Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Can't Toggle AOB Script

Ejay1984
Newbie cheater
Reputation: 0

Joined: 16 Nov 2017
Posts: 24

Posted: Fri Apr 20, 2018 9:37 am    Post subject: Can't Toggle AOB Script

I've been making a few scripts for Ori and the Blind Forest (not the Definitive Edition); a few were AOBs and one was a full injection. But when I close the game and start it up again, I can't select the scripts. I doubt the game has been updated, so I'm not sure why I can't toggle them.

One of the scripts is:

Code:
[ENABLE]

aobscan(Deathcount,89 48 14 8B 05 A4 4F BC 0F) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  mov [eax+14],ecx
  mov [eax+14], #0
  mov eax,[0FBC4FA4]
  jmp return

Deathcount:
  jmp newmem
  nop
  nop
  nop
  nop
return:
registersymbol(Deathcount)

[DISABLE]

Deathcount:
  db 89 48 14 8B 05 A4 4F BC 0F

unregistersymbol(Deathcount)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 2381C6A3

""+2381C67E: 8B 05 B0 B5 E1 05     -  mov eax,[05E1B5B0]
""+2381C684: 83 EC 08              -  sub esp,08
""+2381C687: 6A 00                 -  push 00
""+2381C689: 50                    -  push eax
""+2381C68A: E8 81 B0 BE E2        -  call 06407710
""+2381C68F: 83 C4 10              -  add esp,10
""+2381C692: 85 C0                 -  test eax,eax
""+2381C694: 0F 84 62 00 00 00     -  je 2381C6FC
""+2381C69A: 8B 05 B0 B5 E1 05     -  mov eax,[05E1B5B0]
""+2381C6A0: 8B 4D 08              -  mov ecx,[ebp+08]
// ---------- INJECTING HERE ----------
""+2381C6A3: 89 48 14              -  mov [eax+14],ecx
""+2381C6A6: 8B 05 A4 4F BC 0F     -  mov eax,[0FBC4FA4]
// ---------- DONE INJECTING  ----------
""+2381C6AC: 8B 0D B0 B5 E1 05     -  mov ecx,[05E1B5B0]
""+2381C6B2: 8B 49 14              -  mov ecx,[ecx+14]
""+2381C6B5: 83 EC 08              -  sub esp,08
""+2381C6B8: 51                    -  push ecx
""+2381C6B9: 50                    -  push eax
""+2381C6BA: 39 00                 -  cmp [eax],eax
""+2381C6BC: E8 47 3C C3 E2        -  call 06450308
""+2381C6C1: 83 C4 10              -  add esp,10
""+2381C6C4: 8B 05 78 BC E1 05     -  mov eax,[05E1BC78]
""+2381C6CA: 89 45 EC              -  mov [ebp-14],eax
}

The other, the full injection, is:
Code:
define(address,22C8F809)
define(bytes,D9 40 04 D9 5D F4)

[ENABLE]

assert(address,bytes)
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  mov [eax+04],(float)15
  fld dword ptr [eax+04]
  fstp dword ptr [ebp-0C]
  jmp return

address:
  jmp newmem
  nop
return:

[DISABLE]

address:
  db bytes
  // fld dword ptr [eax+04]
  // fstp dword ptr [ebp-0C]

dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 22C8F809

22C8F7E7: E8 FC 2B 6F E3     -  call 063823E8
22C8F7EC: 83 C4 10           -  add esp,10
22C8F7EF: 85 C0              -  test eax,eax
22C8F7F1: 0F 84 60 00 00 00  -  je 22C8F857
22C8F7F7: 8B 47 3C           -  mov eax,[edi+3C]
22C8F7FA: 8B 40 48           -  mov eax,[eax+48]
22C8F7FD: 8B 40 10           -  mov eax,[eax+10]
22C8F800: 8B C8              -  mov ecx,eax
22C8F802: 39 09              -  cmp [ecx],ecx
22C8F804: 05 BC 00 00 00     -  add eax,000000BC
// ---------- INJECTING HERE ----------
22C8F809: D9 40 04           -  fld dword ptr [eax+04]
22C8F80C: D9 5D F4           -  fstp dword ptr [ebp-0C]
// ---------- DONE INJECTING  ----------
22C8F80F: D9 45 F4           -  fld dword ptr [ebp-0C]
22C8F812: D9 05 C8 C9 17 1E  -  fld dword ptr [1E17C9C8]
22C8F818: DF F1              -  fcomip st(0),st(1)
22C8F81A: DD D8              -  fstp st(0)
22C8F81C: 0F 82 35 00 00 00  -  jb 22C8F857
22C8F822: D9 87 88 00 00 00  -  fld dword ptr [edi+00000088]
22C8F828: D9 EE              -  fldz
22C8F82A: DF F1              -  fcomip st(0),st(1)
22C8F82C: DD D8              -  fstp st(0)
22C8F82E: 7A 27              -  jp 22C8F857
}
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Fri Apr 20, 2018 10:25 am

The full injection fails because the code probably wasn't allocated at the same address. Use an aobscan instead.

The aobscan script is failing because an instruction in the aob pattern is directly addressing dynamically allocated memory. Replace those operand bytes with wildcards in the aob pattern and add more bytes until the pattern is unique. In the code injection, you could use reassemble and readmem to assemble the correct instruction and restore the original bytes, but it would be easier to inject at one instruction earlier (i.e. ""+2381C6A0).

_________________
I don't know where I'm going, but I'll figure it out when I get there.
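The two failure modes ParkourPenguin describes (an AOB pattern that embeds an absolute address operand, which changes when the game's memory is allocated elsewhere on the next launch, and a pattern too short to be unique once that operand is masked) can be reproduced offline with a small wildcard byte-pattern matcher. The Python below is an added example written for this thread; it is not Cheat Engine code and not the poster's script. The first byte image is built from the disassembly listing in the opening post; the relocated addresses in the second image and the decoy fragment are constructed for the demonstration.

```python
"""Wildcard byte-pattern (AOB) matching with a uniqueness check.

Added example for this thread; not Cheat Engine's own code. Byte images are
constructed from the disassembly listing in the first post.
"""
from typing import List, Optional

Pattern = List[Optional[int]]  # None = wildcard byte ("??")


def hexbytes(text: str) -> bytes:
    """Turn a spaced hex string such as '89 48 14' into bytes."""
    return bytes.fromhex(text.replace(" ", ""))


def parse_pattern(text: str) -> Pattern:
    """Parse an AOB string; '??' or '*' tokens become wildcards."""
    return [None if tok in ("??", "?", "*", "**") else int(tok, 16)
            for tok in text.split()]


def find_all(image: bytes, pattern: Pattern) -> List[int]:
    """Every offset in image where pattern matches (wildcards match any byte)."""
    n = len(pattern)
    return [off for off in range(len(image) - n + 1)
            if all(p is None or image[off + i] == p for i, p in enumerate(pattern))]


def is_unique(image: bytes, pattern: Pattern) -> bool:
    """True when the pattern occurs exactly once, i.e. it is safe to inject at."""
    return len(find_all(image, pattern)) == 1


# Bytes of the listing around the injection point (2381C67E.. in the first run).
LISTING_RUN1 = hexbytes(
    "8B 05 B0 B5 E1 05"      # mov eax,[05E1B5B0]   (absolute address operand)
    " 83 EC 08 6A 00 50"     # sub esp,08 / push 00 / push eax
    " E8 81 B0 BE E2"        # call 06407710
    " 83 C4 10 85 C0"        # add esp,10 / test eax,eax
    " 0F 84 62 00 00 00"     # je 2381C6FC
    " 8B 05 B0 B5 E1 05"     # mov eax,[05E1B5B0]
    " 8B 4D 08"              # mov ecx,[ebp+08]     <- 2381C6A0, suggested injection point
    " 89 48 14"              # mov [eax+14],ecx     <- 2381C6A3, original injection point
    " 8B 05 A4 4F BC 0F"     # mov eax,[0FBC4FA4]   (absolute address operand)
    " 8B 0D B0 B5 E1 05 8B 49 14 83 EC 08 51 50 39 00"
    " E8 47 3C C3 E2 83 C4 10 8B 05 78 BC E1 05 89 45 EC"
)

# Constructed decoy: another routine that also stores to [eax+14] and then
# loads a global, so the short masked pattern is no longer unique.
DECOY = hexbytes("CC CC 8B 4D 0C 89 48 14 8B 05 00 10 20 03 C3")

RUN1 = LISTING_RUN1 + DECOY

# Constructed second run: same code, but the runtime placed both globals at
# different (made-up) addresses, so the little-endian operands changed while
# the opcodes did not.
RUN2 = (LISTING_RUN1
        .replace(hexbytes("A4 4F BC 0F"), hexbytes("10 20 30 0F"))
        .replace(hexbytes("B0 B5 E1 05"), hexbytes("40 60 E2 05"))
        + DECOY)

NAIVE = parse_pattern("89 48 14 8B 05 A4 4F BC 0F")           # pattern from the post
WILD = parse_pattern("89 48 14 8B 05 ?? ?? ?? ??")            # operand masked out
WIDER = parse_pattern("8B 4D 08 89 48 14 8B 05 ?? ?? ?? ??")  # one instruction earlier


def evaluate() -> dict:
    """Match count per pattern and run: 1 is usable, 0 means the scan fails,
    more than 1 means the injection could land in the wrong place."""
    return {
        "naive_run1": len(find_all(RUN1, NAIVE)),
        "naive_run2": len(find_all(RUN2, NAIVE)),
        "wild_run1": len(find_all(RUN1, WILD)),
        "wider_run1": len(find_all(RUN1, WIDER)),
        "wider_run2": len(find_all(RUN2, WIDER)),
    }


if __name__ == "__main__":
    for name, count in evaluate().items():
        print(f"{name}: {count} match(es)")
    # The wider pattern's single hit is three bytes before the original
    # injection point, i.e. on mov ecx,[ebp+08], as the reply suggests.
    print("wider offsets:", find_all(RUN1, WIDER), "naive offsets:", find_all(RUN1, NAIVE))
```

The naive pattern matches once in the first image and not at all after the relocation; masking the four operand bytes makes it survive the relocation but also match the decoy; extending it backwards by the preceding `8B 4D 08` restores uniqueness in both runs. The same masking logic is what any byte-signature scanner (YARA-style rules included) relies on when code is position-dependent.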
Ejay1984
Newbie cheater
Reputation: 0

Joined: 16 Nov 2017
Posts: 24

Posted: Fri Apr 20, 2018 11:04 am

ParkourPenguin wrote:
The full injection fails because the code probably wasn't allocated at the same address. Use an aobscan instead.

The aobscan script is failing because an instruction in the aob pattern is directly addressing dynamically allocated memory. Replace those operand bytes with wildcards in the aob pattern and add more bytes until the pattern is unique. In the code injection, you could use reassemble and readmem to assemble the correct instruction and restore the original bytes, but it would be easier to inject at one instruction earlier (i.e. ""+2381C6A0).


Sorry for sounding like a noob, but how do I use reassemble and readmem to assemble the correct instruction?
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Fri Apr 20, 2018 2:19 pm

You shouldn't do that. As I said, it's easier to inject at the previous instruction. Highlight the instruction at ""+2381C6A0 in the disassembler and make the AOB Injection template from that.

If you want to ignore that advice, there are examples of reassemble and readmem on these forums you can find by searching for them.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Ejay1984
Newbie cheater
Reputation: 0

Joined: 16 Nov 2017
Posts: 24

Posted: Fri Apr 20, 2018 11:56 pm

ParkourPenguin wrote:
You shouldn't do that. As I said, it's easier to inject at the previous instruction. Highlight the instruction at ""+2381C6A0 in the disassembler and make the AOB Injection template from that.

If you want to ignore that advice, there are examples of reassemble and readmem on these forums you can find by searching for them.


Thanks a lot, I'll do that injection.