ymiu, Cheater (Reputation: 0). Joined: 16 Dec 2018. Posts: 41.
Posted: Tue Jan 15, 2019 3:06 pm. Post subject: Mono code injection leads to wrong address
Code:
    usemono()
    // BBI.Game.Simulation:Inventory:.ctor+49- 83 3E 00 - cmp dword ptr [rsi],00 { 0 }
    // BBI.Game.Simulation:Inventory:.ctor+4c- 48 63 46 28 - movsxd rax,dword ptr [rsi+28]
    define(bytes, 83 3E 00 48 63 46 28)
    [ENABLE]
    assert(BBI.Game.Simulation:Inventory:.ctor+49, bytes)
    ... additional code omitted
This script never enables when I try. There are no messages or errors to figure out why it wasn't working, so I just went to my memory viewer and tried Go to address: BBI.Game.Simulation:Inventory:.ctor+49, but it takes me to an address labeled BBI.Core.Data:ExtractorManager:Load+9.
So I'm guessing this causes my assert() to fail. Any idea why the mono address is taking me to the wrong location?
salumor, Advanced Cheater (Reputation: 0). Joined: 14 Jan 2019. Posts: 87.
Posted: Tue Jan 15, 2019 3:54 pm
I am quite new too, so I may be wrong (please do correct me), but when I read it a few things came to mind:
- Do you actually have a jump entry? I don't see any define/aobscan/... where you'd hook.
- Are you sure it stays at that address? I tend to use aobregionscan for that purpose.
- Are you sure the code is supposed to be hooked at ..Inventory:.ctor+49? Where did you take it from? It's not a function you usually can hook, as far as I understood. Some info (replace " // " with "."): answers // unity // com/questions/232531/class-constructor // html
ymiu, Cheater (Reputation: 0). Joined: 16 Dec 2018. Posts: 41.
Posted: Tue Jan 15, 2019 4:15 pm
The injection point begins later at BBI.Game.Simulation:Inventory:.ctor+49. The structure of the script is fine; it's copied from another Mono game I wrote a bunch of scripts for. The actual injection just adds a jmp and two nops. I didn't want to get bogged down with those details because, regardless of whether the script is correct, the memory browser showed me that trying to go directly to that function doesn't actually bring me there. That's the real problem.
I used an AOBScan to find the correct code to make sure it was still there. It was, and it hasn't moved for the couple of hours I've had it up. More importantly, even when I'm already navigating within the function, right-clicking and choosing Go to address: BBI.Game.Simulation:Inventory:.ctor+49 still takes me to BBI.Core.Data:ExtractorManager:Load+9 instead.
I followed your link, but I'm not sure what that's supposed to tell me. I already debugged the function and found that RSI has the address I'm trying to capture. I'm not sure what you mean when you say "it's not a function you usually can hook on". I'm not aware of any limitations like that. I thought you could inject anywhere as long as you don't step on any unintended bytes, and take care that the registers and flags have what they should have when returning back from the injected code.
salumor, Advanced Cheater (Reputation: 0). Joined: 14 Jan 2019. Posts: 87.
Posted: Tue Jan 15, 2019 4:31 pm
ymiu wrote: "I'm not sure what you mean when you say 'it's not a function you usually can hook on'. I'm not aware of any limitations like that. I thought you could inject anywhere as long as you don't step on any unintended bytes, and take care that the registers and flags have what they should have when returning back from the injected code."

Not sure how to write it clearly. Did you ever choose the option ... Mono\Dissect Mono ...? Were you ever able to do a Just-in-time (JIT) compilation with anything except methods? Same with .ctor. It's not some static memory you can hook and change, but ... I don't really understand it either ... Someone more experienced has to answer that. I mean, I do believe it's possible, but not with a simple JITC.
Anyway, are you sure that the ctor is the only option to get the address you're interested in?
ymiu, Cheater (Reputation: 0). Joined: 16 Dec 2018. Posts: 41.
Posted: Tue Jan 15, 2019 5:08 pm
I can Dissect Mono, but I get lost in the list that it produces. I'm not sure what to do with all that info.
I'm not sure what a JIT compilation is.
I did get the script working using aobscan (very slow), however I'm now realizing that the RSI register contains different pointers each time it's called. I didn't debug it enough to see that before.
It's definitely not the only place to look, and I'll keep trying other spots. But getting back to my original point, I'd like to understand why Go to address takes me to a completely different place.
Dark Byte, Site Admin (Reputation: 458). Joined: 09 May 2003. Posts: 25288. Location: The Netherlands.
Posted: Wed Jan 16, 2019 1:08 am
Perhaps the dot in .ctor causes a calculation error.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.
ymiu, Cheater (Reputation: 0). Joined: 16 Dec 2018. Posts: 41.
Posted: Wed Jan 16, 2019 5:35 pm
Perhaps. I was thinking something like this, but don't know enough about the engine to be sure. Of course it errors out when I omit the dot. I guess there's no way around it?
Dark Byte, Site Admin (Reputation: 458). Joined: 09 May 2003. Posts: 25288. Location: The Netherlands.
Posted: Wed Jan 16, 2019 6:06 pm
Check out monoscript.lua for the available functions.
Find the class, then enumerate its methods to find the method, then JIT/compile it to get the address.
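To show what that last reply describes in working form, here is an added Lua example for Cheat Engine's Lua engine. It is not code from Cheat Engine's monoscript.lua and not code posted by anyone in this thread. It resolves the constructor's native address by looking up the class and enumerating its methods, so the auto assembler never has to parse the "Namespace:Class:.ctor+offset" symbol whose dot the thread suspects is mis-parsed. It assumes the Mono data collector functions LaunchMonoDataCollector, mono_findClass, mono_class_enumMethods and mono_compile_method, plus registerSymbol and readBytes, behave as the comments state; the helper name resolveMonoMethod is hypothetical, and the class name and expected bytes are the ones from the original post.

```lua
-- Added example: resolve a Mono method's JIT address through class/method
-- enumeration instead of the "Namespace:Class:.ctor+offset" symbol.
-- Assumes Cheat Engine is attached to the Mono game.

-- Hypothetical helper (not part of monoscript.lua).
-- Returns the native address of the method, or nil plus an error string.
local function resolveMonoMethod(namespace, className, methodName)
  -- monopipe is the global monoscript.lua sets up once the collector is running
  if not monopipe then
    LaunchMonoDataCollector()
  end

  local class = mono_findClass(namespace, className)   -- assumed: 0/nil when not found
  if not class or class == 0 then
    return nil, ("class %s.%s not found"):format(namespace, className)
  end

  -- assumed: mono_class_enumMethods returns a table of {method=<id>, name=<string>, ...}
  -- NOTE: a class can have several ".ctor" overloads; this takes the first match.
  for _, m in ipairs(mono_class_enumMethods(class)) do
    if m.name == methodName then
      local addr = mono_compile_method(m.method)   -- JIT-compiles if needed, returns native address
      if addr and addr ~= 0 then
        return addr
      end
      return nil, ("method %s found but could not be compiled"):format(methodName)
    end
  end
  return nil, ("method %s not found in %s.%s"):format(methodName, namespace, className)
end

local addr, err = resolveMonoMethod("BBI.Game.Simulation", "Inventory", ".ctor")
if not addr then
  print("resolve failed: " .. err)
else
  print(("Inventory..ctor compiled at %X"):format(addr))

  -- Register a dot-free symbol so an auto assembler script can write
  -- assert(Inventory_ctor+49, bytes) instead of the colon/dot symbol.
  registerSymbol("Inventory_ctor", addr)

  -- Sanity check before any hook: the bytes at +49 must still be the ones
  -- the original script asserts on (constructed from the post's disassembly).
  local expected = "83 3E 00 48 63 46 28"
  local actual = readBytes(addr + 0x49, 7, true)   -- true: return a table of byte values
  local hex = {}
  for _, b in ipairs(actual) do hex[#hex + 1] = string.format("%02X", b) end
  local got = table.concat(hex, " ")
  if got == expected then
    print("bytes at +49 match; safe to enable the script against Inventory_ctor+49")
  else
    print("bytes at +49 differ (" .. got .. "); do not enable the hook")
  end
end
```

Run this from the Lua engine (Table > Show Cheat Table Lua Script, or the Lua console) before enabling the auto assembler script; once Inventory_ctor is registered, the script can reference Inventory_ctor+49 and the assert gives a clear pass/fail rather than silently failing on a mis-resolved symbol.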