Cheat Engine - The Official Site of Cheat Engine
mentallyDegenerated (How do I cheat?; Reputation: 0; Joined: 17 Aug 2023; Posts: 6)
Posted: Thu Aug 17, 2023 3:11 am. Post subject: Comparing in assembly doesn't work
I am having a very strange problem in an assembly script.
So basically, I am running through a shared opcode and I try to identify only 1 of the addresses that are being accessed by this opcode. I did a conditional breakpoint, and I managed to find a way to separate my address from the rest.
This is the shared opcode: mov rax,[rcx]
When I apply this condition in the breakpoint "R14 == -1 and R13 == 0x64 and RAX == 0xFFFFFFFF" , it breaks when RCX is the address I am looking for. All good for now.
Now I want to be able to access the address held in RCX using an AA script, by moving its value in a custom address that I created (gunAdd). This is the code that I wrote:
newmem:
  cmp eax,FFFFFFFF      // 32-bit compare: ZF is set when the low 32 bits of rax are all ones
  jne code
  cmp r14,-1            // 64-bit compare: -1 is sign-extended to FFFFFFFFFFFFFFFF
  jne code
  cmp r13d,64           // CE's auto assembler reads bare immediates as hex, so this is 0x64 (100 decimal)
  jne code
  mov [gunAdd],rcx      // only reached when all three checks pass
  jmp code

code:
  mov rax,[rcx]         // original code
  mov edx,r13d          // original code
  jmp return
When the script gets activated, the value of gunAdd stays 0 all the time, and nothing writes to it. However, when I set the same conditional breakpoint WHILE the script is activated (at the start of newmem), somehow the conditions come correct and RCX correctly gives its value to [gunAdd]. I have absolutely no idea what is wrong. I've been looking at this for 2 hours and I haven't figured out the problem. I even tried to change r13d to r13 just for the sake of it, but nothing changed.
Any help would be highly appreciated.
Edit: I tried a simpler way of doing it which involves compares, but instead of jne, I use cmove. The same exact thing happens. I am using Cheat Engine 7.4.
ParkourPenguin (I post too much; Reputation: 152; Joined: 06 Jul 2014; Posts: 4695)
Posted: Thu Aug 17, 2023 10:44 am
You're using eax instead of rax and r13d instead of r13 in assembly.
Beyond that, there's no difference. Maybe you're not doing whatever you need to do in-game to make the code injection run.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
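The eax/rax and r13d/r13 remark above is a question of operand width. The following Python is an added example, not code from the thread: it models the three compares from the first post on constructed register states, assuming CE's hex-by-default immediates and that the breakpoint condition R14 == -1 means all 64 bits of R14 are set.

```python
# Added example, not code from the thread: model how the script's three compares
# behave for a register state, covering operand width (eax vs rax, r13d vs r13)
# and the Cheat Engine auto assembler rule that a bare immediate like 64 is hex.
MASK64 = (1 << 64) - 1


def ce_imm(text: str) -> int:
    """Parse an immediate as CE's auto assembler does: hex by default, optional
    leading '-' for a negative value (the '#' decimal prefix is not modeled)."""
    if text.startswith("-"):
        return -int(text[1:], 16)
    return int(text, 16)


def cmp_sets_zf(reg_value: int, imm: int, width: int) -> bool:
    """ZF after `cmp reg, imm`: the register is truncated to `width` bits and the
    immediate is sign-extended to the same width, so -1 becomes all ones."""
    mask = (1 << width) - 1
    return (reg_value & mask) == (imm & mask)


def script_reaches_store(regs: dict) -> bool:
    """True when no `jne code` is taken, i.e. the thread reaches `mov [gunAdd],rcx`."""
    return (cmp_sets_zf(regs["rax"], ce_imm("FFFFFFFF"), 32)   # cmp eax,FFFFFFFF
            and cmp_sets_zf(regs["r14"], ce_imm("-1"), 64)      # cmp r14,-1
            and cmp_sets_zf(regs["r13"], ce_imm("64"), 32))     # cmp r13d,64


def breakpoint_condition(regs: dict) -> bool:
    """The debugger condition from the first post, read as full 64-bit compares
    (assumption: R14 == -1 means every bit of R14 is set)."""
    return (regs["rax"] == 0xFFFFFFFF
            and regs["r14"] == MASK64
            and regs["r13"] == 0x64)


def compare_cases() -> list:
    """Constructed register states (not captured from any program) showing where the
    script's 32-bit compares agree with the 64-bit breakpoint condition and where not."""
    cases = {
        "hit":           {"rax": 0xFFFFFFFF, "r14": MASK64, "r13": 0x64},
        "r13 mismatch":  {"rax": 0xFFFFFFFF, "r14": MASK64, "r13": 0x65},
        "rax all ones":  {"rax": MASK64,     "r14": MASK64, "r13": 0x64},
        "r13 high bits": {"rax": 0xFFFFFFFF, "r14": MASK64, "r13": 0x100000064},
    }
    return [(name, script_reaches_store(r), breakpoint_condition(r))
            for name, r in cases.items()]
```

The last two cases are the ones where the 32-bit compares accept a state that the 64-bit breakpoint condition rejects; in the "hit" state both agree, which is why switching eax to rax changes nothing for the register values the first post describes.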
mentallyDegenerated (How do I cheat?; Reputation: 0; Joined: 17 Aug 2023; Posts: 6)
Posted: Thu Aug 17, 2023 12:13 pm
Yes, as for eax, my bad for putting it as RAX, and as for r13, for some reason it just didn't break when I wrote it as R13D in the conditional breakpoint. It doesn't matter anyway.
That's exactly the problem that I am facing. I looked at it for several hours and couldn't find any mistake. But as I mentioned earlier, my code works fine whenever there is a breakpoint at the top of my injected code (with the same conditions as the ones used in the script), but whenever I don't set a breakpoint, my address just never gets written to, even though the script is correct. The conditions are also correct. I always get the correct address when I use these conditions, but in aa it just doesn't work. This really takes me out of my mind, because it makes no sense. I am either completely retarded or there is some bug. Or both. I don't know.
ParkourPenguin (I post too much; Reputation: 152; Joined: 06 Jul 2014; Posts: 4695)
Posted: Thu Aug 17, 2023 12:28 pm
What you're saying is physically impossible. You and/or I are missing something.
Enable the script and set a breakpoint at the jmp to your code. Set the condition as you normally would. When it triggers, step through your code and see what goes wrong.
Also post your full script here.
mentallyDegenerated (How do I cheat?; Reputation: 0; Joined: 17 Aug 2023; Posts: 6)
Posted: Thu Aug 17, 2023 1:25 pm
I know it's physically impossible, that's why it drives me so crazy. I did exactly what you told me (several times) and whenever the breakpoint was on (with my conditions set), the jumps were skipped and my address got its value as it was always supposed to. And it happened every single time.
As I mentioned in my first post, I also tried another way of separating my address from the rest, which was by checking the value of RAX after it got written to by the original code. It didn't even use jumps, but instead cmove after the condition. Exactly the same thing happened. Whenever the breakpoint was on, the code executed as it was supposed to and the script worked fine. Otherwise, not really.
That's why I posted here, so that maybe if this was a bug, someone else could have it too.
I didn't want to share the entire script here, because it is for a multiplayer game (which goes against the rules of the forum if I am not mistaken), and also people may try to copy my script/aob.
Thanks for your time though. I really appreciate it.
ParkourPenguin (I post too much; Reputation: 152; Joined: 06 Jul 2014; Posts: 4695)
Posted: Thu Aug 17, 2023 1:34 pm
Saying it's "physically impossible" was a kind way of saying you're doing something wrong.
Just remove all references to the game's name in the script. e.g. use "game.exe+1234" or something like that.
Other people probably won't consider whatever you're doing to be important enough to steal. And if they do, you'd only be able to slow them down.
How'd this work out, or did you just ignore it?
ParkourPenguin wrote:
    Enable the script and set a breakpoint at the jmp to your code. Set the condition as you normally would. When it triggers, step through your code and see what goes wrong.
mentallyDegenerated (How do I cheat?; Reputation: 0; Joined: 17 Aug 2023; Posts: 6)
Posted: Thu Aug 17, 2023 2:30 pm
I've had a bad time with stealers in the past, so I ain't making up things with my imagination.
And yes, as I said in my last post, I tried it several times. Look at my previous post.
I don't think you can get what I mean if you don't experience it by yourself. Thanks for your time anyway. I will try to do it in a different way.
ParkourPenguin (I post too much; Reputation: 152; Joined: 06 Jul 2014; Posts: 4695)
Posted: Thu Aug 17, 2023 2:42 pm
Edit: my bad, I must've skipped over that part on my first read or forgotten about it between my first and second reply.
Are you serious? You haven't tried what I said at all. If you did, you haven't stated what happened.
Enable your script.
Set the breakpoint on the `jmp` instruction that jumps to your code.
Set the condition on that breakpoint.
According to you, that breakpoint should trigger at some point.
When it does, step through your code (Debug -> Step Into; F7) and see where it goes wrong.
Last edited by ParkourPenguin on Thu Aug 17, 2023 3:45 pm; edited 1 time in total
mentallyDegenerated (How do I cheat?; Reputation: 0; Joined: 17 Aug 2023; Posts: 6)
Posted: Thu Aug 17, 2023 2:55 pm
As I said before, I already did that several times. I set the breakpoint at the jump and then step through my code to check why the jumps happen, even though the conditions are set correctly. And I will say it again, when the breakpoint is set, and I step through, the jumps don't get triggered and my address gets its value as it was intended. So at first view, the script works as it is supposed to.
When I remove the breakpoint though, the script doesn't work and my address doesn't get its value. I know, it doesn't make sense. But that's what I am trying to explain from the beginning. And I tried another way which worked by checking the value of RAX, which only involved 1 compare, and the same story all over again.
That's what I am trying to say. That it doesn't make sense. I understand you for thinking that this is not possible and that probably I do something wrong. But honestly, it's not the first time I do such a thing and I looked at it very carefully for quite some time before coming to a forum asking for help.
ParkourPenguin (I post too much; Reputation: 152; Joined: 06 Jul 2014; Posts: 4695)
Posted: Thu Aug 17, 2023 3:35 pm
So, with the script enabled, the thread executes `mov [gunAdd],rcx` if and only if that conditional breakpoint is set somewhere before it in the original code. If there is no breakpoint set, that instruction is never executed.
The next thing I'd try is figuring out how close that breakpoint can be set before it stops working. If it's set on the `jmp` at the injection point, then as you've tested it works, but if it's set on the instruction `mov [gunAdd],rcx`, then surely it won't work since the thread wouldn't reach it in the first place (I'd verify this even though it's "obvious"). That means there should be a point between there at which it stops working.
This is all assuming there's no other interference, e.g. something writing 0 to [gunAdd]. Try to get this down to as minimal an example as possible, e.g. start a new instance of CE, copy over that AA script, save / close the real table, restart the game, and try again.
You really should be able to provide more than just what you did in the first post without needing to reveal anything you consider a secret. An SSCCE is always ideal, but given the restriction on multiplayer games, it's probably not completely possible in this case (unless you can somehow replicate this in the CE tutorial).
Dark Byte (Site Admin; Reputation: 470; Joined: 09 May 2003; Posts: 25778; Location: The Netherlands)
Posted: Thu Aug 17, 2023 6:14 pm
Is the name of the module this code is in VEHDebug? If so, the code triggers only when debugging and stepping.
Besides that, perhaps there's another instance where this code matches all conditions, but then rcx is 0 and thus writes a 0 there.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
mentallyDegenerated (How do I cheat?; Reputation: 0; Joined: 17 Aug 2023; Posts: 6)
Posted: Fri Aug 18, 2023 1:23 am
The jump to my injected code does happen, regardless of whether the breakpoint is set or not, or whether [gunAdd] receives the value that I want from rcx (since it's a shared opcode). It doesn't really matter whether the conditional breakpoint is set at the jump to my injected code or not, as long as the registers don't get changed (since this would ruin the condition). I have tried it in all the possible places, including the start of newmem, and the outcome is the same. I even tried to remove some of the compares, just to see if at least my address would receive a value, but it seems like it just jumps to code all the time (unless of course there is no comparing).
Since gunAdd is my own custom address, and due to the way the script is written, it doesn't get written to by anything. I started off with a clean sheet, closed both game and CE, and even reinstalled CE just for the sake of it. I don't think it matters.
As for the other parts of the script, there isn't anything really special to them. All there is is the memory allocation of newmem, and the definition of the gunAdd address. Nothing more.
gunAdd really only changes to my desired value when I set the conditional breakpoint (as long as it's before mov [gunAdd],rcx of course).
I even tried to remove some of the conditions separately, only leaving 1 at a time in the aa script (I know I wouldn't get the correct value to my address, but I just wanted to try to find if there was a specific problem in each and every one of the conditions I had set in the script). Didn't work either.
Nothing was writing to it, I mean, not even 0. And that wouldn't be possible in this case either, since RCX is always a static address, because RAX is a pointer, so it couldn't be 0 regardless.
Note: I did manage to get my desired value to [gunAdd] using a slightly different method (the original script still does not work though). My new method is pretty much almost exactly the same as the second one I had made, which worked by comparing the value of RCX with a static address (which used cmove after the compare, which didn't work btw). The only difference between the one that works and the second one is that the second one used CMOVE to transfer the value of rcx between registers, and the current one just jumps to a different location. Pretty much the same. Well, still I didn't get what the problem was in the original, as well as the second script I made. But the conditions were definitely correct.
Thank you both for your time.