Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


[Help]Please help, about CustomTypeAutoAssembler

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine
View previous topic :: View next topic  
Author Message
jackzxy
How do I cheat?
Reputation: 0

Joined: 04 Jul 2010
Posts: 6

PostPosted: Sun Nov 27, 2016 2:25 pm    Post subject: [Help]Please help, about CustomTypeAutoAssembler Reply with quote

[img]1111.jpg[/img]

Please help me correct my code.

Thx!

my code:
Code:
registerCustomTypeAutoAssembler([[
alloc(ConvertRoutine,1024)
alloc(ConvertBackRoutine,1024)
alloc(TypeName,256)
alloc(ByteSize,4)
alloc(UsesFloat,1)
alloc(CallMethod,1)

TypeName:
db 'W',0

ByteSize:
dd 4

UsesFloat:
db 0

CallMethod:
db 1

ConvertRoutine:
[32-bit]
push ebp
mov ebp,esp
push ecx
mov ecx,[ebp+8]
[/32-bit]

mov eax,rcx
xor eax,[rcx]
xor eax,3D821A9E
ror eax,03

[64-bit]
ret
[/64-bit]
[32-bit]
pop ecx
pop ebp
ret 4
[/32-bit]

ConvertBackRoutine:
[32-bit]
push ebp
mov ebp,esp
push edx //save the registers
push ecx
mov edx,[ebp+0c]
mov ecx,[ebp+08]
[/32-bit]

push eax
push edx

mov edx,[edx]

mov eax,ecx
rol eax,03
xor eax,rdx
xor eax,3D821A9E

pop edx
mov [edx],eax
pop eax

[64-bit]
ret
[/64-bit]

[32-bit]
//cleanup first
pop ecx
pop edx
pop ebp
ret 8
[/32-bit]



1111.jpg
 Description:
 Filesize:  117.88 KB
 Viewed:  5145 Time(s)

1111.jpg


Back to top
View user's profile Send private message
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

PostPosted: Sun Nov 27, 2016 2:39 pm    Post subject: Reply with quote

Code:
lea eax,[rdi+08]
You need to know the value of RDI for this encryption as well.
Maybe this...
Code:
ConvertRoutine:
[64-bit]
mov eax,edx
xor eax,[rcx]
xor eax,3D821A9E
ror eax,03
ret
[/64-bit]
Code:
ConvertBackRoutine:
[64-bit]
rol ecx,03
xor ecx,edx
xor ecx,3D821A9E
mov [r8],ecx
ret
[/64-bit]
Back to top
View user's profile Send private message
panraven
Grandmaster Cheater
Reputation: 54

Joined: 01 Oct 2008
Posts: 941

PostPosted: Sun Nov 27, 2016 3:04 pm    Post subject: Reply with quote

<safe...>

When create a new AA custom type in ce 6.6, note the following comment

Code:

//The convert routine should hold a routine that converts the data to an integer (in eax)
//function declared as: cdecl int ConvertRoutine(unsigned char *input, PTR_UINT address);
//Note: Keep in mind that this routine can be called by multiple threads at the same time.
ConvertRoutine:
//jmp dllname.functionname
[64-bit]
//or manual:
//parameters: (64-bit)
//rcx=address of input
//rdx=address
mov eax,[rcx] //eax now contains the bytes 'input' pointed to

ret
[/64-bit]


The ConvertRoutine is create at CE Memory Space, any normal address reference is on CE memory not target process memory.
The RCX in the CE address is for 1st parameter(unsigned char *input) which is used to read content that copied from target process to ce memory, RDX is for the memory address at Target Process, but to use memory content pointed by RDX at target process, it may need calling ReadProcessMemory inside ConvertRoutine.

In the Lua version, the signature is
Code:

function customvaluetype21_bytestovalue(b1,b2,b3,b4,address)


The 'address' is the target process memory address. Since Lua can safely read target process memory, it may be easier to do it in Lua version, but expected to be extremely slow.

