Cheat Engine Forum: The Official Site of Cheat Engine
How to replace certain bytes in a byte array?

 
Forum: General Gamehacking
Erik9631 (Newbie cheater)
Posted: Fri Jun 26, 2015 3:54 am    Post subject: How to replace certain bytes in a byte array?

Hello guys.
As the title says, in one game I am searching for a byte array based on a signature... basically a bunch of values which are always the same, but between them the values change.
I look it up with Cheat Engine by using this array:

72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 25 26 32 ?? 22 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 02 7B ?? ?? ?? ?? 2D ?? 17 80 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22

and replace the values with this edited array:

72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 25 26 32 00

which gives you a speed boost, for example.


I found this auto assembler code:

Code:
[ENABLE]
aobscan(nodamage, 2B C8 66 89 0D CC E6 49 00 8B 15 50 E6 49 00 81 E2 80 00 00 00 74 1C)
label(_nodamage)
registersymbol(_nodamage)

nodamage:
_nodamage:
db 90 90

[DISABLE]
_nodamage:
db 2B C8

unregistersymbol(_nodamage)


which I would like to use to speed up the process, but the issue is that I cannot replace the values without keeping the ?? ones.

Using db 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 25 26 32 00
simply gives me errors.

To clear things up: I only want to change the values that are not ??, for instance 32 to 00 and so on, without changing the values in between them.


My Cheat Engine coding skills totally suck, so I would appreciate it if someone simply sent me a code sample which I could fill in with my edited array.

Thank you.
STN (I post too much)
Posted: Fri Jun 26, 2015 6:51 am

Only change the bytes that are different? In your example both the sig and the replace array are similar, so I can't give an example. Or do it like this (your example):

mem+0:
db 72

mem+5: (Notice the offset)
db 28

and so on.

Or write the instruction instead of the byte code.

_________________
Cheat Requests/Tables- Fearless Cheat Engine
https://fearlessrevolution.com
Erik9631 (Newbie cheater)
Posted: Fri Jun 26, 2015 8:46 am

So as far as I understand, if I wanted to change 28 to 20 in this array:
72 ?? ?? ?? ?? 28

I would have to do:
mem + 5
db 20

right?

EDIT:
It does not work. I used this code. The injection was successful but it made no changes. The hack did not work...

Code:
[ENABLE]
aobscan(speedboost, 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 25 26 32 ?? 22 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 02 7B ?? ?? ?? ?? 2D ?? 17 80 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22)
label(_speedboost)
registersymbol(_speedboost)

speedboost+20:
_speedboost:
db 00

[DISABLE]
Zanzer (I post too much)
Posted: Fri Jun 26, 2015 10:13 am

It is hex notation. +20 went over 32 bytes.
Code:
[ENABLE]
aobscan(speedboost,72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 25 26 32 ?? 22 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 02 7B ?? ?? ?? ?? 2D ?? 17 80 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22)
alloc(speedboost_save,1)
speedboost_save:
  readmem(speedboost+14,1)
speedboost+14:
  db 00
registersymbol(speedboost)
registersymbol(speedboost_save)

[DISABLE]
speedboost+14:
  readmem(speedboost_save,1)
unregistersymbol(speedboost)
unregistersymbol(speedboost_save)
dealloc(speedboost_save)
STN (I post too much)
Posted: Fri Jun 26, 2015 11:04 am

Erik9631 wrote:
So as far as I understand, if I wanted to change 28 to 20 in this array:
72 ?? ?? ?? ?? 28

I would have to do:
mem + 5
db 20

right?

EDIT:
It does not work. I used this code. The injection was successful but it made no changes. The hack did not work...
[...]

I just gave an example, I didn't really calculate offsets. But yeah, it's like Zanzer said, you have to take hexadecimal and numeric into consideration.

20 decimal is 14 in hex, so use 14 as hex like in Z's example.

Erik9631 (Newbie cheater)
Posted: Sat Jun 27, 2015 3:11 am

Zanzer wrote:
It is hex notation. +20 went over 32 bytes.
[...]

Tried it... used exactly this code and it did not work.

Maybe I am missing something more?
panraven (Grandmaster Cheater)
Posted: Sat Jun 27, 2015 11:39 am

I think I got why it doesn't work, given your aob is right.

The aob is to modify Unity bytecode; in a browser environment, there will be 2 copies of the aob bytecode of the dll assembly in memory.
When the aa is activated, it will find the 1st copy (in order) and make the change; however, usually it is the second copy that has the actual effect (i.e. the jit-compiler reads bytecode from the 2nd copy but not the 1st).

For this particular aa script, applying it a second time still won't work, because the modification doesn't change the 1st copy of the aob, so a second activation still finds the 1st copy and misses the 2nd one.

Try this:
Code:
[ENABLE]
aobscan(speedboost,72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 25 26 32 ?? 22 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 02 7B ?? ?? ?? ?? 2D ?? 17 80 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22)
speedboost+13:
  db 33 00
[DISABLE]

32 ?? in bytecode is a cil instruction for a short jump; the modification replaces this with another type of short jump with zero offset, so the 1st copy of the aob will be changed, and activating the aa a 2nd time should now modify the second copy of the aob in memory.
(check cil bytecode/instructions here: https://en.wikipedia.org/wiki/List_of_CIL_instructions )

btw, the [disable] part in most cases is not necessary for modifying bytecode that is to be jit-compiled (same for modern flash bytecode), unless there is a special purpose (e.g. restoring assembly integrity in memory, for anti-anti-cheat).

_________________
- Retarded.
Erik9631 (Newbie cheater)
Posted: Sat Jun 27, 2015 12:03 pm

You are right about the multiple addresses thing. There are 3 addresses that have to be changed in order for this to work, so unfortunately the code you posted does not work.

Is there a way to script it so basically Cheat Engine changes ALL the addresses at once without having to mess around with the instructions?
STN (I post too much)
Posted: Sat Jun 27, 2015 1:04 pm

I don't get what the big issue is here. You can write 3 aobscans in the same script and then change each one of them.

The 3 addresses all have different byte codes, right? Or are those 3 all similar (copies) of each other? If it's the latter, I believe there was code posted by someone here that outputs all the instances of the same aob/signature found.

I will post the code in a while if you can't find it; I'm busy with something else atm.

Zanzer (I post too much)
Posted: Sat Jun 27, 2015 1:13 pm

How about this?
Code:
[ENABLE]
{$lua}
local aob = AOBScan("72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 25 26 32 ?? 22 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 02 7B ?? ?? ?? ?? 2D ?? 17 80 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22")
-- AOBScan returns nil when nothing matches, so guard before indexing
if aob then
  for i=0,aob.Count-1 do
    -- "+14" is hex: byte 20 of the pattern, the ?? after the 32
    writeBytes(aob[i] .. "+14", 0)
  end
  aob.Destroy()
end
aob = nil
[DISABLE]
panraven (Grandmaster Cheater)
Posted: Sat Jun 27, 2015 1:46 pm

The following may be considered an upgraded version of the AOBSWAP function used in DaSpamar's Easy Trainer, that patches multiple aob results in one scan.
It will make the AA entry behave as a normal AA that is 'crossed' only on success, and the modification is made in a batch.

Code:
{$lua}
function AOB(skip,aob,...)
  if skip==true then return '' end
  local metatemp = [[<@@>+%X:
%s]]
  local offsetPairs = {...}
  local template = {}
  local script = {}
  assert(#offsetPairs % 2 == 0,'offset and modification should be paired')
  for i=1,#offsetPairs,2 do
    local s = string.format(metatemp,offsetPairs[i],offsetPairs[i+1])
    table.insert(template,s)
  end
  assert(#template > 0, 'nothing to modify')
  template = table.concat(template,"\n")
  local found = AOBScan(aob)
  if found~=nil then
    for i=0,found.Count - 1 do
      local s = template:gsub('<@@>',found[i])
      table.insert(script, s)
    end
    found.Destroy()
  end
  return assert(#script > 0) and table.concat(script,"\n")
end
{$asm}

[ENABLE]

{$lua}
return AOB(syntaxcheck,'11 22 55 88 99',
0x7,
"db ff",
0xc,
"readmem(<@@>-2,5)",
0x10,[[
mov  eax,#100
push edi
pop  edi
jmp  <@@>+6
]])

{$asm}

[DISABLE]

For Erik9631's aob, I'll suggest you manually make the aob change first, and make sure the aob works as you expected.

Erik9631 (Newbie cheater)
Posted: Sun Jun 28, 2015 2:02 am

Thanks for the help everyone.

I made a Lua script that does what I expected. I will post the code in case anyone has a similar issue.

Code:
AoB = AOBScan("72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 32 ?? 22 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 0A 02 7B ?? ?? ?? ?? 2D ?? 17 80 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 28")
if (AoB and AoB.getCount()==3) then
  print("Damage boost OK")
  writeBytes(tonumber(AoB[0],16)+18, 0x00)
  writeBytes(tonumber(AoB[1],16)+18, 0x00)
  writeBytes(tonumber(AoB[2],16)+18, 0x00)
  AoB.Destroy()
  AoB = nil
else
  print("Damage boost ERROR")
end
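As an added example (not code from this thread or from Cheat Engine), here is a small Python scanner that does what the question asks on a byte buffer: it parses a ??-wildcard signature, finds every copy in the buffer, reports which offsets the edited array really changes (and how the auto assembler spells them, in hex, which is where the +20 versus +14 confusion came from), and overwrites only the non-?? bytes at every match. The buffer is constructed here to hold two copies of the pattern; SIG and EDIT are the arrays from the question.

```python
# Added example (not code from the thread or from Cheat Engine): a masked byte-signature
# scanner that patches only the non-?? bytes of an edited array at every match.
SIG = ("72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 25 26 32 ?? 22 ?? ?? ?? ?? "
       "28 ?? ?? ?? ?? 13 ?? 02 7B ?? ?? ?? ?? 2D ?? 17 80 ?? ?? ?? ?? 22 ?? ?? ?? ?? "
       "22 ?? ?? ?? ?? 22")
EDIT = "72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 25 26 32 00"

def parse_aob(aob):
    """Turn 'AA ?? BB' into (bytes, mask); mask[i] is False for a wildcard."""
    vals, mask = [], []
    for tok in aob.split():
        wild = tok in ("??", "?", "*")
        vals.append(0 if wild else int(tok, 16))
        mask.append(not wild)
    return bytes(vals), mask

def find_all(buf, aob):
    """Every offset where the signature matches; wildcards match anything."""
    pat, mask = parse_aob(aob)
    return [i for i in range(len(buf) - len(pat) + 1)
            if all(not m or buf[i + j] == pat[j] for j, m in enumerate(mask))]

def changed_offsets(sig, edit):
    """Offsets (decimal) where the edited array differs from the signature."""
    sv, sm = parse_aob(sig)
    ev, em = parse_aob(edit)
    return [j for j in range(len(ev)) if em[j] and (not sm[j] or sv[j] != ev[j])]

def as_aa_offset(i):
    """Auto assembler offsets are hex: byte 20 is written 'symbol+14'."""
    return "+%X" % i

def patch_all(buf, sig, edit):
    """Overwrite only the non-?? bytes of `edit` in every match of `sig`."""
    ev, em = parse_aob(edit)
    out = bytearray(buf)
    hits = find_all(buf, sig)
    for base in hits:
        for j, m in enumerate(em):
            if m:
                out[base + j] = ev[j]
    return bytes(out), hits

def make_instance(aob, fill=0x11):
    """Constructed test data: the signature with every ?? replaced by `fill`."""
    vals, mask = parse_aob(aob)
    return bytes(v if m else fill for v, m in zip(vals, mask))

# Constructed buffer with two copies of the pattern, like the two in-memory copies.
SAMPLE = b"\x00" * 16 + make_instance(SIG) + b"\x90" * 8 + make_instance(SIG) + b"\x00" * 4
```

Because offset 0x14 is a ?? in the signature, the patched buffer still matches the scan, which is exactly why a one-copy patch followed by a rescan keeps finding the same copy, as noted above.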