Cheat Engine: The Official Site of Cheat Engine

ran_fan06 (Newbie cheater; Reputation: 0; Joined: 06 Oct 2007; Posts: 17)
Posted: Tue Apr 11, 2017 1:44 pm    Post subject: AOB Injection Script Not Working
Hi guys. I tried a new method of game cheating, AOB scanning and injecting, but my injection script doesn't work. I expected it to detect that I'm on the battle screen and that the opcode is reading my team's health, and when it does, change the HP to 9999.
 
Code:
```
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

aobscan(HP Allies,66 89 1C 01 81 E2 FC FF 1F 00) // should be unique
alloc(newmem,$1000)

label(code)
label(optional)
label(original)
label(return)

newmem:

code:
pushfd
pushad
cmp [ecx+eax+6c],f9e80000
je optional
cmp [ecx+eax+6c],f8580000
je optional
mov [ecx+eax],bx
jmp original

optional:
mov [ecx+eax],(int)9999

original:
and edx,001FFFFC
jmp return
popad
popfd

HP Allies:
jmp newmem
nop
nop
nop
nop
nop
return:
registersymbol(HP Allies)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
HP Allies:
db 66 89 1C 01 81 E2 FC FF 1F 00

unregistersymbol(HP Allies)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 078B0334

078B030B: 81 FA 00 00 80 1F     -  cmp edx,1F800000
078B0311: 74 63                 -  je 078B0376
078B0313: 8B 0D 44 73 4F 00     -  mov ecx,[ePSXe.exe+F7344]
078B0319: F7 C1 00 00 01 00     -  test ecx,10000
078B031F: 75 54                 -  jne 078B0375
078B0321: 8B C8                 -  mov ecx,eax
078B0323: 89 C2                 -  mov edx,eax
078B0325: C1 E9 10              -  shr ecx,10
078B0328: 25 FF FF 00 00        -  and eax,0000FFFF
078B032D: 8B 0C 8D E0 64 93 00  -  mov ecx,[ecx*4+ePSXe.exe+5364E0]
// ---------- INJECTING HERE ----------
078B0334: 66 89 1C 01           -  mov [ecx+eax],bx
078B0338: 81 E2 FC FF 1F 00     -  and edx,001FFFFC
// ---------- DONE INJECTING  ----------
078B033E: BB 20 00 AC 07        -  mov ebx,07AC0020
078B0343: 03 DA                 -  add ebx,edx
078B0345: 8B 03                 -  mov eax,[ebx]
078B0347: 3D 00 00 8B 07        -  cmp eax,078B0000
078B034C: 75 01                 -  jne 078B034F
078B034E: C3                    -  ret
078B034F: B8 00 00 8B 07        -  mov eax,078B0000
078B0354: 8B 0C 10              -  mov ecx,[eax+edx]
078B0357: B8 20 00 D5 07        -  mov eax,07D50020
078B035C: 8B 04 10              -  mov eax,[eax+edx]
}
```
 
The attached file is from the dissect data structure window, with group 1 from my team's HP and group 2 from the enemy. The values there are from while I'm out of the battle screen.

When in battle, offset 6c will show the value f9e80000 or f8580000 depending on the state of my team. The enemy's team will have different values.
 
 
 
 
	
		
	 
Attachment: 28.66 KB

panraven (Grandmaster Cheater; Reputation: 62; Joined: 01 Oct 2008; Posts: 958)
Posted: Tue Apr 11, 2017 4:04 pm
hi, about your current AA

1. You don't need pushad/popad/pushfd, as your code doesn't change the registers, and if you do use push/pop, the current popad/popfd position is not right: they are never executed, so the stack will be corrupted. They should be placed immediately after the label original;

2. The comparison cmp [ecx+eax+6c],f8580000 (and the other one like it) will not work as expected, since [ecx+eax+6c] means dword (4 bytes) memory content; from the dissector, the constant value should be f8580024;

3. Given the following conjecture (*), what your (int)9999 wants to write to is probably a 32-bit PS CPU MIPS instruction. The
mov [ecx+eax],(int)9999
will write e7 03 00 00 into the memory, which is an invalid MIPS instruction.
Maybe the write should be 2 bytes instead of 4 bytes:
mov word ptr[ecx+eax],(int)9999

However, if it is code, then writing 2 bytes may still not work as expected.
Because for it to work, the original MIPS code should also be a constant write, like:
lw  $v0, 10   //  big endian bytes: 8c 02 00 0a
and you want to replace the 10 with 1000:
lw  $v0, 1000 // big endian bytes: 8c 02 03 e7
If not, like:
sub  $v0,$v0,$v1 // be bytes : 00 43 10 22
then after writing 03 e7 over the 10 22, it will be
00 43 03 e7
which is still an invalid MIPS instruction.
(the bytes <-> assembly line conversion can be experimented with on the following site)

Even if the address is not an instruction, writing 2 bytes is safer than writing 4 bytes here.

(*)
Then your 3 addresses in the data dissector are probably PS CPU MIPS instructions, see the following disassembly (the PS uses little endian, but to match the display of the pic, this url uses big endian).
Treat the middle double nop as a separator: the 1st part is for the 1st address, the 2nd part is for the 3rd address.

MIPS Disassemble

-----

[DELETE] I guess the "out of battle screen" detection will work, but it may not be easy to change the data (where your 9999 wants to go) in the same AA script. [/DELETE]

On second thought, the detection may not work, as I guess that part of the code will only execute when your target address acts as DATA (of battle), but when "out of battle screen" the DATA may not be accessed (since not in battle) or may be used for another purpose.

Sorry if it adds confusion~
_________________
- Retarded.
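The point in the reply above (a PS1 word in RAM may be a MIPS instruction, and overwriting its low 16 bits only produces a sensible instruction when that field was an immediate to begin with) can be checked with a small strict decoder. The following is an added example written for this page, not code from the thread or from Cheat Engine; it decodes only the handful of MIPS I encodings needed for the bytes quoted above (`8c 02 00 0a` and `00 43 10 22`), models the 4-byte and 2-byte stores from the script with the original poster's value 9999, and shows the little-endian byte order the PS1 (and CE's memory view) actually stores.

```python
import struct

# MIPS o32 register names, indexed by register number
REG = ["zero", "at", "v0", "v1", "a0", "a1", "a2", "a3",
       "t0", "t1", "t2", "t3", "t4", "t5", "t6", "t7",
       "s0", "s1", "s2", "s3", "s4", "s5", "s6", "s7",
       "t8", "t9", "k0", "k1", "gp", "sp", "fp", "ra"]

# Deliberately small subset of MIPS I: enough for the bytes quoted in the thread
R_FUNCT = {0x20: "add", 0x21: "addu", 0x22: "sub", 0x23: "subu",
           0x24: "and", 0x25: "or", 0x26: "xor", 0x27: "nor"}
I_OPCODE = {0x23: "lw", 0x2b: "sw", 0x21: "lh", 0x29: "sh"}


def word_from_hex(text):
    """'8c 02 00 0a' (big-endian display, as on the disassembler site) -> 0x8c02000a."""
    return int.from_bytes(bytes.fromhex(text.replace(" ", "")), "big")


def stored_bytes(word):
    """Little-endian bytes as the PS1 (and CE's memory view) store this word."""
    return struct.pack("<I", word)


def decode(word):
    """Strict decoder: return assembly text, or None when the word is not one of the
    canonical encodings it knows (unknown funct/opcode, or a stray shift amount)."""
    opcode = word >> 26
    rs = (word >> 21) & 0x1F
    rt = (word >> 16) & 0x1F
    if opcode == 0:                         # R-type: the funct field picks the operation
        rd = (word >> 11) & 0x1F
        shamt = (word >> 6) & 0x1F
        name = R_FUNCT.get(word & 0x3F)
        if name is None or shamt != 0:      # ALU ops encode shamt as 0
            return None
        return f"{name} ${REG[rd]},${REG[rs]},${REG[rt]}"
    name = I_OPCODE.get(opcode)
    if name is None:
        return None
    imm = word & 0xFFFF
    if imm & 0x8000:                        # load/store offsets are sign-extended
        imm -= 0x10000
    return f"{name} ${REG[rt]},{imm}(${REG[rs]})"


def write_word(word, value):
    """Effect of 'mov [addr],(int)value' (4-byte store) on the word at addr."""
    return value & 0xFFFFFFFF


def write_halfword(word, value):
    """Effect of 'mov word ptr [addr],(int)value' on a little-endian stored word:
    only the low 16 bits (the immediate field of an I-type instruction) change."""
    return (word & 0xFFFF0000) | (value & 0xFFFF)


def demo():
    """Run the thread's two sample instructions through both kinds of store."""
    lw = word_from_hex("8c 02 00 0a")    # from the thread: lw $v0,10
    sub = word_from_hex("00 43 10 22")   # from the thread: sub $v0,$v0,$v1
    return {
        "lw": decode(lw),
        "sub": decode(sub),
        "lw_half_9999": decode(write_halfword(lw, 9999)),
        "sub_half_9999": decode(write_halfword(sub, 9999)),
        "lw_word_9999": decode(write_word(lw, 9999)),
    }


if __name__ == "__main__":
    for name, text in demo().items():
        print(f"{name:14} -> {text}")
    print("stored as:", stored_bytes(word_from_hex("8c 02 00 0a")).hex(" "))
```

The halfword store turns `lw $v0,10($zero)` into `lw $v0,9999($zero)`, but applied to the `sub` it yields a word whose funct field no longer names any ALU operation, and the 4-byte store of 9999 destroys the opcode entirely; that is the failure mode the reply describes. When pasting bytes from CE into a big-endian disassembler, reverse them first (`0a 00 02 8c` in CE is `8c 02 00 0a` on the site).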
ran_fan06 (Newbie cheater; Reputation: 0; Joined: 06 Oct 2007; Posts: 17)
Posted: Wed Apr 12, 2017 7:22 am
The first point is understood. I removed the push and pop.
For the second point, I created a new structure during the battle instead of outside battle, and got a different structure. I found out that offset +60 stores a constant int 2048 (during battle, for my team), which is 800 in hex. So I compared to that instead, of course changing the code to

Code:
```
cmp dword ptr[ecx+eax+60], 800
```

Is that right?

Now comes the third point, which is so out of my league. I think I got your main point that pushing a value into an address holding an instruction won't work, and I need to create an instruction instead (maybe?).
It is true that when I'm out of battle, the HP addresses I found change to random numbers. That's why I want to detect when I'm in battle first.

Either way, I feel so inexperienced after reading your reply. Please point me to a good reference if you think that I need more basics before handling this kind of case.
panraven (Grandmaster Cheater; Reputation: 62; Joined: 01 Oct 2008; Posts: 958)
Posted: Wed Apr 12, 2017 1:01 pm
The real PS has a MIPS CPU (analogous to a PC's Intel/AMD x86 CPU) and 2M RAM, with CD media as large as 6xxM.

If the PS game is not as simple as a Tetris, there must be some special mechanism to allow the PS to execute the 6xxM of possible memory within the limited 2M RAM. It may be an overlay memory management.

In different stages of the game, the 2M RAM may have different layouts, e.g.
Code:
```
On field,          On Battle ,         On Menu ,           On MiniGame
<common data>      <common data>       <common data>       <common data>
<field data >      <battle data>       <menu data  >       <miniGm data>
...                <battle data>       ...                 ...
[field code ]      <battle data>       [menu code  ]       [miniGm code]
[common code]      [common code]       [common code]       [common code]
```
 
From your dissector pic, it suggests the addresses are obtained from some data (but not code) during a battle stage, i.e.
Code:
```
8c4 +  d0 = 994
994 + 4e0 = e74 where 4e0 = 6 * d0
===>
8c4 => 8c4 + d0 * 0   --> 1st player char?
994 => 8c4 + d0 * 1   --> 2nd player char?
...
e74 => 8c4 + d0 * 7   --> possible 1st/2nd enemy?
```
The nice arrangement of addresses at multiples of 0xd0 in size suggests they are highly likely indeed data structs for some player char/enemy.

But the pic was taken at a stage outside battle, where there is now code at the same addresses. This suggests that the same address is used both as data (during battle) and as code (outside battle). That should be the reason you want to make an injection cheat instead of continually freezing the same data addresses?

This is to explain (if not confuse more) my previous post.

----

Anyway, have you made an injection where your target address (where you want to write 9999) is being changed DURING BATTLE STAGE, especially when it decreases? Your previous script doesn't look like it was made during the battle stage.

Then if the modification (writing 9999) is made within the injection, you should not need to detect whether it is in battle stage or outside battle stage... It must be in battle stage when the injection is executing!

It would be helpful if such an inject script were posted.

Then what's left is to differentiate whether the address is friendly or enemy; as you added, testing +60 with 800 is such a filter (is friend or enemy).
Even if the +60 is not a reliable filter, I'm pretty sure the PS MEMORY ADDRESS can also be used as a filter, and such a PS MEMORY ADDRESS should be obtainable in the injection code.
e.g. In your previous script, edx should be the PS MEMORY ADDRESS at the injection point.

Please make and post an injection script during battle that writes to the address you want the 9999 written to.
ADDED:
Please also provide a picture of the breakpoint register values at the point the target address is being written.
_________________
- Retarded.
ran_fan06 (Newbie cheater; Reputation: 0; Joined: 06 Oct 2007; Posts: 17)
Posted: Thu Apr 13, 2017 10:13 am
First of all, thanks a lot!! This means so much to me in terms of the things I get to learn.
Guessing that I did get what your third point meant, and answering the new question at the same time: the code I'm trying to inject into is the only code that accesses the HP during battle. When I'm being attacked, that code is triggered. When I attack the enemy, the code is triggered.

Of course I'm using the "find out what writes to this address" function on my HP. But I believe it also accesses every other thing, even while not in battle. See attachment A below. It's the addresses being accessed and written to by that code alone, constantly.

I've successfully injected into it by comparing ecx to b579a0 and eax to 8f24 (attachment B), then if those are true, writing (int)9999 into it. It worked, with the side effect that my MP drains to 0. I believe it should've been mov word ptr instead of just mov.

I guess that's how the 2M memory handles the 6xxM memory, like what you said....

I don't know how to create a breakpoint on the code only when it accesses the HP address, so I didn't do it. But I used the "find out what writes" thingy, which I think is the same. So it's in attachment B.
 
 
 
	
		
	 
Attachment: 34.17 KB
Attachment: 33.18 KB

panraven (Grandmaster Cheater; Reputation: 62; Joined: 01 Oct 2008; Posts: 958)
Posted: Thu Apr 13, 2017 11:47 am
It seems all values shown in pic 2 are valid MIPS instructions.
It is strange to me that the previous injection script is the ONLY (?) code that changes your target address (*), and also that it treats the address as PS MEMORY DATA and as PS MEMORY CODE.

The target address is team HP during the battle stage; from my understanding of how ePSXe works, there should be x86 code compiled based on a piece of PS memory code that specifically treats the target address as your team HP, instead of writing yet more PS memory code to the address, which I think only happens when the real PS reads code from the CD and should only happen at the time of changing from battle stage to non-battle stage or vice versa.

I'm lost too at this moment.
If you don't mind, would you please PM me what the game is?

(*)
In pic 1, EDX is 80108f24; this should be PS memory, which maps to PC / x86 memory of Eax+Ecx = b608c4 (as your 1st address in the dissector).

There may be some AR code for the PS GAME having the number 80108f24 ? FF9 ? http://wescastro.com/codetwink/cheats.codetwink.com/psx/view/1254/50/

ADDED:
[delete]If the init inject script DOES also treat the target address as your team HP, it should be possible to use EDX (as PS memory address) and the +60 == 800 (2 byte or 4 byte?) to act as filters, i.e. EDX alone to differentiate friendly or enemy, and the +60 check for battle stage.[/delete]
oops, it is not necessarily right: when the PS writes the team HP with MIPS CODE, the address +60 may still equal 800, which +60 will soon be written by the same code a few nanoseconds later... so the in-battle stage detection fails.
_________________
- Retarded.
ran_fan06 (Newbie cheater; Reputation: 0; Joined: 06 Oct 2007; Posts: 17)
Posted: Thu Apr 13, 2017 9:11 pm
It blows my mind that you actually figured out the game from a list of registers.
Well, it's not the only code that accesses the HP address. But it is the only code accessing it at the right time, which is during battle. When I'm out of battle, the HP addresses hold random values, different on each screen.

The +60 offset holds a 4-byte value of hex 800 or int 2048, only for my team. The same offset holds a 4-byte value of 0 for the enemy. The offset also changes to that value only during battle. While out of battle, it changes to random values. So the offset allows me to detect both the in-battle state and the team HP state, does it not?

BTW, I still don't know how I can read the values addressed by the code as MIPS instructions. Haha.
panraven (Grandmaster Cheater; Reputation: 62; Joined: 01 Oct 2008; Posts: 958)
Posted: Sat Apr 15, 2017 2:13 am
@"I still don't know how to can read the values addressed by the code as MIPS instructions."
You can try converting the bytes to see if they are valid MIPS code.
Try MIPS Disassemble

Given it is FF9, and the info from the AR code page, and how to map PS MEM to PC MEM from the previous inject script, I tried to emulate the
D00F11B8 0001
for battle stage detection.

Hopefully it has no typo and works, and the comments are clear enough to explain what it does.

ADDED:
The "HP Allies" contains a space, which makes it not a valid AA symbol.
AA symbols contain only alphanumeric characters and _ . @ #.
Code:
```
[ENABLE]

aobscan(HP_Allies,66 89 1C 01 81 E2 FC FF 1F 00) // should be unique
alloc(newmem,$1000)

label(code)

label(original)
label(return)

label(done)
label(doPlayer)
label(doEnemy)

label(MapPSMEM)

newmem:

code:
push ecx  //  save temp
push eax
//////////// from here to done: check if we need to modify bx, and only bx
//// do not modify edx

/// emulate D00F11B8 0001 to detect in battle stage
mov  eax,800f11b8   /// ps mem address
call MapPSMEM       //// map it to pc memory address
cmp  word ptr[eax],0001 /// compare 2-byte word

jne  done       /// the D00F11B8 0001 test failed, not in battle, do not modify bx

//// test player hp address
cmp  edx,80108F24 /// player #1 hp
je   doPlayer
cmp  edx,80108FF4 /// player #2 hp
je   doPlayer
cmp  edx,801090c4 /// player #3 hp
je   doPlayer
cmp  edx,80109194 /// player #4 hp
je   doPlayer
//// test enemy hp address
cmp  edx,80109264 /// enemy #1 hp
je   doEnemy
cmp  edx,80109334 /// enemy #2 hp
je   doEnemy
cmp  edx,80109404 /// enemy #3 hp
je   doEnemy
cmp  edx,801094d4 /// enemy #4 hp
je   doEnemy
cmp  edx,801095a4 /// enemy #5 hp
je   doEnemy

jmp  done  /// no matching hp address, done, do not modify bx

doPlayer:
mov  ax,#9999  //// prefix # or (int) for decimal number
cmp  ax,bx
jle  @f
mov  bx,ax  /// player hp no less than 9999
@@:
jmp  done
doEnemy:
mov  ax,1
cmp  ax,bx
jge  @f
mov  bx,ax  /// enemy hp no more than 1, 1 hit kill
@@:
jmp  done

done:
pop eax  // restore temp
pop ecx

original:
mov [ecx+eax],bx  /// original
and edx,001FFFFC  /// original

jmp return

MapPSMEM:
//  input  eax = PS MEM Address
//  output eax = the PC address that PS MEM Address maps to
//  no error check
push  ecx
mov   ecx,eax
shr   ecx,10            // upper 16 bits of the PS address (AA numbers are hex: 10 = 16)
and   eax,0ffff         // lower 16 bits: offset inside that 64K block
reassemble(HP_Allies-7) // copy  mov ecx,[ecx*4+ePSXe.exe+5364E0]  (ePSXe's own table lookup)
lea   eax,[eax+ecx]     // get pc address
pop   ecx
ret

HP_Allies:
jmp newmem
nop
nop
nop
nop
nop
return:
registersymbol(HP_Allies)

[DISABLE]
HP_Allies:
db 66 89 1C 01 81 E2 FC FF 1F 00

unregistersymbol(HP_Allies)
dealloc(newmem)
```
_________________
- Retarded.
ran_fan06 (Newbie cheater; Reputation: 0; Joined: 06 Oct 2007; Posts: 17)
Posted: Mon Apr 17, 2017 10:13 pm
Sorry for the late reply. Haven't had the time. So the mapping of the PS mem to the PC mem is a necessary thing to tackle? Trust me when I say I only get around 30% of the instructions you created.
The shr and lea are new to me. I don't even know why you use the and instruction with the value 0ffff, or why shr ecx with 10. Also why you reassemble the HP_allies-7 code before calling lea. (Now I know that it gives an error if I rewrite the whole instruction, so you just reused the code instead.)

The code does work. I am just hoping that I can understand more of it.

Btw, can't I just use the edx to compare the 800f11b8 with 1?

EDIT:
OK, I played around with the shr and the and. What you did was getting 800f into ecx and getting 11b8 into eax from the address 800f11b8. Then you reuse the code from ePSXe to change the ecx, add it to eax, and move the sum to eax as a PC mem address mapped from the PS mem address.

Why reuse the code? Is the code the one that maps the address?

Oh god, I just realized you copied the code from ePSXe to obtain the mapped PC address. Silly me... Haha... Well, it still involves using an AR code discovered by someone else.

I guess I could've just found the address that identifies whether I'm in battle or not using CE, and used that address for battle stage detection instead. Still, can't I just compare edx to 1 before finding the PC address?

I learned so much from you. Thank you. If you have more to teach me, any tips, a link for me to learn more, whatever, please do post it or PM.
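The two things the last posts turn on, the MapPSMEM routine (`shr ecx,10` / `and eax,0ffff` / the copied ePSXe table lookup / `lea`) and the filter that decides what `bx` is allowed to become, are modelled below in Python as an added example. It is not the thread's code or ePSXe's: the page table entry for block 8010 uses the values quoted in the thread (ecx = b579a0, so 80108f24 maps to b608c4), while the entry for block 800f and the RAM snapshot are constructed for the example, and the "RAM" is just a dict of halfwords keyed by PC address.

```python
# PS1 address bits 31..16 select a 64K block; ePSXe keeps a table giving the PC base
# address of each block, and MapPSMEM adds the low 16 bits to that base.
PAGE_TABLE = {
    0x8010: 0xB579A0,   # from the thread: ecx was b579a0 when eax was 8f24
    0x800F: 0xB569A0,   # constructed for this example, not a value from the thread
}

PLAYER_HP = {0x80108F24, 0x80108FF4, 0x801090C4, 0x80109194}
ENEMY_HP = {0x80109264, 0x80109334, 0x80109404, 0x801094D4, 0x801095A4}
BATTLE_FLAG = 0x800F11B8      # AR code D00F11B8 0001: in battle when this halfword == 1
PLAYER_MIN_HP = 9999
ENEMY_MAX_HP = 1


def map_ps_to_pc(ps_addr, page_table=PAGE_TABLE):
    """MapPSMEM: shr ecx,10 / and eax,0ffff / mov ecx,[ecx*4+table] / lea eax,[eax+ecx]."""
    block = ps_addr >> 16             # shr ecx,10  (AA numbers are hex: 0x10 = 16 bits)
    offset = ps_addr & 0xFFFF         # and eax,0ffff
    return page_table[block] + offset  # table lookup, then lea


def to_s16(value):
    """The script compares ax with bx using jle/jge, i.e. as signed 16-bit values."""
    value &= 0xFFFF
    return value - 0x10000 if value & 0x8000 else value


def filtered_bx(ps_addr, bx, pc_memory, page_table=PAGE_TABLE):
    """Value the original 'mov [ecx+eax],bx' stores once the script's filter has run.

    ps_addr   - the PS address held in edx at the injection point
    bx        - the 16-bit value the game is about to write
    pc_memory - {pc_address: halfword}, a constructed stand-in for ePSXe's RAM
    """
    flag_pc = map_ps_to_pc(BATTLE_FLAG, page_table)
    if pc_memory.get(flag_pc, 0) != 1:      # cmp word ptr[eax],0001 ; jne done
        return bx
    if ps_addr in PLAYER_HP:                # doPlayer: never let a player drop below 9999
        return bx if to_s16(PLAYER_MIN_HP) <= to_s16(bx) else PLAYER_MIN_HP
    if ps_addr in ENEMY_HP:                 # doEnemy: never let an enemy exceed 1
        return bx if to_s16(ENEMY_MAX_HP) >= to_s16(bx) else ENEMY_MAX_HP
    return bx                               # any other write through this code: untouched


def demo():
    """Exercise the filter against a constructed in-battle RAM snapshot."""
    in_battle = {map_ps_to_pc(BATTLE_FLAG): 1}
    return {
        "hp1_pc": map_ps_to_pc(0x80108F24),
        "player_in_battle": filtered_bx(0x80108F24, 350, in_battle),
        "enemy_in_battle": filtered_bx(0x80109264, 350, in_battle),
        "player_out_of_battle": filtered_bx(0x80108F24, 350, {}),
        "unrelated_write": filtered_bx(0x80108F00, 350, in_battle),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} -> {value:#x}" if name == "hp1_pc" else f"{name:22} -> {value}")
```

On the question of comparing edx with 1 directly: at the injection point edx holds the PS address being written (that is why the script matches it against the HP addresses), not the contents of 800f11b8, so the flag has to be fetched from RAM, and fetching it is exactly what the mapping step is for. The model keeps the script's signed compare, so a write of 0xffff to a player slot is treated as -1 and raised to 9999, matching what the jle would do.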