Why is jumping to the same address working with "technique" A but not with B?
I have here a few lines of a hack that I wrote:
Here is the definition of a macro luaL_openlib which is actually a function pointer to 0x0090DE00:
/*
Type definitions for function signatures
*/
typedef int (luaL__openlib) (lua_State *L, const char *libname, const luaL_reg *l, int nup);
/*
Intercepting macros for function calls.
*/
#define luaL_openlib(L, libname, l, nup) ((luaL__openlib*) 0x0090DE00)(L, libname, l, nup)
This is how I am calling it:
static int luaAi_helloworld(lua_State *L)
{
MessageBox(NULL, L"Hello World", L"", MB_OK);
return 1;
}
static const luaL_reg ai_funcs[] = {
{ "helloworld", luaAi_helloworld },
{ NULL, NULL }
};
void open_ailib(lua_State *L)
{
luaL_openlib(L, "ai", ai_funcs, 0);
}
The code above gets compiled into a DLL. The DLL gets loaded by my target process, whose .exe file I hacked a bit in order to do so.
However: This works!
The result is me being able to call ai.helloworld() in a script of a computer game in order to show the "Hello World" message box.
Now, the code looks a bit messier but it is doing the exact same thing:
static int scse_helloworld (lua_State *L)
{
MessageBox(NULL, L"Hello World", L"", MB_OK);
return 1;
}
static luaL_reg scselib[] = {
{"helloworld", scse_helloworld},
{NULL, NULL}
};
/*
Type definitions for function signatures
*/
typedef int (luaL__openlib)(lua_State *L, const char *libname, const luaL_reg *l, int nup);
/*
Intercepting macros for function calls.
*/
#define luaL_openlib2(L, libname, l, nup) ((luaL__openlib*) 0x0090de00)(L, libname, l, nup)
SCSE_API int luaopen_scse(lua_State *L)
{
SIZE_T numBytes;
const int num_bytes = 16;
unsigned char hook[num_bytes];
HANDLE process = GetCurrentProcess();
ReadProcessMemory(process, (LPVOID)(0x0090de00), hook, sizeof(hook), &numBytes);
LOGGER.LogMessage("Memory at 0x0090de00 is:\n\n");
for (int i = 0; i < num_bytes; i++) {
LOGGER.LogMessage("%02X ", hook[i]); // zero-pad so bytes below 0x10 print as two digits
}
// Link lua linker functions with Supreme Commander lua functions
if(LuaLinker::Link())
{
LOGGER.LogMessage("Lua linker functions successfully linked with Supreme Commander Lua functions.\n");
LOGGER.LogMessage("luaL_openlib2()");
luaL_openlib2(L, "scse", scselib, 0);
// Spoiler: This is never reached
LOGGER.LogMessage("SCSE library successfully opened.\n");
}
else {
LOGGER.LogMessage("ERROR: Couldn't link lua linker functions with Supreme Commander Lua functions!\n");
}
return 1;
}
What comes additionally is me reading out the memory at 0x0090de00. I can give you the result beforehand:
Memory at 0x0090de00 is:
53 8B 5C 24 14 55 56 8B 74 24 10 57 8B 7C 24 18
which is correct, as we can see with OllyDbg - although I already knew that:
So, why are you here?
The problem is, and maybe you saw the spoiler comment above, that the log message after luaL_openlib2 is never printed. In my logfile all I see is:
Lua linker functions successfully linked with Supreme Commander Lua functions.
luaL_openlib2()
The game loads the start screen but stops functioning. Buttons are not displayed etc. It does not crash, but it is basically dead. As I close it, all I get is this one last cry for help:
I am looking for an explanation - I don't understand why this is not working. All I have is a guess:
The DLL I am loading is not loaded by me. It is actually loaded by the script engine of the game. Actually, it should not be possible to load a DLL from within the game. However, since the code above is executed, the DLL is loaded. So if the DLL is loaded, maybe the memory got messed up? No, at least not the first 16 bytes of the function I am targeting, so I assume that the rest will be fine too; besides that, what should actually change that - nothing can.
I am not sure if anybody can help me here, but this seems like a tough question to me.
Anybody?
Btw: Sorry for the title - feel free to make a suggestion, and if you didn't try Supreme Commander yet, just get it!
If the game application loaded the DLL, the DLL is running in a separate process. Your application is running in a different process. In the first case the DLL and your application were running in the same process.
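Both versions of the question's code jump to a hard-coded address through a cast function pointer, and the second version reads the bytes at that address but never compares them with anything before jumping. The added example below (my own code, not from the question or the answer) shows the check a practitioner would want: hold the expected prologue bytes the question reports at 0x0090de00, refuse to resolve the address into a callable pointer unless the bytes actually found there match, and dump the bytes with a zero-padded format. The Lua types are minimal stand-ins, `demo_openlib` stands in for the game's real luaL_openlib, and the byte buffers are constructed inline so the example runs without Windows or ReadProcessMemory; all of these are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the Lua types used on the page (assumption: not Lua's real headers). */
typedef struct lua_State lua_State;
typedef struct luaL_reg { const char *name; int (*func)(lua_State *L); } luaL_reg;
typedef int (luaL__openlib)(lua_State *L, const char *libname, const luaL_reg *l, int nup);

/* The 16 bytes the question reports at 0x0090de00 (taken from the page). */
static const unsigned char EXPECTED_PROLOGUE[16] = {
    0x53, 0x8B, 0x5C, 0x24, 0x14, 0x55, 0x56, 0x8B,
    0x74, 0x24, 0x10, 0x57, 0x8B, 0x7C, 0x24, 0x18
};

/* Constructed "wrong" bytes, e.g. an INT3 trap written over the prologue. */
static const unsigned char BAD_PROLOGUE[16] = { 0xCC };

/* Returns 1 if the bytes read from the target address match the expected prologue, else 0. */
int prologue_matches(const unsigned char *mem, size_t len)
{
    if (mem == NULL || len < sizeof EXPECTED_PROLOGUE)
        return 0;
    return memcmp(mem, EXPECTED_PROLOGUE, sizeof EXPECTED_PROLOGUE) == 0;
}

/* Resolve a hard-coded address to a typed function pointer only after the bytes
   found there pass the check. `mem_at_addr` is whatever ReadProcessMemory (or a
   plain read inside the same process) returned for that address. */
luaL__openlib *resolve_openlib(uintptr_t addr, const unsigned char *mem_at_addr, size_t len)
{
    if (!prologue_matches(mem_at_addr, len))
        return NULL;
    return (luaL__openlib *)addr;
}

/* Hex dump with "%02X" so a byte such as 0x05 prints as "05", not " 5".
   Returns the number of characters written (excluding the terminator). */
size_t hexdump(const unsigned char *mem, size_t len, char *out, size_t outsz)
{
    size_t used = 0;
    for (size_t i = 0; i < len && used + 3 < outsz; i++) {
        int n = snprintf(out + used, outsz - used, i ? " %02X" : "%02X", mem[i]);
        if (n < 0) break;
        used += (size_t)n;
    }
    if (outsz) out[used] = '\0';
    return used;
}

/* Stand-in for the game's luaL_openlib: counts the functions it would register. */
static int demo_openlib(lua_State *L, const char *libname, const luaL_reg *l, int nup)
{
    (void)L; (void)libname; (void)nup;
    int n = 0;
    while (l[n].name != NULL) n++;
    return n;
}

static int demo_helloworld(lua_State *L) { (void)L; return 1; }
static const luaL_reg demo_funcs[] = { { "helloworld", demo_helloworld }, { NULL, NULL } };

/* Full sequence as a DLL entry point would run it: verify, resolve, call.
   Returns the registered-function count (1 here), -1 if the address was refused. */
int run_demo(const unsigned char *mem_at_addr, size_t len)
{
    /* The "hard-coded" address is demo_openlib's own address so the example runs locally. */
    luaL__openlib *openlib = resolve_openlib((uintptr_t)&demo_openlib, mem_at_addr, len);
    if (openlib == NULL)
        return -1;                       /* never jump: the target is not what we expected */
    return openlib(NULL, "scse", demo_funcs, 0);
}

int main(void)
{
    char buf[64];
    hexdump(EXPECTED_PROLOGUE, sizeof EXPECTED_PROLOGUE, buf, sizeof buf);
    printf("Memory at target is: %s\n", buf);
    printf("good prologue -> %d, bad prologue -> %d\n",
           run_demo(EXPECTED_PROLOGUE, 16), run_demo(BAD_PROLOGUE, 16));
    return 0;
}
```

The check only proves that the first 16 bytes are the function the author expects; it says nothing about whether the `lua_State` handed to the DLL belongs to the same Lua instance as that function, which a mismatch of calling convention or struct layout would still break silently, as the hang described in the question shows.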