browser, it crashes the browser, and it has hung the browser so I had to crash it because there was no response from it.
When I first tried the code I got an error:
<<Error in line 0 (loadlibrary(luaclient-x86_64.dll)) :C:\Program Files\Cheat Engine 7.5\luaclient-x86_64.dll could not be injected>>
so I added this line to the code:
loadlibrary(luaclient-x86_64.dll)
I tried to find where the crash occurs by stepping into each call and got to some kernel error:
kernel32.GetLastError - EB 0E - jmp kernel32.GetLastError+10 { ->->KERNELBASE.GetLastError }
kernel32.GetLastError+2- 90 - nop
and here is the call stack:
luaclient-x86_64.dll+B7DF - 175CAC00,00000000,CBD2734B,0093E3E0,...
luaclient-x86_64.dll+A5CE - 00000000,CABF8899,00000000,0093DA98,...
luaclient-x86_64.dll+A867 - 190B3078,140AA200,0093E13C,CB9A11EB,...
luaclient-x86_64.dll+9B02 - 64181D70,140AA240,140AA2C0,CB9A11EB,...
luaclient-x86_64.dll+79F6 - 140AA240,0093D918,1A2C9200,CB5BAB32,...
luaclient-x86_64.dll+26926 - 1A2C9200,00000000,0093D9C0,00000000,...
luaclient-x86_64.dll+1E711 - CBD273DB,00000000,0093D9C0,0093E3E0,...
luaclient-x86_64.dll+1DFC6 - 00000000,0093E13C,CBD27CBB,1D0A71C0,...
7FEC9840428 - 0000000F,0093E13C,00000586,CB5EE96B,...
0000000F - 0093E13C,00000586,CB5EE96B,0093DA90,...
0093E13C - 00000586,CB5EE96B,0093DA90,C9840298,...
00000586 - CB5EE96B,0093DA90,C9840298,00000000,...
xul.dll+186E96B - 0093DA90,C9840298,00000000,CAD8C698,...
00000000 - 00000000,00000000,00000000,00000000,...
Then I just did "step over" for a long time and somewhere along the way the browser window disappeared and the code went away leaving ?? some where near this:
luaclient-x86_64.dll+1E201 - - ??
luaclient-x86_64.dll+1E202 - - ??
luaclient-x86_64.dll+1E203 - - ??
So, I have failed to do a simple print with lua and do not know what I have done wrong.
Code:
[ENABLE]
aobscanmodule(INJECT32,xul.dll,48 89 06 4C 39 F8) // should be unique
alloc(newmem,$200,INJECT32)
label(code)
label(return)
loadlibrary(luaclient-x86_64.dll)
newmem:
{$luacode hldrax=rax}
print('rax ',hldrax)
{$asm}
code:
mov [rsi],rax
cmp rax,r15
jmp return
INJECT32:
jmp newmem
nop
return:
registersymbol(INJECT32)
[DISABLE]
INJECT32:
db 48 89 06 4C 39 F8
unregistersymbol(INJECT32)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: xul.dll+1D7672A
xul.dll+1D7670A: 48 8B 39 - mov rdi,[rcx]
xul.dll+1D7670D: 48 89 F8 - mov rax,rdi
xul.dll+1D76710: 48 C1 E8 30 - shr rax,30
xul.dll+1D76714: 3D FB FF 00 00 - cmp eax,0000FFFB
xul.dll+1D76719: 72 0C - jb xul.dll+1D76727
xul.dll+1D7671B: 48 89 F8 - mov rax,rdi
xul.dll+1D7671E: 4C 21 F0 - and rax,r14
xul.dll+1D76721: 48 83 38 00 - cmp qword ptr [rax],00
xul.dll+1D76725: 74 4B - je xul.dll+1D76772
xul.dll+1D76727: 48 8B 03 - mov rax,[rbx]
// ---------- INJECTING HERE ----------
xul.dll+1D7672A: 48 89 06 - mov [rsi],rax
xul.dll+1D7672D: 4C 39 F8 - cmp rax,r15
// ---------- DONE INJECTING ----------
xul.dll+1D76730: 0F 87 80 00 00 00 - ja xul.dll+1D767B6
xul.dll+1D76736: 4C 39 FF - cmp rdi,r15
xul.dll+1D76739: 76 26 - jna xul.dll+1D76761
xul.dll+1D7673B: 4C 21 F7 - and rdi,r14
xul.dll+1D7673E: 48 8B 07 - mov rax,[rdi]
xul.dll+1D76741: 48 85 C0 - test rax,rax
xul.dll+1D76744: 74 1B - je xul.dll+1D76761
xul.dll+1D76746: 80 B8 71 01 00 00 00 - cmp byte ptr [rax+00000171],00
xul.dll+1D7674D: 74 12 - je xul.dll+1D76761
}
Also - is there a tutorial about using lua with the CE so that I can learn more about how to use lua??
MH00 How do I cheat?
Reputation: 0
Joined: 29 Jul 2024 Posts: 9 Location: Ohio
Posted: Thu Jan 02, 2025 9:58 am Post subject:
I really would like to use $luacode to do a simple print but when I try to use $luacode the Firefox browser crashes and everything disappears.
What am I doing wrong using $luacode that causes Firefox browser to crash???
ParkourPenguin I post too much
Reputation: 150
Joined: 06 Jul 2014 Posts: 4641
Posted: Thu Jan 02, 2025 12:08 pm Post subject:
The script seems fine. The loadlibrary call is unnecessary if you do what I previously mentioned to avoid the bug.
Maybe something about Firefox's sandboxing causes some IPC call to fail unexpectedly.
It's unlikely, but maybe there's a branch to the middle of the injection point (e.g. jcc xul.dll+1D7672D).
Try enabling Memory Viewer -> Debug -> Break on unexpected exceptions -> Always. See where it crashes. If that doesn't work, set a breakpoint just before the injection point, enable your code injection, and step into your code until it crashes.
_________________
I don't know where I'm going, but I'll figure it out when I get there.

MH00 How do I cheat?
Reputation: 0
Joined: 29 Jul 2024 Posts: 9 Location: Ohio
Posted: Fri Jan 03, 2025 12:59 am Post subject:
I did a step into (see above) and listed the call stack of the crash:
luaclient-x86_64.dll+79F6 - 140AA240,0093D918,1A2C9200,CB5BAB32,...
luaclient-x86_64.dll+26926 - 1A2C9200,00000000,0093D9C0,00000000,...
luaclient-x86_64.dll+1E711 - CBD273DB,00000000,0093D9C0,0093E3E0,...
luaclient-x86_64.dll+1DFC6 - 00000000,0093E13C,CBD27CBB,1D0A71C0,...
Is there any help about a fix to luaclient so it does not cause a crash in Firefox??
ParkourPenguin I post too much
Reputation: 150
Joined: 06 Jul 2014 Posts: 4641
Posted: Fri Jan 03, 2025 2:16 am Post subject:
I have no idea if your luaclient-x86_64.dll is the same as mine, but assuming it is, the code around luaclient-x86_64.dll+1E201 makes several calls to readFile / writeFile. My guess now is the same as it was earlier: Firefox sandboxing causes some IPC call to fail. CE fails to handle these error(s) properly, leading to an exception that crashes the process.
There's nothing you can do to stop that. Instead, work around the problem. Try using breakpoints. e.g. again, CE tutorial step 2:
Code:
{$lua}
if syntaxcheck then return end
if breakHereAddr then
debug_removeBreakpoint(breakHereAddr)
breakHereAddr = nil
end
{$asm}
[ENABLE]
aobscanmodule(Step2UpdateHealth,Tutorial-x86_64.exe,29 83 F8 07 00 00)
alloc(newmem,$1000,Step2UpdateHealth)
label(breakHere)
label(return)
newmem:
breakHere:
sub [rbx+000007F8],eax
jmp return
Step2UpdateHealth:
jmp newmem
nop
return:
registersymbol(Step2UpdateHealth)
registersymbol(breakHere)
{$lua}
if syntaxcheck then return end
createTimer(1, function()
breakHereAddr = getAddress'breakHere'
debug_setBreakpoint(getAddress'breakHere', function()
print('damage:',RAX&0xFFFFFFFF)
end)
end)
{$asm}
[DISABLE]
Step2UpdateHealth:
db 29 83 F8 07 00 00
unregistersymbol(Step2UpdateHealth)
unregistersymbol(breakHere)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: Tutorial-x86_64.exe+2B4BC
...
}
_________________
I don't know where I'm going, but I'll figure it out when I get there.
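As an added example (not from this thread, not ParkourPenguin's script, and not Cheat Engine's own code): the same breakpoint-only idea written purely in CE Lua, to be run from CE's Lua Engine window while the tutorial is the opened process. No auto assembler injection happens at all, so nothing is executed inside the target and the luaclient-x86_64.dll IPC path that the crash above goes through is never used. It assumes the step 2 instruction quoted earlier in the thread (sub [rbx+000007F8],eax, bytes 29 83 F8 07 00 00) and the CE Lua calls listed in celua.txt (AOBScan, debug_setBreakpoint, debug_removeBreakpoint, readInteger, and the register globals such as RAX and RBX inside a breakpoint callback); the hit limit is a constructed value.

```lua
-- Added example, not from the thread or from Cheat Engine itself.
-- Logs the damage applied in CE tutorial step 2 using a debugger breakpoint only:
-- nothing is injected into the target, so no luaclient IPC is involved.
-- Assumed from the thread: the instruction  sub [rbx+000007F8],eax  (29 83 F8 07 00 00).

local PATTERN  = '29 83 F8 07 00 00'   -- byte pattern of the step 2 instruction
local MAX_HITS = 5                     -- constructed value: remove the breakpoint after this many hits

-- Resolve the address from the byte pattern rather than a fixed module offset,
-- and refuse to continue unless the pattern is unique in the process.
local function findUnique(pattern)
  local results = AOBScan(pattern)     -- returns a StringList of hex addresses, or nil
  if not results then return nil, 'pattern not found' end
  local count = results.Count
  local addr = (count == 1) and tonumber(results[0], 16) or nil
  results.destroy()
  if count ~= 1 then return nil, ('pattern matched %d times, expected 1'):format(count) end
  return addr
end

local bpAddr, err = findUnique(PATTERN)
if not bpAddr then
  print('cannot set breakpoint: ' .. err)
  return
end

local hits = 0
debug_setBreakpoint(bpAddr, function()
  hits = hits + 1
  -- eax is the low 32 bits of RAX; the instruction subtracts it from [rbx+7F8].
  local damage     = RAX & 0xFFFFFFFF
  local healthAddr = RBX + 0x7F8
  local health     = readInteger(healthAddr)
  print(('hit %d: damage=%d  health %d -> %d'):format(hits, damage, health, health - damage))
  if hits >= MAX_HITS then
    -- One-shot style cleanup: once we have what we came for, take the breakpoint out
    -- so the target runs at full speed again with no leftover debugger state.
    debug_removeBreakpoint(bpAddr)
    print(('breakpoint removed after %d hits'):format(hits))
  end
  -- returning nothing, as in the script above, lets CE continue the target
end)
print(('breakpoint set at %X'):format(bpAddr))
```

Because the logging runs in CE's own Lua state rather than inside the target, the target's sandbox has nothing to block; the cost is that each hit is a debugger stop, which is fine for a handful of hits but not for a hot loop. The pattern check guards against silently attaching to the wrong address when the bytes match more than once.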