Cheat Engine The Official Site of Cheat Engine

Vortexian (How do I cheat?) Reputation: 0
Joined: 18 Jul 2018 Posts: 8
Posted: Sat Jan 01, 2022 6:16 pm Post subject: Thread access error causing crash, help requested
Hi! I'm trying to modify some health value in a game to make a godmode, but the game likes to pass stuff through memcpy, which, as far as I can tell, performs the following (in regards to the data I'm trying to access):
Code:
mov rcx, [rdx]
mov [rax], rcx
The code I'm testing right now is this:
Code:
code:
cmovne rdx,rax
mov [rdx], #130 // my line of code
mov rax,[rbp+50]
jmp return
Where [rdx] will be the health value to move all the time. This code comes BEFORE the call to memcpy. Enabling this doesn't give me any issues until I do something in-game that updates the health value - only then does the game crash. If the script is injected in a location that includes the call to memcpy (like through an AOB injection, and the scanned AOB includes the call), the game crashes on enabling the script.
I can break and trace this code to find what function is going to memcpy, and I can see and somewhat understand the code here. However, if I try to modify [rdx] before the call to memcpy, the game crashes. The dump file produced by the game simply describes the error as "The thread tried to read from or write to a virtual address for which it does not have the appropriate access." I don't really know how to prevent this or further debug the reason as to why I am crashing, and any advice would be appreciated. Thanks.
_________________
im kinda edgy
TheyCallMeTim13 (Wiki Contributor) Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Sat Jan 01, 2022 6:43 pm Post subject:
Well you're using a conditional move without a compare; at least in your script, not sure if the right compare is before your injection. And you're maybe (based on the last compare) setting RDX and if it's used later and isn't the right structure it likely won't have the right pointers to use later, thus might be using some random value as an address.
Vortexian (How do I cheat?) Reputation: 0
Joined: 18 Jul 2018 Posts: 8
Posted: Sat Jan 01, 2022 7:09 pm Post subject:
Quote:
Well you're using a conditional move without a compare; at least in your script, not sure if the right compare is before your injection. And you're maybe (based on the last compare) setting RDX and if it's used later and isn't the right structure it likely won't have the right pointers to use later, thus might be using some random value as an address.

There is a test instruction right before the conditional move. As far as I am aware I'm not modifying any structures that are used by memcpy. The following is the unmodified code before the memcpy call.
Code:
test rax,rax
cmovne rdx,rax
mov rax,[rbp+50]
test rax,rax
cmovne rcx,rax
call VCRUNTIME140.memcpy
...
I'm only modifying the value of rdx after the conditional move. The memcpy function has several return instructions littered throughout, which I don't understand - the code in memcpy that's modifying the data I'm looking at comes after several of these, and there aren't any jumps happening that get to this specific point in memcpy -- I'm not sure if this is something I should be too concerned about.
Directly injecting into memcpy is not something I want to do, as numerous functions use memcpy.
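Modelling the unmodified sequence above in C (an added, constructed example; not code from the game, from Cheat Engine, or from anyone in this thread): cmovne only replaces rdx when rax is non-zero, so on the rax == 0 path the injected write goes through whatever stale value rdx already held, which is the "random value as an address" failure described earlier. The `mem` array, the register struct and the sample register values are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the quoted sequence; not code from the game or from
 * Cheat Engine. "Memory" is one small array, and a write outside it stands in
 * for the access violation the real thread reports. */
#define MEM_SIZE 64
static uint8_t mem[MEM_SIZE];
typedef struct { uint64_t rax, rcx, rdx; } regs_t;
static bool valid_ptr(uint64_t addr, size_t len) {
    return addr < MEM_SIZE && len <= MEM_SIZE - addr;
}

/* test rax,rax ; cmovne dst,rax : dst is replaced only when rax is non-zero,
 * otherwise it keeps whatever it held when the injected code was reached. */
static void test_cmovne(uint64_t *dst, uint64_t rax) {
    if (rax != 0) *dst = rax;
}

/* Runs the quoted instructions. rbp_50 is the value mov rax,[rbp+50] loads.
 * Returns false at the first write whose address is not valid memory. */
bool run_sequence(regs_t *r, uint64_t rbp_50, bool inject_write) {
    test_cmovne(&r->rdx, r->rax);            /* test rax,rax ; cmovne rdx,rax */
    if (inject_write) {                       /* mov [rdx],#130 (the injected line) */
        uint32_t v = 130;
        if (!valid_ptr(r->rdx, sizeof v)) return false;
        memcpy(mem + r->rdx, &v, sizeof v);
    }
    r->rax = rbp_50;                          /* mov rax,[rbp+50] */
    test_cmovne(&r->rcx, r->rax);             /* test rax,rax ; cmovne rcx,rax */
    /* call memcpy: the x64 Windows convention passes dest in rcx, src in rdx */
    if (!valid_ptr(r->rcx, 4) || !valid_ptr(r->rdx, 4)) return false;
    memcpy(mem + r->rcx, mem + r->rdx, 4);
    return true;
}
uint32_t read_dword(uint64_t addr) {
    uint32_t v = 0;
    if (valid_ptr(addr, sizeof v)) memcpy(&v, mem + addr, sizeof v);
    return v;
}

int main(void) {
    regs_t ok = { .rax = 8, .rcx = 0, .rdx = 0xDEAD };  /* rax holds a real source pointer */
    regs_t bad = { .rax = 0, .rcx = 0, .rdx = 0xDEAD }; /* rax is zero: rdx stays stale */
    printf("good path: %d, dest now %u\n", run_sequence(&ok, 16, true), read_dword(16));
    printf("stale rdx path: %d\n", run_sequence(&bad, 16, true));
    return 0;
}
```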
ParkourPenguin (I post too much) Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
Posted: Sat Jan 01, 2022 7:30 pm Post subject:
Vortexian wrote:
Directly injecting into memcpy is not something I want to do

Wise.
Are you sure rdx contains the address of your health? I'd inject the code and set a breakpoint at mov [rdx],#130 to have a better idea of what's going on.
Vortexian wrote:
The memcpy function has several return instructions littered throughout, which I don't understand - the code in memcpy that's modifying the data I'm looking at comes after several of these, and there aren't any jumps happening that get to this specific point in memcpy

CE's dissect code feature doesn't catch everything. Indirect jumps (e.g. jump table) won't be analyzed by CE at all.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Vortexian (How do I cheat?) Reputation: 0
Joined: 18 Jul 2018 Posts: 8
Posted: Sat Jan 01, 2022 7:58 pm Post subject:
Quote:
Are you sure rdx contains the address of your health?
No, I'm not sure. Finding what writes/what accesses the health values when scanned always results in the memcpy function, from which I break and trace, look at the stack, and see which function called memcpy and try to interpret from there. As far as I'm aware, memcpy (at least the portion that pops up on the write/access monitor) is using RAX as the address for the health, and the value of RDX (which is moved into RCX in memcpy) as the new health value.
I'll look at the mov [rdx], #130.
Edit: sorry, the function is memmove, not memcpy.
Double edit: it appears to switch between memmove and memcpy at runtime. Weird.
I don't know if I mentioned this already, but this game was designed in Unreal Engine 4. The dumpers I've tried to find and use so far have not worked, unfortunately.