Cheat Engine The Official Site of Cheat Engine
jc3213 Newbie cheater
Reputation: 0
Joined: 18 Jan 2011 Posts: 13
Posted: Sun Apr 30, 2017 6:38 am Post subject: How to hack certain memory range with one cheat?
I'm hacking a game; the memory range is, for example, 00640000~00650000. I want to set every memory address in the range to "1", that is, I want to set
00640000:01(h)
00640001:01(h)
...
00650000:01(h)
In the cheat table, I'm writing many cheats:
00640000 8Byte 0101010101010101(h)
00640008 8Byte 0101010101010101(h)
00640010 8Byte 0101010101010101(h)
....
0064FFF8 8Byte 0101010101010101(h)
I just wonder if I can shorten them to 1 cheat, either an address or a script. I don't know about scripting, so I'd be grateful if someone can help. Thanks in advance.
Zanzer I post too much
Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Sun Apr 30, 2017 10:21 am Post subject:
Code:
for i = 0x00640000, 0x00650000 do
  writeBytes(i, 1)
end
FreeER Grandmaster Cheater Supreme
Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Sun Apr 30, 2017 12:23 pm Post subject:
Hm, I know CE has "fill memory" in the Tools menu of the memory viewer, which would be more efficient, though I didn't see anything obvious with a quick look at main.lua, so it may not be available from there. Something like this might still be more efficient than a loop making 0x1000 separate writes to memory:
Code:
local start = 0x00640000
local stop = 0x00650000   -- 'end' is a reserved word in Lua, so the end address is named 'stop'
local value = "\x00"
writeBytes(start, stringToByteTable(value:rep(stop-start-1)))
I haven't tested it, however; note the -1 is due to the assumption that stringToByteTable will 0-terminate the string (like C/asm expects).
jc3213 Newbie cheater
Reputation: 0
Joined: 18 Jan 2011 Posts: 13
Posted: Sun Apr 30, 2017 5:34 pm Post subject:
Zanzer wrote:
> Code:
> for i = 0x00640000, 0x00650000 do
>   writeBytes(i, 1)
> end

Thanks, that is a Lua script, right? I wonder if I can only fill 0 to 1; some values in the memory range can't be changed to 1 (also I thought they could) and will make the game freeze.
FreeER wrote:
> Hm, I know CE has "fill memory" in the Tools menu of the memory viewer, which would be more efficient, though I didn't see anything obvious with a quick look at main.lua, so it may not be available from there. Something like this might still be more efficient than a loop making 0x1000 separate writes to memory:
> Code:
> local start = 0x00640000
> local stop = 0x00650000   -- 'end' is a reserved word in Lua, so the end address is named 'stop'
> local value = "\x00"
> writeBytes(start, stringToByteTable(value:rep(stop-start-1)))
> I haven't tested it, however; note the -1 is due to the assumption that stringToByteTable will 0-terminate the string (like C/asm expects).

I've been using CE since 3.5.x, but I haven't found "fill memory"; maybe I was just too lazy or too careless.
Will that code only fill 0 to 1? Some values can't be changed to 1 and will cause a freeze.
Thanks for your help.
FreeER Grandmaster Cheater Supreme
Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Sun Apr 30, 2017 7:58 pm Post subject:
jc3213 wrote:
> Will that code only fill 0 to 1? Some values can't be changed to 1 and will cause a freeze.

That code would change everything from 0x640000 to 0x650000 (assuming it's not read-only) to 0, since I used "\x00" as the value (oops lol); to write 1s you'd use "\x01" for value (\x specifies an embedded hex value; \x97 would be the same as 'a'), though if stringToByteTable added a terminating 0 byte then you'd need to overwrite that (simple enough, however: writeBytes(0x650000,1)). However, if you need to change only the bytes that are already zero to 1, then neither of the code snippets will do what you want, since they simply overwrite everything...
If you really need to check each byte, then the best I can think of right now would be using Zanzer's code but with an added if statement, like so:
Code:
for i = 0x00640000, 0x00650000 do
  if readBytes(i) == 0 then
    writeBytes(i, 1)
  end
end
But I'd expect a good bit of lag when running a Lua script like that (I could be wrong of course, feel free to try it!)... Doing it 8 bytes at a time might help, e.g.:
Code:
for i = 0x00640000, 0x00650000, 8 do
  if readQword(i) == 0 then
    writeQword(i, 0x0101010101010101)
  end
end
Though since that checks each 8-byte section of memory to see if it's 0, it may not be enough to do what you want. You could also try 4 bytes using readInteger and writeInteger, 4 instead of 8, and 0x01010101.
Alternatively, an assembly script may be faster, something like:
Code:
[ENABLE]
globalalloc(zeroToOneTest,1000)
label(LOOP)
label(SET)
label(DONE)
label(DONECHECK)
define(tochange, 0)
define(changeto, 1)
zeroToOneTest:
// nearly the same concept as comparing strings
lea esi, [00640000-1] // start address (-1 since 1 is added at the start of the loop)
lea edi, [esi+10000] // end address
//mov edi, 00650000 // end address
LOOP:
inc esi
mov al, byte ptr [esi] // read a byte
cmp al, tochange
jne DONECHECK
// otherwise
SET:
mov byte ptr [esi], changeto
DONECHECK:
cmp esi, edi
je DONE
jmp LOOP
DONE:
ret
createThread(zeroToOneTest)
[DISABLE]
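The per-byte Lua loop above does one read and one write call per address. As an added example (not code from the thread or from Cheat Engine itself), the same "only change bytes that are currently 0" rule can be applied with one bulk read and at most one bulk write per chunk; it assumes CE's Lua API, where readBytes(addr, count, true) returns a table of byte values (nil when the read fails) and writeBytes(addr, table) writes a table back.

```lua
-- Added example: change only the bytes that are currently 0 to 1 across a range.
-- Assumes Cheat Engine's Lua API: readBytes(addr, count, true) returns a table of
-- byte values (nil on failure) and writeBytes(addr, table) writes a table back.
local function patchZerosToOnes(startAddr, stopAddr, chunkSize)
  chunkSize = chunkSize or 0x1000        -- bytes per bulk read/write
  local changed = 0
  local addr = startAddr
  while addr <= stopAddr do
    local count = math.min(chunkSize, stopAddr - addr + 1)   -- last chunk may be short
    local bytes = readBytes(addr, count, true)
    if bytes == nil then
      -- unreadable page (unmapped or protected): stop instead of writing blindly
      print(string.format("read failed at %08X", addr))
      return changed, false
    end
    local dirty = false
    for i = 1, #bytes do
      if bytes[i] == 0 then              -- leave non-zero bytes untouched
        bytes[i] = 1
        changed = changed + 1
        dirty = true
      end
    end
    if dirty then
      writeBytes(addr, bytes)            -- one write per chunk, only if something changed
    end
    addr = addr + count
  end
  return changed, true
end

-- Range from the thread, inclusive of both ends.
local n, ok = patchZerosToOnes(0x00640000, 0x00650000)
print(string.format("changed %d bytes, completed=%s", n, tostring(ok)))
```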
jc3213 Newbie cheater
Reputation: 0
Joined: 18 Jan 2011 Posts: 13
Posted: Sun Apr 30, 2017 11:48 pm Post subject:
Wow, thanks very much!!! The assembly code helps a lot, since I don't know Lua scripts but I do know some assembly. Your code helps me a lot, even with my other code tables!!
BTW, the assembly code creates a thread named zeroToOneTest; I wonder if there is some code like deleteThread(void) for the [DISABLE] section in order to stop that thread.
And will the code still work if the game has anti-debug or something? (When using CE to find the pointer, the game crashes; that's why I need to write the code myself.)
Last edited by jc3213 on Tue May 02, 2017 6:44 am; edited 2 times in total
FreeER Grandmaster Cheater Supreme
Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Mon May 01, 2017 5:29 am Post subject:
jc3213 wrote:
> BTW, the assembly code creates a thread named zeroToOneTest; I wonder if there is some code like deleteThread(void) for the [DISABLE] section in order to stop that thread.

When the thread reaches the ret, it stops. There is another way you can do it so that the code allocated for the thread also gets freed (you probably shouldn't use globalalloc in that case, though). You can find an x86 example here and an x64 one here, both by ParkourPenguin.
BTW, createThread actually takes any address and tries to execute the data there as code; zeroToOneTest is just the symbol created by globalalloc, which CE will replace with the address of the allocated memory.

jc3213 wrote:
> And will the code still work if the game has anti-debug or something? (When using CE to find the pointer, the game crashes; that's why I need to write the code myself.)

Well... that depends on the anti-cheat and how it detects you. If it's detecting that you have CE active, well, those scripts depend on CE (though you could do something similar in another language if you know how), or if it's comparing the values to copies of what they should be to see if they've changed, then it's still going to detect it. However, if it simply has a problem with you scanning for the pointer / using a debugger, then you should be fine.
PS. I'd personally prefer it if you edited the quote to not include everything; just one of those quirks I have about scrolling through threads that are 3 times the size they need to be because of quotes lol
jc3213 Newbie cheater
Reputation: 0
Joined: 18 Jan 2011 Posts: 13
Posted: Tue May 02, 2017 7:32 am Post subject:
FreeER wrote:
> BTW, createThread actually takes any address and tries to execute the data there as code; zeroToOneTest is just the symbol created by globalalloc, which CE will replace with the address of the allocated memory.
> Well... that depends on the anti-cheat and how it detects you. If it's detecting that you have CE active, well, those scripts depend on CE (though you could do something similar in another language if you know how), or if it's comparing the values to copies of what they should be to see if they've changed, then it's still going to detect it. However, if it simply has a problem with you scanning for the pointer / using a debugger, then you should be fine.

Many thanks, I'll check it myself and have a try.
PS: I've arranged the code to:
Code:
[ENABLE]
alloc(mycode, 256)
label(scan)
label(range)
label(done)
mycode:
lea esi, [00640000]
lea edi, [00650000]
scan:
mov al, byte ptr [esi]
cmp al, 00
jne range
mov byte ptr [esi], 01
range:
cmp esi, edi
je done
inc esi
jmp scan
done:
ret
createThread(mycode)
[DISABLE]
dealloc(mycode)