View previous topic :: View next topic |
Author |
Message |
Exoodus How do I cheat? Reputation: 0
Joined: 11 Jun 2018 Posts: 4
|
Posted: Mon Jun 11, 2018 9:32 pm Post subject: Finding address of a certain push in LUA |
|
|
Hey what I want to do is find the address of a push command that pushes the address of a string to the stack. I want to do this in LUA. I used AOBScan to find all instances of the push opcode but now what? I'm very new to this guys. Can someone provide me with some sample code if this is possible?
Code: |
function findPush()
local push = AOBScan("68")
if(push == nil) then
print("Push is Nil")
end
push.destroy()
end
|
And I know part of the string. The command I want to find looks is this:
push Game.00401000
Game.00401000 is the address of the string that I have part of.
Even though I already know the address of this push through x32dbg, I would like to do it this way because I am following a book.
|
|
Back to top |
|
|
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
|
Posted: Tue Jun 12, 2018 8:15 am Post subject: |
|
|
is 00401000 the address that's being pushed? if so then simply search for that reversed after the 68, eg AOBScan("68 00 01 40 00") because that's how a push instruction is encoded, 68 + address (backwards by byte because little endian).
If you don't have the address of the string then I guess the only thing you could do would be read the 4 bytes after the push and then try to read that address as a string and see if that matches the string you wanted... but at that point you might as well just scan for the bytes of the string you wanted in the first place (there's going to be a _lot_ of pushes in a x86 program)
Or better, use CE's Dissect Code / Referenced Strings feature to analyze all the pushes for you and then just loop over those eg.
Code: |
local dc = getDissectCode()
-- note references can be duplicated if you rescan the same memory
-- dc.clear() removes all references
dc.dissect('Game') -- module name or base,size to dissect
for k,v in pairs(dc.getReferencedStrings()) do
v = readString(k) -- workaround for bug causing empty strings to be returned
if v == 'whatever string you're looking for' then
local addressesThatUseString = getReferences(v)
-- k = address, v = type vtDword etc.
break -- don't keep looking through the references
end
end
|
edit: though that probably covers more than just push like mov and lea now that I think about it.
_________________
|
|
Back to top |
|
|
Exoodus How do I cheat? Reputation: 0
Joined: 11 Jun 2018 Posts: 4
|
Posted: Tue Jun 12, 2018 11:55 am Post subject: |
|
|
Thx alot. I tried the dissect code route and it's saying
"attempt to call a nil value (global 'getReferences')"
I'm new to LUA so what exactly does this mean?
-edit- it's now saying failure to determine what my string means. Here is my code...
Code: |
local dc = getDissectCode()
-- note references can be duplicated if you rescan the same memory
-- dc.clear() removes all references
dc.dissect("Chapter5_AdvancedMemoryForensics_Scanning.exe") -- module name or base,size to dissect
for k,v in pairs(dc.getReferencedStrings()) do
v = readString(k) -- workaround for bug causing empty strings to be returned
if (v == "Health: %d of %d\n") then
local addressesThatUseString = dc.getReferences(v)
-- k = address, v = type vtDword etc.
print(addressesThatUseString)
--break -- don't keep looking through the references
end
end
|
-edit- ok i escaped the backslash in the string now it gives no output. I know the string exists though...i can find it scanning with CE.
|
|
Back to top |
|
|
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
|
Posted: Tue Jun 12, 2018 12:56 pm Post subject: |
|
|
my bad, as you discovered, that should be dc.getReferences()... I actually tested it but then manually typed it instead of copy-pasting the code
Hm... perhaps print all the strings with just print(v) outside the if statement to see if you can find it listed? It's also possible that it's being accessed indirectly in a way that the dissect isn't detecting so it's not in the references.
_________________
|
|
Back to top |
|
|
Exoodus How do I cheat? Reputation: 0
Joined: 11 Jun 2018 Posts: 4
|
Posted: Tue Jun 12, 2018 6:48 pm Post subject: |
|
|
If I print v it's in there but
if (v == "Health: %d of %d")
is failing.
