Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
JMP Always crashes this game ...

 
Doctor Death
Cheater
Reputation: 1

Joined: 26 Apr 2014
Posts: 42
Location: Breaking Code

Posted: Fri Feb 27, 2015 10:57 pm    Post subject: JMP Always crashes this game ...

So I'm trying to use a codecave to edit a register that resets the amount of bombs you have in a game.

So I set a breakpoint on the following instruction:

Code:
mov [esp+4C], eax


according to the debugger, eax = 2

(and in the game, it resets the amount of bombs you have to 2)


I tried using a codecave to increase the value of eax then move it into my bombs... so let's say

01E345AB is the address of the 'mov [esp+4C], eax' instruction.

why wouldn't the following code work?
Code:
alloc(newmem,1024)
newmem:
mov eax, 45
mov [esp+4C], eax

01E345AB:
jmp newmem


I don't see what's wrong with it. When I try it in the game, it crashes...

Also, I'm now learning how to use JMP, so don't be rude please.
Kyokyonos
Newbie cheater
Reputation: 0

Joined: 14 Apr 2009
Posts: 19

Posted: Fri Feb 27, 2015 11:13 pm

I can't remember much... but... it seems like your code is incomplete if that's not just a snippet. Can't remember whether or not what you have would produce an infinite loop-- if it's running from top to bottom, the JMP would probably always make it go back up to the top (where newmem begins) thus causing a crash? Who knows.


Anyways, select/highlight the instruction in memory viewer that you want to modify.

Then Tools -> Auto Assemble

From there Template -> Cheat Table Framework. Then once again, Template -> Code Injection.

The address of the instruction you selected at the beginning should automatically appear there, so press OK or whatever it says. (Alternatively, I think you could just do Template -> AOB injection which would probably be better/easier)

You should be able to see the instruction filled in with other auto-filled fields like labels and symbols. Find your instruction and add the modification immediately above it.

Once done, you should be able to go to File -> Assign to Cheat Table and enable it there.
unknown_k
Expert Cheater
Reputation: 5

Joined: 24 May 2011
Posts: 211

Posted: Sat Feb 28, 2015 1:19 am    Post subject: Re: JMP Always crashes this game ...

mov [esp+4C],eax = 3 bytes.
jmp newmem = 5 bytes.

Do the math.
Doctor Death
Cheater
Reputation: 1

Joined: 26 Apr 2014
Posts: 42
Location: Breaking Code

Posted: Sat Feb 28, 2015 1:41 am    Post subject: Re: JMP Always crashes this game ...

unknown_k wrote:
mov [esp+4C],eax = 3 bytes.
jmp newmem = 5 bytes.

Do the math.


How do I determine how many bytes instructions are?
unknown_k
Expert Cheater
Reputation: 5

Joined: 24 May 2011
Posts: 211

Posted: Sat Feb 28, 2015 2:28 am    Post subject: Re: JMP Always crashes this game ...

Doctor Death wrote:
unknown_k wrote:
mov [esp+4C],eax = 3 bytes.
jmp newmem = 5 bytes.

Do the math.


how do i determine how many bytes instructions are?


In CE's Memory View. Of course.

This is what jmp newmem actually looks like (image is just an example though)


and this is your opcode (again, an example; different look, same size)



EDIT: And I think you should follow Kyokyonos' wisdom, because Ctrl+Alt+T and Ctrl+I are awesome.
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25287
Location: The netherlands

Posted: Sat Feb 28, 2015 6:29 am

You're not jumping back to after the jmp newmem, and you're not saving enough instructions.
The easiest solution is to let CE do this for you using the code injection template.

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
Doctor Death
Cheater
Reputation: 1

Joined: 26 Apr 2014
Posts: 42
Location: Breaking Code

Posted: Sat Feb 28, 2015 8:06 pm    Post subject: Re: JMP Always crashes this game ...

Dark Byte wrote:
You're not jumping back to after the jmp newmem, and you're not saving enough instructions.
The easiest solution is to let CE do this for you using the code injection template.


Wow! It worked!

So let me break this down so I fully understand it. I have 2 questions about this, if you don't mind.


The original code to increase the bombs was:

Code:
mov [eax+4C],ebx

Which means, moving ebx into the memory contents at eax+4C (which is the value of my bombs).

So what I did was, I wanted to change ebx's value to "1337", then move ebx into my bombs, using a codecave, of course. Just not to mess up any of the surrounding code. So I made this using the template:

Code:
alloc(newmem,2048) // modded code
label(returnhere) // where to return to after it jumps
label(originalcode) // original code
label(exit) // the thing that jumps to return so it can end properly

newmem:
mov ebx, #1337 // Move 1337 into ebx

originalcode:
mov [eax+4C],ebx // Move ebx into my bombs
lea ecx,[ecx+00002080] // load the calculated address of ecx+00002080 and put it into ecx. I don't even know why it's included in the generated template, but it was right after the one above it.


exit:
jmp returnhere // jump to return here

096BF274:
jmp newmem // the address that increases my bombs. (moves ebx into eax+4C)
nop
nop
nop
nop
returnhere: // blah where to return to after the jump


Some questions:

a) How do you know how many nops to add after it jumps to the new memory?
b) The lea ecx,[ecx+00002080] part was after the part that incremented my bombs (mov [eax+4C],ebx). Why was it included in the original code if I only selected the (mov [eax+4C],ebx) part for the code injection?


Last edited by Doctor Death on Sat Feb 28, 2015 10:21 pm; edited 1 time in total
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25287
Location: The netherlands

Posted: Sat Feb 28, 2015 9:02 pm

a: It's not so much nops, but more a way to set the address of returnhere properly.
returnhere must point to the location after the instruction(s) you replaced.

A jmp is 5 bytes, so you need to save at least 5 bytes.
But since mov [eax+4C],ebx is only 3, you need at least 2 more, and since incomplete instructions are a bad idea, the whole next instruction (6 bytes big) needs to be replaced as well (so 9 bytes).
So, the number of nops is 9 - jumpsize = 9 - 5 = 4.

b: see answer a

Pingo
Grandmaster Cheater
Reputation: 8

Joined: 12 Jul 2007
Posts: 571

Posted: Sat Feb 28, 2015 9:08 pm    (This post has 1 review(s))

Look at the memory viewer.
Code:
096BF274 - 89 58 4C              - mov [rax+4C],ebx
096BF277 - 8D 89 80200000        - lea ecx,[rcx+00002080]


Code:
096BF274 - 89 58 4C              - mov [rax+4C],ebx

This is only 3 bytes long. To jump to a codecave, you need 5 bytes.
That means the first 2 bytes of the next instruction will be overwritten.
Code:
096BF277 - -->8D 89<-- 80200000        - lea ecx,[rcx+00002080]

The remaining bytes are nopped (80 20 00 00)


DB beat me to it..
What he said. I typed it out so maybe you can visualise it.

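Dark Byte's answer (a) and Pingo's byte walk-through are the same computation: keep stealing whole instructions until a 5-byte jmp fits, pad the rest with nops, and put returnhere at the first byte after the stolen instructions. The script below is an added example (not Cheat Engine's own code) that parses Memory Viewer style lines as Pingo pasted them and produces the patch bytes; the listing is copied from Pingo's post, while the cave address 0A000000 is made up.

```python
"""Hook-site arithmetic from the thread: steal whole instructions, count nops,
place returnhere. Added example, not Cheat Engine's own code."""
JMP_REL32_SIZE = 5  # 'jmp newmem' assembles to E9 + 4-byte displacement

def parse_listing(listing: str) -> list:
    """Memory Viewer style lines 'ADDR - BYTES - mnemonic' -> (addr, bytes, text)."""
    insns = []
    for line in listing.strip().splitlines():
        addr, hexbytes, text = (p.strip() for p in line.split(" - ", 2))
        insns.append((int(addr, 16), bytes.fromhex(hexbytes.replace(" ", "")), text))
    return insns

def stolen_size(insns: list) -> int:
    """Bytes covered by whole instructions until the 5-byte jmp fits."""
    size = 0
    for _, raw, _ in insns:
        size += len(raw)
        if size >= JMP_REL32_SIZE:
            break
    return size

def plan_hook(insns: list, cave: int) -> dict:
    """Build the patch for the hook site; refuses to split an instruction."""
    hook, size = insns[0][0], stolen_size(insns)
    if size < JMP_REL32_SIZE:
        raise ValueError(f"only {size} bytes listed, need {JMP_REL32_SIZE}")
    rel32 = (cave - (hook + JMP_REL32_SIZE)) & 0xFFFFFFFF  # relative to the byte after the jmp
    patch = b"\xE9" + rel32.to_bytes(4, "little") + b"\x90" * (size - JMP_REL32_SIZE)
    return {
        "stolen_bytes": size,           # 9 for the listing below
        "nops": size - JMP_REL32_SIZE,  # 9 - 5 = 4
        "returnhere": hook + size,      # first byte after the stolen instructions
        "patch": patch,                 # E9 rel32 followed by the nops
    }

# Listing copied from Pingo's post above; the cave address 0A000000 is made up.
LISTING = """096BF274 - 89 58 4C              - mov [rax+4C],ebx
096BF277 - 8D 89 80200000        - lea ecx,[rcx+00002080]"""

if __name__ == "__main__":
    for key, val in plan_hook(parse_listing(LISTING), cave=0x0A000000).items():
        print(key, val.hex(" ").upper() if isinstance(val, bytes) else hex(val))
```

Feeding it only the first line reproduces the original post's mistake: 3 bytes are not enough for the jmp, so the script refuses rather than overwrite half of the lea.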
Doctor Death
Cheater
Reputation: 1

Joined: 26 Apr 2014
Posts: 42
Location: Breaking Code

Posted: Sat Feb 28, 2015 10:21 pm

Dark Byte wrote:
a: It's not so much nops, but more a way to set the address of returnhere properly.
returnhere must point to the location after the instruction(s) you replaced.

A jmp is 5 bytes, so you need to save at least 5 bytes.
But since mov [eax+4C],ebx is only 3, you need at least 2 more, and since incomplete instructions are a bad idea, the whole next instruction (6 bytes big) needs to be replaced as well (so 9 bytes).
So, the number of nops is 9 - jumpsize = 9 - 5 = 4.

b: see answer a


Oh, ok.

But do you know exactly why something like "2C" would be one byte? Or why instructions take up a certain amount of bytes?

I've messed with instructions, done aobscan, changed bytes and a whole bunch of other stuff, but I want to completely understand it.
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

Posted: Sat Feb 28, 2015 10:44 pm

Because Intel said so?

http://ref.x86asm.net/coder32.html
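The length of an instruction follows from the encoding rules in the opcode table Zanzer links: one opcode byte, then a ModRM byte that says which registers are involved and whether a displacement follows, then an optional SIB byte and the displacement or immediate. The decoder below is an added example (not Cheat Engine or x86asm.net code) covering only the 32-bit, prefix-free opcodes that appear in this thread; the first two byte strings are taken from Pingo's listing, the third is the standard encoding of mov [esp+4C],eax, which carries an extra SIB byte because esp is the base register.

```python
"""Label each byte of a few x86-32 instructions to show where their length
comes from. Added example; only the opcodes seen in this thread, no prefixes."""
# opcode -> (has ModRM byte, immediate size in bytes)
OPCODES = {
    0x89: (True, 0),   # mov r/m32, r32   (mov [eax+4C],ebx)
    0x8B: (True, 0),   # mov r32, r/m32
    0x8D: (True, 0),   # lea r32, m       (lea ecx,[ecx+00002080])
    0xE9: (False, 4),  # jmp rel32        (the 5-byte 'jmp newmem')
    0x90: (False, 0),  # nop
}

def decode(code: bytes) -> tuple:
    """Return (length, labelled fields) for the instruction starting at code[0]."""
    op = code[0]
    has_modrm, imm = OPCODES[op]
    fields, i = [f"opcode {op:02X}"], 1
    if has_modrm:
        modrm = code[i]
        i += 1
        mod, rm = modrm >> 6, modrm & 0b111
        fields.append(f"modrm {modrm:02X} (mod={mod:02b} rm={rm:03b})")
        if mod != 0b11 and rm == 0b100:  # [esp+...] needs a SIB byte (SIB base=101 case not handled)
            fields.append(f"sib {code[i]:02X}")
            i += 1
        if mod == 0b01:
            disp = 1                     # disp8, e.g. the 4C in [eax+4C]
        elif mod == 0b10 or (mod == 0b00 and rm == 0b101):
            disp = 4                     # disp32, e.g. the 80200000 in [ecx+00002080]
        else:
            disp = 0                     # register direct or [reg] with no displacement
        if disp:
            fields.append(f"disp{8 * disp} {code[i:i + disp].hex().upper()}")
            i += disp
    if imm:
        fields.append(f"imm{8 * imm} {code[i:i + imm].hex().upper()}")
        i += imm
    return i, fields

def insn_length(code: bytes) -> int:
    return decode(code)[0]

if __name__ == "__main__":
    # First two byte strings come from Pingo's listing; the third is mov [esp+4C],eax.
    for hexstr in ("89 58 4C", "8D 89 80 20 00 00", "89 44 24 4C", "E9 87 0D 94 00"):
        length, fields = decode(bytes.fromhex(hexstr))
        print(f"{hexstr:18} {length} bytes: {', '.join(fields)}")
```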