Inject multiple places

[Fruitpunch]

Hello,

So I want to inject multiple places and since I only found info about it in LUA, I decided to try. I attempted to piece this code together from multiple (sort of similar) examples but it doesn't work.

I have no prior experience with LUA so hopefully some of you can point out what's wrong with this code.

Code: Select all

{$lua}
if syntaxcheck then return end

[ENABLE]
local mem = allocateMemory(0x1000)
local scan = AOBScan("F3 0F 10 BF 94 03 00 00")
local resultCount = scan.Count

local script = [[
alloc(value,8)
label(return)
label(value)
registersymbol(value)

newmem:
  mov [value],rdi
  movss xmm7,[rdi+00000394]
  jmp return

value:
  dd 0
  
%s:
  jmp newmem
  nop 3
return:]]

registerSymbol("newmem", mem)

function injections(t)
         for i=1, resultCount, 1 do
             local injection = "vals" .. tostring(i)
             registerSymbol(injection, scan[i-1])
             autoAssemble(string.format(script, injection))
         end
 
         scan.destroy()
         t.destroy()
end

local timer = createTimer()

timer.Interval = 1
timer.OnTimer = injections(timer)

[DISABLE]
for i=1, resultCount, 1 do
    local injection = "vals" .. tostring(i)
    writeBytes(injection, 0xF3, 0x0F, 0x10, 0xBF, 0x94, 0x03, 0x00, 0x00)
    unregisterSymbol(injection)
end

unregisterSymbol("newmem")
deAlloc(mem, 0x1000)

{$asm}
unregistersymbol(value)
dealloc(value)

[ShyTwig16]

Hello,

So I want to inject multiple places and since I only found info about it in LUA, I decided to try. I attempted to piece this code together from multiple (sort of similar) examples but it doesn't work.

I have no prior experience with LUA so hopefully some of you can point out what's wrong with this code.

Code: Select all

{$lua}
if syntaxcheck then return end

[ENABLE]
local mem = allocateMemory(0x1000)
local scan = AOBScan("F3 0F 10 BF 94 03 00 00")
local resultCount = scan.Count

local script = [[
alloc(value,8)
label(return)
label(value)
registersymbol(value)

newmem:
  mov [value],rdi
  movss xmm7,[rdi+00000394]
  jmp return

value:
  dd 0
  
%s:
  jmp newmem
  nop 3
return:]]

registerSymbol("newmem", mem)

function injections(t)
         for i=1, resultCount, 1 do
             local injection = "vals" .. tostring(i)
             registerSymbol(injection, scan[i-1])
             autoAssemble(string.format(script, injection))
         end
 
         scan.destroy()
         t.destroy()
end

local timer = createTimer()

timer.Interval = 1
timer.OnTimer = injections(timer)

[DISABLE]
for i=1, resultCount, 1 do
    local injection = "vals" .. tostring(i)
    writeBytes(injection, 0xF3, 0x0F, 0x10, 0xBF, 0x94, 0x03, 0x00, 0x00)
    unregisterSymbol(injection)
end

unregisterSymbol("newmem")
deAlloc(mem, 0x1000)

{$asm}
unregistersymbol(value)
dealloc(value)

One thing to keep in mind is that with CE versions prior to 7.3, the lua "registerSymbol" will throw an error if the symbol already exists. And you're registering the symbol "value" in every injection, so only the last one will remain; but since the address for value is what gets assembled it should only matter if you are using value as an address in the address list, if not you really don't need to register it as a symbol. Then you are using "dd" (data double, double word or 4 bytes) to initialize "value" when you should be using "dq" (data quad, quad word or 8 byes), but since you do allocate 8 bytes it really shouldn't matter. But since you also create a label "value" and place it in "newmem", it's hard to which one it's using. And you have every injection point jumping to the same location and depending on how far things are it might require a 14 byte jump. And the memory for "value" could be to far from the injection point; AA "alloc" takes a third parameter "allocate near". You should pass the injection address or symbol to the "alloc" command. But with you reallocating for every injection point, but using the same memory for the hook you probably need to use a registry for the address of "value" since a hardcoded address is only RSP + the signed value of the 4 bytes (in a 64 bit process); thus if the address for "value" is larger/smaller than RSP +/- 0x7FFFFFFF then is can't be assembled as a hardcoded address.
[Link]

[Fruitpunch]

Okay, thanks for the info.

