Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Making Cheat with Mono Feature

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Tutorials -> Auto Assembler tutorials
View previous topic :: View next topic  
Author Message
panraven
Grandmaster Cheater
Reputation: 54

Joined: 01 Oct 2008
Posts: 941

PostPosted: Thu Aug 06, 2015 4:26 am    Post subject: Making Cheat with Mono Feature Reply with quote

One issue on making assembler cheat on jit bytecode (unity/flash) game is that piece of assembler code to be injected may not existed until the related bytecode got executed and jit compiled. So that invincible cheat has to be activated after being hit, for example.


I remembered a master has even written a complex hooking code into the mono.dll so that the cheats is automatic activated when the related byecode being compiled.

Not sure from which version of 6.4+, it seems the issue is solved, probably by the work starting from these post? (ie. search result of getmonostruct)
http://forum.cheatengine.org/viewtopic.php?p=5589255&sid=542b8b456e35c33dd8616532115b2f71
http://forum.cheatengine.org/viewtopic.php?p=5565915&sid=8d234bca3e755b4b7f8fb3dd3cecaff0
http://forum.cheatengine.org/viewtopic.php?t=575692

Forgive my ignorance if those are well known fact, but it seems not many making cheats with the mono feature. Here allow me present a way of efficiency use of mono feature in a certain type of cheat.

Some of the cheats may called 'function parameter hijacking'.

The example script is here: http://forum.cheatengine.org/viewtopic.php?p=5606528#5606528

The three Jit cheats all made by modifying the input parameters ie. [ebp+0c].

But 1st, the mono feature is used to instantiate the target functions.

Code:
globalalloc(__,$4000)
__:
dq __
usemono()
getmonostruct(InteractionInstance_Base)
getmonostruct(BehaviourStat)
getmonostruct(CraftingManager)

__+40:
dd "CraftingManager:CanCraftRecipe"
dd "CraftingManager:RemoveItemsFromInventory"
dd "CraftingManager:HasTheseIngredients"
dd "BehaviourStat:Modify"
dd "InteractionInstance_Base:ModifyInteractionDuration"
dd "InteractionInstance_Base:ResetInteractionTimer"


The command 'usemono' is the aa equivalent of lua function LaunchMonoDataCollector(). It establish a monopipe between the target process and ce. Note, if some debugging function is made, the pipe will be broken and need re-connecting.

Then getmonostruct bring the class information and the symbols "class:function" made the respective target functions being jit compiled. Note , sometime an extra namespace may be need, refer it like "namespace:class:function".

Now the starting address of the respective functions is ready and can be refer by the symbol form as "class:function".

This is the code that make the functions always return true in 'crafting consume none' cheat:

Code:
define(can,"CraftingManager:CanCraftRecipe")
define(del,"CraftingManager:RemoveItemsFromInventory")
define(has,"CraftingManager:HasTheseIngredients")

[ENABLE]
assert(can,55 8b ec 57 56)
assert(del,55 8b ec 57 56)
assert(has,55 8b ec 57 56)
can:
xor eax,eax
inc eax
ret
del:
xor eax,eax
inc eax
ret
has:
xor eax,eax
inc eax
ret


[DISABLE]
can:
db 55 8b ec 57 56
del:
db 55 8b ec 57 56
has:
db 55 8b ec 57 56



Since the initial few byte of the function of a fixed calling convention and signature is pretty constant, it make the cheat almost fail-save.

Here another example by making a code cave to examine the input parameter and change it if need:

Code:
define(mod,"BehaviourStat:Modify")

[ENABLE]
__+0f4:
dd (float)8

assert(mod+04,83 ec 04 8b 7d 08)
__+1300:
readmem(mod+04,6)
cmp dword ptr [ebp+0c],0
jle  @f
fld  dword ptr [ebp+0c]
fdiv dword ptr [__+0f4]
fstp dword ptr [ebp+0c]
jmp mod+0a
@@:
fld  dword ptr [ebp+0c]
fmul dword ptr [__+0f4]
fstp dword ptr [ebp+0c]
jmp mod+0a

mod+04:
jmp __+1300
nop


[DISABLE]
assert(mod+04,e9)
mod+04:
db 83 ec 04 8b 7d 08



--

Although I've not actually used in cheat. The offset of property can also be refer. But it has to include the getmonostruct command in the script to bring in the struct info. ie. (not actual code)

Code:
GETMONOSTRUCT(BehaviourStat)
...
mov  [edi+BehaviourStat.fatigue],0
...



