Cheat Engine Forum (The Official Site of Cheat Engine) -> Cheat Engine

Crash upon injection

 
Qvintus (Cheater)
Posted: Thu May 28, 2015 3:06 am    Post subject: Crash upon injection

When I try to inject my script, the game simply crashes.
I've been trying to get my hands on the base address using this method:
Code:

aobscan(base,F3 0F 7E 46 50 66 0F)
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
label(var)
registersymbol(var)
registersymbol(base)


newmem: //this is allocated memory, you have read,write,execute access
push eax
cmp byte [esi],224
jne originalcode
mov eax,[esi+50]
mov [var],esi
pop eax

originalcode:
movq xmm0,[esi+50]

exit:
jmp returnhere

base:
jmp newmem
returnhere:

var:
dd 0

I've done something similar before, but this time it crashes.

Another method I've been trying is using the alloc() functionality like so:
Code:

aobscan(base,F3 0F 7E 46 50 66 0F)
alloc(newmem,2048)
alloc(var,4)
label(returnhere)
label(originalcode)
label(exit)
registersymbol(var)
registersymbol(base)


newmem: //this is allocated memory, you have read,write,execute access
push eax
cmp byte [esi],224
jne originalcode
mov eax,[esi+50]
mov [var],esi
pop eax

originalcode:
movq xmm0,[esi+50]

exit:
jmp returnhere

base:
jmp newmem
returnhere:

This method, however, only seems to store the value of the address I want, while what I want is the actual address stored in esi.

I'm horrible at assembly, and tbh I don't understand much other than that I can move addresses using the mov command.

I hope someone can enlighten me on why it would crash.

Original output for reference:
Code:

//07E53783 - 85 F6  - test esi,esi
//07E53785 - 0F84 F6020000 - je 07E53A81
//07E5378B - F3 0F7E 46 50  - movq xmm0,[esi+50] <<
//07E53790 - 66 0FD6 85 58FFFFFF  - movq [ebp-000000A8],xmm0
//07E53798 - 8B B1 28010000  - mov esi,[ecx+00000128]
Dark Byte (Site Admin)
Posted: Thu May 28, 2015 4:41 am

The line
Code:

jne originalcode

makes it skip the pop eax.

I recommend putting the push eax after the jne line.

Qvintus (Cheater)
Posted: Thu May 28, 2015 4:59 am

Sadly that didn't fix it.

Code:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscan(base,F3 0F 7E 46 50 66 0F)
alloc(newmem, 2048)
label(returnhere)
label(originalcode)
label(var)
label(exit)
registersymbol(var)
registersymbol(base)

newmem: //this is allocated memory, you have read,write,execute access

cmp byte [esi],224
jne originalcode
push eax
mov eax,[esi+50]
mov [var],esi
pop eax

originalcode:
movq xmm0,[esi+50]

exit:
jmp returnhere

base:
jmp newmem
returnhere:

var:
dd 0
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)

base:
movq xmm0,[esi+50]
unregistersymbol(var)
unregistersymbol(base)
//Alt: db F3 0F 7E 46 50 66 0F
//07E53783 - 85 F6  - test esi,esi
//07E53785 - 0F84 F6020000 - je 07E53A81
//07E5378B - F3 0F7E 46 50  - movq xmm0,[esi+50] <<
//07E53790 - 66 0FD6 85 58FFFFFF  - movq [ebp-000000A8],xmm0
//07E53798 - 8B B1 28010000  - mov esi,[ecx+00000128]
Dark Byte (Site Admin)
Posted: Thu May 28, 2015 5:18 am

Still a crash, or the wrong value?
You're sure the AOB you've picked is unique?

Qvintus (Cheater)
Posted: Thu May 28, 2015 6:02 am

Hmm, OK, after some testing it seems I might not have had a unique byte array to scan for. Now that it doesn't crash, I've realized, though, that cmp byte doesn't work as intended.

From what I can see there, it compares ESI with 24 and not 224 as I ask?

Code:

//code from here to '[DISABLE]' will be used to enable the cheat
aobscan(base,0F 84 ?? ?? ?? ?? F3 0F 7E 46 50 66 0F D6 85)
alloc(newmem, 2048)
label(returnhere)
label(originalcode)
label(var)
label(exit)
label(codec)
registersymbol(var)
registersymbol(base)

newmem: //this is allocated memory, you have read,write,execute access

codec:
cmp byte [esi],224
jne originalcode
push eax
mov eax,[esi+50]
mov [var],esi
pop eax

var:
dd 0

originalcode:
movq xmm0,[esi+50]

exit:
jmp returnhere

base+6:
jmp codec
returnhere:
Dark Byte (Site Admin)
Posted: Thu May 28, 2015 6:32 am

Is 224 a decimal or hex value?

If decimal, use #224; if hexadecimal, then use cmp word [esi],224.

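The two problems Dark Byte points out in this thread, the jne path that skips pop eax and CE reading a bare 224 as hex, can both be checked mechanically before a script is ever injected. The Python below is an added example, not code from the thread or from Cheat Engine: a small lint that splits a code cave into labels and instructions, follows every branch to the jmp back, and reports the push/pop depth on each path plus any data directive that would execute as code. parse_imm applies CE's literal rule (hex unless prefixed with #). FIRST_CAVE is constructed from the first post's script, trimmed; the names walk_cave, parse_cave and parse_imm are this example's own.

```python
JUMPS = {"jmp", "je", "jne", "jz", "jnz", "ja", "jb", "jg", "jl"}
DATA = {"db", "dw", "dd", "dq"}          # data directives: must not sit on an executed path

def parse_imm(tok):
    """CE auto-assembler literal rule: hex by default, a '#' prefix means decimal."""
    tok = tok.strip()
    return int(tok[1:], 10) if tok.startswith("#") else int(tok, 16)

def parse_cave(text):
    """Return (label -> index of the instruction it names, list of instructions)."""
    labels, code = {}, []
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()  # drop CE '//' comments
        if line.endswith(":"):
            labels[line[:-1]] = len(code)
        elif line:
            code.append(line)
    return labels, code

def walk_cave(text, end_label="returnhere"):
    """Follow every path to the jump back; return (sorted push/pop depths at exit, data on an executed path)."""
    labels, code = parse_cave(text)
    depths, data_hit, seen, work = set(), [], set(), [(0, 0)]
    while work:
        i, depth = work.pop()
        while i < len(code) and (i, depth) not in seen:
            seen.add((i, depth))
            mnem, _, ops = code[i].partition(" ")
            if mnem in DATA:
                data_hit.append(code[i])     # 'dd 0' in the flow would run as instructions
            depth += {"push": 1, "pop": -1}.get(mnem, 0)
            if mnem not in JUMPS:
                i += 1
                continue
            target = ops.strip()
            if target == end_label:
                depths.add(depth)            # any depth other than 0 means a corrupted stack
                break
            if mnem != "jmp":                # conditional: keep the fall-through path too
                work.append((i + 1, depth))
            i = labels[target]
    return sorted(depths), data_hit

# Constructed sample: the first post's cave with push before the jne, trimmed.
FIRST_CAVE = "\n".join(["newmem:", "push eax", "cmp byte [esi],224", "jne originalcode",
                        "mov eax,[esi+50]", "pop eax", "originalcode:",
                        "movq xmm0,[esi+50]", "jmp returnhere"])
# The suggested fix: push after the jne, so the taken branch never skips the pop.
FIXED_CAVE = FIRST_CAVE.replace("push eax\n", "").replace("originalcode\n", "originalcode\npush eax\n")
```

walk_cave(FIRST_CAVE) reports depths [0, 1], one per path, while the fixed cave reports [0]; parse_imm("224") & 0xFF is 0x24, which is exactly the byte the poster saw being compared.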
Qvintus (Cheater)
Posted: Thu May 28, 2015 7:11 am

Alright, so I ended up changing the 224 to E0 and also tried with #224.
However, the address I'm ending up with has a value of 248 for some reason.

In the disassembler view the code seems to have changed a lot too.

Just going to assume it's the method I'm using that is flawed.

Edit:

Forgot I have to use the address as a pointer. This works great!
Code:

aobscan(base,F3 0F 7E 46 50 66 0F D6 85 58 FF FF FF)
alloc(newmem, 2048)
label(returnhere)
label(originalcode)
label(var)
label(exit)
label(overwrite)
label(codec)
registersymbol(var)
registersymbol(base)

newmem: //this is allocated memory, you have read,write,execute access

codec:
cmp byte [esi],#224
jne originalcode
je overwrite

overwrite:
cmp [var],0
jne originalcode
push eax
mov eax,esi
mov dword [var], eax
pop eax

originalcode:
movq xmm0,[esi+50]

exit:
jmp returnhere

var:
dd 0

base:
jmp codec
returnhere: