Cheat Engine The Official Site of Cheat Engine

jgoemat Master Cheater Reputation: 22
Joined: 25 Sep 2011 Posts: 252
Posted: Sun Jul 14, 2013 8:02 am Post subject: New AA Templates Ready
This is frmautoinjectunit.pas renamed so I could upload it.
New procedure: TfrmAutoInject.menuFullInjectionClick
* uses defines for address and hex bytes being replaced
* asserts that the right bytes are there before overwriting them
New procedure TfrmAutoInject.menuAOBInjectionClick
* prompts for symbol name to use
* uses aobscan to find bytes to replace
* does an initial scan of the code being replaced, if there is only 1 match use the hex bytes we got
* if multiple matches, read the memory 20 bytes before and after each match and compare, masking any 4-byte operands over 0000FFFF, expanding until we get a single match
* prefers an extra 5 bytes behind the code in order to avoid using an offset for clarity, but will look behind replaced code and use offset
* if code being replaced is in a module, will use the new aobscanmodule and narrows the search to that module
Both:
* includes 10 lines before and after in comments at the bottom
* includes comment at top with exe name, date, and user automatically populated
Sample AOB script (you can see the aobscan needed three extra bytes to find a unique match), I entered 'ENERGY' for the symbol name:
Code:
{ Game : DustAET.exe
Version:
Date : 2013-07-14
Author : jgoemat
This script does blah blah blah
}
[ENABLE]
aobscan(ENERGY,D9 80 90 00 00 00 DB 80 94) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
fld dword ptr [eax+00000090]
jmp return
ENERGY:
jmp code
nop
return:
registersymbol(ENERGY)
[DISABLE]
ENERGY:
db D9 80 90 00 00 00
unregistersymbol(ENERGY)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 092FB201
092FB1E1: 00 00 - add [eax],al
092FB1E3: 00 00 - add [eax],al
092FB1E5: 00 00 - add [eax],al
092FB1E7: 00 E8 - add al,ch
092FB1E9: 0D 36090000 - or eax,0936
092FB1EE: 00 00 - add [eax],al
092FB1F0: 00 0E - add [esi],cl
092FB1F2: 36 09 4C D0 19 - or ss:[eax+edx*8+19],ecx
092FB1F7: 05 558BEC50 - add eax,50EC8B55
092FB1FC: A1 18343A03 - mov eax,[033A3418]
// ---------- INJECTING HERE ----------
092FB201: D9 80 90000000 - fld dword ptr [eax+00000090]
// ---------- DONE INJECTING ----------
092FB207: DB 80 94000000 - fild dword ptr [eax+00000094]
092FB20D: D9 5D FC - fstp dword ptr [ebp-04]
092FB210: D9 45 FC - fld dword ptr [ebp-04]
092FB213: DEF9 - fdivp st(1),st(0)
092FB215: D9C0 - fld st(0)
092FB217: D9 05 4C440C00 - fld dword ptr [000C444C]
092FB21D: D9C0 - fld st(0)
092FB21F: D8 05 D0B22F09 - fadd dword ptr [092FB2D0]
092FB225: DFF2 - fcomip st(0),st(2)
092FB227: DDD9 - fstp st(1)
}
I was thinking about adding a template to just add a variable to your script and register a symbol, it seems to be something I do a lot for testing especially:
Code:
// in enable, after newmem:
label(VAR_NAME)
VAR_NAME:
dd 0
registersymbol(VAR_NAME)
// in disable section:
unregistersymbol(VAR_NAME)
Attachment: frmautoinjectunit.cea (77.45 KB), description: Actually frmautoinjectunit.pas. Downloaded 694 time(s).

Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25301 Location: The netherlands
Posted: Sun Jul 14, 2013 4:52 pm
Thanks, I'll see about adding this
I think the AOB injection masking isn't working properly.
(Also, I think it might have been a lot easier if you just used the disassembler class and used the LastDisassembleData and used the separators to pinpoint the wildcard regions)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping

jgoemat Master Cheater Reputation: 22
Joined: 25 Sep 2011 Posts: 252
Posted: Thu Jul 18, 2013 5:02 pm
Dark Byte wrote:
    Thanks, I'll see about adding this
    I think the AOB injection masking isn't working properly.
    (Also, I think it might have been a lot easier if you just used the disassembler class and used the LastDisassembleData and used the separators to pinpoint the wildcard regions)
Can you give an example where the masking isn't working properly? I see that small negative offsets are masked when they needn't be, like '005A18A4 - 8D 8D 24FEFFFF - lea ecx,[ebp-000001DC]' because I was just checking the last 4 of the hex to be '0000' to avoid masking, you could change this line in TDisassemblyLine.GetMaskFlags to check for 'FFFF' also to keep small negative offsets from masking:
Code:
mask := (Length(part) = 8) and (RightStr(part, 4) <> '0000') and (RightStr(part, 4) <> 'FFFF');
I've attached a test script that assembles similar code into two places in a test region if you want to fiddle with it to show a problem, try the AOB template at 'test+1d'.
I could change it to use LastDisassembleData instead of splitting up the hex part of the disassembly if you want me to, but I think how it works is ok. Let's say we have a simple call with SeparatorCount=1 and bytes [232, 140, 201, 200, 255]. Right now I basically split the hex string 'E8 8CC9C8FF' by spaces and mask/unmask the number of bytes based on the size and the last 4 hex characters. With LastDisassembleData would you loop through the separators and create a value for each group or just check the last two bytes if there are 4?
Attachment: Test1.cea (2.47 KB), description: Sample script with two similar areas. Downloaded 706 time(s).

Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25301 Location: The netherlands
Posted: Thu Jul 18, 2013 5:21 pm
yeah, I already tested it and it seems to work ok. I can't get it to generate wildcard AOBs but that's probably because of the simple code locations I picked (or it doesn't do that at all, didn't check into it)
and yes, I already figured that adding negative value support could be done by adding the and <> 'FFFF'
I've implemented it in the svn already with some modifications.
About separators, it's an array containing indexes into the byte array (whose index starts at 0)
In the example, it's an array of length 1, with the only element having value 1
That means that the bytes can be split up into 2 chunks:
232 and 140,201,200,255
sometimes there is a separator index pointing to the last byte+1 so watch that (of course, since the usual usage is to copy till separatorindex-1 that doesn't cause an issue)
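The masking and expansion procedure from jgoemat's first post (mask 4-byte operands whose high word is neither 0000 nor FFFF, then extend the pattern until only one match remains), with the separator array Dark Byte describes just above standing in for the disassembler, as an added Python example that is not part of the thread, of Cheat Engine, or of the template code. The instruction bytes, separator indexes and memory layout are constructed for the example; it extends forward only (the no-offset case jgoemat's template prefers) and does not look behind the injection point.

```python
# Added example, not Cheat Engine's code and not jgoemat's template: build a unique
# wildcard AOB for an injection point by masking 4-byte operands that look like
# absolute addresses and appending following instructions until exactly one match.
# Instructions are (bytes, separators); separators are indexes into the byte array
# marking operand boundaries, standing in for LastDisassembleData.separators.

def operand_chunks(code, separators):
    """Split an instruction's bytes at the separator indexes.
    A separator equal to len(code) (the 'last byte + 1' case) is harmless."""
    bounds = sorted({0, len(code), *[s for s in separators if 0 < s <= len(code)]})
    return [code[a:b] for a, b in zip(bounds, bounds[1:])]

def looks_like_address(chunk):
    """Mask rule from the thread: wildcard a 4-byte operand unless its high 16 bits
    are 0000 (small positive) or FFFF (small negative, e.g. [ebp-000001DC])."""
    if len(chunk) != 4:
        return False
    high16 = chunk[2] | (chunk[3] << 8)
    return high16 not in (0x0000, 0xFFFF)

def instruction_pattern(code, separators):
    """Pattern for one instruction as a list of ints; None marks a wildcard byte."""
    pattern = []
    for chunk in operand_chunks(code, separators):
        pattern.extend([None] * 4 if looks_like_address(chunk) else chunk)
    return pattern

def find_all(memory, pattern):
    """Every offset in memory where the pattern matches (None matches any byte)."""
    n = len(pattern)
    return [off for off in range(len(memory) - n + 1)
            if all(p is None or memory[off + i] == p for i, p in enumerate(pattern))]

def unique_aob(memory, instructions, start, max_extra=8):
    """Start from instructions[start] and append following instructions until the
    pattern matches once. Returns (pattern, offset), or (None, hits) if it never
    became unique within max_extra extra instructions."""
    pattern = instruction_pattern(*instructions[start])
    nxt = start + 1
    while True:
        hits = find_all(memory, pattern)
        if len(hits) == 1:
            return pattern, hits[0]
        if nxt >= len(instructions) or nxt - start > max_extra:
            return None, hits
        pattern.extend(instruction_pattern(*instructions[nxt]))
        nxt += 1

def fmt_aob(pattern):
    """Render as aobscan() text, e.g. 'D9 80 90 00 00 00 E8 ?? ?? ?? ??'."""
    return " ".join("??" if b is None else f"{b:02X}" for b in pattern)

# Constructed memory: two near-identical code sequences that differ only in
# relocation-affected operands and, further down, in one stack offset.
COPY_A = [
    (bytes.fromhex("A118343A03"),   [1]),  # mov eax,[033A3418]      (masked)
    (bytes.fromhex("D98090000000"), [2]),  # fld dword ptr [eax+90]  <- injection point
    (bytes.fromhex("DB8094000000"), [2]),  # fild dword ptr [eax+94]
    (bytes.fromhex("E88CC9C8FF"),   [1]),  # call rel32, large displacement (masked)
    (bytes.fromhex("8D8D24FEFFFF"), [2]),  # lea ecx,[ebp-000001DC]  (FFFF word, kept)
]
COPY_B = [
    (bytes.fromhex("A120343A03"),   [1]),  # mov eax,[033A3420]
    (bytes.fromhex("D98090000000"), [2]),
    (bytes.fromhex("DB8094000000"), [2]),
    (bytes.fromhex("E83CC9C8FF"),   [1]),
    (bytes.fromhex("8D8D20FEFFFF"), [2]),  # lea ecx,[ebp-000001E0]  differs here
]
MEMORY = b"".join(c for c, _ in COPY_A) + b"\xCC" * 16 + b"".join(c for c, _ in COPY_B)

if __name__ == "__main__":
    pat, where = unique_aob(MEMORY, COPY_A, 1)
    print(f"aobscan(ENERGY,{fmt_aob(pat)}) // unique at offset {where}")
```

Run stand-alone it prints the aobscan line for the fld in COPY_A: the fld and fild alone match both copies, the call is wildcarded because its displacement is large, and the lea (whose FFFF high word is deliberately kept rather than masked) is what finally makes the pattern unique.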
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Fri Jul 19, 2013 9:44 am
@jgoemat, congrats. Can't +rep you (have to wait)
Looks like I don't have to make "lua script plugin" (autorun Lua script).
Last edited by mgr.inz.Player on Fri Jul 19, 2013 12:37 pm; edited 1 time in total
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25301 Location: The netherlands
Posted: Fri Jul 19, 2013 10:57 am
If you wish to you still can so people don't have to wait for 6.4
Geri Moderator Reputation: 111
Joined: 05 Feb 2010 Posts: 5636
Posted: Fri Jul 19, 2013 12:10 pm
It's a good thing to have an efficient template; I also have some templates just on my desktop for copy-pasting.
But there is one thing I like in the default template, and it's exactly its simplicity. If you come up with a final template, consider that most beginners have no idea what registersymbol, labels and stuff like that are. I even had to make a description for aobscan, because so many people could not use it. So if you make a template which is efficient but has symbols and labels all over the place, it will confuse them like hell.
And if they have to rename some symbols, it will confuse them even more.
At least this is what I see as one of the most common problems with beginner CE users. They have no idea whether labels or symbols are global or only local to the script, they have trouble understanding how aobscan works; it's a point in their learning where most of them need assistance. (We know that they won't read the help file.)
EDIT: Ah forget the rest, I see you have done everything you could to make this working for noobs, good job.
EDIT 2: And of course my whole post is irrelevant if this template will be for aobscan only, where using symbols is just unavoidable.
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25301 Location: The netherlands
Posted: Fri Jul 19, 2013 1:40 pm
since it's slightly related just letting you know I just added a new aa command:
Reassemble(address)
e.g. it can be used like this (for the cases you really can not find a proper injection spot)
Code:
[enable]
aobscan(bla, c6 05 ?? ?? ?? ?? 00 e8 ?? ?? ?? ?? b8 ?? ?? ?? ??)
alloc(newmem, 2048)
alloc(originalbytes, 7)
label(return)
label(originalcode)
registersymbol(originalbytes)
registersymbol(bla)
originalbytes:
readmem(bla,7) //store the original bytes
newmem:
mov [ecx+12],0 //do your stuff
originalcode:
reassemble(bla) //assemble the relocation affected code
jmp return
bla:
jmp newmem
nop
nop
return:
[disable]
bla:
readmem(originalbytes, 7) //restore the memory
dealloc(newmem)
dealloc(originalbytes)
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Fri Jul 19, 2013 3:17 pm
Nice. Previously I used:
- labels, if offsets are changing (after game update)
Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(bulletscode)
registersymbol(bulletscode)
label(changingOffset)
registersymbol(changingOffset)
aobscan(bulletscodeAOB, 89 4C 86 xx 5E C2)
[bulletscodeAOB+3]:
changingOffset:
bulletscodeAOB:
bulletscode:
jmp newmem
returnhere:
newmem:
//mov [esi+eax*4+40],ecx
db 89 4C 86 changingOffset
//cmp [esi+eax*4+40],5
db 80 7C 86 changingOffset 05
jge +5
//mov byte ptr [esi+eax*4+40],5
db C6 44 86 changingOffset 05
pop esi
jmp returnhere
[DISABLE]
bulletscode:
//Alt: mov [esi+eax*4+40],ecx
//Alt: pop esi
db 89 4C 86 changingOffset
db 5E C2
dealloc(newmem)
unregistersymbol(bulletscode)
unregistersymbol(changingOffset)
- or AA+LuaCall+Lua Function (LINK beta section)
EDIT:
hmm, still doesn't look good:
Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(bulletscode)
registersymbol(bulletscode)
alloc(originalbyte,1)
registersymbol(originalbyte)
aobscan(bulletscodeAOB, 89 4C 86 xx 5E C2)
originalbyte:
readmem(bulletscodeAOB+3,1)
bulletscodeAOB:
bulletscode:
jmp newmem
returnhere:
newmem:
//mov [esi+eax*4+40],ecx
db 89 4C 86
readmem(originalbyte,1)
//cmp [esi+eax*4+40],5
db 80 7C 86
readmem(originalbyte,1)
db 05
jge +5
//mov byte ptr [esi+eax*4+40],5
db C6 44 86
readmem(originalbyte,1)
db 05
pop esi
jmp returnhere
[DISABLE]
bulletscode:
//Alt: mov [esi+eax*4+40],ecx
//Alt: pop esi
db 89 4C 86
readmem(originalbyte,1)
db 5E C2
dealloc(newmem)
unregistersymbol(bulletscode)
unregistersymbol(changingOffset)
unregistersymbol(originalbyte)
Looks like reassemble will be helpful only for relocation affected code ("call XXXXXXXX" or "mov dword ptr [XXXXXXXX],00", and similar)
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25301 Location: The netherlands
Posted: Sat Jul 20, 2013 3:14 am
yes, it's mainly useful if the instruction you are interested in isn't affected by relocation but the instruction before and after it are.
e.g.:
Code:
call 00402000
mov [ecx],eax
je 00813014
since mov [ecx],eax is only 2 bytes long you MUST take either that call or je as part of the overwritten code. And with dynamically loaded modules the jump and call destination will be different so can't be hardcoded. So they need to be reassembled (Readmem won't work as they are eip relative instructions)
(also, your example isn't a relocation but a patch, in which case you REALLY can not use it as most likely other offsets of important structures have changed as well or the aob you found is that of another function.
E.g if that +40 part in your example changes, it might just as well be another getXXX property function)
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Sat Jul 20, 2013 8:09 am
"89 4C 86 xx 5E C2" - only one address. So, no problems with "another getXXX"
Anyway, yeah it's bad example.... (good for readmem, not good for reassemble)
Just to be sure, we can use it like this:
reassemble(something+1A) - we can add offset (or subtract). I tested it, it works. Is it correct?
reassemble(registeredsymbol) - so, it should work in another AA script too? (main AA script with aobscan's and registersymbol's, and empty [disable], and other 'child' AA script where we do the rest: reassemble, alloc, etc )
reassemble(defineZ) - defined. tested, works.
reassemble(label) - gives "label could not be found".
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25301 Location: The netherlands
Posted: Sat Jul 20, 2013 9:04 am
Offsets (+xxx) work, yes.
Labels don't work right now and I'm not sure I want to add support for that. (Labels tend to be in self-written locations)
Geri Moderator Reputation: 111
Joined: 05 Feb 2010 Posts: 5636
Posted: Sat Jul 20, 2013 10:26 am
Dark Byte wrote:
    yes, it's mainly useful if the instruction you are interested in isn't affected by relocation but the instruction before and after it are.
    e.g.:
    Code:
    call 00402000
    mov [ecx],eax
    je 00813014
    since mov [ecx],eax is only 2 bytes long you MUST take either that call or je as part of the overwritten code. And with dynamically loaded modules the jump and call destination will be different so can't be hardcoded. So they need to be reassembled (Readmem won't work as they are eip relative instructions)
    (also, your example isn't a relocation but a patch, in which case you REALLY can not use it as most likely other offsets of important structures have changed as well or the aob you found is that of another function.
    E.g. if that +40 part in your example changes, it might just as well be another getXXX property function)
Does this mean that CE will automatically convert a short jump into a long jump to the correct address based on original code? Because the original jump is probably a short jump a few bytes forward (that is more common).
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25301 Location: The netherlands
Posted: Sat Jul 20, 2013 10:56 am
yes, it reassembles it based on the new position.
basically, it just replaces the "reassemble()" line with the line it disassembled as assembler text, so when the assembler goes over it, it assembles it based on the current position. (So a long jump)
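What the "replace the reassemble() line with the disassembled text and let the assembler re-encode it at the new position" step amounts to for eip-relative branches, as an added Python example that is not Cheat Engine's code; the addresses and the call / mov [ecx],eax / je block are constructed to mirror Dark Byte's example above. It also shows why a readmem()-style byte copy of a call silently retargets it, and how a short je is widened to the 0F 84 rel32 form at its new location.

```python
# Added example, not Cheat Engine's code: re-encoding eip-relative x86 branches
# when they are moved to a new address (what reassemble() does), next to the
# verbatim byte copy that readmem() performs. All addresses are constructed.

def decode_relative(code, addr):
    """Decode one eip-relative branch located at addr.
    Returns (kind, cc, absolute_target, length), or None if the instruction
    is not relative. Handles E8 call rel32, E9 jmp rel32, EB jmp rel8,
    7x jcc rel8 and 0F 8x jcc rel32."""
    op = code[0]
    if op in (0xE8, 0xE9):
        disp = int.from_bytes(code[1:5], "little", signed=True)
        return ("call" if op == 0xE8 else "jmp", None, addr + 5 + disp, 5)
    if op == 0xEB:
        disp = int.from_bytes(code[1:2], "little", signed=True)
        return ("jmp", None, addr + 2 + disp, 2)
    if 0x70 <= op <= 0x7F:
        disp = int.from_bytes(code[1:2], "little", signed=True)
        return ("jcc", op & 0x0F, addr + 2 + disp, 2)
    if op == 0x0F and len(code) > 1 and 0x80 <= code[1] <= 0x8F:
        disp = int.from_bytes(code[2:6], "little", signed=True)
        return ("jcc", code[1] & 0x0F, addr + 6 + disp, 6)
    return None

def encode_rel32(kind, cc, target, addr):
    """Encode call / jmp / jcc to an absolute target in rel32 form placed at addr."""
    if kind == "call":
        opcode = b"\xE8"
    elif kind == "jmp":
        opcode = b"\xE9"
    else:
        opcode = bytes([0x0F, 0x80 | cc])
    disp = target - (addr + len(opcode) + 4)
    # to_bytes raises OverflowError if the target is beyond rel32 reach
    return opcode + disp.to_bytes(4, "little", signed=True)

def reassemble(code, old_addr, new_addr):
    """Re-encode a relative instruction from old_addr so that it reaches the same
    absolute target from new_addr; short forms are widened to rel32 (a 'long jump')."""
    kind, cc, target, _ = decode_relative(code, old_addr)
    return encode_rel32(kind, cc, target, new_addr)

def relocate_block(instructions, old_addr, new_addr):
    """Move a sequence of instructions: non-relative ones are copied verbatim (what
    readmem does), eip-relative ones are re-encoded for their new address.
    Returns [(new_instruction_address, bytes), ...]."""
    out = []
    src, dst = old_addr, new_addr
    for ins in instructions:
        dec = decode_relative(ins, src)
        piece = ins if dec is None else encode_rel32(dec[0], dec[1], dec[2], dst)
        out.append((dst, piece))
        src += len(ins)
        dst += len(piece)
    return out

# Constructed sample: the call / mov / je block from the thread at a made-up
# address, moved into a made-up code cave.
OLD_ADDR, NEW_ADDR = 0x00401000, 0x0A000000
CALL = encode_rel32("call", None, 0x00402000, OLD_ADDR)                    # call 00402000
MOV = bytes.fromhex("8901")                                                 # mov [ecx],eax
JE = encode_rel32("jcc", 0x4, 0x00813014, OLD_ADDR + len(CALL) + len(MOV))  # je 00813014
BLOCK = [CALL, MOV, JE]

if __name__ == "__main__":
    print("naive copy of the call now points to",
          hex(decode_relative(CALL, NEW_ADDR)[2]))
    for addr, piece in relocate_block(BLOCK, OLD_ADDR, NEW_ADDR):
        print(hex(addr), piece.hex(" ").upper())
```

The naive copy illustrates Dark Byte's readmem remark: the same five call bytes placed at NEW_ADDR resolve to a target 0x09BFF000 bytes away from the one they reached at OLD_ADDR, while the reassembled version still reaches 00402000. The mov is copied through untouched because it carries no eip-relative operand.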
Geri Moderator Reputation: 111
Joined: 05 Feb 2010 Posts: 5636
Posted: Sun Jul 21, 2013 1:08 am
Very nice feature. This will greatly increase the effectiveness of aobscan. I have used
je aobscanname+14
to solve the problem with short jumps and aobscan, but that is working only as long as the jump distance is the same. Which often changes unfortunately. But with this instruction, that problem will be also solved.