Code: | local dc = getDissectCode()
-- note references can be duplicated if you rescan the same memory
-- dc.clear() removes all references
dc.dissect("Chapter5_AdvancedMemoryForensics_Scanning.exe") -- module name or base,size to dissect
for k,v in pairs(dc.getReferencedStrings()) do
v = readString(k) -- workaround for bug causing empty strings to be returned
if (v == "Health: %d of %d") then
print(v) else
print("didn't find string")
end
end |
It shows a newline char in x32dbg so I tried with and without that.
|
|
Back to top |
|
|
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
|
Posted: Tue Jun 12, 2018 9:52 pm Post subject: |
|
|
does it perhaps start with a space or anything like that? Maybe try if v.find('Health: ') then
_________________
|
|
Back to top |
|
|
Exoodus How do I cheat? Reputation: 0
Joined: 11 Jun 2018 Posts: 4
|
Posted: Tue Jun 12, 2018 11:48 pm Post subject: |
|
|
lol weird...exact same code that was failing now its working.
But the k value is giving me the address of the string. This book says that I should be able to get the address that pushes the string to the stack with LUA. The k value is giving me 405120. The push is 4010F0 and it looks like
push 405120 //pushing the address of the string, this is what I want to find automatically
Is this possible or how do I do this? The purpose of it (the book says) is to get values that are close to the push (the health and the currenthealth) automatically if the game ever updated or something. Or should I even worry about this because I'm thinking there are other ways to automatically find these two values...like find the green base pointers in a scan. Like I said I'm new to all this.
Thx again for your help man.
|
|
Back to top |
|
|
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
|
Posted: Wed Jun 13, 2018 9:50 am Post subject: |
|
|
Yeah the index, k, is the address of the string itself dc.getReferences(k) will return a table of addresses that use the string's address.
Quote: | Or should I even worry about this because I'm thinking there are other ways to automatically find these two values | yeah there definitely are lol static addresses, pointers (static addresses that store dynamic addresses to what you want, perhaps at an offset), assembly scripts to copy the dynamic addresses into your own allocated memory (creating your own pointer), and just plain AA scripts that change the code to do (or not do) what you want so you don't even need the addresses.
Certainly finding a related string and where it's used it can be helpful to track down a value/address initially which is why CE does have the find referenced strings feature in the first place, but I don't think I've seen anyone suggest relying on that if the game updated since you then have to read code that could have changed from what you expected... makes more sense to use an AOB + readmem imo, and for a one time use it makes more sense to use the existing GUI rather than write lua code (except perhaps as an exercise in using lua).
_________________
|
|
Back to top |
|
|
jgoemat Master Cheater Reputation: 22
Joined: 25 Sep 2011 Posts: 252
|
Posted: Wed Jun 13, 2018 4:17 pm Post subject: |
|
|
I did something similar for Heat Signature. Check out the table script:
https://fearlessrevolution.com/threads/heat-signature.4956/#post-49211
It uses Game Maker Studio and all the script names were there. I did an aobscan for the script name to find it, then did an aobscan for that address in the code, then did an aobscan for the code signature where I wanted to inject and injected at the closest match to where the string pointer was in the game code...
Another thing I've done for static pointers that show up in code is to use an AOBScan for surrounding code, then assign a symbol to the static address in the game code. In an old version of FTL for instance I found this code:
Code: | "FTLGame.exe"+EB63B: A1 80846D00 - mov eax,[FTLGame.exe+2D8480]
"FTLGame.exe"+EB640: 2B 05 7C846D00 - sub eax,[FTLGame.exe+2D847C] // static pointing directly to used energy (max at this + 4)
// ---------- INJECTING HERE ----------
"FTLGame.exe"+EB646: C1 F8 05 - sar eax,05
"FTLGame.exe"+EB649: 39 44 24 40 - cmp [esp+40],eax
// ---------- DONE INJECTING ----------
"FTLGame.exe"+EB64D: 7C 48 - jnge FTLGame.exe+EB697 |
The bytes for the instructions after the mov from the static address were unique and might survive game updates when the static would change, so I had a script like this:
Code: |
LABEL(STATIC_ENERGY)
AOBSCAN(AOB_ENERGY,C1 F8 05 39 44 24 40)
AOB_ENERGY-4:
STATIC_ENERGY:
REGISTERSYMBOL(STATIC_ENERGY)
|
So AOB_ENERGY points to "FTLGame.exe"+EB646 and I assigned STATIC_ENERGY to 4 bytes earlier, which is the static pointer I was looking for.
|
|
Back to top |
|
|
|