-
Notifications
You must be signed in to change notification settings - Fork 4
Technical Details
The loader IEex.exe
will inject the IEex.dll
into the Infinity Engine (IE) game.
The IEex.dll
loads the lua52.dll
and fetches the addresses of specific Lua functions. The IEexLuaInit
function located within IEex.dll
is called which initializes a new Lua state, registers some internal Lua functions and loads an M__IEex.lua
file found in the override folder and executes it.
The IEexLuaInit
function registers the Lua IEex_Init
function with the Lua state and sets it to globally visible.
The Lua IEexInit
function in turn registers and sets global visibility to other Lua functions defined in IEex.dll
. These Lua functions are then available for usage from within IEex Lua files and game script files. The M__IEex.lua
file initially calls the Lua IEexInit
function.
- Check game executable exists
- Verify game executable
- Check other files exists
- Launch game executable
- Inject IEex.dll
IEex.exe
is the loader. It loads the game executable and injects the IEex.dll
. It can be ran from a command console or by double clicking on the IEex.exe
file.
IEex.exe
checks if a known Infinity Engine (IE) game executable can be located in the current directory. It looks for one of the following: BGMain.exe
, IDMain.exe
, IWD2.exe
or Torment.exe
. If none are found a message is displayed to the user and the program exits.
Once the IE game executable is located, it's Product Version is compared to determine if it is the latest known version. If it is not a message is displayed to the user and the program exits. The Product Version can be viewed by right clicking on the IE game executable, selecting properties and the details tab.
Additional checks are done to verify if IEex.dll
and M__IEex.lua
files exists. If any are not found a message is displayed to the user and the program exits.
The IE game executable that was previously found, is launched using the CreateProcess, but with the dwCreationFlags
parameter set to CREATE_SUSPENDED
.
CREATE_SUSPENDED
- The primary thread of the new process is created in a suspended state, and does not run until the ResumeThread function is called.
By creating the IE game process in a suspended state we easily obtain the process handle for the IE game process and prevent it from running until we are finished with it.
A small size of memory is allocated inside the suspended IE game process using VirtualAllocEx - exactly enough is allocated for the length of the full path and filename to the IEex.dll
file. The address of this allocated memory is stored for later use. The full path and filename is written into the IE game process memory (at the location allocated) using WriteProcessMemory. For example: C:\Black Isle\BGII\IEex.dll
The address of the LoadLibraryA function is obtained and stored for later use.
A new remote thread is created to run inside the IE game process using CreateRemoteThread with the lpStartAddress
parameter being set to the address of the LoadLibraryA function and the lpParameter
parameter being set to the address of the full path and filename to the IEex.dll
file (which was allocated and written to the IE game process earlier).
When the remote thread is executed in the IE game process it will allow for the LoadLibraryA function to be called with it's parameter being the address of the full path and filename to the IEex.dll
file. This will then load the IEex.dll
into the IE game process.
ResumeThread is then called to continue the IE game process that was suspended earlier (via CreateProcess with dwCreationFlags
set to CREATE_SUSPENDED
)
The IE game continues as normal, calling the DllMain in IEex.dll
via the LoadLibraryA call created by the CreateRemoteThread
Execution begins once the IE game process calls DllMain in IEex.dll
.
Options are read from the IEex.ini
. If no IEex.ini
file exists a new one is created with default values for the options it contains. The IE game type is detected and the addresses of some exported functions in the IE game are obtained and stored for later. Basic game information is logged to the IEex.log
file.
Some detailed information about the IE game executable is collected and logged (for debugging purposes). Information is also collected relating to the address of and size of the .TEXT
section in the IE game.
IEexLuaInit
is a cdecl
function that is stored in the IEex.dll
and is executed next from within IEex.dll
IEexLuaInit
uses the imported lua52.dll
and its functions to create a new Lua state and saves this to a g_lua
global variable for use in all the other Lua functions. It also opens all the base Lua libraries and registers a custom Lua "print"
function l_log_print
along with a Lua function: IEex_Init
, which are located in IEex.dll
.
The "print"
function that is registered allows IEex to log output to the console and to the IEex.log
file.
The M__IEex.lua
file is then loaded by the luaL_loadfilex
function and is executed with a call to the lua_pcallk
function. These functions are imported functions found in the lua52.dll
file).
When the IE game's Lua state encounters an IEex_Init
function in the M__IEex.lua
file as it is being executed, it will call the IEex_Init
Lua function - which was previously registered and is located in the IEex.dll
IEex_Init
is a cdecl
function that registers additional Lua helper cdecl
functions for the IEex project: IEexExposeToLua
, IEexWriteByte
, IEexCall
and IEex_AddressList
. In addition IEex_Init
also allocates an additional block of memory via VirtualAlloc and returns the address pointing to this block of memory on the Lua stack. This memory is used by the IEex project for various means.