
Replacing an embedded lua with my own?

Discussion in 'Reverse engineering' started by charles42, Apr 13, 2016.


  1. charles42

    New Member

    Hi guys

    I'm playing this game 'factorio' which uses lua as its script engine (single exe file, lua statically linked I think)
    Unfortunately, this is bare bones lua. For example the "io" and "os" modules are disabled.

    I managed to re-enable those modules by NOPing the calls to the functions that disable them, so at least there is that.

    The second thing I would like to do is to be able to extend the lua interpreter with a better one. For example, I just compiled one with sockets support (lua.sockets) and another one which brings python inside lua, with a shared state (crazy).

    How would someone go about achieving that in a smart way?

    idea 1:
    1) inject my lua dll at runtime
    2) hook all the lua functions of factorio.exe to my own functions that will call the recently injected dll

    idea 2:
    I don't have another idea :) which is yours ?

    Thanks guys !
     
  2. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    lua with python sounds very interesting since i am a python guy.

    lua ain't my field, however idea 1 option 2 sounds like the best way. If you can control your own functions via callback, what more do you want :)
     
  3. charles42

    New Member

    how would I achieve this kind of hooking ?
    I never did that. Only thing I know to do is to use python with winappdbg, and have pre and post hooks, but it seems I'll need to do that in C (it's ok for me too).
    Or maybe I can do that in python with ctypes? This would be fun. Having a python script hooking the factorio executable with winappdbg, and this python script would also load my own lua dll with ctypes. Do you think it would be possible to do that?

    However, I do not know how to "replace" a function. Those pre and post hooks available through winappdbg, as far as I know, can't have a "detour" hook functionality, where I would completely bypass the original functions... not sure where to go from there. Does someone have some literature about that?

    Thanks !
     
  4. CryptX0r

    Member

    What you should look at doing is see if you can hook the functions externally and then write a passthrough to your own interpreter.
    Basically what you want to do is try to inject your own function which will pass through to your LUA interpreter (or python/whatever).

    For austerity's sake the function you are trying to hook is "loadMessageOne" in "app.dll" which is loaded from "app.exe". You want to hook "loadMessageOne" and replace it with "loadMessageTwo".
    There are a few things you can do to achieve that.
    1.) Code Injection (Replace "loadMessageOne" with a jump to "loadMessageTwo", and create "loadMessageTwo" in an alignment block or similar)
    2.) Depending on the complexity of "app.dll" you could just extract the exports and recode it with your own functions
    3.) Attempt to hijack "loadMessageOne" using a dll hijack (which is what most "script hooks" do as it is often the only way)

    Just be aware the above is just theory and actual application is not as easy as the theory heh...
     
    Rip Cord likes this.
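Option 1 above (overwrite the start of "loadMessageOne" with a jump to "loadMessageTwo") leaves a recognisable mark in memory, and the complementary check an anti-cheat or EDR runs is to read each function's first bytes and see whether they already redirect somewhere else. The following is an added example, not code from this thread or from the game; the export table for "app.dll" and its addresses are constructed for illustration, and the `FF 25` case is decoded as x64 RIP-relative.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_JMP_RIP_IND } hook_kind;

/* Read a little-endian signed 32-bit displacement without relying on host endianness. */
static int32_t read_le32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Inspect the first bytes of a function (read from func_addr) for an inline detour.
 * E9 rel32 is the classic 5-byte jump a hooking library writes over the prologue;
 * FF 25 disp32 is "jmp [rip+disp]", so *target receives the address of the pointer slot.
 * Returns what was found; *target is only valid when the result is not HOOK_NONE. */
hook_kind detect_prologue_jmp(uint64_t func_addr, const uint8_t *code, size_t len, uint64_t *target)
{
    if (len >= 5 && code[0] == 0xE9) {                      /* jmp rel32 */
        *target = func_addr + 5 + (int64_t)read_le32(code + 1);   /* relative to next instruction */
        return HOOK_JMP_REL32;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {   /* jmp [rip+disp32] (x64) */
        *target = func_addr + 6 + (int64_t)read_le32(code + 2);
        return HOOK_JMP_RIP_IND;
    }
    return HOOK_NONE;
}

/* Constructed sample: three exports of an imaginary app.dll and their first 8 bytes. */
typedef struct { const char *name; uint64_t addr; uint8_t code[8]; } export_entry;

static const export_entry sample_exports[] = {
    { "loadMessageOne", 0x140001000ULL, { 0xE9, 0xFB, 0x0F, 0x00, 0x00, 0xCC, 0xCC, 0xCC } }, /* detoured to 0x140002000 */
    { "loadMessageTwo", 0x140002000ULL, { 0x48, 0x89, 0x5C, 0x24, 0x08, 0x57, 0x48, 0x83 } }, /* mov [rsp+8],rbx: intact */
    { "freeMessage",    0x140003000ULL, { 0xFF, 0x25, 0xFA, 0x0F, 0x00, 0x00, 0x90, 0x90 } }, /* jmp [rip+0xFFA] */
};
#define N_EXPORTS (sizeof sample_exports / sizeof sample_exports[0])

/* Walk the sample table, report each redirected prologue, and return how many were found. */
int count_detoured(void)
{
    int hits = 0;
    for (size_t i = 0; i < N_EXPORTS; i++) {
        uint64_t tgt = 0;
        hook_kind k = detect_prologue_jmp(sample_exports[i].addr, sample_exports[i].code, 8, &tgt);
        if (k != HOOK_NONE) {
            printf("%s @ 0x%llx begins with a %s -> 0x%llx\n", sample_exports[i].name,
                   (unsigned long long)sample_exports[i].addr,
                   k == HOOK_JMP_REL32 ? "jmp rel32" : "jmp [rip+disp32]", (unsigned long long)tgt);
            hits++;
        }
    }
    return hits;
}
```

On a live process the same check would be fed with bytes read from the loaded module and compared against the on-disk image, since a legitimate import thunk can also start with `FF 25`.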