Cheat Engine The Official Site of Cheat Engine
Dark Byte Site Admin
Reputation: 26
Joined: 09 May 2003 Posts: 8397 Location: The netherlands
Posted: Sun Jan 31, 2010 11:03 pm Post subject: Mass Effect 2 : Godmode and Infinite ammo |
This is more a proof of concept that you can also do exception handling in auto assembler.
The pointers for ammo and health aren't 100% correct. During prolonged firing sequences (holding the fire button on a high rate of fire weapon) the pointer goes bad, and a test to see if it's 0 doesn't work since a part of the broken pointer points to a non-null invalid address. (That's why it's only being used as a read and not a write.)
Anyhow, enjoy: (oh yes, XP and later only)
for the table:
http://forum.cheatengine.org/viewtopic.php?t=487945
health script:
| Code: |
[ENABLE]
//health script
globalalloc(healthexceptionhandler,4096)
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
label(notplayerhealth)
label(nrcounter)
label(lastsuccess)
label(handled)
label(nothandled)
label(try)
label(try_exit)
label(exception)
label(initialized)
label(initializedhealthexceptionhandler)
//-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
//-= Exception handler to deal with possible invalid states -=
//-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
healthexceptionhandler:
nop
nop
mov eax,[esp+4]
mov eax,[eax+4]
lea eax,[eax+b8] //eax+b8=eip
cmp [eax],try
jb short nothandled
cmp [eax],try_exit
jae short nothandled
//EIP is not below try and not at or above try_exit, so the fault happened inside the try block
mov [eax],exception
jmp short handled
nothandled:
mov eax,0
ret 4
handled:
mov eax,ffffffff
ret 4
initializedhealthexceptionhandler:
//-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
MassEffect2.exe+5066bb:
jmp newmem
nop
returnhere:
newmem: //this is allocated memory, you have read,write,execute access
pushfd
push eax
cmp [initializedhealthexceptionhandler],0
jne initialized
push healthexceptionhandler
push 0
call RtlAddVectoredExceptionHandler
mov [initializedhealthexceptionhandler],eax
initialized:
try:
mov eax,[MassEffect2.exe+00E8010C]
mov eax,[eax+0]
mov eax,[eax+4c]
mov eax,[eax+48]
mov eax,[eax+c]
lea eax,[eax+84]
cmp [eax],0 //causes an exception if an invalid address
nop
nop
nop
try_exit:
//save the last known address of the player's health
mov [lastsuccess],eax
cmp eax,edi
jne short notplayerhealth
pop eax
popfd
jmp short exit //done here, so exit (the subss is skipped and health is not decreased)
exception:
//the pointer doesn't seem to be valid 100% of the time(e.g holstered, but then you usually won't fire)
//inc [nrcounter] //debug counter
mov eax,[lastsuccess]
cmp eax,edi
jne short notplayerhealth
pop eax
popfd
jmp exit
notplayerhealth:
pop eax
popfd
originalcode:
subss xmm0,[esp+10]
exit:
jmp returnhere
db 0 //just for fun (and speed)
nrcounter:
dd 0
lastsuccess:
dd 0
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
MassEffect2.exe+5066bb:
subss xmm0,[esp+10]
//Alt: db F3 0F 5C 44 24 10
|
ammo script:
| Code: |
[ENABLE]
//ammo script
//code from here to '[DISABLE]' will be used to enable the cheat
globalalloc(ammoexceptionhandler,4096)
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
label(notammo)
label(nrcounter)
label(lastsuccess)
label(handled)
label(nothandled)
label(try)
label(try_exit)
label(exception)
label(initialized)
label(initializedammoexceptionhandler)
//-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
//-= Exception handler to deal with possible invalid states -=
//-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
ammoexceptionhandler:
nop
nop
mov eax,[esp+4]
mov eax,[eax+4]
lea eax,[eax+b8] //eax+b8=eip
cmp [eax],try
jb short nothandled
cmp [eax],try_exit
jae short nothandled
//EIP is not below try and not at or above try_exit, so the fault happened inside the try block
mov [eax],exception
jmp short handled
nothandled:
mov eax,0
ret 4
handled:
mov eax,ffffffff
ret 4
initializedammoexceptionhandler:
//-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
MassEffect2.exe+5065eb:
jmp newmem
nop
returnhere:
newmem: //this is allocated memory, you have read,write,execute access
pushfd
push eax
cmp [initializedammoexceptionhandler],0
jne initialized
push ammoexceptionhandler
push 0
call RtlAddVectoredExceptionHandler
mov [initializedammoexceptionhandler],eax
initialized:
try:
mov eax,[MassEffect2.exe+00E800F4]
mov eax,[eax+3c]
mov eax,[eax+4c]
mov eax,[eax+3cc]
lea eax,[eax+610]
cmp [eax],0 //causes an exception if an invalid address
nop
nop
nop
try_exit:
//save the last known address of the player's ammo clip
mov [lastsuccess],eax
cmp eax,edi
jne short notammo
pop eax
popfd
jmp short exit //done here, so exit
exception:
//the pointer doesn't seem to be valid 100% of the time(e.g holstered, but then you usually won't fire)
//inc [nrcounter] //debug counter
mov eax,[lastsuccess]
cmp eax,edi
jne short notammo
pop eax
popfd
jmp exit
notammo:
pop eax
popfd
originalcode:
addss xmm0,[esp+10]
exit:
jmp returnhere
nrcounter:
dd 0
lastsuccess:
dd 0
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
MassEffect2.exe+5065eb:
addss xmm0,[esp+10]
//Alt: db F3 0F 58 44 24 10
|
_________________
You like Cheat Engine?