Value was supposed to be allocated only once. Now that you point it out, that's obvious. I tried to do it in Lua but I wasn't successful and moved it to asm which was a mistake with the contradictory label. I use the value as an address so I need to registersymbol it.

All I need is to have the jmp newmem and nop 3 be written to all of the addresses found by aobscan.

I've tried to make that script work without the value in there at all, so that is not the only reason this does not work. There must be something wrong in the lua code.

[ShyTwig16]

Okay, thanks for the info.

Value was supposed to be allocated only once. Now that you point it out, that's obvious. I tried to do it in Lua but I wasn't successful and moved it to asm which was a mistake with the contradictory label. I use the value as an address so I need to registersymbol it.

All I need is to have the jmp newmem and nop 3 be written to all of the addresses found by aobscan.

I've tried to make that script work without the value in there at all, so that is not the only reason this does not work. There must be something wrong in the lua code.

If you make all the injection points jump to the same place, it's likely that the jumps are too far for 5 byte jumps to hold, so you'll need to use 14 byte jumps or allocate new memory for each one so they can hopefully be closer. But there is no guarantee they will, it just depends on how large the game's code is in memory. Although I'm yet to run into a situation were using the third parameter for "alloc" didn't work. But with games getting as large as they are, it's bound to happen at some point.

[Fruitpunch]

I tried this code:

Code: Select all

{$lua}
if syntaxcheck then return end

[ENABLE]
local mem = allocateMemory(0x1000)
local scan = AOBScan("F3 0F 10 BF 94 03 00 00")
local resultCount = scan.Count

local script = [[
label(return)

newmem:
  movss xmm7,[rdi+00000394]
  movaps xmm6,xmm7
  movzx ebp,byte ptr [rcx+00000176]
  jmp return

%s:
  jmp far newmem
  nop 4
return:]]

registerSymbol("newmem", mem)

function healthVals(t)
         for i=1, resultCount, 1 do
             local injection = "healthVals" .. tostring(i)
             registerSymbol(injection, scan[i-1])
             autoAssemble(string.format(script, injection))
         end
 
         scan.destroy()
         t.destroy()
end

local timer = createTimer() --this runs after everything else is finished so
                            --aobscan is finished before we run the loop

timer.Interval = 1
timer.OnTimer = healthVals(timer)

[DISABLE]
for i=1, resultCount, 1 do
    local injection = "healthVals" .. tostring(i)
    writeBytes(injection, 0xF3, 0x0F, 0x10, 0xBF, 0x94, 0x03, 0x00, 0x00)
    unregisterSymbol(injection)
end

unregisterSymbol("newmem")
deAlloc(mem, 0x1000)

It writes it but the script is not enabled so it's still screwed. The address of first injection is 2B4 D88E 5EEF and
second address is 7FF7 6D03 8DAF. So if I understand your writing correctly they are too far apart.

I'm not sure I understand this: " allocate new memory for each one so they can hopefully be closer". You mean for example do it inside the loop where I'm doing the autoAssemble? But that would mean that the two different injection points would have
a different jmp code which is not what I want. So in this case what I aim to do is not possible?