Further with an extended version aobscan with range specification, more update resisting and efficient cheat can be made on mono game.

sorry if it cause more confusion...probably not for beginner.

bye~


ADDED:
some property is using getter or setter. For example for HEALTH, refer the getter function as get_HEALTH. Note that the jit de-compiled code may or may not use a getter function but just an offset, it can be randomly either case in different running of the same version of game. function hijacking likely won't work for these cases.

_________________
- Retarded.
Back to top
View user's profile Send private message
panraven
Grandmaster Cheater
Reputation: 54

Joined: 01 Oct 2008
Posts: 941

PostPosted: Fri Aug 28, 2015 2:50 am    Post subject: Reply with quote

Beside hacking the input parameter, it is also possible to hack the output result, if any.

With mono-feature, it is possible to locate the beginning address of a function/method instantly. then there are 2 way to hack the output result, I so called Tail Cave.

1. use a RANGED custom aobscan scan to locate the end of the function, it can be using lua memscan or make it as a custom aa command, it is simpler, but not this time;

2. seemly more complicated;
a. make a code cave to manipulate the stack so that when the target function finished,
b. it will jump to 2nd part of the code cave,
c. manipulate the stack again, and
d. do our hack, and
e. return to the caller with a 'ret'

here how the stack being manipulated, a object method with this ptr and 2 extra parameter as example:
Code:

legend: ORET - original return address to the caller
      : KRET - the 2nd part of code code which be return after target function done

before enter        after part 1       just before part 2    just finished part 2
  function            of codecave        of code cave        and beginning of hack
                         KRET (*)           KRET(popped)        EBP ()       <-esp     
->esp  ORET              this               this                ORET         
       this              param1             param1              this     
       param1            param2             param2              param1               
       param2            ORET               ORET                param2
(*) the Kret will be popped after finished target function, and return to
    part 2 of the code cave       


With the different number of input parameter, the assembler script will be difference, but can be scripted. So a custom aa command is made to construct this assembler.

The command:
Code:

monoTailCave32(N,Address,L)

N   = number of input parameter on stack, note that the inst __THIS__ pointer is the 1st parameter; static method will have no __THIS__ ptr. So in above example, N = 3 (this + 2 extra parameter)

Address = the function beginning address, by the mechanic of the script parsing, the address cannot use __DEFINE__ symbol. Since it is a mono feature, it has to be enter as "classname:methodname" (with quote);

L = the hack length that occupy by the code cave jump command;

N and L and number in decimal.


The cheat code SellPrice Multiplier of this game http://forum.cheatengine.org/viewtopic.php?t=583754 is like this:
Code:

define(sell,"EconomyGoods:get_PriceSell")
assert(sell,55 8b ec 57 83 ec ?? 8b 7d 08)

alloc(_sell,$100,sell)

_sell:
dq _sell

_sell+10:
dd (float)10

_sell+20:     // save
readmem(sell,7)

_sell+40: //free eax edi

monoTailCave32(1,"EconomyGoods:get_PriceSell",7)

//   hack start
fmul dword ptr [_sell+10]

pop  ebp   //--- must use these to return original caller
ret           //---

sell:
jmp _sell+40
nop
nop

registersymbol(_sell)



Note: It must be return to the caller with
Code:
pop  ebp   //--- must use these to return original caller
ret           //---
 



The command is limit only to 32-bit, mono-function alike calling convension.

sorry for the poor explanation.

bye~

_________________
- Retarded.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Tutorials -> Auto Assembler tutorials All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites