Cheat Engine The Official Site of Cheat Engine
flarn2006 Advanced Cheater Reputation: 1
Joined: 27 Nov 2012 Posts: 73
Posted: Wed Nov 12, 2014 7:10 pm
hudakj wrote:
> I can get cheat engine to work with my cracked version (3DM v4). Then again, I only used it briefly for things like more money.
Yet another example of how DRM and similar measures only get in the way of people who actually bought the game instead of pirating it.
Also, what's the point of anti-cheat in co-op? Who are you gaining an unfair advantage over? The AI enemies?
jim2point0 Master Cheater Reputation: 4
Joined: 05 Oct 2012 Posts: 336
Posted: Wed Nov 12, 2014 7:43 pm
The primary motivation for them using anti-cheat measures is to keep people from giving themselves free money, thereby circumventing the microtransactions.
Unfortunately it's getting in the way of me doing a free camera hack, which I SO DESPERATELY want to do in this game.
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25296 Location: The netherlands
Posted: Wed Nov 12, 2014 8:02 pm
Get the cracked version (really, any game with DRM like this I always suggest getting the cracked version; not only will it make cheating easier, it often makes the game a lot faster/more playable).
Also, the cracked version might still have the integrity check, but debugging might be easier, so you might then be able to apply that to the release.
Anyhow, regarding debugging: have you done all the tests and checks?
While the game is running, debug the tutorial.
Does the game close?
If it does, you might need an undetected CE (go get the CE source code and start editing).
If not, restart Cheat Engine and the game (you cannot reuse a CE after it has used the debugger, even if it was a different target, and the target cannot be reused if VEH has been tried before).
Make sure VEH debug is enabled in settings (also make sure it's NOT set to int3 breakpoints; hardware breakpoints for now).
Do NOT open the target process.
Go to Memory View -> View -> Debug events.
Keep that window open and go to the process list, select the process, and click on "Attach debugger to process".
Did the game crash?
If yes, perhaps the event log may contain why.
If no, it's detecting the way you set breakpoints.
In Memory View go to View -> Thread list and expand the first few threads.
Do the DR# fields have a number set other than 00000000?
If yes, disable "override existing breakpoints when setting breakpoints".
If after that it doesn't crash, but it won't find anything either, then that means all debug registers are used up.
If it did crash or gave no results, then restart both CE and the game and change the preferred breakpoint to page exceptions.
Again, attach the debugger using the process list and wait till it has cooled down a bit (check the debug event log).
If it crashes, check the debug event log; it may show why.
Just wondering, are you one of the few rare people that can use DBVM? If so, you may have a bit of luck with global debug (although if all debug registers are used up that won't help much; I might be assed to add some priority to page exceptions in DBVM, or even implement the non-readable execute-only physical memory regions, making a hardware-level stealthedit).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Last edited by Dark Byte on Wed Nov 12, 2014 9:02 pm; edited 2 times in total
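The checklist above reads the DR# fields in CE's thread list to tell whether the target has already claimed the hardware breakpoint slots. The following is an added example, not code from this thread or from Cheat Engine: it decodes DR7 (the control register that says which of DR0..DR3 are armed, and as what kind of breakpoint), so a non-zero DR# whose slot is disabled can be told apart from one that is really in use, and counts how many slots are left. The DR0..DR3 addresses and DR7 value in the sample are constructed, not taken from ACU.

```c
#include <stdint.h>
#include <stdio.h>

/* One hardware breakpoint slot (DR0..DR3) as DR7 describes it. */
typedef struct {
    int enabled;   /* L# or G# bit set: the slot is armed */
    int global;    /* G# bit set (not cleared on task switch) */
    int rw;        /* R/W# field: 0 = execute, 1 = write, 2 = I/O (normally unavailable), 3 = read/write */
    int len;       /* LEN# field in bytes: encodings 0,1,2,3 mean 1,2,8,4 */
} dr_slot;

/* DR7 layout: bits 0..7 are L0,G0,...,L3,G3; from bit 16 each slot has two R/W bits followed
   by two LEN bits. Bit 10 is reserved and reads as 1, so it must not be taken for an enable bit. */
dr_slot decode_dr7_slot(uint64_t dr7, int slot) {
    static const int len_bytes[4] = {1, 2, 8, 4};
    dr_slot s;
    int local  = (int)((dr7 >> (slot * 2)) & 1);
    int global = (int)((dr7 >> (slot * 2 + 1)) & 1);
    s.enabled = local | global;
    s.global  = global;
    s.rw      = (int)((dr7 >> (16 + slot * 4)) & 3);
    s.len     = len_bytes[(dr7 >> (18 + slot * 4)) & 3];
    return s;
}

/* Number of armed slots; 4 is the "all debug registers are used up" case from the post. */
int dr7_slots_in_use(uint64_t dr7) {
    int n = 0;
    for (int i = 0; i < 4; i++) n += decode_dr7_slot(dr7, i).enabled;
    return n;
}

/* First slot a debugger could still use, or -1 when none is left. */
int dr7_free_slot(uint64_t dr7) {
    for (int i = 0; i < 4; i++)
        if (!decode_dr7_slot(dr7, i).enabled) return i;
    return -1;
}

/* The thread-list check from the post: a DR# address that is non-zero while its slot is
   disabled in DR7 is stale, not a live breakpoint, so only count armed ones. */
typedef struct { uint64_t dr[4]; uint64_t dr7; } dr_state;

int dr_slots_live(const dr_state *st) {
    int n = 0;
    for (int i = 0; i < 4; i++)
        if (st->dr[i] != 0 && decode_dr7_slot(st->dr7, i).enabled) n++;
    return n;
}

/* Constructed sample context: DR0..DR2 hold addresses, but DR7 arms only slot 0 (execute,
   1 byte) and slot 1 (read/write, 4 bytes); bit 10 is the reserved always-set bit. */
const dr_state *sample_state(void) {
    static const dr_state st = {
        {0x7FF6A0001000ULL, 0x7FF6A0002000ULL, 0x7FF6A0003000ULL, 0}, 0x0000000000F00405ULL
    };
    return &st;
}

int main(void) {
    const dr_state *st = sample_state();
    for (int i = 0; i < 4; i++) {
        dr_slot s = decode_dr7_slot(st->dr7, i);
        printf("DR%d=%016llx enabled=%d global=%d rw=%d len=%d\n",
               i, (unsigned long long)st->dr[i], s.enabled, s.global, s.rw, s.len);
    }
    printf("slots in use=%d live=%d free slot=%d\n",
           dr7_slots_in_use(st->dr7), dr_slots_live(st), dr7_free_slot(st->dr7));
    return 0;
}
```

When `dr7_free_slot` returns -1 for every thread you inspect, hardware breakpoints have nowhere to go, which is exactly the situation in which the post tells you to fall back to page exceptions.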
flarn2006 Advanced Cheater Reputation: 1
Joined: 27 Nov 2012 Posts: 73
Posted: Wed Nov 12, 2014 8:12 pm
jim2point0 wrote:
> The primary motivation for them using anti-cheat measures is to keep people from giving themselves free money, thereby circumventing the microtransactions.
> Unfortunately it's getting in the way of me doing a free camera hack which I SO DESPERATELY want to do in this game
...You're kidding me. A 60 DOLLAR game, and it has microtransactions? I wouldn't be as surprised if it was something like what EA does (as is typical of EA) with The Sims and SimCity, where it's basically just a large amount of DLC. But I googled it, and apparently this is for actual in-game upgrades. Like the kinds of things you would get by leveling up or something, and simply do things like increase the amount of damage you can do. Seriously Ubisoft? Seriously?
(Also, the name of the microtransaction currency is blasphemy. Our Lord would never approve of this.)
jim2point0 Master Cheater Reputation: 4
Joined: 05 Oct 2012 Posts: 336
Posted: Wed Nov 12, 2014 11:16 pm
No crash when I debug the tutorial.
When I attach the debugger to ACU.exe, Cheat Engine actually freezes. The game continues running though. I have to force close Cheat Engine.
The threadlist looks like this.
I was actually able to attach a debugger this time. When I create a script that hooks into an opcode and executes the same original code, it still crashes.
It is apparent to me that I have no idea what I'm doing when it comes to debugging this kind of thing.
I did try a cracked version. I'm getting the same results though.
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Thu Nov 13, 2014 12:53 am
++METHOS wrote:
> Does the stealthedit plugin not work for 64-bit targets? I haven't used it on any new releases.
Just confirmed this myself. It seems that the Stealthedit plugin is not currently supported for 64-bit targets in CE 6.4.
Any idea if it will be?
Thanks.
omoe Grandmaster Cheater Reputation: 8
Joined: 11 Jun 2013 Posts: 547
Posted: Thu Nov 13, 2014 4:43 am
The game sure uses a lot of scanners. I managed to bypass all of the scanners; it wasn't that hard to do. Here are some addresses if anyone is interested, to get you started.
V1.1
"ACU.exe"+54159C5
"ACU.exe"+5417472
"ACU.exe"+26EBF8E
"ACU.exe"+5414089
"ACU.exe"+2821F23
"ACU.exe"+5418E9D
"ACU.exe"+5432761
"ACU.exe"+5418D0D
"ACU.exe"+5418842
"ACU.exe"+540D240
_________________
Hey!, Rep++.
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25296 Location: The netherlands
Posted: Thu Nov 13, 2014 6:13 am
Jim2point0, yeah, debugging shouldn't be a big issue (dr=0), but before you can do a code injection you must first do another code injection that turns off all scanners at the same time (perhaps someday someone will post a table with such a bypass somewhere).
Alternatively, as I mentioned before, a change register on breakpoint could suffice.
omoe wrote:
> The game sure uses a lot of scanners. I managed to bypass all of the scanners; it wasn't that hard to do.
Thanks omoe, that will help some people (no wonder people complain it's slow).
To "some people" that want to mess with this: make a copy of the exe so you won't have to race when the next patch comes out (that'll give you time to look up AOBs).
++METHOS wrote:
> Just confirmed this myself. It seems that the Stealthedit plugin is not currently supported for 64-bit targets in CE 6.4.
> Any idea if it will be?
> Thanks.
The problem with 64-bit is the relative RIP-based addressing.
In 32-bit a copied memory region will have its static addresses point to the original memory. So if the copy nulls out a pointer at a static address it nulls the original.
But in 64-bit that would null the copy, leaving it intact in the original, causing a crash.
For 64-bit to work you'd need to reassemble the whole game first and adjust the RIP-relative distance (and make sure the copy is near the original, as a relative distance can only be 31 bits (signed)).
Last edited by Dark Byte on Thu Nov 13, 2014 6:24 am; edited 1 time in total
omoe Grandmaster Cheater Reputation: 8
Joined: 11 Jun 2013 Posts: 547
Posted: Thu Nov 13, 2014 6:24 am
No prob. I would also suggest you guys pause the game before injecting the scripts, because the game uses 3 threads to scan itself, like others have mentioned, and it will crash 90% of the time if you don't pause it.
jim2point0 Master Cheater Reputation: 4
Joined: 05 Oct 2012 Posts: 336
Posted: Thu Nov 13, 2014 10:47 am
omoe wrote:
> The game sure uses a lot of scanners. I managed to bypass all of the scanners; it wasn't that hard to do. Here are some addresses if anyone is interested, to get you started.
> [...]
This seems promising. How do you bypass them?
Dark Byte wrote:
> Jim2point0, yeah, debugging shouldn't be a big issue (dr=0), but before you can do a code injection you must first do another code injection that turns off all scanners at the same time (perhaps someday someone will post a table with such a bypass somewhere).
I would do that if I knew how. Still learning. Is it just as simple as NOPing them?
omoe wrote:
> No prob. I would also suggest you guys pause the game before injecting the scripts, because the game uses 3 threads to scan itself, like others have mentioned, and it will crash 90% of the time if you don't pause it.
Do you mean pausing with Cheat Engine?
omoe Grandmaster Cheater Reputation: 8
Joined: 11 Jun 2013 Posts: 547
Posted: Thu Nov 13, 2014 11:02 am
jim2point0 wrote:
> This seems promising. How do you bypass them?
> [...]
> I would do that if I knew how. Still learning. Is it just as simple as NOPing them?
> [...]
> Do you mean pausing with Cheat Engine?
If you NOP the scanner it would crash the game.
This is a scanner instruction: mov eax,[rax]
To bypass it you must make a loop to copy the module memory, then do the following:

push rbx                      // save rbx, it is used as scratch below
pushfq                        // save flags; the cmp/sub below clobber them
mov rbx,ACU.exe               // start of the module (cmp r64 has no 64-bit immediate form, so compare through rbx)
cmp rax,rbx                   // make sure the scanner is scanning the current module
jb exit                       // below the module base: leave the read alone (addresses are unsigned, so jb/jae rather than jl/jnl)
mov rbx,ACU.exe+55159C5       // upper bound of the region that is shadowed
cmp rax,rbx
jae exit                      // at or past the upper bound: leave the read alone
mov rbx,ACU.exe
sub rax,rbx                   // get rax offset into the module
mov rbx,ModuleCopy            // get module copy (the allocated region holding the pristine bytes)
add rax,rbx                   // add copy base to the offset
exit:
popfq                         // restore flags
pop rbx                       // restore rbx
// back to game code: the original mov eax,[rax] now reads from the copy

To copy game memory you could use readmem(ACU.exe,SizeToCopy).
Xblade Of Heaven Master Cheater Reputation: 0
Joined: 16 Oct 2005 Posts: 394 Location: DEAD
Posted: Thu Nov 13, 2014 6:41 pm
CE doesn't work very well with x64 targets. Do you use kernel mode? Kernel mode alloc in x64 processes is bugged; the injected code is corrupt. Try disabling it,
and look in the memory viewer when you enable a script: the code sometimes is not correct.
Regards
_________________
Welcome to the Hell.
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25296 Location: The netherlands
Posted: Thu Nov 13, 2014 6:52 pm
Report instructions that are wrong.
Anyhow, the important thing is that you use the 3rd parameter of alloc to specify that the range is within 32-bit (and disable kernel mode read/write process memory), or deal with the fact that jmp has a chance of being 14 bytes.
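Two of Dark Byte's points in this thread come down to the same rule of x86-64 addressing, that a rel32 displacement only reaches about 2 GB in either direction: a copied region's RIP-relative operands keep working only if the copy sits within that range of what they referred to (his explanation of why the stealthedit plugin does not handle 64-bit), and the jmp CE writes to a code cave is the 5-byte E9 rel32 form only when the cave is within that range of the hook, otherwise it becomes the 14-byte FF 25 00000000 plus 8-byte absolute form (his note about the third parameter of alloc). The following is an added example, not code from this thread or from Cheat Engine; the addresses and the sample mov rax,[rip+disp32] instruction are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Can `target` be reached from an instruction that ends at `next_ip` with a signed 32-bit
   displacement? This is the rule behind both the 5-byte jmp and RIP-relative operands. */
int rel32_reachable(uint64_t next_ip, uint64_t target) {
    int64_t delta = (int64_t)(target - next_ip);
    return delta >= INT32_MIN && delta <= INT32_MAX;
}

/* Little-endian host assumed, as on x86. */
int32_t read_disp32(const uint8_t *p) { int32_t d; memcpy(&d, p, 4); return d; }

/* Encode `jmp to` placed at `from` into out (room for 14 bytes). Returns the length used:
   5  = E9 rel32                 when the cave is within rel32 range of the hook
   14 = FF 25 00000000 <imm64>   (jmp [rip+0] through an inline pointer) when it is not */
size_t encode_jmp(uint64_t from, uint64_t to, uint8_t out[14]) {
    if (rel32_reachable(from + 5, to)) {
        int32_t rel = (int32_t)(to - (from + 5));
        out[0] = 0xE9;
        memcpy(out + 1, &rel, 4);
        return 5;
    }
    out[0] = 0xFF; out[1] = 0x25;
    memset(out + 2, 0, 4);          /* disp32 = 0: the pointer sits right after the instruction */
    memcpy(out + 6, &to, 8);
    return 14;
}

/* Fix one RIP-relative disp32 in a block copied from orig_base to copy_base, so the copy still
   refers to the original target (what a 64-bit stealthedit would have to do for every such
   instruction). instr_off/instr_len locate the instruction inside the block, disp_off its
   displacement field. Returns -1, changing nothing, when the original target is no longer
   within rel32 range of the copy, i.e. the copy was placed too far away. */
int relocate_rip_rel(uint8_t *code, size_t instr_off, size_t instr_len, size_t disp_off,
                     uint64_t orig_base, uint64_t copy_base) {
    uint64_t orig_next = orig_base + instr_off + instr_len;
    uint64_t target    = orig_next + (int64_t)read_disp32(code + disp_off);
    uint64_t copy_next = copy_base + instr_off + instr_len;
    if (!rel32_reachable(copy_next, target)) return -1;
    int32_t ndisp = (int32_t)(target - copy_next);
    memcpy(code + disp_off, &ndisp, 4);
    return 0;
}

/* Constructed samples: mov rax,[rip+0x100] (48 8B 05 disp32) twice, and a scratch jmp buffer. */
uint8_t sample_insn[7]  = {0x48, 0x8B, 0x05, 0x00, 0x01, 0x00, 0x00};
uint8_t sample_insn2[7] = {0x48, 0x8B, 0x05, 0x00, 0x01, 0x00, 0x00};
uint8_t jmp_bytes[14];

int main(void) {
    size_t n = encode_jmp(0x7FF600001000ULL, 0x7FF600002000ULL, jmp_bytes);
    printf("cave near the hook: %zu-byte jmp, opcode %02X\n", n, jmp_bytes[0]);
    n = encode_jmp(0x7FF600001000ULL, 0x10000000ULL, jmp_bytes);
    printf("cave far away:      %zu-byte jmp, opcode %02X %02X\n", n, jmp_bytes[0], jmp_bytes[1]);
    int rc = relocate_rip_rel(sample_insn, 0, 7, 3, 0x1000, 0x5000);
    printf("copy 0x4000 away: rc=%d new disp=%d\n", rc, read_disp32(sample_insn + 3));
    rc = relocate_rip_rel(sample_insn2, 0, 7, 3, 0x1000, 0x1000 + 0x100000000ULL);
    printf("copy 4 GB away:   rc=%d (unchanged)\n", rc);
    return 0;
}
```

In CE's auto assembler the way to get the short form is to ask for the cave near the module, e.g. alloc(newmem,2048,ACU.exe); if that cannot be guaranteed, the original-code block you overwrite has to be at least 14 bytes of whole instructions rather than 5, which on a scanner instruction like mov eax,[rax] means pulling in several of its neighbours.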
|
DarkIceCore Expert Cheater Reputation: 0
Joined: 10 Jun 2012 Posts: 102 Location: Moscow
Posted: Thu Nov 13, 2014 7:23 pm
Using "hardware breakpoints", all works. Maybe wrong?
With "int3 instr." only on access; others make crashes.
With "page exceptions", just nothing.
I can make an injection at the "end" of code,
somewhere like "ACU.exe"+5A46FA4 etc., to push something or read from memory, but all my decisions have had no success.
Many times I saw some "protection" parts, but not sure how to "loop" them all.
Now I know about some functions/instructions for getting the right addresses for all inventory, money, points. Stuck on how to use them without injection in protected parts, just how to read them from there.
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25296 Location: The netherlands
Posted: Thu Nov 13, 2014 8:42 pm
Quote:
> Now I know about some functions/instructions for getting the right addresses for all inventory, money, points. Stuck on how to use them without injection in protected parts, just how to read them from there.
Do a code injection like you always do, but skip the part where you write a jmp to your code.
Change the script so it jumps back to the instruction after the instruction you wish to enter from (adjust the original code part as well).
Inject the script and note down the address of newmem (or whatever you named it).
Now right-click the original, unchanged address in memory view and choose "Change register at breakpoint", fill in the EIP field with the address of newmem (or however you call it) and click OK.
Now when that address executes, execution will continue from your code cave. Again, make sure it doesn't return to the original address, but behind it (else you'll loop).
Quote:
> Many times I saw some "protection" parts, but not sure how to "loop" them all.
Make a copy of the original memory (save and load it at a different location using files, or using a simple rep movsd loop) and change the read pointer so it points to the relative location of the copy.
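omoe's hook earlier in the thread and Dark Byte's last answer describe the same idea: keep a pristine copy of the module, and whenever the scanner's read pointer falls inside the module, move it to the same offset in the copy, so the checksum the scanner computes is the pre-patch one while the patched bytes keep executing. The following is an added example, not code from this thread or from Cheat Engine: the "module" is a constructed 64-byte buffer, the scanner is a stand-in FNV-1a checksum, and redirect_read is the C equivalent of the cmp/sub/add sequence in omoe's script.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the module's code section (not real ACU bytes). */
#define MODULE_SIZE 64
uint8_t module_live[MODULE_SIZE];   /* what actually executes; this is what gets patched */
uint8_t module_copy[MODULE_SIZE];   /* pristine snapshot taken before any patch (the ModuleCopy of the script) */

/* The C equivalent of the cmp/sub/add sequence in omoe's script: a read that falls inside
   [base, base+size) is moved to the same offset in the copy; any other address is left alone. */
const uint8_t *redirect_read(const uint8_t *p) {
    uintptr_t a = (uintptr_t)p, base = (uintptr_t)module_live;
    if (a < base || a >= base + MODULE_SIZE) return p;
    return module_copy + (a - base);
}

/* Stand-in integrity scanner: FNV-1a over the module, one byte per read, with an optional
   hook on the read address (NULL = read the live bytes, as the unhooked game does). */
typedef const uint8_t *(*read_hook)(const uint8_t *);
uint32_t scan_module(read_hook hook) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < MODULE_SIZE; i++) {
        const uint8_t *p = module_live + i;
        if (hook) p = hook(p);
        h = (h ^ *p) * 16777619u;
    }
    return h;
}

/* Fill the "module" with deterministic bytes and snapshot it. In the real target the snapshot
   must be complete before any of the scanner threads can read through the hook, which is why
   omoe suggests pausing the game while the script is injected. */
void setup_module(void) {
    for (size_t i = 0; i < MODULE_SIZE; i++) module_live[i] = (uint8_t)(0x90 ^ i);
    memcpy(module_copy, module_live, MODULE_SIZE);
}

void patch_module(size_t off, uint8_t b) { module_live[off] = b; }

/* 1 when the bypass holds: the direct scan notices the patch, the redirected scan does not. */
int bypass_holds(void) {
    setup_module();
    uint32_t clean = scan_module(NULL);
    patch_module(10, 0xCC);   /* e.g. an int3, or the first byte of a jmp to a cave */
    return scan_module(NULL) != clean && scan_module(redirect_read) == clean;
}

int main(void) {
    setup_module();
    uint32_t clean = scan_module(NULL);
    patch_module(10, 0xCC);
    printf("clean %08x  direct after patch %08x  redirected after patch %08x\n",
           clean, scan_module(NULL), scan_module(redirect_read));
    printf("bypass holds: %d\n", bypass_holds());
    return 0;
}
```

Two caveats a practitioner should keep in mind: the copy has to be taken from an unmodified module (take it before the first patch, or from the on-disk file as Dark Byte suggests), and every scanner read path needs the redirect, which is why the post lists several addresses rather than one; a single unhooked scanner still sees the patched bytes.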