Cheat Engine Forum - The Official Site of Cheat Engine
aob scan problem ! help
Cheat Engine Forum Index -> General Gamehacking
mohammedfenix1 (Cheater, Reputation: 0, Joined: 08 Feb 2015, Posts: 48)
Posted: Sun Feb 08, 2015 11:46 am    Post subject: aob scan problem ! help

I made auto assemble scripts using AOB for Assassin's Creed 4.
The script should stop all the decreases in the ammo,
and I made the script with these steps:
1- finding the value
2- find out what writes to this address
3- select an item
4- show disassembler
5- Tools - Auto Assemble
6- this is my script:
Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(exit)
label(sprint)
registersymbol(sprint)
aobscan(aob1, 89 41 0C B0 01)

newmem:
db 90 90 90 B0 01

exit:
jmp returnhere

aob1:
sprint:
jmp newmem
nop
returnhere:

[DISABLE]
dealloc(newmem)
sprint:
db 89 41 0C B0 01

After that, when I try to enable the script, it crashes the game!

Another thing: I want to make the script increase the ammo to 999999 or something like this,
and I do not know how to write a script in the Lua language.
Sorry about the bad English.



[Attachment: 1.PNG - "maybe u will need this pic"]

TwoSpooky (Cheater, Reputation: 1, Joined: 03 Feb 2015, Posts: 36)
Posted: Sun Feb 08, 2015 12:22 pm

That's some odd looking stuff you have there.
If you're new to writing AA scripts I would recommend you watch this youtube video.


Code:
/watch?v=Ov37X9Ldn44
SteveAndrew (Master Cheater, Reputation: 30, Joined: 02 Sep 2012, Posts: 323)
Posted: Sun Feb 08, 2015 7:43 pm

The problem is here:
Code:
nop
returnhere:

I doubt CE generated that; it would never put an extra nop where it's not needed.

You're nopping the pop ebp instruction, causing it to crash on ret 4, since you have unbalanced the stack...

"mov [ecx+0c],eax" and "mov al,1" together are 5 bytes... your "jmp newmem" is also five bytes... It overwrites those two instructions perfectly. Adding that extra nop is definitely what's screwing you up!

Besides, if you just need to nop "mov [ecx+0c],eax" you don't have to hook it, you can just nop it in place...

mohammedfenix1 (Cheater, Reputation: 0, Joined: 08 Feb 2015, Posts: 48)
Posted: Mon Feb 09, 2015 7:01 am

TwoSpooky wrote:
That's some odd looking stuff you have there.
If you're new to writing AA scripts I would recommend you watch this youtube video.

Code:
/watch?v=Ov37X9Ldn44


Hi TwoSpooky, and thanks for the vid.
I saw it a month ago, and I have seen all the videos on YouTube,
maybe all the videos about CE.

SteveAndrew wrote:
The problem is here:
Code:
nop
returnhere:

I doubt CE generated that; it would never put an extra nop where it's not needed.

You're nopping the pop ebp instruction, causing it to crash on ret 4, since you have unbalanced the stack...

"mov [ecx+0c],eax" and "mov al,1" together are 5 bytes... your "jmp newmem" is also five bytes... It overwrites those two instructions perfectly. Adding that extra nop is definitely what's screwing you up!

Besides, if you just need to nop "mov [ecx+0c],eax" you don't have to hook it, you can just nop it in place...


Hi SteveAndrew, and thank you so much, it was helpful. I just deleted the nop and the game did not crash.
You mean replace it with code that does nothing and not use auto assemble?
If you mean that, I did it this way so that I can make trainers.
I hope I have understood you.
Can you tell me how I can make the value = 999999 or something like this number? I do not want to nop "mov [ecx+0c],eax". I can do that, but without AOB scan.
Pingo (Grandmaster Cheater, Reputation: 8, Joined: 12 Jul 2007, Posts: 571)
Posted: Mon Feb 09, 2015 8:21 am

Maybe something like this will work
Code:
[Enable]
alloc(Cave,128)
registersymbol(Aob)
aobscan(Aob,89410CB001)

Cave:
mov [ecx+0C],F423F
mov al,01
jmp Aob+5

Aob:
jmp Cave

[Disable]
Aob:
mov [ecx+0C],eax
mov al,01
dealloc(Cave)
unregistersymbol(Aob)

mohammedfenix1 (Cheater, Reputation: 0, Joined: 08 Feb 2015, Posts: 48)
Posted: Mon Feb 09, 2015 10:35 am

Pingo wrote:
Maybe something like this will work
Code:
[Enable]
alloc(Cave,128)
registersymbol(Aob)
aobscan(Aob,89410CB001)

Cave:
mov [ecx+0C],F423F
mov al,01
jmp Aob+5

Aob:
jmp Cave

[Disable]
Aob:
mov [ecx+0C],eax
mov al,01
dealloc(Cave)
unregistersymbol(Aob)


Wow! It works, thanks Pingo. But if I update the game, will it still work?
When I made this script:
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
inc [ecx+0C]
originalcode:
//mov [ecx+0C],eax
mov al,01

exit:
jmp returnhere

"AC4BFSP.exe"+157367F:
jmp newmem
returnhere:


[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"AC4BFSP.exe"+157367F:
mov [ecx+0C],eax
mov al,01
//Alt: db 89 41 0C B0 01

and then formatted my laptop, this address changed: "AC4BFSP.exe"+157367F
I want to ask you if there are other things that will change like this:
Code:
mov [ecx+0C],eax
mov al,01

Maybe it is a stupid question, but I want to know.
And another thing: can you explain how you wrote the script?
And thanks again.
Pingo (Grandmaster Cheater, Reputation: 8, Joined: 12 Jul 2007, Posts: 571)
Posted: Mon Feb 09, 2015 4:51 pm

The instruction mov [ecx+0C],eax might change but it looks generic to me.
Good chance it won't change.

The script is simple, just look at the image you posted.

Code:
Aobscan Address ->  AC4BFSP.exe+1566FDF  89 41 0C - mov [ecx+0C],eax
                    AC4BFSP.exe+1566FE2  B0 01    - mov al,01
Next Instruction -> AC4BFSP.exe+1566FE4  5D       - pop ebp


The jump requires 5 bytes.
Code:
AC4BFSP.exe+1566FDF  89 41 0C - mov [ecx+0C],eax
AC4BFSP.exe+1566FE2  B0 01    - mov al,01

These take up those 5 bytes so the next instruction is
Code:
AC4BFSP.exe+1566FE4  5D       - pop ebp


Code:
[Enable]
alloc(Cave,128) //Creates the code cave where we can write custom code.
registersymbol(Aob) //Registers Aob so we can use it in the [Disable] part.
aobscan(Aob,89410CB001) //Scans for this address: AC4BFSP.exe+1566FDF

Cave: //The cave address where the custom code is written in memory.
mov [ecx+0C],F423F //Writes the custom value. F423F is hex for 999999 dec, the value you wanted.
mov al,01 //AC4BFSP.exe+1566FE2  B0 01 - mov al,01; this instruction was written over when we jumped to the cave, which required 5 bytes, remember.
jmp Aob+5 //Aob is AC4BFSP.exe+1566FDF and we add 5 bytes because that's the distance to the next instruction in memory: AC4BFSP.exe+1566FE4  5D - pop ebp

Aob: //AC4BFSP.exe+1566FDF
jmp Cave //Jump to the custom code.

[Disable]
//Write the original instructions back first. Don't deallocate the memory first; this itself can cause a crash. Your other script deallocated first, do that last.
Aob: //AC4BFSP.exe+1566FDF
mov [ecx+0C],eax
mov al,01

dealloc(Cave) //Deallocates after the original instructions are back to normal.
unregistersymbol(Aob)
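
The two rules this thread turns on, that the AOB pattern has to pin down one site and that a 5-byte jmp has to cover whole instructions (SteveAndrew's extra-nop crash above, and the 8-byte pattern that comes up later in the thread), as an added Python example. It is not code from the thread or from Cheat Engine. The bytes and instruction lengths at the hook site are the ones in Pingo's listing (89 41 0C / B0 01 / 5D); the filler bytes around them are constructed.

```python
"""Added example (not from the thread or from Cheat Engine): a small AOB
scanner with wildcard support, plus a check of how many whole instructions
a jmp patch of a given size covers.  Hook-site bytes and lengths are from
Pingo's listing; the surrounding bytes are constructed filler."""
from typing import List, Optional, Tuple

# Constructed code region.  Offsets 6..14 reproduce the thread's listing:
#   89 41 0C   mov [ecx+0C],eax   (3 bytes)
#   B0 01      mov al,01          (2 bytes)
#   5D         pop ebp            (1 byte)
#   C2 04 00   ret 4              (3 bytes)
FILLER_BEFORE = bytes.fromhex("55 8B EC 8B 45 08")       # constructed prologue
HOOK_SITE = bytes.fromhex("89 41 0C B0 01 5D C2 04 00")  # from the thread
FILLER_AFTER = bytes.fromhex("CC CC CC")                 # constructed padding
CODE = FILLER_BEFORE + HOOK_SITE + FILLER_AFTER

# Instruction lengths starting at the hook address, from the listing above.
SITE_LENGTHS = [3, 2, 1, 3]


def parse_pattern(text: str) -> List[Optional[int]]:
    """Turn '89 41 0C B0 01', '89410CB001' or '89 41 ?? B0 01' into a list
    of byte values; '??' (or '**') becomes None and matches any byte."""
    compact = text.replace(" ", "").upper()
    if len(compact) % 2:
        raise ValueError("pattern has an odd number of hex digits")
    out: List[Optional[int]] = []
    for i in range(0, len(compact), 2):
        tok = compact[i:i + 2]
        out.append(None if tok in ("??", "**") else int(tok, 16))
    return out


def aobscan(buf: bytes, pattern: str) -> List[int]:
    """Return every offset in buf where the pattern matches.  CE's aobscan
    takes the first hit; a pattern that hits more than once is a script
    that may patch the wrong place after an update, so report them all."""
    pat = parse_pattern(pattern)
    hits = []
    for off in range(len(buf) - len(pat) + 1):
        if all(p is None or buf[off + k] == p for k, p in enumerate(pat)):
            hits.append(off)
    return hits


def hook_footprint(lengths: List[int], patch_size: int = 5) -> Tuple[int, int, int]:
    """Walk instruction lengths from the patch address until at least
    patch_size bytes are covered.  Returns (bytes covered, instructions
    overwritten, padding bytes left over).  Every overwritten instruction
    has to be re-executed in the cave, and when the padding is non-zero
    the jump back must target address+covered rather than address+5, or
    execution resumes in the middle of an instruction."""
    covered = count = 0
    for n in lengths:
        if covered >= patch_size:
            break
        covered += n
        count += 1
    if covered < patch_size:
        raise ValueError("listing too short to cover the patch")
    return covered, count, covered - patch_size


if __name__ == "__main__":
    print("hits for 89410CB001:", aobscan(CODE, "89410CB001"))
    print("5-byte jmp  :", hook_footprint(SITE_LENGTHS, 5))  # exact fit, 2 instructions
    print("jmp + nop   :", hook_footprint(SITE_LENGTHS, 6))  # also eats pop ebp
    print("8-byte movss:", hook_footprint([8, 3], 5))         # 3 bytes of padding
```

`hook_footprint(SITE_LENGTHS, 6)` is the first script in the thread: the jmp plus one nop is six bytes, so pop ebp is overwritten and never re-executed, which is the unbalanced stack SteveAndrew describes. The `[8, 3]` case is the later pattern F3 0F 11 86 D0 00 00 00, an 8-byte movss: a 5-byte jmp only partially covers it, and a script that jumps back to Aob+5 lands three bytes into that instruction.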

mohammedfenix1 (Cheater, Reputation: 0, Joined: 08 Feb 2015, Posts: 48)
Posted: Mon Feb 09, 2015 7:07 pm

Pingo wrote:
[the explanation and commented script from the previous post]

Thanks man, there was a point I did not understand, so I asked you to explain how you made the script, and now I can understand it. Thank you.
I saved the script in Notepad so I can use it, but when I used it with another value it crashed the game. Maybe I chose the wrong bytes; anyway, I will try to find out what the problem is. I know it is a small problem.
Pingo (Grandmaster Cheater, Reputation: 8, Joined: 12 Jul 2007, Posts: 571)
Posted: Mon Feb 09, 2015 7:41 pm

What were you trying?
mohammedfenix1 (Cheater, Reputation: 0, Joined: 08 Feb 2015, Posts: 48)
Posted: Tue Feb 10, 2015 12:39 pm

Pingo wrote:
What were you trying?

I told you that I copied your script:
Code:
[Enable]
alloc(Cave,128)
registersymbol(Aob)
aobscan(Aob,89410CB001)

Cave:
mov [ecx+0C],F423F
mov al,01
jmp Aob+5

Aob:
jmp Cave

[Disable]
Aob:
mov [ecx+0C],eax
mov al,01
dealloc(Cave)
unregistersymbol(Aob)

and I tried to use it with these bytes: F3 0F 11 86 D0 00 00 00

When I enable the script it crashes the game.
I think that I chose the wrong bytes.



[Attachment: 3.PNG]

++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Tue Feb 10, 2015 12:52 pm

Pingo wrote:
The jump requires 5 bytes.
Code:
AC4BFSP.exe+1566FDF  89 41 0C - mov [ecx+0C],eax
AC4BFSP.exe+1566FE2  B0 01    - mov al,01

These take up those 5 bytes so the next instruction is
Code:
AC4BFSP.exe+1566FE4  5D       - pop ebp


Pingo wrote:
Code:
jmp Aob+5//Aob is the AC4BFSP.exe+1566FDF and we add 5 bytes cause thats the distance to the next instruction in memory


Tip:
Let CE build your script for you to eliminate errors:

In memory viewer, with the instruction highlighted, select 'tools' from the drop-down menu. Click on 'auto assemble'. In the auto assemble window, click on 'template' and select 'cheat table framework code'. Click on 'template' again, and select 'code injection'. Click on 'file' from the drop-down menu and select 'assign to current cheat table'.
Pingo (Grandmaster Cheater, Reputation: 8, Joined: 12 Jul 2007, Posts: 571)
Posted: Tue Feb 10, 2015 2:02 pm

++METHOS wrote:
Pingo wrote:
The jump requires 5 bytes.
Code:
AC4BFSP.exe+1566FDF  89 41 0C - mov [ecx+0C],eax
AC4BFSP.exe+1566FE2  B0 01    - mov al,01

These take up those 5 bytes so the next instruction is
Code:
AC4BFSP.exe+1566FE4  5D       - pop ebp


Pingo wrote:
Code:
jmp Aob+5//Aob is the AC4BFSP.exe+1566FDF and we add 5 bytes cause thats the distance to the next instruction in memory


Tip:
Let CE build your script for you to eliminate errors:

In memory viewer, with the instruction highlighted, select 'tools' from the drop-down menu. Click on 'auto assemble'. In the auto assemble window, click on 'template' and select 'cheat table framework code'. Click on 'template' again, and select 'code injection'. Click on 'file' from the drop-down menu and select 'assign to current cheat table'.

Why would I do that? I'm well aware CE can do that, but what would I learn having CE do everything for me?
I'd rather learn to do it manually and know how to fix errors.
There is nothing wrong with that script I wrote.

@mohammedfenix1
You can't just change the bytes that way. You're writing over other instructions.
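
Every script in this thread replaces the first five bytes at AC4BFSP.exe+1566FDF with a jmp into alloc()'d memory and, on disable, writes the original bytes back. The added Python example below is not from the thread or from Cheat Engine; it is the check a defender or an anti-tamper routine would run over such a site: compare a memory snapshot with the known-good bytes, decode an E9 jmp if one is present, report whether its target lies outside the module, and confirm the pop ebp that follows the five bytes survived (the first script's extra nop is the case where it does not). The site offset and original bytes are Pingo's; the image base, module size and cave address are constructed assumptions.

```python
"""Added example (not from the thread or from Cheat Engine): an integrity
check for a known code site.  Offset and original bytes are from Pingo's
listing; MODULE_BASE, MODULE_SIZE and CAVE_VA are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

MODULE_BASE = 0x00400000                    # assumed image base (constructed)
MODULE_SIZE = 0x02000000                    # constructed so +1566FDF lies inside
SITE_VA = MODULE_BASE + 0x1566FDF           # AC4BFSP.exe+1566FDF from the thread
ORIGINAL = bytes.fromhex("89 41 0C B0 01")  # mov [ecx+0C],eax ; mov al,01
NEXT_INSN = bytes.fromhex("5D")             # pop ebp, directly after those 5 bytes


@dataclass
class SiteReport:
    patched: bool                      # bytes differ from the known-good copy
    jmp_target: Optional[int]          # decoded target if the patch is an E9 rel32 jmp
    target_in_module: Optional[bool]   # None when no jmp could be decoded
    next_insn_intact: bool             # pop ebp still in place after the patch


def encode_rel_jmp(src_va: int, dst_va: int) -> bytes:
    """E9 rel32 as an assembler emits it for `jmp dst` at src; used here
    only to build the sample snapshots below."""
    return b"\xE9" + struct.pack("<i", dst_va - (src_va + 5))


def inspect_site(snapshot: bytes, site_va: int = SITE_VA,
                 original: bytes = ORIGINAL, next_insn: bytes = NEXT_INSN,
                 module_base: int = MODULE_BASE,
                 module_size: int = MODULE_SIZE) -> SiteReport:
    """Compare a snapshot taken at site_va with the known-good bytes.  If
    they differ and start with E9, decode the relative jump and report
    whether it leaves the module image (memory from alloc() does)."""
    n = len(original)
    next_ok = snapshot[n:n + len(next_insn)] == next_insn
    head = snapshot[:n]
    if head == original:
        return SiteReport(False, None, None, next_ok)
    target = in_module = None
    if len(head) >= 5 and head[0] == 0xE9:
        rel = struct.unpack("<i", head[1:5])[0]
        target = (site_va + 5 + rel) & 0xFFFFFFFF   # 32-bit wraparound
        in_module = module_base <= target < module_base + module_size
    return SiteReport(True, target, in_module, next_ok)


# Constructed snapshots of the 9 bytes at the site.
TAIL = NEXT_INSN + bytes.fromhex("C2 04 00")              # pop ebp ; ret 4
CAVE_VA = 0x0A000000                                      # constructed alloc() address
CLEAN = ORIGINAL + TAIL
HOOKED = encode_rel_jmp(SITE_VA, CAVE_VA) + TAIL          # jmp Cave, pop ebp kept
HOOKED_PLUS_NOP = encode_rel_jmp(SITE_VA, CAVE_VA) + b"\x90" + TAIL[1:]  # extra nop ate pop ebp

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("hooked", HOOKED), ("hooked+nop", HOOKED_PLUS_NOP)):
        print(name, inspect_site(snap))
```

A site patched with plain nops (the "nop it in place" option from earlier in the thread) is reported as patched with no jmp target, so the `jmp_target` field distinguishes a detour from an in-place edit; the `next_insn_intact` flag is the one that would have caught the first script's six-byte footprint before the game crashed.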

++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Tue Feb 10, 2015 2:08 pm

Pingo-
My response was to mohammedfenix1.
Pingo (Grandmaster Cheater, Reputation: 8, Joined: 12 Jul 2007, Posts: 571)
Posted: Tue Feb 10, 2015 2:10 pm

++METHOS wrote:
Pingo-
My response was to mohammedfenix1.

You quoted me, so I thought that's who you were addressing. My bad.

++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Tue Feb 10, 2015 2:43 pm
It's my fault. I should have been specific. I was merely reiterating what you had already said to point out that each script is specific, especially with regard to byte size.