Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


Help with "Not all code is injectable" and pointer

 
jgrochoski
How do I cheat?
Reputation: 0

Joined: 04 Nov 2009
Posts: 9

Posted: Mon Mar 03, 2014 12:53 pm    Post subject: Help with "Not all code is injectable" and pointer

I'm getting a "Not all code is injectable" error trying to compile this script for Settlers7. The error is with this line (mov eax,[pPlayerStruct1+23c]) where I try to use the contents of offset 23c from the aobscan as a pointer to another structure elsewhere in the memory. Any advice on what I'm doing wrong?
I want pStoreHouse1 to point at the memory location referenced at pPlayerStruct1+23c.

Code:
     REGISTERSYMBOL(pPlayerStruct1)
     REGISTERSYMBOL(pStoreHouse1)
     AOBScan(pPlayerStruct1,2c cb f3 00 04 01 00 00 01 00 00 00 00 00 80 3f * * * * 18 00 00 00 16 00 00 00 * * * * 02 00 00 00)
     push eax
     mov eax,[pPlayerStruct1+23c]
     mov [pStoreHouse1],eax
     pop eax
     //lea pStoreHouse1,[pPlayerStruct1+23c]
mgr.inz.Player
I post too much
Reputation: 222

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Mon Mar 03, 2014 2:39 pm

Post the full script which you are using.
jgrochoski
How do I cheat?
Reputation: 0

Joined: 04 Nov 2009
Posts: 9

Posted: Mon Mar 03, 2014 2:44 pm    Post subject: Full script

Here is my full script (or most of it anyway, it just goes on with entries after this), and I have some of my attempts at fixing it via trial and error commented out:
Code:
<?xml version="1.0" encoding="utf-8"?>
<CheatTable CheatEngineTableVersion="16">
  <CheatEntries>
      <CheatEntry>
      <ID>999</ID>
      <Description>"Enable"</Description>
      <Color>80000008</Color>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>[ENABLE]
     REGISTERSYMBOL(pPlayerStruct1)
     REGISTERSYMBOL(pStoreHouse1)
     alloc(newmem, 2048)
     //alloc(pPlayerStruct1, 4)
     //alloc(pStoreHouse1, 4)
    
     //label(returnhere)
     //label(originalcode)
     //label(exit)
    
     //returnhere:
    
     newmem:
     pPlayerStruct1:
      dd 0
     pStoreHouse1:
       dd 0
     AOBScan(pPlayerStruct1,2c cb f3 00 04 01 00 00 01 00 00 00 00 00 80 3f * * * * 18 00 00 00 16 00 00 00 * * * * 02 00 00 00)
     push eax
     mov eax,[pPlayerStruct1+23c]
     mov [pStoreHouse1],eax
     pop eax
     //lea [pStoreHouse1],[pPlayerStruct1+23c]
    
[DISABLE]
      UNREGISTERSYMBOL(pPlayerStruct1)
     UNREGISTERSYMBOL(pStoreHouse1)
     dealloc(newmem)
     dealloc(pPlayerStruct1)
     dealloc(pStoreHouse1)
    
      </AssemblerScript>
    </CheatEntry>
    <CheatEntry>
      <ID>0</ID>
      <Description>"item 1"</Description>
      <Color>80000008</Color>
      <VariableType>4 Bytes</VariableType>
      <Address>pStoreHouse1+04</Address>
    </CheatEntry>


Thanks for any help.
mgr.inz.Player
I post too much
Reputation: 222

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Mon Mar 03, 2014 2:56 pm

Do you want to inject this code or execute it as a thread? My bet is: inject code.

Better use built-in templates. Click "Memory View",
in "Memory Viewer" highlight the hackpoint (the place you want to inject your code),
press Ctrl+A, then Ctrl+Alt+T, then Ctrl+I, then click OK.

Paste script (the one you received by the above method).
Then I will show how to modify AA script.

EDIT:
Never mind, you want it as a thread. Give me a few minutes.

jgrochoski
How do I cheat?
Reputation: 0

Joined: 04 Nov 2009
Posts: 9

Posted: Mon Mar 03, 2014 3:05 pm

I don't care which; I'm not trying to overwrite existing code, just use this method to generate a table of warehouse values that I can edit manually. I want to be able to add just a few items rather than set them all to 500 or have them never decrement.

I'll post the code you asked for in a moment. Thanks again.
Code:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:
call Settlers7R.exe+7AF83E

exit:
jmp returnhere

"Settlers7R.exe"+7AEE5B:
jmp newmem
returnhere:


 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"Settlers7R.exe"+7AEE5B:
call Settlers7R.exe+7AF83E
//Alt: db E8 DE 09 00 00


This is essentially "on load" of a new mission.
mgr.inz.Player
I post too much
Reputation: 222

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Mon Mar 03, 2014 3:23 pm

Code:
[ENABLE]
 alloc(newmem, 2048)

 label(pStoreHouse1)
 registersymbol(pStoreHouse1)

 label(PlayerStruct)
 aobscan(PlayerStruct_aob,2c cb f3 00 04 01 00 00 01 00 00 00 00 00 80 3f * * * * 18 00 00 00 16 00 00 00 * * * * 02 00 00 00)

 PlayerStruct_aob:  // this weird construction will do
 PlayerStruct:      // PlayerStruct:= PlayerStruct_aob

 newmem:
  push ebp
  mov ebp,esp

  mov eax,[PlayerStruct+23c]
  mov [pStoreHouse1],eax

  leave
  ret
 pStoreHouse1:
  dd 0

 createthread(newmem)

[DISABLE]
  unregistersymbol(pStoreHouse1)
  dealloc(newmem)



Attachment: for jgrochoski.ct (1.37 KB, downloaded 1469 times)


jgrochoski
How do I cheat?
Reputation: 0

Joined: 04 Nov 2009
Posts: 9

Posted: Mon Mar 03, 2014 4:06 pm

Thanks so much! When I insert this approach into my original code it works as well. I don't understand it though, so a few quick questions if you don't mind:
1. Why is PlayerStruct_aob not dereferenceable - is it not a pointer? Moving it into your new PlayerStruct makes it usable as a pointer?
2. You don't have to register your PlayerStruct as a symbol? I didn't realize labels could be references. I thought they were just a way to move around in your code...
3. Why push ebp then mov ebp,esp? And then you don't pop it at the end? I was pushing and popping eax because I was using it for another purpose but didn't want that to override its original usage - is that wrong?
mgr.inz.Player
I post too much
Reputation: 222

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Mon Mar 03, 2014 4:37 pm

alloc( label1 , size )
label( label2 )
aobscan( label3 , 11 22 33 44 ....)

label1, label2, label3 - those are labels. But, they are handled differently.

All of them can be used as an address.

alloc labels (label1) - will be defined automatically.

label2 - must be defined by you.

aobscan labels (label3) - those labels are special. From Cheat Engine Help:
(mainly, those are used to instruct CE at what place to inject the code)
Quote:
AOBSCAN(name, array of byte) : Will scan the memory for the given array of byte (Wildcards are supported) and replaces all tokens with the specified name with the address the array of byte was found. If it's not found, the auto assemble script will not execute



2. You must treat labels as (findWhat, replaceWith) pairs. More or less. Example:

alloc(newmem,2048) will allocate memory, e.g. at 03C60000. Then all "newmem" tokens will be replaced with "03C60000"

The labels you want to use outside the script (or in the DISABLE section) must be registered.


3.

http://www.jaist.ac.jp/iscenter-new/mpc/altix/altixdata/opt/intel/vtune/doc/users_guide/mergedProjects/analyzer_ec/mergedProjects/reference_olh/mergedProjects/instructions/instruct32_hh/vc151.htm

"leave" == "mov esp,ebp; pop ebp"

jgrochoski
How do I cheat?
Reputation: 0

Joined: 04 Nov 2009
Posts: 9

Posted: Tue Mar 04, 2014 5:22 pm

I'm now trying to rewrite the table as a LUA script and I'm getting weird results with readBytes. When I look in the memory viewer the memory block I'm looking at says 2C CB F3 00 but when I readBytes that I get back 112, 135, 105, 0 or 0x70, 0x87, 0x69, 0x00

Here is the entire LUA - it's a bit messy because I've been trying stuff out but I'm stuck:

Code:
function GetDesc(index)
  return lookupTable[index]
end

function DEC_HEX(IN)
   if IN<=0 then
      return '0'
   end
   local B,K,OUT,I,D=16,"0123456789ABCDEF","",0
   while IN>0 do
      I=I+1
      IN,D=math.floor(IN/B),math.mod(IN,B)+1
      OUT=string.sub(K,D,D)..OUT
   end
   return OUT
end

function HexDumpBytes(IN)
  for _,String in pairs(IN) do --> for each entry and entry in the table IN do..
    local Hex = DEC_HEX(String) --> convert each byte and byte that stored in the IN Table
    if Hex:len()==1 then
      Hex = '0' .. Hex --> Just incase, making the bytes 2 character length
    end
    IN[_] = '0x' .. Hex --> Making it writeable
  end
  return IN
end

function CreateRecord(index, address)
  local List=getAddressList()
  local NewRec=List.createMemoryRecord()
  local baseOffset = index*8
  local valueOffset = baseOffset+4
  local baseAddress = "00"
  baseAddress = address
  NewRec.setAddress(address)
  NewRec.setOffsetCount(1)
  NewRec.setOffset(0, valueOffset)
  local lookupAddress = '[' .. baseAddress .. ']+' .. baseOffset
  lookupVal=readInteger(lookupAddress)
  NewRec.setDescription(GetDesc(lookupVal))
  NewRec.Type=vtDWord
end

function BuildList()
  local PlayerStruct=AOBScan("2c cb f3 00 04 01 00 00 01 * * * 00 00 80 3f * * * * 18 00 00 00 16 00 00 00 * * * * 02 00 00 00", "*X-C+W")
  local PlayerAddress=PlayerStruct[0]
  local StoreHouseStartAddress='[' .. PlayerAddress .. ']'-->+23c' -->572
  local StoreHouseEndAddress='[' .. PlayerAddress .. ']+240' -->576
print(StoreHouseStartAddress)
print(StoreHouseEndAddress)
  pStoreHouse1Start=readBytes(StoreHouseStartAddress,4,true)
  pStoreHouse1End=readBytes(StoreHouseEndAddress,4,true)
print(pStoreHouse1Start[1]..' '..pStoreHouse1Start[2]..' '..pStoreHouse1Start[3]..' '..pStoreHouse1Start[4])
print(pStoreHouse1End[1]..' '..pStoreHouse1End[2]..' '..pStoreHouse1End[3]..' '..pStoreHouse1End[4])
  -->local iStoreHouse1Start=tonumber(pStoreHouse1Start,16)
  local iStoreHouse1Start=HexDumpBytes(pStoreHouse1Start)
  -->local iStoreHouse1End=tonumber(pStoreHouse1End,16)
  local iStoreHouse1End=HexDumpBytes(pStoreHouse1End)
print(iStoreHouse1Start[1]..' '..iStoreHouse1Start[2]..' '..iStoreHouse1Start[3]..' '..iStoreHouse1Start[4])
print(iStoreHouse1End[1]..' '..iStoreHouse1End[2]..' '..iStoreHouse1End[3]..' '..iStoreHouse1End[4])
  size=0-0
  itemCount=size/8
print(size)
print(itemCount)
-->  for tempCount=1,itemCount do
-->    CreateRecord(tempCount-1, pStoreHouse1Start)
-->  end
  object_destroy(PlayerStruct)
  return 1
end

lookupTable = {"a", "b", "c", "d", "animal", "beer", "book", "bread", "cloth", "coal", "coin", "fish", "flour", "garment", "gold", "grain", "horse", "iron", "ironore", "jewelry", "meat", "paper", "plank", "stone", "tools", "water", "weapon", "wheel", "wood", "wool"};

BuildList()
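
Added example (not part of the thread and not Cheat Engine code): a small Python model of bracketed address expressions, where `[x]` means "read the 4-byte pointer stored at x", run over a constructed little-endian memory image. It shows how `A`, `[A]`, `[A]+240` and `[A+23c]` resolve to different addresses. `BASE`, `STORE`, the stored sample bytes and the (item id, amount) layout are assumptions made for the illustration.

```python
import re
import struct

# Constructed 32-bit little-endian memory image (sparse: start address -> bytes).
# BASE and STORE are made-up addresses; the byte values are sample data.
BASE = 0x03A10000    # assumed address where the AOB signature matched
STORE = 0x04B20000   # assumed storehouse block that the +23c field points to
MEMORY = {
    BASE: bytes.fromhex("2ccbf300"),          # first four signature bytes
    BASE + 0x23C: struct.pack("<I", STORE),   # pointer field at offset 23c
    0x00F3CB2C: bytes.fromhex("70876900"),    # data at the address those bytes spell
    STORE: struct.pack("<II", 5, 120),        # assumed (item id, amount) pair
}

def read_bytes(addr, count):
    """Return count bytes at addr, or raise if the range is not mapped."""
    for start, blob in MEMORY.items():
        if start <= addr and addr + count <= start + len(blob):
            return blob[addr - start:addr - start + count]
    raise ValueError(f"unreadable address {addr:08X}")

def read_u32(addr):
    """Read a little-endian 32-bit value (a pointer in a 32-bit process)."""
    return struct.unpack("<I", read_bytes(addr, 4))[0]

def _sum(flat):
    """Evaluate a bracket-free expression of hex terms joined by + or -."""
    if not re.fullmatch(r"[+-]?[0-9A-Fa-f]+([+-][0-9A-Fa-f]+)*", flat):
        raise ValueError(f"bad expression {flat!r}")
    return sum(int(s + t, 16) for s, t in re.findall(r"([+-]?)([0-9A-Fa-f]+)", flat))

def resolve(expr):
    """Resolve an address expression; [x] is replaced by the pointer stored at x."""
    expr = expr.replace(" ", "")
    while "[" in expr or "]" in expr:
        m = re.search(r"\[([^\[\]]+)\]", expr)   # innermost bracket pair
        if m is None:
            raise ValueError("unbalanced brackets")
        expr = expr[:m.start()] + f"{read_u32(_sum(m.group(1))):X}" + expr[m.end():]
    return _sum(expr)

def compare(base=f"{BASE:X}"):
    """Resolve the expression forms that differ only in bracket placement."""
    forms = (base, f"[{base}]", f"[{base}]+240", f"[{base}+23c]", f"[{base}+23c]+4")
    return {form: resolve(form) for form in forms}

if __name__ == "__main__":
    for form, addr in compare().items():
        print(f"{form:<16} -> {addr:08X}")
```

In this model only the plain address still points at the signature bytes; any form that starts with `[A]` first follows the 4 bytes stored at `A` as a pointer.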