DeletedUser412833 (rank: How do I cheat?, reputation: 1, joined: 09 Feb 2017, posts: 0)
Posted: Thu Mar 03, 2016 4:27 am - Post subject: Ultimap question

I'm trying to follow this tutorial and I'm using the Windows 7 default game called Chess Titans. I'm trying to call the "About" window, however I'm having some issues: the game crashes right after I call the thread.
After filtering results I found one address related to the "About" window:
call chess.exe+41990
Code:
chess.exe+4AD5F - 0F8E 90F8FFFF - jng chess.exe+4A5F5
chess.exe+4AD65 - 4C 8D 84 24 B0050000 - lea r8,[rsp+000005B0]
chess.exe+4AD6D - 48 8D 15 FCC6FDFF - lea rdx,[chess.exe+27470] { ["open"] }
chess.exe+4AD74 - 45 33 C9 - xor r9d,r9d
chess.exe+4AD77 - 33 C9 - xor ecx,ecx
chess.exe+4AD79 - 44 89 7C 24 28 - mov [rsp+28],r15d
chess.exe+4AD7E - 48 89 7C 24 20 - mov [rsp+20],rdi
chess.exe+4AD83 - FF 15 6767FBFF - call qword ptr [chess.exe+14F0] { ->SHELL32.ShellExecuteW }
chess.exe+4AD89 - E9 67F8FFFF - jmp chess.exe+4A5F5
chess.exe+4AD8E - E8 196BFFFF - call chess.exe+418AC
chess.exe+4AD93 - E9 5DF8FFFF - jmp chess.exe+4A5F5
>>>> chess.exe+4AD98 - E8 F36BFFFF - call chess.exe+41990 <<<<<
chess.exe+4AD9D - E9 53F8FFFF - jmp chess.exe+4A5F5
chess.exe+4ADA2 - 45 33 C0 - xor r8d,r8d
chess.exe+4ADA5 - 33 D2 - xor edx,edx
chess.exe+4ADA7 - E9 28F8FFFF - jmp chess.exe+4A5D4
chess.exe+4ADAC - 41 38 BA D89C0400 - cmp [r10+00049CD8],dil
chess.exe+4ADB3 - F3 0F10 15 D1E4FEFF - movss xmm2,[chess.exe+3928C] { ["333?"] }
chess.exe+4ADBB - F3 0F10 0D 89D7FEFF - movss xmm1,[chess.exe+3854C] { [0.00] }
chess.exe+4ADC3 - 0F94 C0 - sete al
chess.exe+4ADC6 - 49 8D 8A A89C0400 - lea rcx,[r10+00049CA8]
chess.exe+4ADCD - 41 88 82 D89C0400 - mov [r10+00049CD8],al
chess.exe+4ADD4 - E8 2769FFFF - call chess.exe+41700

Then I've made this script (I assume it has some syntax errors?):
Code:
04820000: //The memory I allocated
call chess.exe+41990
retn
Then I've created a new thread with argument 0.
I can see the "About" window, but my game is crashing as soon as I close it. So I assume I'm doing something wrong?

ParkourPenguin (rank: I post too much, reputation: 140, joined: 06 Jul 2014, posts: 4289)
Posted: Thu Mar 03, 2016 12:15 pm

...why is that jmp after the call jumping 8 bytes down from that?
Your allocated memory seems like it has a bunch of junk in it. To clear that out, write a bunch of 0s after the last instruction or just deallocate and reallocate it again.
Your [ENABLE] section should look something like this:
Code:
alloc(newmem,1024)
createthread(newmem)
newmem:
call chess.exe+41990
ret
_________________
I don't know where I'm going, but I'll figure it out when I get there.

DeletedUser412833 (rank: How do I cheat?, reputation: 1, joined: 09 Feb 2017, posts: 0)
Posted: Thu Mar 03, 2016 12:33 pm

ParkourPenguin wrote:
    ...why is that jmp after the call jumping 8 bytes down from that?
    Your allocated memory seems like it has a bunch of junk in it. To clear that out, write a bunch of 0s after the last instruction or just deallocate and reallocate it again.
    Your [ENABLE] section should look something like this:
    Code:
    alloc(newmem,1024)
    createthread(newmem)
    newmem:
    call chess.exe+41990
    ret
Sorry. I'm a little bit confused here.
What exactly do I need to do before / after running your script?
Because I just added your script to the table and my game is crashing right after I enable it.
ulysse31 (rank: Master Cheater, reputation: 2, joined: 19 Mar 2015, posts: 324, location: Paris)
Posted: Thu Mar 03, 2016 12:48 pm

What is confusing is that you say this:
Quote:
    04820000: //The memory I allocated
    call chess.exe+41990
    retn
But your screen shows:
Code:
call chess.exe+41990
jmp 8 bytes later
So we want to know where it is jumping: what is 8 bytes later?
Also I am confused about why there is the instruction:
Quote:
    call qword ptr [xxxxxxxx]
If I am not mistaken it's calling the value held at xxxxxxxx, which happens to be right under your call, but well, Cheat Engine confirms it is calling the right function regardless, so that's okay.
What if you use his script with retn like this:
Code:
alloc(newmem,1024)
createthread(newmem)
newmem:
call chess.exe+41990
retn
?
DeletedUser412833 (rank: How do I cheat?, reputation: 1, joined: 09 Feb 2017, posts: 0)
Posted: Thu Mar 03, 2016 12:57 pm

ulysse31 wrote:
    What if you use his script with retn like this:
    Code:
    alloc(newmem,1024)
    createthread(newmem)
    newmem:
    call chess.exe+41990
    retn
    ?
If I open the "About" window before using your script, it calls the "About" window:
http://i.imgur.com/H7vLv87.png
But as soon as I click "OK" the game crashes.
Dark Byte (rank: Site Admin, reputation: 458, joined: 09 May 2003, posts: 25287, location: The Netherlands)
Posted: Thu Mar 03, 2016 12:58 pm

That jmp is part of the call instruction.
He didn't specify the region for the alloc, so the address distance is bigger than 2GB; therefore CE used this substitute:
Code:
call [RIP+2] //dq destination
jmp short +8 //after dq destination
dq destination
That causes the return address to be after the destination.
As for the original question (crashing):
Perhaps you didn't provide the correct parameters or used a wrong calling method.
E.g. it looks like you're not allocating space on the stack for the scratch space the function can use. It could therefore have overwritten the return address.
Code:
sub rsp,20
call chess.exe+41990
add rsp,20
ret
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.

DeletedUser412833 (rank: How do I cheat?, reputation: 1, joined: 09 Feb 2017, posts: 0)
Posted: Thu Mar 03, 2016 1:09 pm

How do I specify region for the alloc to avoid the crash and what would be the final script then?
Dark Byte (rank: Site Admin, reputation: 458, joined: 09 May 2003, posts: 25287, location: The Netherlands)
Posted: Thu Mar 03, 2016 1:12 pm

Phokz wrote:
    How do I specify region for the alloc to avoid the crash and what would be the final script then?
Code:
alloc(newmem,1024,chess.exe)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.

DeletedUser412833 (rank: How do I cheat?, reputation: 1, joined: 09 Feb 2017, posts: 0)
Posted: Thu Mar 03, 2016 1:19 pm

ParkourPenguin wrote:
    Oh... I didn't notice this was a 64 bit process. Well that complicates things a bit. Do what DB said with the stack. From here:
    Quote:
        The caller is responsible for allocating space for parameters to the callee, and must always allocate sufficient space for the 4 register parameters, even if the callee doesn't have that many parameters.
    Also, set a breakpoint at chess.exe+4AD98 (the game's call) and post the values of all the registers (namely RCX, RDX, R8, and R9) when the breakpoint triggers. There might be arguments being passed to it like a callback after the window closes.
http://i.imgur.com/6S4fXin.png
I need to open each of them in the memory viewer and post values?
http://i.imgur.com/GJqLuFt.png
ParkourPenguin (rank: I post too much, reputation: 140, joined: 06 Jul 2014, posts: 4289)
Posted: Thu Mar 03, 2016 1:39 pm

Seems like RCX and RDX both point to some other address in the same module, so they might be important. To avoid doing more work than what's necessary, see if executing that code with the stack allocation fixes it. If it still crashes, then get the offset of RCX and RDX from the module chess.exe.
To do so, open up the Lua engine (Ctrl + Alt + Shift + L from main CE window) and paste this in:
Code:
print(getNameFromAddress("FFC6AD98"))
The location of the module in the virtual address space could change if you restart the process, so set a breakpoint at that address again, get the values of RCX and RDX, get the name from those addresses, and move those static addresses into their respective registers in your code.
_________________
I don't know where I'm going, but I'll figure it out when I get there.

DeletedUser412833 (rank: How do I cheat?, reputation: 1, joined: 09 Feb 2017, posts: 0)
Posted: Thu Mar 03, 2016 1:50 pm

ParkourPenguin wrote:
    Seems like RCX and RDX both point to some other address in the same module, so they might be important. To avoid doing more work than what's necessary, see if executing that code with the stack allocation fixes it. If it still crashes, then get the offset of RCX and RDX from the module chess.exe.
    To do so, open up the Lua engine (Ctrl + Alt + Shift + L from main CE window) and paste this in:
    Code:
    print(getNameFromAddress("FFC6AD98"))
    The location of the module in the virtual address space could change if you restart the process, so set a breakpoint at that address again, get the values of RCX and RDX, get the name from those addresses, and move those static addresses into their respective registers in your code.
I got this: http://i.imgur.com/gLoV4bj.png
ParkourPenguin (rank: I post too much, reputation: 140, joined: 06 Jul 2014, posts: 4289)
Posted: Thu Mar 03, 2016 1:57 pm

So then just move that address (chess.exe+4AD98) into RCX before you call it. Maybe also assign chess.exe to RDX as well, if it still crashes. Continue on with R8 and R9 as well, but I doubt you'll need to.
_________________
I don't know where I'm going, but I'll figure it out when I get there.

ParkourPenguin (rank: I post too much, reputation: 140, joined: 06 Jul 2014, posts: 4289)
Posted: Thu Mar 03, 2016 3:11 pm

Except for the alloc(...), you didn't change anything. The alloc wasn't even the reason why your script was crashing.
RDX does have an address: chess.exe, or 0xFF2B0000. Then again, you didn't assign RCX nor did you give some space on the stack for the function call (which DB and I told you to do several times), so there's no guarantee you even need to assign any arguments.
All you need to do to try it is copy and paste what DB gave you:
Dark Byte wrote:
    Code:
    sub rsp,20
    call chess.exe+41990
    add rsp,20
    ret
If that doesn't work, then move the address chess.exe+4AD98 into RCX (using the MOV instruction before the call) and see if it works.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
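Two mechanics decide this thread: the out-of-range CALL substitute Dark Byte describes (call [RIP+2] / jmp short +8 / dq destination) and the 0x20 bytes of shadow space a Windows x64 caller has to reserve before the call, which is what the sub rsp,20 / add rsp,20 stub provides. The Python below is an added example, not code from the thread or from Cheat Engine: it decodes the relative CALL/JMP bytes straight from the listing the original poster pasted (so the chess.exe offsets can be checked by hand before a thread is ever created), encodes both CALL forms, and assembles the thread-entry stub. The stub address, the far-away target used to trigger the substitute, and the frame-size parameter are constructed values, not anything from the thread.

```python
"""
Added example: encode/decode the x86-64 CALL forms discussed in the thread and
build the thread-entry stub with the 0x20-byte shadow space.  Offsets such as
0x4AD98 and 0x41990 are module-relative values from the pasted listing; the
stub address and far target used for demonstration are constructed.
"""
import struct

INT32_MIN, INT32_MAX = -(1 << 31), (1 << 31) - 1


def rel32_target(instr_addr, instr_bytes):
    """Target of 'E8 rel32' (call) or 'E9 rel32' (jmp) located at instr_addr.

    The displacement is relative to the *next* instruction, which for a CALL
    is also the return address that gets pushed on the stack.
    """
    assert instr_bytes[0] in (0xE8, 0xE9) and len(instr_bytes) == 5
    disp = struct.unpack("<i", instr_bytes[1:5])[0]
    return instr_addr + 5 + disp


def rel8_target(instr_addr, instr_bytes):
    """Target of 'EB rel8' (jmp short)."""
    assert instr_bytes[0] == 0xEB and len(instr_bytes) == 2
    return instr_addr + 2 + struct.unpack("<b", instr_bytes[1:2])[0]


def rip_relative_operand(instr_addr, instr_bytes):
    """Memory slot read by 'FF 15 disp32' (call qword ptr [rip+disp32])."""
    assert instr_bytes[:2] == b"\xFF\x15" and len(instr_bytes) == 6
    disp = struct.unpack("<i", instr_bytes[2:6])[0]
    return instr_addr + 6 + disp


def encode_call(src, dst):
    """Bytes for a CALL placed at src that reaches dst.

    Near form (5 bytes) when dst is within +/-2 GiB of the next instruction.
    Otherwise the 16-byte substitute described in the thread:
        FF 15 02 00 00 00   call qword ptr [rip+2]   ; reads the dq below
        EB 08               jmp short +8             ; skips the dq
        dq dst
    The CPU pushes src+6 (the jmp) as the return address, so on return the
    jmp hops over the 8-byte destination slot instead of executing it.
    """
    disp = dst - (src + 5)
    if INT32_MIN <= disp <= INT32_MAX:
        return b"\xE8" + struct.pack("<i", disp)
    return b"\xFF\x15\x02\x00\x00\x00" + b"\xEB\x08" + struct.pack("<Q", dst)


def return_address(src, call_bytes):
    """Address pushed by the CALL that starts at src (either form)."""
    return src + 5 if call_bytes[0] == 0xE8 else src + 6


def build_thread_stub(stub_addr, target, frame=0x20):
    """Thread-entry stub: reserve shadow space, call, release it, return.

    Windows x64 makes the caller reserve 32 bytes (0x20) of home space for the
    four register parameters before every call, even for a callee that takes
    no parameters; the callee is free to write into that area.  Without the
    reservation those writes land on the stub's own return address, which is
    the crash the thread is chasing.  frame=0x28 would additionally restore
    16-byte alignment at the call (rsp is 8 mod 16 on entry because of the
    pushed return address), which some callees require for SSE spills.
    """
    assert 0 <= frame <= 0x7F, "imm8 encoding only"
    code = bytes([0x48, 0x83, 0xEC, frame])             # sub rsp, frame
    code += encode_call(stub_addr + len(code), target)  # call target
    code += bytes([0x48, 0x83, 0xC4, frame])            # add rsp, frame
    code += b"\xC3"                                     # ret
    return code


if __name__ == "__main__":
    # Check the poster's listing: E8 F36BFFFF at chess.exe+4AD98 -> +41990
    print(hex(rel32_target(0x4AD98, bytes.fromhex("E8F36BFFFF"))))
    # Constructed far addresses to force the substitute form
    far = encode_call(0x7FF600000000, 0x0000000004820000)
    print(far.hex(), hex(return_address(0x7FF600000000, far)))
    print(build_thread_stub(0x4820000, 0x41990).hex())
```

Decoding the listing's own bytes is the cheap sanity check here: the E8 at chess.exe+4AD98 resolves to +41990 and the FF 15 at +4AD83 resolves to the import slot at +14F0, exactly as the disassembler printed. The far-call test shows why the jmp after the substitute is "8 bytes later": the pushed return address is the jmp itself, and its rel8 lands just past the dq.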