Cheat Engine The Official Site of Cheat Engine
Bit Byte (Advanced Cheater)
Reputation: 0
Joined: 28 Nov 2022, Posts: 62
Posted: Sat Aug 12, 2023 4:37 am
Post subject: How to get and write bytes to/from address in AA
I did this in AA:
Code:
[ENABLE]
alloc(newmem,100,"game.exe"+48830B)
label(returnhere)
label(exit)
label(buffer1)
label(buffer2)
label(buffer3)
newmem:
buffer1:
db 83 F9 0F 75 3d 52 48 8B 15
buffer2:
db readmem(((("game.exe"+1CBBA78) - (newmem + buffer1)) - 4))
buffer3:
db 48 8B 92 08 03 00 00 48 8B 92 90 00 00 00 48 8B 92 60 01 00 00 48 8B 52 38 48 8B 92 E0 04 00 00 48 8B 52 08 C7 42 48 0B 00 00 00 5A C7 43 0C FF FF FF FF EB 0A 89 4B 08 C7 43 0C FF FF FF FF
exit:
jmp returnhere
"game.exe"+48830B:
jmp newmem
nop 5
returnhere:
[DISABLE]
dealloc(newmem)
"game.exe"+48830B:
db 89 4B 08 C7 43 0C FF FF FF FF
Getting an error at buffer2:
db readmem(((("game.exe"+1CBBA78) - (newmem + buffer1)) - 4))
What I'm trying to do:
Code:
FireAllocatedMemory = Memory.VirtualAllocEx(Memory.handle, ModuleBase-1000, 100, (uint)Memory.AllocationType.Commit | (uint)Memory.AllocationType.Reserve, (uint)Memory.MemoryProtection.ExecuteReadWrite);
// buffer1 ends with 48 8B 15 = mov rdx,[rip+disp32]; the disp32 comes next
byte[] buffer1 = { 0x83, 0xF9, 0x0F, 0x75, 0x3d, 0x52, 0x48, 0x8B, 0x15 };
Memory.WriteBytes(FireAllocatedMemory, buffer1, buffer1.Length);
// disp32 = target - (address of the byte right after the 4-byte displacement)
byte[] buffer2 = BitConverter.GetBytes((int)(((ulong)(ModuleBase + 0x1CBBA78) - (ulong)(FireAllocatedMemory + buffer1.Length)) - 4));
Memory.WriteBytes(FireAllocatedMemory + buffer1.Length, buffer2, buffer2.Length);
byte[] buffer3 = { 0x48, 0x8B, 0x92, 0x08, 0x03, 0x00, 0x00, 0x48, 0x8B, 0x92, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x92, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x52, 0x38, 0x48, 0x8B, 0x92, 0xE0, 0x04, 0x00, 0x00, 0x48, 0x8B, 0x52, 0x08, 0xC7, 0x42, 0x48, 0x0B, 0x00, 0x00, 0x00, 0x5A, 0xC7, 0x43, 0x0C, 0xFF, 0xFF, 0xFF, 0xFF, 0xEB, 0x0A, 0x89, 0x4B, 0x08, 0xC7, 0x43, 0x0C, 0xFF, 0xFF, 0xFF, 0xFF };
Memory.WriteBytes(FireAllocatedMemory + buffer1.Length + buffer2.Length, buffer3, buffer3.Length);
The bytes from buffers 1, 2 and 3 should be written to newmem consecutively, but I'm having difficulty with buffer 2, because it's not straight-up bytes.
Help
ParkourPenguin (I post too much)
Reputation: 152
Joined: 06 Jul 2014, Posts: 4697
Posted: Sat Aug 12, 2023 11:21 am
This reads 4 bytes at the specified address and puts them where `readmem` is placed:
Code:
readmem("game.exe"+1CBBA78, 4)
If that's not good enough, use Lua:
Code:
buffer1:
db 83 F9 0F 75 3d 52 48 8B 15
{$lua}
if syntaxcheck then return 'db 0' end
local bytes = readBytes(address, size, true)
for k,v in ipairs(bytes) do
  bytes[k] = ('%02X'):format(v)
end
return 'db ' .. table.concat(bytes, ' ')
{$asm}
db 48...
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Bit Byte (Advanced Cheater)
Reputation: 0
Joined: 28 Nov 2022, Posts: 62
Posted: Sat Aug 12, 2023 1:53 pm
I tried using Lua in the middle, but I'm still getting an error:
Code:
[ENABLE]
alloc(newmem,100,"game.exe"+48830B)
label(returnhere)
label(exit)
label(buffer1)
label(buffer2)
label(buffer3)
registerSymbol(newmem)
registerSymbol(buffer1)
{$lua}
local BytesToWrite ={0x83, 0xF9, 0x0F, 0x75, 0x3D, 0x52, 0x48, 0x8B, 0x15}
writeBytes(buffer1, BytesToWrite)
local baseAddress = getAddress('[game.exe+1CBBA78]')
local buffer2 = readBytes(((baseAddress) - (newmem + buffer1)) - 4)
{$asm}
newmem:
db buffer1
db buffer2
buffer3:
db 48 8B 92 08 03 00 00 48 8B 92 90 00 00 00 48 8B 92 60 01 00 00 48 8B 52 38 48 8B 92 E0 04 00 00 48 8B 52 08 C7 42 48 0B 00 00 00 5A C7 43 0C FF FF FF FF EB 0A 89 4B 08 C7 43 0C FF FF FF FF
exit:
jmp returnhere
"game.exe"+48830B:
jmp newmem
nop 5
returnhere:
[DISABLE]
dealloc(newmem)
"game.exe"+48830B:
db 89 4B 08 C7 43 0C FF FF FF FF
My trouble is getting the bytes out of this line:
(((("game.exe"+1CBBA78) - (newmem + buffer1)) - 4)
Bit Byte (Advanced Cheater)
Reputation: 0
Joined: 28 Nov 2022, Posts: 62
Posted: Sun Aug 13, 2023 10:40 am
I got this almost working, except for the last jump back.
Here is what I did:
Made the first AA script table:
Code:
[ENABLE]
alloc(newmem,100,"game.exe"+48830B)
registerSymbol(newmem)
label(returnhere)
"game.exe"+48830B:
jmp newmem
db 90 90 90 90 90
returnhere:
[DISABLE]
"game.exe"+48830B:
db 89 4B 08 C7 43 0C FF FF FF FF
unregistersymbol(newmem)
dealloc(newmem)
Then I made a second AA script table as a child of the first, which activates on parent activation and does the byte writing into the allocated newmem:
Code:
[ENABLE]
{$lua}
local buffer1 = { 0x83, 0xF9, 0x0F, 0x75, 0x3D, 0x52, 0x48, 0x8B, 0x15 }
local ModuleBase = getAddress('"game.exe" + 0x1CBBA78')
local newmem = getAddress('newmem')
local buffer2Value = (ModuleBase) - (newmem + #buffer1) - 4
local buffer2 = {}
for i = 1, 4 do
  buffer2[i] = buffer2Value % 256
  buffer2Value = math.floor(buffer2Value / 256)
end
local buffer3 = { 0x48, 0x8B, 0x92, 0x08, 0x03, 0x00, 0x00, 0x48, 0x8B, 0x92, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x92, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x52, 0x38, 0x48, 0x8B, 0x92, 0xE0, 0x04, 0x00, 0x00, 0x48, 0x8B, 0x52, 0x08, 0xC7, 0x42, 0x48, 0x0B, 0x00, 0x00, 0x00, 0x5A, 0xC7, 0x43, 0x0C, 0xFF, 0xFF, 0xFF, 0xFF, 0xEB, 0x0A, 0x89, 0x4B, 0x08, 0xC7, 0x43, 0x0C, 0xFF, 0xFF, 0xFF, 0xFF }
writeBytes(newmem, buffer1)
writeBytes(newmem + #buffer1, buffer2)
writeBytes(newmem + #buffer1 + #buffer2, buffer3)
[DISABLE]
This works as it is supposed to: it writes the correct bytes to the allocated newmem. The only part that isn't being written is the jump back to returnhere.
What do I need to do? Help please.
ParkourPenguin (I post too much)
Reputation: 152
Joined: 06 Jul 2014, Posts: 4697
Posted: Sun Aug 13, 2023 11:29 am
Alright, curiosity got me and I took a closer look at what you're doing. You're making this far more complicated than it needs to be.
First of all, stop writing everything in bytes. There's no need to do that.
Secondly, let CE handle RIP-relative addressing. There's no reason you have to do that.
Use the "Full Injection" template. Something like this:
Code:
define(address,"game.exe"+48830B)
define(bytes,89 4B 08 C7 43 0C FF FF FF FF)
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000,address)
label(originalcode)
label(exit)
label(return)
newmem:
  cmp ecx,0F
  jne originalcode
  push rdx
  mov rdx,["game.exe"+1CBBA78] // this just works- no need for manual RIP-relative addressing shenanigans
  mov rdx,[rdx+00000308]
  mov rdx,[rdx+00000090]
  mov rdx,[rdx+00000160]
  mov rdx,[rdx+38]
  mov rdx,[rdx+000004E0]
  mov rdx,[rdx+08]
  mov [rdx+48],0000000B
  pop rdx
  mov [rbx+0C],FFFFFFFF
  jmp exit
originalcode:
  mov [rbx+08],ecx
  mov [rbx+0C],FFFFFFFF
exit:
  jmp return
address:
  jmp newmem
  nop 5
return:
[DISABLE]
address:
  db bytes
dealloc(newmem)
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Bit Byte (Advanced Cheater)
Reputation: 0
Joined: 28 Nov 2022, Posts: 62
Posted: Mon Aug 14, 2023 8:55 am
I tried doing that for another script, but now I get an error somewhere else:
Code:
define(address,"game.exe"+4883A6)
define(bytes,89 43 08 41 B1 01)
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000,address)
label(originalcode)
label(exit)
label(return)
newmem:
  cmp byte ptr ["game.exe"+1CBC9F8]
  jne originalcode
  push rdx
  mov rdx,["game.exe"+1CBBA78]
  mov rdx,[rdx+00000308]
  mov rdx,[rdx+00000090]
  mov rdx,[rdx+00000160]
  mov rdx,[rdx+38]
  mov rdx,[rdx+000004E0]
  mov rdx,[rdx+08]
  mov [rdx+48],0000000B
  pop rdx
  mov r9l,01
  jmp exit
originalcode:
  mov [rbx+08],00000003
  mov r9l,01
exit:
  jmp return
address:
  jmp newmem
  nop 1
return:
[DISABLE]
address:
  db bytes
dealloc(newmem)
Got an error on the first line at newmem:
cmp byte ptr ["game.exe"+1CBC9F8]
The instruction can't be compiled.
As before, this is what I'm converting from:
Code:
byte[] buffer1 = { 0x80, 0x3d};
Memory.WriteBytes(Fire2AllocatedMemory, buffer1, buffer1.Length);
byte[] buffer2 = BitConverter.GetBytes((int)(((ulong)(ModuleBase + 0x1CBC9F8) - (ulong)(RapidFire2AllocatedMemory + buffer1.Length)) - 4));
Memory.WriteBytes(Fire2AllocatedMemory + buffer1.Length, buffer2, buffer2.Length);
byte[] buffer3 = { 0x1, 0x75, 0x39, 0x52, 0x48, 0x8b, 0x15 };
Memory.WriteBytes(Fire2AllocatedMemory + buffer1.Length + buffer2.Length, buffer3, 7);
-----
-----
The error is from converting the buffer2 part, but I don't know what.
LeFiXER (Grandmaster Cheater Supreme)
Reputation: 20
Joined: 02 Sep 2011, Posts: 1069, Location: 0x90
Posted: Mon Aug 14, 2023 9:34 am
a2z wrote:
> Got an error on the first line at newmem:
> cmp byte ptr ["game.exe"+1CBC9F8]
> The instruction can't be compiled.
What are you comparing against? I suggest you follow ParkourPenguin's advice.
ParkourPenguin (I post too much)
Reputation: 152
Joined: 06 Jul 2014, Posts: 4697
Posted: Mon Aug 14, 2023 10:28 am
The bytes `80 3d ?? ?? ?? ?? 01` should be `cmp byte ptr ["game.exe"+1CBC9F8],01`.
You forgot the `,01` at the end.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
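The displacement arithmetic that runs through this whole thread (the C# in the first post, the byte-splitting Lua loop in the fourth, and the `cmp byte ptr [...],01` encoding settled just above), as an added example that is not from the thread or from Cheat Engine. It is written in Python so it can be run and checked on its own outside CE; every address in it (MODULE_BASE, CAVE, CAVE_ABOVE and the two targets) is a constructed placeholder, not a value from any real process. It encodes both instruction forms, decodes them back to recover the absolute target, and makes the one rule explicit that decides the `- 4`: the CPU resolves `[rip+disp32]` against the address of the next instruction, so the reference point is the end of the whole instruction, and an immediate byte that follows the disp32 (the `01`) moves that point by one more byte than a bare `mov rdx,[rip+disp32]` does.

```python
"""Encode and check x86-64 RIP-relative disp32 values (added example, not CE code)."""
import struct

# ModRM 0x15 = mod 00, reg 010 (rdx), r/m 101 -> [rip+disp32] in 64-bit mode.
OPC_MOV_RDX_RIP = b"\x48\x8B\x15"      # mov rdx,[rip+disp32]
# 80 /7 ib, ModRM 0x3D = mod 00, reg 111 (/7 = CMP), r/m 101 -> [rip+disp32].
OPC_CMP_BYTE_RIP = b"\x80\x3D"         # cmp byte ptr [rip+disp32],imm8

# opcode bytes -> (mnemonic, number of immediate bytes that follow the disp32)
KNOWN_FORMS = {
    OPC_MOV_RDX_RIP: ("mov rdx,[rip+disp32]", 0),
    OPC_CMP_BYTE_RIP: ("cmp byte ptr [rip+disp32],imm8", 1),
}


def rip_relative_disp32(instr_start: int, instr_len: int, target: int) -> int:
    """disp32 such that [rip+disp32] == target for the instruction at instr_start.

    The CPU adds disp32 to the address of the *next* instruction, so instr_len
    must count every byte of the instruction, including an immediate that sits
    after the displacement (the `,01` of `cmp byte ptr [...],01`).
    """
    disp = target - (instr_start + instr_len)
    if not -0x8000_0000 <= disp <= 0x7FFF_FFFF:
        raise ValueError(f"target {target:#x} is not within +/-2 GiB of {instr_start:#x}")
    return disp


def to_le_bytes(value: int, width: int = 4) -> bytes:
    """Little-endian two's-complement split, the same arithmetic as the Lua loop
    in the thread (value % 256, then floor-divide by 256), for negative values too."""
    out = bytearray()
    for _ in range(width):
        out.append(value % 256)   # non-negative for a positive modulus, like Lua's %
        value //= 256             # floor division, like math.floor(value / 256)
    return bytes(out)


def encode(opcode: bytes, instr_start: int, target: int, imm: bytes = b"") -> bytes:
    """Emit opcode + disp32 + imm for one RIP-relative instruction placed at instr_start."""
    instr_len = len(opcode) + 4 + len(imm)
    disp = rip_relative_disp32(instr_start, instr_len, target)
    return opcode + struct.pack("<i", disp) + imm


def decode(instr_start: int, code: bytes):
    """Recover (mnemonic, absolute target, remaining bytes) from one encoded
    instruction of a known form, e.g. from bytes read back out of a cave."""
    for opcode, (mnemonic, imm_len) in KNOWN_FORMS.items():
        if code.startswith(opcode):
            instr_len = len(opcode) + 4 + imm_len
            (disp,) = struct.unpack_from("<i", code, len(opcode))
            return mnemonic, instr_start + instr_len + disp, code[instr_len:]
    raise ValueError("unrecognised instruction form: " + code[:3].hex())


# Constructed placeholder addresses (not from any real process).
MODULE_BASE = 0x7FF6_1000_0000
CAVE = MODULE_BASE - 0x1000              # cave below the module, like the thread's alloc hint
CAVE_ABOVE = MODULE_BASE + 0x200_0000    # cave above the module -> negative disp32
POINTER_SLOT = MODULE_BASE + 0x1CBBA78   # stands in for "game.exe"+1CBBA78
FLAG_BYTE = MODULE_BASE + 0x1CBC9F8      # stands in for "game.exe"+1CBC9F8


def build_mov_cave(cave: int = CAVE, target: int = POINTER_SLOT) -> bytes:
    """The thread's first layout: 6 bytes of prefix code, then mov rdx,[rip+disp32]."""
    prefix = bytes.fromhex("83 F9 0F 75 3D 52")       # cmp ecx,0F / jne +3D / push rdx
    mov = encode(OPC_MOV_RDX_RIP, cave + len(prefix), target)
    return prefix + mov


def build_cmp_cave(cave: int = CAVE_ABOVE, target: int = FLAG_BYTE) -> bytes:
    """The thread's second layout: cmp byte ptr [rip+disp32],01 at the cave start."""
    return encode(OPC_CMP_BYTE_RIP, cave, target, imm=b"\x01")


if __name__ == "__main__":
    code = build_mov_cave()
    mnem, tgt, _ = decode(CAVE + 6, code[6:])
    print(code.hex(" "), "->", mnem, f"target={tgt:#x}")
    code = build_cmp_cave()
    mnem, tgt, _ = decode(CAVE_ABOVE, code)
    print(code.hex(" "), "->", mnem, f"target={tgt:#x}")
```

`decode` is the check worth running on whatever is actually in the cave (the bytes `readmem`/`readBytes` return) before relying on it: if the recovered target is not the address you meant, the displacement was taken from the wrong reference point. For the `mov` layout the thread's `target - (alloc + len(buffer1)) - 4` is exactly `rip_relative_disp32` with the instruction ending right after the disp32; for the `cmp ...,01` layout the instruction ends one byte later, which is also why letting CE assemble the mnemonic, as ParkourPenguin suggested, avoids the question entirely.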
Bit Byte (Advanced Cheater)
Reputation: 0
Joined: 28 Nov 2022, Posts: 62
Posted: Wed Aug 16, 2023 1:27 am
Thank you for pointing that out. It works.