[Help] What to do when AoB is not unique
JohannesJoestar
Advanced Cheater
Reputation: 0

Joined: 01 Nov 2015
Posts: 79

Posted: Wed Apr 13, 2016 1:40 pm    Post subject: [Help] What to do when AoB is not unique

So there is this function which alters 8 different values with the same code.

When an attempt is made to auto-assemble the script doesn't work because AoB is not unique.

What to do ?

Thanks in advance.
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Wed Apr 13, 2016 2:00 pm

Aleynacombi wrote:
So there is this function which alters 8 different values with the same code.

http://forum.cheatengine.org/viewtopic.php?t=583376

Aleynacombi wrote:
When an attempt is made to auto-assemble the script doesn't work because AoB is not unique.

Put more bytes in your AoB signature. You can try bytes before the injection point as well; just make sure you add to the address of your hook to make sure the injection point is the same. If you absolutely can't add bytes to make it unique, there are other ways.

If changing all of them is an option, you can use Lua to do that.

Try to hook some other instruction (maybe a read from the address). This usually isn't as good as the main instruction that writes to it, but it'll usually work.

There's probably an instruction that accesses some other address in the same structure as the address in question which would make a good injection point.

If it absolutely must be a write to that address, you can try backtracing your injection point to the calling subroutine and see if something in there is unique. Look at the subroutine your injection point is in to determine how the address in question is derived.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
JohannesJoestar
Advanced Cheater
Reputation: 0

Joined: 01 Nov 2015
Posts: 79

Posted: Wed Apr 13, 2016 2:11 pm

ParkourPenguin wrote:
Aleynacombi wrote:
So there is this function which alters 8 different values with the same code.

http://forum.cheatengine.org/viewtopic.php?t=583376


Yeah, I know all that: using cmp to check which one it is and continuing on accordingly. But this case was different because the whole code/function is the same, which is a first for me. I made godmode and onehit in Rogue Legacy, for example. In RL, while many addresses were accessed by the same code, the AoB of that function/code was actually different based on the accessed address.

ParkourPenguin wrote:
Aleynacombi wrote:
When an attempt is made to auto-assemble the script doesn't work because AoB is not unique.

Put more bytes in your AoB signature. You can try bytes before the injection point as well; just make sure you add to the address of your hook to make sure the injection point is the same. If you absolutely can't add bytes to make it unique, there are other ways.

If changing all of them is an option, you can use Lua to do that.

Try to hook some other instruction (maybe a read from the address). This usually isn't as good as the main instruction that writes to it, but it'll usually work.

There's probably an instruction that accesses some other address in the same structure as the address in question which would make a good injection point.

If it absolutely must be a write to that address, you can try backtracing your injection point to the calling subroutine and see if something in there is unique. Look at the subroutine your injection point is in to determine how the address in question is derived.


I tried adding bytes but the whole thing is just not unique.

Searching for an instruction that accessed some of the addresses in the same structure didn't help as well, as it led me to just a few bytes before the one I'm looking for.

I have literally 0 knowledge of "lua" and don't know what you mean by "subroutine". Mind explaining a bit of that? Maybe a tutorial of what you're telling?

Thanks for the reply!
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Wed Apr 13, 2016 2:37 pm

You had originally stated in the first part of your first post that there was one function which accessed multiple values (I believe you mean addresses). That's why I posted that link there.


Are you certain there is absolutely nothing you can use as an alternate injection point in the same structure as the address in question? I'm not talking about searching for instructions that access that address; I mean searching for instructions that access other addresses in the same structure as the address you're concerned with.

Lua is a scripting language that CE has implemented to allow users to do more advanced things easier than we would normally be able to do them.
A subroutine is pretty much anything that expects to get called to run. You can think of it like a function.

Do you care about what happens to those other subroutines that have the same AoB signature? More specifically, do they access anything important? If not, then replacing all of them should be fine.

I really wouldn't recommend backtracing since it seems a bit too advanced for you, but there's a tutorial covering it here.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
JohannesJoestar
Advanced Cheater
Reputation: 0

Joined: 01 Nov 2015
Posts: 79

Posted: Wed Apr 13, 2016 2:51 pm

ParkourPenguin wrote:
You had originally stated in the first part of your first post that there was one function which accessed multiple values (I believe you mean addresses). That's why I posted that link there.


Are you certain there is absolutely nothing you can use as an alternate injection point in the same structure as the address in question? I'm not talking about searching for instructions that access that address; I mean searching for instructions that access other addresses in the same structure as the address you're concerned with.

Lua is a scripting language that CE has implemented to allow users to do more advanced things easier than we would normally be able to do them.
A subroutine is pretty much anything that expects to get called to run. You can think of it like a function.

Do you care about what happens to those other subroutines that have the same AoB signature? More specifically, do they access anything important? If not, then replacing all of them should be fine.

I really wouldn't recommend backtracing since it seems a bit too advanced for you, but there's a tutorial covering it here.


So there are 8 stats, or kind of like treats, which help you progress in the game. Their max level is 5, so instead of increasing one level, I want them to instantly increase to max level, which is 5.

The subroutine has this in it : "mov statlevel,calculatedstatlevel"
I want to change it so : "mov statlevel,5"
However as I stated before the whole thing is not unique and I can't inject from anywhere else because everywhere else where I can inject has nothing to do with this subroutine.

Should I post the code that handles the 8 different stats ? Maybe take a look at it or something because I definitely can't do anything at this point.

Also, I've seen that tutorial. I immediately quit when I saw "Chicken Invaders" in the title. I certainly don't want to fiddle with that game anymore.

Thanks for the reply!
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Wed Apr 13, 2016 3:16 pm

It doesn't matter if it has nothing to do with that subroutine since all you need is a reference to the address. Having anything in the same structure is good enough unless you need it to be run whenever it's written to (which seems to be the case).

Why do you think you can't replace all of them at once? It seems like the most logical thing to do in this situation.

Posting the original code would help.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
JohannesJoestar
Advanced Cheater
Reputation: 0

Joined: 01 Nov 2015
Posts: 79

Posted: Wed Apr 13, 2016 3:38 pm

ParkourPenguin wrote:
It doesn't matter if it has nothing to do with that subroutine since all you need is a reference to the address. Having anything in the same structure is good enough unless you need it to be run whenever it's written to (which seems to be the case).

Why do you think you can't replace all of them at once? It seems like the most logical thing to do in this situation.

Posting the original code would help.




Here are the stats as you can see. I want it so that every time one of them is purchased that stat goes to max level. Also apparently the max level is 6.

Code:
0456B16F - 0F86 53000000         - jbe 0456B1C8
0456B175 - 8D 4C B1 10           - lea ecx,[ecx+esi*4+10]
0456B179 - 8B 09                 - mov ecx,[ecx]
0456B17B - 49                    - dec ecx
0456B17C - 89 48 04              - mov [eax+04],ecx
0456B17F - 8B 43 08              - mov eax,[ebx+08]
0456B182 - 8D 4F 01              - lea ecx,[edi+01]
0456B185 - 39 70 0C              - cmp [eax+0C],esi
0456B188 - 0F86 36000000         - jbe 0456B1C4
0456B18E - 8D 44 B0 10           - lea eax,[eax+esi*4+10]
0456B192 - 89 08                 - mov [eax],ecx
0456B194 - 8B 43 14              - mov eax,[ebx+14]
0456B197 - 39 78 0C              - cmp [eax+0C],edi
0456B19A - 0F86 18000000         - jbe 0456B1B8
0456B1A0 - 8D 44 B8 10           - lea eax,[eax+edi*4+10]
0456B1A4 - 8B 4D 10              - mov ecx,[ebp+10]
0456B1A7 - 89 08                 - mov [eax],ecx //this is the line I get from searching what writes to it. I want it to make it mov [eax],6
0456B1A9 - 8B 43 30              - mov eax,[ebx+30]
0456B1AC - 40                    - inc eax
0456B1AD - 89 43 30              - mov [ebx+30],eax
0456B1B0 - 8D 65 F4              - lea esp,[ebp-0C]
0456B1B3 - 5E                    - pop esi
0456B1B4 - 5F                    - pop edi
0456B1B5 - 5B                    - pop ebx
0456B1B6 - C9                    - leave
0456B1B7 - C3                    - ret
0456B1B8 - 6A 2A                 - push 2A { 42 }
0456B1BA - 68 78060000           - push 00000678 { 1656 }
0456B1BF - E8 745DAFFF           - call 04060F38
0456B1C4 - 6A 3C                 - push 3C { 60 }
0456B1C6 - EB F2                 - jmp 0456B1BA
0456B1C8 - 6A 55                 - push 55 { 85 }
0456B1CA - EB EE                 - jmp 0456B1BA
0456B1CC - 6A 65                 - push 65 { 101 }
0456B1CE - EB EA                 - jmp 0456B1BA
0456B1D0 - 6A 7B                 - push 7B { 123 }
0456B1D2 - EB E6                 - jmp 0456B1BA
0456B1D4 - 68 8B000000           - push 0000008B { 139 }
0456B1D9 - EB DF                 - jmp 0456B1BA
0456B1DB - 68 B2000000           - push 000000B2 { 178 }
0456B1E0 - EB D8                 - jmp 0456B1BA
0456B1E2 - 68 C7000000           - push 000000C7 { 199 }
0456B1E7 - EB D1                 - jmp 0456B1BA
0456B1E9 - 68 D9000000           - push 000000D9 { 217 }
0456B1EE - EB CA                 - jmp 0456B1BA
0456B1F0 - 68 F2000000           - push 000000F2 { 242 }
0456B1F5 - EB C3                 - jmp 0456B1BA
0456B1F7 - 68 02010000           - push 00000102 { 258 }
0456B1FC - EB BC                 - jmp 0456B1BA
0456B1FE - 68 18010000           - push 00000118 { 280 }
0456B203 - EB B5                 - jmp 0456B1BA
0456B205 - 68 8B010000           - push 0000018B { 395 }
0456B20A - EB AE                 - jmp 0456B1BA
0456B20C - 68 BC010000           - push 000001BC { 444 }
0456B211 - EB A7                 - jmp 0456B1BA
0456B213 - 68 D6010000           - push 000001D6 { 470 }
0456B218 - EB A0                 - jmp 0456B1BA
0456B21A - 68 FC010000           - push 000001FC { 508 }
0456B21F - EB 99                 - jmp 0456B1BA
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Wed Apr 13, 2016 4:26 pm

You said there's 8, but there's 9 in your table. I'm assuming that last one is either a mistake or something else.

Try this and see if it works.
Code:
[ENABLE]
alloc(statLevelMax,1024)
registersymbol(statLevelMax)

statLevelMax:
  mov ecx,6
  mov [eax],ecx
  ret

{$lua}
if syntaxcheck then return end

statChangeAddys = AOBScan("8B 4D 10 89 08 8B 43 30 8D 65 F4")
if not statChangeAddys or statChangeAddys.Count ~= 8 then return 0 end

local delayT = createTimer()
delayT.Interval = 100
delayT.OnTimer = function(timer)
  for i = 0, statChangeAddys.Count - 1 do
    autoAssemble(string.format("%s:\ncall %X", statChangeAddys[i], getAddress("statLevelMax")))
  end
  timer.destroy()
end
{$asm}

[DISABLE]
dealloc(statLevelMax)
unregistersymbol(statLevelMax)

{$lua}
if syntaxcheck or not statChangeAddys then return end
for i = 0, statChangeAddys.Count - 1 do
  autoAssemble(string.format("%s:\ndb 8B 4D 10 89 08", statChangeAddys[i]))
end

statChangeAddys.destroy()
statChangeAddys = nil

_________________
I don't know where I'm going, but I'll figure it out when I get there.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Wed Apr 13, 2016 4:51 pm

It seems unlikely that you cannot find a unique signature manually. Furthermore, it seems unlikely that ParkourPenguin's suggestion to use a different injection point does not work.

Did you try an injection point that was 'accessing' your address instead of 'writing' to it?
JohannesJoestar
Advanced Cheater
Reputation: 0

Joined: 01 Nov 2015
Posts: 79

Posted: Thu Apr 14, 2016 10:04 am

++METHOS wrote:
It seems unlikely that you cannot find a unique signature manually. Furthermore, it seems unlikely that ParkourPenguin's suggestion to use a different injection point does not work.

Did you try an injection point that was 'accessing' your address instead of 'writing' to it?


I did try "what is accessing the address". There were 2 results, one of them being the exact same one I got from "what is writing to the address" and the other one is about the animation that plays when you purchase the trait. Both of them are non-unique.

ParkourPenguin wrote:
You said there's 8, but there's 9 in your table. I'm assuming that last one is either a mistake or something else.

Try this and see if it works.
Code:
[ENABLE]
alloc(statLevelMax,1024)
registersymbol(statLevelMax)

statLevelMax:
  mov ecx,6
  mov [eax],ecx
  ret

{$lua}
if syntaxcheck then return end

statChangeAddys = AOBScan("8B 4D 10 89 08 8B 43 30 8D 65 F4")
if not statChangeAddys or statChangeAddys.Count ~= 8 then return 0 end

local delayT = createTimer()
delayT.Interval = 100
delayT.OnTimer = function(timer)
  for i = 0, statChangeAddys.Count - 1 do
    autoAssemble(string.format("%s:\ncall %X", statChangeAddys[i], getAddress("statLevelMax")))
  end
  timer.destroy()
end
{$asm}

[DISABLE]
dealloc(statLevelMax)
unregistersymbol(statLevelMax)

{$lua}
if syntaxcheck or not statChangeAddys then return end
for i = 0, statChangeAddys.Count - 1 do
  autoAssemble(string.format("%s:\ndb 8B 4D 10 89 08", statChangeAddys[i]))
end

statChangeAddys.destroy()
statChangeAddys = nil


Yeah that ninth one was a mistake. Crashed my game later on.

Didn't work sadly , the script did not activate.

Thanks for the try!
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Thu Apr 14, 2016 10:12 am

If the script didn't activate, then something is wrong with the AoB signature. Either it's not finding anything or the number of results it's finding isn't 8. Replace that AoB pattern with one that satisfies those conditions.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
JohannesJoestar
Advanced Cheater
Reputation: 0

Joined: 01 Nov 2015
Posts: 79

Posted: Thu Apr 14, 2016 10:32 am

ParkourPenguin wrote:
If the script didn't activate, then something is wrong with the AoB signature. Either it's not finding anything or the number of results it's finding isn't 8. Replace that AoB pattern with one that satisfies those conditions.


Tried with lots of other AoB's. Still doesn't work.

I guess this will have to go in requests section.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Thu Apr 14, 2016 12:34 pm

Aleynacombi wrote:
Both of them are non-unique.
-Just to be clear, when you say that the AOB signatures are not unique, are you referring to what CE automatically generates for you...or are you highlighting a huge section of code manually, and testing the signature by scanning for it? And when you scan for it, are you getting 0 results or more than 1?

I still think that it is unlikely that there is no unique signature - be it viable or not. If you can send me a link to the game, I will look at it myself.
JohannesJoestar
Advanced Cheater
Reputation: 0

Joined: 01 Nov 2015
Posts: 79

Posted: Thu Apr 14, 2016 1:06 pm

++METHOS wrote:
Aleynacombi wrote:
Both of them are non-unique.
-Just to be clear, when you say that the AOB signatures are not unique, are you referring to what CE automatically generates for you...or are you highlighting a huge section of code manually, and testing the signature by scanning for it? And when you scan for it, are you getting 0 results or more than 1?

I still think that it is unlikely that there is no unique signature - be it viable or not. If you can send me a link to the game, I will look at it myself.


More than 1. For example the code that I want to edit "mov [eax],ecx" 89 08 gives about 5000 results.

It's HuniePop. I destroyed this game's money, dates, etc., but can't edit these "treats" you have in the game. I posted a screenshot earlier in this post.

Thank you for your time!


Last edited by JohannesJoestar on Thu Apr 14, 2016 1:27 pm; edited 1 time in total
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Thu Apr 14, 2016 1:20 pm

You should probably PM me those links...at least the second one. I have it now, so you can remove it from your post or you might get flagged.

Before I download this, can you please tell me if you manually copied a large section of code to use for your AOB scan? So, instead of searching for a two byte signature, you're searching for a 100+ byte signature.

Also, just to be sure...you did try to let CE auto-build your script for you, right? You used the AOB Injection template?

Thanks.

EDIT:
I think you did not let CE build your script for you. Here is your AOB signature:
Code:
8B 43 30 40 89 43 30 8D 65 F4 5E 5F 5B C9 C3 6A 2A
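Added example, not code from this thread or from Cheat Engine: a small Python AoB scanner run over a buffer constructed from the bytes of the disassembly JohannesJoestar posted. It performs the checks a practitioner would do before trusting a script: the two-byte `89 08` hits several times, the pattern in ParkourPenguin's script returns zero hits because it omits the `40 89 43 30` bytes between `8B 43 30` and `8D 65 F4` (consistent with the script never activating), ++METHOS's signature hits once, and the hook address is recovered by adding the offset between signature start and injection point, as ParkourPenguin's first reply advises. The filler bytes around the real code and the corrected signature are assumptions made here.

```python
import re
from typing import List, Optional

# Constructed sample memory. REAL_CODE is transcribed from the bytes of the
# disassembly posted in the thread (0456B1A4 .. 0456B1B9); the filler on either
# side is made up here and deliberately repeats "89 08" (mov [eax],ecx) to mimic
# the thousands of unrelated hits the OP saw for that two-byte pattern.
FILLER_BEFORE = bytes.fromhex("90 90 89 08 90 8B 4D 10 89 08 CC CC")
REAL_CODE = bytes.fromhex(
    "8B 4D 10 "        # 0456B1A4  mov ecx,[ebp+10]
    "89 08 "           # 0456B1A7  mov [eax],ecx      <- injection point
    "8B 43 30 "        # 0456B1A9  mov eax,[ebx+30]
    "40 "              # 0456B1AC  inc eax
    "89 43 30 "        # 0456B1AD  mov [ebx+30],eax
    "8D 65 F4 "        # 0456B1B0  lea esp,[ebp-0C]
    "5E 5F 5B C9 C3 "  # 0456B1B3  pop esi / pop edi / pop ebx / leave / ret
    "6A 2A"            # 0456B1B8  push 2A
)
FILLER_AFTER = bytes.fromhex("68 78 06 00 00 89 08 90")
MEMORY = FILLER_BEFORE + REAL_CODE + FILLER_AFTER
BASE_ADDRESS = 0x0456B1A4 - len(FILLER_BEFORE)  # address of MEMORY[0]
INJECTION_POINT = 0x0456B1A7

# Signatures quoted from the thread, plus a corrected one (assumed here).
TWO_BYTE_SIG = "89 08"
PENGUIN_SIG = "8B 4D 10 89 08 8B 43 30 8D 65 F4"  # skips 40 89 43 30 -> 0 hits
METHOS_SIG = "8B 43 30 40 89 43 30 8D 65 F4 5E 5F 5B C9 C3 6A 2A"
CORRECTED_SIG = "8B 4D 10 89 08 8B 43 30 40 89 43 30 8D 65 F4"


def compile_aob(pattern: str) -> "re.Pattern[bytes]":
    """Translate a CE-style AoB string into a bytes regex.
    Tokens '??', '?' or '*' are wildcards matching any one byte. The body is
    wrapped in a lookahead so overlapping matches are all reported."""
    body = b"".join(
        b"." if tok in ("??", "?", "*") else b"\\x%02x" % int(tok, 16)
        for tok in pattern.split()
    )
    return re.compile(b"(?=" + body + b")", re.DOTALL)


def aob_scan(memory: bytes, base: int, pattern: str) -> List[int]:
    """Return the address of every match of `pattern` inside `memory`."""
    return [base + m.start() for m in compile_aob(pattern).finditer(memory)]


def hook_address(memory: bytes, base: int, pattern: str, offset: int) -> Optional[int]:
    """Address to patch, or None when the signature is not unique (0 or 2+ hits).
    `offset` is injection point minus signature start: negative when the
    signature was taken from bytes after the injection point, positive when
    extra bytes before it were added. This is the adjustment the thread advises."""
    hits = aob_scan(memory, base, pattern)
    return hits[0] + offset if len(hits) == 1 else None


if __name__ == "__main__":
    for name, sig in [("2-byte", TWO_BYTE_SIG), ("posted", PENGUIN_SIG),
                      ("METHOS", METHOS_SIG), ("corrected", CORRECTED_SIG)]:
        print(f"{name:9s} -> {[hex(a) for a in aob_scan(MEMORY, BASE_ADDRESS, sig)]}")
    # METHOS's signature starts 2 bytes past mov [eax],ecx, so the offset is -2.
    print("hook at", hex(hook_address(MEMORY, BASE_ADDRESS, METHOS_SIG, -2)))
```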
Page 1 of 2