Cheat Engine Forum Index Cheat Engine
Need just a little more help with AOBs with register copying
Jiehfeng
Expert Cheater
Reputation: 0

Joined: 03 Jan 2014
Posts: 107

PostPosted: Thu May 26, 2016 11:58 am    Post subject: Need just a little more help with AOBs with register copying

Just wanna clarify I only know the very basics about AOBs and the shared opcode solutions, or even just some of the basics, so please go easy on me. :P

I somehow learnt to do "Injection Copies" if that's what you call it (comparing a shared opcode with stuff and copying the base value to a globally allocated symbol so I can find addresses more easily). However, it only works when each value is changed. This is the code that I succeeded with:

Code:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
stealtheditex(itembase,"ACU.exe"+FDA3C4,1)
registersymbol(itemadd)
label(itemadd)
alloc(newmem,2048)
registersymbol(newmem)

globalalloc(money,5)
globalalloc(creed,5)
globalalloc(smoke,5)
globalalloc(stun,5)
label(dumpmoney)
label(dumpcreed)
label(dumpsmoke)
label(dumpstun)

label(tstmon)
label(tstcrd)
label(tstsmk)
label(tststn)

label(returnhere)
label(originalcode)
label(exit)

newmem:
tstmon:
cmp rbx,1
je dumpmoney

tstcrd:
cmp rbx,3B
je dumpcreed

tstsmk:
cmp rbx,5
je dumpsmoke

tststn:
cmp rbx,B
je dumpstun
jmp originalcode

originalcode:
mov [rax+28],ecx
movzx eax,byte ptr [rsp+70]

exit:
jmp returnhere


dumpmoney:
mov [money],rax
jmp tstcrd

dumpcreed:
mov [creed],rax
jmp tstsmk

dumpsmoke:
mov [smoke],rax
jmp tststn

dumpstun:
mov [stun],rax
jmp originalcode

itembase:
itemadd:
jmp newmem

returnhere:




[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"ACU.exe"+FDA3C4:
mov [rax+28],ecx
movzx eax,byte ptr [rsp+70]
//Alt: db 89 48 28 0F B6 44 24 70


So that works with the addresses I used to work with this script:

(ignore the question marks, it does work, just that I didn't open the game yet xD)


Now I want to learn how to get these addresses copied to the table without having to modify each value for each address. Or at least modify one value and have everything else pop up (all these addresses use one register plus an offset, which is [rax+28]).

So I believe AOBs are the way to do this? If so, this is what I did, and it doesn't work ofc:

Code:

[ENABLE]
aobscan(arno,A0 5A F3 42 01 00 00 00 ?? 00 00 00 ?? ?? ?? ?? F5 7F 00 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00)
alloc(newmem,2048)
registersymbol(newmem)
globalalloc(money,5)
globalalloc(creed,5)
globalalloc(smoke,5)
globalalloc(stun,5)

label(dumpmoney)
label(dumpcreed)
label(dumpsmoke)
label(dumpstun)

label(tstmon)
label(tstcrd)
label(tstsmk)
label(tststn)

label(returnhere)

arno:
newmem:
tstmon:
cmp rbx,1
je dumpmoney

tstcrd:
cmp rbx,3B
je dumpcreed

tstsmk:
cmp rbx,5
je dumpsmoke

tststn:
cmp rbx,B
je dumpstun

//

dumpmoney:
mov [money],rax
jmp tstcrd

dumpcreed:
mov [creed],rax
jmp tstsmk

dumpsmoke:
mov [smoke],rax
jmp tststn

dumpstun:
mov [stun],rax

returnhere:





[DISABLE]
dealloc(newmem)
unregistersymbol(newmem)
dealloc(money,5)
dealloc(creed,5)
dealloc(smoke,5)
dealloc(stun,5)


What should I do? Any kind of help appreciated. :D

_________________
I know you're reading this, Hitler.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

PostPosted: Thu May 26, 2016 4:26 pm    Post subject: Re: Need just a little more help with AOBs with register cop

You are doing a lot of things unnecessarily.

Jiehfeng wrote:
However, it only works when each value is changed.
-Have you tried injecting at an instruction that 'accesses' these values instead of 'writes' to them?
Jiehfeng
Expert Cheater
Reputation: 0

Joined: 03 Jan 2014
Posts: 107

PostPosted: Thu May 26, 2016 9:01 pm    Post subject: Re: Need just a little more help with AOBs with register cop

++METHOS wrote:
You are doing a lot of things unnecessarily.

Jiehfeng wrote:
However, it only works when each value is changed.
-Have you tried injecting at an instruction that 'accesses' these values instead of 'writes' to them?


Oh, like what?
And yeah, but the game crashes (I use the same script which worked but replaced the address and the originalcode opcodes).

_________________
I know you're reading this, Hitler.
cooleko
Grandmaster Cheater
Reputation: 11

Joined: 04 May 2016
Posts: 717

PostPosted: Thu May 26, 2016 9:27 pm    Post subject:

You can't use the same script, because when an instruction accesses an address instead of writing to it, the code is backwards.


Writes:

mov [address], value

accesses:

mov register, [address]


If you change the code to be correct, it will work on an access.
Also, make sure you edit the value before it is accessed so that the code alters the value (whereas with writes, you edit it after the write for it to work).
Jiehfeng
Expert Cheater
Reputation: 0

Joined: 03 Jan 2014
Posts: 107

PostPosted: Thu May 26, 2016 9:51 pm    Post subject:

cooleko wrote:
You can't use the same script, because when an instruction accesses an address instead of writing to it, the code is backwards.


Writes:

mov [address], value

accesses:

mov register, [address]


If you change the code to be correct, it will work on an access.
Also, make sure you edit the value before it is accessed so that the code alters the value (whereas with writes, you edit it after the write for it to work).


I'm sorry I don't fully understand.
Which one could I use?

The first one doesn't do what you said, it's cmp [address],register value.
That's the one I tried the script with and it crashed.
For the other one I used this script:

Code:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
stealtheditex(itembase,"ACU.exe"+1B7BB60,1)
registersymbol(itemadd)
label(itemadd)
alloc(newmem,2048)
registersymbol(newmem)

globalalloc(money,5)
globalalloc(creed,5)
globalalloc(smoke,5)
globalalloc(stun,5)
label(dumpmoney)
label(dumpcreed)
label(dumpsmoke)
label(dumpstun)

label(tstmon)
label(tstcrd)
label(tstsmk)
label(tststn)

label(returnhere)
label(originalcode)
label(exit)

newmem:
tstmon:
cmp rbx,1
je dumpmoney

tstcrd:
cmp rbx,3B
je dumpcreed

tstsmk:
cmp rbx,5
je dumpsmoke

tststn:
cmp rbx,B
je dumpstun
jmp originalcode

originalcode:
mov eax,[rcx+28]
ret
int 3

exit:
jmp returnhere


dumpmoney:
mov [money],rax
jmp tstcrd

dumpcreed:
mov [creed],rax
jmp tstsmk

dumpsmoke:
mov [smoke],rax
jmp tststn

dumpstun:
mov [stun],rax
jmp originalcode

itembase:
itemadd:
jmp newmem

returnhere:




[DISABLE]


No crashes, but none of the 4 addresses were copied, maybe RAX is not the same here?

_________________
I know you're reading this, Hitler.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

PostPosted: Thu May 26, 2016 9:56 pm    Post subject: Re: Need just a little more help with AOBs with register cop

Jiehfeng wrote:
And yeah, but the game crashes (I use the same script which worked but replaced the address and the originalcode opcodes).
-Instead of doing that, let CE recreate the script properly, using one of the other injection points. You have to consider the possibility that the other instructions are not accessing the same values, however, as well as the register values not being the same, so you'll want to do everything from scratch, anyway. But injecting using an 'access' instruction in lieu of a 'write' instruction (if possible) has several advantages...such as instant update of values (in most cases).
Jiehfeng
Expert Cheater
Reputation: 0

Joined: 03 Jan 2014
Posts: 107

PostPosted: Thu May 26, 2016 9:59 pm    Post subject: Re: Need just a little more help with AOBs with register cop

++METHOS wrote:
Jiehfeng wrote:
And yeah, but the game crashes (I use the same script which worked but replaced the address and the originalcode opcodes).
-Instead of doing that, let CE recreate the script properly, using one of the other injection points. You have to consider the possibility that the other instructions are not accessing the same values, however, as well as the register values not being the same, so you'll want to do everything from scratch, anyway. But injecting using an 'access' instruction in lieu of a 'write' instruction (if possible) has several advantages...such as instant update of values (in most cases).


I see, I'll do the whole thing from scratch with another address and get back to you.

EDIT:
Done, it works. The thing is, I forgot that the register values are different between the addresses even if the addresses access the same opcode, silly me. :P
Thanks again so much! :D

_________________
I know you're reading this, Hitler.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

PostPosted: Fri May 27, 2016 3:25 am    Post subject:

Good work. I was looking at your table and it doesn't look like your secondary checks are getting executed. I haven't checked this for errors, but you can probably simplify things while also making sure that your secondary checks get executed by doing something like this:

Code:
[ENABLE]
stealtheditex(itembase,"ACU.exe"+1B7BB60,1)
registersymbol(itemadd)
label(itemadd)
alloc(newmem,2048)

globalalloc(money,5)
globalalloc(creed,5)
globalalloc(peestol,5)
globalalloc(smokey,5)
globalalloc(stun,5)
globalalloc(cherry,5)
globalalloc(peasants,5)

label(dumppeasants)
label(dumpcherry)
label(dumpmoney)
label(dumpcreed)
label(dumppistol)
label(dumpsmoke)
label(dumpstun)

label(returnhere)
label(originalcode)

newmem:
cmp rdi,1
je dumpmoney

cmp rdi,3B
je dumpcreed

cmp rdi,337F910
jne @f
cmp rsi,2
je dumppistol

@@:
cmp rdi,337F930
jne @f
cmp rsi,5
je dumpsmoke

@@:
cmp rdi,B
jne @f
cmp rsi,44F991E0
je dumpstun

@@:
cmp rdi,7
jne @f
cmp rbp,12
je dumpcherry

@@:
cmp rdi,8
jne originalcode
cmp rbp,D
je dumppeasants


originalcode:
mov eax,[rcx+28]
ret
int 3
jmp returnhere


dumpmoney:
mov [money],rcx
jmp originalcode

dumpcreed:
mov [creed],rcx
jmp originalcode

dumppistol:
mov [peestol],rcx
jmp originalcode

dumpsmoke:
mov [smokey],rcx
jmp originalcode

dumpstun:
mov [stun],rcx
jmp originalcode

dumpcherry:
mov [cherry],rcx
jmp originalcode

dumppeasants:
mov [peasants],rcx
jmp originalcode


itembase:
itemadd:
jmp newmem
returnhere:


[DISABLE]
dealloc(newmem)
// restore the original bytes at the injection point used in [ENABLE]
"ACU.exe"+1B7BB60:
mov eax,[rcx+28]
ret
int 3
//Alt: db 8B 41 28 C3 CC

unregistersymbol(itemadd)


Also, if you delete your data structures, your table will be a lot smaller for people to download. :D
Jiehfeng
Expert Cheater
Reputation: 0

Joined: 03 Jan 2014
Posts: 107

PostPosted: Fri May 27, 2016 3:31 am    Post subject:

++METHOS wrote:
snip


Thanks! I will study that and check what you mean, and thanks for the filesize tip. :D

EDIT: What are those @@ labels? Is it something you don't have to declare? And where does jne @f go to?

_________________
I know you're reading this, Hitler.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

PostPosted: Fri May 27, 2016 4:00 am    Post subject:

They're anonymous labels:

Quote:
FASM supports labels that use no identifier or label name.

@@: represents an anonymous label. Any number of anonymous labels can be defined.
@b refers to the closest @@ that can be found when looking backwards in source. @r and @b are equivalent.
@f refers to the closest @@ that can be found when looking forwards in source.
Jiehfeng
Expert Cheater
Reputation: 0

Joined: 03 Jan 2014
Posts: 107

PostPosted: Fri May 27, 2016 4:05 am    Post subject:

Somehow found a thread about it, might come in handy, but as DB said, it looks crap to use those kinds of labels. :P
Oh and also, after comparing your script with mine knowing this, I meant for the compares to sometimes not happen. Meaning in this part for example:


Code:

tstpst:
cmp rdi,337F910
je dumppistol
cmp rsi,2
je dumppistol


I didn't mean that if both compares are true I should dump the pistol, no. I wanted it to check if either of them is true, and then dump the pistol, and it does that. :)

edit: ninja'd xD

_________________
I know you're reading this, Hitler.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

PostPosted: Fri May 27, 2016 4:20 am    Post subject:

Jiehfeng wrote:
I wanted it to check if either of them are true, then it would dump the pistol, and it does that.
-My mistake. Although, I might question the reliability and uniqueness of the filters in that case.
mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

PostPosted: Fri May 27, 2016 4:20 am    Post subject:

++METHOS wrote:
@b refers to the closest @@ that can be found when looking backwards in source. @r and @b are equivalent.
@f refers to the closest @@ that can be found when looking forwards in source.


Nope. In CE, @b/@f refer to the closest defined label or undefined (anonymous/unlabeled) label. (CE doesn't recognize @r)

Check this simple script:
Code:
label(xoring)

400500:
jne @f
db 90 90 90 90 90

xoring:
xor al,al
ret

@@:
mov al,01



jne @f will jump to xor al,al

Last edited by mgr.inz.Player on Fri May 27, 2016 4:24 am; edited 1 time in total
Jiehfeng
Expert Cheater
Reputation: 0

Joined: 03 Jan 2014
Posts: 107

PostPosted: Fri May 27, 2016 4:22 am    Post subject:

++METHOS wrote:
Jiehfeng wrote:
I wanted it to check if either of them are true, then it would dump the pistol, and it does that.
-My mistake. Although, I might question the reliability and uniqueness of the filters in that case.


I've run the program like a hundred times now; the first compare works only in some cases, but the second compare, I've noticed, has the same value all the time.

_________________
I know you're reading this, Hitler.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

PostPosted: Fri May 27, 2016 4:23 am    Post subject:

mgr.inz.Player wrote:
wiki wrote:
@b refers to the closest @@ that can be found when looking backwards in source. @r and @b are equivalent.
@f refers to the closest @@ that can be found when looking forwards in source.
Nope. @b @f refers to closest defined label or undefined (anonymous/unlabeled) label.

:D
Not my quote...but you can edit the wiki page.

Jiehfeng wrote:
the first compare works only in some cases, but the second compare I've noticed has the same value all the time.
-Then why have both? You run the risk of grabbing a bad address.
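As an added example (not code from the thread or from Cheat Engine itself): a small Python evaluator for the cmp/je/jne/jmp dispatch chains discussed above. It applies the CE rule mgr.inz.Player gives for `@f` (nearest label forward, named or anonymous) next to the FASM rule, and runs METHOS's AND-style filter and Jiehfeng's OR-style filter over constructed register snapshots to show which one copies a bad address when only the unreliable compare matches. The script fragments and register values are constructed for the example.

```python
import re

def _resolve(lines, pos, direction, ce_labels):
    """Target of @f/@b. ce_labels=True is the rule mgr.inz.Player gives (nearest label
    in that direction, named or '@@'); False is the FASM rule ('@@' only)."""
    rng = range(pos + 1, len(lines)) if direction == "f" else range(pos - 1, -1, -1)
    for i in rng:
        if lines[i].endswith(":") and (ce_labels or lines[i] == "@@:"):
            return i
    raise ValueError("unresolved @" + direction)

def run_dispatch(lines, regs, ce_labels=True):
    """Step a CE-style cmp/je/jne/jmp chain once, for one register snapshot.
    Returns (globals written by 'mov [sym],reg', labels passed through)."""
    lines = [l.strip() for l in lines if l.strip()]
    named = {l[:-1]: i for i, l in enumerate(lines) if l.endswith(":") and l != "@@:"}
    written, visited, zf, pc = {}, [], False, 0
    while pc < len(lines):
        ins = lines[pc]
        if ins.endswith(":"):
            visited.append(ins[:-1])
            pc += 1
            continue
        if ins == "ret":
            break
        m = re.fullmatch(r"cmp (\w+),([0-9A-Fa-f]+)", ins)
        if m:  # CE immediates are hex unless prefixed with '#'
            zf = regs[m.group(1)] == int(m.group(2), 16)
        m = re.fullmatch(r"(jmp|je|jne) (\S+)", ins)
        if m and (m.group(1) == "jmp" or (m.group(1) == "je") == zf):
            tgt = m.group(2)
            pc = _resolve(lines, pc, tgt[1], ce_labels) if tgt in ("@f", "@b") else named[tgt]
            continue
        m = re.fullmatch(r"mov \[(\w+)\],(\w+)", ins)
        if m:
            written[m.group(1)] = regs[m.group(2)]
        pc += 1  # db, xor, mov reg,... and other instructions are no-ops here
    return written, visited

# Constructed fragments trimmed from the thread's scripts: AND_CHAIN keeps METHOS's
# 'jne @f' structure, OR_CHAIN Jiehfeng's tstpst block, LABEL_DEMO mgr.inz.Player's script.
AND_CHAIN = ["newmem:", "cmp rdi,337F910", "jne @f", "cmp rsi,2", "je dumppistol",
             "@@:", "jmp originalcode", "originalcode:", "ret",
             "dumppistol:", "mov [peestol],rcx", "jmp originalcode"]
OR_CHAIN = ["tstpst:", "cmp rdi,337F910", "je dumppistol", "cmp rsi,2", "je dumppistol",
            "jmp originalcode", "originalcode:", "ret",
            "dumppistol:", "mov [peestol],rcx", "jmp originalcode"]
LABEL_DEMO = ["label(xoring)", "400500:", "jne @f", "db 90 90 90 90 90",
              "xoring:", "xor al,al", "ret", "@@:", "mov al,01"]
```

With rdi=5 and rsi=2 (an unrelated object whose second register happens to match), the OR chain writes that object's rcx into peestol while the AND chain writes nothing, which is the bad-address risk METHOS points out.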
All times are GMT - 6 Hours
Page 1 of 2