Mono related lua invoke or asm call C# System.String constructor
Posted: Thu Dec 01, 2022 2:56 pm
I'm trying to add some extra feedback to some Character Info panels for a game that uses IL2CPP ( this would've probably taken 5 minutes with DNSPY otherwise ) ...
Managed to get the parameters of interest calling a mono function that supplies them from ASM ( I'm calling a AOB signature of the function )
those parameters get to lua and I can make lua print this string in console when hovering units in combat
But of course I don't want this string in the lua console.. I want it to the
to display seamlessly in game when hovering combat units
And here I'm kid of stuck ... I could SIMPLY OVERWRITE CharacterInformationsTooltip.m_characterLevel(textmeshpro).m_text.Value with a Shorter or equal string ..
I can get its address :
UnicodeStringAddr = readQword( readQword( readQword(CharacterInformationsTooltip + 0x90) + 0xC8) + 0x14)
Problem is my string WILL BE LONGER ! (high risk of overwritting stuff ..)
The game does call TMPro.TMP_Text.set_text before ..
Problem1
how do I call a constructor of System.String in ASM ? (randomly dig trough traces till I stumble upon an example ? Build c# project and see how the constructor call translates into ASM ? ) ..
To make the string.object argument to be able to call settext from ASM.
Problem2
is it simpler to mono invoke this set text from lua ? (doubt) ..
The parameter is a unicode string which I have.. Do I really need to go digging for functions/method ids when I can easily access the actual function address from my injection point ?
If I put a breakpoint when the hover window is active to get the function settext function addr could I invoke it from LUA engine for test purpose while the game is frozen for test purpose ? Doesn't sound right .. Will probably need to attempt the monoinvokes from my lua script that concatenates the string ..and crash crash crash
...
EDIT
Problem3
Simpler still ?
- make a mock? string object struct to pass as argument and see if it works
0 copy the addr pointer from an actual string.object I have access to (should be common for all system.string objects ?)
0x10 put strlen
0x14 put the unicode str
pass address of this struct in rdx , call set text and pray)
Managed to get the parameters of interest calling a mono function that supplies them from ASM ( I'm calling a AOB signature of the function )
// Try call_1
lea r9,[rbp+30] // orig
lea r8,[rbp-50] // orig
mov edx,0000005
mov rcx,rdi
call AOB_BM_f_CharacterInformationsTooltip_getStatInformations
//SAVE [rbp+30] COURAGE !!
mov edx, [rbp+30]
mov [CbtUI_Hover_Courage_Agility_Params], edx // Courage
// Try call_2
lea r9,[rbp+30] // orig
lea r8,[rbp-50] // orig
mov edx,0000001
mov rcx,rdi
call AOB_BM_f_CharacterInformationsTooltip_getStatInformations
//SAVE [rbp+30] AGILITY !!
mov edx, [rbp+30]
mov [CbtUI_Hover_Courage_Agility_Params+4], edx // Agility
those parameters get to lua and I can make lua print this string in console when hovering units in combat
function CbtUI_Hover_Courage_Agility(params)
local Courage = readInteger(params)
local Agility = readInteger(params+0x4)
local CharacterInformationsTooltip = readQword(params+0x100)
local Character = readQword(CharacterInformationsTooltip + 0x160)
local Character_Level = readInteger( readQword(Character + 0x138) +0x40)
print(string.format("LvL:%2d Courage:%2d Agility:%2d", Character_Level, Courage, Agility))
-- sample lua console output
-- LvL: 5 Courage: 9 Agility:14
-- LvL: 3 Courage:30 Agility: 9
-- LvL: 3 Courage:30 Agility: 9
end
But of course I don't want this string in the lua console.. I want it to the
CharacterInformationsTooltip.m_characterLevel(textmeshpro).m_text.Value to display seamlessly in game when hovering combat units
And here I'm kid of stuck ... I could SIMPLY OVERWRITE CharacterInformationsTooltip.m_characterLevel(textmeshpro).m_text.Value with a Shorter or equal string ..
I can get its address :
UnicodeStringAddr = readQword( readQword( readQword(CharacterInformationsTooltip + 0x90) + 0xC8) + 0x14)
Problem is my string WILL BE LONGER ! (high risk of overwritting stuff ..)
The game does call TMPro.TMP_Text.set_text before ..
// SIMPLER TO INVOKE IN LUA ??
//CALL TMPro.TMP_text.set_text
// R9 or Rax used for calling setText of object using virtual function table
// arguments
// RCX ptr to TextMeshPro object that displays Unit LvL string
// RDX ptr SYSTEM.String object with my unicode string
// R8 get loaded offset of setText addr + 0x8
// call qword ptr [R9+530] // r9 = [[rsi + 90]] where RSI pointer to the CharacterInformationsTooltip
// [RSI+90] ptr to TextMeshPro object that displays Unit LvL string
Problem1
how do I call a constructor of System.String in ASM ? (randomly dig trough traces till I stumble upon an example ? Build c# project and see how the constructor call translates into ASM ? ) ..
To make the string.object argument to be able to call settext from ASM.
Problem2
is it simpler to mono invoke this set text from lua ? (doubt) ..
The parameter is a unicode string which I have.. Do I really need to go digging for functions/method ids when I can easily access the actual function address from my injection point ?
If I put a breakpoint when the hover window is active to get the function settext function addr could I invoke it from LUA engine for test purpose while the game is frozen for test purpose ? Doesn't sound right .. Will probably need to attempt the monoinvokes from my lua script that concatenates the string ..and crash crash crash
...EDIT
Problem3
Simpler still ?
- make a mock? string object struct to pass as argument and see if it works
0 copy the addr pointer from an actual string.object I have access to (should be common for all system.string objects ?)
0x10 put strlen
0x14 put the unicode str
pass address of this struct in rdx , call set text and pray
)
.. Maybe I can do something bout that ..