Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Code Injection TUT

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Tutorials
View previous topic :: View next topic  
Author Message
soulx`
Cheater
Reputation: 0

Joined: 06 Jun 2006
Posts: 25

PostPosted: Fri Jun 09, 2006 7:23 am    Post subject: Code Injection TUT Reply with quote

Well bit bored so i thought id mess about with code injection and decided to write this to help beginner's to gamehacking learn more about code injection..

I will be using Windows Minesweeper to show this on as this saves my PC alot of ram and almost everyone has this on there PC Wink

In this tut i will be showing you how you can use code injection to get a specified game to do what ever you want it to do when you want it to do it.
I will be using Tsearch , not because i do not like CE i think CE is one of best memory scanners out there , but because ive always used Tsearch, i suggest you work with the tool you know best.

Ok let's start..

I load up minesweeper and tsearch, if you use CE which you most likely do, load that up. (dont let me put you off because i use Tsearch, it is just what im use to using)
Start playing you will notice your time is going up by 1 each time.. lets get the address for this value.. Now your probably saying, u cant enter in the exact value because it changes before you can do that.. so what we will do is peform a "Range" search, set your range search to scan for the value 10-20 , when your time hits 10 , peform the search.

You will get several address's, now let your time increase a bit and do a search has increased, do this until your down to 1 address which is the timer address, you will know it's the correct one because it will be increasing by 1 every second. Ok now lets see what is happening at this address, so lets Auto Hack (tsearch) / Find out what writes to this address (cheat engine, correct me if im wrong on this) . Ok once you do that, you will see almost straight away the following:

1002FF5: inc dword ptr [0x100579c]

Bingo , this is increment , meaning this is increasing the value stored at 100579c by 1 every second. Now, we could simply NOP this to stop the timer so our time will not increase, but that would be no fun and wouldnt really help you much with learning code injection..
So im going to show you how to add 400 to the timer using code injection.

Ok, now find a code cave, i use 0x10bb0 for most games, and will be using this code cave for minesweeper, you can find your own if you like, now to make our code injection script to add 400.

I use t search which uses Easywrite for code injection, so load up what ever CE uses to write scripts for code injection.

Since i choose 0x10bb0 for my code cave, this is the first thing i set in my script, i do this by typing:

Offset 0x10bb0

Now that this is done the next line of code is what will be writing 400 to our address, so that the timer will show 400, we do this by adding the following line to our script:

mov dword ptr [0x100579c],0x190

Now this is what writes 400 to our address 100579c , now your probably asking yourself where i get the 190 from? well since i wanted to add 400 to that address, i had to convert that to HEX which = 00000190 , there is many converter's out there which can do this for you.

next what we do is jump to the next procedure, the address to the next procedure is 1002ffb i found this out by looking at the address below are event 1002FF5: inc dword ptr [0x100579c] , if you dont do this , minesweeper will most likely freeze or close. So lets add this to our script :

jmp 0x1002ffb <- jump to the next procedure

Next we want the game to read our funtion mov dword ptr [0x100579c],0x190 and not inc dword ptr [0x100579c] , so we declare the offset 1002ff5 ( as this is where the event inc dword ptr [0x100579c] is taking place ) , what this really does is brings us to that offset and waits for you to tell it something to replace it with, we do this by adding the following to the script:

offset 0x1002ff5 <-- using this location now we will...
jmp 0x10bb0 <-- jump to our code cave to use our own function

That's it complete! Now your whole script should look like this:

offset 0x10bb0 <- using our code cave
mov dword ptr [0x100579c],0x190 <- write 400 to the address 100579c
jmp 0x1002ffb <- jump to the next procedure
offset 0x1002ff5 <- using the original procedure
jmp 0x10bb0 <- jump to our code cave

Trainer Making Kit Poke codes for my script:

Poke 10BB0 C7 05 9C 57 00 01 90 01 00 00 E9
Poke 10BBB 3C 24 FF 00
Poke 1002FF5 E9 B6 DB 00 FF

I use a converter to convert my script into Poke codes, so i can make a trainer with my script.

Now to get this back to normal we can write the following script:

offset 0x1002ff5 <- original procedure
inc dword ptr [0x100579c]

Poke code for this script:

Poke 1002FF5 FF 05 9C 57 00 01

Thats all there is to it.. this will set the original procedure's event back to what it was to begin with.


