Custom 'AOB Injection' Templates [ver. 1.3.6]
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sun Mar 06, 2016 12:44 pm

The only thing that I do not like about CE's generator is that it is limited, so it will fail if no unique signature can be found within a certain number of bytes.

GH*master's generator for his AAMaker is clever in that it uses wildcards for every byte after the first or second byte on every line, so that you're only defining the jumps/moves etc., allowing you to mitigate potential pattern breaks if/when the target is patched. The downside, of course, is that the signatures need to be much larger in order for a unique signature to be found, therefore increasing the possibility that your signature may break if a major change is seen from any future patches.

Personally, I welcome any improvements. I think, if you really wanted to improve the signature generator, you would have it generate multiple signatures, such as the following:

1. Simple signature with no wildcards that begins above the point of injection.
2. Simple signature with no wildcards that begins at the point of injection.
3. Simple signature with no wildcards that begins below the point of injection.
4. Advanced signature with wildcards that begins above the point of injection.
5. Advanced signature with wildcards that begins at the point of injection.
6. Advanced signature with wildcards that begins below the point of injection.

Then, have all of these signatures 'bundled' into a large, multi-signature that CE could scan until something was found, thus giving us a greater chance that our injection will succeed. In other words, instead of having 1 signature to rely on, we now have 6 different signatures for the same injection point - all automatically generated, of course.

Code:
AOBSuperScanModule(aob_ammo,game.exe,00000000000, 00000000000, 00000000000, 00xxxxxx0xxxxxxx0xxxxxxx, 00xxxxxx0xxxxxxx0xxxxxxx, 00xxxxxx0xxxxxxx0xxxxxxx)
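As an added example (not part of METHOS's post, of the extension, or of AAMaker), the Python below implements the two generation strategies compared above and the six-variant bundle proposed in the list: exact signatures, AAMaker-style signatures that keep only the first byte of each instruction, each grown one instruction at a time until it is unique in a buffer, plus a scan that tries the bundle in order until one variant still hits. The instruction bytes are copied from the disassembly listing CE produced in a post further down this page; the decoy copy of the overwritten bytes and the simulated patch are constructed for the example, and all function names are this example's own.

```python
# Constructed sample: instruction bytes copied from the CE disassembly listing
# (04659B82..04659BBA) posted further down in this thread. Index 10 is the
# injection point, mov [eax],ecx.
INSTRUCTIONS = [bytes.fromhex(h) for h in (
    '8D4F01', '39700C', '0F8636000000', '8D44B010', '8908', '8B4314',
    '39780C', '0F8618000000', '8D44B810', '8B4D10',
    '8908', '8B4330',                      # injection point: the 5 bytes CE overwrites
    '40', '894330', '8D65F4', '5E', '5F', '5B', 'C9', 'C3', '6A2A', '6878060000',
)]
INJECT_INDEX = 10
CODE = b''.join(INSTRUCTIONS)
# Constructed decoy: a second copy of the overwritten bytes elsewhere in "memory",
# so that a too-short signature is not unique (the failure the post describes).
DECOY = bytes.fromhex('89088B433040C3')
BUF = b'\xCC' * 8 + DECOY + b'\xCC' * 8 + CODE
CODE_BASE = len(BUF) - len(CODE)           # where CODE starts inside BUF (23)

# A signature is a list of (byte, fixed) pairs; fixed=False means '??'.
def simple_signature(instrs, start, count):
    """Exact bytes of `count` instructions starting at instruction `start`."""
    return [(b, True) for ins in instrs[start:start + count] for b in ins]

def wildcard_signature(instrs, start, count, keep=1):
    """AAMaker style: keep the first `keep` byte(s) of each instruction (the
    opcode) and wildcard operands/displacements so they survive small patches."""
    return [(b, i < keep) for ins in instrs[start:start + count] for i, b in enumerate(ins)]

def to_aob(sig):
    return ' '.join(f'{b:02X}' if fixed else '??' for b, fixed in sig)

def parse_aob(text):
    return [(0, False) if t == '??' else (int(t, 16), True) for t in text.split()]

def find_all(sig, buf):
    """Every offset in buf where the signature matches."""
    return [o for o in range(len(buf) - len(sig) + 1)
            if all(not fixed or buf[o + i] == b for i, (b, fixed) in enumerate(sig))]

def grow_until_unique(gen, instrs, start, buf, max_count):
    """Extend the signature one instruction at a time until it matches exactly
    once; None if no unique signature exists within max_count instructions
    (CE's generator gives up in the same way)."""
    for count in range(1, max_count + 1):
        if start + count > len(instrs):
            break
        sig = gen(instrs, start, count)
        if len(find_all(sig, buf)) == 1:
            return sig
    return None

def signature_bundle(instrs, inject_index, buf, max_count=8):
    """The six variants proposed above: simple/wildcard x above/at/below the
    injection point, each with the distance back to the injection point."""
    bundle = []
    for where, start in (('above', inject_index - 2), ('at', inject_index), ('below', inject_index + 2)):
        lo, hi = sorted((start, inject_index))
        distance = sum(len(ins) for ins in instrs[lo:hi])
        inject_offset = distance if start <= inject_index else -distance
        for kind, gen in (('simple', simple_signature), ('wildcard', wildcard_signature)):
            sig = grow_until_unique(gen, instrs, start, buf, max_count)
            if sig is not None:
                bundle.append({'where': where, 'kind': kind, 'aob': to_aob(sig), 'inject_offset': inject_offset})
    return bundle

def resolve_injection_point(bundle, buf):
    """The 'multi-signature' scan: try each signature in turn and return the
    injection address from the first one that is still unique, else None."""
    for entry in bundle:
        hits = find_all(parse_aob(entry['aob']), buf)
        if len(hits) == 1:
            return hits[0] + entry['inject_offset']
    return None

def simulate_patch(buf, edits):
    """Copy of buf with {offset: byte} edits applied (stand-in for a game update)."""
    out = bytearray(buf)
    for off, val in edits.items():
        out[off] = val
    return bytes(out)

if __name__ == '__main__':
    bundle = signature_bundle(INSTRUCTIONS, INJECT_INDEX, BUF)
    for e in bundle:
        print(f"{e['where']:5} {e['kind']:8} {e['aob']}  (inject at hit{e['inject_offset']:+d})")
    # Change both [ebx+30] displacements to [ebx+34]: the exact 'at' signature
    # breaks, while the wildcard one and the bundle as a whole still resolve.
    patched = simulate_patch(BUF, {CODE_BASE + 41: 0x34, CODE_BASE + 45: 0x34})
    print(resolve_injection_point(bundle, BUF), resolve_injection_point(bundle, patched))
```

On this buffer the exact signature at the injection point needs four instructions before the decoy stops matching, and it dies as soon as a displacement changes; the wildcard variant of the same length survives that patch, and because the bundle is scanned in order, the injection point is still found even when one variant has gone stale.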
mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Sun Mar 06, 2016 1:13 pm

Quote:
GH*master's generator for his AAMaker is clever

Yes, something similar to pattern generator from AAMaker.

++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Thu Apr 14, 2016 1:57 pm

While helping someone with a script today, I encountered this error:

Code:
Error:...Cheat Engine 6.5\autorun\customAOBInjectionTemplates.lua:723: bad argument #2 to 'gsub' (string/function/table expected)


I had to resort to CE's Injection template. Here is what CE generated:

Code:
{ Game   : HuniePop.exe
  Version:
  Date   : 2016-04-14
  Author : METHOS

  This script does blah blah blah
}

[ENABLE]

aobscan(traits,89 08 8B 43 30 40 89 43 30 8D 65 F4 5E 5F 5B C9 C3 6A) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  mov [eax],ecx
  mov eax,[ebx+30]
  jmp return

traits:
  jmp code
return:
registersymbol(traits)

[DISABLE]

traits:
  db 89 08 8B 43 30

unregistersymbol(traits)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 04659BA7

04659B82: 8D 4F 01           -  lea ecx,[edi+01]
04659B85: 39 70 0C           -  cmp [eax+0C],esi
04659B88: 0F 86 36 00 00 00  -  jbe 04659BC4
04659B8E: 8D 44 B0 10        -  lea eax,[eax+esi*4+10]
04659B92: 89 08              -  mov [eax],ecx
04659B94: 8B 43 14           -  mov eax,[ebx+14]
04659B97: 39 78 0C           -  cmp [eax+0C],edi
04659B9A: 0F 86 18 00 00 00  -  jbe 04659BB8
04659BA0: 8D 44 B8 10        -  lea eax,[eax+edi*4+10]
04659BA4: 8B 4D 10           -  mov ecx,[ebp+10]
// ---------- INJECTING HERE ----------
04659BA7: 89 08              -  mov [eax],ecx
04659BA9: 8B 43 30           -  mov eax,[ebx+30]
// ---------- DONE INJECTING  ----------
04659BAC: 40                 -  inc eax
04659BAD: 89 43 30           -  mov [ebx+30],eax
04659BB0: 8D 65 F4           -  lea esp,[ebp-0C]
04659BB3: 5E                 -  pop esi
04659BB4: 5F                 -  pop edi
04659BB5: 5B                 -  pop ebx
04659BB6: C9                 -  leave
04659BB7: C3                 -  ret
04659BB8: 6A 2A              -  push 2A
04659BBA: 68 78 06 00 00     -  push 00000678
}


Any idea what could be causing the problem? I did notice that the script generation wasn't instant, but took a second or two to process...not sure if that matters. Perhaps a wait timer needs to be implemented or adjusted?

Thanks!
mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Fri Apr 15, 2016 4:42 am

++METHOS wrote:
Code:
Error:...Cheat Engine 6.5\autorun\customAOBInjectionTemplates.lua:723: bad argument #2 to 'gsub' (string/function/table expected)

That line number, 723, doesn't tell me anything. I have the vanilla script.

Could you copy and paste that line here? Even better, post 5 lines: 2 before, the one at 723, 2 after.

++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Fri Apr 15, 2016 1:21 pm

Sorry...I didn't think about that.

Code:
  template = template:gsub('%%authorName%%', authorName)
  template = template:gsub('%%processName%%', processName)

  template = template:gsub('%%isModuleScan%%', isModuleScan)       --723

  template = template:gsub('%%searchPattern%%', searchPattern)
  template = template:gsub('%%CmoduleName%%', comma_moduleName)


This particular process did not display module addressing, as you can see above.
mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Fri Apr 15, 2016 3:43 pm

Test it again. Should be fixed.

Added:
%replacedInstructionsSize% - byte count of all original instructions that are overwritten, e.g. if there are three nops, it will be "8"

++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Fri Apr 15, 2016 5:56 pm

Thanks. I will report back later. I need to grab the game again and figure out what changes you've made so that I can incorporate everything into my current script.

EDIT:
It's working now. Good work! Thank you.
STN
I post too much
Reputation: 42

Joined: 09 Nov 2005
Posts: 2672

Posted: Sun May 15, 2016 1:19 pm

Thank you! This is really awesome and a time-saver.
_________________
Cheat Requests/Tables- Fearless Cheat Engine
https://fearlessrevolution.com
predprey
Master Cheater
Reputation: 24

Joined: 08 Oct 2015
Posts: 486

Posted: Thu Aug 18, 2016 7:21 pm

Added support for mono method addresses.
New "Mono Inject" template for JIT-ting and injecting into mono methods.

New Keyword:
%monoAddress% - If the mono data collector is active and the address is part of a method, it returns the method name+offset. Otherwise it is empty.

Update 1: Fixed rare bug if target process crashes which causes monoAddress to be nil.
mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Wed Sep 14, 2016 6:02 am

@predprey, thank you. I will also add a fix for CE6.6Alpha/Beta/RC/Final (don't know).


Edit:
Added.

Csimbi
I post too much
Reputation: 92

Joined: 14 Jul 2007
Posts: 3102

Posted: Wed Sep 14, 2016 1:40 pm

Hi guys,
any chance of creating a template that generates exactly this?
The cheat name should be entered via a popup.
Some bits and pieces are missing template-wise...
You can call it Csimbi's weird AOB.
Thank you!

Code:

[ENABLE]
aobscanmodule(aobCheatName,Game.exe,F3 41 0F 10 9C 24 ?? ?? 00 00 41 0F 28 D0 48 8D 95 ?? ?? 00 00)

alloc(newmem,4096,aobCheatName)

label(aobCheatName_r)
label(aobCheatName_i)
registersymbol(aobCheatName_r)
registersymbol(aobCheatName_i)

label(lblCheatName)
label(lblCheatNameSkip)
label(lblCheatNameRet)

label(bEnableCheatName)
registersymbol(bEnableCheatName)

newmem:
bEnableCheatName:
dd 1

lblCheatName:
//Alt: movss xmm3,[r12+0000034C]
//db F3 41 0F 10 9C 24 4C 03 00 00
readmem(aobCheatName,10)
cmp dword ptr [bEnableCheatName],1
jne short lblCheatNameSkip
// Place your code here
lblCheatNameSkip:
jmp lblCheatNameRet
aobCheatName_i:
readmem(aobCheatName,10)

//"Game.exe"+7D4FC3:
aobCheatName:
aobCheatName_r:
jmp lblCheatName
nop
nop
nop
nop
nop
lblCheatNameRet:

[DISABLE]
aobCheatName_r:
//"Game.exe"+7D4FC3:
//Alt: movss xmm3,[r12+0000034C]
//db F3 41 0F 10 9C 24 4C 03 00 00
readmem(aobCheatName_i,10)

unregistersymbol(aobCheatName_r)
unregistersymbol(aobCheatName_i)

unregistersymbol(bEnableCheatName)

dealloc(newmem)
predprey
Master Cheater
Reputation: 24

Joined: 08 Oct 2015
Posts: 486

Posted: Wed Sep 14, 2016 2:01 pm

Try adding this under myAOBInjectionTemplate.Templates. Don't forget to trim trailing spaces after copying (I use Notepad++ to do it); CEF adds blank spaces after each line.

EDIT:
readmem() does not work for EIP/RIP-relative addressing. Use mgr.inz's updated extension on the first page instead.


Last edited by predprey on Sat Sep 17, 2016 1:30 am; edited 7 times in total
Csimbi
I post too much
Reputation: 92

Joined: 14 Jul 2007
Posts: 3102

Posted: Wed Sep 14, 2016 2:16 pm

That was quick, thanks!
But it'll miss the comments and the code will crash - it was really just a quick replace and keeping fingers crossed.
mgr.inz.Player will need to add new fields before it can be done correctly:
- original code in ASM, commented (may be multiple lines): //Alt: movss xmm3,[r12+0000034C]
- original code in byte code, commented: // db F3 41 0F 10 9C 24 4C 03 00 00
- number of bytes replaced during injection: readmem(aobCheatName,10)
- original hook, commented: //"Game.exe"+7D4FC3:
predprey
Master Cheater
Reputation: 24

Joined: 08 Oct 2015
Posts: 486

Posted: Wed Sep 14, 2016 2:40 pm

- Added support for referencing hooking point by module name+offset.
- Fixed error if <<INFO>> section is omitted.
- Merged mgr.inz's "jmp newmem/code" fix for beta CE 6.6.
- Added support for commented original code.
- To change comment prefix, search for this line:
Code:
local commentPrefix = '//Alt: '


New Keyword:
%injectAddress% - Hooking point copied from comments in the line below "INJECTING HERE".
%CoriginalCodeLines% - Commented original code.

EDIT: Outdated, download removed. Use mgr.inz's update from first post which has a new keyword, %reassembleReplacedInstructions% - adds 1 or more reassemble() lines for original code.


Last edited by predprey on Wed Jan 25, 2017 2:30 pm; edited 5 times in total
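The keywords discussed in this thread (%replacedInstructionsSize% from the earlier fix, %injectAddress% and %CoriginalCodeLines% here) are all derived from the "ORIGINAL CODE" listing CE emits under the generated script. As an added example, not code from the extension or from any poster, the Python below parses such a listing (the one from METHOS's post earlier on this page is embedded as sample input), computes those keyword values, and substitutes them into a template. A keyword whose value is unknown is substituted with an empty string rather than being passed through as a nil value, which is the case behind the gsub error reported earlier in the thread. The %originalBytes% keyword, the stand-in %searchPattern% (just the overwritten bytes, not CE's real signature) and the function names are this example's own assumptions; the comment prefix '//Alt: ' is the one quoted above.

```python
import re

# Constructed sample input: the "ORIGINAL CODE" listing CE generated in METHOS's
# post earlier in this thread, trimmed to the lines around the injection point.
ORIGINAL_CODE = """\
// ORIGINAL CODE - INJECTION POINT: 04659BA7

04659BA4: 8B 4D 10           -  mov ecx,[ebp+10]
// ---------- INJECTING HERE ----------
04659BA7: 89 08              -  mov [eax],ecx
04659BA9: 8B 43 30           -  mov eax,[ebx+30]
// ---------- DONE INJECTING  ----------
04659BAC: 40                 -  inc eax
"""

# Constructed template in the extension's keyword style. %originalBytes% is a
# hypothetical keyword added for this example; the others are named in the thread.
TEMPLATE = """\
{ Game   : %processName%
  Author : %authorName%
  Injects at %injectAddress%, overwriting %replacedInstructionsSize% bytes
}
[ENABLE]
aobscan%isModuleScan%(INJECT,%searchPattern%)
alloc(newmem,$1000)
label(return)

newmem:
%CoriginalCodeLines%
  jmp return

INJECT:
  jmp newmem
return:
registersymbol(INJECT)

[DISABLE]
INJECT:
  %originalBytes%
unregistersymbol(INJECT)
dealloc(newmem)
"""

# One disassembly line: "<addr>: <hex bytes> - <asm>"
LINE_RE = re.compile(r'^([0-9A-Fa-f]+):\s+((?:[0-9A-Fa-f]{2}\s)+)\s*-\s+(.*)$')


def parse_replaced(listing):
    """Return (injection address, [(addr, raw bytes, asm), ...]) for the
    instructions between the INJECTING HERE and DONE INJECTING markers."""
    inside, inject_address, replaced = False, None, []
    for line in listing.splitlines():
        if 'INJECTING HERE' in line:
            inside = True
            continue
        if 'DONE INJECTING' in line:
            break
        if not inside:
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f'unparsable listing line: {line!r}')
        addr, hexbytes, asm = m.groups()
        inject_address = inject_address or addr
        replaced.append((addr, bytes.fromhex(hexbytes), asm.strip()))
    if not replaced:
        raise ValueError('no INJECTING HERE ... DONE INJECTING block found')
    return inject_address, replaced


def build_keywords(listing, author, process, is_module_scan=None,
                   comment_prefix='//Alt: '):
    """Compute the keyword values the template substitutes. A value of None
    means 'unknown here' (e.g. whether a module scan is wanted)."""
    inject_address, replaced = parse_replaced(listing)
    raw = b''.join(b for _, b, _ in replaced)
    return {
        '%authorName%': author,
        '%processName%': process,
        '%isModuleScan%': is_module_scan,
        '%injectAddress%': inject_address,
        '%replacedInstructionsSize%': str(len(raw)),
        '%CoriginalCodeLines%': '\n'.join(comment_prefix + asm for _, _, asm in replaced),
        # Stand-in for CE's real signature: just the overwritten bytes.
        '%searchPattern%': ' '.join(f'{x:02X}' for x in raw),
        '%originalBytes%': 'db ' + ' '.join(f'{x:02X}' for x in raw),
    }


def render(template, keywords):
    """Substitute every %keyword%. An unknown (None) value becomes '' instead of
    being handed to the substitution as nil, which is what raised the gsub
    error. Tokens not in the dictionary stay as they are so the author sees them."""
    def repl(m):
        token = m.group(0)
        if token not in keywords:
            return token
        value = keywords[token]
        return '' if value is None else str(value)
    return re.sub(r'%[A-Za-z]+%', repl, template)


if __name__ == '__main__':
    print(render(TEMPLATE, build_keywords(ORIGINAL_CODE, 'METHOS', 'HuniePop.exe')))
```

Run as a script it prints a complete [ENABLE]/[DISABLE] script for the HuniePop listing: five overwritten bytes (the same five the original CE script restores with db 89 08 8B 43 30), the injection address 04659BA7, and the two original instructions commented with the '//Alt: ' prefix.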
mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Wed Sep 14, 2016 5:57 pm

Added %injectAddress% and Csimbi template (slightly modified).
Page 2 of 7