anidominus (How do I cheat?)
Reputation: 0
Joined: 29 Mar 2012 Posts: 4
Posted: Fri Mar 30, 2012 9:56 am Post subject: Auto Assemble Script and Offsets
Win7 64-bit, 4GB, using Cheat Engine 6.1 32-bit.
I'm having an issue with the Auto Assembler and offsets. Here is my script:
[BEGINSCRIPT]
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
mov [ecx],0
originalcode:
//mov [ecx],edx
mov [pcsx2.exe+149E2A8],pcsx2.exe+7A00F8
exit:
jmp returnhere
307BB3C2:
jmp newmem
nop
nop
nop
nop
nop
nop
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
307BB3C2:
mov [ecx],edx
mov [pcsx2.exe+149E2A8],pcsx2.exe+7A00F8
//Alt: db 89 11 C7 05 A8 E2 52 01 F8 00 83 00
[ENDSCRIPT]
The problem is with the label 307BB3C2:
It doesn't automatically change to the correct address when the game is reloaded, so when Cheat Engine is restarted it doesn't allow me to enable the script.
If I use modulename+offset it works until the game is restarted, and then I am in the same boat. I have tried to find the offset by looking at the target address of 307BB3C2 and subtracting the preferred base address, but that doesn't work either.
The preferred image base seems to be where game.exe is located. I calculated this by looking at [someaddress], then turning on show module names and grabbing the offset from [game.exe+offset]. I would then take the value I got from [someaddress] and subtract the offset from it to get what I thought game.exe would be, and every time this has equaled the preferred image base.
I have also noticed that the code is showing me game.exe+offset on some portions of executable code and not on others. For example, if I go to address [0120F243] I see modulename+offset to the left of the assembly code (mov [ecx],3 or whatever). However, when looking at 307BB3C2 I see 307BB3C2 regardless of whether "Show Module Name" is active or not.
Now here is the last piece of info: I am trying to hack a game that is running through an emulator. The emulator is pcsx2.exe.
Grabbing these offsets is the last hurdle I'm facing before I start to create my trainer.
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003 Posts: 25831 Location: The Netherlands
Posted: Fri Mar 30, 2012 10:17 am
This looks like JIT'ed code. (You're lucky, I usually tell people to give up using the debugger on emulator games.)
In this case use AOBSCAN to find the code instead.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.
anidominus (How do I cheat?)
Reputation: 0
Joined: 29 Mar 2012 Posts: 4
Posted: Fri Mar 30, 2012 11:09 pm
Dark Byte wrote:
This looks like JIT'ed code. (You're lucky, I usually tell people to give up using the debugger on emulator games.)
In this case use AOBSCAN to find the code instead.

Well, I tried dang near all day with no luck.
The code just jumps around too much. I have no idea how to find the offset. It appears the emulator is writing the code as it goes, like it's doing its own version of the auto assembler. So instead of code being written in a linear fashion, the code is being written as needed, which means offsets won't work.
Fresco (Grandmaster Cheater)
Reputation: 4
Joined: 07 Nov 2010 Posts: 600
Posted: Sat Mar 31, 2012 3:40 am
Can't you find the pointer, as base=emulator.exe?
Using pointerscan maybe.
_________________
... Fresco
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003 Posts: 25831 Location: The Netherlands
Posted: Sat Mar 31, 2012 4:48 am
No, pointers will not work in an emulator.
Use an aobscan to find the code to hook:
Code:
[enable]
alloc(newmem,2048)
label(returnhere)
// find the 12 original bytes wherever the recompiler placed them this run
aobscan(_hookaddress,89 11 C7 05 A8 E2 52 01 F8 00 83 00)
label(hookaddress)
// registered so the [disable] section can address the same spot
registersymbol(hookaddress)
newmem:
mov [ecx],0
mov [pcsx2.exe+149E2A8],pcsx2.exe+7A00F8
jmp returnhere
_hookaddress:
hookaddress:
// 5-byte jmp + 7 nops = the 12 bytes being replaced
jmp newmem
nop
nop
nop
nop
nop
nop
nop
returnhere:
[disable]
// write the original 12 bytes back
hookaddress:
mov [ecx],edx
mov [pcsx2.exe+149E2A8],pcsx2.exe+7A00F8
unregistersymbol(hookaddress)
dealloc(newmem)
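The mechanism Dark Byte's reply relies on, shown as an added Python example (not code from the thread or from Cheat Engine): a recompiler cache places the same machine code at a different address on every run, so a hard-coded address or module+offset goes stale, while a byte-signature scan locates it again. The block uses the 12-byte sequence from the thread's "Alt:" line; everything else is constructed and labelled as such (the memory buffers, the second-run base `0x30900000`, the `0x30000000` stand-in for `newmem`). A bytes regex stands in for Cheat Engine's aobscan (same contract: pattern with `??` wildcards in, addresses out), and a detection-side helper lists jmps that leave the region, which is how this kind of inline patch shows up to a memory-integrity check.

```python
"""Signature (array-of-bytes) scanning versus fixed addresses for JIT'ed code.

Added example, not code from the thread or from Cheat Engine. Every buffer and
address below is constructed; the 12-byte signature is the one quoted in the
thread's "Alt:" line. A bytes regex is used as the scanner; Cheat Engine's real
aobscan is a separate implementation with the same pattern-in/addresses-out contract.
"""
import re
import struct

# 12 original bytes: mov [ecx],edx ; mov dword [0152E2A8],008300F8 (from the thread)
SIGNATURE = "89 11 C7 05 A8 E2 52 01 F8 00 83 00"
ORIGINAL = bytes.fromhex(SIGNATURE.replace(" ", ""))
JMP_LEN = 5  # E9 rel32


def compile_signature(sig: str) -> "re.Pattern[bytes]":
    """Turn '89 11 ?? C7' style text into a bytes regex ('??' or '?' = any byte)."""
    parts = []
    for tok in sig.split():
        parts.append(b"." if tok in ("?", "??") else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def aobscan(memory: bytes, sig: str, base: int = 0) -> list:
    """Return every address (base + offset) at which the signature occurs."""
    return [base + m.start() for m in compile_signature(sig).finditer(bytes(memory))]


def make_jit_region(size: int, place_at: int) -> bytearray:
    """Constructed stand-in for a recompiler cache: int3 filler with the recompiled
    block at `place_at`. A real recompiler emits blocks wherever its cache allocator
    lands, which is why the offset differs between runs."""
    buf = bytearray(b"\xcc" * size)
    buf[place_at:place_at + len(ORIGINAL)] = ORIGINAL
    return buf


def jmp_rel32(from_addr: int, to_addr: int) -> bytes:
    """Encode `jmp to_addr` placed at from_addr (rel32 is relative to the next instruction)."""
    return b"\xe9" + struct.pack("<i", to_addr - (from_addr + JMP_LEN))


def apply_hook(memory: bytearray, base: int, hook_addr: int, newmem_addr: int) -> bytes:
    """Replace the 12 original bytes with jmp newmem + nop padding, as the [enable]
    section does; return the saved bytes that the [disable] section writes back."""
    off = hook_addr - base
    saved = bytes(memory[off:off + len(ORIGINAL)])
    # Refuse to patch if the bytes are not the expected code (stale address, wrong build).
    assert saved == ORIGINAL, "bytes at hook address are not the expected code"
    memory[off:off + len(ORIGINAL)] = jmp_rel32(hook_addr, newmem_addr) + b"\x90" * (len(ORIGINAL) - JMP_LEN)
    return saved


def restore_hook(memory: bytearray, base: int, hook_addr: int, saved: bytes) -> None:
    """Undo apply_hook (what the [disable] section does)."""
    off = hook_addr - base
    memory[off:off + len(saved)] = saved


def find_external_jumps(memory: bytes, base: int) -> list:
    """Detection-side check: (from, to) for every E9 jmp whose target lies outside
    the region. An inline hook into separately allocated memory shows up here."""
    mem = bytes(memory)
    hits = []
    for off in range(len(mem) - JMP_LEN + 1):
        if mem[off] != 0xE9:
            continue
        target = base + off + JMP_LEN + struct.unpack("<i", mem[off + 1:off + JMP_LEN])[0]
        if not base <= target < base + len(mem):
            hits.append((base + off, target))
    return hits


def demo() -> dict:
    """Two constructed 'runs' of the emulator: same code, different cache addresses."""
    run1_base, run1 = 0x307BB000, make_jit_region(0x1000, 0x3C2)  # code at 307BB3C2, as in the thread
    run2_base, run2 = 0x30900000, make_jit_region(0x1000, 0x7A0)  # next launch: block emitted elsewhere
    fixed = 0x307BB3C2
    fixed_still_valid = run2_base <= fixed < run2_base + len(run2)
    found1 = aobscan(run1, SIGNATURE, run1_base)
    found2 = aobscan(run2, SIGNATURE, run2_base)

    newmem = 0x30000000  # constructed stand-in for alloc(newmem,2048)
    hook = found2[0]
    saved = apply_hook(run2, run2_base, hook, newmem)
    hooked_jumps = find_external_jumps(run2, run2_base)
    restore_hook(run2, run2_base, hook, saved)
    return {
        "fixed_address_valid_in_run2": fixed_still_valid,
        "run1_hits": found1,
        "run2_hits": found2,
        "saved_bytes_match": saved == ORIGINAL,
        "hooked_jumps": hooked_jumps,
        "restored": aobscan(run2, SIGNATURE, run2_base) == found2,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The `assert saved == ORIGINAL` guard in `apply_hook` is the point of registering the hook address from a scan rather than a constant: the script only ever patches bytes it has just verified, so a stale address from a previous run fails closed instead of corrupting whatever now lives there.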
anidominus (How do I cheat?)
Reputation: 0
Joined: 29 Mar 2012 Posts: 4
Posted: Sat Mar 31, 2012 9:51 pm
Dark Byte wrote:
No, pointers will not work in an emulator.
Use an aobscan to find the code to hook:
Excellent technique. This worked well. Thanks!!