And, as Zanzer said, it need to know what [rdi+8] is, and if it is possible to access it.

bye~

_________________
- Retarded.


Last edited by panraven on Sun Nov 27, 2016 3:27 pm; edited 1 time in total
Back to top
View user's profile Send private message
jackzxy
How do I cheat?
Reputation: 0

Joined: 04 Jul 2010
Posts: 6

PostPosted: Sun Nov 27, 2016 3:27 pm    Post subject: Reply with quote

Zanzer wrote:
Code:
lea eax,[rdi+08]
You need to know the value of RDI for this encryption as well.
Maybe this...
Code:
ConvertRoutine:
[64-bit]
mov eax,edx
xor eax,[rcx]
xor eax,3D821A9E
ror eax,03
ret
[/64-bit]
Code:
ConvertBackRoutine:
[64-bit]
rol ecx,03
xor ecx,edx
xor ecx,3D821A9E
mov [r8],ecx
ret
[/64-bit]


At the start of the decryption code, RAX, RCX, RDI+08 are equal.



123123.jpg
 Description:
 Filesize:  294.13 KB
 Viewed:  5120 Time(s)

123123.jpg


Back to top
View user's profile Send private message
mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

PostPosted: Sun Nov 27, 2016 4:21 pm    Post subject: Reply with quote

Analyzing only this piece of code:

We know how encryption (ConvertBackRoutine) is made.


Code:
alloc(ConvertRoutine,1024)
alloc(ConvertBackRoutine,1024)
alloc(TypeName,256)
alloc(ByteSize,4)
alloc(UsesFloat,1)
alloc(CallMethod,1)

TypeName:
db 'W',0

ByteSize:
dd 4

UsesFloat:
db 0

CallMethod:
db 1

ConvertRoutine:
[64-bit]
mov eax,[rcx]
xor eax,edx
xor eax,3D821A9E
ror eax,03
ret
[/64-bit]

ConvertBackRoutine:
[64-bit]
rol ecx,03
xor ecx,3D821A9E
xor ecx,edx
mov [r8],ecx
ret
[/64-bit]


for 64bit CallMethod 1

Inside ConvertRoutine function:
rcx - address of buffer (this is a copy)
rdx - address (in target process)
eax - return value



Inside ConvertBackRoutine procedure:
ecx - user input
rdx - address (in target process)
r8 - address of buffer



Edit: Warframe is a multiplayer game. You probably access a copy anyway. I think current shield value is stored on server.

_________________
Back to top
View user's profile Send private message MSN Messenger
jackzxy
How do I cheat?
Reputation: 0

Joined: 04 Jul 2010
Posts: 6

PostPosted: Sun Nov 27, 2016 5:00 pm    Post subject: Reply with quote

mgr.inz.Player wrote:
Analyzing only this piece of code:
Edit: Warframe is a multiplayer game. You probably access a copy anyway. I think current shield value is stored on server.


Already made:
Unlimited HP
Unlimited Shield
Unlimited Power
Unlimited Ammo
One Hit Kill
Back to top
View user's profile Send private message
mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

PostPosted: Sun Nov 27, 2016 5:02 pm    Post subject: Reply with quote

"Unlimited HP" - did you test it properly?
_________________
Back to top
View user's profile Send private message MSN Messenger
jackzxy
How do I cheat?
Reputation: 0

Joined: 04 Jul 2010
Posts: 6

PostPosted: Sun Nov 27, 2016 5:18 pm    Post subject: Reply with quote

mgr.inz.Player wrote:
"Unlimited HP" - did you test it properly?

yes

Now I want to find TIME, so I need to decrypt the custom AA

and,Do I understand that right?



2.jpg
 Description:
 Filesize:  109.31 KB
 Viewed:  5020 Time(s)

2.jpg




Last edited by jackzxy on Sun Nov 27, 2016 6:29 pm; edited 3 times in total
Back to top
View user's profile Send private message
mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

PostPosted: Sun Nov 27, 2016 5:38 pm    Post subject: Reply with quote

jackzxy wrote:
and,Do I understand that right?