[ShyTwig16]

I tried this code:

Code: Select all

{$lua}
if syntaxcheck then return end

[ENABLE]
local mem = allocateMemory(0x1000)
local scan = AOBScan("F3 0F 10 BF 94 03 00 00")
local resultCount = scan.Count

local script = [[
label(return)

newmem:
  movss xmm7,[rdi+00000394]
  movaps xmm6,xmm7
  movzx ebp,byte ptr [rcx+00000176]
  jmp return

%s:
  jmp far newmem
  nop 4
return:]]

registerSymbol("newmem", mem)

function healthVals(t)
         for i=1, resultCount, 1 do
             local injection = "healthVals" .. tostring(i)
             registerSymbol(injection, scan[i-1])
             autoAssemble(string.format(script, injection))
         end
 
         scan.destroy()
         t.destroy()
end

local timer = createTimer() --this runs after everything else is finished so
                            --aobscan is finished before we run the loop

timer.Interval = 1
timer.OnTimer = healthVals(timer)

[DISABLE]
for i=1, resultCount, 1 do
    local injection = "healthVals" .. tostring(i)
    writeBytes(injection, 0xF3, 0x0F, 0x10, 0xBF, 0x94, 0x03, 0x00, 0x00)
    unregisterSymbol(injection)
end

unregisterSymbol("newmem")
deAlloc(mem, 0x1000)

It writes it but the script is not enabled so it's still screwed. The address of first injection is 2B4 D88E 5EEF and
second address is 7FF7 6D03 8DAF. So if I understand your writing correctly they are too far apart.

I'm not sure I understand this: " allocate new memory for each one so they can hopefully be closer". You mean for example do it inside the loop where I'm doing the autoAssemble? But that would mean that the two different injection points would have
a different jmp code which is not what I want. So in this case what I aim to do is not possible?

You can right click the script in the address list to see the error message. And doing it this way you'll have to use 14 byte jumps and restore 14 byte when disabling.

But at this point I'm really wondering, why do you need to inject in some many places like this?

[miraikolus]

I'd rather validate the results. I mean .... 7FF7 6D03 8DAF doesn't look like a valid address (131.037 GB ... or 127TB (not PB, sry). Ok that's not the prob. but ... 125 TB difference from addr1 to addr2 ...). This seems more like a temporary stored offset with overflow.

Another point might be the abuse of registers. Like I had the problem, that (global)alloc(addr,size,near) could in .... 1 of 20 times still allocate >2GB diff. Find the solution to that [Link] (rl example my script (City) and btw. also ... not yet injection but multi registerSymbol in lua while scanning incl. diff offsets in "All own cities..")

EDIT: You can also try to allocate the "newmem" not in lua but near a addr (unique aob or module+offset) but yeah. First start of a aobscan in CE and look at the difference lowest and highest addr. (1GB = 4000 0000 in HEX, divide though that in Calc\Prog\Hex or / (1024*1024*1024) in DEC. 1TB=100 0000 0000 in HEX). Then in lua if you got anything 7F* (signed) or FF* be skeptical.
But you can simply try it: open Memory Viewer and "Go to address" to check if it's rly valid. In any way a manual aob scan in CE and (generally speaking) whatever the lua loop tries to address should be the same and i'd bet that doesn't match. So add some prints of addr. you try to scan & register.

EDIT: I've thought a bit about it and ... are you sure you want to hook ALL these addr? Are you able to - do you got needed access to all addr? You could also save the autoAssemble result and check on the error.

[Fruitpunch]

You can right click the script in the address list to see the error message. And doing it this way you'll have to use 14 byte jumps and restore 14 byte when disabling.

But at this point I'm really wondering, why do you need to inject in some many places like this?

So, it's looks like to me that the "jmp far" is a 14 byte jmp since there are so many bytes when I try to enable the script. But disabling, was this actually the correct way: writeBytes(injection, 0xF3, 0x0F, 0x10, 0xBF, 0x94, 0x03, 0x00, 0x00, 0x0F, 0x28, 0xF7, 0x0F, 0xB6, 0xA9, 0x76, 0x01, 0x00, 0x00) ?

Oh, and I didn't know about that error message before, good to know. I'm getting <<Access violation>>. No idea for what.

To the question of why, I'd rather not give that away, since we live in times, where we have scumbags getting payed to look through public forums. Let's just say I'm looking for different ways to deal with a problem. This is just one of them.

I'd rather validate the results. I mean .... 7FF7 6D03 8DAF doesn't look like a valid address (131.037 GB ... or 127PB. Ok that's not the prob. but ... 125 PB difference from addr1 to addr2 ...). This seems more like a temporary stored offset with overflow.

Another point might be the abuse of registers. Like I had the problem, that (global)alloc(addr,size,near) could in .... 1 of 20 times still allocate >2GB diff. Find the solution to that [Link] (rl example my script (City) and btw. also ... not yet injection but multi registerSymbol in lua while scanning incl. diff offsets in "All own cities..")

EDIT: You can also try to allocate the "newmem" not in lua but near a addr (unique aob or module+offset) but yeah. First start of a aobscan in CE and look at the difference lowest and highest addr. (1GB = 4000 0000 in HEX, divide though that in Calc\Prog\Hex or / (1024*1024*1024) in DEC). Then in lua if you got anything 7F* (signed) or FF* be skeptical.
But you can simply try it: open Memory Viewer and "Go to address" to check if it's rly valid. In any way a manual aob scan in CE and (generally speaking) whatever the lua loop tries to address should be the same and i'd bet that doesn't match. So add some prints of addr. you try to scan & register.

EDIT: I've thought a bit about it and ... are you sure you want to hook ALL these addr? Are you able to - do you got needed access to all addr? You could also save the autoAssemble result and check on the error.

You are correct the first address is a temporary memory address. If I understand your second and third paragraphs correctly you are describing how to check if the address is actually real? I've checked that enabling the script writes to the correct addresses.

[ShyTwig16]

...
So, it's looks like to me that the "jmp far" is a 14 byte jmp since there are so many bytes when I try to enable the script. But disabling, was this actually the correct way: writeBytes(injection, 0xF3, 0x0F, 0x10, 0xBF, 0x94, 0x03, 0x00, 0x00, 0x0F, 0x28, 0xF7, 0x0F, 0xB6, 0xA9, 0x76, 0x01, 0x00, 0x00) ?

Oh, and I didn't know about that error message before, good to know. I'm getting <<Access violation>>. No idea for what.
...

Yeah, that should do the trick for disabling. And "Access violation" is kind of one of those you'd just have to start breaking down the script tell you find what causes the error. And if you want to validate an address with lua you can just use "getAddressSafe", it will return nil if it's not a valid address and the address as a number; it takes strings (symbols, module plus offset, pointers) or numbers.

[miraikolus]

You are correct the first address is a temporary memory address. If I understand your second and third paragraphs correctly you are describing how to check if the address is actually real? I've checked that enabling the script writes to the correct addresses.

How exactly do you mean that - I guess just the register? Cause if assemble too, it would prob. work. But again, do some prints & error checks. F.e. like [Link] (& f.e. my referenced table, "3 lines for offset, scanning aobs & register" and "5 lines for error handling/debugging infos")
That addr., is it being created by the game? If not, but yourself simply allocate near (only possible in asm, either in a parent script or in the 'same & using a timer to check the symbol's address'). Else ... rly?
Could you do a screenshot of the Foundlist in CE when scanning for those aobs as well as the result when replacing autoAssemble(string.format(script, injection)) with:
local result,assinfo =autoAssemble(string.format(script, injection))
print(injection, scan[i-1],tostring(result),tostring(assinfo))

My guess is that not everything can be assembled. 2nd guess "registerSymbol("newmem", mem)" - You try to write the same thing to the same addr, while you are aware that return will be alw. different? script1 return will be f.e. 0222 3333 4444 while script2 0222 3333 5555 .... so whatever injection point is currently active ... you'll end at last script's return. (if you don't want that you need to alloc & register in script, and exchange each newmem with %s and ... f.e. replace-string: 'newmem'..injection. Or your always change the start addr to jump to) But that's just about logic that could crash the game. Nothing that should prevent activation.

