Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


AOB Scan Problem

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking
View previous topic :: View next topic  
Author Message
Freakfrash
Newbie cheater
Reputation: 0

Joined: 18 Nov 2013
Posts: 11

PostPosted: Sun Sep 06, 2015 8:02 pm    Post subject: AOB Scan Problem Reply with quote

Hello, so during my usual scripting, I realised that one of the aob scan scripts I wrote isn't working. I also realised (thanks to the label I did) that it is finding something, but it's the wrong opcode. Since I knew that, I decided to extend the current array of bytes I was using with a function above it. This time it found the correct opcode, but the script itself seems to be crashing the game.

Any advice?

I am also using AOB scan, because the game keeps making updates everyday.

That's the script with the problem I have:
Code:
/*DEFINES*/
define(bytes,F3 0F 10 83 80 46 00 00)
define(address,Aftermath.exe+5C25FA)
define(OFFSET,00004680)

[ENABLE]
//assert(address,bytes)
alloc(newmem,2048) //2k is enough
label(returnhere)
label(originalcode)
label(exit)
aobscan(InstantLoot, 60 0F 00 F3 0F 10 83 80 46 00 00 F3)

newmem:
       mov [ebx+OFFSET],(float)1

originalcode:
             movss xmm0,[ebx+OFFSET]

exit:
jmp returnhere


//address:
label(_InstantLoot)
registersymbol(_InstantLoot)
                            InstantLoot:
                            _InstantLoot:

jmp newmem
nop
nop
nop
nop
returnhere:




[DISABLE]
//address:
_InstantLoot:
db 60 0F 00 F3 0F 10 83 80 46 00 00 F3
movss xmm0,[ebx+00004680]
dealloc(newmem)
unregistersymbol(_InstantLoot)



I copied the list of all Opcodes/Bytes/Addresses from the Memory View, since I am not able to post pictures of it. Sorry Sad

Code:
Aftermath.exe+5C25BD - 8B 84 83 3C460000     - mov eax,[ebx+eax*4+0000463C]
Aftermath.exe+5C25C4 - F3 0F10 80 CC010000   - movss xmm0,[eax+000001CC]
Aftermath.exe+5C25CC - F3 0F11 44 24 68      - movss [esp+68],xmm0
Aftermath.exe+5C25D2 - E8 596E1300           - call Aftermath.exe+6F9430
Aftermath.exe+5C25D7 - F3 0F10 4C 24 68      - movss xmm1,[esp+68]
Aftermath.exe+5C25DD - F3 0F58 0D 64A3F200   - addss xmm1,[Aftermath.exe+B2A364]
Aftermath.exe+5C25E5 - 0F2F C8               - comiss xmm1,xmm0
Aftermath.exe+5C25E8 - 0F87 500B0000         - ja Aftermath.exe+5C313E
Aftermath.exe+5C25EE - 6A 00                 - push 00
Aftermath.exe+5C25F0 - E8 7B620F00           - call Aftermath.exe+6B8870
Aftermath.exe+5C25F5 - E8 36600F00           - call Aftermath.exe+6B8630

Aftermath.exe+5C25FA - F3 0F10 83 80460000   - movss xmm0,[ebx+00004680] // That's the opcode I can't find with my AOB scan. Why? It's also the one which crashes, if I add bytes of the opcode above it.

Aftermath.exe+5C2602 - F3 0F59 05 64A7F200   - mulss xmm0,[Aftermath.exe+B2A764]
Aftermath.exe+5C260A - F3 0F2C C0            - cvttss2si eax,xmm0
Aftermath.exe+5C260E - 50                    - push eax
Aftermath.exe+5C260F - E8 4C600F00           - call Aftermath.exe+6B8660
Aftermath.exe+5C2614 - F3 0F10 83 80460000   - movss xmm0,[ebx+00004680]
Aftermath.exe+5C261C - 0F2E 05 80A1F200      - ucomiss xmm0,[Aftermath.exe+B2A180]
Aftermath.exe+5C2623 - 9F                    - lahf
Aftermath.exe+5C2624 - F6 C4 44              - test ah,44
Aftermath.exe+5C2627 - 7A 48                 - jp Aftermath.exe+5C2671





And if I'd use it with just the bytes of the opcode. Then it links me to an opcode that is exactly as written as the one I use, just with the difference that it's not related to the address/function.

