Hi!
Thank you, Charles, for the quick answer - didn't notice it at
first because it went to my spam folder unfortunately.
I've checked the files (dlls and exe) for certain bytes but none
of them except the executable contained strings which come from
Lua e.g. dofile, loadstring, etc. Good news is, I was able to
locate this mapping table for (fnc_name, fnc_address) which I
thought might exist. After looking into the source code and using
OllyDbg I think I was able to locate luaL_openlib inside the
executable. I've looked at lauxlib.c (see [1]) in the Lua 5.0.3
code and it seems that this function is registering (name,
address) tuples, is that correct? It appears to get called in
base_open() in lbaselib.c (see [2]).
However, these are the last few assembly instructions of
luaL_openlib inside the executable:
luaL_openlib:
; original code
; <smuggle in code>
pop edi
pop esi
pop ebp
pop ebx
retn
I already know that this is getting executed by the main thread
as the program starts so here is my question:
luaL_openlib has 4 parameters which I should be able to find on
the stack inside this function during execution. Since I know the
exact address of luaL_openlib I should be able to place my code in
<smuggle in code> which is just a jmp to a few lines of
assembly code which load "my-lua-extensions.dll" and registers the
Lua functions I prepared in there (only once of course since
luaL_openlib gets called multiple times).
What I need to know here is if luaL_openlib will be enough to
register a new set of functions? There is this lua_State struct
that's getting passed through all these functions. I am afraid that
I could mess up the state of this object as I inject my code at
this point somewhere.
I am sorry if that question is a rather big one - any ideas or
thoughts are very welcome! :)
BR; Stefan
[1] https://www.lua.org/source/5.0/lauxlib.c.html
[2] https://www.lua.org/source/5.0/lbaselib.c.html
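An added illustration, not code from this thread or from Lua itself: a self-contained C model of the registration step discussed above. It keeps the shape of Lua 5.0's luaL_reg array (NULL-terminated (name, address) pairs) and the "for (; l->name; l++)" loop of luaL_openlib, but replaces lua_State with a toy lookup table so it compiles without the Lua headers; toy_state, toy_openlib, toy_lookup, demo and the ext_* functions are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
typedef int (*lua_CFunction)(void);  /* stand-in; real Lua 5.0 uses int (*)(lua_State *) */
/* Same shape as Lua 5.0's luaL_reg: (name, address) pairs, terminated by a NULL name. */
typedef struct { const char *name; lua_CFunction func; } luaL_reg;
/* Toy stand-in for the global table a lua_State holds: "lib.name" -> address. */
#define MAX_FUNCS 64
typedef struct { char keys[MAX_FUNCS][64]; lua_CFunction vals[MAX_FUNCS]; int n; } toy_state;

static void make_key(char *out, size_t cap, const char *lib, const char *name) {
    snprintf(out, cap, "%s%s%s", lib ? lib : "", lib ? "." : "", name);
}
static int find_key(const toy_state *L, const char *key) {
    for (int i = 0; i < L->n; i++) if (strcmp(L->keys[i], key) == 0) return i;
    return -1;
}
/* Mirrors luaL_openlib's loop "for (; l->name; l++)": set lib[name] = func. Re-registering
   a name overwrites it (as lua_settable would). Returns NEW entries, or -1 if full. */
int toy_openlib(toy_state *L, const char *libname, const luaL_reg *l) {
    int added = 0;
    for (; l->name; l++) {
        char key[64];
        make_key(key, sizeof key, libname, l->name);
        int i = find_key(L, key);
        if (i < 0) {                          /* unseen name: append an entry */
            if (L->n >= MAX_FUNCS) return -1;
            i = L->n++;
            strcpy(L->keys[i], key);          /* key already bounded to 64 bytes */
            added++;
        }
        L->vals[i] = l->func;                 /* new or overwritten address */
    }
    return added;
}
/* What the interpreter needs when a script names a function: its address (or NULL). */
lua_CFunction toy_lookup(const toy_state *L, const char *libname, const char *name) {
    char key[64]; make_key(key, sizeof key, libname, name);
    int i = find_key(L, key); return i < 0 ? NULL : L->vals[i];
}
/* Constructed sample: two functions a hypothetical extension DLL might export. */
static int ext_hello(void) { return 1; }  static int ext_bye(void) { return 2; }
static const luaL_reg ext_funcs[] = { {"hello", ext_hello}, {"bye", ext_bye}, {NULL, NULL} };
/* Register twice (a hook inside luaL_openlib would run many times), then look up. */
int demo(void) {
    toy_state L = {0};
    int first = toy_openlib(&L, "ext", ext_funcs);   /* 2 new entries */
    int again = toy_openlib(&L, "ext", ext_funcs);   /* 0: nothing new, nothing broken */
    lua_CFunction f = toy_lookup(&L, "ext", "hello");
    return first == 2 && again == 0 && f && f() == 1 && !toy_lookup(&L, "ext", "nope");
}
```

In the real API every lua_pushstring/lua_pushcclosure/lua_settable call in that loop operates on the lua_State stack, which is why anything inserted into luaL_openlib must leave that stack exactly as it found it; the toy table has no stack, so that hazard is not modelled here.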
On 03.12.2016 13:20, Charles Heywood wrote:
"I can't help but think I saw something like this
on stackexchange"... "OH!"
Anyways, is there a lua.dll or something that is shipped
with the game? If so, try replacing it with a stock lua.dll.
If that works seamlessly, then you can replace lua.dll with
one that has luaL_loadlibs or whatever that function was, with
a custom loading function. Dunno if this helps, to be honest.
:P
Hi!
I am currently trying to find out how I could possibly add new built-in functions into a compiled game that uses Lua for certain game mechanics. I do not know a lot about Lua except that it's running a VM basically that is acting as an interpreter for the actual Lua scripts to be executed.
Since I am at the very beginning of my "journey" here I hope to find answers to a few questions here. First of all the game I am talking about is Supreme Commander - some of you might know it. All I know is that it's using Lua 5.0 and I think the developers threw some stuff out which they didn't want in the game and compiled it. What I don't know is whether the Lua part is residing inside the executable or if it's in a DLL. My first guess would be the executable because browsing it with a hex-editor revealed that all the built-in function names reside somewhere in the data section of the executable.
I don't know if anybody can actually help me with this but I am currently a bit stuck and I don't really know how Lua is written into the executable. What I can imagine is that there must be some sort of lookup table for all the built-in functions. As the interpreter finds e.g. "dofile" it has to look up the address of the function in order to jump to its actual location. Anything that can help me to find out where or how I have to look after this would be helpful.
I hope my question is not off-topic and that somebody can give some advice or inspire a few things I could try. Feel free to ask me if anything I explained is not clear. There is also a question [1] on stackexchange from me which you can check out if you want.
Thank you for any help!
BR; Stefan
[1] http://reverseengineering.stackexchange.com/questions/14091/hacking-lua-introduce-new-functions-into-built-lua