Cheat Engine The Official Site of Cheat Engine

will354 (Joined: 14 Dec 2024, Posts: 6)
Posted: Sat Dec 14, 2024 12:30 pm Post subject: [Need Help] Find the Static Address of the Instruction
Please help me, how do I find the static address of the instruction? I want to get the RIP register, since that register stores the static address. I want to put the address into the cheat table like this:
* look at attachment file 1 *
to this:
* look at attachment file 2 *
I can't do that because the address changes when I re-open the game.
*disclaimer* the address is not only 100156CC or 100156D0; the address range is something like 10015000-10015FFF(?).
Thank you
[Attachment 1: image]
[Attachment 2: image]
ParkourPenguin (Joined: 06 Jul 2014, Posts: 4697)
Posted: Sat Dec 14, 2024 12:56 pm
Use Template -> AOB Injection
_________________
I don't know where I'm going, but I'll figure it out when I get there.
will354 (Joined: 14 Dec 2024, Posts: 6)
Posted: Sat Dec 14, 2024 7:11 pm
How can I perform a function like "find out what writes to this address" in cheat table code? Because the AOB only appears when I do "find out what writes to this address" on the health pointer.
* look at attachment file *
[Attachment: AOB scan with no result ("find out what writes to this address" not pressed yet)]
[Attachment: the AOB scan gives a result when "find out what writes to this address" is pressed]
ParkourPenguin (Joined: 06 Jul 2014, Posts: 4697)
Posted: Sat Dec 14, 2024 8:04 pm
Right click in the area with the checkboxes Writable, Executable, and CopyOnWrite. Click "Preset: scan all memory".
will354 (Joined: 14 Dec 2024, Posts: 6)
Posted: Sat Dec 14, 2024 10:47 pm
Ok thank you, the scan works now. But I have a new issue: the game crashes when I use the AOB injection (the injection only works with code injection; a bit weird, or actually my cheat table code is not valid #cmiiw). How can I put the address result from the AOB scan into the code injection address in the cheat table framework code?
Code: |
[ENABLE]
// rev the code thank to DarkByte
//code from here to '[DISABLE]' will be used to enable the cheat
aobscan(INJECT,48 89 4A 78 4C 8B 44 24 10) // should be unique
alloc(newmem,$1000,INJECT)
label(code)
label(return)
newmem:
cmp [rdx+78+264], 0
jne code
mov [rdx+78],rcx
mov r8,[rsp+10]
jmp return
code:
mov [rdx+78],0
mov r8,[rsp+10]
jmp return
INJECT:
jmp newmem
nop 4
return:
registersymbol(INJECT)
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT:
db 48 89 4A 78 4C 8B 44 24 10
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 10C017C3
10C01780: 48 BB 78 B3 9B 44 FF 7F 00 00 - mov rbx,libil2cpp.so.1+2DC7378
10C0178A: 48 89 9D 60 01 00 00 - mov [rbp+00000160],rbx
10C01791: FF 25 19 E3 E1 FF - jmp qword ptr [10A1FAB0]
10C01797: C7 85 20 0B 00 00 78 BA 67 03 - mov [rbp+00000B20],libunity.so+2DBA78
10C017A1: 48 8B 95 08 01 00 00 - mov rdx,[rbp+00000108]
10C017A8: 48 8B B2 80 00 00 00 - mov rsi,[rdx+00000080]
10C017AF: 48 89 B5 B8 00 00 00 - mov [rbp+000000B8],rsi
10C017B6: 4C 89 F9 - mov rcx,r15
10C017B9: 4C 89 BD B0 00 00 00 - mov [rbp+000000B0],r15
10C017C0: 49 29 F7 - sub r15,rsi
// ---------- INJECTING HERE ----------
10C017C3: 48 89 4A 78 - mov [rdx+78],rcx
// ---------- DONE INJECTING ----------
10C017C7: 4C 8B 44 24 10 - mov r8,[rsp+10]
10C017CC: 4C 89 85 10 01 00 00 - mov [rbp+00000110],r8
10C017D3: 48 8B 54 24 18 - mov rdx,[rsp+18]
10C017D8: 48 89 95 08 01 00 00 - mov [rbp+00000108],rdx
10C017DF: 48 8B 7C 24 00 - mov rdi,[rsp+00]
10C017E4: 48 89 BD 60 01 00 00 - mov [rbp+00000160],rdi
10C017EB: 4C 8B 4C 24 08 - mov r9,[rsp+08]
10C017F0: 4C 89 8D 18 01 00 00 - mov [rbp+00000118],r9
10C017F7: 48 8D 64 24 20 - lea rsp,[rsp+20]
10C017FC: 48 89 F9 - mov rcx,rdi
}
[Attachment: image]
Last edited by will354 on Sun Dec 15, 2024 11:45 am; edited 1 time in total
Dark Byte, Site Admin (Joined: 09 May 2003, Posts: 25785, Location: The netherlands)
Posted: Sun Dec 15, 2024 11:23 am
where is exit ?
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
will354 (Joined: 14 Dec 2024, Posts: 6)
Posted: Sun Dec 15, 2024 12:28 pm
Thank you for the correction, I fixed the code and it works perfectly. I figured it out: the problem is that my array of bytes is not static. I searched for it with 48 89 ?? 78 ?? 8B ?? 24 10 and it works, but the instruction is not the same as the static bytes, I mean the register changes. How do I deal with this situation? What should I write for a dynamic AOB? Should I use something like this?
Code: |
[ENABLE]
// rev the code thank to DarkByte
//code from here to '[DISABLE]' will be used to enable the cheat
aobscan(INJECT,48 89 ?? 78 ?? 8B ?? 24 10) // should be unique
alloc(newmem,$1000,INJECT)
label(code)
label(return)
newmem:
cmp [rdx+78+264], 0
jne code
mov [rdx+78],rcx
?? // mov r8,[rsp+10]; the game sometime change the r8 register to another type register like rsi or something. Should i put the "??" in this line?
jmp return
code:
mov [rdx+78],0
?? // mov r8,[rsp+10]; the game sometime change the r8 register to another type register like rsi or something. Should i put the "??" in this line?
jmp return
INJECT:
jmp newmem
nop 4
return:
registersymbol(INJECT)
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT:
db 48 89 ?? 78 ?? 8B ?? 24 10
unregistersymbol(INJECT)
dealloc(newmem)
ParkourPenguin (Joined: 06 Jul 2014, Posts: 4697)
will354 (Joined: 14 Dec 2024, Posts: 6)
Posted: Sun Dec 15, 2024 11:23 pm
OK, thank you very much to @ParkourPenguin and @Dark Byte, the code is working now. My last question: how is this number calculated? Because it looks like it nops the last 5 bytes.
Additional info if needed:
Code: |
{
// ORIGINAL CODE - INJECTION POINT: 104C2F73-3 // old first inject point i got
104C2F30: 48 BB 78 73 BC 44 FF 7F 00 00 - mov rbx,libil2cpp.so.1+2DC7378
104C2F3A: 48 89 9D 60 01 00 00 - mov [rbp+00000160],rbx
104C2F41: FF 25 49 B1 E9 FF - jmp qword ptr [1035E090]
104C2F47: C7 85 20 0B 00 00 58 20 02 03 - mov [rbp+00000B20],03022058
104C2F51: 48 8B 95 08 01 00 00 - mov rdx,[rbp+00000108]
104C2F58: 48 8B B2 80 00 00 00 - mov rsi,[rdx+00000080]
104C2F5F: 48 89 B5 B8 00 00 00 - mov [rbp+000000B8],rsi
104C2F66: 4C 89 F9 - mov rcx,r15
104C2F69: 4C 89 BD B0 00 00 00 - mov [rbp+000000B0],r15
// ---------- SCAN PATTERN FROM HERE ---
104C2F70: 49 29 F7 - sub r15,rsi
// ---------- INJECTING HERE ----------
104C2F73: 48 89 4A 78 - mov [rdx+78],rcx
// ---------- DONE INJECTING ----------
104C2F77: 4C 8B 44 24 10 - mov r8,[rsp+10]
104C2F7C: 4C 89 85 10 01 00 00 - mov [rbp+00000110],r8 // looks like it nop this byte 85 10 01 00 00
// end to this byte, so from address 104C2F70 to 104C2F7C
104C2F83: 48 8B 54 24 18 - mov rdx,[rsp+18]
104C2F88: 48 89 95 08 01 00 00 - mov [rbp+00000108],rdx
104C2F8F: 48 8B 7C 24 00 - mov rdi,[rsp+00]
104C2F94: 48 89 BD 60 01 00 00 - mov [rbp+00000160],rdi
104C2F9B: 4C 8B 4C 24 08 - mov r9,[rsp+08]
104C2FA0: 4C 89 8D 18 01 00 00 - mov [rbp+00000118],r9
104C2FA7: 48 8D 64 24 20 - lea rsp,[rsp+20]
104C2FAC: 48 89 F9 - mov rcx,rdi
}
[Attachment: how does this nop calculation actually work?]
ParkourPenguin (Joined: 06 Jul 2014, Posts: 4697)
Posted: Mon Dec 16, 2024 12:24 pm
Looks like CE couldn't allocate memory nearby, so it used the 14-byte `jmp` instead. (or you told CE to do that)
Either way, `jmp newmem` should be `jmp far newmem` to guarantee a 14-byte `jmp`. If by random chance memory near `aobBaseAddress` is used, a 5-byte `jmp` would be automatically used and bad things happen.
`nop 5` is used to align the `return` label properly.
Code: |
104C2F70: 49 29 F7 - sub r15,rsi - 3 bytes; not enough
104C2F73: 48 89 4A 78 - mov [rdx+78],rcx - 7 bytes; not enough
104C2F77: 4C 8B 44 24 10 - mov r8,[rsp+10] - 12 bytes; not enough
104C2F7C: 4C 89 85 10 01 00 00 - mov [rbp+00000110],r8 - 19 bytes; 19-14 = 5 bytes to `nop`
|
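As an added illustration of the byte-count arithmetic in the post above (this is not code from the thread or from Cheat Engine itself), the following Python script parses a listing in CE's `address: bytes - mnemonic` format, walks forward from a chosen instruction until a 5-byte or 14-byte `jmp` is fully covered, and reports the `nop` padding needed for the `return` label to land on the next original instruction boundary. It also runs a wildcard byte scan, the way `aobscan` does, over the same bytes, which shows why a short pattern such as `48 89` is not unique while `48 89 ?? 78 ?? 8B ?? 24 10` from the earlier post matches exactly once. The listing is a constructed copy of the rows quoted above, the function and constant names are my own, and the scanner assumes the listing is contiguous. The same count is what an analyst inspecting a suspected inline hook uses to work out how many original bytes were displaced.

```python
import re

# Constructed sample input: the rows of the "ORIGINAL CODE" listing quoted in
# the thread, in the "address: bytes - mnemonic" format Cheat Engine emits.
LISTING = """
104C2F70: 49 29 F7 - sub r15,rsi
104C2F73: 48 89 4A 78 - mov [rdx+78],rcx
104C2F77: 4C 8B 44 24 10 - mov r8,[rsp+10]
104C2F7C: 4C 89 85 10 01 00 00 - mov [rbp+00000110],r8
104C2F83: 48 8B 54 24 18 - mov rdx,[rsp+18]
104C2F88: 48 89 95 08 01 00 00 - mov [rbp+00000108],rdx
"""

# One listing row: hex address, one or more hex byte pairs, " - ", mnemonic.
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]+):\s+((?:[0-9A-Fa-f]{2}\s+)+)-\s*(.*)$")

NEAR_JMP = 5   # E9 rel32: used when CE can allocate within +/-2 GB of the target
FAR_JMP = 14   # FF 25 00 00 00 00 + 8-byte absolute address (`jmp far`)


def parse_listing(text):
    """Return [(address, raw_bytes, mnemonic), ...]; comment and blank lines are skipped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = bytes.fromhex("".join(m.group(2).split()))
        insns.append((int(m.group(1), 16), raw, m.group(3).strip()))
    return insns


def hook_layout(insns, inject_addr, jmp_size):
    """Walk instructions from inject_addr until at least jmp_size bytes are covered.

    Returns (displaced_instructions, covered_bytes, nop_count): the jmp overwrites
    covered_bytes, and nop_count = covered_bytes - jmp_size pads the patch so the
    `return` label lands on the next original instruction boundary.
    """
    try:
        start = next(i for i, (addr, _, _) in enumerate(insns) if addr == inject_addr)
    except StopIteration:
        raise ValueError(f"inject address {inject_addr:X} is not an instruction boundary")
    displaced, covered = [], 0
    for insn in insns[start:]:
        displaced.append(insn)
        covered += len(insn[1])
        if covered >= jmp_size:
            return displaced, covered, covered - jmp_size
    raise ValueError("listing ends before the jmp is fully covered")


def parse_pattern(pattern):
    """'48 89 ?? 78' -> [0x48, 0x89, None, 0x78]; None is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def aob_scan(buf, pattern):
    """Return every offset in buf where the wildcard pattern matches."""
    pat = parse_pattern(pattern)
    return [
        i for i in range(len(buf) - len(pat) + 1)
        if all(p is None or buf[i + k] == p for k, p in enumerate(pat))
    ]


def scan_listing(insns, pattern):
    """Run aob_scan over the listing's bytes and map hits back to addresses.

    Assumes the listing is contiguous (no gaps between rows), as CE's listing is.
    """
    buf = b"".join(raw for _, raw, _ in insns)
    return [insns[0][0] + off for off in aob_scan(buf, pattern)]


if __name__ == "__main__":
    insns = parse_listing(LISTING)
    # 5-byte jmp at the first script's injection point, 14-byte jmp at the later one.
    for addr, size in ((0x104C2F73, NEAR_JMP), (0x104C2F70, FAR_JMP)):
        displaced, covered, nops = hook_layout(insns, addr, size)
        print(f"{size}-byte jmp at {addr:X}:")
        running = 0
        for a, raw, mnem in displaced:
            running += len(raw)
            print(f"  {a:X}: {raw.hex(' ').upper()} - {mnem} - {running} bytes")
        print(f"  covered {covered} bytes -> nop {nops}")
    for pat in ("48 89 ?? 78 ?? 8B ?? 24 10", "48 89"):
        hits = scan_listing(insns, pat)
        print(f"pattern {pat!r}: {len(hits)} hit(s) at {[f'{h:X}' for h in hits]}")
```

Run as-is it reproduces the table above (19 bytes covered, `nop 5` for the 14-byte `jmp`) and the `nop 4` of the first script (9 bytes covered by a 5-byte `jmp` at 104C2F73). Choosing an address that is not an instruction boundary raises an error rather than silently producing a wrong count, which is the case that makes a patched game crash.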
will354 (Joined: 14 Dec 2024, Posts: 6)
Posted: Tue Dec 17, 2024 1:49 am
thank you for the explanation @ParkourPenguin