Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
need help with injection copy!!

 
xenowyaa
Newbie cheater
Reputation: 0

Joined: 13 Feb 2024
Posts: 16

PostPosted: Sat Apr 20, 2024 9:20 am    Post subject: need help with injection copy!!

Okay, so for the most part I kind of know what I'm doing. I've done injection copies for a lot of games, but recently I came across this issue and I desperately want to learn how to fix it. So doing a normal injection copy looks something like this:
--------
globalalloc(nightvision2,8)

newmem:

code:
mov rax,rsi
mov [nightvision2],rax
movss [rsi+00001324],xmm12
jmp return
---------
So I would simply move rax into my allocated memory, which works nicely, but the issue I came across looks like this:
--------
globalalloc(INJECT2,8)

newmem:

code:
movss xmm0,[r8+rax*4+0000123C]
jmp return
---------

What exactly do I move into my allocated memory? I tried rax, I tried just r8, but I do know xmm0 is holding the value I want to move into the allocated memory, so I tried "movss [INJECT2],xmm0", but that doesn't work: it says that the addresses are too far. So is there a way to fix this? I would love some help if anyone would. OH, and what would I use as the offset? Just "123C"? Thank you.
Game Hacking Dojo
Advanced Cheater
Reputation: 0

Joined: 17 Sep 2023
Posts: 57

PostPosted: Sat Apr 20, 2024 9:43 am

Those complex addresses are somehow better to deal with since they would probably give you the identifier to separate it from other addresses.

To know for sure what to get for your injection copy:

1. You should select the instruction, right click and select "what addresses this instruction access"
2. In the window you get, check the addresses to see whether R8 is consistent throughout all of them.
3. If R8 is consistent, then find the address you are interested in making an injection copy of and check what RAX was.
4. You could either write your code like:

Code:
push rax
push rdx
mov [nightvision2],R8
mov rax,THE_VALUE_YOU_FOUND_RAX_HOLDING   // the constant you saw in RAX; no brackets, or it becomes a memory read
mov rdx,4
mul rdx                                   // rax = rax*4 (mul rax would square rax instead)
add [nightvision2],rax
add qword ptr [nightvision2],123C         // qword ptr: the slot holds a 64-bit address
pop rdx
pop rax


5. Or you can do this:

Code:
mov [nightvision2],R8


and when you add the [nightvision2] to the cheat table you add the other values manually like so (assuming RAX was holding 10):
[nightvision2]+40+123C
xenowyaa
Newbie cheater
Reputation: 0

Joined: 13 Feb 2024
Posts: 16

PostPosted: Sat Apr 20, 2024 10:30 am

Game Hacking Dojo wrote:
Those complex addresses are somehow better to deal with since they would probably give you the identifier to separate it from other addresses.

To know for sure what to get for your injection copy:

1. You should select the instruction, right click and select "what addresses this instruction access"
2. In the window you get, check the addresses to see whether R8 is consistent throughout all of them.
3. If R8 is consistent, then find the address you are interested in making an injection copy of and check what RAX was.
4. You could either write your code like:

Code:
push rax
push rdx
mov [nightvision2],R8
mov rax,THE_VALUE_YOU_FOUND_RAX_HOLDING   // the constant you saw in RAX; no brackets, or it becomes a memory read
mov rdx,4
mul rdx                                   // rax = rax*4 (mul rax would square rax instead)
add [nightvision2],rax
add qword ptr [nightvision2],123C         // qword ptr: the slot holds a 64-bit address
pop rdx
pop rax


5. Or you can do this:

Code:
mov [nightvision2],R8


and when you add the [nightvision2] to the cheat table you add the other values manually like so (assuming RAX was holding 10):
[nightvision2]+40+123C


I tried both ways, especially "mov [nightvision2],R8", and it gives me the error "This instruction can not be assembled because the distance between the current address and addressed address is too big. Try placing the address in a register first and use that". Any other ways or ideas???
Game Hacking Dojo
Advanced Cheater
Reputation: 0

Joined: 17 Sep 2023
Posts: 57

PostPosted: Sat Apr 20, 2024 10:43 am

Don't use globalalloc

Use this:
Code:
[enable]
alloc(nightvision2,8)
registersymbol(nightvision2)

//Your code

[disable]
dealloc(nightvision2)
unregistersymbol(nightvision2)


It's also possible to use * to dealloc or to unregister symbols like this:
Code:
dealloc(*)
unregistersymbol(*)


I also suggest you don't use globalalloc at all.
xenowyaa
Newbie cheater
Reputation: 0

Joined: 13 Feb 2024
Posts: 16

PostPosted: Sat Apr 20, 2024 11:02 am

Game Hacking Dojo wrote:
Don't use globalalloc

Use this:
Code:
[enable]
alloc(nightvision2,8)
registersymbol(nightvision2)

//Your code

[disable]
dealloc(nightvision2)
unregistersymbol(nightvision2)


It's also possible to use * to dealloc or to unregister symbols like this:
Code:
dealloc(*)
unregistersymbol(*)


I also suggest you don't use globalalloc at all.



Okay, so some progress: your tip did in fact let me enable the script, so no more error. Thank you so much for that, I really appreciate it. But I made the pointer by just adding the address manually, then clicking pointer, then typing in "nightvision2" and setting 123C as the offset, and it doesn't point to anything, it just has question marks. Would you know why? And sorry if this is getting annoying, but I'm really enjoying the help and feedback!!
Game Hacking Dojo
Advanced Cheater
Reputation: 0

Joined: 17 Sep 2023
Posts: 57

PostPosted: Sat Apr 20, 2024 11:22 am

When you add the address [TheAddress], don't check the pointer checkbox and add the values like this: [TheAddress]+bla+bla+bla (keep the brackets).

It's fine, I like helping. You could also watch some YouTube to learn more. The Cheat The Game channel has a few tutorials on injection copies. I also make YouTube videos to help, so I enjoy it.
ParkourPenguin
I post too much
Reputation: 140

Joined: 06 Jul 2014
Posts: 4317

PostPosted: Sat Apr 20, 2024 1:09 pm

xenowyaa wrote:
Code:
globalalloc(INJECT2,8)

newmem:

code:
movss xmm0,[r8+rax*4+0000123C]
jmp return

what exactly do i move into my allocated memory?

Code:
[ENABLE]
aobscan(whateverInjectionPoint,xx xx xx)

alloc(newmem,4096,whateverInjectionPoint)
globalalloc(specialAddress,8,whateverInjectionPoint)

label(return)

newmem:
  push rcx
  lea rcx,[r8+rax*4+0000123C]
  mov [specialAddress],rcx
  pop rcx

  // original code
  movss xmm0,[r8+rax*4+0000123C]
  jmp return

whateverInjectionPoint:
  jmp newmem
  nop ...
return:

[DISABLE]
...
Add a new memory record, check the "pointer" checkbox, base address is specialAddress, only offset is 0. This code accounts for the offset of rax*4+123C, so leave the offset as 0.

Also, as with all code injections, you should make sure that instruction is only accessing the address you want. Right click it in the disassembler and select "Find out what addresses this instruction accesses". If there's more than the one you want, see step 9 of the CE tutorial.

xenowyaa wrote:
i tried both ways especially "mov [nightvision2],R8" and it gives me the error "This instruction can not be assembled because the distance between the current address and addressed address is too big. Try placing the address in a register first and use that" any other ways or ideas???
Cheat Engine wrote:
Try placing the address in a register first and use that
Code:
mov [address],rcx  // bad

push rbx
mov rbx,address
mov [rbx],rcx  // good
pop rbx
You could also just use the third parameter to (global)alloc and it'll get allocated near the specified address. e.g. my code:
Code:
globalalloc(specialAddress,8,whateverInjectionPoint)

_________________
I don't know where I'm going, but I'll figure it out when I get there.
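Added example (my own C, not code from this thread or from Cheat Engine) modelling the two mechanisms the reply above relies on: the lea that turns [r8+rax*4+123C] into the final address, and the signed 32-bit RIP-relative displacement limit that produces the "distance ... is too big" error when a hint-less globalalloc lands far from the injection point, which is why the third parameter to alloc, or moving the address into a register first, makes the store assemble. All addresses below are constructed; r8 is back-computed so that r8+2C*4+123C equals the 1859A2085C0 sum Game Hacking Dojo uses as a pretend value later in the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* What `lea rcx,[r8+rax*4+0000123C]` leaves in rcx: address arithmetic
   only, nothing is dereferenced. */
uint64_t effective_address(uint64_t base, uint64_t index, unsigned scale,
                           int64_t disp)
{
    return base + index * (uint64_t)scale + (uint64_t)disp;
}

/* In 64-bit code `mov [symbol],reg` is assembled with a 32-bit
   RIP-relative displacement, so the symbol must lie within a signed
   32-bit distance of the address following the instruction. When it does
   not, CE reports that the distance between the current address and the
   addressed address is too big. `mov rbx,symbol` carries a full 64-bit
   immediate and has no such limit, which is the "place the address in a
   register first" route. */
bool rip_rel_reachable(uint64_t next_rip, uint64_t target)
{
    int64_t delta = (int64_t)(target - next_rip);   /* two's-complement wrap intended */
    return delta >= INT32_MIN && delta <= INT32_MAX;
}

/* Constructed addresses (hypothetical, not from the thread): the address
   right after the hooked instruction inside a 64-bit game module, a slot
   that a hint-less globalalloc placed far away, and a slot that
   alloc(slot,8,injectionPoint) placed next to the code. */
#define INJECTION_NEXT_RIP 0x7FF6A1234560ULL
#define FAR_SLOT           0x01D230000000ULL
#define NEAR_SLOT          0x7FF6A1200000ULL

int main(void)
{
    /* r8 chosen so that r8 + 2C*4 + 123C = 1859A2085C0 (the thread's pretend sum) */
    uint64_t ea = effective_address(0x1859A2072D4ULL, 0x2C, 4, 0x123C);
    printf("lea result         : %llX\n", (unsigned long long)ea);
    printf("far slot reachable : %s\n",
           rip_rel_reachable(INJECTION_NEXT_RIP, FAR_SLOT) ? "yes" : "no");
    printf("near slot reachable: %s\n",
           rip_rel_reachable(INJECTION_NEXT_RIP, NEAR_SLOT) ? "yes" : "no");
    return 0;
}
```

Run it with any C compiler: the far slot fails the reach check and the near one passes, which is exactly the difference between `globalalloc(specialAddress,8)` and `globalalloc(specialAddress,8,whateverInjectionPoint)` in the script above.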
xenowyaa
Newbie cheater
Reputation: 0

Joined: 13 Feb 2024
Posts: 16

PostPosted: Sat Apr 20, 2024 10:34 pm

ParkourPenguin wrote:
xenowyaa wrote:
Code:
globalalloc(INJECT2,8)

newmem:

code:
movss xmm0,[r8+rax*4+0000123C]
jmp return

what exactly do i move into my allocated memory?

Code:
[ENABLE]
aobscan(whateverInjectionPoint,xx xx xx)

alloc(newmem,4096,whateverInjectionPoint)
globalalloc(specialAddress,8,whateverInjectionPoint)

label(return)

newmem:
  push rcx
  lea rcx,[r8+rax*4+0000123C]
  mov [specialAddress],rcx
  pop rcx

  // original code
  movss xmm0,[r8+rax*4+0000123C]
  jmp return

whateverInjectionPoint:
  jmp newmem
  nop ...
return:

[DISABLE]
...
Add a new memory record, check the "pointer" checkbox, base address is specialAddress, only offset is 0. This code accounts for the offset of rax*4+123C, so leave the offset as 0.

Also, as with all code injections, you should make sure that instruction is only accessing the address you want. Right click it in the disassembler and select "Find out what addresses this instruction accesses". If there's more than the one you want, see step 9 of the CE tutorial.

xenowyaa wrote:
i tried both ways especially "mov [nightvision2],R8" and it gives me the error "This instruction can not be assembled because the distance between the current address and addressed address is too big. Try placing the address in a register first and use that" any other ways or ideas???
Cheat Engine wrote:
Try placing the address in a register first and use that
Code:
mov [address],rcx  // bad

push rbx
mov rbx,address
mov [rbx],rcx  // good
pop rbx
You could also just use the third parameter to (global)alloc and it'll get allocated near the specified address. e.g. my code:
Code:
globalalloc(specialAddress,8,whateverInjectionPoint)


I tried this, and this is when the script doesn't activate and says the addresses are too far and to put them in a new register or something like that. Any workaround? Thanks.
Game Hacking Dojo
Advanced Cheater
Reputation: 0

Joined: 17 Sep 2023
Posts: 57

PostPosted: Sun Apr 21, 2024 3:56 am

Post the result of an "AOB injection" template at the address you want, so we can see where the problem is.
xenowyaa
Newbie cheater
Reputation: 0

Joined: 13 Feb 2024
Posts: 16

PostPosted: Sun Apr 21, 2024 4:42 am

Game Hacking Dojo wrote:
When you add the address [TheAddress], don't check the pointer checkbox and add the values like this: [TheAddress]+bla+bla+bla (keep the brackets).

It's fine, I like helping. You could also watch some YouTube to learn more. The Cheat The Game channel has a few tutorials on injection copies. I also make YouTube videos to help, so I enjoy it.



Okay, more progress. It kind of worked: the script activates, which is good, but 2 problems:

1. There are multiple addresses accessing that same instruction, so I wrote some code that will compare out the ones that aren't the value I want and give me the value I want, but it only gives me one value that isn't the one I want, and there is no other instruction that only has the value I want.

2. I understood what you meant when you said not to check the pointer box and to just put it in the address box manually, so what I typed was "[nightvision2]+123C" and it read it just fine, but what about code like this "[rbx+rax*4]" with no offset? What do I put after the +? Looking forward to your response, thanks again!!!
Game Hacking Dojo
Advanced Cheater
Reputation: 0

Joined: 17 Sep 2023
Posts: 57

PostPosted: Sun Apr 21, 2024 5:40 am

Complex addresses consist of multiple registers, e.g. [rbx+rax*4+offset].
Those registers usually hold the following:

- The base address, holding the biggest value. rbx in this example.
- The identifier holding a small value that will point to another address in the table. rax in this example.

How did I know rbx (in this example) is holding the base address?
I know rbx is holding the biggest value because it is not being multiplied by anything; otherwise the memory address can't hold that massive number generated by multiplying a base address by 4 (it could be any even number).

Code:
  push rcx
  lea rcx,[r8+rax*4+0000123C]
  mov [specialAddress],rcx
  pop rcx


Let's pretend that the sum of r8+rax*4+123C = 1859A2085C0.
If we add this to the cheat table as an address (without checking the pointer box), then we will get another address as the value held by our address.

So in this case we need to check the pointer box to get the value held by the pointed-at address.

Similarly, we could surround the address by square brackets without checking the pointer box and we will get the same effect.

How do we separate or filter out those addresses we are not interested in?
Simply, as I said earlier, "rax*4" is obviously the identifier in this case because it would be holding a small number that is most likely to be unique to the address you're interested in.
So first you check what addresses are accessing the instruction, right-click the address you want and select "Show Registers" or "Ctrl+R". Then you check what rax was at that point. Also, check whether it's really unique to your address or not by checking the other addresses in the same fashion.

Let's assume rax was 2C and was unique to your address:

Code:

  cmp rax,2C
  jne OriginalCode

  push rcx
  lea rcx,[r8+rax*4+0000123C]
  mov [specialAddress],rcx
  pop rcx

  // original code
OriginalCode:
  movss xmm0,[r8+rax*4+0000123C]
  jmp return



This way you will get the sum of the values held by those registers 1859A2085C0 (As we pretended).

Now you add "specialAddress" (without quotes nor brackets) to the cheat table and check the pointer check box.

If you have a problem post the entire script.
xenowyaa
Newbie cheater
Reputation: 0

Joined: 13 Feb 2024
Posts: 16

PostPosted: Sun Apr 21, 2024 12:05 pm

Game Hacking Dojo wrote:
Complex addresses consist of multiple registers, e.g. [rbx+rax*4+offset].
Those registers usually hold the following:

- The base address, holding the biggest value. rbx in this example.
- The identifier holding a small value that will point to another address in the table. rax in this example.

How did I know rbx (in this example) is holding the base address?
I know rbx is holding the biggest value because it is not being multiplied by anything; otherwise the memory address can't hold that massive number generated by multiplying a base address by 4 (it could be any even number).

Code:
  push rcx
  lea rcx,[r8+rax*4+0000123C]
  mov [specialAddress],rcx
  pop rcx


Let's pretend that the sum of r8+rax*4+123C = 1859A2085C0.
If we add this to the cheat table as an address (without checking the pointer box), then we will get another address as the value held by our address.

So in this case we need to check the pointer box to get the value held by the pointed-at address.

Similarly, we could surround the address by square brackets without checking the pointer box and we will get the same effect.

How do we separate or filter out those addresses we are not interested in?
Simply, as I said earlier, "rax*4" is obviously the identifier in this case because it would be holding a small number that is most likely to be unique to the address you're interested in.
So first you check what addresses are accessing the instruction, right-click the address you want and select "Show Registers" or "Ctrl+R". Then you check what rax was at that point. Also, check whether it's really unique to your address or not by checking the other addresses in the same fashion.

Let's assume rax was 2C and was unique to your address:

Code:

  cmp rax,2C
  jne OriginalCode

  push rcx
  lea rcx,[r8+rax*4+0000123C]
  mov [specialAddress],rcx
  pop rcx

  // original code
OriginalCode:
  movss xmm0,[r8+rax*4+0000123C]
  jmp return



This way you will get the sum of the values held by those registers 1859A2085C0 (As we pretended).

Now you add "specialAddress" (without quotes nor brackets) to the cheat table and check the pointer check box.

If you have a problem post the entire script.


BROO!!!!! IT WORKED, THANK YOU! But one more thing, I hope it's not too much work: those other addresses in that same instruction that I filtered out, I kind of need those to continue my cheat table, so I tried making a new AOB injection on the same address but for a different value this time, but I noticed I can only have one activated at a time, so I tried a script like this

Code:
[ENABLE]

aobscanmodule(goop,SummerCamp.exe,F3 41 0F 10 84 80 3C 12 00 00) // should be unique
alloc(newmem,$1000,goop)
alloc(goop2,8)
alloc(test1)
label(code)
label(return)
label(test1)
registersymbol(goop2)
registersymbol(test1)

newmem:
  cmp rax,3
  jne code
  push rcx
  lea rcx,[r8+rax*4+0000123C]
  mov [goop2],rcx
  pop rcx

code:
  movss xmm0,[r8+rax*4+0000123C]
  jmp return

test1:
  cmp rax,9
  jne code
  push rcx
  lea rcx,[r8+rax*4+0000123C]
  mov [test1],rcx
  pop rcx

goop:
  jmp newmem
  nop 5
return:
registersymbol(goop)

[DISABLE]

goop:
  db F3 41 0F 10 84 80 3C 12 00 00

unregistersymbol(goop)
unregistersymbol(goop2)
unregistersymbol(test1)
dealloc(newmem)
dealloc(goop2)
dealloc(test1)


As you see, this is the same script, but I allocated a new specialaddress "test1". So my vision was I could use one script that will load the other values I wanted that accessed that same instruction, so I allocated memory and registered a new symbol and added a label, and when I declared it I wrote the same push/pop code, thinking it would just move the new value into that specialaddress, but it didn't work. Any reason why?
Game Hacking Dojo
Advanced Cheater
Reputation: 0

Joined: 17 Sep 2023
Posts: 57

PostPosted: Sun Apr 21, 2024 1:03 pm

Scripts work by replacing potentially executable code with a jump to code made by the user. If we want to make a script in the same location, it either has to be merged with the first one, or we need to find enough space for the new jump we want to place, either before or after the first jump we made; it can't be in the same location. If we try to put them on top of each other, only one will take the place.

This script is meant to look neater.

Code:
[ENABLE]

aobscanmodule(goop,SummerCamp.exe,F3 41 0F 10 84 80 3C 12 00 00) // should be unique
alloc(newmem,$1000,goop)
alloc(goop2,8,goop)         //Find a better naming convention to make your life easier
registersymbol(goop2)
alloc(goop3,8,goop)
registersymbol(goop3)
alloc(goop4,8,goop)
registersymbol(goop4)
//label(code)
//label(return)
//label(test1)

newmem:       //Second to be executed
  cmp rax,3
  je item1

  cmp rax,4
  je item2

  cmp rax,5
  je item3

  //Continue here in the same fashion if there's more you want to add

  jmp code  //Don't forget to add this or else anything that isn't filtered top will go to first label

item1:
  push rcx
  lea rcx,[r8+rax*4+0000123C]
  mov [goop2],rcx
  pop rcx
  jmp code

item2:
  push rcx
  lea rcx,[r8+rax*4+0000123C]
  mov [goop3],rcx
  pop rcx
  jmp code

item3:
  push rcx
  lea rcx,[r8+rax*4+0000123C]
  mov [goop4],rcx
  pop rcx
  jmp code

  //Continue here in the same fashion if there's more you want to add

code:       //Third to be executed
  movss xmm0,[r8+rax*4+0000123C]
  jmp return

  //You can't write anything here; it will most likely crash the process

goop:       //First to be executed
  jmp newmem
  nop 5

return:       //Fourth to be executed
registersymbol(goop)

[DISABLE]

goop:       //Last to be executed, when the script gets disabled
  db F3 41 0F 10 84 80 3C 12 00 00

dealloc(*)        //By using * we dealloc everything allocated in this script
unregistersymbol(*)        //By using * we unregister every symbol registered in this script

//unregistersymbol(goop)
//unregistersymbol(goop2)
//unregistersymbol(test1)
//dealloc(newmem)
//dealloc(goop2)
//dealloc(test1)
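Added example (my own C, not code from this thread or from Cheat Engine) that serves both Game Hacking Dojo's earlier explanation of filtering on the identifier register (`cmp rax,2C` / `jne OriginalCode`) and the multi-slot script above: it replays a constructed "Find out what addresses this instruction accesses" list through the same decision the newmem block makes, writes the lea result into the slot whose identifier matched (the goop2/goop3/goop4 stand-ins), and falls through untouched otherwise, the job of the trailing `jmp code`. It also implements the uniqueness check the explanation asks for before an rax value is used as a filter. The rows, identifiers and the base 1859A2072D4 are constructed, not captures from any game.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One row of CE's "Find out what addresses this instruction accesses"
   list: the registers at the moment the hooked instruction ran. */
typedef struct { uint64_t r8; uint64_t rax; } access_row;

/* One `cmp rax,N / je itemK` pair from the script together with the
   8-byte slot (goop2, goop3, goop4) that itemK writes. */
typedef struct { uint64_t identifier; uint64_t *slot; } route;

/* lea rcx,[r8+rax*4+0000123C] */
uint64_t lea_r8_rax4(uint64_t r8, uint64_t rax)
{
    return r8 + rax * 4 + 0x123C;
}

/* The check from the explanation: an rax value is only usable as a
   filter if exactly one row of the access list carries it. */
bool identifier_is_unique(const access_row *rows, size_t n, uint64_t rax)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (rows[i].rax == rax) hits++;
    return hits == 1;
}

/* What the newmem block does for one execution of the hooked
   instruction: compare rax with each identifier in turn, store the
   computed address into the matching slot, otherwise fall through to the
   original code without writing anything. Returns the index of the route
   taken, or -1 for the fall-through. */
int dispatch(const access_row *row, const route *routes, size_t nroutes)
{
    for (size_t k = 0; k < nroutes; k++) {
        if (row->rax == routes[k].identifier) {
            *routes[k].slot = lea_r8_rax4(row->r8, row->rax);
            return (int)k;
        }
    }
    return -1;
}

/* Constructed access list (not a real capture). Three identifiers we
   want (3, 4, 5) plus two rows with rax=7, so 7 fails the uniqueness
   check. All rows share one base, as they do when r8 is the table base
   and rax an index into it. */
const access_row sample_rows[] = {
    { 0x1859A2072D4ULL, 3 },
    { 0x1859A2072D4ULL, 7 },
    { 0x1859A2072D4ULL, 4 },
    { 0x1859A2072D4ULL, 5 },
    { 0x1859A2072D4ULL, 7 },
};
const size_t sample_row_count = sizeof sample_rows / sizeof sample_rows[0];

/* Stand-ins for the goop2/goop3/goop4 allocations. A slot that is never
   written stays 0, and a pointer record whose base resolves to 0 is what
   shows up as "??" in the table. */
uint64_t slots[3];

/* Replays the sample list through the dispatcher. Returns how many rows
   fell through to the original code. */
int run_demo(void)
{
    const route routes[] = { { 3, &slots[0] }, { 4, &slots[1] }, { 5, &slots[2] } };
    int fell_through = 0;
    for (size_t i = 0; i < sample_row_count; i++)
        if (dispatch(&sample_rows[i], routes, 3) < 0) fell_through++;
    return fell_through;
}

uint64_t demo_slot(size_t k)
{
    return k < 3 ? slots[k] : 0;
}

int main(void)
{
    int missed = run_demo();
    for (size_t k = 0; k < 3; k++)
        printf("slot %zu = %llX\n", k, (unsigned long long)demo_slot(k));
    printf("%d row(s) fell through to the original code\n", missed);
    return 0;
}
```

The dispatcher checks identifiers in order and stops at the first match, which is why the script needs a distinct `cmp`/`je` per slot and the unconditional `jmp code` after them; without that last jump the unfiltered rows would run the first item block and overwrite its slot with an address you did not ask for.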
xenowyaa
Newbie cheater
Reputation: 0

Joined: 13 Feb 2024
Posts: 16

PostPosted: Sun Apr 21, 2024 10:12 pm

Game Hacking Dojo wrote:
Scripts work by replacing a potentially executable code with a jump to a code
made by the user. If we want to make a script in the same location it either has to be merged with the first one or we need to find enough space for the new jump we want to place, either before or after the first jump we made, can't be in the same location. If we try to put them on top of each other one only will take the place.

This script is meant to look neater.

Code:
[ENABLE]

aobscanmodule(goop,SummerCamp.exe,F3 41 0F 10 84 80 3C 12 00 00) // should be unique
alloc(newmem,$1000,goop)
alloc(goop2,8,goop)         //Find a better naming convention to make your life easier
registersymbol(goop2)
alloc(goop3,8,goop)
registersymbol(goop3)
alloc(goop4,8,goop)
registersymbol(goop4)
//label(code)
//label(return)
//label(test1)

newmem:       //Second to be executed
  cmp rax,3
  je item1

  cmp rax,4
  je item2

  cmp rax,5
  je item3

  //Continue here in the same fashion if there's more you want to add

  jmp code  //Don't forget to add this or else anything that isn't filtered top will go to first label

item1:
  push rcx
  lea rcx,[r8+rax*4+0000123C]
  mov [goop2],rcx
  pop rcx
  jmp code

item2:
  push rcx
  lea rcx,[r8+rax*4+0000123C]
  mov [goop3],rcx
  pop rcx
  jmp code

item3:
  push rcx
  lea rcx,[r8+rax*4+0000123C]
  mov [goop4],rcx
  pop rcx
  jmp code

  //Continue here in the same fashion if there's more you want to add

code:       //Third to be executed
  movss xmm0,[r8+rax*4+0000123C]
  jmp return

  //You can't write anything here; it will most likely crash the process

goop:       //First to be executed
  jmp newmem
  nop 5

return:       //Fourth to be executed
registersymbol(goop)

[DISABLE]

goop:       //Last to be executed, when the script gets disabled
  db F3 41 0F 10 84 80 3C 12 00 00

dealloc(*)        //By using * we dealloc everything allocated in this script
unregistersymbol(*)        //By using * we unregister every symbol registered in this script

//unregistersymbol(goop)
//unregistersymbol(goop2)
//unregistersymbol(test1)
//dealloc(newmem)
//dealloc(goop2)
//dealloc(test1)


I tried my best to go off your script and it crashes my game. I definitely feel like I got something wrong here, I just don't know what it is. Like, you had the labels "item1" "item2" "item3", so I just replaced them with goop1 goop2 goop3, and aren't I supposed to make labels for those? Take a look, here is the code



Code:
[ENABLE]

aobscanmodule(goop,SummerCamp.exe,F3 41 0F 10 84 80 3C 12 00 00) // should be unique
alloc(newmem,$1000,goop)
alloc(goop2,8)
registersymbol(goop2)
alloc(goop3,8)
registersymbol(goop3)
alloc(goop4,8)
registersymbol(goop4)
label(code)
label(return)

newmem:
  cmp rax,3
  je goop2

  cmp rax,6
  je goop3

  cmp rax,9
  je goop4

  jmp code

goop2:
  push rcx
  lea rcx,[r8+rax*4+0000123C]
  mov [goop2],rcx
  pop rcx
  jmp code

goop3:
  push rcx
  lea rcx,[r8+rax*4+0000123C]
  mov [goop3],rcx
  pop rcx
  jmp code

goop4:
  push rcx
  lea rcx,[r8+rax*4+0000123C]
  mov [goop4],rcx
  pop rcx
  jmp code

code:
  movss xmm0,[r8+rax*4+0000123C]
  jmp return

goop:
  jmp newmem
  nop 5
return:
registersymbol(goop)

[DISABLE]

goop:
  db F3 41 0F 10 84 80 3C 12 00 00

dealloc(*)
unregistersymbol(*)
unregistersymbol(goop)
unregistersymbol(goop2)
dealloc(newmem)
dealloc(goop2)


I probably got something wrong. BTW, I'm really appreciative of your taking the time out of your day to help; I'm really thankful and I'm learning a lot.

update***

I pasted your exact script with no changes and it doesn't crash the game, but it only gives me the value of goop2; the rest are just question marks.

update number 2*****

IM STUPID, I FIGURED IT OUTTTT HEEHEHHH THANKSSSSSS SO MUCHHHH

You're such a freaking genius, I would have never figured this out without you man, THANK YOUU
All times are GMT - 6 Hours