Cheat Engine The Official Site of Cheat Engine
Anivia (How do I cheat?)
Reputation: 0
Joined: 30 Oct 2024, Posts: 2
Posted: Wed Oct 30, 2024 12:22 pm
Post subject: How to convert a script to python?
I'm pretty much just a Python programmer for machine learning. It took me about two days to learn the basics of Cheat Engine and I managed to create a working script. I have asked ChatGPT to help me convert the following script into Python so it can better integrate into my ML project, but after executing the code the program crashes immediately. Since I'm such a novice in C/C++/assembly, I wonder if anyone can provide me with directions or insights on what I did wrong.
Thanks!
---
This script works fine.
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscanmodule(INJECT,somegame.exe,D9 9E 18 01 00 00 83) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
globalalloc(_camera_base,4)

newmem:

code:
  mov [_camera_base],esi
  fstp dword ptr [esi+00000118]
  jmp return

INJECT:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT:
  db D9 9E 18 01 00 00

unregistersymbol(INJECT)
dealloc(newmem)
---
The Python code I wrote with help from ChatGPT:
Code:
import struct

import pymem
import pymem.memory
import pymem.pattern

# Target process, the same module the CE script scans with aobscanmodule
process_name = "somegame.exe"
pm = pymem.Pymem(process_name)

# Same byte pattern as aobscanmodule(INJECT,somegame.exe,D9 9E 18 01 00 00 83)
aob = b'\xD9\x9E\x18\x01\x00\x00\x83'
aob_address = pymem.pattern.pattern_scan_all(pm.process_handle, aob)
if not aob_address:
    raise ValueError("AOB not found.")

# Counterparts of alloc(newmem,$1000) and globalalloc(_camera_base,4)
new_mem = pymem.memory.allocate_memory(pm.process_handle, 0x1000)
camera_base = pymem.memory.allocate_memory(pm.process_handle, 4)

shellcode = (
    b'\x89\x35' + struct.pack('<I', camera_base) +                                    # mov [_camera_base], esi
    b'\xD9\x9E\x18\x01\x00\x00' +                                                     # fstp dword ptr [esi+00000118]
    b'\xE9' + struct.pack('<I', (aob_address + 6 - (new_mem + 10)) & 0xFFFFFFFF)     # jmp return
)
# Write the shellcode to the allocated memory
pm.write_bytes(new_mem, shellcode, len(shellcode))

# Create a jump instruction from the original AOB address to the allocated shellcode
jump_to_shellcode = b'\xE9' + struct.pack('<I', (new_mem - (aob_address + 5)) & 0xFFFFFFFF)
pm.write_bytes(aob_address, jump_to_shellcode, len(jump_to_shellcode))

# Fill the remaining bytes of the 6-byte original instruction with NOPs
nop_sled = b'\x90' * (6 - len(jump_to_shellcode))
pm.write_bytes(aob_address + len(jump_to_shellcode), nop_sled, len(nop_sled))

print("Injection complete. Camera base stored at:", hex(camera_base))
Csimbi (I post too much)
Reputation: 97
Joined: 14 Jul 2007, Posts: 3321
Posted: Wed Oct 30, 2024 5:01 pm
It's because ChatGPT is just a stupid copycat AI; it cannot think, it merely regurgitates what it was taught, and it was not taught to make a single thought yet.
I'd love to help, but I know nothing about Python.
Why'd you want to convert it though?
Just run it in CE or build a trainer from it.
What's in new_mem? I am not seeing it being initialized with shellcode.
panraven (Grandmaster Cheater)
Reputation: 62
Joined: 01 Oct 2008, Posts: 958
Posted: Wed Oct 30, 2024 6:05 pm
It MAY crash in the CE script as well, if INJECT (aob_address) and newmem (new_mem) are more than 2 gigabytes apart (the maximum signed 4-byte magnitude), because then the e9 + (4-byte relative offset) jump at INJECT (aob_address) does not point to newmem (new_mem).
In CE's case, it will not use a 5-byte jump but a composite jump instruction of 14 bytes, which may corrupt the inject point.
_________________
- Retarded.
Anivia (How do I cheat?)
Reputation: 0
Joined: 30 Oct 2024, Posts: 2
Posted: Wed Oct 30, 2024 8:26 pm
Csimbi wrote:
    It's because ChatGPT is just a stupid copycat AI; it cannot think, it merely regurgitates what it was taught, and it was not taught to make a single thought yet.
    I'd love to help, but I know nothing about Python.
    Why'd you want to convert it though?
    Just run it in CE or build a trainer from it.
    What's in new_mem? I am not seeing it being initialized with shellcode.
Thanks for your reply!
I need to use Python because it's part of a larger reinforcement learning project where the game will run on many client machines (probably a few dozen of them) and Python is used to define the environment which the reinforcement learning agents can interact with. If I'm not using Python to do the AOB injection, then I need to find a way to make CE part of the Python program (which is also a solution, but I haven't searched for anything about it yet).
I need to access the camera view distance, which is not exposed in the game API. After trying several methods, I've only made it work with Cheat Engine and the script I posted in the original post (but as explained by panraven, my script might need further improvement as well).
-----------------------------------------
As for new_mem, it's allocated here:
Code:
new_mem = pymem.memory.allocate_memory(pm.process_handle, 0x1000)
which is supposed to work just like
Code:
alloc(newmem,$1000)
in the CE script.
-----------------------------------------
I think my problem is most likely due to the calculation of some offsets, so I'd appreciate it if you could explain in a little more detail how CE calculates the offsets. As you can see, in Python the code needed by pymem to calculate the offsets is things like:
Code:
b'\xE9' + struct.pack('<I', (aob_address + 6 - (new_mem + 10)) & 0xFFFFFFFF)
b'\xE9' + struct.pack('<I', (new_mem - (aob_address + 5)) & 0xFFFFFFFF)
b'\x90' * (6 - len(jump_to_shellcode))
============================================
The forum says I can't create a double post, so I need to continue here.
panraven wrote:
    It MAY crash in the CE script as well, if INJECT (aob_address) and newmem (new_mem) are more than 2 gigabytes apart (the maximum signed 4-byte magnitude), because then the e9 + (4-byte relative offset) jump at INJECT (aob_address) does not point to newmem (new_mem).
    In CE's case, it will not use a 5-byte jump but a composite jump instruction of 14 bytes, which may corrupt the inject point.
Thanks for your reply and explanation.
----------------
Can you provide any insight on how to improve the CE script? I followed a cached version of this post forum.cheatengine.org/viewtopic.php?t=572465 (images on the real-time one are no longer accessible) to create my script.
----------------
Quote:
    In CE's case, it will not use a 5-byte jump
I wonder if you are referring to this line of code.
Code:
jump_to_shellcode = b'\xE9' + struct.pack('<I', (new_mem - (aob_address + 5)) & 0xFFFFFFFF)
Should I replace aob_address + 5 with aob_address + 14 here? Thanks.
ParkourPenguin (I post too much)
Reputation: 152
Joined: 06 Jul 2014, Posts: 4696
Posted: Wed Oct 30, 2024 9:47 pm
Looks like 32-bit code. Nearby allocations don't matter: the address space is 4 GiB, so everything is within ±2 GiB of everything else.
Anivia wrote:
    Code:
    b'\xE9' + struct.pack('<I', (aob_address + 6 - (new_mem + 10)) & 0xFFFFFFFF)
This return jump is off by a bit.
The argument to the 0xE9 `jmp` opcode is a relative displacement from EIP. EIP will be the address of the next instruction, i.e. 5 bytes after the address of the `jmp` instruction. The operand is then `target_address - EIP`, or `aob_address+6 - (new_mem+17)`: 17 because the instructions written to new_mem take up 6, 6, and 5 bytes respectively.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
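The displacement arithmetic explained above, as an added example that is not code from any poster in this thread: it only builds and decodes the bytes for the two jumps of the CE script (no process is touched), checks that a target is within rel32 range, and shows by how much the `new_mem + 10` operand from the first post misses `return`. All addresses are constructed placeholders.

```python
import struct

def rel32(insn_addr, insn_len, target):
    """rel32 operand for a jump at insn_addr of insn_len bytes: target - EIP,
    where EIP is the address of the *next* instruction (insn_addr + insn_len)."""
    disp = target - (insn_addr + insn_len)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:      # rel32 only reaches +-2 GiB
        raise ValueError(f"0x{target:X} is out of rel32 range from 0x{insn_addr:X}")
    return struct.pack('<i', disp)

def jmp_rel32(insn_addr, target):
    """E9 + rel32: the 5-byte near jmp used both at INJECT and for 'jmp return'."""
    return b'\xE9' + rel32(insn_addr, 5, target)

def jmp_target(insn_addr, insn):
    """Decode where a 5-byte E9 jmp located at insn_addr lands (32-bit wrap-around)."""
    if len(insn) != 5 or insn[0] != 0xE9:
        raise ValueError("not a 5-byte E9 jmp")
    return (insn_addr + 5 + struct.unpack('<i', insn[1:])[0]) & 0xFFFFFFFF

# Bytes overwritten at INJECT: fstp dword ptr [esi+00000118] (6 bytes), as in the CE script.
ORIGINAL = bytes.fromhex('D99E18010000')

def build_detour(aob_address, new_mem, camera_base):
    """Return (cave, patch): cave is what goes to new_mem, patch what goes to aob_address."""
    # 89 35 disp32 = mov [disp32], esi in 32-bit mode (in 64-bit mode this ModRM
    # form is RIP-relative, so this encoding is valid for 32-bit targets only).
    cave = b'\x89\x35' + struct.pack('<I', camera_base)
    cave += ORIGINAL                                   # re-execute the stolen instruction
    # 'jmp return': the jmp sits 12 bytes into the cave, so its EIP is new_mem + 17.
    cave += jmp_rel32(new_mem + len(cave), aob_address + len(ORIGINAL))
    patch = jmp_rel32(aob_address, new_mem)            # INJECT: jmp newmem
    patch += b'\x90' * (len(ORIGINAL) - len(patch))    # nop-pad to the 6 stolen bytes
    return cave, patch

def return_jump_error(aob_address, new_mem):
    """How far the first post's 'new_mem + 10' displacement overshoots 'return'."""
    disp = (aob_address + 6 - (new_mem + 10)) & 0xFFFFFFFF
    landed = jmp_target(new_mem + 12, b'\xE9' + struct.pack('<I', disp))
    return landed - (aob_address + 6)                  # 7 bytes too far, mid-instruction

if __name__ == "__main__":
    # Constructed 32-bit addresses, not taken from any real process.
    AOB, CAVE, CAM = 0x00401000, 0x03A00000, 0x03A10000
    cave, patch = build_detour(AOB, CAVE, CAM)
    print(cave.hex(), patch.hex(), return_jump_error(AOB, CAVE))
```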
panraven (Grandmaster Cheater)
Reputation: 62
Joined: 01 Oct 2008, Posts: 958
Csimbi (I post too much)
Reputation: 97
Joined: 14 Jul 2007, Posts: 3321
Posted: Thu Oct 31, 2024 12:47 pm
Anivia wrote:
    As for new_mem, it's allocated here:
    Code:
    new_mem = pymem.memory.allocate_memory(pm.process_handle, 0x1000)
    which is supposed to work just like
    Code:
    alloc(newmem,$1000)
    in the CE script.
Allocated, yes, but not initialized, which suggests you might be trying to execute uninitialized code.