[Fruitpunch]

Okay, the last script is working after all. I guess along the way I had managed to save Userdefined symbols and those were messing with the enabling. Now the question is how do I allocate the memory only once for that address I need?

The code I have tried is below. New parts have been marked with "--NEW".

Code: Select all

{$lua}
if syntaxcheck then return end

[ENABLE]
local mem = allocateMemory(0x1000)
local scan = AOBScan("F3 0F 10 BF 94 03 00 00")
local resultCount = scan.Count
value = nil --NEW

local script = [[
label(return)

newmem:
  mov [test],rdi  --NEW
  movss xmm7,[rdi+00000394]
  movaps xmm6,xmm7
  movzx ebp,byte ptr [rcx+00000176]
  jmp return

%s:
  jmp far newmem
  nop 4
return:]]

registerSymbol("newmem", mem)
registerSymbol("test", value) --NEW

function healthVals(t)
         for i=1, resultCount, 1 do
             local injection = "healthVals" .. tostring(i)
             registerSymbol(injection, scan[i-1])
             autoAssemble(string.format(script, injection))
         end
 
         scan.destroy()
         t.destroy()
end

local timer = createTimer() --this runs after everything else is finished so
                            --aobscan is finished before we run the loop

timer.Interval = 1
timer.OnTimer = healthVals(timer)

[DISABLE]
for i=1, resultCount, 1 do
    local injection = "healthVals" .. tostring(i)
    writeBytes(injection, 0xF3, 0x0F, 0x10, 0xBF, 0x94, 0x03, 0x00, 0x00, 0x0F, 0x28, 0xF7, 0x0F, 0xB6, 0xA9, 0x76, 0x01, 0x00, 0x00)
    unregisterSymbol(injection)
end

unregisterSymbol("test") --NEW
unregisterSymbol("newmem")
deAlloc(mem, 0x1000)

[UltimatePoto42]

Okay, the last script is working after all. I guess along the way I had managed to save Userdefined symbols and those were messing with the enabling. Now the question is how do I allocate the memory only once for that address I need?

The code I have tried is below. New parts have been marked with "--NEW".

Code: Select all

{$lua}
if syntaxcheck then return end

[ENABLE]
local mem = allocateMemory(0x1000)
local scan = AOBScan("F3 0F 10 BF 94 03 00 00")
local resultCount = scan.Count
value = nil --NEW

local script = [[
label(return)

newmem:
  mov [test],rdi  --NEW
  movss xmm7,[rdi+00000394]
  movaps xmm6,xmm7
  movzx ebp,byte ptr [rcx+00000176]
  jmp return

%s:
  jmp far newmem
  nop 4
return:]]

registerSymbol("newmem", mem)
registerSymbol("test", value) --NEW

function healthVals(t)
         for i=1, resultCount, 1 do
             local injection = "healthVals" .. tostring(i)
             registerSymbol(injection, scan[i-1])
             autoAssemble(string.format(script, injection))
         end
 
         scan.destroy()
         t.destroy()
end

local timer = createTimer() --this runs after everything else is finished so
                            --aobscan is finished before we run the loop

timer.Interval = 1
timer.OnTimer = healthVals(timer)

[DISABLE]
for i=1, resultCount, 1 do
    local injection = "healthVals" .. tostring(i)
    writeBytes(injection, 0xF3, 0x0F, 0x10, 0xBF, 0x94, 0x03, 0x00, 0x00, 0x0F, 0x28, 0xF7, 0x0F, 0xB6, 0xA9, 0x76, 0x01, 0x00, 0x00)
    unregisterSymbol(injection)
end

unregisterSymbol("test") --NEW
unregisterSymbol("newmem")
deAlloc(mem, 0x1000)

I got to say, I have no idea how this works since every thing should be returning to the same spot (which ever is the last to be injected and assembled). You'd have to actually check the assembled memory to see what's it's actually doing. But you can try using "allocateSharedMemory" instead of "allocateMemory".

allocateSharedMemory(name, size):
Creates a shared memory object in the attached process of the given size if it doesn't exist yet. If size is not given and there is no shared region with this name then the default size of 4096 is used
It then maps this shared memory block into the currently targeted process. It returns the address of this mapped region in the target process. Keep in mind that a process can map the same block multiple times, so keep track of your assignments

[miraikolus]

@Fruitpunch Did you check my reply on the return addr? Also ... you do need jmp far newmem but jmp return is ok? And imo still use errorchecks regardless if it would work now, it could change on updates.

Now, this way won't work in CE, simple example:

Code: Select all

test123 = 456
print(test123)
registerSymbol("test123",test123)
print(getAddressSafe("test123"))
-- you will get 2x 456 because referencing the value returns content, not addr

Not sure why exactly? @Tim? I mean s.t. like that wont work too: [Link]

Anyway, what you can do is remove the value stuff and change the aascript to

Code: Select all

label(return)
label(baseptr)
registersymbol(baseptr)

newmem:
  mov [baseptr],rdi  //Note - if you don't use addr in script at best use registers when handling x64 (mov rax,baseptr / mov [rax],rdi)
  movss xmm7,[rdi+00000394]
  movaps xmm6,xmm7
  movzx ebp,byte ptr [rcx+00000176]
  jmp return //jmp far? 
  
baseptr:
  dq 0 //damn this multiple writes to same addr, leave that out

%s:
  jmp far newmem
  nop 4
return: //will be the return of the script#resultCount after all has been assambled]]

EDIT: If you don't want multiple registers (which btw. is no problem, may except you rly change the addr on highly frequently called instructions) you could also do 2 scripts. 1st you set the value and register (before the loop). 2nd you add the code you want to add. (f.e. you could also add the ptr at the beginning or simply no "ptr" but jmp far newmem+8. at newmem: dq 0 nothing simply "newmem+8: mov ...") This reminds me how a symbol called newmem is just so bad design wise but do your thing.

Other stuff that wont help here but might be of interest:
[Link]
[Link]
[Link]

[UltimatePoto42]

...
Not sure why exactly? @Tim? I mean s.t. like that wont work too: [Link]
...

That's Lua, auto assembler works a lot different. If you assemble an AA script with a "jmp return" it will be a jump with a hard coded address (i.e. jmp DEADBEEF), thus all the injection points will jump to the hook then they all will jump back to the last injection point and not the place they started at. I actually think they need to be using a "call" and "ret" for it to work the way they want it to, and this would actually work the way a lua function call and return works.

[Fruitpunch]

EDIT: If you don't want multiple registers (which btw. is no problem, may except you rly change the addr on highly frequently called instructions) you could also do 2 scripts. 1st you set the value and register (before the loop). 2nd you add the code you want to add. (f.e. you could also add the ptr at the beginning or simply no "ptr" but jmp far newmem+8. at newmem: dq 0 nothing simply "newmem+8: mov ...") This reminds me how a symbol called newmem is just so bad design wise but do your thing.

Yeah dude, you just basically wrote the same thing I had in my first post and it was specifically stated that the aim is to allocate only once, but thanks anyway.

...
Not sure why exactly? @Tim? I mean s.t. like that wont work too: [Link]
...

That's Lua, auto assembler works a lot different. If you assemble an AA script with a "jmp return" it will be a jump with a hard coded address (i.e. jmp DEADBEEF), thus all the injection points will jump to the hook then they all will jump back to the last injection point and not the place they started at. I actually think they need to be using a "call" and "ret" for it to work the way they want it to, and this would actually work the way a lua function call and return works.

Perfect! Too bad I didn't think of that myself. All I needed was to change the asm to a function. Now it works exactly like it's supposed to. Before I made the change the script was working but for some weird reason I got an Access violation. I wish there was a deallocSharedMemory though.