Cheat Engine The Official Site of Cheat Engine

Mac99 (Newbie cheater, Reputation: 0, Joined: 13 Sep 2022, Posts: 14)
Posted: Thu Oct 27, 2022 6:01 am    Post subject: Get hardcoded MemAddress out of method

I've found a method that contains a hard-coded address of my target class. The address isn't just written in the registers; it is written within the method instructions.
I can't use any code injection here because this method is never called in normal gameplay.
The next issue is that, without mono features and their method name solution, I am not even able to find the method's location, since its memory address always changes.
Just to clarify, my target here is the address in the instruction:
Code:
    ةٶؔٙٹڄ:٘؝ٸدؑق+4 - mov rax,000001B1E59758A1

Thanks for your help!
[attached screenshot, 151.05 KB, viewed 2729 times]

cooleko (Grandmaster Cheater, Reputation: 11, Joined: 04 May 2016, Posts: 717)
Posted: Thu Oct 27, 2022 6:40 am

Use an AOB to identify the address without using any rewrite and extract the address from the symbol location with a readmem; use Lua to do the same; or use the mono template, since you know which module it is.
Read memory example: https://forum.cheatengine.org/viewtopic.php?p=5510717
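Added example, not code from cooleko's post and not a script shipped with Cheat Engine: a snippet for CE's Lua engine that does what the post describes, locating the method by an array-of-bytes scan and reading the 64-bit immediate straight out of the `mov rax,imm64` instruction instead of hooking anything. The byte pattern is a hypothetical placeholder you replace with bytes copied from the disassembler; the script assumes a 64-bit target, that the instruction is encoded as `48 B8` followed by the 8-byte immediate (which is why the value sits at offset +2), and uses only standard CE Lua functions (`AOBScan`, `readBytes`, `readQword`, `registerSymbol`).

```lua
-- Added example (not from the thread). Run in CE's Lua engine (Memory View > Tools > Lua Engine)
-- with a 64-bit target opened.

-- HYPOTHETICAL pattern: "48 B8" is REX.W + opcode of mov rax,imm64, the eight "??" are the
-- immediate (it changes every run, so it must stay wildcarded), and the trailing bytes stand
-- for whatever follows the mov in the real method. Copy those from the disassembler.
local PATTERN = "48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 05"

-- Scan the process for the pattern and return the address of the single match,
-- or nil plus an error text when there is no match or more than one.
local function findUniqueAob(pattern)
  local hits = AOBScan(pattern)          -- StringList of hex addresses, nil when nothing matched
  if hits == nil then return nil, "pattern not found" end
  local count = hits.Count
  local first = hits[0]
  hits.destroy()
  if count ~= 1 then
    return nil, string.format("pattern is not unique (%d hits), extend it with more bytes", count)
  end
  return tonumber(first, 16)
end

-- Given the address of a mov rax,imm64 instruction, return the immediate.
-- Offset +2 skips the REX.W prefix (48) and the opcode (B8); it is the same offset
-- that readmem(method+2,8) uses in the auto-assembler variant discussed in this thread.
local function readMovRaxImmediate(instr)
  local b = readBytes(instr, 2, true)    -- table, 1-indexed
  if b == nil or b[1] ~= 0x48 or b[2] ~= 0xB8 then
    return nil, string.format("%X does not hold mov rax,imm64", instr)
  end
  return readQword(instr + 2)
end

local instr, err = findUniqueAob(PATTERN)
if instr == nil then
  print("scan failed: " .. err)
else
  local target, err2 = readMovRaxImmediate(instr)
  if target == nil then
    print(err2)
  else
    print(string.format("instruction at %X, hard-coded class address %X", instr, target))
    -- Expose the value to the address list so entries can use e.g. [targetClass]+10
    unregisterSymbol("targetClass")
    registerSymbol("targetClass", target, true)
  end
end
```

The two checks are the ones that matter in practice: a JIT-compiled method moves between runs, so the scan has to be unique (otherwise you read an immediate out of some other method), and the opcode check guards against the pattern drifting onto a different instruction after a game update. A full-process `AOBScan` is slow on large Unity games; once the Mono name lookup works again it is cheaper to start from the method's code address and scan only around it.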

Mac99 (Newbie cheater, Reputation: 0, Joined: 13 Sep 2022, Posts: 14)
Posted: Thu Oct 27, 2022 9:42 am

Thank you, cooleko, for your help. I've never heard of the readmem method before.
I've tried readmem to get my address with this script:
Code:
    [ENABLE]
    //code from here to '[DISABLE]' will be used to enable the cheat
    alloc(method,8,ةٶؔٙٹڄ:٘؝ٸدؑق+4)   // allocates 8 new bytes near the method address
    alloc(CMhook,8,$process)          // 8 bytes that will receive the copied value
    Registersymbol(method)
    Registersymbol(CMhook)
    CMhook:
    Readmem(method+2,8)               // copies 8 bytes from method+2 into CMhook
    [DISABLE]
    //code from here till the end of the code will be used to disable the cheat
    Unregistersymbol(CMhook)
    Unregistersymbol(method)

But instead of getting 000001B1E59758A1, I got DE806000E5E0000, which I can't find anywhere in the code.
So readmem reads at a completely different location. What am I missing here?

Bloodybone (Newbie cheater, Reputation: 0, Joined: 07 Dec 2016, Posts: 21, Location: Germany)
Posted: Thu Oct 27, 2022 9:56 am

I would personally get the method's token once and then use that to find the method every time I restarted the game. I would then just call the method, because the method already returns (moves into rax) the desired address.
The method token gets stored at the method's address+4, so in the picture above you would read the 4 bytes at address "1B32252FFB4" and that would be the method's token, assuming that the selected method is the method you want.
After restarting the game you could then do something like the code below to get the address you want:
Code:
    -- Resolve a MonoMethod* from its metadata token by calling the game's own
    -- mono_get_method(image, token, klass) through executeCodeEx (type 0 = integer argument)
    local function GetMethodFromToken(image, token)
      if image == nil or token == nil or image == 0 or token == 0 then return nil end
      return executeCodeEx(1, 100, getAddress("mono_get_method"),
                           {type=0, value=image}, {type=0, value=token}, {type=0, value=0})
    end

    local assemblies = mono_enumAssemblies()
    local methodToken = 0x60015C4
    local method = nil
    -- Find the image (module) the method lives in, then look the token up there
    for _, v in ipairs(assemblies) do
      local image = mono_getImageFromAssembly(v)
      if (mono_image_get_name(image) == "Assembly-CSharp") then
        method = GetMethodFromToken(image, methodToken)
        --print(method)
        break
      end
    end

    -- Method can be used here
    local value = 0
    if (method ~= nil) then
      -- JIT the method (or get its existing code address) and call it; rax is returned
      local methodaddr = mono_compile_method(method)
      if (methodaddr ~= nil) then
        value = executeCode(methodaddr, 0, 100)
      end
    else
      error("Method not found!")
    end
    -- value is the desired address

You could run this in the Lua engine window or in an AA script inside a Lua block. Though you would want to change the name of the assembly in this line: " if (mono_image_get_name(image) == "Assembly-CSharp") then"
from "Assembly-CSharp" to the name of the assembly that the method is inside of, and change the method token to your method's token.

Mac99 (Newbie cheater, Reputation: 0, Joined: 13 Sep 2022, Posts: 14)
Posted: Thu Oct 27, 2022 12:28 pm

Bloodybone wrote:
    I would personally get the method's token once and then use that to find the method every time I restarted the game. [...]
I don't really understand if your idea would work without the token, but I have to tell you that the token you see in the mono dissector in the image changes after every game restart. That is an issue with the game that I never had before.
Funnily enough, this also makes the code list in Cheat Engine unusable, because you can only find the methods by their mono address name.

Bloodybone (Newbie cheater, Reputation: 0, Joined: 07 Dec 2016, Posts: 21, Location: Germany)
Posted: Thu Oct 27, 2022 1:51 pm

Mac99 wrote:
    I don't really understand if your idea would work without the token, but I have to tell you that the token you see in the mono dissector in the image changes after every game restart. [...]
The token that I meant isn't the method's address, which is shown in the image; it is an integer that is unique for every method in a single module (image), so that one can be used even after the game restarts. You can just get the token by reading the 4 bytes at the method's address+4. So reading from the address+4 in the picture gives you a 4-byte value which can be used to identify the method. The token could change on game updates, though.
You could also call "mono_method_get_token", passing the address of the method (the method object's address that is shown in the mono dissector) as the first argument, and you would also get the token.
Also, because it may not be clear: every time I refer to the method, I mean the method object shown in the mono dissector and not the method that holds the code.

Mac99 (Newbie cheater, Reputation: 0, Joined: 13 Sep 2022, Posts: 14)
Posted: Thu Oct 27, 2022 3:37 pm

I've tried mono_method_get_token and this seems not to be supported in Cheat Engine. I can't find any reference to it in the Cheat Engine mono Lua wiki either.
It seems I got your code running. mono_enumAssemblies() just works on the first execution, but after that it always returns nil, which makes testing a real pain. I have no clue what the variable "method" contains at the end and what I should do with it. It doesn't seem to contain the instruction which contains my target address.
I don't know why it is so damn hard. I can see the method and find it repeatedly with its mono name.
Furthermore, I know where I can find the instance of the class in the method, but there is no way to get it all together in a script.

Bloodybone (Newbie cheater, Reputation: 0, Joined: 07 Dec 2016, Posts: 21, Location: Germany)
Posted: Thu Oct 27, 2022 4:23 pm

Mac99 wrote:
    I've tried mono_method_get_token and this seems not to be supported in Cheat Engine. [...]
mono_method_get_token is a method inside the game; if you want to call it you would have to use something like executeCodeEx, which you can find in the celua.txt file. Not sure why mono_enumAssemblies() only returns the result once; maybe mono gets disabled? The "method" variable is a mono method object; you can use any of CE's mono_method_... functions, passing the method as an argument, or any mono_method_... functions inside the game. I, for example, call mono_compile_method, which compiles the method if it isn't yet, or, if it is, returns the address of the method's code.
Though maybe your approach a few messages ago also works. I think the problem is that you allocate memory and then "readmem" the allocated memory and not the original method. Maybe try changing the script to something like this:
Code:
    [ENABLE]
    //code from here to '[DISABLE]' will be used to enable the cheat
    define(method,ةٶؔٙٹڄ:٘؝ٸدؑق+4) // use define instead of alloc to read from the actual method
    alloc(CMhook,8,$process)       // 8 bytes that receive the copied immediate
    Registersymbol(method)
    Registersymbol(CMhook)
    CMhook:
    Readmem(method+2,8)            // copy the 8-byte immediate of "mov rax,imm64" (skips 48 B8)
    [DISABLE]
    //code from here till the end of the code will be used to disable the cheat
    Unregistersymbol(CMhook)
    Unregistersymbol(method)
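Added example, not code posted by Bloodybone or Mac99: it puts the procedure from Bloodybone's three posts above into one script for CE's Lua engine. The part that runs once reads the method's token (via `mono_method_get_token`, which the Mono runtime exports and which is reached with `executeCodeEx` because CE's own Lua has no such function, with the 4-byte read at the MonoMethod object +4 as fallback); the part that runs every session resolves the token with `mono_get_method`, JITs the method with `mono_compile_method`, calls it with `executeCode` and takes the address it leaves in rax. The namespace, class, method name and token are hypothetical placeholders; the script assumes CE's mono features are active and that the Mono DLL's exports resolve through `getAddressSafe`.

```lua
-- Added example (not from the thread). Requires Mono features active in CE
-- (Mono > Activate mono features) and a 64-bit Mono/Unity target.
local unpack = table.unpack or unpack          -- Lua 5.3 (CE 7.x) vs older Lua

local IMAGE_NAME = "Assembly-CSharp"            -- image (module) that contains the method
-- HYPOTHETICAL names, used only for the one-off token lookup by name:
local NAMESPACE, CLASSNAME, METHODNAME = "", "GameManager", "GetInstance"

-- Call an exported Mono runtime function inside the game. Signature from celua.txt:
-- executeCodeEx(callmethod, timeout_ms, address, {type=0,value=...}, ...); type 0 = integer.
local function callMono(exportName, ...)
  local fn = getAddressSafe(exportName)
  if fn == nil then return nil, exportName .. " not found (mono DLL not loaded?)" end
  local args = {}
  for i, v in ipairs({...}) do args[i] = {type = 0, value = v} end
  return executeCodeEx(1, 100, fn, unpack(args))
end

-- One-off: metadata token of a MonoMethod object (the object the mono dissector shows,
-- not the JIT'd code). The token survives restarts; it may change with a game update.
local function getMethodToken(method)
  local token = callMono("mono_method_get_token", method)
  if token == nil then
    -- Fallback described in the thread: MonoMethod keeps the 32-bit token at +4,
    -- after its two 16-bit flag fields.
    token = readInteger(method + 4)
  end
  return token
end

-- Find the image by name among the loaded assemblies (nil if enumeration fails).
local function findImage(name)
  local assemblies = mono_enumAssemblies()
  if assemblies == nil then return nil end
  for _, asm in ipairs(assemblies) do
    local image = mono_getImageFromAssembly(asm)
    if mono_image_get_name(image) == name then return image end
  end
  return nil
end

-- Every session: token -> MonoMethod* via mono_get_method(image, token, NULL class context)
local function methodFromToken(image, token)
  if image == nil or image == 0 or token == nil or token == 0 then return nil end
  local method = callMono("mono_get_method", image, token, 0)
  if method == nil or method == 0 then return nil end
  return method
end

-- JIT the method if needed and call it; the value it returns is whatever it left in rax.
local function callAndGetAddress(method)
  local code = mono_compile_method(method)
  if code == nil or code == 0 then return nil end
  return executeCode(code, 0, 100)
end

-- Session 1: record the token while the lookup by mono name still works.
local method = mono_findMethod(NAMESPACE, CLASSNAME, METHODNAME)
if method and method ~= 0 then
  print(string.format("method object %X, token 0x%08X", method, getMethodToken(method)))
end

-- Later sessions: resolve by the recorded token (HYPOTHETICAL value).
local TOKEN = 0x060015C4
local image = findImage(IMAGE_NAME)
local m = methodFromToken(image, TOKEN)
local addr = m and callAndGetAddress(m)
if addr and addr ~= 0 then
  unregisterSymbol("targetClass")
  registerSymbol("targetClass", addr, true)
  print(string.format("class address %X", addr))
else
  print("method not found, or the call returned 0")
end
```

Two caveats for anyone running this. `executeCode` runs the JIT'd method on a thread that CE creates in the target, which is not attached to the Mono runtime; a method that only returns a static field is fine, but one that allocates managed objects or touches thread-local runtime state can bring the game down, so read the method's body first and prefer the readmem route for anything heavier than a plain load. And `mono_enumAssemblies()` returning nil on later calls, as reported in this thread, makes `findImage` return nil, which the script treats as "not found" instead of raising an error.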

Mac99 (Newbie cheater, Reputation: 0, Joined: 13 Sep 2022, Posts: 14)
Posted: Thu Oct 27, 2022 7:31 pm

First of all, thank you so much for your continued help.
With the missing "define" I've got the method working.
I've tried to call methods on the now-found class instance with a Lua script, but it doesn't seem to work.
My only result is that I've found a guaranteed way to crash the game with a single Lua script operation.
I've seen you are also from Germany.
Do you have any other channel where I can contact you directly, e.g. Discord?

Bloodybone (Newbie cheater, Reputation: 0, Joined: 07 Dec 2016, Posts: 21, Location: Germany)
Posted: Thu Oct 27, 2022 7:41 pm

Mac99 wrote:
    Do you have any other channel where I can contact you directly, e.g. Discord?

Yeah, I do have Discord, Bloodyboneye#3225, if you want to contact me there.

Mac99 (Newbie cheater, Reputation: 0, Joined: 13 Sep 2022, Posts: 14)
Posted: Fri Oct 28, 2022 3:21 pm

Bloodybone wrote:
    Yeah, I do have Discord, Bloodyboneye#3225, if you want to contact me there.
Ah okay, that's nice. My Discord nickname is different from my name here. The username is Rocket#2349, so don't be confused.