Ultimap question
DeletedUser412833
How do I cheat?
Reputation: 1

Joined: 09 Feb 2017
Posts: 0

Posted: Thu Mar 03, 2016 4:27 am    Post subject: Ultimap question

I'm trying to follow this tutorial and I'm using the Windows 7 default game called Chess Titans. I'm trying to call the "About" window; however, I'm having some issues: the game crashes right after I call the thread.

After filtering results I found one address related to the "About" window:

call chess.exe+41990

Code:
chess.exe+4AD5F - 0F8E 90F8FFFF         - jng chess.exe+4A5F5
chess.exe+4AD65 - 4C 8D 84 24 B0050000  - lea r8,[rsp+000005B0]
chess.exe+4AD6D - 48 8D 15 FCC6FDFF     - lea rdx,[chess.exe+27470] { ["open"] }
chess.exe+4AD74 - 45 33 C9              - xor r9d,r9d
chess.exe+4AD77 - 33 C9                 - xor ecx,ecx
chess.exe+4AD79 - 44 89 7C 24 28        - mov [rsp+28],r15d
chess.exe+4AD7E - 48 89 7C 24 20        - mov [rsp+20],rdi
chess.exe+4AD83 - FF 15 6767FBFF        - call qword ptr [chess.exe+14F0] { ->SHELL32.ShellExecuteW }
chess.exe+4AD89 - E9 67F8FFFF           - jmp chess.exe+4A5F5
chess.exe+4AD8E - E8 196BFFFF           - call chess.exe+418AC
chess.exe+4AD93 - E9 5DF8FFFF           - jmp chess.exe+4A5F5
>>>> chess.exe+4AD98 - E8 F36BFFFF           - call chess.exe+41990 <<<<<
chess.exe+4AD9D - E9 53F8FFFF           - jmp chess.exe+4A5F5
chess.exe+4ADA2 - 45 33 C0              - xor r8d,r8d
chess.exe+4ADA5 - 33 D2                 - xor edx,edx
chess.exe+4ADA7 - E9 28F8FFFF           - jmp chess.exe+4A5D4
chess.exe+4ADAC - 41 38 BA D89C0400     - cmp [r10+00049CD8],dil
chess.exe+4ADB3 - F3 0F10 15 D1E4FEFF   - movss xmm2,[chess.exe+3928C] { ["333?"] }
chess.exe+4ADBB - F3 0F10 0D 89D7FEFF   - movss xmm1,[chess.exe+3854C] { [0.00] }
chess.exe+4ADC3 - 0F94 C0               - sete al
chess.exe+4ADC6 - 49 8D 8A A89C0400     - lea rcx,[r10+00049CA8]
chess.exe+4ADCD - 41 88 82 D89C0400     - mov [r10+00049CD8],al
chess.exe+4ADD4 - E8 2769FFFF           - call chess.exe+41700


Then I made this script (I assume it has some syntax errors?):

Code:
04820000: //The memory I allocated

call chess.exe+41990
retn


Then I created a new thread with argument 0.

I can see "About" window, but my game is crashing as soon as I close it. So I assume I'm doing something wrong?
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Thu Mar 03, 2016 12:15 pm

...why is that jmp after the call jumping 8 bytes down from that?
Your allocated memory seems like it has a bunch of junk in it. To clear that out, write a bunch of 0s after the last instruction or just deallocate and reallocate it again.
Your [ENABLE] section should look something like this:
Code:
alloc(newmem,1024)
createthread(newmem)
newmem:
  call chess.exe+41990
  ret

_________________
I don't know where I'm going, but I'll figure it out when I get there.
DeletedUser412833
How do I cheat?
Reputation: 1

Joined: 09 Feb 2017
Posts: 0

Posted: Thu Mar 03, 2016 12:33 pm

ParkourPenguin wrote:
...why is that jmp after the call jumping 8 bytes down from that?
Your allocated memory seems like it has a bunch of junk in it. To clear that out, write a bunch of 0s after the last instruction or just deallocate and reallocate it again.
Your [ENABLE] section should look something like this:
Code:
alloc(newmem,1024)
createthread(newmem)
newmem:
  call chess.exe+41990
  ret


Sorry. I'm a little bit confused here.
What exactly do I need to do before / after running your script?
Because I just added your script to the table and my game is crashing right after I enable it.
ulysse31
Master Cheater
Reputation: 2

Joined: 19 Mar 2015
Posts: 324
Location: Paris

Posted: Thu Mar 03, 2016 12:48 pm

What is confusing is that you say this:
Quote:
04820000: //The memory I allocated

call chess.exe+41990
retn


But your screen shows:

Code:
call chess.exe+41990
jmp 8 bytes later

So we want to know where it is jumping: what is 8 bytes later?
Also I am confused about why there is the instruction:
Quote:
call qword ptr [xxxxxxxx]

If I am not mistaken, it's calling the value held at xxxxxxxx, which happens to be right under your call, but Cheat Engine confirms it is calling the right function regardless, so that's okay.
What if you use his script with retn, like this:
Code:
alloc(newmem,1024)
createthread(newmem)
newmem:
  call chess.exe+41990
  retn

?
DeletedUser412833
How do I cheat?
Reputation: 1

Joined: 09 Feb 2017
Posts: 0

Posted: Thu Mar 03, 2016 12:57 pm

ulysse31 wrote:

what if you use his script with retn like this :
Code:
alloc(newmem,1024)
createthread(newmem)
newmem:
  call chess.exe+41990
  retn

?


If I open the "About" window before using your script, it calls the "About" window:

http://i.imgur.com/H7vLv87.png


But as soon as I click "OK" the game crashes.
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

Posted: Thu Mar 03, 2016 12:58 pm

That jmp is part of the call instruction.
He didn't specify the region for the alloc, so the address distance is bigger than 2GB.
Therefore, CE used this substitute:
Code:

call [RIP+2]   //dq destination
jmp short +8 //after dq destination
dq destination

That causes the return address to be after the destination.


As for the original question (crashing):
Perhaps you didn't provide the correct parameters or used a wrong calling method.
E.g. it looks like you're not allocating space on the stack for the scratch space the function can use. It could therefore have overwritten the return address.

Code:

sub rsp,20
call chess.exe+41990
add rsp,20
ret

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
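The substitute Dark Byte describes, as an added model (not Cheat Engine's own code): it encodes a call the way the auto assembler does, using a 5-byte E8 rel32 when the target is within 2GB and the 16-byte "call [rip+2] / jmp short +8 / dq destination" sequence otherwise, and decodes the result to show where the return address and the jmp land. The addresses come from the thread (alloc at 04820000, chess.exe at FFC20000 since FFC6AD98 is chess.exe+4AD98); ALLOC_NEAR is a constructed value standing in for what alloc(newmem,1024,chess.exe) might return.

```python
import struct

# Models how CE's auto assembler encodes "call chess.exe+41990" from
# allocated memory (added example, not CE's source). Within +/-2 GB a
# 5-byte "E8 rel32" fits; beyond that CE substitutes:
#   call qword ptr [rip+2]   ; FF 15 02 00 00 00
#   jmp short +8             ; EB 08   (skips the 8-byte pointer below)
#   dq destination           ; 8-byte absolute address
# A disassembler then shows "call chess.exe+41990" followed by a jmp
# 8 bytes ahead, which is what confused the thread.

TRAMPOLINE_LEN = 16

def encode_call(src, dst):
    """Bytes for a call located at src that targets dst (x64)."""
    rel = dst - (src + 5)                 # rel32 is relative to the next instruction
    if -2**31 <= rel < 2**31:
        return b"\xE8" + struct.pack("<i", rel)
    return (b"\xFF\x15" + struct.pack("<i", 2)   # call qword ptr [rip+2]
            + b"\xEB\x08"                         # jmp short +8
            + struct.pack("<Q", dst))             # dq destination

def decode_call(src, code):
    """Return (target, pushed return address, address execution resumes at)."""
    if code[0] == 0xE8:
        rel = struct.unpack_from("<i", code, 1)[0]
        return src + 5 + rel, src + 5, src + 5
    assert code[:2] == b"\xFF\x15"
    disp = struct.unpack_from("<i", code, 2)[0]
    ptr = src + 6 + disp                  # rip-relative: rip = end of the 6-byte call
    target = struct.unpack_from("<Q", code, ptr - src)[0]
    assert code[6] == 0xEB                # the return address points at this jmp
    resume = src + 8 + struct.unpack_from("<b", code, 7)[0]
    return target, src + 6, resume

# Addresses from the thread: OP's alloc at 04820000; chess.exe loaded at
# FFC20000 (FFC6AD98 == chess.exe+4AD98), so chess.exe+41990 == FFC61990.
ALLOC_FAR = 0x04820000
CHESS_BASE = 0xFFC20000
ABOUT_FN = CHESS_BASE + 0x41990
ALLOC_NEAR = 0xFFC10000   # constructed: a region alloc(newmem,1024,chess.exe) might pick

if __name__ == "__main__":
    for src in (ALLOC_FAR, ALLOC_NEAR):
        code = encode_call(src, ABOUT_FN)
        print(hex(src), code.hex(), [hex(v) for v in decode_call(src, code)])
```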
DeletedUser412833
How do I cheat?
Reputation: 1

Joined: 09 Feb 2017
Posts: 0

Posted: Thu Mar 03, 2016 1:09 pm

How do I specify the region for the alloc to avoid the crash, and what would the final script be then?
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Thu Mar 03, 2016 1:12 pm

Oh... I didn't notice this was a 64 bit process. Well that complicates things a bit. Do what DB said with the stack. From here:
Quote:
The caller is responsible for allocating space for parameters to the callee, and must always allocate sufficient space for the 4 register parameters, even if the callee doesn’t have that many parameters.

Also, set a breakpoint at chess.exe+4AD98 (the game's call) and post the values of all the registers (namely RCX, RDX, R8, and R9) when the breakpoint triggers. There might be arguments being passed to it like a callback after the window closes.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
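Why the "sub rsp,20" Dark Byte and ParkourPenguin ask for matters, as an added model of the stack (not code from the thread or from Cheat Engine): a Windows x64 callee may spill RCX, RDX, R8 and R9 into the 32-byte shadow space above its return address, and if newmem never reserved that space the spill lands on the return address newmem itself has to ret to. THREAD_RETURN is a constructed value; the callee here is assumed to home its register arguments, which is one way the function could overwrite the return address as described above.

```python
# Model of the x64 shadow-space rule behind "sub rsp,20 / call / add rsp,20".
# The caller must leave 32 bytes above the return address; the callee may
# write its four register args to [rsp+8..rsp+28] (callee's view) on entry.
# Without the reservation those writes hit the caller's own saved data,
# here the address newmem must return to, so the crash only shows up when
# the About dialog closes and the function returns.

THREAD_RETURN = 0x7FFA12340000   # constructed: where newmem's own ret must go
NEWMEM_RETURN = 0x04820005       # return address pushed by "call chess.exe+41990"

class Stack:
    """Tiny 8-byte-granular stack model (addresses grow downward)."""
    def __init__(self, rsp):
        self.rsp, self.mem = rsp, {}
    def push(self, value):
        self.rsp -= 8
        self.mem[self.rsp] = value
    def pop(self):
        value = self.mem.get(self.rsp, 0)
        self.rsp += 8
        return value

def callee_that_homes_args(stack, rcx, rdx, r8, r9):
    """Assumed prologue: store the register args in the shadow space."""
    for i, reg in enumerate((rcx, rdx, r8, r9)):
        stack.mem[stack.rsp + 8 + 8 * i] = reg   # [rsp+8], [rsp+10], [rsp+18], [rsp+20]
    return stack.pop()                            # ret: pops NEWMEM_RETURN

def run_newmem(reserve_shadow_space):
    """Simulate newmem; return the address its final ret transfers to."""
    st = Stack(0x1000)
    st.push(THREAD_RETURN)          # createthread's call into newmem pushed this
    if reserve_shadow_space:
        st.rsp -= 0x20              # sub rsp,20
    st.push(NEWMEM_RETURN)          # call chess.exe+41990 (all args zero here)
    callee_that_homes_args(st, 0, 0, 0, 0)
    if reserve_shadow_space:
        st.rsp += 0x20              # add rsp,20
    return st.pop()                 # ret from newmem

if __name__ == "__main__":
    print(hex(run_newmem(True)))    # intact: THREAD_RETURN
    print(hex(run_newmem(False)))   # clobbered by the spilled RCX value (0)
```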
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

Posted: Thu Mar 03, 2016 1:12 pm

Phokz wrote:
How do I specify the region for the alloc to avoid the crash, and what would the final script be then?


alloc(newmem,1024,chess.exe)

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
DeletedUser412833
How do I cheat?
Reputation: 1

Joined: 09 Feb 2017
Posts: 0

Posted: Thu Mar 03, 2016 1:19 pm

ParkourPenguin wrote:
Oh... I didn't notice this was a 64 bit process. Well that complicates things a bit. Do what DB said with the stack. From here:
Quote:
The caller is responsible for allocating space for parameters to the callee, and must always allocate sufficient space for the 4 register parameters, even if the callee doesn’t have that many parameters.

Also, set a breakpoint at chess.exe+4AD98 (the game's call) and post the values of all the registers (namely RCX, RDX, R8, and R9) when the breakpoint triggers. There might be arguments being passed to it like a callback after the window closes.


http://i.imgur.com/6S4fXin.png
I need to open each of them in the memory viewer and post values?
http://i.imgur.com/GJqLuFt.png
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Thu Mar 03, 2016 1:39 pm

Seems like RCX and RDX both point to some other address in the same module, so they might be important. To avoid doing more work than what's necessary, see if executing that code with the stack allocation fixes it. If it still crashes, then get the offset of RCX and RDX from the module chess.exe.

To do so, open up the Lua engine (Ctrl + Alt + Shift + L from main CE window) and paste this in:
Code:
print(getNameFromAddress("FFC6AD98"))

The location of the module in the virtual address space could change if you restart the process, so set a breakpoint at that address again, get the values of RCX and RDX, get the name from those addresses, and move those static addresses into their respective registers in your code.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
DeletedUser412833
How do I cheat?
Reputation: 1

Joined: 09 Feb 2017
Posts: 0

Posted: Thu Mar 03, 2016 1:50 pm

ParkourPenguin wrote:
Seems like RCX and RDX both point to some other address in the same module, so they might be important. To avoid doing more work than what's necessary, see if executing that code with the stack allocation fixes it. If it still crashes, then get the offset of RCX and RDX from the module chess.exe.

To do so, open up the Lua engine (Ctrl + Alt + Shift + L from main CE window) and paste this in:
Code:
print(getNameFromAddress("FFC6AD98"))

The location of the module in the virtual address space could change if you restart the process, so set a breakpoint at that address again, get the values of RCX and RDX, get the name from those addresses, and move those static addresses into their respective registers in your code.


I got this: http://i.imgur.com/gLoV4bj.png
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Thu Mar 03, 2016 1:57 pm

So then just move that address (chess.exe+4AD98) into RCX before you call it. Maybe also assign chess.exe to RDX as well, if it still crashes. Continue on with R8 and R9 as well, but I doubt you'll need to.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
DeletedUser412833
How do I cheat?
Reputation: 1

Joined: 09 Feb 2017
Posts: 0

Posted: Thu Mar 03, 2016 2:52 pm

You mean like that? http://i.imgur.com/LVKHv74.png
It's still crashing. I haven't assigned RDX yet, because it has no address:

http://i.imgur.com/suG7psm.png
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Thu Mar 03, 2016 3:11 pm

Except for the alloc(...), you didn't change anything. The alloc wasn't even the reason why your script was crashing.

RDX does have an address: chess.exe, or 0xFF2B0000. Then again, you didn't assign RCX nor did you give some space on the stack for the function call (which DB and I told you to do several times), so there's no guarantee you even need to assign any arguments.

All you need to do to try it is copy and paste what DB gave you:
Dark Byte wrote:
Code:
sub rsp,20
call chess.exe+41990
add rsp,20
ret

If that doesn't work, then move the address chess.exe+4AD98 into RCX (using the MOV instruction before the call) and see if it works.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Page 1 of 2