 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
Azuki
Newbie cheater
![]() Reputation: 0
Joined: 18 Feb 2025
Posts: 10
|
 Posted: Tue Feb 18, 2025 4:17 pm Post subject: Override behavior of dotNet SymbolHandler |
 |
|
Greetings,
I want to change how CE handles the lookup of dotNet names, predominantly in the Structure Dissect view, but in the future also in the Disassembly view. 
Currently it gets the names through this path:
| Code: |
TFrmStructures2.DefineNewStructureDialog -> SymHandler.GetLayoutFromAddress -> TDotNetPipe.GetAddressData
|
I know I can change the behavior by just recompiling Cheat Engine, or hooking the function, but it would be neat to have a way to change the behavior through a plugin or a table lua script.
CE supports lua callbacks to get information of an address (as seen in the DefineNewStructureDialog function), but it's hidden behind the if statement since it's already grabbed the information over the pipe.
Is there a current (simple) way of changing the behavior of name getting, or do I have to bite the bullet and recompile CE?
|
|
| Back to top |
|
 |
Dark Byte
Site Admin
 Reputation: 467
Joined: 09 May 2003
Posts: 25679
Location: The netherlands
|
| Posted: Tue Feb 18, 2025 4:24 pm Post subject: |
|
|
get 7.6 (it should be up, though still called 7.5, waiting for a last edit, but it's ok enough)
registerStructureNameLookup has a new parameter, first. set it to true and it'll get called before the .net name lookup callback happens
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
Azuki
Newbie cheater
![]() Reputation: 0
Joined: 18 Feb 2025
Posts: 10
|
| Posted: Tue Feb 18, 2025 4:58 pm Post subject: |
|
|
| Dark Byte wrote: | get 7.6 (it should be up, though still called 7.5, waiting for a last edit, but it's ok enough)
registerStructureNameLookup has a new parameter, first. set it to true and it'll get called before the .net name lookup callback happens |
alright I just re-downloaded from official site and it seems to not work, the installer says it's version is 7.5, and the binaries it deploys to disk are already a few years old.
official site mentions 7.6 being "recalled" due to something going wrong, and i'm sadly not a patreon to test on the newest 7.6.
registered callback function is not invoked.
here's the code for anyone interested though
| Code: | function structureLookupCallback(address)
--showMessage('structureLookupCallback invoked')
local dnDataCollector = getDotNetDataCollector()
local data = dnDataCollector.getAddressData(address)
local name = data["ClassName"]
if name == "garbage_name" then
name = "cleartext_name"
end
return name
end
registerStructureNameLookup(structureLookupCallback, true)
|
it can be expanded to sift through a list, which allows for in-house "deobfuscation" of names if a user has a namemap (could be generated by pattern matching old non-obfuscated builds of binaries, for example)
i've implemented this in a c# plugin, this code is verbatim, as I don't wanna source dump the entire thing here, but maybe it's interesting for some people
| Code: |
public override bool EnablePlugin()
{
var lua = sdk.lua;
try
{
if (!_functionsRegistered)
{
// Register the C# function to lua
lua.Register("namecallback", NameCallback);
_functionsRegistered = true;
}
// Call registerStructureNameLookup and save returned id so we can unregister it later
lua.GetGlobal("registerStructureNameLookup");
lua.PushString("namecallback");
lua.PushBoolean(true);
lua.PCall(2, 1);
if (!lua.IsInteger(-1))
throw new Exception("err: registerStructureNameLookup didn't return an integer!");
// Grab the integer from the stack
_nameLookupId = (int)lua.ToInteger(-1);
// Pop the integer from stack
lua.Pop(1);
}
finally
{
lua.SetTop(0);
}
return true;
}
public int NameCallback()
{
var lua = sdk.lua;
// Grab the address from the stack
if (!lua.IsNumber(-1))
throw new Exception("err: top value is not a number!");
var address = (uint)lua.ToInteger(-1);
// Pop the integer from stack
lua.Pop(1);
// Grab the name from the dotnet pipe
var dotNetCollector = new DotNetDataCollector();
var realName = dotNetCollector.GetAddressData(address);
// Modify the name however you see fit
var mapName = realName;
lua.PushString(mapName);
return 1;
}
|
The DotNetDataCollector is just a wrapper based around the CE Object, GetAddressData was implemented like this
| Code: |
// In theory this name is wrong, as we only get the name out of the AddressData record, but eh who cares
public string GetAddressData(uint address)
{
var className = string.Empty;
try
{
lua.PushCEObject(CEObject);
// Grab function
lua.PushString("getAddressData");
lua.GetTable(-2);
if (!lua.IsFunction(-1))
throw new Exception("err: getAddressData not found!");
// Push the argument onto lua's stack
lua.PushInteger(address);
// Call the function, it returns one lua table
lua.PCall(1, 1);
if (!lua.IsTable(-1))
throw new Exception("err: getAddressData didn't return a table!");
// Get the name from the table
lua.PushString("ClassName");
lua.GetTable(-2);
if (!lua.IsString(-1))
throw new Exception("err: ClassName is not a string!");
// Convert to string and pop it from stack
className = lua.ToString(-1);
lua.Pop(1);
}
finally
{
lua.SetTop(0);
}
return className;
}
|
|
|
| Back to top |
|
|
Azuki
Newbie cheater
![]() Reputation: 0
Joined: 18 Feb 2025
Posts: 10
|
| Posted: Wed Feb 19, 2025 12:53 pm Post subject: |
|
|
Okay, small update on my part here.
I've been working together with a friend who is a Patreon and therefore has access to 7.6 and we think we discovered a bug in the structure dissect in the current 7.6 with the new behavior of registerStructureNameLookup.
The new registerStructureNameLookup allows for registering a lookup function which runs even if CE has better sources available, this subsequently bypasses the automatic filling from DotNetAddressData in TfrmStructures2.DefineNewStructureDialog because the bool hasAddressData is set to false (because we registered our own name look up), at least that's what I assume, since 7.6 source is not public.
Now because the automatic filling is not run, it passes execution to the StructureDissectOverride callbacks, and the structure can be manually filled/edited on creation.
Now when a child structure is encountered, it auto fills using data from the DotNetPipe even if a StructureNameLookup callback with the boolean set to true is registered, this happens in TStructElement.AutoCreateChildStruct, there it first sees if a DotNetLayout is available on the address, and then auto fills. I don't know if this is still the case in the 7.6 source, as it's not public, but the behavior seems to say that this part hasn't been changed. Is this wanted, an accident or a bug? (also please pardon the fact that I attached the image, I'm not allowed to post pictures or have an avatar orz)
| Description: |
|
| Filesize: |
36.89 KB |
| Viewed: |
1880 Time(s) |
|
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 467
Joined: 09 May 2003
Posts: 25679
Location: The netherlands
|
| Posted: Mon Feb 24, 2025 4:33 pm Post subject: |
|
|
registerStructureDissectOverride doesn't have a "first" override, so no, not a bug, just an oversight. Maybe in the next version
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
Azuki
Newbie cheater
![]() Reputation: 0
Joined: 18 Feb 2025
Posts: 10
|
| Posted: Mon Feb 24, 2025 5:18 pm Post subject: |
|
|
| Dark Byte wrote: | | registerStructureDissectOverride doesn't have a "first" override, so no, not a bug, just an oversight. Maybe in the next version |
alright thanks for your response and time 
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
