Cheat Engine The Official Site of Cheat Engine
daspamer Grandmaster Cheater Supreme
Reputation: 54
Joined: 13 Sep 2011 Posts: 1588
Posted: Wed Mar 13, 2013 12:11 pm Post subject: Need help with this script..
Alright, so I have this script.
Code:
    debugProcess()
    function ValueScan()
      results = AOBScan("C8 AF 00 00 C8 AF 00 00 00 00 00 00")
      if (results ~= nil) then
        count = stringlist_getCount(results)
        for i = 0, count do
          -- always takes the first hit; the loop counter itself is not used
          address = stringlist_getString(results, 0)
          script = [[
    label(value)
    registersymbol(value)
    ]] .. address .. [[:
    value:
    db C8 AF 00 00 C8 AF 00 00 00 00 00 00
    ]]
          autoAssemble(script)
        end
        object_destroy(results)
        results = nil
        -- 4-byte access breakpoint on the registered symbol
        debug_setBreakpoint("value", 4, bptAccess)
      end
    end
    debugProcess()
    function debugger_onBreakpoint()
      debug_removeBreakpoint("value")
      debug_continueFromBreakpoint(co_run)
      if (readInteger(ECX + 0x10) == 45000) then
        print("yes it is")
      else
        print("no its not")
      end
    end
    createHotkey(ValueScan, VK_F2)
This script searches for C8 AF 00 00 C8 AF 00 00 00 00 00 00 and registers a symbol for its value. Now, when I open the shop inside the game, the breakpoint is triggered, which works pretty well. My issue is: how can I inject the opcode that accesses that address?
The opcode is:
[screenshot of the opcode not preserved]
_________________
I'm rusty and getting older, help me re-learn lua.
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Wed Mar 13, 2013 1:10 pm
Erm, I'm not sure I understand what you want, but if you want to overwrite the opcode that triggered your breakpoint, I suggest using the EIP register which holds the address of the current asm instruction.
So maybe something like:
Code:
    function debugger_onBreakpoint()
      debug_removeBreakpoint("value")
      debug_continueFromBreakpoint(co_run)
      if (readInteger(ECX + 0x10) == 45000) then
        print("yes it is")
        -- EIP holds the address of the current instruction; assemble over it.
        -- The Auto Assembler reads bare numbers as hex, so write EIP out in hex.
        script = string.format("%X", EIP) .. [[:
    mov [ecx+10],ecx //overwrite mov eax,[ecx+10]
    ]]
        autoAssemble(script)
      else
        print("no its not")
      end
    end
will be of some use. If that doesn't work you can try stuff like writeBytes(EIP, 0x1,0x2,0x3,...).
daspamer Grandmaster Cheater Supreme
Reputation: 54
Joined: 13 Sep 2011 Posts: 1588
Posted: Wed Mar 13, 2013 1:34 pm
Sorry if you misunderstood me. What I meant: I want to inject at the opcode address with a regular Auto Assembler script, like doing this:
Code:
    alloc(newscript,64)
    label(returnhere)
    label(ourvalue)
    registersymbol(ourvalue)
    newscript:
    //mov eax,[ecx+10]
    //mov ecx,[ebp-10]
    mov eax,[ourvalue]
    mov ecx,[ebp-10]
    jmp returnhere
    ourvalue:
    db 64
    EIPaddress: //really don't know how to make it return to the original function..
    jmp newscript
    nop
    returnhere: //return here opcode is mov ["some random address.."],ecx
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Wed Mar 13, 2013 2:21 pm
Make your Lua script register a symbol at the address that triggers the breakpoint, and resume execution afterwards. Like that:
Code:
    function debugger_onBreakpoint()
      if (readInteger(ECX + 0x10) == 45000) then
        print("yes it is")
        registerSymbol("EIPaddress", EIP)
      else
        print("no its not")
      end
      debug_removeBreakpoint("value")
      debug_continueFromBreakpoint(co_run)
    end
Then use the AA script you posted above. As a safety check, verify in the memory editor that EIPaddress is at the right address and not just after it or something.
Flashacking wrote:
    really don't know how to make it return to the original function..
Was that directed at me? Because I don't see why your script wouldn't jump back to the original function :/ .
daspamer Grandmaster Cheater Supreme
Reputation: 54
Joined: 13 Sep 2011 Posts: 1588
Posted: Wed Mar 13, 2013 2:38 pm
Gniarf wrote:
    Make your Lua script register a symbol at the address that triggers the breakpoint, and resume execution afterwards. Like that:
    Code:
        function debugger_onBreakpoint()
          if (readInteger(ECX + 0x10) == 45000) then
            print("yes it is")
            registerSymbol("EIPaddress", EIP)
          else
            print("no its not")
          end
          debug_removeBreakpoint("value")
          debug_continueFromBreakpoint(co_run)
        end
    Then use the AA script you posted above. As a safety check, verify in the memory editor that EIPaddress is at the right address and not just after it or something.
    Flashacking wrote:
        really don't know how to make it return to the original function..
    Was that directed at me? Because I don't see why your script wouldn't jump back to the original function :/ .
The EIP points to the next opcode, the one coming after the opcode I want to inject. Now I tried using the AA script that I posted, but it doesn't inject the opcode there or anywhere. Is there any way to get the EIP? Here's a pic.
[attached screenshot: 606.05 KB, viewed 8709 time(s)]
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25831 Location: The netherlands
Posted: Wed Mar 13, 2013 2:57 pm
If EIP is b2b0eb2 then you know that it was caused by eip-3 (b2b0eaf).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
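Dark Byte's eip-3 works here because the instruction that touched the value happens to be 3 bytes long; x86 instruction lengths vary, so a hard-coded offset is fragile. A more general approach is to let Cheat Engine locate the preceding instruction and register the symbol at its start, so the AA script can use EIPaddress: directly instead of EIPaddress-3:. The following is an added example for this thread, not code from any of the posters or from Cheat Engine itself. It assumes the CE Lua functions already used in the thread plus getPreviousOpcode(address) and disassemble(address), which newer CE builds provide; getPreviousOpcode is a heuristic, which is why the disassembly of the result is printed so it can be confirmed in the disassembler before anything relies on it.

```lua
-- Added example for this thread (not Dark Byte's or the poster's code).
-- When an access breakpoint fires, EIP already points at the *next*
-- instruction; the instruction that touched the value is the one before it.
-- "eip-3" is only right when that instruction is 3 bytes long, so ask the
-- disassembler instead of hard-coding the length.
-- Assumes: CE Lua API as used in the thread, plus getPreviousOpcode(address)
-- and disassemble(address) from newer Cheat Engine builds.

-- Returns the start address of the instruction before `eip` and its length.
function locateAccessingInstruction(eip)
  local start = getPreviousOpcode(eip)   -- heuristic: address of the previous instruction
  local length = eip - start             -- its size in bytes (3 in Dark Byte's example)
  return start, length
end

function debugger_onBreakpoint()
  if readInteger(ECX + 0x10) == 45000 then
    local start, length = locateAccessingInstruction(EIP)
    -- print both so the result can be checked against the disassembler view
    print(string.format("hit: next instruction at %08X", EIP))
    print("accessing instruction: " .. disassemble(start))
    print(string.format("instruction length: %d bytes", length))
    -- register the symbol at the instruction start, so the AA script can
    -- simply use "EIPaddress:" rather than guessing "EIPaddress-3:"
    registerSymbol("EIPaddress", start)
  else
    print("no its not")
  end
  debug_removeBreakpoint("value")
  debug_continueFromBreakpoint(co_run)
end
```

The printed length is also what decides how many original bytes a jmp placed at EIPaddress will overwrite, so checking it against the disassembly before enabling any script is the step that keeps the hook from landing mid-instruction.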
daspamer Grandmaster Cheater Supreme
Reputation: 54
Joined: 13 Sep 2011 Posts: 1588
Posted: Wed Mar 13, 2013 3:29 pm
Erm, very strange... This does not work:
Code:
    debugProcess()
    function ValueScan()
      print('1')
      results = AOBScan("C8 AF 00 00 C8 AF 00 00 00 00 00 00")
      if (results ~= nil) then
        count = stringlist_getCount(results)
        for i = 0, count do
          address = stringlist_getString(results, 0)
          script = [[
    label(value)
    registersymbol(value)
    ]] .. address .. [[:
    value:
    db C8 AF 00 00 C8 AF 00 00 00 00 00 00
    ]]
          autoAssemble(script)
        end
        object_destroy(results)
        results = nil
        print(2)
        debug_setBreakpoint("value", 4, bptAccess)
      end
    end
    debugProcess()
    function debugger_onBreakpoint()
      debug_removeBreakpoint("value")
      debug_continueFromBreakpoint(co_run)
      print('checking now..')
      if (readInteger(ECX + 0x10) == 45000) then
        print("yes it is")
        registerSymbol("EIPaddress", EIP)
        toggle()
      else
        print("no its not")
      end
    end
    function toggle()
      -- builds the AA script as a string
      script = [[
    alloc(newmem,2048)
    label(returnhere)
    label(exit)
    label(ourvalue)
    registersymbol(ourvalue)
    newmem:
    //mov eax,[ecx+10]
    //mov ecx,[ebp-10]
    mov eax,[ourvalue]
    mov ecx,[ebp-10]
    jmp exit
    exit:
    jmp returnhere
    ourvalue:
    db 64
    EIPaddress-3:
    jmp newmem
    nop
    returnhere:]]
    end
    createHotkey(ValueScan, VK_F2)
Can anyone tell me why? Although this solution does work:
Code:
    debugProcess()
    -- memory record holding the Auto Assembler script shown below
    AAscript = addresslist_getMemoryRecordByDescription(getAddressList(), "Toggle ON script")
    function ValueScan()
      results = AOBScan("C8 AF 00 00 C8 AF 00 00 00 00 00 00")
      if (results ~= nil) then
        count = stringlist_getCount(results)
        for i = 0, count do
          address = stringlist_getString(results, 0)
          script = [[
    label(value)
    registersymbol(value)
    ]] .. address .. [[:
    value:
    db C8 AF 00 00 C8 AF 00 00 00 00 00 00
    ]]
          autoAssemble(script)
        end
        object_destroy(results)
        results = nil
        debug_setBreakpoint("value", 4, bptAccess)
      end
    end
    debugProcess()
    function debugger_onBreakpoint()
      debug_removeBreakpoint("value")
      debug_continueFromBreakpoint(co_run)
      if (readInteger(ECX + 0x10) == 45000) then
        registerSymbol("EIPaddress", EIP)
        -- activating the script record runs its [ENABLE] section
        memoryrecord_freeze(AAscript)
      else
        print("failed")
      end
      local ScriptActive = memoryrecord_isActive(AAscript)
      if ScriptActive == true then
        print("succeed enabling hack")
      end
    end
    createHotkey(ValueScan, VK_F2)
And the Auto Assembler script contains this:
Code:
    [ENABLE]
    //code from here to '[DISABLE]' will be used to enable the cheat
    alloc(newmem,2048)
    label(returnhere)
    label(exit)
    label(ourvalue)
    registersymbol(ourvalue)
    newmem:
    //mov eax,[ecx+10]
    //mov ecx,[ebp-10]
    mov eax,[ourvalue]
    mov ecx,[ebp-10]
    jmp exit
    exit:
    jmp returnhere
    ourvalue:
    db 64
    EIPaddress-3:
    jmp newmem
    nop
    returnhere:
    [DISABLE]
    //code from here till the end of the code will be used to disable the cheat
Any way to do this only in Lua? Dunno why I can't make it work.
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Wed Mar 13, 2013 3:39 pm
Aren't you missing an "autoAssemble(script)" in toggle()?
Also I'd vouch for putting:
Code:
    debug_removeBreakpoint("value")
    debug_continueFromBreakpoint(co_run)
at the end of debugger_onBreakpoint(), even if it works the way you currently put them.
daspamer Grandmaster Cheater Supreme
Reputation: 54
Joined: 13 Sep 2011 Posts: 1588
Posted: Fri Mar 15, 2013 9:27 am
How can I enable 2 breakpoints at once? Like, if I try doing:
Code:
    function EXPValueScan()
      debugProcess()
      EXPDebug = 1
      results = AOBScan("F0 3F 8D 01 00 00 01 00 00 00")
      if (results ~= nil) then
        count = stringlist_getCount(results)
        for i = 0, count do
          address = stringlist_getString(results, 0)
          script = [[
    label(EXPvalue)
    registersymbol(EXPvalue)
    ]] .. address .. [[+2:
    EXPvalue:
    db 8D 01
    ]]
          autoAssemble(script)
        end
        object_destroy(results)
        results = nil
        debug_setBreakpoint("EXPvalue", 4, bptAccess)
        print('debugging EXP')
      end
    end
    function CostValueScan()
      debugProcess()
      PriceDebug = 1
      results = AOBScan("C8 AF 00 00 C8 AF 00 00 00 00 00 00")
      if (results ~= nil) then
        count = stringlist_getCount(results)
        for i = 0, count do
          address = stringlist_getString(results, 0)
          script = [[
    label(Costvalue)
    registersymbol(Costvalue)
    ]] .. address .. [[:
    Costvalue:
    db C8 AF 00 00 C8 AF 00 00 00 00 00 00
    ]]
          autoAssemble(script)
        end
        object_destroy(results)
        results = nil
        debug_setBreakpoint("Costvalue", 4, bptAccess)
        print('debugging Cost')
      end
    end
    function debugger_onBreakpoint()
      if EXPDebug == 1 then
        debug_removeBreakpoint("EXPvalue")
        if (readInteger(ECX + 0x40) == 397) then
          registerSymbol("EXPEIPaddress", EIP)
          toggleEXP()
        else
          showMessage("Hack (EXP hack) enabling has failed, please check that you're attached to the right processor")
        end
      elseif PriceDebug == 1 then
        debug_continueFromBreakpoint(co_run)
        debug_removeBreakpoint("Costvalue")
        if (readInteger(ECX + 0x10) == 45000) then
          registerSymbol("CostEIPaddress", EIP)
          toggleCost()
        else
          showMessage("Hack (Cost hack) enabling has failed, please check that you're attached to the right processor")
        end
      end
    end
But when the Cost hack breakpoint is triggered, this part (which is from the other breakpoint) executes 4-10 times (it is called 4-10 times):
Code:
    else
      showMessage("Hack (EXP hack) enabling has failed, please check that you're attached to the right processor")
    end
How can I do it without that issue?
mgr.inz.Player I post too much
Reputation: 222
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Fri Mar 15, 2013 3:47 pm
Code:
    EXPDebug = 0
    PriceDebug = 0
    EXPvalue = 0
    Costvalue = 0
    DebugProcessEnabled = false
    function setDebugProcess()
      -- attach the debugger only once per session
      if DebugProcessEnabled then return end
      debugProcess()
      DebugProcessEnabled = true
    end
    function EXPValueScan()
      local results = AOBScan("F0 3F 8D 01 00 00 01 00 00 00")
      if (results ~= nil) then
        -- the scan result is a hex string; prefixing '0x' lets Lua coerce it to a number
        EXPvalue = ('0x' .. stringlist_getString(results, 0)) + 2
        object_destroy(results); results = nil
        setDebugProcess()
        debug_setBreakpoint(EXPvalue, 4, bptAccess)
        EXPDebug = 1
        print('debugging EXP')
      end
    end
    function CostValueScan()
      local results = AOBScan("C8 AF 00 00 C8 AF 00 00 00 00 00 00")
      if (results ~= nil) then
        Costvalue = ('0x' .. stringlist_getString(results, 0)) + 0
        object_destroy(results); results = nil
        setDebugProcess()
        debug_setBreakpoint(Costvalue, 4, bptAccess)
        PriceDebug = 1
        print('debugging Cost')
      end
    end
    function debugger_onBreakpoint()
      if EXPDebug == 1 then
        debug_removeBreakpoint(EXPvalue)
        EXPDebug = 0   -- clear the flag so later hits do not re-enter this branch
        if (readInteger(ECX + 0x40) == 397) then
          registerSymbol("EXPEIPaddress", EIP)
          toggleEXP()
        else
          showMessage("Hack (EXP hack) enabling has failed, please check that you're attached to the right processor")
        end
      end
      if PriceDebug == 1 then
        debug_removeBreakpoint(Costvalue)
        PriceDebug = 0
        if (readInteger(ECX + 0x10) == 45000) then
          registerSymbol("CostEIPaddress", EIP)
          toggleCost()
        else
          showMessage("Hack (Cost hack) enabling has failed, please check that you're attached to the right processor")
        end
      end
      debug_continueFromBreakpoint(co_run)
    end
daspamer Grandmaster Cheater Supreme
Reputation: 54
Joined: 13 Sep 2011 Posts: 1588
Posted: Fri Mar 15, 2013 6:12 pm
Better now, it doesn't execute the message every time again.. But it still disables the other breakpoint..
mgr.inz.Player I post too much
Reputation: 222
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Fri Mar 15, 2013 8:03 pm
Maybe a CE bug. Or maybe I made a typo (I didn't test this).
Try the newest CE build:
Note: do not overwrite your CT files with this build (better save it as another file).
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Fri Mar 15, 2013 9:16 pm
...Or someone is trying to debug EXP and Cost at the same time. If that's the case, move both debug_removeBreakpoint calls below their respective if(readInteger ...) checks.
mgr.inz.Player I post too much
Reputation: 222
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Fri Mar 15, 2013 9:30 pm
@Gniarf, @Flashacking
Hmm, this was probably fixed 7h ago (removing breakpoints),
http://code.google.com/p/cheat-engine/source/detailadmin/cash.php?hacker=1&myid=05
@Flashacking, you definitely need a newer CE build (rev 1705 or newer) for removing breakpoints.
And try this:
Code:
    EXPDebug = 0
    PriceDebug = 0
    EXPvalue = 0
    Costvalue = 0
    DebugProcessEnabled = false
    function setDebugProcess()
      -- attach the debugger only once per session
      if DebugProcessEnabled then return end
      debugProcess()
      DebugProcessEnabled = true
    end
    function EXPValueScan()
      local results = AOBScan("F0 3F 8D 01 00 00 01 00 00 00")
      if (results ~= nil) then
        -- the scan result is a hex string; prefixing '0x' lets Lua coerce it to a number
        EXPvalue = ('0x' .. stringlist_getString(results, 0)) + 2
        object_destroy(results); results = nil
        setDebugProcess()
        debug_setBreakpoint(EXPvalue, 4, bptAccess)
        EXPDebug = 1
        print('debugging EXP')
      end
    end
    function CostValueScan()
      local results = AOBScan("C8 AF 00 00 C8 AF 00 00 00 00 00 00")
      if (results ~= nil) then
        Costvalue = ('0x' .. stringlist_getString(results, 0)) + 0
        object_destroy(results); results = nil
        setDebugProcess()
        debug_setBreakpoint(Costvalue, 4, bptAccess)
        PriceDebug = 1
        print('debugging Cost')
      end
    end
    breakpointToRemove = {}
    -- helper for removing a breakpoint from a timer callback (not used below)
    function removeBreakpoint(timer)
      timer_setEnabled(timer, false)
      object_destroy(timer)
      debug_removeBreakpoint(breakpointToRemove)
    end
    function debugger_onBreakpoint()
      if EXPDebug == 1 then
        if (readInteger(ECX + 0x40) == 397) then
          registerSymbol("EXPEIPaddress", EIP)
          -- remove the breakpoint only once the hit has been confirmed
          debug_removeBreakpoint(EXPvalue)
          EXPDebug = 0
          toggleEXP()
        else
          showMessage("Hack (EXP hack) enabling has failed, please check that you're attached to the right processor")
        end
      end
      if PriceDebug == 1 and EXPDebug == 0 then
        if (readInteger(ECX + 0x10) == 45000) then
          registerSymbol("CostEIPaddress", EIP)
          debug_removeBreakpoint(Costvalue)
          PriceDebug = 0
          toggleCost()
        else
          showMessage("Hack (Cost hack) enabling has failed, please check that you're attached to the right processor")
        end
      end
      debug_continueFromBreakpoint(co_run)
    end
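As an added example that is not mgr.inz.Player's or the thread starter's code, the following generalizes the two-flag dispatcher above into a table of pending watches, and at the same time addresses the scan loops in the earlier scripts, which always took the first hit: here a watch is only armed when the pattern matches exactly one location. Each watch carries its own predicate and on-hit callback. Once a watch is confirmed it is dropped from the table and its breakpoint removed, so a later hit from the other breakpoint can no longer re-trigger it, and a hit that matches no pending predicate is simply resumed rather than raising a message on every one of the 4-10 accesses. It assumes the CE Lua API used in this thread; toggleEXP and toggleCost are the thread's own enabling functions and are assumed to exist.

```lua
-- Added example for this thread (not mgr.inz.Player's code): one table-driven
-- dispatcher for any number of pending access breakpoints.
-- Assumes the CE Lua API used in the thread; toggleEXP/toggleCost are the
-- thread's own functions and are assumed to be defined elsewhere.

watches = {}                 -- address (number) -> watch record
debugProcessStarted = false

local function ensureDebugger()
  -- debugProcess() should only be called once per session
  if not debugProcessStarted then
    debugProcess()
    debugProcessStarted = true
  end
end

-- name:    label used in messages and for the registered symbol
-- pattern: AOB string; offset: bytes added to the single hit
-- check:   function() -> boolean, evaluated while the breakpoint is active
-- onHit:   function(eip) called once, when check() first holds
function addWatch(name, pattern, offset, check, onHit)
  local results = AOBScan(pattern)
  if results == nil then
    showMessage(name .. ": pattern not found, check that you're attached to the right process")
    return nil
  end
  local count = stringlist_getCount(results)
  local first = stringlist_getString(results, 0)   -- hex string such as "0B2B0EAF"
  object_destroy(results)
  if count ~= 1 then
    -- several hits: breaking on the first one would be a guess
    showMessage(string.format("%s: pattern matched %d locations, expected exactly 1", name, count))
    return nil
  end
  local addr = tonumber(first, 16) + offset
  watches[addr] = { name = name, check = check, onHit = onHit }
  ensureDebugger()
  debug_setBreakpoint(addr, 4, bptAccess)
  print(string.format("%s: watching %08X", name, addr))
  return addr
end

function debugger_onBreakpoint()
  -- every pending watch gets a chance; the first whose predicate holds is
  -- retired, so its branch cannot run again on later hits
  for addr, w in pairs(watches) do
    if w.check() then
      watches[addr] = nil          -- clearing the current key during pairs() is allowed
      debug_removeBreakpoint(addr)
      registerSymbol(w.name .. "EIPaddress", EIP)
      w.onHit(EIP)
      break
    end
  end
  debug_continueFromBreakpoint(co_run)
end

-- usage mirroring the two watches from the thread
function armBoth()
  addWatch("EXP",  "F0 3F 8D 01 00 00 01 00 00 00", 2,
           function() return readInteger(ECX + 0x40) == 397 end,
           function() toggleEXP() end)
  addWatch("Cost", "C8 AF 00 00 C8 AF 00 00 00 00 00 00", 0,
           function() return readInteger(ECX + 0x10) == 45000 end,
           function() toggleCost() end)
end
```

A watch that never confirms just stays in the table with its breakpoint armed, which is the behaviour the flag version tried to get by re-checking EXPDebug and PriceDebug; removing a watch by address rather than by a global flag is what keeps the two breakpoints independent of each other.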