I am sorry, I might have fixed it on my own, but I am quite rusty. And I just don't seem to find the answer. I seriously stuck at the moment :/


Thanks in advance!


Last edited by Freakfrash on Sun Sep 06, 2015 8:45 pm; edited 2 times in total
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 342

Joined: 09 May 2003
Posts: 20062
Location: The netherlands

PostPosted: Sun Sep 06, 2015 8:30 pm    Post subject: Reply with quote

You should hook InstantLoot+3 instead, and only use 3 nops (the instruction is 8 and the jmp is 5, so 3 nops)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Back to top
View user's profile Send private message MSN Messenger
Zanzer
I post too much
Reputation: 120

Joined: 09 Jun 2013
Posts: 3260

PostPosted: Sun Sep 06, 2015 8:38 pm    Post subject: Reply with quote

Well, I'm concerned that your injection contains 4 NOPs.
I believe it should only be 3. If I'm wrong, fix my script.
Code:
[ENABLE]
aobscan(loot,6A 00 E8 * * * * E8 * * * * F3 0F 10 83 * * * * F3 0F 59 05)
alloc(newmem,$1000)

label(code)
label(return)
label(loot_save)

newmem:

code:
  db C7
  readmem(loot+F,5)
  dd (float)1
loot_save:
  readmem(loot+C,8)
  jmp return

loot+C:
  jmp code
  nop
  nop
  nop
return:
registersymbol(loot)
registersymbol(loot_save)

[DISABLE]
loot+C:
  readmem(loot_save,8)
unregistersymbol(loot)
unregistersymbol(loot_save)
dealloc(newmem)

You cannot reliably include bytes from a call statement, because they change each time the game loads.
Also, some things seems to be out of sync. Did you forget to bump the AOB label by the bytes you added?
Your disable script seems to be replacing bytes in the middle of the previous call.
So anyway, my AOB included the two function calls, which should make it unique.
I also used wildcards for the value offset since that is one huge offset and likely to change with a patch.
This required the use of READMEM to reproduce the possibly changing offset.
The instruction 'db C7' is the start of the MOV instruction.
The READMEM after fills in the [ebx+4680].
Followed up by the bytes to move a 1.0 into the address.
Back to top
View user's profile Send private message
Freakfrash
Newbie cheater
Reputation: 0

Joined: 18 Nov 2013
Posts: 11

PostPosted: Sun Sep 06, 2015 8:45 pm    Post subject: Reply with quote

Oh yea. Thanks for these replys. I'll be taking a look into it. I also will inform you if I get it fixed. And yes, I just realised I have 1 nop to much in it, lol.

Zanzer wrote:
Well, I'm concerned that your injection contains 4 NOPs.
I believe it should only be 3. If I'm wrong, fix my script.
Code:
[ENABLE]
aobscan(loot,6A 00 E8 * * * * E8 * * * * F3 0F 10 83 * * * * F3 0F 59 05)
alloc(newmem,$1000)

label(code)
label(return)
label(loot_save)

newmem:

code:
  db C7
  readmem(loot+F,5)
  dd (float)1
loot_save:
  readmem(loot+C,8)
  jmp return

loot+C:
  jmp code
  nop
  nop
  nop
return:
registersymbol(loot)
registersymbol(loot_save)

[DISABLE]
loot+C:
  readmem(loot_save,8)
unregistersymbol(loot)
unregistersymbol(loot_save)
dealloc(newmem)

You cannot reliably include bytes from a call statement, because they change each time the game loads.
Also, some things seems to be out of sync. Did you forget to bump the AOB label by the bytes you added?
Your disable script seems to be replacing bytes in the middle of the previous call.
So anyway, my AOB included the two function calls, which should make it unique.
I also used wildcards for the value offset since that is one huge offset and likely to change with a patch.
This required the use of READMEM to reproduce the possibly changing offset.
The instruction 'db C7' is the start of the MOV instruction.
The READMEM after fills in the [ebx+4680].
Followed up by the bytes to move a 1.0 into the address.



It's working fine without problems. I just got no clue what you basically did, due to the fact I never worked like that. Would you mind explaining me what else I could do in my version of script, to get it working? (Except for the fact that I had one nop to much) I'd really much appreciate it!! I assume, the problem is, that I am replacing some bytes of the call function as you explained already. This may causes the crash. How do I prevent that? Also, would you mind explaining me how you get your bytes for your aob scan?



Regards, Freakfrash.


//EDIT: FIXED!
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites