Cheat Engine Forum (The Official Site of Cheat Engine)

AOB Scan problem

 
Kawaii desu ne (How do I cheat?, Reputation: 0; Joined: 13 Sep 2016; Posts: 7)
Posted: Thu Sep 15, 2016 8:52 am    Post subject: AOB Scan problem

So I have a problem. I want this script to work, but it's just crashing after disabling the script. Enabling works just perfect and the script also does what it should do. The only bytes that change are the 53 and 01; the rest stays the same. What should I put into the disable so that it won't crash?

Code:

[ENABLE]

aobscanmodule(INJECT,Game.exe,F3 0F 11 05 58 4B ?? ??)
alloc(newmem,$1000)
alloc(backup,16)
registersymbol(backup)

label(code)
label(return)

newmem:

code:
  push eax
  mov eax,(float)26
  movd xmm0,eax
  pop eax
  movss [Game.exe+534B58],xmm0
  jmp return

INJECT:
  jmp code
  nop
  nop
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db F3 0F 11 05 58 4B 53 01

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "Game.exe"+14C17F

"Game.exe"+14C15A: F3 0F 58 05 50 47 4B 01  -  addss xmm0,[Game.exe+4B4750]
"Game.exe"+14C162: 5F                       -  pop edi
"Game.exe"+14C163: 5E                       -  pop esi
"Game.exe"+14C164: 5B                       -  pop ebx
"Game.exe"+14C165: F3 0F 58 C8              -  addss xmm1,xmm0
"Game.exe"+14C169: F3 0F 10 44 24 14        -  movss xmm0,[esp+14]
"Game.exe"+14C16F: F3 0F 58 C1              -  addss xmm0,xmm1
"Game.exe"+14C173: 66 0F 6E 48 2C           -  movd xmm1,[eax+2C]
"Game.exe"+14C178: 0F 5B C9                 -  cvtdq2ps xmm1,xmm1
"Game.exe"+14C17B: F3 0F 58 C1              -  addss xmm0,xmm1
// ---------- INJECTING HERE ----------
"Game.exe"+14C17F: F3 0F 11 05 58 4B 53 01  -  movss [Game.exe+534B58],xmm0
// ---------- DONE INJECTING  ----------
"Game.exe"+14C187: 8B E5                    -  mov esp,ebp
"Game.exe"+14C189: 5D                       -  pop ebp
"Game.exe"+14C18A: C2 08 00                 -  ret 0008
"Game.exe"+14C18D: CC                       -  int 3
"Game.exe"+14C18E: CC                       -  int 3
"Game.exe"+14C18F: CC                       -  int 3
"Game.exe"+14C190: 55                       -  push ebp
"Game.exe"+14C191: 8B EC                    -  mov ebp,esp
"Game.exe"+14C193: 83 EC 08                 -  sub esp,08
"Game.exe"+14C196: FF 75 0C                 -  push [ebp+0C]
}
hhhuut (Grandmaster Cheater, Reputation: 6; Joined: 08 Feb 2015; Posts: 606)
Posted: Thu Sep 15, 2016 9:09 am

Code:
[ENABLE]

aobscanmodule(INJECT,Game.exe,F3 0F 11 05 58 4B ?? ??)
alloc(originalBytes,20)
alloc(newmem,$1000)
alloc(backup,16)
registersymbol(originalBytes)

label(code)
label(return)

originalBytes:
readMem("Game.exe"+14C17F, 8)

newmem:

code:
  push eax
  mov eax,(float)26
  movd xmm0,eax
  pop eax
  //movss [Game.exe+534B58],xmm0
  readMem(originalBytes, 8)
  jmp return

INJECT:
  jmp code
  nop
  nop
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
//db F3 0F 11 05 58 4B 53 01
readMem(originalBytes, 8)

unregistersymbol(INJECT)
unregistersymbol(originalBytes)
dealloc(newmem)
dealloc(originalBytes)

{
// ORIGINAL CODE - INJECTION POINT: "Game.exe"+14C17F

"Game.exe"+14C15A: F3 0F 58 05 50 47 4B 01  -  addss xmm0,[Game.exe+4B4750]
"Game.exe"+14C162: 5F                       -  pop edi
"Game.exe"+14C163: 5E                       -  pop esi
"Game.exe"+14C164: 5B                       -  pop ebx
"Game.exe"+14C165: F3 0F 58 C8              -  addss xmm1,xmm0
"Game.exe"+14C169: F3 0F 10 44 24 14        -  movss xmm0,[esp+14]
"Game.exe"+14C16F: F3 0F 58 C1              -  addss xmm0,xmm1
"Game.exe"+14C173: 66 0F 6E 48 2C           -  movd xmm1,[eax+2C]
"Game.exe"+14C178: 0F 5B C9                 -  cvtdq2ps xmm1,xmm1
"Game.exe"+14C17B: F3 0F 58 C1              -  addss xmm0,xmm1
// ---------- INJECTING HERE ----------
"Game.exe"+14C17F: F3 0F 11 05 58 4B 53 01  -  movss [Game.exe+534B58],xmm0
// ---------- DONE INJECTING  ----------
"Game.exe"+14C187: 8B E5                    -  mov esp,ebp
"Game.exe"+14C189: 5D                       -  pop ebp
"Game.exe"+14C18A: C2 08 00                 -  ret 0008
"Game.exe"+14C18D: CC                       -  int 3
"Game.exe"+14C18E: CC                       -  int 3
"Game.exe"+14C18F: CC                       -  int 3
"Game.exe"+14C190: 55                       -  push ebp
"Game.exe"+14C191: 8B EC                    -  mov ebp,esp
"Game.exe"+14C193: 83 EC 08                 -  sub esp,08
"Game.exe"+14C196: FF 75 0C                 -  push [ebp+0C]
}

Not tested but should do what you want to achieve.

In general, don't try to inject your scripts on instructions with absolute addresses, because potentially the last four bytes could change (not only 53 and 01), which would also render your AOB pattern useless.

_________________
I hacked 127.0.0.1 :D
Kawaii desu ne (How do I cheat?, Reputation: 0; Joined: 13 Sep 2016; Posts: 7)
Posted: Thu Sep 15, 2016 9:37 am

Well the script does not activate at all now.
Can you explain what you did with ReadMem and why you "removed" the movss and db?

Sadly I didn't find another way to do the thing I want without injecting at the instruction with the absolute address.

The instruction is always changing the red part: movss [Game.exe+534B5B],xmn[41DC3051]

Also is there not an easier solution?
++METHOS (I post too much, Reputation: 74; Joined: 29 Oct 2010; Posts: 3601)
Posted: Thu Sep 15, 2016 9:56 am

You can try injecting above/below the injection point. You should not use wildcard variables at the end of your AOB signature, otherwise, they are meaningless. You need to have something defined at the end, or you could literally have 1000 wildcard variables that do nothing.

Also, what are these for? (remove them):

Code:
alloc(backup,16)
registersymbol(backup)
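The two pieces of advice above (hhhuut: an absolute-address operand can change in all four bytes and kill the pattern; ++METHOS: trailing wildcards select nothing) can be checked against the bytes in the posted "ORIGINAL CODE" comment. The following is an added example, not code from any post in this thread: a small AOB scanner with Cheat Engine-style `??` wildcards, run over a buffer constructed from that listing ("Game.exe"+14C15A through +14C196). `REBUILT_HIGH_ONLY`, `REBUILT_ALL_FOUR` and `OPCODE_ONLY_PATTERN` are constructed for the demonstration and are not from the thread.

```python
# Added example, not code from the thread: a Cheat Engine-style AOB scan with
# "??" wildcards, run over the instruction bytes the posted "ORIGINAL CODE"
# comment lists ("Game.exe"+14C15A .. +14C196). Shows why trailing wildcards
# add nothing and how an absolute-address operand breaks a pattern once the
# game is rebuilt. The byte buffer is constructed from that listing.
from typing import List, Optional

ORIGINAL_CODE = bytes.fromhex(
    "F30F5805 50474B01"      # addss xmm0,[Game.exe+4B4750]
    "5F 5E 5B"               # pop edi / pop esi / pop ebx
    "F30F58C8"               # addss xmm1,xmm0
    "F30F10442414"           # movss xmm0,[esp+14]
    "F30F58C1"               # addss xmm0,xmm1
    "660F6E482C"             # movd xmm1,[eax+2C]
    "0F5BC9"                 # cvtdq2ps xmm1,xmm1              offset 30 (0x1E)
    "F30F58C1"               # addss xmm0,xmm1
    "F30F1105 584B5301"      # movss [Game.exe+534B58],xmm0    offset 37 (0x25), injection point
    "8BE5 5D C20800"         # mov esp,ebp / pop ebp / ret 0008
    "CCCCCC"                 # int 3 x3
    "55 8BEC 83EC08 FF750C"  # push ebp / mov ebp,esp / sub esp,08 / push [ebp+0C]
)
INJECT_OFFSET = 0x14C17F - 0x14C15A  # 37: where the movss sits in the buffer

WILDCARDS = {"??", "?", "*"}


def parse_aob(pattern: str) -> List[Optional[int]]:
    """'F3 0F 11 05 ?? ??' -> [0xF3, 0x0F, 0x11, 0x05, None, None]; None matches any byte."""
    return [None if tok in WILDCARDS else int(tok, 16) for tok in pattern.split()]


def aob_scan(data: bytes, pattern: str) -> List[int]:
    """Offsets of every match. A usable hook signature must return exactly one offset."""
    pat = parse_aob(pattern)
    return [
        off
        for off in range(len(data) - len(pat) + 1)
        if all(p is None or data[off + i] == p for i, p in enumerate(pat))
    ]


def strip_trailing_wildcards(pattern: str) -> str:
    toks = pattern.split()
    while toks and toks[-1] in WILDCARDS:
        toks.pop()
    return " ".join(toks)


def trailing_wildcards_are_redundant(data: bytes, pattern: str) -> bool:
    """++METHOS's point: '... 4B ?? ??' selects the same offsets as '... 4B'. The only
    effect of the trailing ?? is that the match must be followed by that many bytes."""
    return aob_scan(data, pattern) == aob_scan(data, strip_trailing_wildcards(pattern))


def with_movss_operand(data: bytes, operand_hex: str) -> bytes:
    """Constructed variant: same code, but the movss's 4-byte absolute address differs,
    modelling a rebuilt game in which the written variable moved (hhhuut's warning that
    all four operand bytes, not only 53 01, can change)."""
    old = bytes.fromhex("F30F1105584B5301")
    new = bytes.fromhex("F30F1105") + bytes.fromhex(operand_hex)
    if len(new) != 8 or data.count(old) != 1:
        raise ValueError("expected exactly one movss [abs32],xmm0 to rewrite")
    return data.replace(old, new)


# Two constructed rebuilds: only the high bytes moved (what the OP observed),
# and the whole address moved.
REBUILT_HIGH_ONLY = with_movss_operand(ORIGINAL_CODE, "58 4B 64 01")
REBUILT_ALL_FOUR = with_movss_operand(ORIGINAL_CODE, "20 5A 66 01")

OP_PATTERN = "F3 0F 11 05 58 4B ?? ??"                     # the OP's first signature
OP_FINAL_PATTERN = "0F 5B C9 F3 0F 58 C1 F3 0F 11 05 58"   # the OP's working signature
OPCODE_ONLY_PATTERN = "0F 5B C9 F3 0F 58 C1 F3 0F 11 05"   # assumption: stop before the operand

if __name__ == "__main__":
    print(aob_scan(ORIGINAL_CODE, OP_PATTERN))              # [37]
    print(aob_scan(ORIGINAL_CODE, "F3 0F 58 C1"))           # [21, 33]: appears twice, not unique
    print(aob_scan(REBUILT_ALL_FOUR, OP_PATTERN))           # []: the absolute address changed
    print(aob_scan(REBUILT_ALL_FOUR, OPCODE_ONLY_PATTERN))  # [30]: still found
```

The scan confirms both points: dropping the two trailing `??` from the OP's pattern leaves the result unchanged, and once all four operand bytes move, any signature that reaches into the operand (the OP's first pattern, and the working one that ends in `58`) returns nothing, while one that stops at the opcode bytes still lands on the `cvtdq2ps` at offset 30.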
Kawaii desu ne (How do I cheat?, Reputation: 0; Joined: 13 Sep 2016; Posts: 7)
Posted: Thu Sep 15, 2016 10:17 am

Well that works.

Code:
[ENABLE]

aobscanmodule(INJECT,Game.exe,0F 5B C9 F3 0F 58 C1 F3 0F 11 05 58) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:
  push eax
  mov eax,(float)26
  movd xmm0,eax
  movss [Game.exe+534B58],xmm0
  pop eax
  jmp return

code:
  cvtdq2ps xmm1,xmm1
  addss xmm0,xmm1
  jmp newmem

INJECT:
  jmp code
  nop
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 0F 5B C9 F3 0F 58 C1

unregistersymbol(INJECT)
dealloc(newmem)


But why does it work? If my understanding is right, shouldn't the value I just wrote in [Game.exe+534B58] be overwritten by the movss [Game.exe+534B58],xmm0 that comes after I jumped to return?

And can I optimize the script in any way?

Edit: Didn't look at it too much; now I understand why it works because it's obvious :D


Last edited by Kawaii desu ne on Thu Sep 15, 2016 10:41 am; edited 1 time in total
sbryzl (Advanced Cheater, Reputation: 3; Joined: 25 Jul 2016; Posts: 99)
Posted: Thu Sep 15, 2016 10:31 am

Code:
[ENABLE]

aobscanmodule(INJECT,Game.exe,0F 5B C9 F3 0F 58 C1 F3 0F 11 05 58 4B)
alloc(newmem,$1000,"Game.exe"+14C178)

label(code)
label(return)
registersymbol(INJECT)

newmem:
code:
  cvtdq2ps xmm1,xmm1
  push eax
  mov eax,(float)26
  movd xmm0,eax
  pop eax
  jmp return

INJECT:
  jmp code
  nop
  nop
return:

[DISABLE]

INJECT:
  db 0F 5B C9 F3 0F 58 C1 F3 0F 11 05 58 4B

unregistersymbol(INJECT)
dealloc(newmem)


Some kind of forum error: the 3rd post was the last post that showed for me.

You don't need to include movss [Game.exe+534B58],xmm0; that will be the instruction you return to in the game.
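The last two scripts both lay a 5-byte `jmp code` over whole instructions and pad the rest with `nop`: 3 NOPs over the 8-byte `movss`, 2 NOPs over the 7 bytes of `cvtdq2ps` plus `addss`. The `return:` label then sits on the next untouched instruction, which for the second script is the original `movss` itself, which is why sbryzl says the cave does not need its own copy of that store. The following is an added example, not code from the thread, that models this layout and checks it from the other side: a byte diff against the original code (what the `[DISABLE]` `db ...` has to write back) and a scan for near-jumps that leave the module image. The instruction bytes and RVAs are the thread's listing; `MODULE_BASE`, `MODULE_END` and `CAVE_VA` are constructed assumptions.

```python
# Added example, not code from the thread: models the "jmp code" + NOP trampoline
# the posted scripts install over whole instructions, and checks it the way a
# defender would: the padding a 5-byte jmp needs, where "return:" lands, a byte
# diff against the original code (what the DISABLE "db ..." must write back), and
# a scan for near-jumps that leave the module image. Instruction bytes and RVAs
# are the thread's listing; module base/size and the cave address are constructed.
import struct
from typing import Dict, List, Tuple

MODULE_BASE = 0x00400000               # assumption: Game.exe image base
MODULE_END = MODULE_BASE + 0x00600000  # assumption: image size
CAVE_VA = 0x0C5F0000                   # assumption: where alloc(newmem,...) landed

# RVA -> encoding, from the "ORIGINAL CODE" comment around the hook sites.
LISTING: List[Tuple[int, bytes]] = [
    (0x14C178, bytes.fromhex("0F5BC9")),            # cvtdq2ps xmm1,xmm1
    (0x14C17B, bytes.fromhex("F30F58C1")),          # addss xmm0,xmm1
    (0x14C17F, bytes.fromhex("F30F1105584B5301")),  # movss [Game.exe+534B58],xmm0
    (0x14C187, bytes.fromhex("8BE5")),              # mov esp,ebp
    (0x14C189, bytes.fromhex("5D")),                # pop ebp
    (0x14C18A, bytes.fromhex("C20800")),            # ret 0008
]
WINDOW_RVA = LISTING[0][0]
ORIGINAL = b"".join(enc for _, enc in LISTING)
JMP_LEN = 5  # E9 rel32


def hook_layout(inject_rva: int) -> Tuple[int, int, int]:
    """(bytes stolen, NOPs needed, RVA that 'return:' labels) for a 5-byte jmp at
    inject_rva. Whole instructions are stolen so the code after the hook still
    decodes; the stolen ones are re-executed in the cave before 'jmp return'."""
    if inject_rva not in {rva for rva, _ in LISTING}:
        raise ValueError("injection point is not an instruction boundary")
    stolen = 0
    for rva, enc in LISTING:
        if rva < inject_rva:
            continue
        stolen += len(enc)
        if stolen >= JMP_LEN:
            return stolen, stolen - JMP_LEN, inject_rva + stolen
    raise ValueError("listing ends before 5 bytes are covered")


def model_hooked_snapshot(inject_rva: int) -> bytes:
    """Constructed image of the window after ENABLE: E9 rel32 to the cave, then NOPs."""
    stolen, nops, _ = hook_layout(inject_rva)
    off = inject_rva - WINDOW_RVA
    rel32 = CAVE_VA - (MODULE_BASE + inject_rva + JMP_LEN)
    patch = b"\xE9" + struct.pack("<i", rel32) + b"\x90" * nops
    return ORIGINAL[:off] + patch + ORIGINAL[off + stolen:]


def find_detours(mem: bytes, mem_va: int) -> List[Dict[str, int]]:
    """Integrity check without a disassembler: every E9 whose target lies outside
    the module, with the run of NOPs after it (padding left by stealing whole
    instructions). In-image near-jumps are ordinary control flow and are skipped."""
    hits = []
    for off in range(len(mem) - JMP_LEN + 1):
        if mem[off] != 0xE9:
            continue
        rel32 = struct.unpack_from("<i", mem, off + 1)[0]
        target = mem_va + off + JMP_LEN + rel32
        if MODULE_BASE <= target < MODULE_END:
            continue
        nops = 0
        while off + JMP_LEN + nops < len(mem) and mem[off + JMP_LEN + nops] == 0x90:
            nops += 1
        hits.append({"va": mem_va + off, "target": target, "nops": nops})
    return hits


def modified_spans(original: bytes, current: bytes) -> List[Tuple[int, int]]:
    """(offset, length) runs where current differs from original. A patch byte that
    happens to equal the original byte would split a run into two."""
    spans, start = [], None
    for i, (a, b) in enumerate(zip(original, current)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            spans.append((start, i - start))
            start = None
    if start is not None:
        spans.append((start, len(original) - start))
    return spans


def restore(current: bytes, original: bytes, off: int, length: int) -> bytes:
    """The DISABLE step: write the saved original bytes back over the patch."""
    return current[:off] + original[off:off + length] + current[off + length:]


if __name__ == "__main__":
    for rva in (0x14C17F, 0x14C178):  # the OP's first and second injection points
        stolen, nops, ret = hook_layout(rva)
        print(f"inject {rva:#x}: steal {stolen} bytes, {nops} NOPs, return at {ret:#x}")
    snap = model_hooked_snapshot(0x14C178)
    print(find_detours(snap, MODULE_BASE + WINDOW_RVA))
    print(modified_spans(ORIGINAL, snap))  # [(0, 7)]
```

`hook_layout` reproduces both scripts' padding (3 NOPs at 14C17F, 2 NOPs at 14C178) and places `return:` at 14C17F for the second script, the `movss`. The diff and restore show why the disable only has to write back the bytes the jump covered, and `find_detours` is the check an integrity monitor would run: a near-jump from `.text` to an address outside the image, followed by NOP padding, is the footprint this kind of trampoline leaves in memory.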