| View previous topic :: View next topic |
| Author |
Message |
Tr1gun87
Cheater
![]() Reputation: 0
Joined: 17 May 2017
Posts: 27
|
 Posted: Fri Aug 07, 2020 8:14 am Post subject: help with CE and mono dissect |
 |
|
hello
i don't understand how use the data i found with mono dissect outside CE
i found a var that is pointing on the value i search in a object called Game (with 1 result if i search on CE) but now that i know the starting point how i can find again that var outside CE?
i don't think i can use AOB scan or a value scan since i can't know the values near for AOB , or the actual value of the var
is possible to navigate in mono with ahk or something else?
another problem i found was that if an object have static vars and i try to use the structure dissect on CE i can't find all that vars how i can solve that problem? (example on the attachment)
| Description: |
|
| Filesize: |
44.65 KB |
| Viewed: |
6371 Time(s) |
|
|
|
| Back to top |
|
 |
Betcha
Expert Cheater
 Reputation: 4
Joined: 13 Aug 2015
Posts: 232
Location: Somewhere In Space
|
| Posted: Fri Aug 07, 2020 8:47 am Post subject: Re: help with CE and mono dissect |
|
|
| Tr1gun87 wrote: | | an object have static vars and i try to use the structure dissect on CE i can't find all that vars how i can solve that problem? |
Right click the Static Field > Fields > Add Static Field Address.
Just make sure the script uses same mono.dll name as game have.
Check dll's name from memory view > view > enumerate dll's and symbols.
|
|
| Back to top |
|
|
Csimbi
I post too much
 Reputation: 97
Joined: 14 Jul 2007
Posts: 3305
|
| Posted: Fri Aug 07, 2020 11:55 am Post subject: |
|
|
Having hacked a lot of mono games, I have to say I don't use mono dissect so much nowadays.
When I do, it's usually to a) check what other members a specific class has or b) scan for instances of a class.
These a very useful though, helped me out of a hard spot many times.
|
|
| Back to top |
|
|
Tr1gun87
Cheater
![]() Reputation: 0
Joined: 17 May 2017
Posts: 27
|
| Posted: Fri Aug 07, 2020 12:46 pm Post subject: |
|
|
| Csimbi wrote: | Having hacked a lot of mono games, I have to say I don't use mono dissect so much nowadays.
When I do, it's usually to a) check what other members a specific class has or b) scan for instances of a class.
These a very useful though, helped me out of a hard spot many times. |
and how u find the values? without static address i can't make a CT, so i need to use the mono as reference.... but i don't understand how find in the successive sessions the values
| Betcha wrote: | | Tr1gun87 wrote: | | an object have static vars and i try to use the structure dissect on CE i can't find all that vars how i can solve that problem? |
Right click the Static Field > Fields > Add Static Field Address.
Just make sure the script uses same mono.dll name as game have.
Check dll's name from memory view > view > enumerate dll's and symbols. |
and after? i don't see any difference
|
|
| Back to top |
|
|
Csimbi
I post too much
Reputation: 97
Joined: 14 Jul 2007
Posts: 3305
|
| Posted: Fri Aug 07, 2020 1:45 pm Post subject: |
|
|
Well, I start with a few values the traditional way; health, ammo, money, something.
Debug a bit to see what reads/writes them to get to the class whose members these values are.
That is usually a character or inventory class or template.
From there, you use dissect mono to see what members there are and see what they do.
There is far less debugging and guesswork involved with mono as CE does most of the legwork for you.
|
|
| Back to top |
|
|
Tr1gun87
Cheater
![]() Reputation: 0
Joined: 17 May 2017
Posts: 27
|
| Posted: Fri Aug 07, 2020 1:46 pm Post subject: |
|
|
| Csimbi wrote: | Well, I start with a few values the traditional way; health, ammo, money, something.
Debug a bit to see what reads/writes them to get to the class whose members these values are.
That is usually a character or inventory class or template.
From there, you see what members there are and see what they do.
There is far less debugging and guesswork involved with mono as CE does most of the legwork for you. |
ok but when u close the game if u need again that values u redo the search from the start?
|
|
| Back to top |
|
|
Csimbi
I post too much
Reputation: 97
Joined: 14 Jul 2007
Posts: 3305
|
| Posted: Fri Aug 07, 2020 1:54 pm Post subject: |
|
|
When you do the debug, save the AOB signature of the "best" instruction you found.
By best I mean, an instruction that reads/writes only the one value you want (i.e. player only, money only, etc.).
Next time, you just do an AOB scan, use 'find out what addresess are accessed' and bang, you have the address again. Alternatively, you can make an AOB script right away that grabs the pointer without having to enable the debugger in the first place (this is my preferred method for many reasons - saving these AOB scriptlets makes future updates a lot easier).
