Obtaining a base address for use in cheat table?

ThatBenderGuy
Newbie cheater
Reputation: 0

Joined: 28 Aug 2013
Posts: 24

PostPosted: Tue Aug 02, 2016 12:06 am    Post subject: Obtaining a base address for use in cheat table?

Okay so I am trying to get a player's base address in a game and I found an update instruction to the player's health. Now I want to move the adjusted offset to a custom variable and I think I have the right script but what I have causes the game to crash. Here is my script:

Code:

define(playerUpdate, starbound.Star::StatSet::update+6B2)
globalalloc(playerBase,250)

[ENABLE]
assert(playerUpdate,F3 0F 11 83 84 00 00 00)
alloc(newmem,$1000)
label(code)
label(return)

newmem:
code:
  movss [rbx+00000084],xmm0
  mov [playerBase],rbx
  jmp return

playerUpdate:
  jmp code
  nop
  nop
  nop
  nop
  nop
return:

[DISABLE]
playerUpdate:
  db F3 0F 11 83 84 00 00 00


How many bytes does "jmp code" take up? I'm assuming that not having enough nops in there is why it's crashing, but if I could get some insight on this it would be nice.

EDIT:
Okay so looks like the jmp instruction is actually too long and overwrites 5-7 instructions within the update instruction area. Is it possible for me to shorten the instruction somehow?

_________________
Fine! I'll go build my own lunar lander, with blackjack and hookers. In fact, forget the lunar lander and the blackjack. Ahh, screw the whole thing!
predprey
Master Cheater
Reputation: 24

Joined: 08 Oct 2015
Posts: 486

PostPosted: Tue Aug 02, 2016 2:48 am    Post subject:

For 32-bit applications, a full jmp in machine code takes up 5 bytes. The CE template should automatically nop the correct amount when you generate it over an instruction. Overwriting 5-7 instructions seems too much for a single jmp. Are you perhaps reusing a template generated from another instruction and not changing the number of nops appropriately?

TLDR: the byte code for movss [rbx+00000084],xmm0 is F3 0F 11 83 84, just enough for a jmp instruction. Remove all the nops below playerUpdate:
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Tue Aug 02, 2016 9:04 am    Post subject:

predprey: That's correct for a 32-bit application. This is a 64-bit application (rbx implies 64-bit addressing).

OP: http://forum.cheatengine.org/viewtopic.php?p=5678286#5678286 (not exactly the same, but you should get the point)

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

PostPosted: Tue Aug 02, 2016 5:25 pm    Post subject:

You should just use CE's AOB Injection template and let it handle that magic.
Afterwards, you can replace the aobscan() with your define().
ThatBenderGuy
Newbie cheater
Reputation: 0

Joined: 28 Aug 2013
Posts: 24

PostPosted: Tue Aug 02, 2016 6:05 pm    Post subject:

Zanzer wrote:
You should just use CE's AOB Injection template and let it handle that magic.
Afterwards, you can replace the aobscan() with your define().


I have tried that and it does work fine, but the second I add my globalalloc it does the same thing and overwrites later instructions.

predprey wrote:
For 32-bit applications, a full jmp in machine code takes up 5 bytes. The CE template should automatically nop the correct amount when you generate it over an instruction. Overwriting 5-7 instructions seems too much for a single jmp. Are you perhaps reusing a template generated from another instruction and not changing the number of nops appropriately?

TLDR: the byte code for movss [rbx+00000084],xmm0 is F3 0F 11 83 84, just enough for a jmp instruction. Remove all the nops below playerUpdate:


Well, I've tried removing all the nops but it still (for whatever reason) is creating a bunch of add instructions.

I've tried revising my script but even this one still causes crashes. I moved down a few instructions, as the other ones get jumped to at some point, and this new instruction does not appear to have any jumps directly to it or the following instruction.

Code:

[ENABLE]
globalalloc(playerBase,512)
aobscanmodule(playerUpdate,starbound.exe,48 8D 4C 24 40 48 3B CE) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  lea rcx,[rsp+40]
  mov [playerBase],rbx
  jmp return

playerUpdate:
  jmp code
return:
registersymbol(playerUpdate)

[DISABLE]

playerUpdate:
  db 48 8D 4C 24 40

unregistersymbol(playerUpdate)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "starbound.exe"+493666

"starbound.exe"+493629: 80 7C 24 44 00           -  cmp byte ptr [rsp+44],00
"starbound.exe"+49362E: 0F 84 48 01 00 00        -  je starbound.exe+49377C
"starbound.exe"+493634: 48 8D 8B 88 00 00 00     -  lea rcx,[rbx+00000088]
"starbound.exe"+49363B: E8 50 F9 C1 FF           -  call starbound.exe+B2F90
"starbound.exe"+493640: F3 0F 10 44 24 40        -  movss xmm0,[rsp+40]
"starbound.exe"+493646: F3 0F 5E 00              -  divss xmm0,[rax]
"starbound.exe"+49364A: F3 0F 59 83 84 00 00 00  -  mulss xmm0,[rbx+00000084]
"starbound.exe"+493652: F3 0F 11 83 84 00 00 00  -  movss [rbx+00000084],xmm0 <--------- Original instruction that I tried scanning for
"starbound.exe"+49365A: 0F B6 44 24 44           -  movzx eax,byte ptr [rsp+44]
"starbound.exe"+49365F: 48 8D B3 88 00 00 00     -  lea rsi,[rbx+00000088]
// ---------- INJECTING HERE ----------
"starbound.exe"+493666: 48 8D 4C 24 40           -  lea rcx,[rsp+40]
// ---------- DONE INJECTING  ----------
"starbound.exe"+49366B: 48 3B CE                 -  cmp rcx,rsi
"starbound.exe"+49366E: 74 30                    -  je starbound.exe+4936A0
"starbound.exe"+493670: 84 C0                    -  test al,al
"starbound.exe"+493672: 74 22                    -  je starbound.exe+493696
"starbound.exe"+493674: 48 8D 4C 24 40           -  lea rcx,[rsp+40]
"starbound.exe"+493679: E8 12 F9 C1 FF           -  call starbound.exe+B2F90
"starbound.exe"+49367E: F3 0F 10 00              -  movss xmm0,[rax]
"starbound.exe"+493682: 80 7E 04 00              -  cmp byte ptr [rsi+04],00
"starbound.exe"+493686: 74 04                    -  je starbound.exe+49368C
"starbound.exe"+493688: C6 46 04 00              -  mov byte ptr [rsi+04],00
}



Last edited by ThatBenderGuy on Tue Aug 02, 2016 6:16 pm; edited 1 time in total
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

PostPosted: Tue Aug 02, 2016 6:15 pm    Post subject:

Oh, that's probably because you're allocating memory and it's likely nowhere near the injection point.
That is causing the jump to be 14 bytes long, as detailed in ParkourPenguin's link.
Use this version of alloc() to tell CE where to allocate the memory near:
Code:
alloc(newmem,$1000,playerUpdate)
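As an added illustration of the 5-byte versus 14-byte jump Zanzer describes (example code written for this page, not from the thread or from Cheat Engine): this Python encodes the jmp CE would need from the injection point in the listing ThatBenderGuy posted above and counts how many of the listed instructions a hook of that size overwrites, which is where the "5-7 instructions" observation comes from. The module base 0x140000000 is an assumption; the offsets, lengths and branch targets are taken from the listing.

```python
import struct

# Constructed from the listing in the post above. MODULE_BASE is an assumed
# image base; the real one is wherever starbound.exe was loaded.
MODULE_BASE = 0x140000000
SITE = [  # (address, length in bytes, mnemonic) starting at the injection point
    (MODULE_BASE + 0x493666, 5, "lea rcx,[rsp+40]"),
    (MODULE_BASE + 0x49366B, 3, "cmp rcx,rsi"),
    (MODULE_BASE + 0x49366E, 2, "je +4936A0"),
    (MODULE_BASE + 0x493670, 2, "test al,al"),
    (MODULE_BASE + 0x493672, 2, "je +493696"),
    (MODULE_BASE + 0x493674, 5, "lea rcx,[rsp+40]"),
    (MODULE_BASE + 0x493679, 5, "call +B2F90"),
]
# Branch targets visible in the listing; a hook must not land on top of one.
BRANCH_TARGETS = {MODULE_BASE + o for o in (0x49377C, 0x4936A0, 0x493696, 0x49368C)}


def encode_jmp(src: int, dst: int) -> bytes:
    """jmp rel32 (5 bytes) when dst is within +/-2 GiB of the next instruction,
    otherwise jmp qword ptr [rip+0] followed by the 8-byte absolute target (14 bytes)."""
    rel = dst - (src + 5)
    if -2**31 <= rel < 2**31:
        return b"\xE9" + struct.pack("<i", rel)
    return b"\xFF\x25\x00\x00\x00\x00" + struct.pack("<Q", dst)


def hook_footprint(site, hook_len: int):
    """Return (instructions overwritten, nop bytes needed to end on an
    instruction boundary, clobbered branch targets) for a hook of hook_len bytes."""
    covered, count, hit = 0, 0, []
    for addr, length, _ in site:
        if covered >= hook_len:
            break
        if count and addr in BRANCH_TARGETS:   # first slot holds the jmp itself
            hit.append(addr)
        covered += length
        count += 1
    if covered < hook_len:
        raise ValueError("listing too short for a hook of this size")
    return count, covered - hook_len, hit


if __name__ == "__main__":
    near = MODULE_BASE + 0x500000   # alloc(newmem,$1000,playerUpdate): close to the site
    far = 0x7FF600000000            # alloc(newmem,$1000): could end up anywhere
    for dst in (near, far):
        code = encode_jmp(SITE[0][0], dst)
        print(len(code), "byte jmp ->", hook_footprint(SITE, len(code)))
```

With a near allocation the hook is 5 bytes and replaces exactly the one lea; with a far allocation it grows to 14 bytes and swallows five instructions, so the script's nop count and any branch into that range must be re-checked.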
ThatBenderGuy
Newbie cheater
Reputation: 0

Joined: 28 Aug 2013
Posts: 24

PostPosted: Tue Aug 02, 2016 10:49 pm    Post subject:

Okay so I got the injection to work and here is my script

Code:

[ENABLE]
define(thePlayerUpdate,starbound.Star::StatSet::update+6B2)
alloc(newmem,$1000,thePlayerUpdate)

label(code)
label(return)

newmem:

code:
  movss [rbx+00000084],xmm0
  jmp return

thePlayerUpdate:
  jmp code
  nop
  nop
  nop
return:
registersymbol(thePlayerUpdate)

[DISABLE]

thePlayerUpdate:
  db F3 0F 11 83 84 00 00 00

unregistersymbol(thePlayerUpdate)
dealloc(newmem)


Now my only problem is when I add the instruction globalalloc(playerBase,250) and the instruction mov [playerBase],rbx to my script, the script no longer activates.

ThatBenderGuy
Newbie cheater
Reputation: 0

Joined: 28 Aug 2013
Posts: 24

PostPosted: Thu Aug 04, 2016 1:20 am    Post subject:

So here is my refined script:

Code:

define(thePlayerUpdate,starbound.Star::StatSet::update+6B2)
globalalloc(playerBase,250)

[ENABLE]
alloc(newmem,$1000,thePlayerUpdate)
label(code)
label(return)

newmem:

code:
  movss [rbx+00000084],xmm0
  cmp [rbx+138],0
  jne return
  //mov [playerBase],rbx
  jmp return

thePlayerUpdate:
  jmp code
  nop
  nop
  nop
return:
registersymbol(thePlayerUpdate)

[DISABLE]

thePlayerUpdate:
  db F3 0F 11 83 84 00 00 00

unregistersymbol(playerBase)
unregistersymbol(thePlayerUpdate)
dealloc(newmem)
dealloc(playerBase)


but whenever I uncomment mov [playerBase],rbx the script no longer activates. Is there a way to find out why just adding this 1 instruction makes it not activate?

Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

PostPosted: Thu Aug 04, 2016 6:07 am    Post subject:

Code:
code:
  movss [rbx+00000084],xmm0
  cmp [rbx+138],0
  jne return
  push rax
  mov rax,playerBase
  mov [rax],rbx
  pop rax
  jmp return
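Why the register detour in Zanzer's answer is needed, as an added example (written for this page, not the thread's or Cheat Engine's own code): in 64-bit mode `mov [symbol],rbx` with no base register can only be encoded RIP-relative, so it assembles only when the target lies within +/-2 GiB of the instruction, which a globalalloc far from the injected code does not guarantee; the push/mov/mov/pop form carries the full 64-bit address as an immediate and works anywhere. The addresses in the demo are constructed.

```python
import struct


def encode_store_rbx(insn_addr: int, target: int) -> bytes:
    """Encode 'mov [target],rbx' placed at insn_addr.

    Prefers the 7-byte RIP-relative form 48 89 1D disp32. When the target is
    out of rel32 range it falls back to the sequence from Zanzer's post, using
    rax as the scratch register (assumed; any register that is saved works).
    """
    rel = target - (insn_addr + 7)                  # disp32 is relative to the next instruction
    if -2**31 <= rel < 2**31:
        return b"\x48\x89\x1D" + struct.pack("<i", rel)   # mov [rip+disp32],rbx
    return (b"\x50"                                       # push rax
            + b"\x48\xB8" + struct.pack("<Q", target)     # mov rax,imm64
            + b"\x48\x89\x18"                             # mov [rax],rbx
            + b"\x58")                                    # pop rax


if __name__ == "__main__":
    code_addr = 0x140500000            # where the injected 'code:' block lives
    for playerbase in (0x140600000, 0x7FF600001000):
        enc = encode_store_rbx(code_addr, playerbase)
        print(f"playerBase={playerbase:#x}: {len(enc)} bytes {enc.hex(' ')}")
```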