Cheat Engine Scripts
-- Simple network hook script
-- Resolve the four hooked exports once; the resulting globals are compared
-- against EIP inside debugger_onBreakpoint. The handler reads stdcall
-- arguments as 4-byte slots at ESP+4.., so this only fits a 32-bit (x86)
-- target process.
addressOfSend = getAddress("WS2_32.send")
addressOfGetStatus1 = getAddress("Kernel32.GetQueuedCompletionStatus")
addressOfGetStatus2 = getAddress("Kernel32.GetQueuedCompletionStatusEx")
addressOfCreateIoCompletionPort = getAddress("Kernel32.CreateIoCompletionPort")

local resolved = string.format(
  "WS2_32.send = %x, Kernel32.GetQueuedCompletionStatus = %x, Kernel32.GetQueuedCompletionStatusEx = %x, Kernel32.CreateIoCompletionPort = %x",
  addressOfSend, addressOfGetStatus1, addressOfGetStatus2, addressOfCreateIoCompletionPort)
print(resolved)

-- Clear any breakpoint already sitting on these addresses (presumably from an
-- earlier run of this script) before the handler is redefined below.
debug_removeBreakpoint(addressOfSend)
debug_removeBreakpoint(addressOfGetStatus1)
debug_removeBreakpoint(addressOfGetStatus2)
debug_removeBreakpoint(addressOfCreateIoCompletionPort)
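-- Breakpoint handler shared by the four hooks above. On each hit it prints the
-- hooked API's stdcall arguments (read as 4-byte slots at ESP+4, ESP+8, ... --
-- valid only for a 32-bit target), then the return address at ESP, the
-- caller's saved return at EBP+4 and four more frames walked along the
-- saved-EBP chain (only meaningful while every frame keeps a frame pointer;
-- FPO code yields garbage here), resumes the target and returns 1 so Cheat
-- Engine treats the hit as handled by the script.
-- Change from the original: the frame walk uses locals instead of leaking the
-- globals `preBaseAddress` / `returnAddress`.
-- NOTE(review): if readInteger returns nil for an unreadable address, the
-- `frame + 4` below raises inside the debugger callback -- confirm CE's
-- behaviour before relying on this on hostile/obfuscated targets.
function debugger_onBreakpoint()
  local fmt = string.format

  -- n-th (1-based) stdcall argument as seen at the API entry point.
  local function arg(n)
    return readInteger(ESP + 4 * n)
  end

  -- Title line followed by one " NAME = hex" line per argument.
  local function dumpArgs(title, names)
    print(title)
    for i = 1, #names do
      print(fmt(" %s = %x", names[i], arg(i)))
    end
  end

  if EIP == addressOfSend then
    dumpArgs("WS2_32.send", { "SOCKET", "BUFFER", "LENGTH", "FLAGS" })
  elseif EIP == addressOfGetStatus1 then
    dumpArgs("Kernel32.GetQueuedCompletionStatus",
      { "CompletionPort", "lpNumberOfBytes", "lpCompletionKey", "lpOverlapped", "dwMilliseconds" })
  elseif EIP == addressOfGetStatus2 then
    -- Silently resume when the dword at lpCompletionPortEntries+12 is zero.
    -- NOTE(review): this is read at function entry, i.e. before this call has
    -- filled the caller's array, so it reflects whatever was there before;
    -- treat it as a noise-reduction heuristic, not a check on completed I/O.
    if readInteger(arg(2) + 12) == 0 then
      debug_continueFromBreakpoint(0)
      return 1
    end
    dumpArgs("Kernel32.GetQueuedCompletionStatusEx",
      { "CompletionPort", "lpCompletionPortEntries", "ulCount", "ulNumEntriesRemoved", "dwMilliseconds", "fAlertable" })
  elseif EIP == addressOfCreateIoCompletionPort then
    dumpArgs("Kernel32.CreateIoCompletionPort",
      { "FileHandle", "ExistingCompletionPort", "CompletionKey", "NumberOfConcurrentThreads" })
  end

  -- Return-address views; printed for every hit, matched or not.
  local topReturn = readInteger(ESP)
  print(fmt(" RETURN = %x (%s)", topReturn, getNameFromAddress(topReturn)))
  local callerReturn = readInteger(EBP + 4)
  print(fmt(" RETURN = %x (%s)", callerReturn, getNameFromAddress(callerReturn)))
  local frame = readInteger(EBP)
  for _ = 1, 4 do
    local ret = readInteger(frame + 4)
    print(fmt(" RETURN = %08x (%s)", ret, getNameFromAddress(ret)))
    frame = readInteger(frame)
  end
  print("")

  debug_continueFromBreakpoint(0)
  return 1
end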
-- Arm the four breakpoints; the handler defined above is already in place when
-- the first hit arrives.
local hooked = { addressOfSend, addressOfGetStatus1, addressOfGetStatus2, addressOfCreateIoCompletionPort }
for i = 1, 4 do
  debug_setBreakpoint(hooked[i])
end
-- WS2_32.send hook script with backtrace
-- Resolve the export once; debugger_onBreakpoint compares EIP against it.
addressOfSend = getAddress("WS2_32.send")
print(("WS2_32.send = %x"):format(addressOfSend))
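-- Breakpoint handler for the send() hook. On a hit at WS2_32.send it prints the
-- return address on top of the stack, the caller's saved return at EBP+4, nine
-- further frames walked along the saved-EBP chain (meaningful only while the
-- frames keep frame pointers), then the four stdcall arguments read as 4-byte
-- slots at ESP+4..ESP+16 (32-bit target only), and resumes. Always returns 1.
-- Change from the original: the walk uses locals instead of leaking the globals
-- `preBaseAddress` / `returnAddress`.
-- NOTE(review): for a breakpoint at any other address this returns 1 without
-- calling debug_continueFromBreakpoint -- confirm the target resumes as intended.
function debugger_onBreakpoint()
  if EIP ~= addressOfSend then
    return 1
  end
  local fmt = string.format

  print(fmt(" RETURN = %x", readInteger(ESP)))
  print(fmt(" RETURN = %x", readInteger(EBP + 4)))
  local frame = readInteger(EBP)
  for _ = 1, 9 do
    local ret = readInteger(frame + 4)
    print(fmt(" RETURN = %08x (%s)", ret, getNameFromAddress(ret)))
    frame = readInteger(frame)
  end

  -- Only the buffer *pointer* and length are shown; the payload bytes are not read.
  local names = { "SOCKET", "BUFFER", "LENGTH", "FLAGS" }
  for i = 1, #names do
    print(fmt(" %s = %x", names[i], readInteger(ESP + 4 * i)))
  end

  debug_continueFromBreakpoint(0)
  return 1
end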
-- Re-arm the send() breakpoint now that the handler above is defined
-- (removing first presumably avoids a duplicate on the same address).
debug_removeBreakpoint(addressOfSend)
debug_setBreakpoint(addressOfSend)
-- One hit cpu state for tracing (toggle breakpoint in memory viewer and wait for break)
-- Prints EIP with its symbol and the saved return at EBP+4, the general
-- registers, the four dwords at EBP+8..EBP+20 (presumably the arguments of a
-- frame that has already set up EBP -- confirm for the chosen break location)
-- and EFLAGS. The breakpoint at EIP is then removed and the target resumed, so
-- this fires once. Returns 1. Uses 32-bit register names: x86 targets only.
function debugger_onBreakpoint()
  local fmt = string.format
  local savedReturn = readInteger(EBP + 4)
  print(fmt("EIP = %08x (%s) RETURN = %08x (%s)",
    EIP, getNameFromAddress(EIP), savedReturn, getNameFromAddress(savedReturn)))
  print(fmt(" EAX = %08x EBX = %08x ECX = %08x EDX = %08x", EAX, EBX, ECX, EDX))
  print(fmt(" EDI = %08x ESI = %08x EBP = %08x ESP = %08x", EDI, ESI, EBP, ESP))
  local slots = {}
  for k = 1, 4 do
    slots[k] = readInteger(EBP + 4 + 4 * k)
  end
  print(fmt(" P01 = %08x P02 = %08x P03 = %08x P04 = %08x", slots[1], slots[2], slots[3], slots[4]))
  print(fmt(" EFLAGS = %08x", EFLAGS))
  -- one-shot: tear the breakpoint down before resuming
  debug_removeBreakpoint(EIP)
  debug_continueFromBreakpoint(0)
  return 1
end
-- Collect WS2_32.send parameters and save to file
-- Export address compared against EIP in the handler, plus the table of
-- packets seen so far, keyed by socket handle (filled by debugger_onBreakpoint).
addressOfSend = getAddress("WS2_32.send")
sockets = {}
-- Append one frame to a backtrace record. `backtrace` is { count = n,
-- addresses = {} } with entries stored at the 0-based indices 0..count-1;
-- each entry holds the return address and the name Cheat Engine resolves for it.
function pushBackTrace(backtrace, address)
  local slot = backtrace.count
  backtrace.addresses[slot] = {
    name = getNameFromAddress(address),
    address = address,
  }
  backtrace.count = slot + 1
end
-- Fill `target` (a backtrace record, see pushBackTrace) from the current CPU
-- state: first the return address on top of the stack, then the caller's
-- saved return at EBP+4, then `level` more frames walked along the saved-EBP
-- chain. The walk assumes every frame keeps a frame pointer; with
-- FPO/omit-frame-pointer code the addresses are meaningless.
-- NOTE(review): if readInteger yields nil for an unreadable address the
-- `frame + 4` below raises inside the debugger callback -- confirm CE's behaviour.
function setBacktrace(target, level)
  pushBackTrace(target, readInteger(ESP))
  pushBackTrace(target, readInteger(EBP + 4))
  local frame = readInteger(EBP)
  for _ = 1, level do
    pushBackTrace(target, readInteger(frame + 4))
    frame = readInteger(frame)
  end
end
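-- Append one recorded send() call to the packet log as a tab-separated line:
-- socket, buffer address (8 hex digits), length, then address/name pairs for
-- every backtrace entry; every field, including the last, is followed by a tab
-- (the original layout, kept so existing consumers of packets.txt still parse).
-- Only the buffer *pointer* is logged -- the payload bytes are never read.
-- `path` is optional and defaults to the original hard-coded log file.
-- Fix: io.open's result is now checked; on failure a message is printed and
-- the call returns instead of raising inside the debugger callback.
function appendToPackets(obj, path)
  path = path or "d:\\packets.txt"
  local file, err = io.open(path, "a")
  if not file then
    print(string.format("appendToPackets: cannot open %s: %s", path, tostring(err)))
    return
  end

  local fields = {
    tostring(obj.socket),
    string.format("%08x", obj.buffer),
    tostring(obj.length),
  }
  local bt = obj.backtrace
  if bt ~= nil then
    for bi = 0, bt.count - 1 do
      local entry = bt.addresses[bi]
      if entry ~= nil then
        fields[#fields + 1] = string.format("%08x", entry.address)
        fields[#fields + 1] = tostring(entry.name)
      end
    end
  end

  file:write(table.concat(fields, "\t"), "\t\n")
  file:close()
end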
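-- True when two recorded send() calls look like the same call site: identical
-- buffer address and an identical sequence of backtrace return addresses.
-- Only the buffer *pointer* is compared, never its contents, so a reused
-- buffer carrying a different payload is treated as a duplicate.
-- Fix: the original took both lengths from packet1 (`bi = packet1.backtrace.count`),
-- so a packet2 with a shorter backtrace indexed nil and a longer one was
-- wrongly reported equal; lengths are now compared properly. A missing
-- backtrace is treated as empty instead of raising.
function compare(packet1, packet2)
  if packet1.buffer ~= packet2.buffer then
    return false
  end
  local bt1 = packet1.backtrace or { count = 0, addresses = {} }
  local bt2 = packet2.backtrace or { count = 0, addresses = {} }
  if bt1.count ~= bt2.count then
    return false
  end
  for i = 0, bt1.count - 1 do
    if bt1.addresses[i].address ~= bt2.addresses[i].address then
      return false
    end
  end
  return true
end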
-- Breakpoint handler. At WS2_32.send it records (socket, buffer pointer,
-- length) plus a 9-entry backtrace, keeps one record per distinct
-- (buffer, backtrace) per socket, appends each new record to the packet log
-- and resumes. Only the pointer is stored; the bytes being sent are not read.
-- A hit at any other address gets a one-shot CPU-state dump and its breakpoint
-- removed. Always returns 1.
-- NOTE(review): that second branch returns without debug_continueFromBreakpoint
-- -- confirm the target resumes as intended.
function debugger_onBreakpoint()
  local fmt = string.format

  if EIP ~= addressOfSend then
    local ret = readInteger(EBP + 4)
    print(fmt("EIP = %08x (%s) RETURN = %08x (%s)", EIP, getNameFromAddress(EIP), ret, getNameFromAddress(ret)))
    print(fmt(" EAX = %08x EBX = %08x ECX = %08x EDX = %08x", EAX, EBX, ECX, EDX))
    print(fmt(" EDI = %08x ESI = %08x EBP = %08x ESP = %08x", EDI, ESI, EBP, ESP))
    print(fmt(" P01 = %08x P02 = %08x P03 = %08x P04 = %08x",
      readInteger(EBP + 8), readInteger(EBP + 12), readInteger(EBP + 16), readInteger(EBP + 20)))
    print(fmt(" EFLAGS = %08x", EFLAGS))
    debug_removeBreakpoint(EIP)
    return 1
  end

  -- stdcall arguments at the API entry point (32-bit target)
  local packet = {
    socket = readInteger(ESP + 4),
    buffer = readInteger(ESP + 8),
    length = readInteger(ESP + 12),
    backtrace = { count = 0, addresses = {} },
  }
  setBacktrace(packet.backtrace, 7)

  local entry = sockets[packet.socket]
  local isNew = true
  if entry == nil then
    entry = { socket = packet.socket, count = 0, hits = 0, packets = {} }
    sockets[packet.socket] = entry
  else
    -- linear scan over everything already seen on this socket
    for i = 0, entry.count - 1 do
      if compare(packet, entry.packets[i]) == true then
        isNew = false
        break
      end
    end
  end
  entry.hits = entry.hits + 1

  if isNew then
    entry.packets[entry.count] = packet
    entry.count = entry.count + 1
    appendToPackets(packet)
  end
  debug_continueFromBreakpoint(0)
  return 1
end
print(("WS2_32.send = %x"):format(addressOfSend))
-- Re-arm the send() breakpoint now that the handler is defined (removing first
-- presumably avoids a duplicate on the same address).
debug_removeBreakpoint(addressOfSend)
debug_setBreakpoint(addressOfSend)