Cheat Engine Forum (Cheat Engine board), The Official Site of Cheat Engine
Access violation when enabling AOB script

94d33m
Posted: Tue Jan 15, 2019 3:58 pm    Post subject: Access violation when enabling AOB script

Did an AOB injection which works, but I get an access violation if I put wildcards in the disable part of the code and then disable the script.

[attached screenshot]
Last edited by 94d33m on Fri Jan 18, 2019 12:27 pm; edited 2 times in total
OldCheatEngineUser
Posted: Tue Jan 15, 2019 5:18 pm

post your script.
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
i am a sweetheart.
94d33m
Posted: Wed Jan 16, 2019 10:06 am

Here

[attached screenshot]
OldCheatEngineUser
Posted: Wed Jan 16, 2019 11:54 am

ammo is double, and double is encoded in a different way.

anyway, use:
Code:
mov [rsi+000007B8],(double)5000

94d33m
Posted: Wed Jan 16, 2019 2:32 pm

Nope, I was doing that for the float value on top (health). Anyway, I figured out I get this error when I put '??' marks in the disable part; I'll see how to make it work and reply here if I find it.

[attached screenshot]
ParkourPenguin
Posted: Wed Jan 16, 2019 5:02 pm

Why are you replacing the offset with wildcards if you presume the value of the offset in the code injection?

Use readmem and reassemble:
Code:
[ENABLE]
aobscanmodule(INJECT,Tutorial-x86_64.exe,F3 0F 5C C8 F3 0F 11 8E)
alloc(newmem,$1000,"Tutorial-x86_64.exe")

label(step3health_bak)
label(return)

registersymbol(INJECT)
registersymbol(step3health_bak)

newmem:
  movss xmm1,[newmem+400]
  reassemble(INJECT+4)
  jmp long return
step3health_bak:
  readmem(INJECT,12)

newmem+400:
  dd (float)5000

INJECT:
  jmp long newmem
  nop
  nop
  nop
  nop
  nop
  nop
  nop
return:

[DISABLE]
INJECT:
  readmem(step3health_bak,12)

unregistersymbol(INJECT)
unregistersymbol(step3health_bak)
dealloc(newmem)

_________________
I don't know where I'm going, but I'll figure it out when I get there.
OldCheatEngineUser
Posted: Wed Jan 16, 2019 7:15 pm

OldCheatEngineUser wrote:
ammo is double, and double is encoded in a different way.

anyway, use:
Code:
mov [rsi+000007B8],(double)5000

Sorry, I didn't see the commented instruction (movss); I just thought you were doing double because you mentioned ammo, and ammo is double in cetut.

Also, you should learn about the SSE/SSE2 instruction extensions (SSE for sp-fp, SSE2 for dp-fp); using the x87 FPU instruction set in a process that runs in long mode is not efficient (and according to some old x86 SDMs the FPU takes extra cycles / more nanoseconds to execute).

94d33m
Posted: Thu Jan 17, 2019 12:38 am

ParkourPenguin wrote:
Why are you replacing the offset with wildcards if you presume the value of the offset in the code injection?

Use readmem and reassemble:
Code:
[ENABLE]
aobscanmodule(INJECT,Tutorial-x86_64.exe,F3 0F 5C C8 F3 0F 11 8E)
alloc(newmem,$1000,"Tutorial-x86_64.exe")

label(step3health_bak)
label(return)

registersymbol(INJECT)
registersymbol(step3health_bak)

newmem:
  movss xmm1,[newmem+400]
  reassemble(INJECT+4)
  jmp long return
step3health_bak:
  readmem(INJECT,12)

newmem+400:
  dd (float)5000

INJECT:
  jmp long newmem
  nop
  nop
  nop
  nop
  nop
  nop
  nop
return:

[DISABLE]
INJECT:
  readmem(step3health_bak,12)

unregistersymbol(INJECT)
unregistersymbol(step3health_bak)
dealloc(newmem)


Oh thanks man, I'll try that. Btw, I didn't really get your question... What I was trying to do was make sure the code works after a restart. Since that could change some of those array of bytes, I inserted those wildcards. But I thought I should put wildcards in the disable part too, since I must put back the original array of bytes when I disable. Not sure if I was on the right track.
OldCheatEngineUser
Posted: Thu Jan 17, 2019 8:23 am

94d33m wrote:
What I was trying to do was make sure the code works after a restart. Since that could change some of those array of bytes, I inserted those wildcards.
...
Not sure if I was on the right track.


The script will work fine after a restart; however, the script might not work properly after a software update.

- once the software is updated, you may use wildcards.
- you may use wildcards in processes that encode an absolute memory operand.

And you probably need to "Use readmem and reassemble" as ParkourPenguin mentioned.

ParkourPenguin
Posted: Thu Jan 17, 2019 9:58 am

Look at the instruction:
Code:
F3 0F11 8E B8070000 - movss [rsi+000007B8],xmm1

You're replacing the last four bytes with wildcards. These four bytes are the offset +7B8 in the instruction.

The rationale behind replacing the offset with wildcards is so that the script does not depend on what that offset is. This makes the script more versatile and can adapt if the offset ever changes due to a software update, among other reasons.

That's generally a good goal, but you were going about it incorrectly. You were still assuming the offset is +7B8 in the code injection:
Code:
newmem:
  mov [rsi+000007B8],(float)5000

This instruction is fine and will do what you expect it to do, but you're assuming the offset will always be +7B8. If that offset ever changes (and you do everything else w/ readmem correctly), your code injection won't write to the new offset; it'll still write to rsi+000007B8 just like you told it to. If anything, this is worse than not using wildcards in the first place. At least then the script won't enable and write over an unrelated value.

In the code injection I wrote, it doesn't directly use the offset +7B8. Instead, reassemble tells CE to look at the specified address (i.e. the address of the movss instruction), disassemble it, and reassemble it where the reassemble call was placed. If the offset ever changes, CE will disassemble and reassemble the new offset correctly.

salumor
Posted: Thu Jan 17, 2019 4:28 pm

Sorry to hook on, but I've got a question concerning this turn of the topic, and it might be of interest to the OP too.

What if you do have an offset address you got from taking a look at a dissected data structure? Let's say you do "cmp [eax+30],#24". What's best practice here?

I can just think of finding the offset elsewhere, if it's nowhere near, and doing something like (incl. all labels, registers & co):
Code:
aobscan(region/module)(AddressForOffset,***)
....
cmp [eax+OffsetLabel],#24
....
OffsetLabel:
readmem(AddressForOffset,4)

What if you wouldn't find that address? Any best practices for that case in general?
ParkourPenguin
Posted: Thu Jan 17, 2019 10:21 pm

In a more general case where you only want the offset and can't simply reassemble the original instruction, the simplest method would be to assemble the code yourself. If the original injection point starts with the instruction "mov ecx,[eax+30]" (AoB: 8B 48 30), you could write "cmp [eax+30],#24" like so:
Code:
// cmp [eax+disp8],#24
db 83 78
readmem(INJECT+2,1)
db 18
When doing it this way, there should always be a comment detailing the actual instruction. This makes it at least somewhat readable.

This solution is good enough; it's what I'd do if I released a table. I can think of a couple better (albeit more convoluted) ways that involve Lua.

The first would be to use a {$lua} block that returns a define(...) command which sets the offset. This is easy if the injection point is static, but that's probably pointless since that location would have a bigger chance of changing than the offset itself. aobscans are a problem because they run after {$lua} blocks; hence, the Lua code must also scan for the AoB (preferably via a single-pass scan; see "vtByteArrays" in CE source for details).

The second way would probably involve registerAutoAssemblerCommand or registerAutoAssemblerPrologue. At the very least, this would reduce code duplication across multiple scripts. See the CE Lua documentation for more information.

94d33m
Posted: Fri Jan 18, 2019 12:26 pm

ParkourPenguin wrote:
Why are you replacing the offset with wildcards if you presume the value of the offset in the code injection?

Use readmem and reassemble:
Code:
[ENABLE]
aobscanmodule(INJECT,Tutorial-x86_64.exe,F3 0F 5C C8 F3 0F 11 8E)
alloc(newmem,$1000,"Tutorial-x86_64.exe")

label(step3health_bak)
label(return)

registersymbol(INJECT)
registersymbol(step3health_bak)

newmem:
  movss xmm1,[newmem+400]
  reassemble(INJECT+4)
  jmp long return
step3health_bak:
  readmem(INJECT,12)

newmem+400:
  dd (float)5000

INJECT:
  jmp long newmem
  nop
  nop
  nop
  nop
  nop
  nop
  nop
return:

[DISABLE]
INJECT:
  readmem(step3health_bak,12)

unregistersymbol(INJECT)
unregistersymbol(step3health_bak)
dealloc(newmem)


Have some questions on this code:
0) What is the thing that we are trying to achieve with this code?
1) Why are we moving the value from address [newmem+400]? Is [newmem+400] just free space in memory that we want to use?

2) What is this reassemble(INJECT+4)? Why reassemble, and why 4?
3) What is readmem(INJECT,12), and why 12?
4) What is the difference b/w registersymbol and label?

Or what basics do I need to know to understand these?
Thanks in advance buddies
ParkourPenguin
Posted: Fri Jan 18, 2019 11:06 pm

94d33m wrote:
0) What is the thing that we are trying to achieve with this code?
I made that in response to the problem in your original post. If you don't know why you made your code in the first place, there's not much point to this topic.

My script does not rely on the offset an instruction uses. In other words, the offset 0x7B8 in the instruction "movss [rsi+7B8],xmm1" could change to 0x7C0 and the script would still enable perfectly fine.

94d33m wrote:
1) Why are we moving the value from address [newmem+400]? Is [newmem+400] just free space in memory that we want to use?
It's where I chose to store a floating point constant. There's no such "movss xmm1,(float)5000" instruction, so that's the next best thing.

If you want to make it more readable, use a label:
Code:
label(myValue)
...
newmem:
  movss xmm1,[myValue]
...
newmem+400:
myValue:
  dd (float)5000


94d33m wrote:
2) What is this reassemble(INJECT+4)? Why reassemble, and why 4?
The reassemble command disassembles an instruction at the specified address and assembles it at where the command is placed.
INJECT+4 is the address of the instruction "movss [rsi+7B8],xmm1". The +4 is there because that instruction comes 4 bytes after INJECT - the start of the specified AOB signature.

reassemble is used here because it's the most appropriate method with regards to semantics. I want the code injection to execute the original instruction, but I don't know what the offset is. So, I tell CE to reassemble whatever the original instruction was and put it in the code injection.
In this specific case, you could use readmem instead of reassemble and it'll work perfectly fine; however, that's not true in general. Instructions that depend on the address they're located at (e.g. RIP-relative addressing) will break if the bytes are copied directly, while reassemble will work correctly.

94d33m wrote:
3) What is readmem(INJECT,12), and why 12?
The readmem command reads a number of bytes from an address and copies them to where the command is placed. INJECT is the address to copy bytes from, and 12 (decimal; not hex) is the number of bytes to copy.

readmem should not be replaced with reassemble because reassemble is not guaranteed to give back the same bytes even if the original instruction is reassembled at the same address. This happens when multiple instructions with different machine code representations can be represented by the same mnemonic.
For example, the instruction "mov eax,[0291EC74]" could be assembled using the opcode A1 (mov eax,moffs32) or the opcode 8B (mov r32,r/m32). This might cause problems because both forms have different sizes. If CE assembles the wrong one, the game will probably crash. readmem doesn't have this problem since it doesn't consider mnemonics; it just copies memory.

94d33m wrote:
4) What is the difference b/w registersymbol and label?
That's comparing apples with oranges: those two commands do two different things.
The label command declares a symbol that will be used to represent a certain address. The scope of that symbol is limited to the current execution of the script. Labels alone can't be used in some other script or the next time the same script is enabled or disabled. The registersymbol command makes a symbol accessible globally. In my script, the "step3health_bak" symbol needed to be registered in the enable section because the disable section needs to know where the backup was stored.

94d33m wrote:
Or what basics do I need to know to understand these?
You can find more information on the CE wiki.
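Added example, not code from the thread or from Cheat Engine itself: a small Python model of what ParkourPenguin's script and explanation rely on. It compiles an AOB with "??" wildcards, scans a constructed buffer holding the two tutorial instructions, keeps the 12 bytes that readmem(INJECT,12) backs up, decodes the real disp32 of the movss at INJECT+4 instead of assuming +7B8, and builds the "83 78 xx 18" cmp bytes from the disp8 trick in the earlier answer. The byte buffers and the "+7C0 after an update" case are constructed assumptions.

```python
import re
import struct

# Constructed 12-byte sequence matching the thread's Tutorial-x86_64.exe step 3:
#   F3 0F 5C C8            subss xmm1,xmm0           (INJECT)
#   F3 0F 11 8E <disp32>   movss [rsi+disp32],xmm1   (INJECT+4)
def build_code(disp32: int) -> bytes:
    return b"\xF3\x0F\x5C\xC8" + b"\xF3\x0F\x11\x8E" + struct.pack("<i", disp32)

# Two hypothetical builds: the original field at +7B8 and an "update" that moved it to +7C0.
OLD_BUILD = b"\x90" * 16 + build_code(0x7B8) + b"\xC3"
NEW_BUILD = b"\x90" * 16 + build_code(0x7C0) + b"\xC3"
PATTERN = "F3 0F 5C C8 F3 0F 11 8E ?? ?? ?? ??"   # the four offset bytes wildcarded

def compile_aob(pattern: str):
    """Turn 'F3 0F ?? 8E' into a bytes regex; '??' matches any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def aobscan(buf: bytes, pattern: str) -> int:
    """Offset of the first match, or -1 (CE's aobscanmodule would fail the script)."""
    m = compile_aob(pattern).search(buf)
    return m.start() if m else -1

def movss_store_disp32(buf: bytes, at: int) -> int:
    """Decode 'F3 0F 11 <modrm> <disp32>' and return the displacement the instruction
    really uses, i.e. what reassemble(INJECT+4) carries into the injected code."""
    if buf[at:at + 3] != b"\xF3\x0F\x11":
        raise ValueError("not a movss store at offset %d" % at)
    modrm = buf[at + 3]
    mod, rm = modrm >> 6, modrm & 7
    if mod != 0b10 or rm == 0b100:     # want [reg+disp32] with no SIB byte
        raise ValueError("unexpected ModRM form %#x" % modrm)
    return struct.unpack_from("<i", buf, at + 4)[0]

def inject_info(buf: bytes):
    """Mirror the script: locate INJECT, keep the 12 bytes readmem(INJECT,12) backs up,
    and read the live offset instead of hard-coding +7B8."""
    inject = aobscan(buf, PATTERN)
    if inject < 0:
        return None
    return inject, movss_store_disp32(buf, inject + 4), buf[inject:inject + 12]

def cmp_eax_disp8_imm8(buf: bytes, inject: int, imm8: int) -> bytes:
    """The 'db 83 78 / readmem(INJECT+2,1) / db 18' trick: reuse the disp8 of
    'mov ecx,[eax+disp8]' (8B 48 xx) to build 'cmp [eax+disp8],imm8'."""
    return b"\x83\x78" + buf[inject + 2:inject + 3] + bytes([imm8])
```

Running inject_info on both buffers shows the same pattern hitting both builds while the decoded offset differs, which is exactly the case where a hard-coded +7B8 would write to the wrong field.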