Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Confused How This Works - Please Help Me Learn This

Coreveen
Cheater
Reputation: 0

Joined: 12 May 2011
Posts: 39

Posted: Wed Sep 14, 2016 4:28 pm    Post subject: Confused How This Works - Please Help Me Learn This

Hey fellow table makers, I'm in a bit of a pickle. I've been having great success lately at getting most memory addresses I've encountered in any game I've tried to load up and display in CE 6.5.1 thanks to the AOB injection feature. It sure saves a lot of time not having to search for a whole bunch of addresses every time I start these games!

The method I've been using is taking the address from whichever register it is loading from and global-allocating it to a custom variable so that the table can load the relevant addresses right after the script is activated. Confusing to explain - my terminology and understanding of it is probably embarrassing just to read, I apologize for that. Here's an example of one of my scripts to give an idea.
Code:
[ENABLE]
aobscan(INJECT,D9 9E 30 02 00 00)
alloc(newmem,$1000)

label(code)
label(return)

globalalloc(_ts,4)

newmem:

code:
  mov [_ts],esi
  fstp dword ptr [esi+00000230]
  jmp return

INJECT:
  jmp code
  nop
return:
registersymbol(INJECT)

[DISABLE]
INJECT:
  db D9 9E 30 02 00 00

unregistersymbol(INJECT)
dealloc(newmem)


Code:
globalalloc(_ts,4)

mov [_ts],esi

I add the two lines shown above (in red in the original post), and in the address it just uses _ts plus whatever offsets the address(es) may be using. This works very well almost every time.

Now for the problem. This particular structure in the game doesn't load the address into one of the registers, as far as I can tell. None of those is the address or even close to the address 00145464.

Code:
EAX=00000006
EBX=00001B60
ECX=00000064
EDX=00000032
ESI=000007D0
EDI=0025EE44
ESP=0025EE00
EBP=0025EE54
EIP=0D477C07


i97(dot)servimg(dot)com/u/f97/17/03/54/84/learni10(dot)png

( Please accept my apology for censoring the link, it would not let me post the image without doing that. )

For reference of the AOB injection from the same AOB as their script:

Code:
[ENABLE]

aobscan(INJECT,83 05 64 54 14 00 0A A1 64 54 14 00 8D)
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  add dword ptr [00145464],0A
  jmp return

INJECT:
  jmp code
  nop
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 83 05 64 54 14 00 0A

unregistersymbol(INJECT)
dealloc(newmem)


The problem as seen in the above image is that I don't have a register to handle the address like I've been using in my scripts. As far as I can tell I won't be able to use my usual method to get this address into a script for ease of access loading later on.

So, the script at the bottom of that image was done by someone else. I have found the bytes they aobscan for in the memory viewer myself, but I don't understand how that script works. I get the array of bytes part, but what purposes are the clock+2: and clock_ptr: lines serving? What are they doing exactly? Then it disables with clock+6: and db 0A. Needless to say, when their script is activated it shows the address pointer perfectly fine with the correct value and address.

I mean sure, I can just copy the script but most of the reason I'm doing these tables is for the fun and challenge of learning to make them myself and I would really appreciate if anyone could help me understand this new method I've stumbled upon.

Thanks for your time everyone!
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Wed Sep 14, 2016 5:07 pm

That other script isn't doing any kind of an AoB injection. Since that instruction specifies an address only by a displacement, there is no register to copy the address from.

Instead of an AoB injection, just get the address from the machine code. The address is encoded into the instruction itself. If you can find the instruction through an AoB scan, you've already found the address.

More specifically, this is the instruction you want to get the address from:
Code:
mov esi,[00145464]  -  8B 35 64 54 14 00

Notice that the address is encoded in little endian starting at the third byte of the instruction. Thus, if an AoB scan has the right signature for that instruction, it's possible to register a symbol at INJECT+2 that will effectively be a pointer to the desired address.

The signature may be harder to create than normal. With this particular kind of addressing mode (i.e. a displacement to a non-static address), the address will usually change when the process is restarted. In that case, it's necessary to replace that part of the instruction with wildcards. This could invalidate the signature generated by CE, so you should scan for the AoB pattern yourself to make sure it's unique. Make sure to search through all memory (not just writable).

With regards to that other person's script, a lot of that seems unnecessary. A simplified version of your script would look something like this:
Code:
[ENABLE]
aobscan(temp,8B 35 ** ** ** ** E8 B9)   // make sure this is unique
label(myAddress)                        // label to store the address in
registersymbol(myAddress)               // registers it as a symbol for use in the address list

temp+2:         // all instructions and labels after this are relative to the address temp+2
myAddress:      // gives the myAddress label the same address as temp+2

[DISABLE]
unregistersymbol(myAddress)   // unregisters the symbol (cleanup)

_________________
I don't know where I'm going, but I'll figure it out when I get there.
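As an added illustration of the point made above (not code from the thread or from Cheat Engine itself): a small Python model of a CE-style AoB scan over a constructed memory image, with wildcard support, a uniqueness check, and the little-endian disp32 read from INJECT+2. The memory bytes, the `E8 B9` call stub and all function names are constructed for the example.

```python
# Added example: model CE's aobscan + "temp+2:" label trick in Python.
import struct

def parse_signature(sig: str):
    """'8B 35 ** ** ** ** E8 B9' -> list of ints, None for a wildcard (** or ??)."""
    return [None if tok in ("**", "??") else int(tok, 16) for tok in sig.split()]

def aobscan(memory: bytes, sig: str):
    """Return every offset in `memory` where the wildcard signature matches."""
    pat = parse_signature(sig)
    return [
        i for i in range(len(memory) - len(pat) + 1)
        if all(p is None or memory[i + j] == p for j, p in enumerate(pat))
    ]

def find_unique(memory: bytes, sig: str) -> int:
    """Like CE's aobscan: the pattern must match exactly once or the scan fails."""
    hits = aobscan(memory, sig)
    if len(hits) != 1:
        raise ValueError(f"signature {sig!r} matched {len(hits)} times; must be unique")
    return hits[0]

def disp32_at(memory: bytes, offset: int) -> int:
    """Decode the little-endian 32-bit displacement stored at `offset` (e.g. INJECT+2)."""
    return struct.unpack_from("<I", memory, offset)[0]

def resolve_static_address(memory: bytes, sig: str, disp_offset: int = 2) -> int:
    """The address a 'temp+N:' label resolves to, read out of the matched instruction."""
    return disp32_at(memory, find_unique(memory, sig) + disp_offset)

# Constructed memory image (not a game dump): the two instructions the thread
# discusses, with padding on both sides.
#   8B 35 64 54 14 00      mov esi,[00145464]
#   E8 B9 00 00 00         call rel32 (constructed, gives the "E8 B9" anchor)
#   83 05 64 54 14 00 0A   add dword ptr [00145464],0A
MEMORY = (
    b"\x90" * 8
    + bytes.fromhex("8B 35 64 54 14 00")
    + bytes.fromhex("E8 B9 00 00 00")
    + bytes.fromhex("83 05 64 54 14 00 0A")
    + b"\xCC" * 8
)

if __name__ == "__main__":
    # Both instructions keep their disp32 at byte 2, so the same offset works for each.
    for sig in ("8B 35 ** ** ** ** E8 B9", "83 05 ** ** ** ** 0A"):
        print(f"{sig:28} -> {resolve_static_address(MEMORY, sig):08X}")
    # Without wildcards the raw address bytes alone are NOT unique here:
    print("64 54 14 00 hits:", aobscan(MEMORY, "64 54 14 00"))
```

Scanning for the bare address bytes returns two hits, which is exactly why the signature needs surrounding opcode bytes and a uniqueness check before a label at temp+2 can be trusted.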
Coreveen
Cheater
Reputation: 0

Joined: 12 May 2011
Posts: 39

Posted: Wed Sep 14, 2016 5:20 pm

By AOB Injection I mean the feature in auto-assemble from the Template menu, the function itself. I was aware that my raw injection was doing absolutely nothing, it was more or less code ready to be modified or extended.

That said, I have to hand it to you, you're excellent at explaining things in simple to understand format. Thanks so much, I actually get it now! I had no idea the address itself was actually a part of the array.. gosh that makes me feel silly. It actually makes a lot of sense! I had not noticed until you pointed that out. Explaining the logic of scan+x: and myLabel: is really awesome of you too!

Is clock+6: db 0A even necessary?
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Wed Sep 14, 2016 5:25 pm

The byte at the address clock+6 was already 0A in the signature for the AoB scan, so unless the game is changing its own code, that is unnecessary.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Coreveen
Cheater
Reputation: 0

Joined: 12 May 2011
Posts: 39

Posted: Fri Sep 16, 2016 5:41 am

That's what I figured based on my understanding of this. Entirely useless since it's already 0A. Thanks for your time, friend.