Mono can't find address

Anything Cheat Engine related, bugs, suggestions, helping others, etc..
Post Reply
User avatar
Bakfiets
Fearless Donors
Fearless Donors
Posts: 22
Joined: Mon Jul 03, 2017 6:56 pm
Reputation: 3

Mono can't find address

Post by Bakfiets » Sun Jul 16, 2017 8:08 am

I have been at a 'godmode' script for a week now, and yesterday it finally finished.
After testing it one last time this morning before uploading, the Mono features are suddenly broken.

I have the adress called HealthHandler:sendDamage+4af. This address has worked for a week, through computer restarts, and without any problems. This morning however, it suddenly stopped working.
The script enables but doesn't inject when using the Mono-address, but DOES when I scan for the aob.
When using "go to address" in the disassembler with "HealthHandler:sendDamage+4af" takes me to a different address, not even close to where i want to be. If i use the AOB then it puts me at the right address.
Does anyone have and idea's or suggestions?

define:
Image

aobscan
Image
scriptShow

Code: Select all

{ Game   : STRAFE.exe
  Version: 1.0.6
  Date   : 2017-07-15
  Author : Bakfiets

  This script allows two 'godmode' functions to be activated
  1) Infinite HP (prevent health damage)
  2) One-shot-kill
}
USEMONO()
define(SENDDAMAGE_MANIPULATION,HealthHandler:sendDamage+4af)
//aobscan(SENDDAMAGE_MANIPULATION,F3 0F 11 A8 84 00 00 00 48 8B 85 D0 FE FF FF 48 8B 40 40 48 85 C0 74 26) // should be unique

[ENABLE]
alloc(code,$1024,0099B17F)
alloc(INF_HP_ENABLED,1)
alloc(ONE_SHOT_ENABLED,1)
alloc(ONE_SHOT_DAMAGE,1)
label(originalcode)
label(return)
label(one_shot)


ONE_SHOT_DAMAGE:
dd 0

INF_HP_ENABLED:
db 0

ONE_SHOT_ENABLED:
db 0

code:
  cmp [rax+90],42c80000 // _initialhealth == (int)100
  jne one_shot //If not 100, jump to one-shot
  cmp [rax+8C],01 // _canHeal == (int)1
  jne originalcode // Second check for monster
  cmp [INF_HP_ENABLED],0
  je originalcode
  //movss [rax+00000084],xmm5
  jmp return

one_shot:
  cmp [ONE_SHOT_ENABLED],0
  je originalcode
  movss xmm5,[ONE_SHOT_DAMAGE]
  je originalcode

originalcode:
  movss [rax+00000084],xmm5
  jmp return

SENDDAMAGE_MANIPULATION:
  jmp code
  nop
  nop
  nop

return:




registersymbol(SENDDAMAGE_MANIPULATION)
registersymbol(INF_HP_ENABLED)
registersymbol(ONE_SHOT_ENABLED)

[DISABLE]
SENDDAMAGE_MANIPULATION:
  db F3 0F 11 A8 84 00 00 00


unregistersymbol(SENDDAMAGE_MANIPULATION)
dealloc(code)

{
// ORIGINAL CODE - INJECTION POINT: 0099B17F

""+99B14A: 48 89 85 48 FF FF FF           -  mov [rbp-000000B8],rax
""+99B151: 48 8B 85 48 FF FF FF           -  mov rax,[rbp-000000B8]
""+99B158: 48 8B C8                       -  mov rcx,rax
""+99B15B: F3 0F 10 81 84 00 00 00        -  movss xmm0,[rcx+00000084]
""+99B163: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
""+99B167: 48 8B 8D C8 FE FF FF           -  mov rcx,[rbp-00000138]
""+99B16E: F3 0F 10 49 08                 -  movss xmm1,[rcx+08]
""+99B173: F3 0F 5A C9                    -  cvtss2sd xmm1,xmm1
""+99B177: F2 0F 5C C1                    -  subsd xmm0,xmm1
""+99B17B: F2 0F 5A E8                    -  cvtsd2ss xmm5,xmm0
// ---------- INJECTING HERE ----------
""+99B17F: F3 0F 11 A8 84 00 00 00        -  movss [rax+00000084],xmm5
// ---------- DONE INJECTING  ----------
""+99B187: 48 8B 85 D0 FE FF FF           -  mov rax,[rbp-00000130]
""+99B18E: 48 8B 40 40                    -  mov rax,[rax+40]
""+99B192: 48 85 C0                       -  test rax,rax
""+99B195: 74 26                          -  je HealthHandler:sendDamage+4ed
""+99B197: 48 8B 85 D0 FE FF FF           -  mov rax,[rbp-00000130]
""+99B19E: 48 8B 40 40                    -  mov rax,[rax+40]
""+99B1A2: 48 8B C8                       -  mov rcx,rax
""+99B1A5: 48 83 EC 20                    -  sub rsp,20
""+99B1A9: 83 38 00                       -  cmp dword ptr [rax],00
""+99B1AC: 49 BB C0 E3 97 52 00 00 00 00  -  mov r11,UnityEngine.Events:UnityEvent:Invoke
}

