Cheat Engine Forum - The Official Site of Cheat Engine
Game Maker Studio Script Help - Valdis Story

Ejay1984 (Newbie cheater; Reputation: 0; Joined: 16 Nov 2017; Posts: 24)
Posted: Wed Nov 22, 2017 4:43 am    Post subject: Game Maker Studio Script Help - Valdis Story

Hi all,

I tried to write a script for the above game and ran into a lot of difficulties till I realized it was a Game Maker Studio game. I've been through the tutorial by h3x1c. The script is below.

Code:
[ENABLE]

aobscanmodule(PlayerStatus,Valdis_Story_AC.exe,DD 5E 08 5E 5D C3 CC CC 56) // should be unique
alloc(newmem,$1000)
alloc(health,8)   // 8 bytes each: dq (double) below stores a 64-bit value
alloc(MP,8)
alloc(abillity,8)
alloc(skills,8)

label(code)
label(originalcode)
label(return)
label(playerHealth)
label(playerAbillity)
label(playerSkills)
label(playerMP)

health:
  dq (double)9999

abillity:
  dq (double)999

skills:
  dq (double)999

MP:
  dq (double)999

newmem:

code:
  push ebx
  mov ebx,[ebp-4074]
  pushf
  cmp ebx,2CF9FF50
  je playerHealth
  cmp ebx,1CF25C20
  je playerAbillity
  cmp ebx,1CF25950
  je playerSkills
  mov ebx,[ebp-4078]
  cmp ebx,2CF9F7F8
  je playerMP
  jmp originalcode

playerHealth:
  fstp st(0)
  fld qword ptr [health]
  jmp originalcode

playerAbillity:
  fstp st(0)
  fld qword ptr [abillity]
  jmp originalcode

playerSkills:
  fstp st(0)
  fld qword ptr [skills]
  jmp originalcode

playerMP:
  fstp st(0)
  fld qword ptr [MP]
  jmp originalcode


originalcode:
  fstp qword ptr [esi+08]
  pop esi
  pop ebp
  jmp return

PlayerStatus:
  jmp newmem
return:
registersymbol(PlayerStatus)

[DISABLE]

PlayerStatus:
  db DD 5E 08 5E 5D

unregistersymbol(PlayerStatus)
dealloc(newmem)
dealloc(health)
dealloc(abillity)
dealloc(skills)
dealloc(MP)


The game crashes upon activation of the script.

I am not sure what I'm doing wrong.

I've attached a screen grab of the stacks for the addresses.

Below is a list of the opcodes that are different
Health
EBX=2CF9FF50
EDX=0017D50C
EDI=00018EE1
ESP=0017948C
EBP=0017D50C

MP
EBX=2CF9F7F8
EDX=0018F910
EDI=0001959F
ESP=0018B88C
EBP=0018F910

Ability
EBX=1CF25C20
EDX=0018B010
EDI=00018EFE
ESP=00186F90
EBP=0018B010

Skills
EBX=1CF25950
EDX=00181E10
EDI=00018EFF
ESP=0017DD90
EBP=00181E10



Attachment: Untitled-1.jpg (363.53 KB)
FreeER (Grandmaster Cheater Supreme; Reputation: 53; Joined: 09 Aug 2013; Posts: 1091)
Posted: Wed Nov 22, 2017 6:13 am

You push the flags with pushf but you don't call popf anywhere... possibly you handle it in another way, but crashes tend to be caused by the simpler problems you overlooked (or a pointer occasionally being 0), especially once you feel confident enough to try these more complex scripts :D

BTW, using esp instead of ebp would make the offsets much simpler in this case (right click in the stack view and you can change how CE shows them, some programs don't use a base pointer at all so you have to use esp).
Ejay1984 (Newbie cheater; Reputation: 0; Joined: 16 Nov 2017; Posts: 24)
Posted: Wed Nov 22, 2017 6:57 am

FreeER wrote:
You push the flags with pushf but you don't call popf anywhere... possibly you handle it in another way, but crashes tend to be caused by the simpler problems you overlooked (or a pointer occasionally being 0), especially once you feel confident enough to try these more complex scripts :D

BTW, using esp instead of ebp would make the offsets much simpler in this case (right click in the stack view and you can change how CE shows them, some programs don't use a base pointer at all so you have to use esp).


Ahh :D. Where would I have to insert popf after all the cmp commands?
FreeER (Grandmaster Cheater Supreme; Reputation: 53; Joined: 09 Aug 2013; Posts: 1091)
Posted: Wed Nov 22, 2017 7:25 am

It'd have to come after the conditional jump (je), since it uses the flags to decide whether to jump; since all paths end up in originalcode, I'd place it at the start there.

Though it really doesn't look as if you needed to push the flags in the first place. You really only need to save the flags if you're hooking somewhere in between the game setting the flags and using them (like in between a cmp and a conditional jump)... so you may be able to just remove the pushf.
Ejay1984 (Newbie cheater; Reputation: 0; Joined: 16 Nov 2017; Posts: 24)
Posted: Wed Nov 22, 2017 8:30 am

FreeER wrote:
It'd have to come after the conditional jump (je), since it uses the flags to decide whether to jump; since all paths end up in originalcode, I'd place it at the start there.

Though it really doesn't look as if you needed to push the flags in the first place. You really only need to save the flags if you're hooking somewhere in between the game setting the flags and using them (like in between a cmp and a conditional jump)... so you may be able to just remove the pushf.


Removing pushf caused the game to crash so I'll insert the popf after the last conditional jump.

EDIT:

This is the script I've come up with. I was able to find an offset value that was constant across the ebx values:

Code:
[ENABLE]

aobscanmodule(Playestatus,Valdis_Story_AC.exe,DD 5E 08 5E 5D C3 CC CC 56) // should be unique
alloc(newmem,$100)
alloc(health,8)   // 8 bytes each: dq (double) below stores a 64-bit value
alloc(abillity,8)
alloc(skills,8)
alloc(MP,8)

label(code)
label(originalcode)
label(return)
label(playerHealth)
label(playerAbillity)
label(playerSkills)
label(playerMP)

health:
  dq (double)9999

abillity:
  dq (double)999

skills:
  dq (double)999

MP:
  dq (double)999

newmem:

code:
  push ebx
  mov ebx,[ebp+20]
  pushf
  cmp ebx,2AAE9C18
  je playerHealth
  cmp ebx,1CB44438
  je playerAbillity
  cmp ebx,1CB44578
  je playerSkills
  cmp ebx,2AAE9A60
  je playerMP
  popf
  jmp originalcode

playerHealth:
  fstp st(0)
  fld qword ptr [health]
  jmp originalcode

playerAbillity:
  fstp st(0)
  fld qword ptr [abillity]
  jmp originalcode

playerSkills:
  fstp st(0)
  fld qword ptr [skills]
  jmp originalcode

playerMP:
  fstp st(0)
  fld qword ptr [MP]
  jmp originalcode

originalcode:
  fstp qword ptr [esi+08]
  pop esi
  pop ebp
  jmp return

Playestatus:
  jmp newmem
return:
registersymbol(Playestatus)

[DISABLE]

Playestatus:
  db DD 5E 08 5E 5D

unregistersymbol(Playestatus)
dealloc(newmem)
dealloc(health)
dealloc(abillity)
dealloc(skills)
dealloc(MP)


Would be grateful for comments before assigning it.

Cheers
FreeER (Grandmaster Cheater Supreme; Reputation: 53; Joined: 09 Aug 2013; Posts: 1091)
Posted: Wed Nov 22, 2017 10:20 am

:roll:
Quote:
since all paths end up in originalcode I'd place it at the start there.


If you just place it after the je, it only pops the flags if the jump is not taken; when it is taken, it never runs, so the pushed flags never get popped, the stack isn't in the same state as before the hook, and the game will almost certainly crash when it's time to return from a function and it tries to read the return address from the stack. If you push something (in order to save and restore the value), you always need to pop it, no matter which way the jump goes.
Ejay1984 (Newbie cheater; Reputation: 0; Joined: 16 Nov 2017; Posts: 24)
Posted: Thu Nov 23, 2017 10:34 am
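As an added illustration of FreeER's point (this is not code from the thread, from Cheat Engine, or from the game), the Python script below walks every control-flow path through a hook body and reports any path that reaches the game's first original instruction with something the hook pushed still on the stack, or that pops a different value than the one it saved. It is run on a copy of the second script above, trimmed to two of its four branches, and then on a constructed variant with popf moved to the start of originalcode as suggested, plus a pop ebx for the register the hook borrows (the checker also flags that push ebx, which neither posted script pops before the original pop esi / pop ebp). The entry label, the stop instruction and the push/pop tag names are assumptions of this example.

```python
"""Added example: stack-balance checker for Cheat Engine auto-assembler hook bodies.
Only push/pop families and jumps are modelled; every other instruction is a no-op."""
import re

COND_JUMP = re.compile(r"^j(?!mp)\w+\s+\w+$")      # je, jne, jz, ja, jb ... but not jmp


def parse(script):
    """Split a script into a lowercased instruction list and a label -> index map."""
    instrs, labels = [], {}
    for raw in script.splitlines():
        line = raw.split("//")[0].strip()            # drop CE-style // comments
        if not line or line.startswith("["):         # blank line, [ENABLE]/[DISABLE]
            continue
        if line.endswith(":") and " " not in line:
            labels[line[:-1].lower()] = len(instrs)
        else:
            instrs.append(line.lower())
    return instrs, labels


def stack_effect(instr, stack):
    """Return (new stack, error or None); the stack is a tuple of tags the hook pushed."""
    op, _, arg = instr.partition(" ")
    arg = arg.strip()
    if op in ("push", "pushf", "pushfd"):
        return stack + (arg if op == "push" else "flags",), None
    if op in ("pop", "popf", "popfd"):
        want = arg if op == "pop" else "flags"
        if not stack:
            return stack, "%s with nothing left that the hook pushed" % instr
        if stack[-1] != want:
            return stack, "%s would pop the saved %s instead" % (instr, stack[-1])
        return stack[:-1], None
    return stack, None                               # mov/cmp/fld/fstp/...: no change


def check(script, entry="code", first_original="fstp qword ptr [esi+08]"):
    """Return one problem string per bad path; an empty list means every path balances."""
    instrs, labels = parse(script)
    problems, seen = [], set()
    work = [(labels[entry], (), ())]                 # (index, hook stack, branches taken)
    while work:
        state = i, stack, trail = work.pop()
        if state in seen or len(trail) > 32 or i >= len(instrs):
            continue                                 # loop guard / ran off the end
        seen.add(state)
        where = " / ".join(trail) or "straight through"
        instr = instrs[i]
        if instr == first_original:                  # hand-off to the game's own code
            if stack:
                problems.append("%s: original code runs with %s still on the stack"
                                % (where, list(stack)))
            continue
        op, _, arg = instr.partition(" ")
        target = labels.get(arg.strip())
        if op == "jmp":
            if target is not None:                   # e.g. jmp return leaves the hook
                work.append((target, stack, trail))
        elif COND_JUMP.match(instr) and target is not None:
            work.append((target, stack, trail + (instr + " taken",)))
            work.append((i + 1, stack, trail + (instr + " not taken",)))
        elif op != "ret":
            stack, err = stack_effect(instr, stack)
            if err:
                problems.append("%s: %s" % (where, err))
            else:
                work.append((i + 1, stack, trail))
    return problems


# Copied from the second script in the thread, trimmed to two of its four branches.
POSTED = """
code:
  push ebx
  mov ebx,[ebp+20]
  pushf
  cmp ebx,2AAE9C18
  je playerHealth
  cmp ebx,2AAE9A60
  je playerMP
  popf
  jmp originalcode
playerHealth:
  fstp st(0)
  fld qword ptr [health]
  jmp originalcode
playerMP:
  fstp st(0)
  fld qword ptr [MP]
  jmp originalcode
originalcode:
  fstp qword ptr [esi+08]
  pop esi
  pop ebp
  jmp return
"""

# Constructed variant: popf moved to the start of originalcode as FreeER suggests,
# plus a pop ebx so the register the hook borrowed is restored on every path too.
FIXED = POSTED.replace("  popf\n  jmp originalcode", "  jmp originalcode").replace(
    "originalcode:\n", "originalcode:\n  popf\n  pop ebx\n")

if __name__ == "__main__":
    for name, script in (("posted", POSTED), ("fixed", FIXED)):
        print(name, check(script) or "balanced on every path")
```

Run as-is, the posted version reports three paths: the two taken branches reach the original code with both the saved ebx and the saved flags still pushed, and the not-taken path pops the flags but still leaves ebx, which is the value the game's pop esi would then read. The fixed variant reports nothing. The checker stops at the first copied instruction rather than at the originalcode label so that a popf placed at the start of that block, as suggested above, is counted.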

Thanks for your help. This is my first attempt at a complex script, hence my novice :D
All times are GMT - 6 Hours

Powered by phpBB © 2001, 2005 phpBB Group