Confusing game crash [Mono problem]

Post by GreenHouse »

I'm having a problem that is really weird. There's an address that, if I add it to the address list or try to go to it, makes a game instantly crash.
The line is 'UnityEngine.UI:SetPropertyUtility:SetStruct'. I don't see how that could make a game crash when I'm not injecting or enabling anything. Mono crashes and it makes the game crash. I tried on some other games and the same happens. If that address exists, it crashes the game; if it doesn't, it lags Cheat Engine when typing it.
Copy/pasting the address makes it crash, and if I type it myself it lags Cheat Engine midway. Always when Mono is enabled. Here are 3 examples in the video (I only show one game, but I tried 3 more and the same thing happened):
1- It crashes when I try to add the address to the list.
2- It crashes the moment I enable Mono when having the address in the list.
3- Typing the address lags Cheat Engine and when the address is fully written, it crashes.



Edit: Fixed video URL for the forum media update.
Last edited by GreenHouse on Fri Jun 07, 2019 1:46 pm, edited 1 time in total.

Post by panraven »

Probably the game uses a special version of mono-***.dll, namely mono-2.0-bdwgc.
Since CE attaches to the first DLL named "mono-***.dll" using LoadLibrary to use the Mono API,
then uses GetProcAddress to find *exported* APIs by name,
the crash could be due to calling GetProcAddress with an *un-exported* function name,
and CE doesn't trap the exception when GetProcAddress fails.

The suspected Mono function should be JIT-related,
since CE can parse the class struct,
but crashes when requesting a function symbol's address (the JIT function entry).
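
The failure mode suspected in the post above, looking an API up by name and then using the result without checking it, is avoided by treating a NULL lookup result as fatal before anything is called. This is an added example, not code from the thread or from Cheat Engine: `resolve_api`, `api_slot`, `table_lookup` and the export table are hypothetical, and the table is constructed sample data that leaves out `mono_compile_method` only to model the hypothesis.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Lookup contract: return NULL when the module does not export `name`,
   as GetProcAddress(hModule, name) does on Windows. */
typedef void *(*lookup_fn)(void *module, const char *name);

/* Constructed export table standing in for a loaded mono DLL (sample data;
   it deliberately lacks mono_compile_method to model the hypothesis). */
struct export_entry { const char *name; void *addr; };
static int stub_a, stub_b;
static struct export_entry sample_exports[] = {
    { "mono_get_root_domain", &stub_a },
    { "mono_thread_attach",   &stub_b },
    { NULL, NULL }
};

static void *table_lookup(void *module, const char *name) {
    for (struct export_entry *e = module; e->name; e++)
        if (strcmp(e->name, name) == 0) return e->addr;
    return NULL;
}

struct api_slot { const char *name; void *fn; };

/* Fill every slot; return how many names failed to resolve and report the
   first one. A caller must stop when the result is non-zero instead of
   calling through a NULL pointer. */
int resolve_api(lookup_fn lookup, void *module, struct api_slot *slots,
                size_t n, const char **first_missing) {
    int missing = 0;
    *first_missing = NULL;
    for (size_t i = 0; i < n; i++) {
        slots[i].fn = lookup(module, slots[i].name);
        if (slots[i].fn == NULL) {
            if (*first_missing == NULL) *first_missing = slots[i].name;
            missing++;
        }
    }
    return missing;
}

int main(void) {
    struct api_slot slots[] = { { "mono_get_root_domain", NULL },
                                { "mono_compile_method",  NULL } };
    const char *miss;
    int n = resolve_api(table_lookup, sample_exports, slots, 2, &miss);
    if (n) printf("refusing to continue: %d unresolved, first: %s\n", n, miss);
    return 0;
}
```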

Post by GreenHouse »

panraven wrote: Sun Mar 03, 2019 3:35 pm
> Probably the game uses a special version of mono-***.dll, namely mono-2.0-bdwgc.
> Since CE attaches to the first DLL named "mono-***.dll" using LoadLibrary to use the Mono API,
> then uses GetProcAddress to find *exported* APIs by name,
> the crash could be due to calling GetProcAddress with an *un-exported* function name,
> and CE doesn't trap the exception when GetProcAddress fails.
>
> The suspected Mono function should be JIT-related,
> since CE can parse the class struct,
> but crashes when requesting a function symbol's address (the JIT function entry).

The crash is not exclusive to that game. I tried with multiple games, and they have the same exact problem.
And it's not a problem that occurs when attaching it on a wrong DLL. That address does exist, and you can make it work if you go manually using the Mono window and Jit. The thing is that when you try to go directly to the address, then it makes it crash.
And even if you Jit the address, and then try to go manually, the same happens.

Post by panraven »

I see.

I installed the game isr from Steam and tried to see what happens.
So I found the said class UnityEngine.UI:SetPropertyUtility in a decompiler (JustDecompile).

There are 3 functions; however, only SetColor is a normal function: when I replace the address in the video with
UnityEngine.UI:SetPropertyUtility:SetColor, the address parses successfully.
The SetPropertyUtility:SetStruct is interpreted as
SetPropertyUtility:SetStruct<T> in the decompiler.

The SetPropertyUtility:SetStruct<T> is actually a kind of function template; it must be fed some type parameter (the capital T) to actually instantiate a function to be JIT-ed specific to that type. For instance, the usages of the class shown by the decompiler are like SetStruct<bool> or SetStruct<float>;
these are 2 separate functions in native code form if JIT-ed.

It may be related to this function-template nature that it cannot be JIT-ed without specifying the type T, but I'm not going any further.

It seems it is not gameplay related; most gameplay logic should be in Assembly-CSharp or some others, not these generic UI assemblies.
Maybe you can inject a custom UI assembly for your purpose instead of manipulating it using the Mono API.
gl

Post by GreenHouse »

panraven wrote: Mon Mar 04, 2019 4:35 pm
> I see.
>
> I installed the game isr from Steam and tried to see what happens.
> So I found the said class UnityEngine.UI:SetPropertyUtility in a decompiler (JustDecompile).
>
> There are 3 functions; however, only SetColor is a normal function: when I replace the address in the video with
> UnityEngine.UI:SetPropertyUtility:SetColor, the address parses successfully.
> The SetPropertyUtility:SetStruct is interpreted as
> SetPropertyUtility:SetStruct<T> in the decompiler.
>
> The SetPropertyUtility:SetStruct<T> is actually a kind of function template; it must be fed some type parameter (the capital T) to actually instantiate a function to be JIT-ed specific to that type. For instance, the usages of the class shown by the decompiler are like SetStruct<bool> or SetStruct<float>;
> these are 2 separate functions in native code form if JIT-ed.
>
> It may be related to this function-template nature that it cannot be JIT-ed without specifying the type T, but I'm not going any further.
>
> It seems it is not gameplay related; most gameplay logic should be in Assembly-CSharp or some others, not these generic UI assemblies.
> Maybe you can inject a custom UI assembly for your purpose instead of manipulating it using the Mono API.
> gl

I understand. But the thing is that the address has things in it, it doesn't need any extra parameter from my side. As I said, you can get to it by Jitting. And when you do, the address you get is exactly 'UnityEngine.UI:SetPropertyUtility'. Then if you copy that, and try to add it to the list, it crashes.
But well... If you're right and there's an extra parameter in it that I didn't see, then I guess I'll go from Jit instead of directly.
Thanks :D

Post by dharmang1910 »

I also face many crashes in Unity games now, while backtracing and injecting. I have the latest version of Windows 10 64-bit. Some Unity games have an anti-cheat mechanism, I have found, and also have exception-raising APIs, so Cheat Engine cannot handle the exceptions and the game crashes. I also find that games do not crash in x64dbg but only crash in Cheat Engine. So I feel that in your case some exception is raised, because a game lagging and then crashing mostly happens when an exception occurs. Are you also using Windows 10 like me?

Post by GreenHouse »

dharmang1910 wrote: Fri Jun 07, 2019 1:00 pm
> I also face many crashes in Unity games now, while backtracing and injecting. I have the latest version of Windows 10 64-bit. Some Unity games have an anti-cheat mechanism, I have found, and also have exception-raising APIs, so Cheat Engine cannot handle the exceptions and the game crashes. I also find that games do not crash in x64dbg but only crash in Cheat Engine. So I feel that in your case some exception is raised, because a game lagging and then crashing mostly happens when an exception occurs. Are you also using Windows 10 like me?

Yes, I do use Windows 10. The thing is that it never happened ~3 years ago. And now I have many constant crashes and freezes. I don't know if it's because of Cheat Engine or because of how those games are made. But it's pretty annoying.

Post by dharmang1910 »

GreenHouse wrote: Fri Jun 07, 2019 1:45 pm
> Yes, I do use Windows 10. The thing is that it never happened ~3 years ago. And now I have many constant crashes and freezes. I don't know if it's because of Cheat Engine or because of how those games are made. But it's pretty annoying.

I think there are two possibilities. The core components of the OS and/or .NET are getting updated, or there is some compatibility issue between Cheat Engine and Windows 10, because DBVM is still not fully compatible with Windows 10. And I'm also getting frustrated with Unity games because of frequent crashes.

Btw, try this script before doing any backtracing or injecting. I made this while debugging in x64dbg and found that the game crashes less if the game has implemented exception-raising APIs.

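Code:

[ENABLE]
// Replaces the 7-byte instruction at RaiseException+62 with NOPs.
KERNELBASE.RaiseException+62:
db 90 90 90 90 90 90 90
 
[DISABLE]
// Restores the original bytes (48 FF 15 + disp32 is a RIP-relative indirect call).
// Both the +62 offset and the displacement depend on the KERNELBASE.dll build.
KERNELBASE.RaiseException+62:
db 48 FF 15 EF 21 16 00

Code:

[ENABLE]
// C3 = ret, 90 = nop: RtlRaiseException returns immediately to its caller.
ntdll.RtlRaiseException:
db c3 90

[DISABLE]
// Restores the original first two bytes of the function.
ntdll.RtlRaiseException:
db 40 55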

Post by GreenHouse »

dharmang1910 wrote: Fri Jun 07, 2019 5:15 pm
> I think there are two possibilities. The core components of the OS and/or .NET are getting updated, or there is some compatibility issue between Cheat Engine and Windows 10, because DBVM is still not fully compatible with Windows 10. And I'm also getting frustrated with Unity games because of frequent crashes.
>
> Btw, try this script before doing any backtracing or injecting. I made this while debugging in x64dbg and found that the game crashes less if the game has implemented exception-raising APIs.

I'll sure try that. I hope that it helps with the crashes.
Thanks.
