janetwestonn How do I cheat?
Reputation: 0
Joined: 30 Nov 2018 Posts: 5
Posted: Fri Nov 30, 2018 12:26 pm Post subject: aobscanmodule() not returning usable variable
aobscanmodule() will not return a variable that can be used in the assembly opcodes. This would be useful for games that have anti-hacks which continuously scan for code modifications.
The following autoassemble script attempts to defeat anti-hacks by immediately overwriting the jump + NOPs that autoassemble uses to jump to new memory. But it will not work because "scannedaddress" cannot be used.
Proof of concept code:
Code:
[ENABLE]
aobscanmodule(scannedaddress,game.exe,0F2F81F40000000F)
alloc(newmem,$1000)
label(code)
label(return)
label(ammo)
registersymbol(ammo)
newmem:
ammo:
dq 0
code:
// overwrite the jump and the 2 NOPs to defeat anti-hacks
push rbx
mov rbx,0F2F81F40000000F
mov scannedaddress,rbx <- ***The instruction cannot be compiled.***
pop rbx
mov [ammo],rcx // use ammo in the address list
comiss xmm0,[rcx+000000F4] // original code
jmp return
scannedaddress:
jmp code
nop
nop
return:
registersymbol(scannedaddress)
[DISABLE]
unregistersymbol(scannedaddress)
unregistersymbol(ammo)
dealloc(newmem)
Last edited by janetwestonn on Fri Nov 30, 2018 2:05 pm; edited 1 time in total
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25796 Location: The Netherlands
Posted: Fri Nov 30, 2018 12:57 pm
You must tell alloc where to allocate, so alloc(newmem,4096,game.exe)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
janetwestonn How do I cheat?
Reputation: 0
Joined: 30 Nov 2018 Posts: 5
Posted: Fri Nov 30, 2018 2:16 pm
Using CE 6.8.1
According to the wiki, alloc() does not require an address and does not show an error window if one is not provided: wiki.cheatengine.org/index.php?title=Auto_Assembler:alloc
Modifying alloc() as requested still gives the same error.
Code:
alloc(newmem,$1000,"chrome.exe"+D65CE)
Quote:
Error in line 16 (mov 00000000,rbx) : This instruction can't be compiled
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4702
Posted: Fri Nov 30, 2018 2:39 pm
The destination can't be an immediate; it doesn't make sense to move a value into another value. Put it in square brackets if you're addressing a memory location.
The third parameter to alloc specifies a region the memory should be allocated in. This is necessary because RIP-relative addressing requires the addressed memory location to be within a signed 32-bit displacement of the instruction. Even if you weren't addressing a memory location, it would still probably fail because the jmp to your code would take 14 bytes instead of 5 if it were far away.
Also, if the injection point isn't writable, you'll need to call VirtualProtect to change it back.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
janetwestonn How do I cheat?
Reputation: 0
Joined: 30 Nov 2018 Posts: 5
Posted: Fri Nov 30, 2018 3:08 pm
ParkourPenguin wrote:
> The destination can't be an immediate; it doesn't make sense to move a value into another value. Put it in square brackets if you're addressing a memory location.
Modified it to this as requested, but it still has the same error.
Code:
mov [scannedaddress],rbx
ParkourPenguin wrote:
> The third parameter to alloc specifies a region the memory should be allocated in. This is necessary because RIP-relative addressing requires the addressed memory location to be within a signed 32-bit displacement of the instruction. Even if you weren't addressing a memory location, it would still probably fail because the jmp to your code would take 14 bytes instead of 5 if it were far away.
OK, good to know.
ParkourPenguin wrote:
> Also, if the injection point isn't writable, you'll need to call VirtualProtect to change it back.
That function is not in the list: wiki.cheatengine.org/index.php?title=Auto_Assembler:Commands
So I assume you're talking about the WinAPI. Thank you for pointing that out. But I guess the same problem would happen because "scannedaddress" could not be used with VirtualProtect() either.
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4702
Posted: Fri Nov 30, 2018 4:01 pm
I can replicate that behaviour.
Perhaps it's something to do with the syntax check and/or the order CE executes the script in.
Use a label as a workaround:
Code:
[ENABLE]
aobscanmodule(scannedaddress,game.exe,0F2F81F40000000F)
alloc(newmem,$1000,game.exe)
label(injectPoint)
label(code)
label(return)
label(ammo)
registersymbol(ammo)
newmem:
ammo:
dq 0
code:
push rbx
mov rbx,0F2F81F40000000F
mov [injectPoint],rbx
pop rbx
mov [ammo],rcx
comiss xmm0,[rcx+000000F4]
jmp return
scannedaddress:
injectPoint:
jmp code
nop
nop
return:
registersymbol(scannedaddress)
[DISABLE]
unregistersymbol(scannedaddress)
unregistersymbol(ammo)
dealloc(newmem)
_________________
I don't know where I'm going, but I'll figure it out when I get there.
janetwestonn How do I cheat?
Reputation: 0
Joined: 30 Nov 2018 Posts: 5
Posted: Sat Dec 01, 2018 3:26 am
Thank you for providing a workaround. Awesome!
Now, for the script to actually overwrite the jump and NOPs you need to use fullAccess(). WinAPI's VirtualProtect() is not strictly necessary.
Memory in a .exe is read+execute. We need to modify it to read+write+execute.
Code:
fullAccess(scannedaddress, 8)
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4702
Posted: Sat Dec 01, 2018 8:48 am
You could use that, but I don't know of any analogous way to change it back. The game could detect that pretty easily. But hey, if it works, it works.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
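An added example, not code from this thread or from Cheat Engine: a C sketch of the code-integrity check ParkourPenguin says the game could do easily, run on constructed bytes. It hashes the monitored site, flags a page left writable (the state fullAccess() leaves behind and nothing changes back), and decodes a jmp rel32 at the site with the same next-instruction + rel32 rule behind the 32-bit displacement limit explained earlier. On Windows the protection value would come from VirtualQuery; here it is passed in, and SITE_VA and the jmp displacement are made-up values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* winnt.h protection values: EXECUTE_READ 0x20, EXECUTE_READWRITE 0x40;
 * 0xCC masks every protection that allows writes (04, 08, 40, 80). */
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_WRITABLE_MASK     0xCC
#define TAMPER_BYTES    1   /* bytes differ from the known-good hash */
#define TAMPER_WRITABLE 2   /* page left writable, as fullAccess() leaves it */
#define TAMPER_DETOUR   4   /* site now starts with jmp rel32 (opcode E9) */

/* FNV-1a over the monitored bytes; the good value is recorded at load time. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Bitmask of TAMPER_* findings for one site. site_va is the address of code[0];
 * protect is the page protection (VirtualQuery on Windows; passed in here).
 * A jmp rel32 lands at next_ip + rel32 = site_va + 5 + rel32; that target is
 * written to *detour_va so the scanner can report where control is diverted. */
int check_code_region(const uint8_t *code, size_t n, uint64_t site_va,
                      uint32_t good_hash, uint32_t protect, uint64_t *detour_va) {
    int findings = 0;
    if (fnv1a(code, n) != good_hash) findings |= TAMPER_BYTES;
    if (protect & PAGE_WRITABLE_MASK) findings |= TAMPER_WRITABLE;
    if (n >= 5 && code[0] == 0xE9) {
        int32_t rel;
        memcpy(&rel, code + 1, sizeof rel);        /* little-endian rel32 */
        *detour_va = site_va + 5 + (uint64_t)(int64_t)rel;
        findings |= TAMPER_DETOUR;
    }
    return findings;
}

/* Constructed sample: the thread's AOB bytes (comiss xmm0,[rcx+F4] plus the next
 * opcode byte) and the same site after "jmp code / nop / nop" overwrote the
 * 7-byte comiss. SITE_VA and the jmp displacement are made-up values. */
static const uint8_t GOOD_SITE[8]    = {0x0F,0x2F,0x81,0xF4,0x00,0x00,0x00,0x0F};
static const uint8_t PATCHED_SITE[8] = {0xE9,0xFB,0xFF,0x0F,0x00,0x90,0x90,0x0F};
#define SITE_VA 0x140001000ULL
static uint64_t g_detour;   /* target of the detour seen by demo_findings() */
int demo_findings(void) {   /* patched site, page left RWX: all three flags, 7 */
    return check_code_region(PATCHED_SITE, 8, SITE_VA, fnv1a(GOOD_SITE, 8),
                             PAGE_EXECUTE_READWRITE, &g_detour);
}
uint64_t demo_detour(void) { demo_findings(); return g_detour; }  /* 0x140101000 */
int demo_clean(void) {      /* untouched site, read+execute: 0 */
    uint64_t d = 0;
    return check_code_region(GOOD_SITE, 8, SITE_VA, fnv1a(GOOD_SITE, 8),
                             PAGE_EXECUTE_READ, &d);
}
```

The decoded detour target falling outside the module's own image is exactly the case the alloc(newmem,$1000,game.exe) discussion is about: a cave placed near the module keeps the patch at 5 bytes, but a scanner that knows the expected bytes and protection catches either form.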