Confusing game crash [Mono problem]

Anything Cheat Engine related, bugs, suggestions, helping others, etc..
GreenHouse
Expert Cheater
Posts: 64
Joined: Fri Oct 12, 2018 10:25 pm
Reputation: 32

Confusing game crash [Mono problem]

Post by GreenHouse » Wed Feb 27, 2019 4:05 pm

I'm having a problem that is really weird. There's an address that, if I add it to the address list or try to go to it, makes the game instantly crash.
The line is 'UnityEngine.UI:SetPropertyUtility:SetStruct'. I don't see how that could make a game crash when I'm not injecting or enabling anything. Mono crashes and it makes the game crash. I tried on some other games and the same happens. If that address exists, it crashes the game; if it doesn't, it lags Cheat Engine when typing it.
Copy/pasting the address makes it crash, and if I type it myself it lags Cheat Engine mid-way. Always when Mono is enabled. Here are 3 examples in the video (I only show one game, but I tried 3 more and the same thing happened):
1- It crashes when I try to add the address to the list.
2- It crashes the moment I enable Mono when having the address in the list.
3- Typing the address lags Cheat Engine, and when the address is fully written, it crashes.


panraven
Cheater
Posts: 36
Joined: Fri Mar 03, 2017 12:03 am
Reputation: 18

Re: Confusing game crash [Mono problem]

Post by panraven » Sun Mar 03, 2019 3:35 pm

Probably the game uses a special version of mono-***.dll, namely mono-2.0-bdwgc.
Since CE attaches to the first DLL named "mono-***.dll" using LoadLibrary to use the mono API,
then uses GetProcAddress to find the *exported* API by name,
the crash could be due to calling GetProcAddress with an *un-exported* function name,
and CE doesn't trap the exception when GetProcAddress fails.

The suspected mono function should be JIT related,
since CE can parse the class struct,
but crashes when requesting a function symbol's address (the JIT function entry).

GreenHouse
Expert Cheater
Posts: 64
Joined: Fri Oct 12, 2018 10:25 pm
Reputation: 32

Re: Confusing game crash [Mono problem]

Post by GreenHouse » Mon Mar 04, 2019 10:50 am

panraven wrote:
Sun Mar 03, 2019 3:35 pm
Probably the game uses a special version of mono-***.dll, namely mono-2.0-bdwgc.
Since CE attaches to the first DLL named "mono-***.dll" using LoadLibrary to use the mono API,
then uses GetProcAddress to find the *exported* API by name,
the crash could be due to calling GetProcAddress with an *un-exported* function name,
and CE doesn't trap the exception when GetProcAddress fails.

The suspected mono function should be JIT related,
since CE can parse the class struct,
but crashes when requesting a function symbol's address (the JIT function entry).
The crash is not exclusive to that game. I tried with multiple games, and they have the exact same problem.
And it's not a problem that occurs when attaching to a wrong DLL. That address does exist, and you can make it work if you go manually using the Mono window and Jit. The thing is that when you try to go directly to the address, it crashes.
And even if you Jit the address and then try to go manually, the same happens.

panraven
Cheater
Posts: 36
Joined: Fri Mar 03, 2017 12:03 am
Reputation: 18

Re: Confusing game crash [Mono problem]

Post by panraven » Mon Mar 04, 2019 4:35 pm

I see.

I installed the game isr from Steam to see what happens.
So I found the said class UnityEngine.UI:SetPropertyUtility in a decompiler (JustDecompile).

There are 3 functions; however, only SetColor is a normal function, and when I replace the address in the video with
UnityEngine.UI:SetPropertyUtility:SetColor the address parses successfully.
The SetPropertyUtility:SetStruct is interpreted as
SetPropertyUtility:SetStruct<T> in the decompiler.

The SetPropertyUtility:SetStruct<T> is actually a kind of function template; it must be fed some type parameter (the capital T) to actually instantiate a function to be JIT-ed specific to that type. For instance, the usages of the class shown by the decompiler are like SetStruct<bool> or SetStruct<float>;
these are 2 separate functions in native code form if JIT-ed.

It may be related to this function-template nature that it cannot be JIT-ed without specifying the type T, but I'm not going further.

It seems it is not gameplay related, as most gameplay logic should be in Assembly-CSharp or some others, but not these generic UI assemblies.
Maybe you can inject a custom UI assembly for your purpose instead of manipulating it using the mono API.
gl
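To make the point above concrete, here is an added example (not from this thread, Unity or Cheat Engine) showing why an open generic method like SetStruct<T> cannot simply be compiled or called by name: the runtime refuses to run the definition until a type argument is supplied, and each instantiation is a distinct method with its own handle. The SetPropertyUtility class below is a constructed stand-in, not Unity's real code.

```csharp
using System;
using System.Reflection;

// Constructed stand-in for UnityEngine.UI.SetPropertyUtility (assumption, not Unity's code).
static class SetPropertyUtility
{
    // Generic method definition: no native code exists for it until T is supplied.
    public static bool SetStruct<T>(ref T currentValue, T newValue) where T : struct
    {
        if (currentValue.Equals(newValue)) return false;
        currentValue = newValue;
        return true;
    }
}

static class Demo
{
    static void Main()
    {
        // This is what the symbol "UnityEngine.UI:SetPropertyUtility:SetStruct" names: an open definition.
        MethodInfo definition = typeof(SetPropertyUtility).GetMethod("SetStruct");
        Console.WriteLine($"IsGenericMethodDefinition = {definition.IsGenericMethodDefinition}");
        Console.WriteLine($"ContainsGenericParameters = {definition.ContainsGenericParameters}");

        try
        {
            // Asking the runtime to run (and therefore JIT) the open definition is rejected.
            definition.Invoke(null, new object[] { 0f, 1f });
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("Open definition cannot be invoked: " + ex.Message);
        }

        // Supplying T yields concrete methods that can be compiled and called.
        MethodInfo forFloat = definition.MakeGenericMethod(typeof(float));
        MethodInfo forBool  = definition.MakeGenericMethod(typeof(bool));

        object[] args = { 0f, 1.5f };          // ref parameter is written back into args[0]
        bool changed = (bool)forFloat.Invoke(null, args);
        Console.WriteLine($"SetStruct<float>: changed={changed}, value={args[0]}");

        // Each instantiation is a separate method (separate native code once JIT-ed).
        Console.WriteLine($"distinct handles = {forFloat.MethodHandle != forBool.MethodHandle}");
    }
}
```

Run with any .NET or Mono toolchain; the open definition throws while both closed instantiations succeed, which is the behaviour a tool that resolves methods by bare name without a type argument has to handle.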

GreenHouse
Expert Cheater
Posts: 64
Joined: Fri Oct 12, 2018 10:25 pm
Reputation: 32

Re: Confusing game crash [Mono problem]

Post by GreenHouse » Mon Mar 04, 2019 4:42 pm

panraven wrote:
Mon Mar 04, 2019 4:35 pm
I see.

I installed the game isr from Steam to see what happens.
So I found the said class UnityEngine.UI:SetPropertyUtility in a decompiler (JustDecompile).

There are 3 functions; however, only SetColor is a normal function, and when I replace the address in the video with
UnityEngine.UI:SetPropertyUtility:SetColor the address parses successfully.
The SetPropertyUtility:SetStruct is interpreted as
SetPropertyUtility:SetStruct<T> in the decompiler.

The SetPropertyUtility:SetStruct<T> is actually a kind of function template; it must be fed some type parameter (the capital T) to actually instantiate a function to be JIT-ed specific to that type. For instance, the usages of the class shown by the decompiler are like SetStruct<bool> or SetStruct<float>;
these are 2 separate functions in native code form if JIT-ed.

It may be related to this function-template nature that it cannot be JIT-ed without specifying the type T, but I'm not going further.

It seems it is not gameplay related, as most gameplay logic should be in Assembly-CSharp or some others, but not these generic UI assemblies.
Maybe you can inject a custom UI assembly for your purpose instead of manipulating it using the mono API.
gl
I understand. But the thing is that the address has things in it; it doesn't need any extra parameter from my side. As I said, you can get to it by Jitting. And when you do, the address you get is exactly 'UnityEngine.UI:SetPropertyUtility'. Then if you copy that and try to add it to the list, it crashes.
But well... if you're right and there's an extra parameter in it that I didn't see, then I guess I'll go from Jit instead of directly.
Thanks :D
