Rissorr Master Cheater Reputation: 3
Joined: 17 Sep 2013 Posts: 273 Location: Israel!
Posted: Mon Jun 30, 2014 3:05 am Post subject: Game crashes when I run the code! [SOLVED]
Hey! I was trying to make a multihack (like Recifense usually does, with registersymbols, and then 0/1 in the table to toggle the script).
Tried to hack the game Peggle.
So my problem is:
- when I enable/disable, everything is normal.
- when the code is executed -> the game crashes.
- tried adding pushfd/popfd to the code -> but it didn't help.
The code so far:
Code: |
[enable]
//========================= LABELS, SYMBOLS, AOBSCANS, ETC'
alloc(allocMem,1024)
label(code_balls)
label(exit_balls)
label(done_balls)
label(code_score)
label(exit_score)
label(done_score)
label(i_balls)
label(i_score)
registersymbol(allocMem)
registersymbol(i_balls)
registersymbol(i_score)
aobscan(aob_balls,01 8c 86 7c 01 00 00)
registersymbol(aob_balls)
aobscan(aob_score,01 84 91 74 01 00 00)
registersymbol(aob_score)
//========================= ALLOC ADDRESS
allocMem:
//========================= BALLS HACK
code_balls:
pushfd
cmp [i_balls],0
je done_balls
push ecx
mov ecx,#99
cmp [esi+eax*4+17C],ecx
ja done_balls
mov [esi+eax*4+17C],ecx
jmp done_balls
done_balls:
pop ecx
popfd
jmp exit_balls
//========================= SCORE HACK
code_score:
pushfd
cmp [i_score],0
je done_score
push eax
mov eax,#9999999
cmp [ecx+edx*4+174],eax
ja done_score
mov [ecx+edx*4+174],eax
jmp done_score
done_score:
pop eax
popfd
jmp exit_score
//========================= DECLARING DEFAULT VARIABLES
i_balls:
dd 0
i_score:
dd 0
//========================= INJECTION POINTS
aob_balls:
jmp code_balls
exit_balls:
aob_score:
jmp code_score
exit_score:
[disable]
//========================= GIVE BACK THE ORIGINAL INSTRUCTIONS
aob_score:
add [ecx+edx*4+174],eax
aob_balls:
add [esi+eax*4+17C],ecx
//========================= UN-SYMBOL, DEALLOC, ETC'
unregistersymbol(allocMem)
unregistersymbol(aob_balls)
unregistersymbol(aob_score)
unregistersymbol(i_balls)
unregistersymbol(i_score)
dealloc(allocMem) |
P.S.
I used Recifense's tutorial as the base for the script (http://forum.cheatengine.org/viewtopic.php?t=529802)
Thanks for all answers!
Attachment: Peggle.CT (4.99 KB, downloaded 544 times)
Last edited by Rissorr on Mon Jun 30, 2014 5:59 am; edited 1 time in total
Geri Moderator Reputation: 111
Joined: 05 Feb 2010 Posts: 5636
Posted: Mon Jun 30, 2014 3:29 am
Start debugging.
First you should figure out which injection point is causing the crash, because you have 2 of them.
Then try to make an empty code injection to see if code injection at that code is not causing any problem.
If you are already sure that the problem is caused by the script itself, set a breakpoint at your own code and watch how it is executed step by step, or use break and trace and go through the log to see where the error is.
And if you are doing your own script, make sure that you don't screw up the injection point. The jump takes up 5 bytes. If the code that you are replacing takes more than 5 bytes, you need to add nops to the injection point, as it is done in the templates made by CE.
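Geri's 5-byte point is the whole story of the crash in this thread, so here is an added example (my code, not from the thread or from Cheat Engine) that computes the bytes CE writes at the injection point: a `jmp rel32` to the cave, padded with NOPs to the length of the instruction being replaced, plus the reverse check. The addresses are made up; the instruction bytes `01 8c 86 7c 01 00 00` are the `aob_balls` pattern from the first post (7 bytes), and the `00 00` left behind by an unpadded patch decodes as `add [eax],al`, which is what runs when the cave jumps back to `exit_balls`.

```python
"""Build and check the 5-byte 'jmp rel32' patch that a Cheat Engine code
injection writes over the original instruction, NOP-padded to its length.
Added example, not code from the thread; the addresses are made up."""
import struct

JMP_REL32 = 0xE9   # opcode of the near jump: E9 + signed 32-bit displacement
NOP = 0x90
JMP_LEN = 5

# The 'aob_balls' pattern from the first post: add [esi+eax*4+17C],ecx (7 bytes)
AOB_BALLS = bytes.fromhex("01 8c 86 7c 01 00 00")


def build_jump_patch(inject_addr, cave_addr, orig_len):
    """Bytes to write at inject_addr: E9 rel32, then NOPs up to orig_len.

    rel32 is measured from the end of the jmp itself (inject_addr + 5),
    which is also where the cave's 'jmp exit_xxx' lands on the way back.
    """
    if orig_len < JMP_LEN:
        raise ValueError(f"replaced code is {orig_len} bytes, a near jmp needs {JMP_LEN}")
    rel = cave_addr - (inject_addr + JMP_LEN)
    if not -2**31 <= rel < 2**31:
        raise ValueError("cave is out of rel32 range")
    jmp = bytes([JMP_REL32]) + struct.pack("<i", rel)
    return jmp + bytes([NOP]) * (orig_len - JMP_LEN)


def decode_jump_patch(patch, inject_addr):
    """Inverse of build_jump_patch: (cave target, number of NOP bytes)."""
    if len(patch) < JMP_LEN or patch[0] != JMP_REL32:
        raise ValueError("not a jmp rel32 patch")
    rel = struct.unpack("<i", patch[1:JMP_LEN])[0]
    padding = patch[JMP_LEN:]
    if any(b != NOP for b in padding):
        raise ValueError("bytes after the jmp are not NOPs")
    return inject_addr + JMP_LEN + rel, len(padding)


def leftover_after_unpadded_jmp(orig_bytes):
    """What the CPU executes at inject_addr+5 when a longer instruction was
    overwritten by a bare 5-byte jmp with no NOPs. For AOB_BALLS this is
    the tail 00 00, which decodes as 'add [eax],al': a write through eax
    that the game never intended."""
    return orig_bytes[JMP_LEN:]


if __name__ == "__main__":
    inject, cave = 0x00401000, 0x00500000          # made-up addresses
    patch = build_jump_patch(inject, cave, len(AOB_BALLS))
    print(patch.hex(" "))                          # e9 fb ef 0f 00 90 90
    print(decode_jump_patch(patch, inject))        # (5242880, 2)
    print(leftover_after_unpadded_jmp(AOB_BALLS).hex(" "))   # 00 00
```

The displacement is packed as a signed 32-bit value, so a cave placed below the injection point works too. The `ValueError` for `orig_len < 5` is the other half of the rule Geri states: when the instruction you land on is shorter than the jump, the patch also overwrites the instruction(s) after it, and those have to be re-executed inside the cave before jumping back.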
Rissorr Master Cheater Reputation: 3
Joined: 17 Sep 2013 Posts: 273 Location: Israel!
Posted: Mon Jun 30, 2014 5:06 am
OK, thanks!! I understand... but what could cause the problem?
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The netherlands
Posted: Mon Jun 30, 2014 5:50 am
Read through your code and try to follow all possible paths.
Hint: what will happen when i_balls or i_score are 0? (watch that register)
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Rissorr Master Cheater Reputation: 3
Joined: 17 Sep 2013 Posts: 273 Location: Israel!
Posted: Mon Jun 30, 2014 6:03 am
OK, thanks to Geri and to Dark Byte!!!
I found the error:
I injected:
Code: |
//========================= INJECTION POINTS
aob_balls:
jmp code_balls // <--- HERE
exit_balls:
aob_score:
jmp code_score
exit_score: |
I forgot that I need to fill it with NOPs; the original opcode was 7 bytes.
And when I filled it with NOP NOP (after the JMP) it worked!!
Geri Moderator Reputation: 111
Joined: 05 Feb 2010 Posts: 5636
Posted: Mon Jun 30, 2014 10:23 am
Also fix the bug that Dark Byte has pointed out, because it is a very serious bug.
Rissorr Master Cheater Reputation: 3
Joined: 17 Sep 2013 Posts: 273 Location: Israel!
Posted: Mon Jun 30, 2014 3:12 pm
Also a small question:
if in my code there is an instruction like this:
Code: | cmp [i_balls],0
je done_balls |
do I need to use:
PUSHFD
POPFD
for this?
(or maybe it's not necessary?)
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The netherlands
Posted: Mon Jun 30, 2014 3:18 pm
Yes, cmp changes the flags register
STN I post too much Reputation: 42
Joined: 09 Nov 2005 Posts: 2672
Posted: Tue Jul 01, 2014 2:20 pm
All this talk about balls, this thread is very dirty.
I don't get what this multihack thing is, just let the CE injection template do the work... I find it wonderful because I am lazy and CE fills in the redundant data for me.
There is a lot wrong in your code; I am just going to point it out because it looks like you are not a total noob.
code_balls:
pushfd
cmp [i_balls],0
je done_balls -- oh hi, I just jumped and the push below can go cry to mama
push ecx
mov ecx,#99
cmp [esi+eax*4+17C],ecx
ja done_balls
mov [esi+eax*4+17C],ecx
jmp done_balls
done_balls:
pop ecx -- mama popped the wrong balls
popfd
jmp exit_balls
It's the same mistake you have made with your score code.
And NO, you don't need to write pushfd/popfd; that's a waste of two perfect CPU cycles. They are only needed if you are going to modify code in your game that you know will mess up the EFLAGS, and the game needs the EFLAGS a certain way at that point and your injection can fuck them up. What this means is basically that 99.9% of the time you don't need them; I have only ever needed to use them once. To give you an example:
Game code
address1 mov eax, deadbeef
address2 cmp eax, head
je 92ace
You jump at address2 to your injection and you want to do a compare in your injection; that is when you can mess up the game's eflags when it needs them (it compares whether eax has head or not). So if your injection was like this:
fancy injection:
cmp eax, head // original game code
mov edx,ecx
cmp edx, 34 // this be where you mess up the game's eflags, because now the value is going to be from the compare of cmp edx, 34, not the cmp eax, head
je exit
exit:
jmp backtogame
the solution (two ways)
lazy way aka the stn way
fancyinjection:
mov edx, ecx
cmp edx, 34
je exit
exit:
cmp eax, head
jmp backtogame
or you could just pushfd/popfd after the game's cmp and it will still be good.
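Both things found in this thread, Dark Byte's hint that a `je` over the `push ecx` leaves the `pop ecx` with nothing of its own to pop, and STN's point that a `cmp` inside the cave changes which flags the game sees when it resumes, are path properties, so they can be checked mechanically. The following is an added example (mine, not code from the thread or from Cheat Engine): a small Python path walker over a CE-style listing that models the stack symbolically, forks at every conditional jump, and records which instruction last wrote EFLAGS when each exit is reached. The mnemonic tables cover only what these snippets need, and the three listings are copied from the posts above (with STN's `je ext` read as `je exit`).

```python
"""Walk every control-flow path through a Cheat Engine code cave, modelling
push/pop symbolically and recording which instruction last wrote EFLAGS at
each exit. Added example; the tables cover only what this thread's code uses."""
import re

FLAG_WRITERS = {"cmp", "test", "add", "sub", "and", "or", "xor", "inc", "dec", "neg", "shl", "shr", "sar"}
COND_JUMPS = {"je", "jz", "jne", "jnz", "ja", "jae", "jb", "jbe", "jg", "jge", "jl", "jle"}

# Listings copied from the thread ('je ext' in STN's reply read as 'je exit').
BALLS_CAVE = """
code_balls:
pushfd
cmp [i_balls],0
je done_balls
push ecx
mov ecx,#99
cmp [esi+eax*4+17C],ecx
ja done_balls
mov [esi+eax*4+17C],ecx
jmp done_balls
done_balls:
pop ecx
popfd
jmp exit_balls
"""
CLOBBERING_CAVE = """
fancyinjection:
cmp eax, head   // original game code
mov edx,ecx
cmp edx, 34     // overwrites the flags the game's own 'je' will test
je exit
exit:
jmp backtogame
"""
REORDERED_CAVE = """
fancyinjection:
mov edx, ecx
cmp edx, 34
je exit
exit:
cmp eax, head   // original compare redone last: its flags reach the game
jmp backtogame
"""

def parse(listing):
    """[(op, args)] plus {label: index of the instruction it names}."""
    instrs, labels = [], {}
    for raw in listing.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            labels[line[:-1]] = len(instrs)
        else:
            parts = line.split(None, 1)
            args = re.sub(r"\s", "", parts[1]) if len(parts) > 1 else ""
            instrs.append((parts[0].lower(), args))
    return instrs, labels

def analyze(listing, exits):
    """Return (findings, exit_flags). exit_flags[label] is the set of
    instructions whose EFLAGS result is live when the game resumes there."""
    instrs, labels = parse(listing)
    findings, exit_flags, seen = [], {}, set()
    work = [(0, (), "entry")]      # (pc, symbolic stack, last EFLAGS writer)
    while work:
        pc, stack, flags = work.pop()
        while (pc, stack, flags) not in seen and pc < len(instrs):
            seen.add((pc, stack, flags))
            op, args = instrs[pc]
            name = (op + " " + args).strip()
            if op == "push":
                stack += (("reg", args),)
            elif op == "pushfd":
                stack += (("flags", flags),)
            elif op in ("pop", "popfd"):
                want = ("flags",) if op == "popfd" else ("reg", args)
                if not stack:
                    findings.append(f"{pc}: {name} with nothing pushed on this path")
                    break
                top, stack = stack[-1], stack[:-1]
                if top[:len(want)] != want:      # e.g. pop ecx eating the saved EFLAGS
                    findings.append(f"{pc}: {name} receives {top[0]} {top[1]!r}")
                elif op == "popfd":
                    flags = top[1]
            elif op in FLAG_WRITERS:
                flags = f"{op} {args}"
            elif op in COND_JUMPS:
                work.append((labels[args], stack, flags))   # explore the taken branch too
            elif op == "jmp":
                if args in exits:
                    if stack:
                        findings.append(f"{pc}: {len(stack)} item(s) still pushed at {name}")
                    exit_flags.setdefault(args, set()).add(flags)
                    break
                pc = labels[args]
                continue
            pc += 1
    return findings, exit_flags

if __name__ == "__main__":
    for cave, exits in [(BALLS_CAVE, {"exit_balls"}), (CLOBBERING_CAVE, {"backtogame"}), (REORDERED_CAVE, {"backtogame"})]:
        print(*analyze(cave, exits))
```

On `BALLS_CAVE` the walker reports the `i_balls = 0` path only: `pop ecx` receives the saved EFLAGS and the following `popfd` finds an empty stack, exactly the path Dark Byte asked about. On STN's two caves it reports no stack problem, but the live flags at `backtogame` are `cmp edx,34` for the first listing and `cmp eax,head` for the reordered one, which is the difference his "lazy way" is about. The walker ignores memory writes and register values, so it says nothing about what the cave does to the game's data, only about the stack and EFLAGS the game gets back.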