Squall8
Expert Cheater
Expert Cheater
Posts: 148
Joined: Fri Mar 03, 2017 7:43 am
Reputation: 66

Re: Mono can't find address

Post by Squall8 » Sun Jul 16, 2017 9:17 am

I tend not to over rely on mono, especially in my scripts. Its good for using as reference to find a specific assembly region and dissecting structures. From there you can debug as normal to see if any instruction you found would be viable. Then write your script out through a simple aob injection.

But if you're dead set on keeping it that way, try a couple things:

Code: Select all

1.
Replace - alloc(code,$1024,0099B17F)
with
alloc(code,$1024,STRAFE.exe)
----------------------------------------------------
2.
ONE_SHOT_DAMAGE:
dd 0  //

INF_HP_ENABLED:
db 0  //    Use "dq 0".  Being a 64bit process.

ONE_SHOT_ENABLED:
db 0  //
----------------------------------------------------
3.
alloc(INF_HP_ENABLED,1)  //
alloc(ONE_SHOT_ENABLED,1)  // alloc(ONE_SHOT_ENABLED,8)  //Allocate more memory.
alloc(ONE_SHOT_DAMAGE,1)  //
----------------------------------------------------
4. Double check the flow of your script. I only really took a quick look at it. But make sure everything in there has a chance to execute, nothing gets skipped over (it happens easier than you might think).

User avatar
Bakfiets
Fearless Donors
Fearless Donors
Posts: 22
Joined: Mon Jul 03, 2017 6:56 pm
Reputation: 3

Re: Mono can't find address

Post by Bakfiets » Mon Jul 17, 2017 5:11 pm

Hey Squall,

thanks for the general tips, those are really helpful!
I had tried allocating to STRAFE.exe before but it would never activate, somehow it does now.

The reason i wanted to use Mono features is because it would JIT the necessary parts(?), thus not having to take damage before being able to enable the cheat. I also noticed the missing dealloc's, but apart from that i can't find any fault in the code that could trigger it not working with Mono, but working with AOBScan (unless i don't understand some intricincies.

Squall8
Expert Cheater
Expert Cheater
Posts: 148
Joined: Fri Mar 03, 2017 7:43 am
Reputation: 66

Re: Mono can't find address

Post by Squall8 » Mon Jul 17, 2017 5:30 pm

Try using this instead of USEMONO().

Code: Select all

[ENABLE]
{$lua}
LaunchMonoDataCollector()
{$asm}
Also another workaround would be to find an instruction that constantly updates.

User avatar
Bakfiets
Fearless Donors
Fearless Donors
Posts: 22
Joined: Mon Jul 03, 2017 6:56 pm
Reputation: 3

Re: Mono can't find address

Post by Bakfiets » Tue Jul 18, 2017 6:09 pm

Squall8 wrote:
Mon Jul 17, 2017 5:30 pm
Try using this instead of USEMONO().

Code: Select all

[ENABLE]
{$lua}
LaunchMonoDataCollector()
{$asm}
Also another workaround would be to find an instruction that constantly updates.
That's funny, this works (for the moment). I thought USEMONO() is equal to the lua-call. Guess not?
*edit* aaaand it stopped working after a couple restarts. Guess ill keep it on aobscan :/

User avatar
FreeER
Cheater
Cheater
Posts: 33
Joined: Fri Mar 10, 2017 7:11 pm
Reputation: 2
Contact:

Re: Mono can't find address

Post by FreeER » Tue Jul 18, 2017 6:40 pm

Bakfiets wrote:
Tue Jul 18, 2017 6:09 pm
I thought USEMONO() is equal to the lua-call. Guess not?
For the record USEMONO is equivalent to the monoAA_USEMONO function (registered as an AA command in mono_initialize) in monoscript.lua, which mostly just calls LaunchMonoCollector with some error checking...
monoAA_USEMONOShow

Code: Select all

function monoAA_USEMONO(parameters, syntaxcheckonly)
  --called whenever an auto assembler script encounters the USEMONO() line
  --the value you return will be placed instead of the given line
  --In this case, returning a empty string is fine
  --Special behaviour: Returning nil, with a secondary parameter being a string, will raise an exception on the auto assembler with that string

  --another example:
  --return parameters..":\nnop\nnop\nnop\n"
  --you'd then call it using usemono(00400500) for example

  if (syntaxcheckonly==false) and (LaunchMonoDataCollector()==0) then
    return nil,translate("The mono handler failed to initialize")
  end

  return "" --return an empty string (removes it from the internal aa assemble list)
end
I don't know mono very well, so I can't really offer any help here (though it does sound a bit like there could be multiple functions with the same name and you're getting whichever one was loaded first...)

User avatar
Bakfiets
Fearless Donors
Fearless Donors
Posts: 22
Joined: Mon Jul 03, 2017 6:56 pm
Reputation: 3

Re: Mono can't find address

Post by Bakfiets » Tue Jul 18, 2017 7:16 pm

I guess that must be it freeER.. After checking "instances of class", the list is too long to even start counting. Seems like everything (including seperate body parts) in this game has a healthHandler attached to is :/

User avatar
FreeER
Cheater
Cheater
Posts: 33
Joined: Fri Mar 10, 2017 7:11 pm
Reputation: 2
Contact:

Re: Mono can't find address

Post by FreeER » Tue Jul 18, 2017 8:05 pm

The number of instances shouldn't directly matter, at least in theory, since they would use the same function/code, it's just if you had different functions named the same thing, aka "function overloading", and taking different arguments... IF that's the issue then this may help http://forum.cheatengine.org/viewtopic.php?p=5659563

Squall8
Expert Cheater
Expert Cheater
Posts: 148
Joined: Fri Mar 03, 2017 7:43 am
Reputation: 66

Re: Mono can't find address

Post by Squall8 » Wed Jul 19, 2017 1:07 am

@FreeER
Thanks for the info. I thought they were a bit different.

@Bakfiets
I've been working on quite a few mono games lately (not by choice lol). I'll work on some this weekend and see what I can come up with regarding this issue.

User avatar
Bakfiets
Fearless Donors
Fearless Donors
Posts: 22
Joined: Mon Jul 03, 2017 6:56 pm
Reputation: 3

Re: Mono can't find address

Post by Bakfiets » Wed Jul 19, 2017 5:44 pm

FreeER wrote:
Tue Jul 18, 2017 8:05 pm
The number of instances shouldn't directly matter, at least in theory, since they would use the same function/code, it's just if you had different functions named the same thing, aka "function overloading", and taking different arguments... IF that's the issue then this may help http://forum.cheatengine.org/viewtopic.php?p=5659563
You are making a terrible amount of sense. It indeed has 1 overloading method (or 2, perspectives ;P)
Quick scan of the topic reveals it's an interesting one to read, thank you!

I will certainly post the progress once i can get my hands free from work projects.

@squall8 good luck! may the mono treat you gently, she's a hard mistress. But you have to give her credit for spilling al her junk on demand.

Squall8
Expert Cheater
Expert Cheater
Posts: 148
Joined: Fri Mar 03, 2017 7:43 am
Reputation: 66

Re: Mono can't find address

Post by Squall8 » Sat Jul 22, 2017 10:52 pm

Bakfiets wrote:
Wed Jul 19, 2017 5:44 pm
Alright I finally did some testing on my end. Try using assert under enable. Parameter in this case:

Code: Select all

assert --(name used in define,bytes used for original injection). You can simply copy them over from disable.
Example:

Code: Select all

{ Game   : TheInitial.exe
  Version: 
  Date   : 2017-07-18
  Author : Squall8
}

define(infhealth,ACTGameObject:DoDamage+dc)
[ENABLE]
{$lua}
LaunchMonoDataCollector()
{$asm}

assert(infhealth,F3 0F 11 AE D4 00 00 00)
alloc(newmem,$1000)

label(code)
label(return)

newmem:
  cmp [rsi+000000C4],0
  jne code
  fld [rsi+000000D0]
  fstp [rsi+000000D4]
  jmp return

code:
  movss [rsi+000000D4],xmm5
  jmp return

infhealth:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(infhealth)

[DISABLE]

infhealth:
  db F3 0F 11 AE D4 00 00 00

unregistersymbol(infhealth)
dealloc(newmem)
Let me know if that helped.

User avatar
Bakfiets
Fearless Donors
Fearless Donors
Posts: 22
Joined: Mon Jul 03, 2017 6:56 pm
Reputation: 3

Re: Mono can't find address

Post by Bakfiets » Sun Jul 23, 2017 4:14 pm

@Squall8
Unfortunately it didn't work. Even if, the assert would be true for all the overloading functions :/

Schnitzelmaker
Expert Cheater
Expert Cheater
Posts: 92
Joined: Fri Mar 03, 2017 6:18 pm
Reputation: 38

Re: Mono can't find address

Post by Schnitzelmaker » Sun Jul 23, 2017 4:39 pm

Bakfiets wrote:
Sun Jul 23, 2017 4:14 pm
@Squall8
Unfortunately it didn't work. Even if, the assert would be true for all the overloading functions :/
I don't have the game so i can't look into. But my question is it overloaded method or shared instruction?

