Cheat Engine The Official Site of Cheat Engine
ParkourPenguin (I post too much), posted Sat May 21, 2016 9:03 am:
Does changing one of those values in the address list actually change the number of skill points in-game? If not, then you haven't found the right value.
Regardless, I'd guess those instructions also access other addresses. Read this topic for more information.
Jiehfeng (Expert Cheater), posted Sat May 21, 2016 9:14 am:
ParkourPenguin wrote:
Does changing one of those values in the address list actually change the number of skill points in-game? If not, then you haven't found the right value.
Regardless, I'd guess those instructions also access other addresses. Read this topic for more information.
No, it doesn't. And no, I don't think so; I did try right-clicking the opcode and checking what addresses change or whatever, but it's just the address I found.
Furthermore, if the addresses are wrong, how do I find the right one? All I did was use the traditional method, scanning for all types with the exact value.
Jiehfeng (Expert Cheater), posted Sat May 21, 2016 9:47 am:
Cake-san wrote:
I thought this game had some kind of protection?
Well, never mind.
Sorry, I think I can't teach/guide you.
You can just find the pointer like you do in the CE tutorial.
Funny you mention it, I think I just found that out lol.
^By simply replicating the code, even then it crashes the game. Anyone know where I could go from here? Pointers are the only option I see, but is there any workaround for the protection, or a working script?
EDIT:
HOLY CRAP.
I did it, the game doesn't crash.
What I did was use stealthedit, and it all went well!
So on to the final question:
is there a way I can get a script to activate stealth edit and then go on with the instructions?
Cake-san (Grandmaster Cheater), posted Sat May 21, 2016 10:04 am:
Just make a script that disables the integrity check, then. -_-
Jiehfeng (Expert Cheater), posted Sat May 21, 2016 11:28 am:
Ok, for some reason opening the debugger now crashes the game; it worked fine earlier...
++METHOS (I post too much), posted Sun May 22, 2016 1:13 am:
EDIT:
I mistakenly thought you were referring to a different version of AC. Nonetheless, here is a sample script that you can use as reference:
Code:
//Target: firefox.exe
//Author: ++METHOS
[ENABLE]
{==================== example ====================}
aobscanmodule(aob_example,firefox.exe,8B 4D 08 C6 46 0C 00)
alloc(newmem_example,1024,firefox.exe)
stealtheditex(stealth_example,aob_example,3)
label(originalcode_example)
label(return_example)
label(stealthedit_example)
registersymbol(stealthedit_example)
newmem_example:
originalcode_example:
mov ecx,[ebp+08]
mov byte ptr [esi+0C],00
jmp return_example
stealth_example:
stealthedit_example:
jmp newmem_example
db 90 90 //the original 7 bytes: 5-byte jmp plus 2 nops
return_example:
[DISABLE]
dealloc(newmem_example)
stealthedit_example:
db 8B 4D 08 C6 46 0C 00 //restore the original bytes
unregistersymbol(stealthedit_example)
Be sure that you are running the latest version of CE, as well as the latest version of the SE plugin. Also, make sure that you have the plugin enabled and that you are using the correct version (e.g. x86 or x64).
When working with the SE plugin, you may have to completely close out the target process and CE in order to 'reset' things back to normal if you start experiencing issues. Be sure to check your task manager to ensure that nothing is running in the background.
Jiehfeng (Expert Cheater), posted Sun May 22, 2016 6:44 am:
Thanks to ++METHOS, I got stealthedit working in a script and everything works fine, except I need a little help in the actual script.
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
stealtheditex(stealth,"ACU.exe"+FDA3C4,2)
alloc(newmem,2048)
label(returnhere)
label(originalcode)
registersymbol(test)
label(test)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
originalcode:
mov [rax+28],#200000 //replaces the original mov [rax+28],ecx
movzx eax,byte ptr [rsp+70]
exit:
jmp returnhere
stealth:
test:
jmp newmem
nop //the original 8 bytes: 5-byte jmp plus 3 nops
nop
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"ACU.exe"+FDA3C4:
mov [rax+28],ecx
movzx eax,byte ptr [rsp+70]
//Alt: db 89 48 28 0F B6 44 24 70
^That code works perfectly for getting me money, but the problem is it gets me everything else too. Things like items get set to 200,000 also. So what could I write in the script to get it to work only for money, or only once? Something like: compare if it is 200,000, and if so do the normal code, or if it isn't, set it to 200,000?
I know the basics of auto assembly, but I never got how the flow works. After all the labels are assigned, does it go in order and execute every instruction? Or does it go to the first assigned label and go from there?
STN (I post too much), posted Sun May 22, 2016 7:25 am:
^Scroll up and follow ParkourPenguin's advice/link; it explains how you can find an identifier so you can access only one address type (items/money etc.). Or find a pointer.
What is auto-assembly? If you mean the CE auto-assembler, then it assigns all labels/symbols first, then injects the instructions according to the labels they're placed in. That is all AA does; it doesn't execute anything. You can see which order CE does what in the source; I don't remember, but I think it takes care of labels first, then allocates memory, or kind of ran a loop?
Your injected code is then executed by the game when control (EIP) reaches your desired instruction, jumps to your code cave (if you have one) and executes it in the same way assembly language does (i.e. imperative or step-by-step execution).
Jiehfeng (Expert Cheater), posted Sun May 22, 2016 10:12 am:
STN wrote:
^Scroll up and follow ParkourPenguin's advice/link; it explains how you can find an identifier so you can access only one address type (items/money etc.). Or find a pointer.
What is auto-assembly? If you mean the CE auto-assembler, then it assigns all labels/symbols first, then injects the instructions according to the labels they're placed in. That is all AA does; it doesn't execute anything. You can see which order CE does what in the source; I don't remember, but I think it takes care of labels first, then allocates memory, or kind of ran a loop?
Your injected code is then executed by the game when control (EIP) reaches your desired instruction, jumps to your code cave (if you have one) and executes it in the same way assembly language does (i.e. imperative or step-by-step execution).
I see, thanks.
About the tutorial, Rydian gave 3 methods. The first I cannot do, or it is the same thing: when I find two instructions that happen all the time, both of them access more than one address, in other words not only the money address. So using both of them basically does the same thing; all my inventory and money values go to the set value.
The second method is like the invincibility timer in Mario games, so that's a no.
Finally, the third is kind of impossible, as there are so many "purple" values in the dissect data structure.
ParkourPenguin (I post too much), posted Sun May 22, 2016 10:15 am:
++METHOS wrote:
There are other things that you can try.
- You can use a pointer address for your filter, inside of your script, for the value that you are trying to manipulate.
- You can use pointer trees inside of the data structure to find something viable.
- You can shift the data structure (+ or -) and/or expand its size to find something useful.
- You can use the structure spider to find workable strings and/or for comparative analysis.
- You can check the register values by attaching the debugger or setting a breakpoint to see if something can be used for your filter.
- You can check to see if there are any instructions that are exclusive to the address/value that you are trying to manipulate and store the address for your filter by creating a second injection point.
- You can check to see if there are any instructions that are exclusive to any other address/value inside of the data structure for the address/value that you are trying to manipulate and store the address for your filter by creating a second injection point.
- You can analyze assembly code to see if an identifier is being checked or assigned somewhere.
- Et al.
STN (I post too much), posted Sun May 22, 2016 10:33 am:
What I like to do, and it is very time-consuming, is debug around the function and figure out some sort of identifier that the game uses for each value type. Or perhaps the caller is different for when money/items are accessed. Usually, one of the registers will contain an ID, e.g. 1 for money, 2 for item a, 3 for item b, etc.
I don't recommend this except as a last resort, because CE offers way easier and quicker methods. I haven't trained this game so I don't know what you can use, but have a look around the tables section and see what identifier they used for differentiating?
The dissect data structure is a good tool; if you can't find a difference, expand the search addresses? For example, select money-100/items-100 as the starting address and look 1024 bytes further... something like this.
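The filter idea the thread keeps coming back to (++METHOS's "store the address for your filter" and STN's "one of the registers will contain an ID"), as an added C simulation that is not from the thread or from Cheat Engine: a constructed toy inventory whose fields are all written by one shared routine, the unfiltered hook that forces every field (the thread's problem), and two filtered hooks that only touch the money field. The struct, the per-field IDs and the sample values are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy game state: every field below is written by ONE shared
 * routine, which is the situation in the thread (the hooked mov [rax+28],ecx
 * stores money and item counts alike). */
typedef struct { int32_t money; int32_t potions; int32_t arrows; } Inventory;

enum { ID_MONEY = 1, ID_POTIONS = 2, ID_ARROWS = 3 };  /* hypothetical field IDs */

#define FORCED_VALUE 200000

/* Address recorded as the filter (the "store the address for your filter" idea). */
static int32_t *filter_addr = NULL;

/* Stand-in for the original instruction: one write path shared by all fields.
 * `id` plays the role of a register that happens to carry a field identifier. */
static void original_store(int32_t *dst, int32_t id, int32_t value) {
    (void)id;
    *dst = value;
}

/* Unfiltered hook, equivalent to replacing the store with mov [rax+28],#200000:
 * every field that flows through the shared routine is forced. */
static void hook_unfiltered(int32_t *dst, int32_t id, int32_t value) {
    (void)id; (void)value;
    *dst = FORCED_VALUE;
}

/* Address filter: force the value only when the destination is the stored
 * filter address; every other field runs the original code untouched. */
static void hook_filter_addr(int32_t *dst, int32_t id, int32_t value) {
    if (dst == filter_addr) *dst = FORCED_VALUE;
    else original_store(dst, id, value);
}

/* ID filter: the variant STN describes, keyed on an identifier in a register. */
static void hook_filter_id(int32_t *dst, int32_t id, int32_t value) {
    if (id == ID_MONEY) *dst = FORCED_VALUE;
    else original_store(dst, id, value);
}

/* The "game" updating all fields through whichever store routine is installed. */
static void game_tick(Inventory *inv, void (*store)(int32_t *, int32_t, int32_t)) {
    store(&inv->money, ID_MONEY, 50);
    store(&inv->potions, ID_POTIONS, 3);
    store(&inv->arrows, ID_ARROWS, 12);
}

/* Each runner returns the potion count, so the side effect on other fields shows. */
int run_unfiltered(Inventory *inv) { game_tick(inv, hook_unfiltered); return inv->potions; }
int run_filter_addr(Inventory *inv) { filter_addr = &inv->money; game_tick(inv, hook_filter_addr); return inv->potions; }
int run_filter_id(Inventory *inv) { game_tick(inv, hook_filter_id); return inv->potions; }
```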