Again:

for 64bit CallMethod 1

Inside ConvertRoutine function:
rcx - address of buffer (this is a copy)
rdx - address (in target process)
eax - return value



Inside ConvertBackRoutine procedure:
ecx - user input
rdx - address (in target process)
r8 - address of buffer





When CE wants to get the value, it has to make a copy of structure at source address, let's say 0x12345678.
So, CE makes a copy from target process to CE Memory, with size defined with ByteSize.
Let's say this buffer is at address 0x00940530 (in CE process, not the target/game process)

ConvertRoutine is called, registers will be:
RCX will be 0x00940530
RDX will be 0x12345678, but, we can not read or write from 0x12345678, because ConvertRoutine works inside CE process, not inside the target/game process.
We set EAX. Function returns EAX value.
Then we see this value in value column.





When CE wants to set the value, again it makes a copy of structure at address let's say 0x12345678.
Let's say this buffer is at address 0x00220530 (again, in CE process, not the target/game process)

ConvertBackRoutine is called, registers will be:
ECX - user value
RDX will be 0x12345678, but, we can not read or write from 0x12345678, because ConvertRoutine works inside CE process, not inside the target/game process.
R8 will be 0x00220530
We do some modifications inside buffer.
This buffer is written back to 0x12345678

_________________
Back to top
View user's profile Send private message MSN Messenger
jackzxy
How do I cheat?
Reputation: 0

Joined: 04 Jul 2010
Posts: 6

PostPosted: Sun Nov 27, 2016 5:48 pm    Post subject: Reply with quote

mgr.inz.Player wrote:
jackzxy wrote:
and,Do I understand that right?


Again:

for 64bit CallMethod 1

Inside ConvertRoutine function:
rcx - address of buffer (this is a copy)
rdx - address (in target process)
eax - return value



Inside ConvertBackRoutine procedure:
ecx - user input
rdx - address (in target process)
r8 - address of buffer





When CE wants to get the value, it has to make a copy of structure at source address, let's say 0x12345678.
So, CE makes a copy from target process to CE Memory, with size defined with ByteSize.
Let's say this buffer is at address 0x00940530 (in CE process, not the target/game process)

ConvertRoutine is called, registers will be:
RCX will be 0x00940530
RDX will be 0x12345678, but, we can not read or write from 0x12345678, because ConvertRoutine works inside CE process, not inside the target/game process.
We set EAX. Function returns EAX value.
Then we see this value in value column.





When CE wants to set the value, again it makes a copy of structure at address let's say 0x12345678.
Let's say this buffer is at address 0x00220530 (again, in CE process, not the target/game process)

ConvertBackRoutine is called, registers will be:
ECX - user value
RDX will be 0x12345678, but, we can not read or write from 0x12345678, because ConvertRoutine works inside CE process, not inside the target/game process.
R8 will be 0x00220530
We do some modifications inside buffer.
This buffer is written back to 0x12345678


Thank you
I understand that you explained it.
Has not been found on the ConvertRoutine information or instructions.
Back to top
View user's profile Send private message
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

PostPosted: Sun Nov 27, 2016 5:52 pm    Post subject: Reply with quote

Did my code not work?
Back to top
View user's profile Send private message
jackzxy
How do I cheat?
Reputation: 0

Joined: 04 Jul 2010
Posts: 6

PostPosted: Sun Nov 27, 2016 6:10 pm    Post subject: Reply with quote

Zanzer wrote:
Did my code not work?

The result of the decryption is wrong.
But thank you very much for your help.

in game:
address=684AE058
[address]=55C8F3A6

in ConvertRoutine:
address of input:684AE058
rcx=ABA2AE0(Changing)
[rcx]=55C8F3A6

rdx like rcx

Do not know how to read the address of input
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites