I would like to know how it's possible to get the address of lua_State from a program which uses Lua. I'm not really experienced with assembler, but I know C++ pretty well.

This is how the source should look:

#pragma comment(lib, "lua51.lib")
#pragma comment(lib, "lua5.1.lib")

extern "C" {
#include <lua.h>
#include <lauxlib.h>
}

lua_State* L; // I want to get address of it but I haven't got source for remote program.
              // So I could use this state in my DLL injected to remote program.

int main()
{
     L = lua_open(); // in Lua 5.1, lua_open() is a compatibility macro for luaL_newstate()
     ////// loops here and function registrations.

     lua_close(L);
     return 1;
}

I tried on my own in IDA but didn't really know how to find it. In IDA it looks like this:

.text:00401000 ; =============== S U B R O U T I N E =======================================
.text:00401000
.text:00401000
.text:00401000 ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:00401000 _main           proc near               ; CODE XREF: __tmainCRTStartup+10Ap
.text:00401000
.text:00401000 argc            = dword ptr  4
.text:00401000 argv            = dword ptr  8
.text:00401000 envp            = dword ptr  0Ch
.text:00401000
.text:00401000                 push    esi
.text:00401001                 call    _luaL_newstate
.text:00401006                 mov     esi, ds:__imp__Sleep@4 ; Sleep(x)
.text:0040100C                 mov     ?L@@3PAUlua_State@@A, eax ; lua_State * L
.text:00401011
.text:00401011 loc_401011:                             ; CODE XREF: _main+15j
.text:00401011                 push    64h             ; dwMilliseconds
.text:00401013                 call    esi ; Sleep(x)  ; Sleep(x)
.text:00401015                 jmp     short loc_401011
.text:00401015 _main           endp
.text:00401015
.text:00401015 ; ---------------------------------------------------------------------------
.text:00401017                 align 4


.text:00401018 ; =============== S U B R O U T I N E =======================================
.text:00401018
.text:00401018 ; Attributes: thunk
.text:00401018
.text:00401018 _luaL_newstate  proc near               ; CODE XREF: _main+1p
.text:00401018                 jmp     ds:__imp__luaL_newstate
.text:00401018 _luaL_newstate  endp
.text:00401018
.text:0040101E
deepspace

On what operating system? Each OS assigns memory differently, and they have very different levels of protection. These protections exist to *stop* people from doing exactly what you're trying to do: fetch memory from some random process. – Nicol Bolas Apr 15 '13 at 12:45

1 Answer

If you double-click or hover your mouse over ?L@@3PAUlua_State@@A, you should get the address of L. You know that this memory location is L because ?L@@3PAUlua_State@@A is the mangled name for struct lua_State * L.

In the example above, it's easy to find L in this way because you have symbols. If you were to analyze a binary for which you don't have symbols, you would have to rely on context. In general, this requires more understanding of assembly, because you may need to be able to do things like trace the usage of function arguments and identify structures. Having FLIRT signatures for Lua would greatly simplify this process, assuming you could find or create them.

user1354557
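The answer rests on reading the decorated name: ?L@@3PAUlua_State@@A encodes a global variable of type struct lua_State *. As an added example (not code from the question, the answer, or the Lua project), the following Python script decodes that subset of the MSVC decoration scheme for data symbols, so the claim can be checked from a symbol list or a disassembly dump without IDA's own demangler. The symbol table it scans is constructed for the example and mirrors the names in the listing above; as the answer notes, none of this helps when the binary ships without symbols.

```python
"""Reading MSVC-decorated data symbols such as ?L@@3PAUlua_State@@A.

Added example, not code from the question, the answer, or Lua. It covers only
the part of the scheme needed for global/static data: a qualified name, a
storage-class digit, a type that is a basic type or a pointer chain ending in
a basic type or struct/class/union, and the variable's own CV qualifier.
Functions, templates and enums are out of scope.
"""

BASIC_TYPES = {
    "X": "void", "D": "char", "E": "unsigned char", "F": "short",
    "G": "unsigned short", "H": "int", "I": "unsigned int", "J": "long",
    "K": "unsigned long", "M": "float", "N": "double", "O": "long double",
}
EXTENDED_TYPES = {"N": "bool", "J": "__int64", "K": "unsigned __int64", "W": "wchar_t"}
AGGREGATE_KINDS = {"T": "union", "U": "struct", "V": "class"}
# The same letters qualify the pointee after 'P' and the variable itself at the end.
CV_QUALIFIERS = {"A": "", "B": "const", "C": "volatile", "D": "const volatile"}
STORAGE_CLASSES = {
    "0": "private: static", "1": "protected: static", "2": "public: static",
    "3": "",        # ordinary global variable, as in the listing
    "4": "static",  # function-local static
}


class DemangleError(ValueError):
    """Raised for malformed input or names outside the supported subset."""


def _parse_qualified_name(sym, i):
    """Parse 'inner@outer@@' at sym[i]; return ('outer::inner', index after '@@')."""
    end = sym.find("@@", i)
    if end == -1:
        raise DemangleError("unterminated qualified name")
    parts = sym[i:end].split("@")
    return "::".join(reversed(parts)), end + 2


def _parse_type(sym, i):
    """Parse a type encoding at sym[i]; return (type_text, next_index)."""
    if i >= len(sym):
        raise DemangleError("symbol ends inside a type")
    c = sym[i]
    if c == "P":  # pointer; the following letter qualifies the pointee
        if i + 1 >= len(sym) or sym[i + 1] not in CV_QUALIFIERS:
            raise DemangleError("bad pointee qualifier")
        cv = CV_QUALIFIERS[sym[i + 1]]
        pointee, j = _parse_type(sym, i + 2)
        return pointee + (" " + cv if cv else "") + " *", j
    if c in AGGREGATE_KINDS:  # 'Ulua_State@@' -> 'struct lua_State'
        name, j = _parse_qualified_name(sym, i + 1)
        return AGGREGATE_KINDS[c] + " " + name, j
    if c == "_":
        if i + 1 < len(sym) and sym[i + 1] in EXTENDED_TYPES:
            return EXTENDED_TYPES[sym[i + 1]], i + 2
        raise DemangleError("unknown extended type")
    if c in BASIC_TYPES:
        return BASIC_TYPES[c], i + 1
    raise DemangleError("unsupported type code %r" % c)


def parse_data_symbol(sym):
    """Split a decorated data symbol into its parts, or raise DemangleError."""
    if not sym.startswith("?"):
        raise DemangleError("not a decorated C++ name")
    name, i = _parse_qualified_name(sym, 1)
    # Data symbols carry a storage-class digit here; functions carry a letter instead.
    if i >= len(sym) or sym[i] not in STORAGE_CLASSES:
        raise DemangleError("not a data symbol")
    storage = STORAGE_CLASSES[sym[i]]
    type_text, i = _parse_type(sym, i + 1)
    if i >= len(sym) or sym[i] not in CV_QUALIFIERS:
        raise DemangleError("missing variable qualifier")
    cv = CV_QUALIFIERS[sym[i]]
    if i + 1 != len(sym):
        raise DemangleError("trailing characters")
    return {"name": name, "storage": storage, "type": type_text, "cv": cv}


def demangle(sym):
    """Render a data symbol the way undname does, e.g. 'struct lua_State * L'."""
    p = parse_data_symbol(sym)
    return " ".join(x for x in (p["storage"], p["type"], p["cv"], p["name"]) if x)


def find_data_symbols_of_type(symbols, wanted_type):
    """Return (mangled, demangled) pairs for data symbols whose type equals wanted_type."""
    hits = []
    for sym in symbols:
        try:
            p = parse_data_symbol(sym)
        except DemangleError:
            continue  # C symbols, imports and functions are skipped
        if p["type"] == wanted_type:
            hits.append((sym, demangle(sym)))
    return hits


# Constructed symbol table mirroring the names in the IDA listing above.
SAMPLE_SYMBOLS = [
    "_main", "_luaL_newstate", "__imp__luaL_newstate", "__imp__Sleep@4",
    "?L@@3PAUlua_State@@A", "?g_ticks@@3KA",
]

if __name__ == "__main__":
    for mangled, readable in find_data_symbols_of_type(SAMPLE_SYMBOLS, "struct lua_State *"):
        print(mangled, "->", readable)
```

Run as a script it lists only ?L@@3PAUlua_State@@A, decoded as struct lua_State * L; feed it the names from a symbol dump instead of SAMPLE_SYMBOLS to do the same check on your own binary.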