I made a trainer out of the script in TMK, you can download here if you wish to see it in action.

http://rapidsharing.com/download.php?id=719D3E1A

Now this was only a demonstration, obviously adding 400 to your timer in minesweeper has a very bad effect, but in other games this method can be very helpfull to you, ie: you have 100 health, with this method you could change it to what ever you like , same with ammo, and lots of other things, im not saying this script will work with other games, as it will not but it will lead you in the right direction to start making your own code injection scripts for other games.

There is much much more things you can do with code injection , i hope this has helped some beginner's learn more about code injection, i recommend you try making your own scripts and practice on different games, practice makes perfect Smile


Enjoy
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Sat Jun 10, 2006 5:31 am    Post subject: Reply with quote

Just one caution to add to this:
If you have a recent cpu (bought within the last year) and have sp2 and no modified bios settings or boot.ini, then codecaves like 0x10bb0 will not work since they arn't marked as executable and will cause a access violation when executed.

In ce you can use the fullaccess(10bb0) command to make it executable as well

also, for those that don't know how to use ce and the assembler, I have converted the script for tsearch to a ce assembler script
Code:

alloc(mycave,32)
mycave:
mov dword ptr [100579c],190
jmp 1002ffb

1002ff5:
jmp mycave


and to put it in a trainer made by ce:
Code:

[enable]
alloc(mycave,2048)
mycave:
mov dword ptr [100579c],190
jmp 1002ffb

1002ff5:
jmp mycave

[disable]
dealloc(mycave)

1002ff5:
inc dword ptr [100579c]

Then just click on file->assign to cheat table, and then you can use it in the trainer maker section, enabling and disabling as you like

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
dEagle
Expert Cheater
Reputation: 0

Joined: 17 Jun 2006
Posts: 225
Location: CheatEngine Forum

PostPosted: Sun Jun 18, 2006 4:14 am    Post subject: Reply with quote

Is it possible to Inject codes with Cheat Engine?
I don't know how to write scripts with Cheat engine
And also im not good at T-Search
Back to top
View user's profile Send private message
chelvan
Newbie cheater
Reputation: 0

Joined: 20 Jun 2006
Posts: 12

PostPosted: Tue Jun 20, 2006 7:39 pm    Post subject: Reply with quote

sorry, i am a complete noob .. can i ask . how u find the next process in ce ?

jmp 1002ffb
// where did u find that?? i can only do a ctrl g to find 100579c but if i know that already .. i don't need to search for it if i am making one
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Wed Jun 21, 2006 1:10 am    Post subject: Reply with quote

find the timer and then find out what writes to that address
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
Xion9
How do I cheat?
Reputation: 0

Joined: 02 Jul 2006
Posts: 7

PostPosted: Sun Jul 02, 2006 4:58 am    Post subject: Reply with quote

thx alot...what a got tut
pushhhhhhhh
Back to top
View user's profile Send private message
ZeroTech
How do I cheat?
Reputation: 0

Joined: 13 Jan 2008
Posts: 7

PostPosted: Sun Jan 13, 2008 8:14 pm    Post subject: Reply with quote

wow thanks man works fine for me.
tho it was a little confusing trying to find how to add the code cave using CE.
If anyone else is having that problem like i did.

just after u "Find Out What Writes To This Address"
Select "Show Disassembler"

Then Right Click the Address You Found and Pick the Last Option
"Create Jump and initialize Code-Cave"
Then input (If using The Guide) "010bb0" and "32" for space i think it was.

Then Select "Tools" Tab and Select "Auto Assembler"

add

alloc(mycave,32)
mycave:
mov dword ptr [100579c],190
jmp 1002ffb

1002ff5:
jmp mycave

and Press Execute.
Done.

Smile

1 question i do have concerning the guide.

im bad with the calc could someone post how to convert using the calc

i no its Scientific Calc. and Hex Box checked. but i dont understand how 400 = 190

thx.

again nice tut help alot
Back to top
View user's profile Send private message Send e-mail AIM Address
Slugsnack
Grandmaster Cheater Supreme
Reputation: 71

Joined: 24 Jan 2007
Posts: 1857

PostPosted: Mon Jan 21, 2008 10:54 am    Post subject: Reply with quote

Go to calculator, and scientific view, and make sure the decimal box is checked. Type in 400 and press the hex box and it should convert it to 190.

If you don't understand where it got that number from then remember decimal is base 10 and hexadecimal, base 16. So 190h = 1*16^2 + 9*16^1 + 0*16^0 = 256 + 144 + 0 = 400d.
Back to top
View user's profile Send private message
Kapps
Expert Cheater
Reputation: 0

Joined: 20 May 2006
Posts: 219

PostPosted: Sat Jan 26, 2008 12:46 am    Post subject: Reply with quote

Easier to tick Hex in the value search thingy part of CE, put in the number, then untick Hex to convert from Hex to Decimal, or vice-versa.
Back to top
View user's profile Send private message
tornarrow
Master Cheater
Reputation: 0

Joined: 29 Jan 2008
Posts: 289

PostPosted: Tue Jan 29, 2008 11:16 pm    Post subject: Reply with quote

Nice. thanks
Back to top
View user's profile Send private message
Dizzle342
Cheater
Reputation: 0

Joined: 26 Feb 2008
Posts: 46
Location: Under Your Bed!!!

PostPosted: Thu Feb 28, 2008 3:25 am    Post subject: Reply with quote

this helps thanks
_________________
Dizzle's 1337 Trainer is currently in final stages. Looks very promising =D
Back to top
View user's profile Send private message
SILENT_SUFFERER
Cheater
Reputation: 0

Joined: 28 Mar 2012
Posts: 28

PostPosted: Mon Jul 09, 2012 10:29 am    Post subject: Reply with quote

Quote:
I use a converter to convert my script into Poke codes, so i can make a trainer with my script.
What program do you use to conver the scripts to poke codes?
Back to top
View user's profile Send private message
Viajante759
How do I cheat?
Reputation: 0

Joined: 24 Nov 2012
Posts: 4

PostPosted: Sun Nov 25, 2012 9:20 am    Post subject: How to Scan Timers? Reply with quote

Hello guys;

Im playin at the moment "War Commander", Its a app game from Facebook.

Ive already changed the easiest things using "Cheat Engine" and im trying for some days to "Scan" the timer from the buildings so I can do like a "Instant Building" turn 01d11h30m into 00d00h00m.

My problem is, I dont have the knowledge to do it, and It might be quite hard to Scan aswell.

Will w8 for some answers to see if I can get my answer ^^

Cya around Guys, Ty!
Back to top
View user's profile Send private message
sullx
Cheater
Reputation: 0

Joined: 03 Jan 2013
Posts: 37

PostPosted: Tue Jan 08, 2013 10:18 pm    Post subject: Reply with quote

Dark Byte wrote:
Just one caution to add to this:
If you have a recent cpu (bought within the last year) and have sp2 and no modified bios settings or boot.ini, then codecaves like 0x10bb0 will not work since they arn't marked as executable and will cause a access violation when executed.

In ce you can use the fullaccess(10bb0) command to make it executable as well

also, for those that don't know how to use ce and the assembler, I have converted the script for tsearch to a ce assembler script
Code:

alloc(mycave,32)
mycave:
mov dword ptr [100579c],190
jmp 1002ffb

1002ff5:
jmp mycave


and to put it in a trainer made by ce:
Code:

[enable]
alloc(mycave,2048)
mycave:
mov dword ptr [100579c],190
jmp 1002ffb

1002ff5:
jmp mycave

[disable]
dealloc(mycave)

1002ff5:
inc dword ptr [100579c]

Then just click on file->assign to cheat table, and then you can use it in the trainer maker section, enabling and disabling as you like


Hi DarkByte:

Your translation of this code doesn't seem to be exactly equivalent. In his case he is using a code cave already created by the game, in your case (the CE way you have written), you are just allocating a new memory cave for our code. How can I write some code to an already existing memory cave? My hope is that this will avoid a CRC fail.

Thanks!
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Wed Jan 09, 2013 5:31 am    Post subject: Reply with quote

I know, and using that cave will cause crashes on XP sp2 and later, as that isn't a game allocated address, but a default windows allocated region, (The environment) which have been set to non executable

Also, writing memory to an existing memory cave will increase the chances for a CRC fail since you're changing bytes that the game knows the initial state of

Anyhow, the part that triggers the crc failure is the part where you're modifying the memory
In this example, writing the jmp instruction at 1002ff5 will trigger it, as 1002ff5 would certainly be checked

But this topic isn't about crc bypasses, I recommend looking up the stealthedit plugin for ce, or using the change register on breakpoint method and change eip to your code

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Tutorials All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites