Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Mono code injection leads to wrong address

ymiu
Cheater
Reputation: 0

Joined: 16 Dec 2018
Posts: 41

PostPosted: Tue Jan 15, 2019 3:06 pm    Post subject: Mono code injection leads to wrong address Reply with quote

Code:
usemono()

// BBI.Game.Simulation:Inventory:.ctor+49- 83 3E 00    - cmp dword ptr [rsi],00 { 0 }
// BBI.Game.Simulation:Inventory:.ctor+4c- 48 63 46 28 - movsxd  rax,dword ptr [rsi+28]
define(bytes, 83 3E 00 48 63 46 28)

[ENABLE]
assert(BBI.Game.Simulation:Inventory:.ctor+49, bytes)
... additional code omitted


This script never enables when I try. There are no messages or errors to figure out why it wasn't working, so I just went to my memory viewer and tried Go to address: BBI.Game.Simulation:Inventory:.ctor+49 but it takes me to an address labeled BBI.Core.Data:ExtractorManager:Load+9

So I'm guessing this causes my assert() to fail. Any idea why the mono address is taking me to the wrong location?
salumor
Advanced Cheater
Reputation: 0

Joined: 14 Jan 2019
Posts: 84

PostPosted: Tue Jan 15, 2019 3:54 pm    Post subject: Reply with quote

I am quite new too, so I may be wrong, please do correct me, but when I read it a few things came to mind:

- Do you actually have a jump entry? I don't see any define/aobscan/... where you'd hook at.
- Are you sure it stays at that address? I tend to use aobregionscan for that purpose.
- Are you sure the code is supposed to be hooked at ..Inventory:.ctor+49? Where did you take it from? It's not a function you can usually hook on, as far as I understood. Some info: answers.unity.com/questions/232531/class-constructor.html
ymiu
Cheater
Reputation: 0

Joined: 16 Dec 2018
Posts: 41

PostPosted: Tue Jan 15, 2019 4:15 pm    Post subject: Reply with quote

The injection point begins later at BBI.Game.Simulation:Inventory:.ctor+49. The structure of the script is fine; it's copied from another Mono game I wrote a bunch of scripts for. The actual injection just adds a jmp and two nops. I didn't want to get bogged down with those details because, regardless of whether the script is correct, the memory browser showed me that trying to go directly to that function doesn't actually bring me there. That's the real problem.

I used an AOBScan to find the correct code to make sure it was still there. It was, and it hasn't moved for the couple hours I've had it up. More importantly, even when I'm already navigating within the function, right clicking and choosing Go to address: BBI.Game.Simulation:Inventory:.ctor+49 still takes me to BBI.Core.Data:ExtractorManager:Load+9 instead.

I followed your link, but not sure what that's supposed to tell me. I already debugged the function and found that RSI has the address I'm trying to capture. I'm not sure what you mean when you say "it's not a function you usually can hook on". I'm not aware of any limitations like that. I thought you could inject anywhere as long as you don't step on any unintended bytes, and take care that the registers and flags have what they should have when returning back from the injected code.
salumor
Advanced Cheater
Reputation: 0

Joined: 14 Jan 2019
Posts: 84

PostPosted: Tue Jan 15, 2019 4:31 pm    Post subject: Reply with quote

ymiu wrote:
I'm not sure what you mean when you say "it's not a function you usually can hook on". I'm not aware of any limitations like that. I thought you could inject anywhere as long as you don't step on any unintended bytes, and take care that the registers and flags have what they should have when returning back from the injected code.
Not sure how to write it clearly. Did you ever choose the option to ... Mono\Dissect Mono ...? Were you ever able to do a Just-in-time (JIT) compilation with anything except methods? Same with .ctor. It's not some static memory you can hook and change, but ... I don't really understand it either ... Someone more experienced has to answer that. I mean I do believe it's possible, but not with a simple JITC.

Anyway, you're sure that ctor is the only option to get the address you're interested in?
ymiu
Cheater
Reputation: 0

Joined: 16 Dec 2018
Posts: 41

PostPosted: Tue Jan 15, 2019 5:08 pm    Post subject: Reply with quote

I can Dissect Mono, but I get lost in the list that it produces. I'm not sure what to do with all that info.

I'm not sure what a JIT compilation is.

I did get the script working using aobscan (very slow); however, I'm now realizing that the RSI register contains different pointers each time it's called. I didn't debug it enough to see that before.

It's definitely not the only place to look, and I'll keep trying other spots. But getting back to my original point, I'd like to understand why Go to address takes me to a completely different place.
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The Netherlands

PostPosted: Wed Jan 16, 2019 1:08 am    Post subject: Reply with quote

Perhaps the dot in .ctor causes a calculation error.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
ymiu
Cheater
Reputation: 0

Joined: 16 Dec 2018
Posts: 41

PostPosted: Wed Jan 16, 2019 5:35 pm    Post subject: Reply with quote

Perhaps. I was thinking something like this, but don't know enough about the engine to be sure. Of course it errors out when I omit the dot. I guess there's no way around it?
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The Netherlands

PostPosted: Wed Jan 16, 2019 6:06 pm    Post subject: Reply with quote

Check out monoscript.lua for the available functions.
Find the class, then enumerate the methods to find the method, then JIT/compile it to get the address.

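As an added example (not from this thread and not from Cheat Engine's own monoscript.lua), here is the procedure Dark Byte describes, written in Cheat Engine Lua and applied to the class and constructor from the first post. Instead of the "namespace:class:.ctor+offset" symbol syntax that the thread shows resolving to the wrong place, it looks the class up through the Mono API, enumerates its methods, asks Mono to JIT-compile the constructor, and registers the returned address under a dot-free label so an auto-assembler script can refer to it. It assumes the monoscript.lua functions mono_findClass, mono_class_enumMethods (returning entries with name and method fields), mono_compile_method, the monopipe global set by LaunchMonoDataCollector, and CE's generic registerSymbol and readBytes; the label name InventoryCtor and the byte check at +49 are this example's own choices.

```lua
-- Added example, not part of the thread or of monoscript.lua.
-- Resolves the JIT-compiled address of BBI.Game.Simulation.Inventory's
-- constructor via the Mono API and registers it as a plain symbol.
-- Assumed API (from Cheat Engine's monoscript.lua): mono_findClass,
-- mono_class_enumMethods, mono_compile_method, monopipe,
-- LaunchMonoDataCollector; plus CE's registerSymbol and readBytes.

local NAMESPACE  = "BBI.Game.Simulation"   -- from the first post
local CLASSNAME  = "Inventory"             -- from the first post
local METHODNAME = ".ctor"                 -- from the first post
local SYMBOL     = "InventoryCtor"         -- hypothetical label chosen here

-- Find a method by name inside a class. Returns the method handle,
-- or nil plus a reason.
local function findMethodByName(namespace, classname, methodname)
  local class = mono_findClass(namespace, classname)
  if class == nil or class == 0 then
    return nil, "class not found: " .. namespace .. "." .. classname
  end
  -- Assumed shape of each entry: { method = <handle>, name = <string>, ... }
  for _, m in ipairs(mono_class_enumMethods(class) or {}) do
    if m.name == methodname then
      return m.method
    end
  end
  return nil, "method not found: " .. namespace .. "." .. classname .. ":" .. methodname
end

-- Ask Mono to compile the method (a no-op if it already has native code)
-- and return the native address.
local function resolveMethodAddress(namespace, classname, methodname)
  local method, err = findMethodByName(namespace, classname, methodname)
  if not method then
    return nil, err
  end
  local addr = mono_compile_method(method)
  if addr == nil or addr == 0 then
    return nil, "mono_compile_method returned no address"
  end
  return addr
end

-- Register the resolved address under a dot-free symbol name, then check
-- that the bytes the thread quotes at +49 (83 3E 00 = cmp dword ptr [rsi],00)
-- really are there. A mismatch means the offset, not the symbol, is off.
local function registerCtorSymbol()
  if monopipe == nil then
    LaunchMonoDataCollector()   -- attaches the mono data collector once
  end
  local addr, err = resolveMethodAddress(NAMESPACE, CLASSNAME, METHODNAME)
  if not addr then
    print("failed: " .. err)
    return nil
  end
  registerSymbol(SYMBOL, addr)
  local b = readBytes(addr + 0x49, 3, true)
  if b and b[1] == 0x83 and b[2] == 0x3E and b[3] == 0x00 then
    print(string.format("%s = %X, bytes at +49 match", SYMBOL, addr))
  else
    print(string.format("%s = %X, but bytes at +49 differ: re-check the offset", SYMBOL, addr))
  end
  return addr
end

registerCtorSymbol()
```

Run it from the Lua script window, or place it in a {$lua} block at the top of the [ENABLE] section. Once the symbol exists, the assert in the first post can be written as assert(InventoryCtor+49, 83 3E 00 48 63 46 28), which refers to the compiled method directly and sidesteps whatever the symbol parser makes of the dot in ".ctor". Because Mono JIT-compiles methods on first use, calling mono_compile_method up front also guarantees there is native code at that address before the script tries to patch it.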