Labyrnth (Moderator)
Reputation: 9
Joined: 28 Nov 2006   Posts: 6285
Posted: Tue Jan 18, 2011 5:40 pm
This is a very old post, but read it through: after showing how a few kinds of scripts look, it walks through writing a script that uses a code cave in CE.
-------------------------------------------------------------------------------------
There have been numerous questions about how to write scripts using CE.
What people often don't realize is that a script can be written in several ways, and they don't know where to start.
1. Allocated toggleable script = a toggleable script used within CE (in the cheat table).
2. Allocated code injection = a normal, permanent injection that stays in place while the game runs.
3. Manual (non-allocated) code cave injection, toggleable = used for trainer options.
4. A DB script that writes raw bytes, just like you would with a TMK or VB trainer.
5. All of the above can be rewritten slightly to handle code shifting, and I will show this also.
I'm going to show each one and explain a few things about it, so you get a basic grasp of when and why I would use them.
Needed:
Cheat Engine 5.3
MineSweeper.exe
--------------------------------------------------------------------------------------
Allocated Toggleable Script:
Here we have a basic code injection from CE that uses an allocated cave (alloc/dealloc).
You add it to the cheat list and toggle it from CE.
This script will not work in a trainer generated by CE.
These are good for releasing a CT for people to use.
What it does:
This hooks the code that updates the flag counter in Minesweeper; you start with 10 flags and the script makes you have 99.
The script moves 63 into EAX. The auto assembler treats numbers as hexadecimal, so 63 is 0x63, which is 99 in decimal (check it in the Windows calculator in hex mode if you like).
When the script is untoggled, the [DISABLE] section writes the original instruction back to the game, so it behaves normally again.
Code:
[ENABLE]
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)

0100346E:
jmp newmem
nop                //the replaced instruction is 6 bytes, jmp is 5: pad the last byte
returnhere:

newmem:
mov eax,63         //hex 63 = 99 decimal
originalcode:
add [01005194],eax
exit:
jmp returnhere

[DISABLE]
dealloc(newmem)
0100346E:
add [01005194],eax
Next we have a regular code injection:
This one is permanent while the game is up. It does the same thing as the script above, but it has no [DISABLE] section, so there is no toggle to undo the changes.
Code:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

0100346E:
jmp newmem
nop
returnhere:

newmem:
mov eax,63
originalcode:
add [01005194],eax
exit:
jmp returnhere
Next is a script you can use for trainers or a CT. It can be toggled just like the first script, but the difference is that this one uses a manually found code cave instead of alloc'd memory. This script will work in trainers generated by CE.
*I will show how to look for caves later in this thread. It does the same as the scripts above.
Code:
[ENABLE]
label(back)

010002EC:          //the code cave (empty space inside the module)
mov eax,63
add [01005194],eax
jmp back

0100346E:
jmp 010002EC
nop                //pad the 6th byte of the replaced instruction
back:

[DISABLE]
0100346E:
add [01005194],eax
Now for the DB script. This script will also work in trainers, but you need a good understanding of hexadecimal to use it.
It is basically like TMK's "Poke" or writing bytes to an address in VB.
DB does the same thing. E.g.:
TMK Code:
Poke 0100346E 01 05 94 51 00 01 63 90 90 90 90
VB Code:
Private Sub Command1_Click()
    ' LAB is the trainer's own write-one-byte helper (address, value); it is not shown in this post
    Call LAB(&H0100346E, &H01)
    Call LAB(&H0100346F, &H05)
    Call LAB(&H01003470, &H94)
    Call LAB(&H01003471, &H51)
    Call LAB(&H01003472, &H00)
    Call LAB(&H01003473, &H01)
    Call LAB(&H01003474, &H63)
    Call LAB(&H01003475, &H90)
    Call LAB(&H01003476, &H90)
    Call LAB(&H01003477, &H90)
    Call LAB(&H01003478, &H90)
End Sub
These alter the bytes in memory that encode the assembly instructions; those bytes are the opcodes.
*This script will crash Minesweeper: the ENABLE bytes keep the add but overwrite the 5-byte call that follows it with 63 90 90 90 90. It is only here to show how DB is used. Also see the animated image to see what it does.
Code:
[ENABLE]
0100346E:
db 01 05 94 51 00 01 63 90 90 90 90
[DISABLE]
0100346E:
db 01 05 94 51 00 01 E8 88 F3 FF FF
Now we have examples of all these scripts and their basic usage explained. Next I will briefly explain how to look for a cave, and how to do a script for code shifting. TMK users: you can use the memory view to look at the opcodes and addresses so you can use them in TMK, by writing down the address and the opcodes for the cave, the jumps, and the injected code.
--------------------------------------------------------------------------------------
How to look for a code cave and use it:
The script here is a non-allocated injection.
The reason for this is so we can use it to make a trainer with Cheat Engine: a simple workaround, because we can't use alloc in a trainer built by CE.
Code:
[ENABLE]
label(back)
010002EC:             //this is the code cave
mov eax,63            //this is our code, written to the cave
add [01005194],eax    //written to the cave as well (the original instruction)
jmp back              //jump back to the original game code from the cave
0100346E:             //original address, found with "Find what writes to this address"
jmp 010002EC          //jump to the cave when the game code reaches this address
nop                   //cleaning up the left-over byte
back:                 //return location, so we have somewhere to jump back to after the cave has done its work
[DISABLE]
0100346E:             //original address
add [01005194],eax    //restores the original code
So we need to look up the address we found in the memory view (the disassembler).
This way we can see which module we are in and its base address.
To look for a cave you can use any code cave finder, but CE has one built in, so we will use that.
Now we know the base address from the memory view.
So we start our scan at that address; a cave size of 256 bytes should be plenty large enough.
Once the scan is finished we can choose one of the caves it found.
As you can see, the cave is nothing but 0's: empty space within the module we are scanning. We can use it to inject any code we want.
Now, we want the flags to be 99.
1. So we write the first part of the script.
2. We need a label for the jump back.
Code:
[ENABLE]
label(back)
3. Now we put in the cave address we found.
Code:
[ENABLE]
label(back)
010002EC:
4. Next we put in the code we want; this is written to our cave.
* 63 is hexadecimal for 99 in decimal (check it in the Windows calculator). This will give us 99 flags in Minesweeper.
We also include the original instruction we replaced, and we use the label to jump back to the game code with "jmp back".
Code:
[ENABLE]
label(back)
010002EC:
mov eax,63
add [01005194],eax
jmp back
5. Next we add our original address. When the game reaches 0100346E it will execute jmp 010002EC into our cave, run mov eax,63 and then add [01005194],eax, and then jmp back to the game code so the game doesn't crash. The trailing nop needs to be there: the original instruction is 6 bytes and the jmp is only 5, so without it a stray byte would be left behind and cause problems. back: is the label that tells the assembler where to jump back to so the game code can continue.
Code:
[ENABLE]
label(back)
010002EC:
mov eax,63
add [01005194],eax
jmp back
0100346E:
jmp 010002EC
nop
back:
6. Last we add [DISABLE] and the original instruction, so the script can undo the changes we made and turn the cheat off.
Code:
[ENABLE]
label(back)
010002EC:
mov eax,63
add [01005194],eax
jmp back
0100346E:
jmp 010002EC
nop
back:
[DISABLE]
0100346E:
add [01005194],eax
That's all there is to it: manually using a code cave to complete a script that you can use in the Cheat Engine trainer builder.
--------------------------------------------------------------------------------------
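The manual code cave walkthrough above and the TMK/VB pokes earlier in the post come down to the same raw bytes. As an added example (not part of the original post), here is a small Python script that computes them: it encodes the jmp into the cave, the nop padding, the cave body (mov eax,63 / add [01005194],eax) and the jmp back, using the page's addresses (0100346E, 010002EC) and the original bytes taken from the page's own DB script. It assumes 32-bit x86, where a relative jmp/call is 5 bytes (E9/E8 plus a 4-byte displacement measured from the next instruction); the function names build_cave_patch, jmp_rel32, rel32_target and is_empty_cave are my own.

```python
"""Turn the manual code cave script into raw byte pokes (added example, not from the post)."""
import struct

INJECT_ADDR = 0x0100346E                              # instruction found with "Find what writes to this address"
CAVE_ADDR = 0x010002EC                                # all-zero region reported by the code cave scanner
FLAGS = 0x63                                          # 99 decimal, same as `mov eax,63` in the CE script
ORIGINAL_ADD = bytes.fromhex("01 05 94 51 00 01")    # add [01005194],eax (6 bytes, from the DB script)
ORIGINAL_CALL = bytes.fromhex("E8 88 F3 FF FF")      # the call that follows it (from the DB script)


def jmp_rel32(src: int, dst: int) -> bytes:
    """Encode `jmp dst` placed at src. The displacement is relative to the next instruction."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


def rel32_target(src: int, insn: bytes) -> int:
    """Decode where a 5-byte E8 (call) / E9 (jmp) rel32 located at src goes."""
    if len(insn) != 5 or insn[0] not in (0xE8, 0xE9):
        raise ValueError("not a 5-byte call/jmp rel32")
    return (src + 5 + struct.unpack("<i", insn[1:])[0]) & 0xFFFFFFFF


def mov_eax_imm32(value: int) -> bytes:
    """Encode `mov eax, imm32` (B8 + little-endian immediate)."""
    return b"\xB8" + struct.pack("<I", value)


def is_empty_cave(data: bytes, needed: int) -> bool:
    """A usable cave is a run of 00 bytes at least as long as the code you will write into it."""
    return len(data) >= needed and not any(data)


def build_cave_patch(inject=INJECT_ADDR, cave=CAVE_ADDR, original=ORIGINAL_ADD, flags=FLAGS):
    """Return (enable, disable) as {address: bytes}, mirroring the [ENABLE]/[DISABLE] sections."""
    hook = jmp_rel32(inject, cave)
    if len(original) < len(hook):
        # the jmp needs 5 bytes; replacing fewer would leave a torn instruction behind
        raise ValueError("hook site must cover at least 5 bytes of whole instructions")
    hook += b"\x90" * (len(original) - len(hook))      # the trailing nop(s) from the script
    back = inject + len(original)                       # the `back:` label: first byte after the hook
    cave_code = mov_eax_imm32(flags) + original         # mov eax,63 / add [01005194],eax
    cave_code += jmp_rel32(cave + len(cave_code), back) # jmp back
    enable = {cave: cave_code, inject: hook}
    disable = {inject: original}                        # restore the original instruction
    return enable, disable


def as_poke_lines(patch: dict) -> list:
    """Format a patch the way TMK's Poke expects it: address followed by hex bytes."""
    return [f"Poke {addr:08X} " + " ".join(f"{b:02X}" for b in data)
            for addr, data in sorted(patch.items())]


if __name__ == "__main__":
    enable, disable = build_cave_patch()
    print("[ENABLE]", *as_poke_lines(enable), sep="\n")
    print("[DISABLE]", *as_poke_lines(disable), sep="\n")
    print(f"original call at {INJECT_ADDR + 6:08X} targets {rel32_target(INJECT_ADDR + 6, ORIGINAL_CALL):08X}")
```

Two things worth checking before poking anything: the hook site must start on an instruction boundary and cover at least 5 bytes of whole instructions (here the 6-byte add, hence one nop), and the cave you picked must really be unused, which is what the all-zero check approximates. rel32_target is handy for confirming that the displaced call in the DB script (E8 88 F3 FF FF at 01003474) is left intact by the cave version, since that version only overwrites the 6 bytes of the add.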