Cheat Engine Forum
The Official Site of Cheat Engine
Save values like registersymbol does, without injection

sandsmaster
Newbie cheater
Reputation: 1

Joined: 21 Jan 2021
Posts: 24

Posted: Fri Jan 22, 2021 12:51 pm    Post subject: Save values like registersymbol does, without injection

Hi everyone!

I'm trying to get the hunger pointer from a game called Cryofall.

In a nutshell, I found the value and ran most of the pointer scans that Cheat Engine offers,
but there are no stable pointers. I tried with pointers of level 9 and max offset 1024, and
found around a billion (10^9), but none is stable. I heard that Cryofall uses some kind of memory
randomization, so this removes static addresses
(but I just heard about it).
So I went for what writes to this address and found an entry that modifies 4 values. So far so good,
but just that far, because then I tried an AOB script with just a registersymbol for the "hunger" register.
Unfortunately Cryofall has some anti-cheat there, so the game crashes on jumping to the script.

Here's the code if you're curious:

Code:
{ Game   : dotnet.exe
  Version:
  Date   : 2021-01-22
  Author : botcho

  This script does blah blah blah
}

[ENABLE]

aobscan(GetHung,89 4A 04 C5 FB 11 B6 80 00 00 00) // should be unique
alloc(newmem,$1000,7FFC6A52EC12)

label(code)
label(return)
label(hunger)
registersymbol(hunger)

newmem:

hunger:
  dd 0

code:
  mov [rdx+04],ecx // ecx got the value
  mov [hunger],ecx
  vmovsd [rsi+00000080],xmm6
  jmp return

GetHung:
  jmp newmem
  nop 6
return:
registersymbol(GetHung)

[DISABLE]

GetHung:
  db 89 4A 04 C5 FB 11 B6 80 00 00 00

unregistersymbol(hunger)
unregistersymbol(GetHung)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 7FFC6A52EC12

7FFC6A52EBED: 0F B6 D2                       -  movzx edx,dl
7FFC6A52EBF0: 85 C2                          -  test edx,eax
7FFC6A52EBF2: 74 14                          -  je 7FFC6A52EC08
7FFC6A52EBF4: C5 FB 10 86 80 00 00 00        -  vmovsd xmm0,[rsi+00000080]
7FFC6A52EBFC: C5 F9 2E C6                    -  vucomisd xmm0,xmm6
7FFC6A52EC00: 7A 06                          -  jp 7FFC6A52EC08
7FFC6A52EC02: 0F 84 E2 00 00 00              -  je 7FFC6A52ECEA
7FFC6A52EC08: B8 01 00 00 00                 -  mov eax,00000001
7FFC6A52EC0D: 48 8B D7                       -  mov rdx,rdi
7FFC6A52EC10: 88 02                          -  mov [rdx],al
// ---------- INJECTING HERE ----------
7FFC6A52EC12: 89 4A 04                       -  mov [rdx+04],ecx
7FFC6A52EC15: C5 FB 11 B6 80 00 00 00        -  vmovsd [rsi+00000080],xmm6
// ---------- DONE INJECTING  ----------
7FFC6A52EC1D: 48 8B 5E 50                    -  mov rbx,[rsi+50]
7FFC6A52EC21: 48 83 7E 48 00                 -  cmp qword ptr [rsi+48],00
7FFC6A52EC26: 75 4A                          -  jne 7FFC6A52EC72
7FFC6A52EC28: 48 8B 0F                       -  mov rcx,[rdi]
7FFC6A52EC2B: 48 89 4D A0                    -  mov [rbp-60],rcx
7FFC6A52EC2F: 48 8D 4D A0                    -  lea rcx,[rbp-60]
7FFC6A52EC33: E8 38 BF 1D FD                 -  call 7FFC6770AB70
7FFC6A52EC38: 48 8B F0                       -  mov rsi,rax
7FFC6A52EC3B: C5 F8 28 C6                    -  vmovaps xmm0,xmm6
7FFC6A52EC3F: 33 D2                          -  xor edx,edx
}


I've cheated a few dozen games, but never got that before. Curious whether there is an
anti-cheat that resets the pointers on start. Maybe not, but I haven't seen it before.
What makes me more suspicious is that the game is nearly 700 MB.

Any help would help.

_________________
I don't post too much. yet.


Last edited by sandsmaster on Tue Jan 26, 2021 5:44 pm; edited 1 time in total
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4702

Posted: Fri Jan 22, 2021 1:48 pm

Higher max offset, multiple pointermaps, and ~3 max offsets per node would be better pointer scanner settings. Might be irrelevant since the engine uses .NET, and I've always had problems finding static pointers in games using interpreted/jitted code. (I'm pretty sure it was actually some .NET game where I eventually traced back a pointer path's base address to an immediate in an instruction)

It crashes because you don't know how to write AA scripts. (code tags also exist)
Code:
newmem:

hunger:
dd 0

code:
...

GetHung:
jmp newmem
...
You're jumping to a bunch of 0 bytes before getting to the code. Put hunger far away from the code.
Code:
newmem+800:
hunger:
  dd 0
You could also put the label right after the end of your code, but it might not be aligned then (not a big issue, just annoying to me).

The third parameter to alloc should be the symbol used in the aobscan (i.e. "GetHung"); otherwise, it might get allocated more than 2GB away from the injection point and crash next time you restart the game. (this is the template's fault IIRC)
Code:
aobscan(GetHung,89 4A 04 C5 FB 11 B6 80 00 00 00)
alloc(newmem,$1000,GetHung)


You appear to be copying a value (i.e. ecx) and not the address of the value (i.e. rdx). If you only want to read from the value, I guess it's fine, but if you also want to write to it, this is wrong. (don't forget to change dd to dq under "hunger:" for storing 64-bit registers)

_________________
I don't know where I'm going, but I'll figure it out when I get there.
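The script from the first post rewritten with the three changes suggested in the reply above, as an added example that is not code posted by either participant. The AOB pattern and the original 11 bytes are the ones posted in the thread; everything else is an assumption made for the example: rax is used as a scratch register (saved and restored around the lea), the saved slot is a 64-bit dq holding the address of the value rather than the value itself, and the data is placed at newmem+800 as the reply suggests.

```asm
{ Added example, not from the thread: the first post's script with the
  reply's three corrections applied. Pattern and original bytes are from
  the thread; the rax scratch register, the lea/dq pointer storage and the
  +800 data offset are assumptions for this example. }

[ENABLE]

aobscan(GetHung,89 4A 04 C5 FB 11 B6 80 00 00 00) // should be unique
// Third parameter is the injection symbol, not a hard-coded address, so the
// block is allocated within +/-2GB of GetHung and the 5-byte rel32
// "jmp newmem" can always reach it, including after a game restart.
alloc(newmem,$1000,GetHung)

label(code)
label(return)
label(hunger)
registersymbol(hunger)
registersymbol(GetHung)

newmem:
code:
  // Store the address of the value ([rdx+04]), not its contents (ecx),
  // so the address list can both read and write it through [hunger].
  // rax is preserved because the original code may still need it.
  push rax
  lea rax,[rdx+04]
  mov [hunger],rax
  pop rax
  // original instructions that were overwritten by the jmp
  mov [rdx+04],ecx
  vmovsd [rsi+00000080],xmm6
  jmp return

// Data lives well past the code so the jump into newmem never executes
// the zero bytes of the storage slot (the cause of the original crash).
newmem+800:
hunger:
  dq 0   // 64-bit slot for a pointer

GetHung:
  jmp newmem
  nop 6  // 11 original bytes = 5-byte jmp + 6 bytes of padding
return:

[DISABLE]

GetHung:
  db 89 4A 04 C5 FB 11 B6 80 00 00 00

unregistersymbol(hunger)
unregistersymbol(GetHung)
dealloc(newmem)
```

With the script enabled, add an address-list entry with the Pointer box checked, base address `hunger`, offset 0 and type 4 bytes; that entry then points at the live hunger value and can be frozen or edited, which a copied value cannot. Before enabling, confirm the AOB scan returns exactly one hit, since a second match would put the jump somewhere the script never intended.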
sandsmaster
Newbie cheater
Reputation: 1

Joined: 21 Jan 2021
Posts: 24

Posted: Thu Jan 28, 2021 11:21 am

Hello again.

Thanks for the help, man. You really know what you're doing. I changed everything you suggested, but sadly couldn't
get the pointer out. Guess the .NET games don't like static addresses indeed. I even tried to backtrace the instruction
to a call above it, but for some reason I couldn't find a higher one. I tried with 4128 steps (maybe it's too little).

Anyways. After the script worked, I found that there aren't any static comparison values in the dissect data/structure
either. But I wrote a Python script to double-check it and thought it might be useful to someone else too. It's nothing
complicated. It just gets the name of the file and removes the addresses in the saved values list, so you can put it inside
a diff checker. I'll upload it here for now, but you can post it anywhere on the site you want.

EDIT:
Forgot to see the allowed extensions section lol. Guess it won't be here. I can send it in private.
It's the .py file, not .exe.

_________________
I don't post too much. yet.