Cheat Engine Forum Index -> Cheat Engine
The Official Site of Cheat Engine
cheat engine -> ollydbg? (help with norecoil)

 
hashtag2
How do I cheat?
Reputation: 0

Joined: 06 Feb 2017
Posts: 3

PostPosted: Mon Feb 06, 2017 10:28 am    Post subject: cheat engine -> ollydbg? (help with norecoil)

hello guys. will try to be clear:

what do i want?

i have a game and i want to disable recoil once and for all.

where did i go?

so with CE i am able to find a memory address that is responsible for the recoil, for example these two bytes i have marked bold:
Quote:
062278D0 | 00 00 00 00 00 00 00 00

every time i run a game this address is different and it takes me a lot of time to figure it out.

with CE i am able to check the opcode which writes to the address above. this is how it looks:
Quote:
4BD47ACF - 89 83 40EB2006 - mov [ebx+0620EB40], eax <<

what now?

so i have all this stuff and when i attach a game into ollydbg, i got something like this:
Quote:
ollydbg screen w/ attached game :]

i would like to find out which instruction increases recoil (like i did it in CE), jump/ disable it and save a new .exe file.

the problem is that all addresses in ollydbg are different from those in CE, moreover doing a search for
Code:
mov [ebx+0620EB40], eax

gives no results obviously; searching just for
Code:
mov [ebx], eax

gives a lot of results, so i'm stuck.

any tips how could i move forward with this?

ps. i had 3 nice screenshots (in place of the above quotes) to make my point more clear, but cannot post urls, sorry
mgostIH
Expert Cheater
Reputation: 3

Joined: 01 Jan 2016
Posts: 159

PostPosted: Mon Feb 06, 2017 10:51 am    Post subject:

Try searching for the byte sequence for the opcode you found instead ( 89 83 40EB2006 ), otherwise you can just use the address of the code you found (This would work only if the game doesn't have Address Space Layout Randomization enabled, if it does, you also have to get the .exe base address).
_________________
Do you need to ask me something? Feel free to join my discord server at: https://discord.gg/At4VZXA or ask me something in my YouTube channel: https://www.youtube.com/c/mgostIH
SunBeam
I post too much
Reputation: 65

Joined: 25 Feb 2005
Posts: 4022
Location: Romania

PostPosted: Mon Feb 06, 2017 11:30 am    Post subject:

"4BD47ACF" <- just from this I can tell the game has some sort of protection, as the alignment of code is scrambled (should end in parity most of the time). And the opcode that accesses recoil is again a replacement instruction for something like "mov [ptr],eax" (where 'ebx' is the base static).

These are just assumptions, but based on them, you won't be able to just find out where to NOP code out and save the .exe as you might hit a "File corrupted" error. That is if this piece of code of yours is in file space and not allocated memory :)

Provide more details, please.

BR,
Sun

P.S.: You can PM me.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

PostPosted: Mon Feb 06, 2017 1:19 pm    Post subject:

I'm curious about why you're wanting to hard patch the target. As mgostIH has pointed out, just use an AOB signature for finding your injection location, then use a memory patch at run-time. And why are you using Olly for a basic no-recoil? As SunBeam says, please provide more details.
mgostIH
Expert Cheater
Reputation: 3

Joined: 01 Jan 2016
Posts: 159

PostPosted: Mon Feb 06, 2017 1:49 pm    Post subject:

SunBeam wrote:
"4BD47ACF" <- just from this I can tell the game has some sort of protection, as the alignment of code is scrambled (should end in parity most of the time). And the opcode that accesses recoil is again a replacement instruction for something like "mov [ptr],eax" (where 'ebx' is the base static).

These are just assumptions, but based on them, you won't be able to just find out where to NOP code out and save the .exe as you might hit a "File corrupted" error. That is if this piece of code of yours is in file space and not allocated memory :)

Provide more details, please.

BR,
Sun

P.S.: You can PM me.


It may very well be ASLR or dynamic functions caused by high level language abstraction; if there were an actual anticheat measure, I doubt he'd be able to use any debugger.

_________________
Do you need to ask me something? Feel free to join my discord server at: https://discord.gg/At4VZXA or ask me something in my YouTube channel: https://www.youtube.com/c/mgostIH
hashtag2
How do I cheat?
Reputation: 0

Joined: 06 Feb 2017
Posts: 3

PostPosted: Mon Feb 06, 2017 3:18 pm    Post subject:

wow, thanks for the replies guys, didn't expect this forum to be so alive <3

@mgostIH in CE the address for recoil is variable, every time i get a different one, now for example it is (always the 4th and 5th byte):
Quote:
062F78D0 | 00 00 00 00 00 00 00 00

and the opcode that is writing to these bytes is
Quote:
4D2B7ACF - 89 83 40EB2D06 - mov [ebx+062DEB40], eax

so searching for this instruction (or its binary sequence) w/ ollydbg seems pointless since it's slightly changing (for ex. ebx+0620EB40 - > ebx+062DEB40). moreover, syntaxes like ebx+062DEB40 will not be found in olly.

i think this opcode is the key for me since it's the only one which is called when firing (there are 2 more instructions accessing my 'recoil bytes', but they are in an infinite loop). when i highlight it, i get some more details in the bottom window:
Quote:
4D2B7ACA - 8B 07 - mov eax,[edi]
4D2B7ACC - 8B 5F FC - mov ebx,[edi-04]
4D2B7ACF - 89 83 40EB2D06 - mov [ebx+062DEB40],eax <<
4D2B7AD5 - 83 EF 04 - sub edi,04
4D2B7AD8 - BB C4554408 - mov ebx,084455C4

maybe this will shed some more light on the case.

i prefer to create an .exe in ollydbg since i've already changed some locked cvars and everything went fine (no corrupted file errors etc). well, i would just like to modify a game for my needs once and for all :]

cheers, ht2.
mgostIH
Expert Cheater
Reputation: 3

Joined: 01 Jan 2016
Posts: 159

PostPosted: Mon Feb 06, 2017 3:33 pm    Post subject:

hashtag2 wrote:
wow, thanks for the replies guys, didn't expect this forum to be so alive <3

@mgostIH in CE the address for recoil is variable, every time i get a different one, now for example it is (always the 4th and 5th byte):
Quote:
062F78D0 | 00 00 00 00 00 00 00 00

and the opcode that is writing to these bytes is
Quote:
4D2B7ACF - 89 83 40EB2D06 - mov [ebx+062DEB40], eax

so searching for this instruction (or its binary sequence) w/ ollydbg seems pointless since it's slightly changing (for ex. ebx+0620EB40 - > ebx+062DEB40). moreover, syntaxes like ebx+062DEB40 will not be found in olly.

i think this opcode is the key for me since it's the only one which is called when firing (there are 2 more instructions accessing my 'recoil bytes', but they are in an infinite loop). when i highlight it, i get some more details in the bottom window:
Quote:
4D2B7ACA - 8B 07 - mov eax,[edi]
4D2B7ACC - 8B 5F FC - mov ebx,[edi-04]
4D2B7ACF - 89 83 40EB2D06 - mov [ebx+062DEB40],eax <<
4D2B7AD5 - 83 EF 04 - sub edi,04
4D2B7AD8 - BB C4554408 - mov ebx,084455C4

maybe this will shed some more light on the case.

i prefer to create an .exe in ollydbg since i've already changed some locked cvars and everything went fine (no corrupted file errors etc). well, i would just like to modify a game for my needs once and for all :]

cheers, ht2.



If the code actually changes when you restart, you should be searching for different parts of code.
For example, the previous instructions you provided
Code:
4D2B7ACA - 8B 07  - mov eax,[edi]
4D2B7ACC - 8B 5F FC  - mov ebx,[edi-04]


are always the same? If not, how do they change?
I don't know what values the recoil variable is supposed to have, but if you want those to be always 0, you could modify mov eax,[edi] to -> xor eax,eax

In this way, when the instruction that writes to the address accesses its dynamic variable, it will always write eax, so 0.
( xor register,register sets the register to 0 ).

If there's NO code that stays the same, you'll have to give us more details, otherwise we can't help you.

_________________
Do you need to ask me something? Feel free to join my discord server at: https://discord.gg/At4VZXA or ask me something in my YouTube channel: https://www.youtube.com/c/mgostIH
STN
I post too much
Reputation: 42

Joined: 09 Nov 2005
Posts: 2672

PostPosted: Mon Feb 06, 2017 8:18 pm    Post subject:

4D2B7ACA - 8B 07 - mov eax,[edi]
4D2B7ACC - 8B 5F FC - mov ebx,[edi-04]
4D2B7ACF - 89 83 40EB2D06 - mov [ebx+062DEB40],eax <<
4D2B7AD5 - 83 EF 04 - sub edi,04
4D2B7AD8 - BB C4554408 - mov ebx,084455C4

>>
8B 07 8B 5F FC 89 83 ???????? 83 EF 04 BB

^Search for that in CE. Is it unique? No? Add more bytes until your sig becomes unique. Then search for it in olly.

What i don't understand is why you can't just enter the address you see in CE into ollydbg? Allocated or not, Olly should still be able to access the address.

Also you can't patch mov [ebx+062DEB40],eax but you can do what mgostIH said - xor eax, eax etc

_________________
Cheat Requests/Tables- Fearless Cheat Engine
https://fearlessrevolution.com
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

PostPosted: Mon Feb 06, 2017 9:32 pm    Post subject:

hashtag2 wrote:
CE the address for recoil is variable, every time i get a different one, now for example it is (always the 4th and 5th byte):
Quote:
062F78D0 | 00 00 00 00 00 00 00 00
-You can shift your AOB signature however much you need, then just include the appropriate offset to reach your injection location. The bytes for the instruction that you are wanting to manipulate do not have to be included in the AOB signature. Alternatively, as already suggested, you can incorporate wildcard variables inside your AOB signature for bytes that are dynamic.


hashtag2 wrote:
i prefer to create an .exe in ollydbg since i've already changed some locked cvars and everything went fine (no corrupted file errors etc). well, i would just like to modify a game for my needs once and for all :]
-Why do you keep saying a game, as if you're trying to be discreet about something? Anyway, you can bring over your changes to CE and still write a memory patch in the form of a loader that you can use to launch the target. It's better than a hard patch because you can apply it to future versions, easily make revisions without compromising the target and reduce file sizes for easy distribution. Additionally, I find CE to be much more convenient with regard to code manipulation and script writing.

Last edited by ++METHOS on Mon Feb 06, 2017 10:45 pm; edited 1 time in total
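STN's wildcard signature and ++METHOS's offset trick, as an added example that is not code from this thread: a small Python scanner that compiles an AOB pattern with `??` wildcards, lists every hit in a memory dump, reports whether the signature is unique, and adds an offset from the match to the instruction of interest. The dump bytes and base address are constructed here from the instruction bytes hashtag2 posted, and the function names are my own.

```python
import re

# Constructed sample dump (not a real game image): the code bytes hashtag2
# posted (8B 07 / 8B 5F FC / 89 83 disp32 / 83 EF 04 / BB imm32) placed at
# a made-up base, plus a decoy that shares only the first five bytes.
DUMP_BASE = 0x4D2B7A00
DUMP = (
    b"\x90" * 0xCA
    + bytes.fromhex("8B07 8B5FFC 8983 40EB2D06 83EF04 BB C4554408")
    + b"\xCC" * 16
    + bytes.fromhex("8B07 8B5FFC 8B07")   # decoy: same prologue, different tail
    + b"\x90" * 16
)

SHORT_SIG = "8B 07 8B 5F FC"
# STN's signature: the disp32 of "mov [ebx+062DEB40],eax" changes between
# runs, so those four bytes are wildcarded.
FULL_SIG = "8B 07 8B 5F FC 89 83 ?? ?? ?? ?? 83 EF 04 BB"

def parse_aob(sig):
    """Compile 'XX XX ?? XX' into a bytes regex; '??' (or '?') matches any byte."""
    parts = []
    for tok in sig.split():
        if tok in ("??", "?"):
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def scan(dump, sig, base=0):
    """Return the address of every match of the signature inside dump."""
    return [base + m.start() for m in parse_aob(sig).finditer(dump)]

def unique_match(dump, sig, base=0):
    """Address of the single match, or None if the signature is not unique."""
    hits = scan(dump, sig, base)
    return hits[0] if len(hits) == 1 else None

def locate_from_sig(dump, sig, offset, base=0):
    """++METHOS's point: the signature need not start at the instruction
    you care about; add the offset from the match to reach it."""
    hit = unique_match(dump, sig, base)
    return None if hit is None else hit + offset

def wildcard_value(dump, sig, offset, base=0):
    """Read the little-endian dword sitting under the wildcards (the disp32)."""
    hit = unique_match(dump, sig, base)
    if hit is None:
        return None
    start = hit - base + offset
    return int.from_bytes(dump[start:start + 4], "little")

if __name__ == "__main__":
    for sig in (SHORT_SIG, FULL_SIG):
        hits = scan(DUMP, sig, DUMP_BASE)
        print(f"{sig}: {len(hits)} hit(s) at {[hex(h) for h in hits]}")
    print("target mov at", hex(locate_from_sig(DUMP, FULL_SIG, 5, DUMP_BASE)))
    print("disp32 under wildcards:", hex(wildcard_value(DUMP, FULL_SIG, 7, DUMP_BASE)))
```

The five-byte prologue hits twice (the real site and the decoy), so it fails the uniqueness test; the wildcarded full signature hits once and the mov is five bytes past it.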
SunBeam
I post too much
Reputation: 65

Joined: 25 Feb 2005
Posts: 4022
Location: Romania

PostPosted: Mon Feb 06, 2017 10:45 pm    Post subject:

..because it's an online game, d'oh.. that's why he's trying not to be that transparent :)
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

PostPosted: Mon Feb 06, 2017 10:50 pm    Post subject:

Rhetorical. :D
hashtag2
How do I cheat?
Reputation: 0

Joined: 06 Feb 2017
Posts: 3

PostPosted: Thu Feb 09, 2017 11:04 am    Post subject:

hello guys. spent my last nights learning and trying different things. i've found all this stuff more enjoyable than playing itself. didn't even run a game once (to play) since i'm so absorbed with olly

++METHOS wrote:
-Why do you keep saying a game, as if you're trying to be discreet about something?

lol i'm pretty sure in one thread i saw a warning not to post game names on this forum. maybe it was another forum then... anyway, i liked that kind of anti-spam idea and will stick with it. @SunBeam yes, it's SP/ MP ;)

STN wrote:
What i don't understand is why you can't just enter the address you see in CE to ollydbg? allocated or not, Olly should still be able to access the address.

cuz i'm so silly and all the time i was looking for this "recoil instruction" that i found in CE in the main module (disassembled code of the executable), meanwhile it's stored in remote areas of memory. NOW when i pop up the memory map and look at the addresses section, i can find the dump that contains it at the bottom.

as i said before, the address of this "recoil instruction" is variable, but i still hope to find something in the main module that will do the job, and save the modified executable.

well, i made some progress and have found 2 instructions that may be useful: one is the first which is executed when LMB is pressed and the 2nd one on LMB release. logically, somewhere in the middle should be the recoil thing, but it's still a huge amount of code (and many hops between different modules).
Code:
Address       Hex dump       Command                                 
0040F0DE      66:90          NOP
0040F0E0  /   83EC 1C       .SUB ESP,1C                        <-- LMB PRESSED
0040F0E3  |   C70424 010000 .MOV DWORD PTR SS:[LOCAL.6],1
0040F0EA  |   E8 31A50200   .CALL 00439620
0040F0EF  |   BA FFFFFFFF   .MOV EDX,-1

i set a breakpoint at 0040F0E0 (LMB pressed) and the 2nd one at the memory address of the "recoil instruction" (after disassembling), and started a trace. as i said, the "recoil instruction" is always in a different place (it also contains a variable component, mov [ebx+062?????],eax). this time it looked like this:
Code:
Dump - 4BAC0000..4BD02FFF
Address     Hex dump        Command                                 
4BB27A05    8107 C4000000   ADD DWORD PTR DS:[EDI],0C4
4BB27A0B    8B1F            MOV EBX,DWORD PTR DS:[EDI]
4BB27A0D    8B83 C0F32C06   MOV EAX,DWORD PTR DS:[EBX+62CF3C0]  <--- RECOIL
4BB27A13    8B5F FC         MOV EBX,DWORD PTR DS:[EDI-4]
4BB27A16    8983 C0F32C06   MOV DWORD PTR DS:[EBX+62CF3C0],EAX

such action with trace into gave me ~220000 traces :]

btw. changing MOV EAX,DWORD PTR DS:[EBX+62CF3C0] to XOR EAX, EAX works fine. thanks @mgostIH for this protip.

maybe any of you will get an idea what i could change in the main module (004xxxxx addresses - constant) to make the "recoil instruction" think that the gun hasn't fired. here are the last operations that happened until recoil increased. i cut off a few opcodes that take place in variable dump memory (4xxxxxxx addresses - different every time) and focused on the last ones that were running in the main module.
Code:
main   4BB0DF5C   MOV DWORD PTR DS:[ESI+62CF3C0],1D44A   [0A2CF008]=00000138 (decimal 312.)
main   4BB0DF66   CALL DWORD PTR DS:[agame.599270]     [00599270]=agame.0054E510      ESP=0022A838
main   0054E510   MOV EAX,DWORD PTR DS:[EDI]           [0022A8A4]=00009D23 (decimal 40227.)   EAX=00009D23
main   0054E512   SUB EDI,4              EDI=0022A8A0
main   0054E515   TEST EAX,EAX
main   0054E517   JL SHORT 0054E52D
main   0054E519   SHL EAX,2            EAX=0002748C
main   0054E51C   ADD EAX,DWORD PTR DS:[0B8B510]      [00B8B510]=0A2CF3C0   EAX=0A2F684C
main   0054E522   CALL DWORD PTR DS:[EAX]   [0A2F684C]=4BB0D8B9   ESP=0022A834
main   4BB0D8B9   SUB ESI,10                ESI=03FFFC38
main   4BB0D8BF   ADD EDI,4                EDI=0022A8A4

(... ~55 operations in dump ...)

main   4BB0DA0C   ADD ESI,10            ESI=03FFFC48
main   4BB0DA12   RETN   [0022A834]=agame.0054E524   ESP=0022A838
main   0054E524   MOV EAX,DWORD PTR DS:[EDI]      [0022A8A4]=00018D24   EAX=00018D24
main   0054E526   AND EAX,DWORD PTR DS:[0B8B50C]      [00B8B50C]=03FFFFFF
main   0054E52C   RETN   [0022A838]=4BB0DF6C      ESP=0022A83C
main   4BB0DF6C   LEA EAX,[ESI+0C]         Address=03FFFC54   EAX=03FFFC54
main   4BB0DF72   MOV DWORD PTR DS:[EDI],EAX      [0022A8A4]=00018D24

(... ~180 operations in dump ...)

main   4BB27A03   MOV DWORD PTR DS:[EDI],EAX      [0022A8A8]=0
main   4BB27A05   ADD DWORD PTR DS:[EDI],0C4      [0022A8A8]=00018CD0
main   4BB27A0B   MOV EBX,DWORD PTR DS:[EDI]      [0022A8A8]=00018D94   EBX=00018D94
*** NOW AT THIS LINE BELOW RECOIL RISES: ***
main   4BB27A0D   MOV EAX,DWORD PTR DS:[EBX+62CF3C0]   [062E8154]=0      EAX=00000000
main   4BB27A13   MOV EBX,DWORD PTR DS:[EDI-4]   [0022A8A4]=00018DA4   EBX=00018DA4
main   4BB27A16   MOV DWORD PTR DS:[EBX+62CF3C0],EAX   [062E8164]=0
main   4BB27A1C   SUB EDI,4            EDI=0022A8A4

(... ~50 operations in dump ...)

main   4BB0E01D   ADD ESI,10            ESI=03FFFC58
main   4BB0E023   RETN   [0022A83C]=agame.0054E524   ESP=0022A840
main   0054E524   MOV EAX,DWORD PTR DS:[EDI]      [0022A8A4]=00018D20   EAX=00018D20
main   0054E526   AND EAX,DWORD PTR DS:[0B8B50C]      [00B8B50C]=03FFFFFF
main   0054E52C   RETN   [0022A840]=4BB26DDD      ESP=0022A844
main   4BB26DDD   MOV DWORD PTR DS:[EDI],0D31B      [0022A8A4]=00018D20
main   4BB26DE3   SUB EDI,4            EDI=0022A8A0

regards :)
pellik
Advanced Cheater
Reputation: 0

Joined: 14 Jun 2013
Posts: 93

PostPosted: Sun Feb 12, 2017 9:06 pm    Post subject:

So you think whatever is calling your recoil function is not in this dynamically allocated code? If so just breakpoint the recoil function and look at the stack for the return address.
SunBeam
I post too much
Reputation: 65

Joined: 25 Feb 2005
Posts: 4022
Location: Romania

PostPosted: Mon Feb 13, 2017 2:15 am    Post subject:

Your mouse code is in the game's executable space, while the code that handles recoil is in ALLOCATED memory. You won't be able to patch allocated memory and store it inside the executable (you can, actually, but not for this exercise). Find out where this block of code is allocated, then where it's stored and use that instead.

Example:
push 1000
..
..
call VirtualAlloc
mov [405000],eax <- the result of VirtualAlloc is in eax; store it to 405000

If it's not stored, just hook the instruction after the VirtualAlloc (making sure the code is not executed multiple times, hence multiple allocations, therefore you'd need to filter the result to get only your address) and store it yourself.

Bottom line:

- at 4BB27A0D place a breakpoint
- when it breaks, trace code till you exit the function to a game module address (within executable's memory space)
- figure your way from there, via hooking or pure logic

BR,
Sun