Cheat Engine - The Official Site of Cheat Engine
penpenpen (Cheater; Reputation: 0; Joined: 23 Feb 2014; Posts: 39)
Posted: Tue Oct 21, 2014 7:00 am  Post subject: Lua + Code Injection
Hey everyone,
I need some help debugging.
How can I use Lua to inject code at
Code: |
02F66783 - 66 0F1F 84 00 00000000 - nop [eax+eax+00000000]
02F6678C - 66 66 66 90 - nop
02F66790 - F3 0F6F 06 - movdqu xmm0,[esi] // Injection here
02F66794 - F3 0F7F 04 3E - movdqu [esi+edi],xmm0
02F66799 - F3 0F6F 4E 10 - movdqu xmm1,[esi+10]
|
that reads the contents of esi as a string and copies it to either a txt file or a TMemo?
Regards
penpenpen
Dark Byte (Site Admin; Reputation: 457; Joined: 09 May 2003; Posts: 25262; Location: The Netherlands)
Posted: Tue Oct 21, 2014 8:45 am
You could just do a normal code injection and use the Windows API (or DLL injection) to store the value of esi to a file that has no share-deny attributes. That way you can read the file while it's being written.
Anyhow, here is an example of an auto assembler script that calls Lua when the "Hit me" button has been clicked (it's for the tutorial step 2).
It saves the EBX register and passes it on to myfunction.
The actual script starts from "alloc(newmem,128)"; the stuff before it is generic initialization code generated by the "call CE lua function" template (with the exception of the {$lua} part).
Code: |
{$lua}
openLuaServer("CELUASERVER")
function myfunction(param) --create a global function called myfunction
  print("this function got called")
  print("Do something with "..string.format("%x", param))
end
{$asm}
loadlibrary(luaclient-i386.dll)
luacall(openLuaServer('CELUASERVER'))
globalalloc(luainit, 128)
globalalloc(LuaFunctionCall, 128)
label(luainit_exit)
globalalloc(luaserverinitialized, 4)
globalalloc(luaservername, 12)

luaservername:
db 'CELUASERVER',0

luainit:
cmp [luaserverinitialized],0
jne luainit_exit
push luaservername
call CELUA_Initialize //this function is defined in the luaclient dll
mov [luaserverinitialized],eax
luainit_exit:
ret

LuaFunctionCall:
push ebp
mov ebp,esp
call luainit
push [ebp+c] //the integer parameter
push [ebp+8] //pointer to the lua script string
call CELUA_ExecuteFunction
pop ebp
ret 8

//luacall call example:
//push integervariableyouwishtopasstolua
//push addresstostringwithfunction //(The lua function will have access to the variable passed by name "parameter")
//call LuaFunctionCall
//When done EAX will contain the result of the lua function

alloc(newmem,128)
alloc(myluascript, 2048)
label(returnhere)
label(originalcode)
label(exit)

myluascript:
db 'myfunction(parameter)',0

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
push eax
push ecx //ecx and edx are caller-saved, so the call below may clobber them
push edx
push ebx //the value lua receives as "parameter"
push myluascript
call LuaFunctionCall //ret 8 removes both arguments again
pop edx
pop ecx
pop eax

originalcode:
sub [ebx+00000480],eax

exit:
jmp returnhere

"Tutorial-i386.exe"+24FFB:
jmp newmem
nop

returnhere:
|
if you wish to call this from inside lua you just need to call it with
Code: |
autoAssemble([[
<copy/paste script in here>
]])
|
note: you don't have to declare myfunction in the script, you can declare it in the main lua script as well
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
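As an added example (not part of Dark Byte's post), this is what the main-script side of the scheme above can look like for the original question: myfunction receives the register value the hook pushed (EBX in the script above; the hook would push esi for the movdqu site instead) and logs the null-terminated string at that address to a text file. It uses the CE Lua functions openLuaServer and readString plus plain Lua io; the log path, the 64-byte read limit and the hit cap are assumptions.

```lua
-- Added example: main Lua script side of the AA hook above (not from the original post).
-- Assumes the hook pushes a register holding a string pointer and executes
-- "myfunction(parameter)" through LuaFunctionCall, as in Dark Byte's script.
openLuaServer("CELUASERVER")

local LOGFILE = "C:\\temp\\hooklog.txt"   -- assumed path; the directory must exist
local MAXLEN  = 64                         -- assumed cap on bytes read per hit
local MAXHITS = 200                        -- assumed cap so a hot loop cannot flood the file
local hits    = 0

function myfunction(param)
  -- param is the raw pointer value the hook pushed; 0 means there is nothing to read
  if param == 0 then return 0 end

  -- readString reads from the target process; it returns nil when the address is not
  -- readable, so a bad pointer is reported instead of raising an error inside the hook
  local s = readString(param, MAXLEN, false)
  if s == nil then
    print(string.format("%08X: unreadable", param))
    return 0
  end

  if hits >= MAXHITS then return 1 end
  hits = hits + 1

  -- append mode: the file is opened without an exclusive lock and closed after every
  -- hit, so an editor can read it while the hook keeps firing
  local f = io.open(LOGFILE, "a")
  if f then
    f:write(string.format("%08X: %q\n", param, s))   -- %q escapes control bytes
    f:close()
  end
  return 1   -- this value is what the hook sees in EAX after the call
end
```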
penpenpen
Posted: Tue Oct 21, 2014 2:32 pm
Hey, thanks for the reply.
I'm rather clueless on how to save a file with assembler.
I tried some code I found:
Code: |
//Create File
mov ah,3ch
mov cx,00000000b
lea dx,filename
int 21h
jc error
mov handle,ax
//Write File
//...
//Close File
mov ah,3eh
mov bx,handle
int 21h
jc error
|
where even the first line doesn't work.
Can you post a code snippet that creates a file, opens a file and writes a register's value to the file?
Dark Byte
Posted: Tue Oct 21, 2014 3:08 pm
That code only works on MS-DOS in real mode.
Check out MSDN for CreateFile and WriteFile. Then call those functions with the proper parameters.
Anyhow, in cases like this I'd almost always go for DLL injection (using the same method as shown in the ut2k4 topic).
penpenpen
Posted: Tue Oct 21, 2014 3:47 pm
Hey.
I think always writing a DLL for small debug stuff takes too much time. Debugging the DLL itself usually takes a while for me. So I thought it'd be faster if I just let CE write debug files for me.
I got it working within Delphi/Lazarus (loading the functions you mentioned from kernel32.dll; I used OpenFile, which is limited to a 128-byte file path length, I guess).
I've tried some stuff and this seems to work just fine:
Code: |
var
  hmod: HMODULE;
  OpenFile, WriteFile, CloseHandle: pointer;
  filename1: string;
  msg: PChar;
  pOFSTRUCTvar: pointer;
  OFSTRUCTvar: OFSTRUCT;
  fhandle: THandle;
  msglen, writtenbytes: DWORD;    // writtenbytes must be a real DWORD, not an uninitialised LPDWORD
begin
  filename1 := 'G:\bla\test.txt';
  msg := PChar(filename1);         // text to write; here simply the filename itself
  msglen := Length(filename1);     // write only the bytes that exist, not a fixed 126
  writtenbytes := 0;
  pOFSTRUCTvar := @OFSTRUCTvar;
  // load module for api functions
  hmod := LoadLibrary('kernel32');
  if hmod <> 0 then
  try
    // Load function addresses from kernel32.dll
    OpenFile := GetProcAddress(hmod, 'OpenFile');
    WriteFile := GetProcAddress(hmod, 'WriteFile');
    CloseHandle := GetProcAddress(hmod, 'CloseHandle');
    if (OpenFile <> nil) and (WriteFile <> nil) and (CloseHandle <> nil) then
    begin
      asm
        // OpenFile(lpFileName, lpReOpenBuff, uStyle) - stdcall, push right to left
        push dword $1000          // OF_CREATE: create (or truncate) the file
        push pOFSTRUCTvar         // Pointer to an OFSTRUCT that receives info about the opened file
        push dword filename1      // a string variable holds the pointer to its null-terminated chars
        call [OpenFile]
        mov fhandle, eax          // Keep the file handle in a named local instead of a raw [ebp-4] slot
        // WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, lpNumberOfBytesWritten, lpOverlapped)
        push dword 0              // lpOverlapped: none
        lea eax, writtenbytes
        push eax                  // lpNumberOfBytesWritten: must not be nil when lpOverlapped is nil
        push msglen               // Bytes to write
        push msg                  // Address of the message
        push fhandle              // File handle
        call [WriteFile]
        // Close the file, so it can be read from notepad++
        push fhandle              // File handle
        call [CloseHandle]
      end;
    end;
  finally
    FreeLibrary(hmod);
  end;
|
How does this code translate to the CE auto assembler?
How can I use different variable types there?
(I guess one could skip the file create part.)
Dark Byte
Posted: Wed Oct 22, 2014 5:52 am
With DLL injection I meant just use high level code.
Like TFileStream.Create('filename', fmCreate or fmShareDenyNone) and then just write to it (WriteDWord).
Also, if you include Windows in the uses list you can also use those APIs without assembler.
As for translating it to an AA script, you already have it in asm, so there's not much to deal with. Just save/restore the registers.
penpenpen
Posted: Wed Oct 22, 2014 9:31 am
Dark Byte wrote: |
With DLL injection I meant just use high level code.
Like TFileStream.Create('filename', fmCreate or fmShareDenyNone) and then just write to it (WriteDWord).
Also, if you include Windows in the uses list you can also use those APIs without assembler.
As for translating it to an AA script, you already have it in asm, so there's not much to deal with. Just save/restore the registers.
|
Well, if I inject a DLL I can also open up a console window for debugging.
Opportunities are endless, I'd say.
I guess you're right, DLL debugging is probably the way to go.