Cheat Engine Forum Index -> Cheat Engine
The Official Site of Cheat Engine

Lua + Code Injection

 
penpenpen
Cheater
Reputation: 0

Joined: 23 Feb 2014
Posts: 39

Posted: Tue Oct 21, 2014 7:00 am    Post subject: Lua + Code Injection

Hey everyone,

I need some help debugging.

How can I use Lua to inject code at
Code:
02F66783 - 66 0F1F 84 00 00000000  - nop [eax+eax+00000000]
02F6678C - 66 66 66 90           - nop
02F66790 - F3 0F6F 06            - movdqu xmm0,[esi]      // Injection here
02F66794 - F3 0F7F 04 3E         - movdqu [esi+edi],xmm0
02F66799 - F3 0F6F 4E 10         - movdqu xmm1,[esi+10]


That reads the contents of esi as a string and copies it to either a txt file or a TMemo.

Regards
penpenpen
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

Posted: Tue Oct 21, 2014 8:45 am

You could just do a normal code injection and use the Windows API (or DLL injection) to store the value of esi to a file that has no share-deny attributes. That way you can read the file while it's being written.


Anyhow, here is an example of an auto assembler script that calls Lua when the "Hit me" button has been clicked (it's for the tutorial step 2).
It saves the EBX register and passes it on to myfunction.

The actual script starts from "alloc(newmem,128)"; the stuff before it is generic initialization code generated by the "call CE lua function" template (with the exception of the {$lua} part).

Code:

{$lua}
openLuaServer("CELUASERVER")

function myfunction(param) --create a global function called myfunction
  print("this function got called")
  print("Do something with "..string.format("%x", param))
end

{$asm}

loadlibrary(luaclient-i386.dll)
luacall(openLuaServer('CELUASERVER'))
globalalloc(luainit, 128)
globalalloc(LuaFunctionCall, 128)
label(luainit_exit)
globalalloc(luaserverinitialized, 4)
globalalloc(luaservername, 12)

luaservername:
db 'CELUASERVER',0

luainit:
cmp [luaserverinitialized],0
jne luainit_exit
push luaservername
call CELUA_Initialize //this function is defined in the luaclient dll
mov [luaserverinitialized],eax
luainit_exit:
ret

LuaFunctionCall:
push ebp
mov ebp,esp
call luainit

push [ebp+c]
push [ebp+8]
call CELUA_ExecuteFunction
pop ebp
ret 8
//luacall call example:
//push integervariableyouwishtopasstolua
//push addresstostringwithfunction  //(The lua function will have access to the variable passed by name "parameter")
//call LuaFunctionCall
//When done EAX will contain the result of the lua function


alloc(newmem,128)
alloc(myluascript, 2048)
label(returnhere)
label(originalcode)
label(exit)

myluascript:
db 'myfunction(parameter)',0

newmem: //this is allocated memory, you have read,write,execute access
//placeyour code here
push eax

push ebx
push myluascript
call LuaFunctionCall
pop eax

originalcode:
sub [ebx+00000480],eax

exit:
jmp returnhere

"Tutorial-i386.exe"+24FFB:
jmp newmem
nop
returnhere:


if you wish to call this from inside lua you just need to call it with
Code:

autoAssemble([[
  <copy/paste script in here>
]])


note: you don't have to declare myfunction in the script, you can declare it in the main lua script as well

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so i can keep helping
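The approach in this answer carried through to the injection point from the first post, as an added example that is not code from the thread or from Cheat Engine itself: the Lua side reads the string at ESI with CE's readString and appends it to a file that is opened and closed on every hit, so it can be read while the hook is live; the AA part is Dark Byte's generic template above with the hook moved to 02F66790 (the movdqu xmm0,[esi] line). The log path, the 64-byte read limit, the function name logEsiString and the choice to preserve all registers and flags with pushad/pushfd are assumptions; the target is assumed to be 32-bit and already opened in CE.

```lua
-- Added example, not code from the thread: a Cheat Engine Lua script that hooks
-- the questioner's injection point (02F66790, movdqu xmm0,[esi]) with Dark Byte's
-- CELUASERVER template and appends the string at ESI to a text file.
-- Assumptions: LOG_PATH and MAX_BYTES are placeholders, the target process is
-- already opened in CE, and the target is 32-bit (luaclient-i386.dll).

local LOG_PATH  = [[C:\temp\esi_log.txt]]   -- placeholder, pick any writable path
local MAX_BYTES = 64                        -- upper bound on what is read at ESI

-- Runs inside CE (not the game) each time the hook fires; 'esi' is the value
-- the injected code pushed, so readString reads the attached process' memory.
function logEsiString(esi)
  local text = readString(esi, MAX_BYTES) or "<unreadable>"
  text = text:gsub("%c", ".")               -- keep one log line per hit
  -- open, append, close on every hit: the file is never held open, so a text
  -- editor can read it while the hook is live (the share point raised above)
  local f, err = io.open(LOG_PATH, "a")
  if not f then
    print("log open failed: " .. tostring(err))
    return 0
  end
  f:write(string.format("esi=%08X %s\n", esi, text))
  f:close()
  return 1                                  -- lands in EAX, then discarded by popad
end

-- Dark Byte's generic CELUASERVER initialisation, followed by the hook itself.
local script = [[
loadlibrary(luaclient-i386.dll)
luacall(openLuaServer('CELUASERVER'))
globalalloc(luainit, 128)
globalalloc(LuaFunctionCall, 128)
label(luainit_exit)
globalalloc(luaserverinitialized, 4)
globalalloc(luaservername, 12)

luaservername:
db 'CELUASERVER',0

luainit:
cmp [luaserverinitialized],0
jne luainit_exit
push luaservername
call CELUA_Initialize
mov [luaserverinitialized],eax
luainit_exit:
ret

LuaFunctionCall:
push ebp
mov ebp,esp
call luainit
push [ebp+c]
push [ebp+8]
call CELUA_ExecuteFunction
pop ebp
ret 8

alloc(newmem,128)
alloc(myluascript,64)
label(returnhere)
label(originalcode)
label(exit)

myluascript:
db 'logEsiString(parameter)',0

newmem:
pushad                     // the call clobbers eax/ecx/edx; keep all registers
pushfd                     // and the flags, so the game resumes exactly as before
push esi                   // integer handed to Lua as 'parameter'
push myluascript
call LuaFunctionCall
popfd
popad

originalcode:
movdqu xmm0,[esi]          // 4 bytes (F3 0F 6F 06)
movdqu [esi+edi],xmm0      // 5 bytes (F3 0F 7F 04 3E): together they cover the 5-byte jmp

exit:
jmp returnhere

02F66790:
jmp newmem
nop
nop
nop
nop
returnhere:
]]

if autoAssemble(script) then
  print("hook installed; strings at ESI are appended to " .. LOG_PATH)
else
  print("autoAssemble failed: check that the process is open and 02F66790 is still the hook address")
end
```

Two things worth knowing before using this on a hot path: the call goes through CELUA_ExecuteFunction, so the game thread blocks until CE's Lua returns, and a hook that fires every frame slows the game noticeably; and the 16 bytes that movdqu copies are not necessarily a null-terminated string, which is why the read is bounded by MAX_BYTES and control characters are replaced before the line is logged.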
penpenpen
Posted: Tue Oct 21, 2014 2:32 pm

Hey, thanks for the reply.

I'm rather clueless on how to save a file with assembler.

I tried some code I found:

Code:
  //Create File
  mov ah,3ch
  mov cx,00000000b
  lea dx,filename
  int 21h
  jc error
  mov handle,ax
  //Write File
  //...
  //Close File
  mov ah,3eh
  mov bx,handle
  int 21h
  jc error


where even the first line doesn't work.

Can you post a code snippet that creates a file, opens a file and writes a register's value to the file?
Dark Byte
Posted: Tue Oct 21, 2014 3:08 pm

That code only works on MS-DOS in real mode.

Check out MSDN for CreateFile and WriteFile. Then call those functions with the proper parameters.

Anyhow, in cases like this I'd almost always go for DLL injection (using the same method as shown in the ut2k4 topic).

penpenpen
Posted: Tue Oct 21, 2014 3:47 pm

Hey.

I think always writing a DLL for small debug stuff takes too much time. Debugging the DLL itself usually takes a while for me. So I thought it'd be faster if I just let CE write debug files for me.

I got it working within Delphi/Lazarus (loading the functions you mentioned from kernel32.dll (used OpenFile, which is limited to a 128-byte file path length I guess)).

I've tried some stuff and this seems to work just fine:

Code:
procedure WriteStringToFile;
var
  hmod: HMODULE;
  OpenFile, WriteFile, CloseHandle: pointer;
  filename1: string;
  msg, pOFSTRUCTvar: pointer;
  OFSTRUCTvar: OFSTRUCT;
  hfile: HFILE;          // handle from OpenFile, kept in a declared local instead of the unreserved slot [ebp-4]
  writtenbytes: DWORD;   // WriteFile needs the address of a real DWORD, not an uninitialized LPDWORD
  msglen: DWORD;         // bytes to write: only what the string holds, not a fixed 126
begin
  filename1 := 'G:\bla\test.txt';
  msg := @filename1;     // the test payload written to the file is the filename string itself
  pOFSTRUCTvar := @OFSTRUCTvar;
  msglen := Length(filename1);

  // load module for api functions
  hmod := LoadLibrary('kernel32');
  if hmod <> 0 then
    try
      // load function addresses from kernel32.dll
      OpenFile := GetProcAddress(hmod, 'OpenFile');
      WriteFile := GetProcAddress(hmod, 'WriteFile');
      CloseHandle := GetProcAddress(hmod, 'CloseHandle');
      if (OpenFile <> nil) and (WriteFile <> nil) and (CloseHandle <> nil) then
      begin
        asm
          // Open a file for writing or for creating (stdcall: arguments pushed right to left).
          push $1000                  // uStyle = OF_CREATE
          push pOFSTRUCTvar           // lpReOpenBuff: OFSTRUCT that receives info about the opened file
          push filename1              // lpFileName: pointer to the AnsiString characters
          call [OpenFile]
          mov hfile, eax              // keep the HFILE in a declared local

          // Write text to file
          mov ecx, msg                // ecx = address of the string variable
          push 0                      // lpOverlapped = nil
          lea eax, writtenbytes
          push eax                    // lpNumberOfBytesWritten: receives how many bytes were written
          push msglen                 // nNumberOfBytesToWrite
          push dword ptr [ecx]        // lpBuffer: address of the characters
          push hfile                  // hFile
          call [WriteFile]

          // Close the file, so it can be read from notepad++
          push hfile                  // hObject
          call [CloseHandle]
        end;
      end;
    finally
      FreeLibrary(hmod);
    end;
end;


How does this code translate to the CE auto assembler ?
How can I use different variable types there ?
( I guess one could skip the file create part )
Dark Byte
Posted: Wed Oct 22, 2014 5:52 am

With DLL injection I meant just use high level code.
Like Tfilestream.create('filename', fmCreate or fmShareDenyNone) and then just write to it (writeDword).

Also, if you include windows in the uses list you can also use those APIs without assembler.

As for translating it to AA script, you already have it in asm, so there's not much to deal with. Just save/restore the registers.

penpenpen
Posted: Wed Oct 22, 2014 9:31 am

Dark Byte wrote:
With DLL injection I meant just use high level code.
Like Tfilestream.create('filename', fmCreate or fmShareDenyNone) and then just write to it (writeDword).

Also, if you include windows in the uses list you can also use those APIs without assembler.

As for translating it to AA script, you already have it in asm, so there's not much to deal with. Just save/restore the registers.


Well, if I inject a DLL I can also open up a console window for debugging.
Opportunities are endless I'd say :)

I guess you're right dll debugging is probably the way to go.