NoMoreBSoD (Advanced Cheater)
Reputation: 3
Joined: 03 Sep 2013, Posts: 85
Posted: Sun Jun 19, 2016 4:31 pm
Post subject: [Bug] cheatengine suddenly replaces bytes after injecting
It seems that Cheat Engine randomly replaces some bytes right after the AOB injection point when I activate a script, which of course crashes the game. Here is an example.
The code I'm injecting is:
Code:
aobscanmodule(aob_highlight,witcher3.exe,48 8B 39 8B 41 08 45) // should be unique
alloc(newmem,$1000,"witcher3.exe"+9AF4EE)
label(code)
label(return)
registersymbol(pointer_highlight)
alloc(pointer_highlight,8)
newmem:
code:
mov [pointer_highlight], rcx
mov rdi,[rcx]
mov eax,[rcx+08]
jmp return
aob_highlight:
jmp code
nop
return:
registersymbol(aob_highlight)
[DISABLE]
aob_highlight:
db 48 8B 39 8B 41 08
unregistersymbol(aob_highlight)
dealloc(newmem)
unregistersymbol(pointer_highlight)
dealloc(pointer_highlight)
I'm at a loss, I don't know what could be causing this and it's the first time I've seen this behavior.
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003, Posts: 25788, Location: The Netherlands
Posted: Sun Jun 19, 2016 5:07 pm
Hmm, this is weird, the allocation preference is ignored.
Are you using CE 6.5.1?
Anyhow, try
Code:
alloc(pointer_highlight,8,"witcher3.exe"+9AF4EE)
so it's sure that all allocs are in the same region.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
NoMoreBSoD (Advanced Cheater)
Reputation: 3
Joined: 03 Sep 2013, Posts: 85
Posted: Mon Jun 20, 2016 5:19 am
The bug happens both on 6.5 and 6.5.1.
I can still inject code correctly in other games, but not in witcher3.
As you said, it looks like the initial jump is getting overridden by the allocation, and I have no idea why this is happening.
Here is how my Cheat Engine is configured:
hhhuut (Grandmaster Cheater)
Reputation: 6
Joined: 08 Feb 2015, Posts: 607
Posted: Mon Jun 20, 2016 5:37 am
Try unchecking the Kernel-MemoryQueryRoutines in the extra settings.
NoMoreBSoD (Advanced Cheater)
Reputation: 3
Joined: 03 Sep 2013, Posts: 85
Posted: Mon Jun 20, 2016 5:54 am
hhhuut wrote: | Try unchecking the Kernel-MemoryQueryRoutines in the extra settings. |
When I do that, I can't enable the script anymore. When I do a search for the relevant array of bytes (with writable grey) I don't get any results, but I can still see the correct code using the Memory Viewer.
Edit: enabling the CE kernel routine for Read/Write Process Memory gives me the same error as previously.
Cake-san (Grandmaster Cheater)
Reputation: 8
Joined: 18 Dec 2014, Posts: 541, Location: Semenanjung
Posted: Mon Jun 20, 2016 6:03 am
Code:
[ENABLE]
aobscanmodule(aobhighlight,witcher3.exe,48 8B 39 8B 41 08 45)
alloc(newmem,$1000,"witcher3.exe"+9AF4EE)
label(code)
label(return)
label(pointerhighlight)
registersymbol(pointerhighlight)
newmem:
code:
mov [pointerhighlight],rcx
mov rdi,[rcx]
mov eax,[rcx+08]
jmp return
pointerhighlight: // pointer storage lives inside newmem, so only one allocation is needed
dq 0
aobhighlight:
jmp code
nop
return:
registersymbol(aobhighlight)
[DISABLE]
dealloc(newmem)
aobhighlight: // must match the name given to aobscanmodule above
db 48 8B 39 8B 41 08
unregistersymbol(aobhighlight)
unregistersymbol(pointerhighlight)
NoMoreBSoD (Advanced Cheater)
Reputation: 3
Joined: 03 Sep 2013, Posts: 85
Posted: Mon Jun 20, 2016 6:08 am
Same bug, even though the resulting bytes are a bit different now:
Edit: and deactivating the script doesn't help, as some bytes have been changed beyond the injection point.
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003, Posts: 25788, Location: The Netherlands
Posted: Mon Jun 20, 2016 6:11 am
What is the exact address of "witcher3.exe"+9AF4EE?
And what is the exact address the aob finds?
(Disable show symbols and show module addresses.)
(And as a way to circumvent it, you could go with the assumption that those bytes are going to change, so your script could get adapted to that situation.)
NoMoreBSoD (Advanced Cheater)
Reputation: 3
Joined: 03 Sep 2013, Posts: 85
Posted: Mon Jun 20, 2016 6:19 am
Dark Byte wrote: | what is the exact address of "witcher3.exe"+9AF4EE ?
and what is the exact address the aob finds ?
(disable show symbols and show module addresses) |
The exact address is 7FF670DAF4EE.
Dark Byte wrote: | (and as a way to circumvent it, you could go with the assumption that those bytes are going to change, so your script could get adapted to that situation) |
What is it in this situation? The way the program works, a bug during the injection, a bug during the allocation, an anti-cheat system?
When I autoassemble and inject any other part of the program, it still gives me a similar bug :/
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003, Posts: 25788, Location: The Netherlands
Posted: Mon Jun 20, 2016 6:33 am
OK. I can see it allocates at a wrong spot with such an address. I'll check it out.
In the meantime try
Code:
aobscanmodule(aob_highlight,witcher3.exe,48 8B 39 8B 41 08 45) // should be unique
alloc(newmem,$ff0)
label(code)
label(return)
registersymbol(pointer_highlight)
alloc(pointer_highlight,8)
newmem:
code:
mov [pointer_highlight], rcx
mov rdi,[rcx]
mov eax,[rcx+08]
xor r12d,r12d
lea rcx,[rax+rax*4]
mov r14,rdx
jmp return
aob_highlight:
jmp code
nop
nop
return:
registersymbol(aob_highlight)
[DISABLE]
aob_highlight:
db 48 8B 39 8B 41 08 45 33 e4 48 8d 0c 80 4c 8b f2
unregistersymbol(aob_highlight)
dealloc(newmem)
unregistersymbol(pointer_highlight)
dealloc(pointer_highlight)
hhhuut (Grandmaster Cheater)
Reputation: 6
Joined: 08 Feb 2015, Posts: 607
Posted: Mon Jun 20, 2016 7:12 am
Is this a bug in the "autoAssemble2" function or the "findFreeBlockForRegion" routine?
Just curious.
NoMoreBSoD (Advanced Cheater)
Reputation: 3
Joined: 03 Sep 2013, Posts: 85
Posted: Mon Jun 20, 2016 7:15 am
Dark Byte wrote: | ok. I can see it allocates at a wrong spot with such an address. I'll check it out |
Injecting the code worked fine 1 year ago when the game came out. This week it doesn't work anymore (even though the AOBs are still good). The 2 main factors that changed are that I'm now using Windows 10 and the new version of Cheat Engine.
Dark Byte wrote: | in the meantime try |
I get "Warning. Not all code is injectable".
But transferring the new DISABLE section makes it so that I can disable the script without having the game crashing.
DarkIceCore (Expert Cheater)
Reputation: 0
Joined: 10 Jun 2012, Posts: 102, Location: Moscow
Posted: Mon Jun 20, 2016 2:01 pm
Same problem with the last CE version,
with a 64-bit app.
Something like this: F3 0F 10 80 88 00 00 00 - movss xmm0,[rax+00000088]
and many others with F3 xx xx xx etc.
When injected, the standard jump changes to FF 25 00 00 00 00.
Edit:
And it looks like "alloc(newmem,$ff0)" helps. I haven't tested all situations yet, but with some it helps.
mgr.inz.Player (I post too much)
Reputation: 222
Joined: 07 Nov 2008, Posts: 4438, Location: In the country on the Vistula. UTC+01:00
Posted: Mon Jun 20, 2016 4:13 pm
What output (four lines) do you get when you execute this code (Lua script):
Code:
-- allocate near witcher3.exe+9AF4EE and report where the block actually landed
if autoAssemble([[alloc(newmem,1024,witcher3.exe+9AF4EE)
label(justtesting)
registersymbol(justtesting)
newmem:
justtesting:]])
then
  print( 'witcher3.exe+9AF4EE =',string.format('%x',getAddress("witcher3.exe+9AF4EE")) )
  print( 'justtesting =',string.format('%x',getAddress("justtesting")) )
end
-- same test with a larger (two-page) allocation
if autoAssemble([[alloc(newmem,8192,witcher3.exe+9AF4EE)
label(justtesting)
registersymbol(justtesting)
newmem:
justtesting:]])
then
  print( 'witcher3.exe+9AF4EE =',string.format('%x',getAddress("witcher3.exe+9AF4EE")) )
  print( 'justtesting =',string.format('%x',getAddress("justtesting")) )
end
NoMoreBSoD (Advanced Cheater)
Reputation: 3
Joined: 03 Sep 2013, Posts: 85
Posted: Mon Jun 20, 2016 4:19 pm
Here is what I get:
Code:
witcher3.exe+9AF4EE = 7ff670daf4ee
justtesting = 26651850000
witcher3.exe+9AF4EE = 7ff670daf4ee
justtesting = 26651860000
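The addresses in the last post explain the corruption the thread is chasing: the cave lands at 26651850000 while the injection point is at 7FF670DAF4EE, far outside the +/-2 GiB a 5-byte "jmp rel32" can reach, so the auto assembler falls back to a 14-byte absolute jump (the FF 25 00 00 00 00 DarkIceCore saw). That jump covers 16 bytes of original code once padded to an instruction boundary, which is exactly why Dark Byte's workaround adds two nops and restores 16 bytes, and why a DISABLE section that writes back only 6 bytes leaves the game crashing. The following script is an added example, not code from the thread or from Cheat Engine; it computes the reachability check and the resulting patch size. The jump lengths are standard x86-64 encodings, the instruction lengths are read off the 16 restore bytes in Dark Byte's post, and NEAR_ALLOC is a constructed address standing in for a cave that did land nearby.

```python
"""Added example (not from the thread or Cheat Engine): why a far code cave
turns a 5-byte jmp into a 14-byte one and how many original bytes a DISABLE
section then has to restore."""

REL32_JMP_LEN = 5    # E9 rel32
ABS_JMP_LEN = 14     # FF 25 00 00 00 00 followed by the 8-byte absolute target
INT32_MIN, INT32_MAX = -(1 << 31), (1 << 31) - 1

# Values quoted in the thread.
INJECT_ADDR = 0x7FF670DAF4EE          # address the AOB scan finds
FAR_ALLOC = 0x26651850000             # where alloc() actually placed newmem
NEAR_ALLOC = INJECT_ADDR + 0x10000    # constructed: a cave that did land nearby

# Instruction lengths at the injection point, derived from the 16 restore
# bytes in Dark Byte's workaround:
#   48 8B 39 | 8B 41 08 | 45 33 E4 | 48 8D 0C 80 | 4C 8B F2
INSTR_LENS_AT_INJECT = [3, 3, 3, 4, 3]


def rel32_reachable(src, dst, jmp_len=REL32_JMP_LEN):
    """True if dst is within rel32 range of a jmp placed at src.
    rel32 is measured from the end of the jump instruction."""
    disp = dst - (src + jmp_len)
    return INT32_MIN <= disp <= INT32_MAX


def jump_patch_len(src, dst):
    """Bytes the injected jump itself occupies."""
    return REL32_JMP_LEN if rel32_reachable(src, dst) else ABS_JMP_LEN


def bytes_to_replace(instr_lens, needed):
    """Smallest whole-instruction prefix covering at least `needed` bytes, or
    None if the listed instructions are too short. Cutting an instruction in
    half would leave a garbage tail that executes when control returns."""
    total = 0
    for n in instr_lens:
        total += n
        if total >= needed:
            return total
    return None


def plan_patch(src, dst, instr_lens):
    """Size of the jump, the NOP padding after it, and the number of original
    bytes the DISABLE section must write back."""
    jmp_len = jump_patch_len(src, dst)
    replaced = bytes_to_replace(instr_lens, jmp_len)
    if replaced is None:
        raise ValueError("not enough known instructions to host a %d-byte jump" % jmp_len)
    return {"jmp_len": jmp_len, "replaced": replaced,
            "nops": replaced - jmp_len, "restore_bytes": replaced}


def bytes_left_corrupted(plan, restored):
    """Original bytes still overwritten after a DISABLE that restores only
    `restored` bytes (the thread's 6-byte restore against a 16-byte patch)."""
    return max(0, plan["replaced"] - restored)


if __name__ == "__main__":
    for name, cave in (("near cave", NEAR_ALLOC), ("far cave", FAR_ALLOC)):
        plan = plan_patch(INJECT_ADDR, cave, INSTR_LENS_AT_INJECT)
        print(name, plan, "still corrupted after a 6-byte restore:",
              bytes_left_corrupted(plan, 6))
```

For the near cave the plan is a 5-byte jump plus one nop with 6 bytes to restore, matching the original script; for the far cave it is a 14-byte jump plus two nops with 16 bytes to restore, matching the workaround. The practical check before trusting an alloc with a preferred address is therefore the one mgr.inz.Player asked for: compare the address the cave actually received with the injection point, and size the restore from the real patch, not from the script's assumed 5-byte jump.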