If it is an overloaded method you can use the lua version of mono_findMethodByDesc, but unfortunately in CE 6.7 it contains a bug. (fixed already on github)


A fixed version would be:
Show

Code: Select all

function mono_findMethodByDescFixed(assemblyname, methoddesc)
  --if debug_canBreak() then return nil end
  local assemblies = mono_enumAssemblies()
  for i=1, #assemblies do
      local image = mono_getImageFromAssembly(assemblies[i])
      local imagename = mono_image_get_name(image)
      if imagename == assemblyname then
        return mono_class_findMethodByDesc(image, methoddesc)
      end
  end
  return nil
end
I also wrote me an extension to use it as aa command:

Code: Select all

function monoAA_FINDMONOMETHODBYDESCFIXED(parameters, syntaxcheckonly)
  local name, assemblyname, fullmethodnamestring, methoddesc, methodaddress
  local c,d

  --print(parameters)
  --parse the parameters
  c=string.find(parameters,",")
  if c~=nil then
    name=string.sub(parameters, 1,c-1)

    fullmethodnamestring=string.sub(parameters, c+1, #parameters)
    d=string.find(fullmethodnamestring,",")
    if (d~=nil) then
      assemblyname=string.sub(fullmethodnamestring, 1,d-1)
      methoddesc=string.sub(fullmethodnamestring, d+1, #fullmethodnamestring)
    else
      return nil,"Assemblyname/Method desc missing"
    end
  else
    return nil,translate("Invalid parameters (name could not be determined)")
  end

  assemblyname=assemblyname:match "^%s*(.-)%s*$" --trim
  methoddesc=methoddesc:match "^%s*(.-)%s*$" --trim

  if syntaxcheckonly then
    return "define("..name..",00000000)"
  end

  if (monopipe==nil) or (monopipe.Connected==false) then
    LaunchMonoDataCollector()
  end

  if (monopipe==nil) or (monopipe.Connected==false) then
    return nil,translate("The mono handler failed to initialize")
  end

  --print("assemblyname: " .. assemblyname)
  --print("methoddesc: " .. methoddesc)
  local method=mono_findMethodByDescFixed(assemblyname, methoddesc)
  --print("method: " .. method)
  if (method==0) then
    return nil,methoddesc..translate(" could not be found")
  end

  methodaddress=mono_compile_method(method)
  --print("methodaddress: " .. methodaddress)
  if (methodaddress==0) then
    return nil,methoddesc..translate(" could not be jitted")
  end

  local result="define("..name..","..string.format("%x", methodaddress)..")"
  --print("result: " .. result)

 -- showMessage(result)

  return result
end


registerAutoAssemblerCommand("FINDMONOMETHODBYDESCFIXED", monoAA_FINDMONOMETHODBYDESCFIXED)

Example in aa:

Code: Select all

FINDMONOMETHODBYDESCFIXED(Agent_DamageAddress, Assembly-CSharp, Agent:Damage(PlayfieldObject,bool))

Squall8
Expert Cheater
Expert Cheater
Posts: 148
Joined: Fri Mar 03, 2017 7:43 am
Reputation: 66

Re: Mono can't find address

Post by Squall8 » Mon Jul 24, 2017 8:29 pm

I figured it would, I just wanted to be sure. I tried to replicate the issue to see what else I could do, but I couldn't even seem to find an overloaded function.. I might download the game later then. I'm also curious to know if any of the scripts Schnitzelmaker mentioned work out for you in this case. I don't have much knowledge in lua though.

Mono/Unity Engine and all that shit is complete garbage.. Lately most of these devs release half-assed pieces of work, make a small paycheck and abandon the game. It's ridiculous..

User avatar
Bakfiets
Fearless Donors
Fearless Donors
Posts: 22
Joined: Mon Jul 03, 2017 6:56 pm
Reputation: 3

Re: Mono can't find address

Post by Bakfiets » Tue Jul 25, 2017 1:29 pm

Squall8 wrote:
Mon Jul 24, 2017 8:29 pm
I figured it would, I just wanted to be sure. I tried to replicate the issue to see what else I could do, but I couldn't even seem to find an overloaded function.. I might download the game later then. I'm also curious to know if any of the scripts Schnitzelmaker mentioned work out for you in this case. I don't have much knowledge in lua though.

Mono/Unity Engine and all that shit is complete garbage.. Lately most of these devs release half-assed pieces of work, make a small paycheck and abandon the game. It's ridiculous..
Any help is deeply appreciated!
I haven't tried the lua scripts yet, I first want to read up on LUA (in combination with CE). In a few weeks I vacation so it's planned then :)
I'm afraid i have to disagree on your stance. The engine is and should not be responsible for hit-and-run tactics. Funny enough, this weeks Jimquisition from Jim Sterling is about this issue :)

Post Reply

Who is online

Users browsing this forum: No registered users