I like donations!
Do not ask me about online cheats. I don't know any and wont help finding them.
Last edited by Dark Byte on Tue Feb 02, 2010 7:49 pm; edited 2 times in total
Psy Grandmaster Cheater Supreme Reputation: 0
Joined: 27 Mar 2008 Posts: 1376
Posted: Mon Feb 01, 2010 12:35 pm Post subject: |
Nice script DB. I'm sure with all the talk of this game being hard, this will help a lot of people. To deal with fucking up pointer paths though you can do something like this.
Check at each level for validity:
| Code: |
<do whatever before>
push eax
mov eax,[MassEffect2.exe+00E8010C]
test eax,eax
jz break
mov eax,[eax+0]
test eax,eax
jz break
mov eax,[eax+4c]
test eax,eax
jz break
mov eax,[eax+48]
test eax,eax
jz break
mov eax,[eax+c]
test eax,eax
jz break
lea eax,[eax+84]
break:
pop eax
<do whatever after>
|
Original stacking:
| Code: |
mov eax,[MassEffect2.exe+00E8010C]
mov eax,[eax+0]
mov eax,[eax+4c]
mov eax,[eax+48]
mov eax,[eax+c]
lea eax,[eax+84]
|
Doing it that way won't lead to a crash, as it will escape at the first sign of trouble.
~Psy
Dark Byte Site Admin
Reputation: 26
Joined: 09 May 2003 Posts: 8397 Location: The netherlands
Posted: Mon Feb 01, 2010 2:43 pm Post subject: |
It will.
In some situations "mov eax,[eax+48]" will load eax with the value 0x1210, which is an invalid address.
The test for 0 will pass then, and mov eax,[eax+c] will cause a crash.
Psy Grandmaster Cheater Supreme Reputation: 0
Joined: 27 Mar 2008 Posts: 1376
Posted: Tue Feb 02, 2010 4:33 am Post subject: |
True, it will actually. Good point. At least it will add that little extra protection. Hopefully, most times when that opcode runs it will be referencing some sort of address. Just an idea that I used once in the past. This exception handling looks promising though. One of the joys of pointer paths, I suppose, and why a lot opt not to use them.
Recifense Master Cheater Reputation: 6
Joined: 17 Mar 2008 Posts: 396 Location: Brazil - Pernambuco - Recife
Posted: Tue Feb 02, 2010 6:29 am Post subject: |
Great!
I am going to use it as a reference/tutorial for handling exceptions.
Cheers!
Dark Byte Site Admin
Reputation: 26
Joined: 09 May 2003 Posts: 8397 Location: The netherlands
Posted: Tue Feb 02, 2010 8:41 am Post subject: |
| Psy wrote: | True, it will actually. Good point. At least it will add that little extra protection. Hopefully, most times when that opcode runs it will be referencing some sort of address. Just an idea that I used once in the past. This exception handling looks promising though. One of the joys of pointer paths, I suppose, and why a lot opt not to use them. |
Pointers are useful when used in CE as a table entry. CE can see when something is an invalid pointer and then not write to it. So the health and ammo pointers work perfectly fine when you freeze them in CE.
But freezing isn't enough for the very few instant kill situations; in those cases you have to use code injection at the place that decreases health, and that's where pointers can be a pain in the ass (when they aren't perfect), and it's usually better to just inspect the memory regions instead of using pointers.
But in this case the same code is used for everything else (probably a very scripted engine) and I couldn't be bothered to inspect the affected structures or callstack.