CoSMOS Gamehacking Tool

Lua Mono API Documentation
  • ShaRose (ELITE) posted on Oct 20, 2020 12:45:13 AM
     
    So, I figured I'd give CoSMOS a try because I was getting annoyed with how CoSMOS is set up with multiple windows that like to hide away. I'm trying to mess with Phasmophobia: Specifically, I'm using all mono editing, so unless they obfuscate it later it should keep working for updates.

    With CoSMOS, I had a few options working already: Preventing the fusebox from tripping with too many lights, making it so the ghost can't kill you, setting money and XP, flicking the fusebox (On and off) remotely, and I was trying to set up a remote "Turn on all the lights" option before I started really running into issues with CoSMOS's lua api blowing up at me (Not being able to read from an array kind of sucks). I'm not even really playing the game: I'm just having fun hacking it up. (I tried and failed to set up a regular status thing for the ghost: Was hoping to have a section where it showed the type, name, age, favorite room, current room, state, and activity level of the ghost... But CoSMOS also gets confused about structs. Yay.)

    After some quick messing around, it turns out (despite the hilariously outdated documentation: Link only shows mono_invoke_method) that for the most part, I can just copy paste the scripts in just fine. The problem is that they don't seem to actually work, so I'm not sure if they are just placeholder functions or if they are actually working but there are changes. (If they are placeholders... Maybe test shouldn't report it's OK?)

    Specifically, one of the first lines has an issue: mono_findClass seems to always return 0.

    So, is there up-to-date documentation somewhere? I can't even really check the mono API itself because unlike CoSMOS it seems to be embedded into CoSMOS itself.
  • 0x90 (STAFF) posted on Oct 20, 2020 5:13:47 AM
     
    The documentation is missing a lot of LUA APIs, that's right. That's because I didn't find the time to write it. The big difference on mono between CE and Cosmos is the way they accept class and namespaces. In CE you often see something like this:

    Namespace:Class:Method

    while in Cosmos it's

    Namespace.Class:Method

    So please check your scripts. Regarding mono_findClass it takes 2 parameters. Namespace and class. Exactly like CE. You need to be attached to the game and mono functions must be active. Otherwise please post the script here.
  • 0x90 (STAFF) posted on Oct 20, 2020 5:19:34 AM
     
    These are all integrated mono APIs

    LaunchMonoDataCollector();
    mono_compileMethod(long);
    mono_enumDomains() => LuaTable;
    mono_findClass(string, string) => long;
    mono_findMethod(string, string, string) => long;
    mono_findMethodBySignature(string, string, string) => long
    mono_findMethodBySignature(string, string, string, string) => long
    mono_findMethods(string, string, string) => LuaTable
    mono_findAOBInMethods(string, string, string, string, int) => long
    mono_method_getClass(long) => long
    mono_method_getSignature(long) => string;
    mono_invoke_method(long, long, long, LuaTable) => object
    mono_class_getStaticFieldAddress(long) => long
    mono_class_getStaticFieldAddress(long, long) => long
  • ShaRose (ELITE) posted on Oct 20, 2020 3:46:26 PM
     
    Well, looks like I won't be able to use it anyways, since I use mono_class_enumFields, but at least the first line should work (And doesn't).

    mono_findClass('Assembly-CSharp', 'MainManager') returns a 0, which isn't valid for example. Unless findClass works slightly differently with Namespace, classname arguments it should work fine.

    Also, since I'm sure later more things will be added, any chance of adding a semi-smart class-to-table reader? Make it so a pointer and classid outputs a LuaTable estimation of the class, where basic value types are interpreted (Enums, Strings, Numbers) and complex classes are LuaTables containing classID, classname, and pointer? Could even include method pointers that autofill things, so if you have a class like LightSwitch, you can just call lightswitch.Use() and it'll call mono_invoke_method with all the needed arguments. Or check lightswitch.isOn and it'll return the actual value.

    Also, man, that firewall thing the forum has is terrible. I'd include more code but apparently posting lua in the CoSMOS forum is still considered close enough to hacking that I had to remove bits until it let me even preview the post.
  • 0x90 (STAFF) posted on Oct 21, 2020 2:18:28 AM
     
    Assembly-CSharp doesn't sound like a namespace but like the assembly. Try an empty string as namespace or make a screenshot in the .NET viewer of Cosmos or dnSpy of this class. (In .NET viewer of Cosmos it shows you the valid path).

    About your second part I'm not really sure if I understand. Do you want to see the memory structure of THE class? => Right click on that class in .net viewer and click on "Show structure". Do you want to see the memory structure of A specific class? If you have the base address of that class you can use the dissect structure tool. If you want to call a function you can do this with right click on the class in .net viewer as well.
  • ShaRose (ELITE) posted on Oct 21, 2020 8:27:42 PM
     
    Yeah, I'm not sure why CoSMOS even works when doing the assembly in place of the namespace: But sure enough, having it stay empty does find the classes.

    As for the second part, I mean I use fields to find offsets for classes. I actually reformatted my enable script a bit, so here's a gist: Link.

    I use mono_class_enumFields and mono_class_getName in the code to make it easier to figure out everything: And the way I do it works across updates, unless they start to obfuscate the code.

    As for what I meant by the last part, it should be possible to use lua metatables to make browsing mono objects in code far easier.

    If the metaobject knows the class ID and memory location, it could take that and figure out what each name wants.

    Take this example:

    mainManager = mono_get_metaobject(domain, classid, instance)
    mainManager.localPlayer.TurnBlinkOnOrOff(true)

    the object created by mono_get_metaobject would parse the classid (Probably cache it), and see that mainManager.localPlayer is a complex object. It would then return mono_get_metaobject(myDomain, localPlayerClassID, localPlayer).

    localPlayer would see that TurnBlinkOnOrOff is a function: So it'd return a function with the same number of arguments as the actual function that prepares the arguments passed to it and calls mono_invoke_method with all the needed arguments and call TurnBlinkOnOrOff through mono.

    I'm shocked the 'firewall' didn't catch that for too many brackets, but you get what I mean? It'd allow someone to browse through mono classes and fields as if they were all luatables. And it'd be all dynamic too. Simple values such as strings, floats, and ints could be written to normally as well. Arrays and lists could be exposed as luatables as well, even if just read only at first. It could make using the mono api trivial.
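
The metatable proxy described in the post above, as an added example that is not part of the original thread and not CoSMOS code. It runs in plain Lua against an in-memory mock: the class layout, the `level` field, `fake_invoke` and `new_metaobject` are hypothetical stand-ins, since the thread does not show a CoSMOS call for enumerating fields.

```lua
-- Added illustration: a metatable proxy over a MOCK object model.
-- Nothing here calls CoSMOS or Mono; classes, fields and instances are constructed.
local classes = {  -- constructed class metadata
  MainManager = { fields = { localPlayer = { kind = "object", class = "Player" } }, methods = {} },
  Player      = { fields = { level = { kind = "value" } },
                  methods = { TurnBlinkOnOrOff = { argc = 1 } } },
}
-- Constructed "memory": instance id -> field values (object fields hold an instance id)
local memory = { [1] = { localPlayer = 2 }, [2] = { level = 3 } }
local calls = {}  -- records what the fake invoke primitive received
-- Hypothetical stand-in for an invoke primitive such as mono_invoke_method
local function fake_invoke(class, method, instance, args)
  calls[#calls + 1] = { class = class, method = method, instance = instance, args = args }
end

local function new_metaobject(class, instance)
  local meta = classes[class]
  return setmetatable({}, {
    __index = function(_, key)
      local field = meta.fields[key]
      if field then
        local raw = memory[instance][key]
        if field.kind == "object" then return new_metaobject(field.class, raw) end
        return raw  -- simple value: hand it back unchanged
      end
      local method = meta.methods[key]
      if method then
        return function(...)  -- closure that checks arity, then forwards the call
          assert(select("#", ...) == method.argc, key .. ": wrong argument count")
          fake_invoke(class, key, instance, { ... })
        end
      end
      error(("no field or method '%s' on %s"):format(tostring(key), class), 2)
    end,
    __newindex = function(_, key, value)
      local field = meta.fields[key]
      if not field or field.kind ~= "value" then
        error(("cannot write '%s' on %s"):format(tostring(key), class), 2)
      end
      memory[instance][key] = value  -- only simple value fields are writable
    end,
  })
end

local mainManager = new_metaobject("MainManager", 1)
mainManager.localPlayer.TurnBlinkOnOrOff(true)   -- resolved through two proxies
mainManager.localPlayer.level = 4                -- write lands in the mock memory
assert(calls[1].method == "TurnBlinkOnOrOff" and calls[1].instance == 2)
assert(memory[2].level == 4)
```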
  • 0x90 (STAFF) posted on Oct 21, 2020 10:16:21 PM
     
    I agree that would be cool but LUA parsing is done by the LUA library. Which means it won't work this way. And in the end your example is only a simplified version of

    localPlayer = getAddress('[instance].localPlayer')
    local method = mono_findMethod(TurnBlinkOnOrOff)
    mono_invoke_method()

    FYI I had to remove some stuff otherwise the firewall wouldn't have let me post it.
All times are (GMT -06:00) Central Time (US & Canada).