Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
How to use AOBScan AA to do more than nop?
GreatUnknown
Posted: Thu Apr 09, 2015 8:31 pm

Fresco wrote:
add edx not eax!!!
don't comment the sub eax , 4

My mistake. I always learnt that the edx or ebx is the register holder and you want to store it in the second one. I'm guessing because it's a sub register?
Code:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem:
add edx,100

originalcode:
sub eax,04
mov [eax],edx

exit:
jmp returnhere

"Fahrenheit.exe"+15190C:
jmp newmem
returnhere:


This code crashes as well, think it's a lost cause.
Zanzer
Posted: Thu Apr 09, 2015 9:27 pm

The register inside brackets is the one with the address.
The other register holds the value.

Was that the original code you found and are trying to replace?

Code:
sub eax,04
mov [eax],edx


If so, then your latest code looks correct. It's possible more addresses than you think are using that instruction.

Right-click the instruction and select Find out what addresses this instruction accesses.

If it's more than your address, then you may need to find a different instruction.
GreatUnknown
Posted: Thu Apr 09, 2015 10:41 pm

Zanzer wrote:
The register inside brackets is the one with the address.
The other register holds the value.

Was that the original code you found and are trying to replace?

Code:
sub eax,04
mov [eax],edx


If so, then your latest code looks correct. It's possible more addresses than you think are using that instruction.

Right-click the instruction and select Find out what addresses this instruction accesses.

If it's more than your address, then you may need to find a different instruction.

That's what's accessing it, as I was told to try that.
Fresco
Posted: Fri Apr 10, 2015 9:22 am

Code:
sub eax,04
mov [eax],edx

Maybe it's doing a pointer thing where the value at address eax is an address as well. That may be the cause of the crash; however, without the original instruction(s) we can't tell.
Maybe post a snippet of the original code, a few lines before sub eax,04 and a few after it.

To copy code, just click the Memory View button, then browse to the address at which you could find mov [eax],edx (the address should be: "Fahrenheit.exe"+15190C) by right clicking anywhere in the code and selecting Go to address.
Then scroll up a few (like 10 or so) lines of code and start selecting code by holding the shift key while repeatedly pressing the down arrow key. Now right click one of the selected lines of code -> Copy to clipboard -> Bytes+Opcodes

Then paste here.

GreatUnknown
Posted: Fri Apr 10, 2015 10:44 am

Fresco wrote:
Code:
sub eax,04
mov [eax],edx

Maybe it's doing a pointer thing where the value at address eax is an address as well. That may be the cause of the crash; however, without the original instruction(s) we can't tell.
Maybe post a snippet of the original code, a few lines before sub eax,04 and a few after it.

To copy code, just click the Memory View button, then browse to the address at which you could find mov [eax],edx (the address should be: "Fahrenheit.exe"+15190C) by right clicking anywhere in the code and selecting Go to address.
Then scroll up a few (like 10 or so) lines of code and start selecting code by holding the shift key while repeatedly pressing the down arrow key. Now right click one of the selected lines of code -> Copy to clipboard -> Bytes+Opcodes

Then paste here.

True, this is the instruction without finding what writes to it:
Code:
Fahrenheit.exe+15C0D1 - 5F                    - pop edi
Fahrenheit.exe+15C0D2 - 5E                    - pop esi
Fahrenheit.exe+15C0D3 - 89 45 00              - mov [ebp+00],eax


This is what writes to it:
Code:
Fahrenheit.exe+15C0D1 - 5F                    - pop edi
Fahrenheit.exe+15C0D2 - 5E                    - pop esi
Fahrenheit.exe+15C0D3 - 89 45 00              - mov [ebp+00],eax


As you can see it's the same. This is the sub with 2 ops before it, and the rest:
Code:
Fahrenheit.exe+15C85D - 7E 06                 - jle Fahrenheit.exe+15C865
Fahrenheit.exe+15C85F - 89 0D A85B9800        - mov [Fahrenheit.exe+585BA8],ecx
Fahrenheit.exe+15C865 - 8B 40 3C              - mov eax,[eax+3C]
Fahrenheit.exe+15C868 - 8B 08                 - mov ecx,[eax]
Fahrenheit.exe+15C86A - 8B 01                 - mov eax,[ecx]
Fahrenheit.exe+15C86C - 2B 06                 - sub eax,[esi]


The jle is part of an instruction (I think, not hot on asm obv) as it follows the code until the second mov, the one with 8B 40 3C. Then the other 2 movs and the sub are what is accessed by the original instruction. Not what writes to it, as it does seem whenever I follow what writes to it. It's the same thing, pointing to pointers or pointing to itself?

Here's another instruction:
Code:
Fahrenheit.exe+151904 - 8B 40 3C              - mov eax,[eax+3C]
Fahrenheit.exe+151907 - 8B 48 FC              - mov ecx,[eax-04]
Fahrenheit.exe+15190A - 8B 11                 - mov edx,[ecx]
Fahrenheit.exe+15190C - 83 E8 04              - sub eax,04


The last mov 8B 11 is also what is accessed by the original address. Sorry if I'm not using the right terms, new but keen to learn!
Zanzer
Posted: Fri Apr 10, 2015 1:05 pm

Nowhere in all that code do I see the addresses you were trying to hack in your script.
Code:
sub eax,04
mov [eax],edx


Also, I told you to find out what addresses that instruction is accessing.
Not what instructions access that address.

Select the instruction you're trying to hack (mov [ebp+00],eax).
Right-click it and select Find out what addresses this instruction accesses.

If more addresses pop up than just the one you are trying to hack, then you're going to have difficulties.
Fresco
Posted: Fri Apr 10, 2015 1:15 pm

It crashes because indeed "it's doing a pointer thing" -Fresco

However I asked you to post here about 10 instructions before and after "Fahrenheit.exe"+15190C.
All you gave me so far is 3 instructions before and none after.

To explain it to you better:
eax, ebx, ecx ... consider them as variables ( people usually call them registers )
Just like x is in this equation: 3x=9
A variable is a number that changes. It has no other meaning, other than the meaning you give it.

Fahrenheit.exe+15190C is an address (also some kind of variable), but with a defined value, which is 0x83.
The 0x before the 83 means that the 83 is represented in hexadecimal notation.
Fahrenheit.exe+15190D is an address; it has a value of 0xE8.

mov, jmp, je, jle, sub, pop, push, etc... they are opcodes , they modify data or variables or registers or memory or sometimes they just do nothing ( i.e. nop )

0x83 0xE8 0x04 all together they form an instruction which does something.

sub eax,04 means "subtract ( value of 0x04 )" from variable ( register ) eax

So if the value of eax was 5, after the execution of the sub eax, 4 instruction eax would become 1.

mov [eax], 3 => means: go to address eax ( remember eax is a number, and addresses are just numbers ) and change the value of address eax into 3.

When saying address Fahrenheit.exe, Cheat Engine doesn't really mean some letters but an actual number like 0x04C03800.

Saying Fahrenheit.exe+15C868 means
add 0x15C868 to 0x04C03800, which is: 0x04D60068 (which is a number that can be stored in eax)

so if eax was Fahrenheit.exe+15C868 ( which is a number ), after
mov [eax], 3 the value at address Fahrenheit.exe+15C868 would become 3.

A pointer is when you store an address instead of a value.
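An added example, not code from the thread: a small Python model of the registers-are-numbers explanation above, run over the exact sequence GreatUnknown listed (mov eax,[eax+3C] / mov ecx,[eax-04] / mov edx,[ecx] / sub eax,04) followed by the mov [eax],edx that was being hooked. The memory layout and addresses are constructed for the demo; it shows that sub eax,04 changes only the register while mov [eax],edx writes memory, and that here the write lands in a slot that previously held a pointer, the "pointer thing" that turns a changed value into a crash.

```python
import struct

def rd32(mem, addr):
    """Read a little-endian 32-bit value at addr, i.e. what mov reg,[addr] does."""
    return struct.unpack_from("<I", mem, addr)[0]

def wr32(mem, addr, val):
    """Write a little-endian 32-bit value at addr, i.e. what mov [addr],reg does."""
    struct.pack_into("<I", mem, addr, val & 0xFFFFFFFF)

def build_memory():
    """Constructed 4 KiB toy memory (layout made up for the demo): an object whose
    field at +3C points at a block whose word at -4 is itself a pointer."""
    mem = bytearray(0x1000)
    obj, inner, slot = 0x100, 0x200, 0x300
    wr32(mem, obj + 0x3C, inner)   # [obj+3C]  -> inner  (read by mov eax,[eax+3C])
    wr32(mem, inner - 4, slot)     # [inner-4] -> slot   (read by mov ecx,[eax-04])
    wr32(mem, slot, 100)           # [slot]    -> 100    (read by mov edx,[ecx])
    return mem

def run_sequence(mem, eax):
    """Run the thread's listing at Fahrenheit.exe+151904..15190C plus the
    mov [eax],edx that followed it. Registers are plain Python ints."""
    regs = {"eax": eax}
    regs["eax"] = rd32(mem, regs["eax"] + 0x3C)    # mov eax,[eax+3C]
    regs["ecx"] = rd32(mem, regs["eax"] - 0x04)    # mov ecx,[eax-04]
    regs["edx"] = rd32(mem, regs["ecx"])           # mov edx,[ecx]
    regs["eax"] = (regs["eax"] - 4) & 0xFFFFFFFF   # sub eax,04: register only, no memory touched
    wr32(mem, regs["eax"], regs["edx"])            # mov [eax],edx: writes memory at address eax
    return regs

def demo():
    """Return the final registers and the pointer slot's content before/after."""
    mem = build_memory()
    before = rd32(mem, 0x1FC)   # slot inner-4 holds the address 0x300 before the write
    regs = run_sequence(mem, 0x100)
    after = rd32(mem, 0x1FC)    # afterwards it holds the plain number 100
    return regs, before, after

if __name__ == "__main__":
    regs, before, after = demo()
    print({k: hex(v) for k, v in regs.items()})
    print(f"[0x1FC] was {before:#x} (an address), now {after} (a value)")
```

Whatever later dereferences the word at 0x1FC now reads address 100 instead of 0x300, which is why "adding 100 to edx" in the hook can crash even though the arithmetic itself is harmless.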

GreatUnknown
Posted: Mon Apr 13, 2015 3:31 am

My mistake, here it is, all before the sub opcode:
Code:
Fahrenheit.exe+15C84C - 8B 11                 - mov edx,[ecx]
Fahrenheit.exe+15C84E - 83 C1 FC              - add ecx,-04
Fahrenheit.exe+15C851 - 89 48 3C              - mov [eax+3C],ecx
Fahrenheit.exe+15C854 - 2B 48 0C              - sub ecx,[eax+0C]
Fahrenheit.exe+15C857 - 3B 0D A85B9800        - cmp ecx,[Fahrenheit.exe+585BA8]
Fahrenheit.exe+15C85D - 7E 06                 - jle Fahrenheit.exe+15C865
Fahrenheit.exe+15C85F - 89 0D A85B9800        - mov [Fahrenheit.exe+585BA8],ecx
Fahrenheit.exe+15C865 - 8B 40 3C              - mov eax,[eax+3C]
Fahrenheit.exe+15C868 - 8B 08                 - mov ecx,[eax]
Fahrenheit.exe+15C86A - 8B 01                 - mov eax,[ecx]
Fahrenheit.exe+15C86C - 2B 06                 - sub eax,[esi]

Attached an image of it as well in case I missed anything out again. Thank you for being so patient with me.
Couldn't find sub eax,04 again, sorry. I'll give it another go but this game is doing my head in.

EDIT:

Found the sub eax,04:
Code:
RTSSHooks.dll+151E - 74 61                 - je RTSSHooks.dll+1581
RTSSHooks.dll+1520 - 8B 46 58              - mov eax,[esi+58]
RTSSHooks.dll+1523 - 8B 2E                 - mov ebp,[esi]
RTSSHooks.dll+1525 - 8D 4E 4A              - lea ecx,[esi+4A]
RTSSHooks.dll+1528 - 83 F8 04              - cmp eax,04
RTSSHooks.dll+152B - 72 18                 - jb RTSSHooks.dll+1545
RTSSHooks.dll+152D - 8D 49 00              - lea ecx,[ecx+00]
RTSSHooks.dll+1530 - 8B 55 00              - mov edx,[ebp+00]
RTSSHooks.dll+1533 - 3B 11                 - cmp edx,[ecx]
RTSSHooks.dll+1535 - 75 46                 - jne RTSSHooks.dll+157D
RTSSHooks.dll+1537 - 83 E8 04              - sub eax,04


There are 3 characters in the game; from what I've gathered they shared the same address somewhere/somehow for sanity, despite it being different for each of them.

[Attachments: sub.png, LULrZw4.png]
jgoemat
Posted: Mon Apr 13, 2015 7:50 am

Just to add a thought, it is entirely possible that there is code somewhere jumping into the middle of the code you are replacing since it spans multiple instructions, especially near a return:

Code:
// ---------- INJECTING HERE ----------
"Fahrenheit.exe"+15C0D3: 89 45 00              -  mov [ebp+00],eax
"Fahrenheit.exe"+15C0D6: 5D                    -  pop ebp
"Fahrenheit.exe"+15C0D7: 5B                    -  pop ebx
// ---------- DONE INJECTING  ----------


1) It's very possible that some code early in the function checks some condition and, if it doesn't want to make any modifications, it may jump to the pop ebp. When you replace these 5 bytes with a jmp instruction that could hose it. Have you tried 'dissect code' from the memory viewer?

2) If you just change the code to mov [ebp+00],50, because you probably want to move 32 bits (like eax), that instruction will be more than 3 bytes, overwriting the pops after the mov.

3) When you find the code that accesses the address you are looking at, are you sure it isn't on the stack? Inspect the registers (more info) and if ebp is near esp then it probably isn't what you are looking for.

4) Do a 'Find out what addresses this code access' from the memory viewer. It could be that the code is generic and used in many more places than just for sanity. It could be part of some scripting library that is doing a generic operation on an integer script variable for instance.
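An added example, not code from the thread or from Cheat Engine: a Python check for jgoemat's points 1 and 2 that parses a "Copy to clipboard -> Bytes+Opcodes" listing in both styles pasted in this thread, works out each instruction's length from the byte column, and reports which instructions a 5-byte jmp at the injection point overwrites and whether any conditional jump in the listing lands inside that span. The sample listing reuses jgoemat's three lines plus a constructed je that targets the pop ebp.

```python
import re
from collections import namedtuple

Instr = namedtuple("Instr", "off nbytes opcode")

# Matches both listing styles seen in this thread:
#   Fahrenheit.exe+15C0D1 - 5F                    - pop edi
#   "Fahrenheit.exe"+15C0D3: 89 45 00              -  mov [ebp+00],eax
LINE_RE = re.compile(
    r'^"?[\w.]+"?\+([0-9A-F]+)\s*[:-]\s*((?:[0-9A-F]+\s+)+)-\s*(.+?)\s*$', re.I)
# Conditional/unconditional jump whose target is written module+offset
BRANCH_RE = re.compile(r'^j\w+\s+\S+\+([0-9A-F]+)$', re.I)

def parse_listing(text):
    """Turn a CE Bytes+Opcodes listing into Instr tuples; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, '// ---- INJECTING HERE ----', etc.
        nbytes = sum(len(tok) // 2 for tok in m.group(2).split())  # 'A85B9800' = 4 bytes
        out.append(Instr(int(m.group(1), 16), nbytes, m.group(3)))
    return out

def jmp_overlap(text, inject_off, jmp_len=5):
    """Return (instructions overwritten by the jmp, branches landing inside the
    patched span other than at its first byte)."""
    instrs = parse_listing(text)
    span = range(inject_off, inject_off + jmp_len)
    clobbered = [i for i in instrs if i.off in span]
    targets = []
    for i in instrs:
        m = BRANCH_RE.match(i.opcode)
        if m:
            t = int(m.group(1), 16)
            if t in span and t != inject_off:
                targets.append((i.off, t))
    return clobbered, targets

# Constructed sample: jgoemat's three lines plus a made-up 'je' (74 24 = je rel8,
# +0x24 from 15C0B2) whose target is the pop ebp in the middle of the patched span.
SAMPLE = """\
Fahrenheit.exe+15C0B0 - 74 24                 - je Fahrenheit.exe+15C0D6
// ---------- INJECTING HERE ----------
"Fahrenheit.exe"+15C0D3: 89 45 00              -  mov [ebp+00],eax
"Fahrenheit.exe"+15C0D6: 5D                    -  pop ebp
"Fahrenheit.exe"+15C0D7: 5B                    -  pop ebx
// ---------- DONE INJECTING  ----------
"""

if __name__ == "__main__":
    hit, tgt = jmp_overlap(SAMPLE, 0x15C0D3)
    print("overwritten:", [(hex(i.off), i.opcode) for i in hit])
    print("branches into the patch:", [(hex(a), hex(t)) for a, t in tgt])
```

Any entry in the second list is a branch that will land in the middle of the jmp's encoding once the hook is applied, which is exactly the crash pattern point 1 describes.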
GreatUnknown
Posted: Mon Apr 13, 2015 8:06 am

The code is generic, or at least I found it being used in 2 other places. This game is a big headache for such an old game lol... Wolfenstein: TNO was easier. Funny thing is there's no trainer (I know this game is old and isn't the best for hacking) out there for sanity, only lives. This may be why; it's probably shared, as I checked what's accessed.
Fresco
Posted: Mon Apr 13, 2015 9:19 am

Never check what accesses a value (unless you want to find a pointer or do some backtracking).

If you want to find the code that modifies an address use only the "find out what writes..." option.

Unless the game is written in flash or it dynamically changes code memory locations you don't need AOB.

You may only need AOB if you update the game frequently enough or you want your cheat table to be compatible with all the versions of the game ever.

1) Go to
Code:
Fahrenheit.exe+15C868 - 8B 08                 - mov ecx,[eax]

2) Tools -> Auto Assemble
3) Template -> Cheat Table framework code
4) Template -> Code injection
5) On what address do you want the jump ? Fahrenheit.exe+15C868 ( just click ok )
6) Copy everything
7) Paste here
8) Make sure you haven't modified anything

As for that sub eax,4: it doesn't modify any memory!
All it does is subtract the value 4 from variable eax.

However, when you see [ angle brackets ], it does indeed mean that the instruction modifies some value at address (whatever number is between the angle brackets).

Zanzer
Posted: Mon Apr 13, 2015 6:42 pm

Does this get you the effect you want?
Code:
[ENABLE]
alloc(newmem,2048,"Fahrenheit.exe"+15C868)
label(returnhere)
label(originalcode)
label(exit)

newmem:

originalcode:
mov ecx,[eax]
mov eax,#100

exit:
jmp returnhere

"Fahrenheit.exe"+15C868:
jmp newmem
nop
returnhere:

[DISABLE]
dealloc(newmem)
"Fahrenheit.exe"+15C868:
mov ecx,[eax]
mov eax,[ecx]
sub eax,[esi]
Fresco
Posted: Mon Apr 13, 2015 7:10 pm

Also try this one:

Code:
[ENABLE]
alloc(newmem,2048,"Fahrenheit.exe"+15C868)
label(returnhere)
label(originalcode)
label(exit)

newmem:

mov [esi],#100

originalcode:
mov ecx,[eax]
mov eax,[ecx]
sub eax,[esi]

exit:
jmp returnhere

"Fahrenheit.exe"+15C868:
jmp newmem
nop
returnhere:

[DISABLE]
dealloc(newmem)
"Fahrenheit.exe"+15C868:
mov ecx,[eax]
mov eax,[ecx]
sub eax,[esi]

GreatUnknown
Posted: Tue Apr 14, 2015 5:00 pm

Sadly not, thanks though. Just messed up with hours played.