ysfc3m How do I cheat?
Posted: Wed May 13, 2020 7:19 am Post subject: AOB Inection crash |
Memory View:
[img]i.hizliresim.com/PNzei2.jpg[/img]
AOB Template:
| Code: | [ENABLE]
aobscanmodule(INJECT,Game.bnbx,66 89 10 89 48 04) // find the original bytes in Game.bnbx; INJECT = hook address
alloc(newmem,$1000) // code cave the hook jumps into
label(code)
label(return)
newmem:
code: // the two original instructions, relocated into the cave
mov [eax],dx
mov [eax+04],ecx
jmp return // back to the first instruction after the hook
INJECT:
jmp newmem // 5-byte jmp + 1 nop replace the 6 original bytes
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 66 89 10 89 48 04 // restore the original bytes
unregistersymbol(INJECT)
dealloc(newmem) |
The point is to write 3 values to a txt file.
Example output per line (code,boolean,price)
220410000-0-500000
My AOB Injection
| Code: | [ENABLE]
aobscanmodule(INJECT,Game.bnbx,66 89 10 89 48 04) // hook on the original "mov [eax],dx / mov [eax+04],ecx"
alloc(newmem,$1000)
alloc(newmem,$1000) // NOTE(review): duplicate of the line above; one alloc(newmem) is enough
alloc(buf, 50) // decimal text of one value (an unsigned dword is at most 10 digits + NUL)
alloc(buf2, $100) // file name, counters and separator strings
label(code)
label(return)
label(hexcbuf)
label(isnum)
label(inttohex)
label(FileName)
label(crlf)
label(itoaloop)
label(itoaloop2)
label(itoaloop3)
label(inttostr)
label(savefile)
label(byteswritten)
label(dash)
buf: // allocated 50 bytes
db 0
buf2:
FileName:
db 'D:\games\myvaluesave.txt',0 // log file; opened for append on every savefile call
byteswritten:
dd 0 // intended for WriteFile lpNumberOfBytesWritten (see the push below)
tmp_register: // NOTE(review): not declared with label() and not used anywhere below
dd 0
crlf:
db 0d 0a 00 // carriage return, line feed, NUL
dash:
db '=',0 // field separator
hexcbuf:
dd 0 0 // 8 hex digits written by inttohex (inttohex is never called)
db 0
newmem:
// [eax+04]-[eax+0C]-[eax+08]
// Hook body: log the three dwords at [eax+04], [eax+0C], [eax+08] as one
// line "a=b=c" followed by CR LF, then run the two original instructions.
// NOTE(review): eax is dereferenced without any validity check here.
// Bare numbers in this script are hex; #50 and #10 below are decimal.
pushfd
pushad // save flags and all GPRs: the helpers below clobber eax, ebx, ecx, edx, esi
mov ebx, dword ptr [eax+08]
push ebx // third field, popped last
mov ebx, dword ptr [eax+0C]
push ebx // second field
mov ebx, dword ptr [eax+04]
mov eax, ebx // convert inttost ebx
call inttostr // save to buf
lea edx, [buf+0] // code [eax+04]
call savefile
lea edx, [dash+0] // dash
call savefile
pop eax // convert inttost eax
call inttostr // save to buf
lea edx, [buf+0] // code [eax+0C]
call savefile
lea edx, [dash+0] // dash
call savefile
pop eax // convert inttost eax
call inttostr // save to buf
lea edx, [buf+0] // code [eax+08]
call savefile
lea edx, [crlf+0] // cr/lf
call savefile
popad
popfd
code:
mov [eax],dx
mov [eax+04],ecx
jmp return
newmem+200:
savefile: // append the NUL-terminated string at edx to FileName; clobbers eax, ebx, edx, esi
mov ebx, edx // buffer to write
push 0 // hTemplateFile
push 80 // dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
push 4 // dwCreationDisposition = OPEN_ALWAYS
push 0 // lpSecurityAttributes
push 0 // dwShareMode = 0: if anything else has the file open, this CreateFileA fails
push 4 // dwDesiredAccess = FILE_APPEND_DATA: each write lands at the end of the file
push FileName // lpFileName
call CreateFileA
// NOTE(review): the handle is not checked; on failure eax is INVALID_HANDLE_VALUE
// and the WriteFile below fails silently (a lost line, not a logged error).
mov dword ptr [byteswritten], 0
mov esi, eax // move file handle to esi
mov edx, ebx // dead store: edx is not read again before it is overwritten
mov eax, ebx
mov ebx, FFFFFFFF // ebx = -1, pre-incremented to 0 by the loop
aloop: // get string length
inc ebx
cmp byte ptr [eax+ebx], 0
jnz short aloop
push 0 // lpOverlapped
push [byteswritten] // NOTE(review): pushes the VALUE (always 0 here, i.e. a NULL pointer); WriteFile expects the ADDRESS: push byteswritten
push ebx // nNumberOfBytesToWrite
push eax //; lpBuffer
push esi //; hFile
call WriteFile
push esi
call CloseHandle
ret
newmem+300:
inttohex: // hexcbuf = 8 hex digits of eax; clobbers eax, ebx, ecx, edx (not used by the hook)
// put data to eax
lea edx, [hexcbuf+0]
mov ebx, 8
loophere:
mov cl, al
and cl, f // low nibble
add cl, 30 // 0-9 -> ASCII digit
cmp cl, 39
jle isnum
add cl, 7 // A-F
isnum:
dec ebx
mov byte ptr [edx+ebx], cl // fill from the right
sar eax, 4
cmp ebx, 0
jne loophere
ret
newmem+400:
inttostr: // buf = decimal text of unsigned eax, NUL terminated; clobbers eax, ebx, ecx, edx, esi
// put data to eax
lea ecx, [buf+0]
// initialize buf[50]
mov ebx, #50 // decimal 50 (bare numbers are hex)
itoaloop:
mov byte ptr [ecx], 0
inc ecx
dec ebx
cmp ebx, 0
jg itoaloop
// Convert rax to string
// Digits come out least-significant first; esi counts them.
lea ecx, [buf+0]
xor esi, esi
mov ebx, #10 // decimal 10, the divisor
itoaloop2:
xor edx, edx // div uses edx:eax, so edx must be cleared each time
div ebx
add dl, 30 // remainder -> ASCII digit
mov byte ptr [ecx], dl
inc ecx
inc esi
cmp eax, 0
jne itoaloop2
// String reverse
// eax = esi/2 swaps, ebx/esi walk inwards from both ends.
// NOTE(review): for a single-digit value esi == 1, so eax == 0 before the
// first dec; "dec eax" then wraps to FFFFFFFF and the loop runs ~4G times,
// writing far outside buf. Guard with "cmp esi, 1 / je <ret>" before the swap.
xor edx, edx
mov eax, esi
mov ebx, 2
div ebx
dec esi
xor ebx, ebx
lea ecx, [buf+0]
itoaloop3:
mov dl, byte ptr [ecx+ebx]
mov dh, byte ptr [ecx+esi]
mov byte ptr [ecx+ebx], dh
mov byte ptr [ecx+esi], dl
dec eax
dec esi
inc ebx
cmp eax, 0
jne itoaloop3
// Finally
ret
db 90 90 90 90
INJECT:
jmp newmem // 5-byte jmp + 1 nop replace the 6 original bytes
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 66 89 10 89 48 04 // restore the original bytes
unregistersymbol(INJECT)
dealloc(newmem) |
myvaluesave.txt:
| Code: | 1668312668=1650418802=1634689631
1668312668=1650418802=1634689631
1668312668=1701279083=1601138015
1668312668=1701666657=1919905119
1668312668=1835100275=1601138015 |
It should work 100+ times, but after 5 the game crashes. Can you help?
Csimbi I post too much
Posted: Wed May 13, 2020 11:40 am Post subject: |
There's no check on the pointers (and what you access thru them).
Wrap those in try/except blocks and see what happens.
ysfc3m How do I cheat?
Posted: Wed May 13, 2020 11:43 am Post subject: |
| Csimbi wrote: | There's no check on the pointers (and what you access thru them).
Wrap those in try/except blocks and see what happens. |
Hello, thank you for your answer.
Can you give me a code example, please?
OldCheatEngineUser Whateven rank
Posted: Wed May 13, 2020 1:36 pm Post subject: Re: AOB Inection crash |
| ysfc3m wrote: | Memory View:
https://i.hizliresim.com/PNzei2.jpg
AOB Template:
| Code: | [ENABLE]
aobscanmodule(INJECT,Game.bnbx,66 89 10 89 48 04) // find the original bytes in Game.bnbx; INJECT = hook address
alloc(newmem,$1000) // code cave the hook jumps into
label(code)
label(return)
newmem:
code: // the two original instructions, relocated into the cave
mov [eax],dx
mov [eax+04],ecx
jmp return // back to the first instruction after the hook
INJECT:
jmp newmem // 5-byte jmp + 1 nop replace the 6 original bytes
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 66 89 10 89 48 04 // restore the original bytes
unregistersymbol(INJECT)
dealloc(newmem) |
fmyvaluesave.txt:
| Code: | 1668312668=1650418802=1634689631
1668312668=1650418802=1634689631
1668312668=1701279083=1601138015
1668312668=1701666657=1919905119
1668312668=1835100275=1601138015 |
It should work 100+ times but after 5 game crash. Can you help ? |
first off, i did not read the whole code as your code is extra-long for simple value-logging.
second, according to the image you provided, many memory locations are being modified by the value of ECX:
- EAX+24 (DWORD)
- EAX+14 (BYTE from CL)
- ESP+10 (DWORD)
- EAX+4 (DWORD)
- EAX+C (DWORD)
- EAX+8 (DWORD)
all of these memory locations will contain the exact same value of what ECX register holds.
i will assume ECX sets them to 0.
third, according to the image you provided EAX is the base address:
- offset 4 is ITEM CODE
- offset C is 0 or 1
- offset 8 is ITEM PRICE
at this point i would assume you are trying to fetch whatever is in these memory locations before it is overridden by ECX; however, are you sure about these memory locations and what they contain?
if offset C is either 0 or 1, then why does column two in your fmyvaluesave.txt contain some unknown value, something that is not 0 or 1?
at this point i would assume that this subroutine is shared between multiple threads, from which we can say other threads do have some values you are not interested in.
fourth, did you stare at fmyvaluesave.txt column3:PRICE?
the values there are near 2GB, or in other words it's near the limit of a signed dword (int).
it makes no sense for a game developer to price things that high, which again makes me think that subroutine is shared between multiple threads.
ParkourPenguin I post too much
Posted: Wed May 13, 2020 1:51 pm Post subject: |
CreateFile's dwDesiredAccess argument seems wrong.
WriteFile's lpNumberOfBytesWritten parameter is a pointer, not a value. You're lucky it's initialized to 0, but the instant anything writes any nonzero value to byteswritten, WriteFile will certainly access bad memory.
The code you're writing is weird and I stopped looking at it in substantial detail after the first ~10 instructions. Maybe you overflow a buffer somewhere... I don't know. Error handling is also something you should do, but at least that's not an uncommon omission.
Perhaps you should simply log the integer numbers to a large buffer, and have CE's Lua engine read and flush it to disk every so often? Or, if that code isn't run hundreds of times per second, you could omit assembly entirely and use a breakpoint with Lua?
OldCheatEngineUser Whateven rank
Posted: Wed May 13, 2020 2:15 pm Post subject: |
CreateFile's dwDesiredAccess is indeed wrong.
the expected value:
| Code: | | #define GENERIC_WRITE (0x40000000L) |
so is WriteFile's lpNumberOfBytesWritten; it is expecting a pointer, not a value.
besides that, i would open it in shared mode just in case i want to keep the file open in a text editor.
ysfc3m How do I cheat?
Posted: Wed May 13, 2020 4:39 pm Post subject: |
Hello, thank you for all the answers; i am really new to CE and Assembly. A helpful user wrote this code for me. This is the new code:
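[ENABLE]
// Logs the three dwords of the object at eax as one line "code=flag=price"
// followed by CR LF each time the hooked instruction at Game.bnbx+263C57
// runs, then executes the two original instructions.
// 32-bit target (pushad/pushfd). Bare numbers are hex; #50 / #10 are decimal.
// Fixes vs. the earlier revision: WriteFile now gets the ADDRESS of
// byteswritten, the file is opened in shared mode, a failed CreateFileA is
// skipped instead of being written through, and memory compares carry an
// explicit size.
// NOTE(review): buf and byteswritten are shared by every caller; if the hooked
// code runs on more than one thread at a time, lines can interleave or be
// lost. Buffering in memory and flushing from Lua is the safer design.
aobscanmodule(INJECT,"Game.bnbx"+263C57,66 89 10 89 48 04 89 48 0C 89 48 08 C7 44 24 10 FF FF FF FF)
alloc(newmem,$1000, "Game.bnbx"+263C57)
alloc(buf, $50, "Game.bnbx"+263C57) // decimal text of one value (max 10 digits + NUL)
alloc(buf2, $100, "Game.bnbx"+263C57) // file name, counters and separator strings
label(code)
label(return)
label(hexcbuf)
label(isnum)
label(inttohex)
label(FileName)
label(crlf)
label(itoaloop)
label(itoaloop2)
label(itoaloop3)
label(inttostr)
label(savefile)
label(byteswritten)
label(dash)
label(iszero)
label(justone)
label(nofile)
buf: // allocated 50 bytes
db 0
buf2:
FileName:
db 'D:\test.txt',0 // log file; opened for append on every savefile call
byteswritten:
dd 0 // filled by WriteFile (lpNumberOfBytesWritten)
tmp_register:
dd 0
crlf:
db 0d 0a 00 // carriage return, line feed, NUL
dash:
db '=',0 // field separator
iszero:
db '0',0
hexcbuf:
dd 0 0 // 8 hex digits for inttohex (not called by the hook)
db 0
newmem:
pushfd
pushad // save flags and all GPRs: the helpers below clobber eax, ebx, ecx, edx, esi
// Skip logging when eax does not look like an object pointer or the fields
// are outside the expected range; the original instructions still run.
cmp eax, 0
je code
cmp eax, FFFFFFFF
je code
cmp eax, 7FFFFFFF
je code
cmp dword ptr [eax+04], 0 // item code must be non-zero
je code
cmp dword ptr [eax+0C], 2 // flag field is expected to be 0 or 1 (unsigned compare)
jae code
mov ebx, dword ptr [eax+08] // price: pushed first, logged last
push ebx
mov ebx, dword ptr [eax+0C] // flag
push ebx
mov ebx, dword ptr [eax+04] // item code
mov eax, ebx
call inttostr // buf = decimal text of eax
lea edx, [buf+0]
call savefile
lea edx, [dash+0]
call savefile
pop eax // flag
call inttostr
lea edx, [buf+0]
call savefile
lea edx, [dash+0]
call savefile
pop eax // price
call inttostr
lea edx, [buf+0]
call savefile
lea edx, [crlf+0]
call savefile
code:
popad
popfd
mov [eax],dx
mov [eax+04],ecx
jmp return
newmem+200:
savefile: // append the NUL-terminated string at edx to FileName; clobbers eax, ebx, esi
mov ebx, edx // buffer to write
push 0 // hTemplateFile
push 80 // dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
push 4 // dwCreationDisposition = OPEN_ALWAYS
push 0 // lpSecurityAttributes
push 3 // dwShareMode = FILE_SHARE_READ | FILE_SHARE_WRITE: another opener (a second thread, a text editor) no longer makes this open fail
push 4 // dwDesiredAccess = FILE_APPEND_DATA: every write lands at the end of the file
push FileName // lpFileName
call CreateFileA
cmp eax, FFFFFFFF // INVALID_HANDLE_VALUE: do not write or close through a bad handle
je nofile
mov esi, eax // file handle
mov dword ptr [byteswritten], 0
mov eax, ebx // eax = string start
mov ebx, FFFFFFFF // ebx = -1, pre-incremented to 0 by the loop
aloop: // ebx = strlen(eax)
inc ebx
cmp byte ptr [eax+ebx], 0
jnz short aloop
push 0 // lpOverlapped
push byteswritten // lpNumberOfBytesWritten: address of the dword, not its value
push ebx // nNumberOfBytesToWrite
push eax // lpBuffer
push esi // hFile
call WriteFile
push esi
call CloseHandle
nofile:
ret
newmem+300:
inttohex: // hexcbuf = 8 hex digits of eax; clobbers eax, ebx, ecx, edx
lea edx, [hexcbuf+0]
mov ebx, 8
loophere:
mov cl, al
and cl, f // low nibble
add cl, 30 // 0-9 -> ASCII digit
cmp cl, 39
jle isnum
add cl, 7 // A-F
isnum:
dec ebx
mov byte ptr [edx+ebx], cl // fill from the right
sar eax, 4
cmp ebx, 0
jne loophere
ret
newmem+400:
inttostr: // buf = decimal text of unsigned eax, NUL terminated; clobbers eax, ebx, ecx, edx, esi
lea ecx, [buf+0]
mov ebx, #50 // decimal 50: zero the whole buffer first
itoaloop:
mov byte ptr [ecx], 0
inc ecx
dec ebx
cmp ebx, 0
jg itoaloop
// Digits come out least-significant first; esi counts them.
lea ecx, [buf+0]
xor esi, esi
mov ebx, #10 // decimal 10, the divisor
itoaloop2:
xor edx, edx // div uses edx:eax, so edx must be cleared each time
div ebx
add dl, 30 // remainder -> ASCII digit
mov byte ptr [ecx], dl
inc ecx
inc esi
cmp eax, 0
jne itoaloop2
// Reverse the esi digits in place with esi/2 swaps. A single digit needs no
// swap, and without this skip eax would be 0 and the dec below would wrap.
cmp esi, 1
je justone
xor edx, edx
mov eax, esi
mov ebx, 2
div ebx // eax = number of swaps
dec esi // esi = index of the last digit
xor ebx, ebx // ebx = index of the first digit
lea ecx, [buf+0]
itoaloop3:
mov dl, byte ptr [ecx+ebx]
mov dh, byte ptr [ecx+esi]
mov byte ptr [ecx+ebx], dh
mov byte ptr [ecx+esi], dl
dec eax
dec esi
inc ebx
cmp eax, 0
jne itoaloop3
justone:
ret
db 90 90 90 90
INJECT:
jmp newmem // 5-byte jmp + 1 nop replace the 6 original bytes
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 66 89 10 89 48 04 // restore the original bytes
unregistersymbol(INJECT)
dealloc(newmem)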
And output
| Code: | 168410001=0=1850000
389164000=0=7899999
1111310001=0=2299999
1111310001=0=2299999
1111310001=0=2299999
389161000=0=1799999
389165000=0=11299999
1111310001=0=2299999
................ |
Output values are correct.
If this code works for around 100 values no problem.
I must make this code work for 5000-6000 values. When i try this, sometimes the game crashes, and sometimes values are missing; for example, with 6000 values it writes only 3500 values to the txt.
What do you suggest ?
ysfc3m How do I cheat?
Posted: Thu May 14, 2020 5:06 pm Post subject: |
I need some suggestions, please. The code is working fine, as i wrote in my previous post, but output goes missing or the game crashes at 4000-6000 values.
What should i focus on?
- Finding a powerful computer with an SSD
- Try to enhance this assembly code
- Like @ParkourPenguin said "log the integer numbers to a large buffer, and have CE's Lua engine read and flush it to disk every so often"
- CE not enough for this, focus on c++ hook function