TryToChEat
How do I cheat?
![]() Reputation: 0
Joined: 24 Sep 2015
Posts: 1
Location: Hungary
|
 Posted: Sat Oct 03, 2015 7:39 am Post subject: General questions about AOB Injection .. and more |
 |
|
*************************************************************
Hey cheatengines! 
Firstly, I would like to welcome you all, as I am a new member!
You are don't know me yet, but i have read a bunch of good tutorials, a loads of great explanations, very good ideas, and many more well scripted cheat tables, from a lot of great thinkers on this site already in the past few years!
So I would like to thank you for all of your time, and very hard work on the site. (moderators, administrators, constant answerers, script writers, as teachers, so all of You)
And last, but not least, I would love to thanks for this site!
Thank You Dark Byte!
*************************************************************
My first question ..
for what will I use the Array of Bytes scan? I will use it for find my address where that is an instruction, what will modifying something what related to my desired value or anything else. I can use this injection form if I want to create something like a table, for "used by anyone", whether it is the same version of the "game", or not. Basically there will be an instruction, (when the scan ran succesfully) either if that is not that offset what i looking for.
This is a tutorial example: | Code: | "Tutorial-i386.exe"+25201: 8B 5D B4 - mov ebx,[ebp-4C]
"Tutorial-i386.exe"+25204: 8B 75 B8 - mov esi,[ebp-48]
"Tutorial-i386.exe"+25207: C9 - leave
"Tutorial-i386.exe"+25208: C3 - ret
"Tutorial-i386.exe"+25209: 00 00 - add [eax],al
"Tutorial-i386.exe"+2520B: 00 00 - add [eax],al
"Tutorial-i386.exe"+2520D: 00 00 - add [eax],al
"Tutorial-i386.exe"+2520F: 00 83 EC 04 89 1C - add [ebx+1C8904EC],al
"Tutorial-i386.exe"+25215: 24 89 - and al,-77
"Tutorial-i386.exe"+25217: C3 - ret
// ---------- INJECTING HERE ----------
"Tutorial-i386.exe"+25218: 8B 83 80 04 00 00 - mov eax,[ebx+00000480]
// ---------- DONE INJECTING ----------
"Tutorial-i386.exe"+2521E: 3D E8 03 00 00 - cmp eax,000003E8
"Tutorial-i386.exe"+25223: 75 2C - jne Tutorial-i386.exe+25251
"Tutorial-i386.exe"+25225: 8B 83 68 04 00 00 - mov eax,[ebx+00000468]
"Tutorial-i386.exe"+2522B: B2 01 - mov dl,01
"Tutorial-i386.exe"+2522D: 8B 8B 68 04 00 00 - mov ecx,[ebx+00000468]
"Tutorial-i386.exe"+25233: 8B 09 - mov ecx,[ecx]
"Tutorial-i386.exe"+25235: FF 91 20 02 00 00 - call dword ptr [ecx+00000220]
"Tutorial-i386.exe"+2523B: 8B 83 78 04 00 00 - mov eax,[ebx+00000478]
"Tutorial-i386.exe"+25241: B2 00 - mov dl,00
"Tutorial-i386.exe"+25243: 8B 8B 78 04 00 00 - mov ecx,[ebx+00000478] |
I can use this AoB: | Code: | | 8B 83 * * * * 3D E8 03 00 00 75 |
with 1 found address, if i ignoring the offset, and predict the fact, the value on the desired address will be compared agaist 1000. "db 75" will be there because the comparison.
but ....
| Code: | "Tutorial-i386.exe"+2521E:
0042521E - 3D E8 03 00 00 - cmp eax,000003E8
"modified code samples":
00390065 - 81 F8 E8030000 - cmp eax,000003E8
00390065 - 66 3D E803 - cmp ax,03E8
|
and so on and so forth.
I concluded that I need some AoB from before this instruction.
so I use this AoB: | Code: | | C9 C3 00 00 00 00 00 00 00 83 EC 04 89 * 24 |
This will find: | Code: | "Tutorial-i386.exe"+25207:
C9 - leave |
and I want to know that what is there on that "AoB+11" address.
I want to debug the next three instruction, if that is possible, "without run them", but either way.
How can I do so?
- I prefer assembly code(ing), this is my interests.
- Is there any way to know exactly whats going on there, (how long intructions, what kind of ..) "without run"?
(I had ideas, with EIP, with a function call .. but thats will be a compare against EIP's After run the instructions.)
_________________
I want to post enough! |
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