You will find that CE's mono is a bit finicky when it comes to using the debugger and mono at the same time. It might even crash sometimes, so whenever you reach a milestone, save the CT so you don't have to redo stuff or else you will get frustrated quite soon. It is a good practice to switch between mono and the debugger as seldom as you possibly can. And hence the excellent leverage on mono dissect 
Good luck!
|
|
| Back to top |
|
|
Tr1gun87
Cheater
![]() Reputation: 0
Joined: 17 May 2017
Posts: 27
|
| Posted: Fri Aug 07, 2020 6:09 pm Post subject: |
|
|
| Csimbi wrote: | When you do the debug, save the AOB signature of the "best" instruction you found.
By best I mean, an instruction that reads/writes only the one value you want (i.e. player only, money only, etc.).
Next time, you just do an AOB scan, use 'find out what addresess are accessed' and bang, you have the address again. Alternatively, you can make an AOB script right away that grabs the pointer without having to enable the debugger in the first place (this is my preferred method for many reasons - saving these AOB scriptlets makes future updates a lot easier).
You will find that CE's mono is a bit finicky when it comes to using the debugger and mono at the same time. It might even crash sometimes, so whenever you reach a milestone, save the CT so you don't have to redo stuff or else you will get frustrated quite soon. It is a good practice to switch between mono and the debugger as seldom as you possibly can. And hence the excellent leverage on mono dissect
Good luck! |
actually i don't get it... how u get the pointer from the code?
in the code i have "mov [edi+40],eax" without know edi i can't backtrace the address... and edi as a register isn't static so u should debug and stop the code in that point and only after u can get the location... i don't think is a "easy" way ... maybe i'm missing something?
|
|
| Back to top |
|
|
Csimbi
I post too much
Reputation: 97
Joined: 14 Jul 2007
Posts: 3305
|
| Posted: Sat Aug 08, 2020 12:29 am Post subject: |
|
|
You're on the right path.
Looking at the instruction, the instance's base address should be EDI - no need to backtrace anything.
Throw the value of EDI into the data dissect window and see what you get.
If that's not it, see where EDI gets its value (backtrace) and try to go from there. Most of the time games use the base address, but in case it's something in an array or a list, that's not the case.
|
|
| Back to top |
|
|
Tr1gun87
Cheater
![]() Reputation: 0
Joined: 17 May 2017
Posts: 27
|
| Posted: Sat Aug 08, 2020 3:13 am Post subject: |
|
|
| Csimbi wrote: | You're on the right path.
Looking at the instruction, the instance's base address should be EDI - no need to backtrace anything.
Throw the value of EDI into the data dissect window and see what you get.
If that's not it, see where EDI gets its value (backtrace) and try to go from there. Most of the time games use the base address, but in case it's something in an array or a list, that's not the case. |
the first 2 rows of the function are this:
in al,dx
push edi
so edi is pushed from somewhere else (like parameter of the function?)
i don't know what "in" do but i don't think is relevant since "al" "dx" aren't main register(?)
|
|
| Back to top |
|
|
Csimbi
I post too much
Reputation: 97
Joined: 14 Jul 2007
Posts: 3305
|
| Posted: Sat Aug 08, 2020 4:29 am Post subject: |
|
|
in al,dx is most likely garbage.
A the call should start with push ebp.
Anyway, push edi saves the register, if that's where it starts, then the function calling this one should be setting edi earlier.
|
|
| Back to top |
|
|
Tr1gun87
Cheater
![]() Reputation: 0
Joined: 17 May 2017
Posts: 27
|
| Posted: Sat Aug 08, 2020 4:34 am Post subject: |
|
|
| Csimbi wrote: | in al,dx is most likely garbage.
A the call should start with push ebp.
Anyway, push edi saves the register, if that's where it starts, then the function calling this one should be setting edi earlier. |
so u backtrace other functions till u found edi?
|
|
| Back to top |
|
|
Csimbi
I post too much
Reputation: 97
Joined: 14 Jul 2007
Posts: 3305
|
| Posted: Sat Aug 08, 2020 6:55 am Post subject: |
|
|
| It has to come from somewhere, right?
|
|
| Back to top |
|
|
Tr1gun87
Cheater
![]() Reputation: 0
Joined: 17 May 2017
Posts: 27
|
| Posted: Sat Aug 08, 2020 11:14 pm Post subject: Re: help with CE and mono dissect |
|
|
| Betcha wrote: | | Tr1gun87 wrote: | | an object have static vars and i try to use the structure dissect on CE i can't find all that vars how i can solve that problem? |
Right click the Static Field > Fields > Add Static Field Address.
Just make sure the script uses same mono.dll name as game have.
Check dll's name from memory view > view > enumerate dll's and symbols. |
now i noticed that the address are added on the CT, but i have an error on line 20:
call mono.mono_get_root_domain
"the instruction can't be compiled"
|
|
| Back to top |
|
|
Tr1gun87
Cheater
![]() Reputation: 0
Joined: 17 May 2017
Posts: 27
|
| Posted: Sun Aug 09, 2020 4:49 pm Post subject: |
|
|
i think i solved both problems... if csimbi was talking about static addresses too... than i think i understand now
the mono problem was (like i found on another post) a dll rename
|
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
