got an AOB scan for an address that leads to 3 more
waltobc5
Newbie cheater
Reputation: 0

Joined: 29 Dec 2016
Posts: 10

PostPosted: Thu Dec 29, 2016 10:02 am    Post subject: got an AOB scan for an address that leads to 3 more

Hey guys, I'm kind of new to CE but I learn fast.

So I made an AOB scan to get an address that writes to 3 others; they are important.

So I scan 89 01 48 8D 49 49 48 83 EA 01 75 8D 48 8D 0D
and then I do "Disassemble this memory region", which leads me to
- mov [rcx],eax

Now when I do "Find out what addresses this instruction accesses" on it
I get those 3 dynamic addresses that keep changing every time I restart the client,
but the AOB scan that leads to the mov [rcx],eax is always the same.

I need those 3 addresses. I know how to get them manually, so my question is simple:
how can I auto assemble, or make a trainer, that pulls out those 3 addresses after the scan for the AOB, so it pulls out those 3 addresses when I do "Find out what addresses this instruction accesses" on the AOB address that led me to those 3 addresses.

Thanks
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

PostPosted: Thu Dec 29, 2016 10:22 am

After the addresses appear in the debug pop up
Highlight the address
Press Ctrl+R (Show register states)
Screenshot each address' registers for us
Does any register count (0, 1, 2) between the addresses?

Highlight the instruction
Press Ctrl+Alt+A (Auto Assemble)
Template > AOB Injection
Paste that code here
waltobc5
PostPosted: Thu Dec 29, 2016 2:40 pm

Zanzer wrote:
After the addresses appear in the debug pop up
Highlight the address
Press Ctrl+R (Show register states)
Screenshot each address' registers for us
Does any register count (0, 1, 2) between the addresses?

Highlight the instruction
Press Ctrl+Alt+A (Auto Assemble)
Template > AOB Injection
Paste that code here


No, it's just dropping the 3 addresses that I need, with values in them; my goal is to change the value they have.

Listen, I did what you said with Ctrl+R but I don't see the EAX.

https://s30.postimg.org/9awqotx9d/help4.png

Also, what do I do with the AOB injection:
Code:
[ENABLE]

aobscanmodule(INJECT,MyGame.exe,FF 89 01 48 8D 49 49) // should be unique
alloc(newmem,$1000,"MyGame.exe"+8B7ACB)

label(code)
label(return)

newmem:

code:
  mov [rcx],eax
  lea rcx,[rcx+04]
  jmp return

INJECT+01:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT+01:
  db 89 01 48 8D 49 04

unregistersymbol(INJECT)
dealloc(newmem)


So first, I don't know how to give a command to change one of the 3 addresses.
Second, when I did the AOB injection in the auto assembler on the address that leads to those other 3, it only shows part of the AOB, which can lead to another address as well (,FF 89 01 48 8D 49 49).
Can/should I edit it with the AOB I have, which is more specific?
What should I do?
Zanzer
PostPosted: Thu Dec 29, 2016 3:43 pm

Code:
[ENABLE]
aobscanmodule(INJECT,MyGame.exe,FF 89 01 48 8D 49 49)
alloc(newmem,$1000,"MyGame.exe"+8B7ACB)

label(code)
label(return)
label(myvar)

newmem:
  push rbx
  mov rbx,myvar
  mov [rbx+rdx*8],rcx
  pop rbx
code:
  mov [rcx],eax
  lea rcx,[rcx+04]
  jmp return

myvar:
  dq 0
  dq 0
  dq 0
  dq 0
  dq 0
  dq 0
  dq 0
  dq 0
  dq 0

INJECT+01:
  jmp newmem
  nop
return:
registersymbol(INJECT)
registersymbol(myvar)

[DISABLE]
INJECT+01:
  db 89 01 48 8D 49 04
unregistersymbol(INJECT)
unregistersymbol(myvar)
dealloc(newmem)


Create memory records with the addresses:
[myvar+8]
[myvar+10]
[myvar+18]
waltobc5
PostPosted: Thu Dec 29, 2016 4:43 pm

Zanzer wrote:
Code:
[ENABLE]
aobscanmodule(INJECT,MyGame.exe,FF 89 01 48 8D 49 49)
alloc(newmem,$1000,"MyGame.exe"+8B7ACB)

label(code)
label(return)
label(myvar)

newmem:
  push rbx
  mov rbx,myvar
  mov [rbx+rdx*8],rcx
  pop rbx
code:
  mov [rcx],eax
  lea rcx,[rcx+04]
  jmp return

myvar:
  dq 0
  dq 0
  dq 0
  dq 0
  dq 0
  dq 0
  dq 0
  dq 0
  dq 0

INJECT+01:
  jmp newmem
  nop
return:
registersymbol(INJECT)
registersymbol(myvar)

[DISABLE]
INJECT+01:
  db 89 01 48 8D 49 04
unregistersymbol(INJECT)
unregistersymbol(myvar)
dealloc(newmem)


Create memory records with the addresses:
[myvar+8]
[myvar+10]
[myvar+18]


I created a 4-byte memory record of myvar+8 (without the [])
and the address I got was:
0600003C

And btw, can you please explain what you have done?
This part I don't understand:
push rbx
mov rbx,myvar
mov [rbx+rdx*8],rcx
pop rbx

You created new rbx temp memory?

And also
myvar:
dq 0
dq 0
dq 0
Why so many? I know it's something to do with setting the AOB address to zero.


edit:

Looking over all the things:
so on this line: mov [rbx+rdx*8],rcx

First, I don't know why, so if you can:
why did you choose rbx?
I understand that RDX is the number of the row - 3,2,1 like in the pics I posted above.

Also, why *8?
Why can't I just push rcx (which is the address) to rbx, then myvar will be rbx, no?
Zanzer
PostPosted: Thu Dec 29, 2016 5:05 pm

The memory records need the [brackets].
Code:
push rbx            // backup the value of RBX in case the game needed it
mov rbx,myvar       // move the address of "myvar" into RBX
mov [rbx+rdx*8],rcx // take the value of RCX (the address you want)
                    // and store it into our "myvar" address (which is now RBX)
                    // indexed by RDX * 8 (notice how RDX equals 1,2,3 in your screenshots)
                    // addresses are 8 bytes long, so multiplied by 8
pop rbx             // restore the value of RBX for the game's normal flow

I probably only needed 4 "dq 0" instructions.
Each one reserves 8 bytes under our "myvar" label to hold the addresses (RCX).
waltobc5
PostPosted: Thu Dec 29, 2016 5:32 pm

Zanzer wrote:
The memory records need the [brackets].
Code:
push rbx            // backup the value of RBX in case the game needed it
mov rbx,myvar       // move the address of "myvar" into RBX
mov [rbx+rdx*8],rcx // take the value of RCX (the address you want)
                    // and store it into our "myvar" address (which is now RBX)
                    // indexed by RDX * 8 (notice how RDX equals 1,2,3 in your screenshots)
                    // addresses are 8 bytes long, so multiplied by 8
pop rbx             // restore the value of RBX for the game's normal flow

I probably only needed 4 "dq 0" instructions.
Each one reserves 8 bytes under our "myvar" label to hold the addresses (RCX).


OK, I understand what you have done, but it still doesn't work.

I get 00000000 in all addresses of
[myvar+8]
[myvar+10]
[myvar+18]
after I tick the AH.

Also, I tried both 8 dq 0 and 4, no difference.

Also, why not just copy the address of rcx to RBX and that's it?
I notice RDX is equal to 1,2,3, but if RCX already is each one of those addresses, what's the point of doing all the rbx+rdx*8?

For example:

RCX is now
35690038
3569003C
35690040
and those are the addresses I'm also looking for.
So I tried
so basically on this line you just put the address of RCX into RBX+RDX*8
mov [rbx+rdx*8],rcx // take the value of RCX (the address you want)

Also I tried to do
mov [rbx],rcx
as you said the value of RCX is the address I'm looking for,
and rbx is our myvar.

But it doesn't work.

All I get is 0000000 addresses, and in the memory viewer
the original opcode
mov [rcx],eax
lea rcx,[rcx+04]
changes to
jmp 13FFFF0000
nop
Zanzer
PostPosted: Thu Dec 29, 2016 5:41 pm

After you enabled the script, did you go back into the game? :)
You need to let the game run that injection so it populates the addresses.
waltobc5
PostPosted: Thu Dec 29, 2016 6:10 pm

Zanzer wrote:
After you enabled the script, did you go back into the game? :)
You need to let the game run that injection so it populates the addresses.


Hahaha, first time.
Yeah, you're right, it works!!!!

Thank you so much.
Now can you explain a few things to me so I understand and can do it alone next time?

First, why +8, +10 and +18 on myvar?

Second - mov [rbx+rdx*8],rcx
Why do we need to push RCX, which is the address, into the value at RBX+RDX*8
if the rcx value is the address I'm looking for?
Why can't we just push the rcx value to the [rbx] address?
Zanzer
PostPosted: Thu Dec 29, 2016 7:21 pm

Since that instruction is accessing more than one address, you can't simply use mov [rbx],rcx
Otherwise, each execution would be overwriting the previous value you saved.

As we saw in your screenshot, RDX equaled 1, 2, or 3, depending on which address it was.
Normally the number starts at 0, but 1 works just as well.
So we were able to use the value of RDX to index our own variable.

[rbx+rdx*8] == our address + index * 8
Note that the offsets are in hexadecimal notation.
So, 1/2/3 multiplied by 8 is equal to 0x8/0x10/0x18.
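The indexed-store idea in the post above, as an added Python model that is not part of the thread or of Cheat Engine: a zeroed `bytearray` stands in for the `myvar: dq 0 ...` block, `hook_indexed` models `mov [rbx+rdx*8],rcx` (8-byte little-endian store at offset `rdx*8`), `hook_single_slot` models the `mov [rbx],rcx` variant the poster proposed, and `read_record` models a CE memory record such as `[myvar+8]`. The three (RCX, RDX) pairs are the ones quoted earlier in the thread; treating them as a trace the hook sees in that order is an assumption made here for illustration. The model also shows why the buffer reads 00000000 until the hooked instruction has actually executed, and why the record offsets are the hex values 8/10/18.

```python
import struct

# Constructed trace: (RCX, RDX) at each execution of the hooked
# "mov [rcx],eax". RCX is the address being written, RDX the row index
# (1, 2, 3) seen in the poster's register screenshots. Order is assumed.
SAMPLE_ACCESSES = [
    (0x35690038, 1),
    (0x3569003C, 2),
    (0x35690040, 3),
]

SLOT_SIZE = 8    # one "dq 0" reserves 8 bytes: room for a full 64-bit address
SLOT_COUNT = 4   # indices 0..3 fit in four slots; extra dq lines are just spare room


def new_myvar(slots=SLOT_COUNT):
    """Zero-filled buffer standing in for the 'myvar: dq 0 ...' block."""
    return bytearray(slots * SLOT_SIZE)


def hook_indexed(myvar, rcx, rdx):
    """Model 'mov [rbx+rdx*8],rcx' with rbx = myvar:
    store RCX as a little-endian 64-bit value at byte offset rdx*8."""
    struct.pack_into("<Q", myvar, rdx * SLOT_SIZE, rcx)


def hook_single_slot(myvar, rcx, rdx):
    """Model 'mov [rbx],rcx': every execution writes slot 0,
    so each run overwrites the address saved by the previous one."""
    struct.pack_into("<Q", myvar, 0, rcx)


def read_record(myvar, offset):
    """Model a CE memory record '[myvar+offset]': read the stored pointer."""
    return struct.unpack_from("<Q", myvar, offset)[0]


def index_offsets(indices):
    """Decimal RDX index -> hex byte offset (the +8/+10/+18 of the records)."""
    return {i: f"{i * SLOT_SIZE:X}" for i in indices}


def run_hook(hook, accesses=SAMPLE_ACCESSES):
    """Let the modelled game run the injected code once per access."""
    myvar = new_myvar()
    for rcx, rdx in accesses:
        hook(myvar, rcx, rdx)
    return myvar


def captured_addresses(myvar, indices=(1, 2, 3)):
    """Read back [myvar+8], [myvar+10], [myvar+18], keyed by hex offset."""
    return {f"{i * SLOT_SIZE:X}": read_record(myvar, i * SLOT_SIZE) for i in indices}


if __name__ == "__main__":
    print(index_offsets([1, 2, 3]))                      # {1: '8', 2: '10', 3: '18'}
    print(read_record(new_myvar(), 8))                   # 0: nothing ran yet
    for off, addr in captured_addresses(run_hook(hook_indexed)).items():
        print(f"[myvar+{off}] -> {addr:X}")
    single = run_hook(hook_single_slot)
    print(f"[myvar+0] with the single-slot store -> {read_record(single, 0):X}")
```

Running it shows the three records holding the three distinct addresses after the indexed store, while the single-slot store leaves only the last address (35690040) and nothing at the other offsets.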
waltobc5
PostPosted: Sun Jan 01, 2017 1:11 pm

Zanzer wrote:
Since that instruction is accessing more than one address, you can't simply use mov [rbx],rcx
Otherwise, each execution would be overwriting the previous value you saved.

As we saw in your screenshot, RDX equaled 1, 2, or 3, depending on which address it was.
Normally the number starts at 0, but 1 works just as well.
So we were able to use the value of RDX to index our own variable.

[rbx+rdx*8] == our address + index * 8
Note that the offsets are in hexadecimal notation.
So, 1/2/3 multiplied by 8 is equal to 0x8/0x10/0x18.


Hey, some new questions if I may, sir:

I looked hard trying to find in the Windows calculator how to convert hexadecimal numbers to bytes, like you did with 1/2/3, which are 8/10/18,
and I can't find it, so if you can, explain the method to me so I can convert any number please....


And another new question:
I'm trying to implant a text. I found the address that gets the text I send to public, and the address that has the text I'm writing and about to send.

Both point up to these 2-3 other addresses that write to them. One that always shows up is:
140406EB0 - C6 03 00 - mov byte ptr [rbx],00

The second is playing - once it, once the other 2 below it.
VCRUNTIME140.memmove+12D - 89 08
- mov [rax],ecx

Again - one time the one above, sometimes those 2:
VCRUNTIME140.memmove+F7 - 66 89 08
- mov [rax],cx
VCRUNTIME140.memmove+FA - 44 88 40 02
- mov [rax+02],r8l


How the heck can I send one text I choose?


And last question:
a Lua script to FREEZE a value I just edited from an edit box - in a CE cheat trainer.
I'm building a trainer and I hooked up the script you helped me figure out,
and I added a box to edit the value of those 3 addresses.
Now I don't know how to freeze it while the script is running through the trainer I'm creating.
Zanzer
PostPosted: Sun Jan 01, 2017 5:29 pm

With Windows Calculator, you can press Alt+3 to switch to programmer mode and see HEX and DEC values.

String manipulation might be a bit more difficult to figure out.
See if you can find where the game is getting the values of ECX, CX, and R8L, respectively.
Overwrite that entire string with a custom string.
So when the game copies that string to those instructions, it equals what you want.

If you still have a memory record in the table, you can freeze it with the following.
Replace the zero with the ID of your record.
Code:
getAddressList().getMemoryRecordByID(0).Active = true

Otherwise, you can create a timer and just keep writing a value to the address.
Code:
writeInteger(address, value)
waltobc5
PostPosted: Sun Jan 08, 2017 9:58 pm

Zanzer wrote:
With Windows Calculator, you can press Alt+3 to switch to programmer mode and see HEX and DEC values.

String manipulation might be a bit more difficult to figure out.
See if you can find where the game is getting the values of ECX, CX, and R8L, respectively.
Overwrite that entire string with a custom string.
So when the game copies that string to those instructions, it equals what you want.

If you still have a memory record in the table, you can freeze it with the following.
Replace the zero with the ID of your record.
Code:
getAddressList().getMemoryRecordByID(0).Active = true

Otherwise, you can create a timer and just keep writing a value to the address.
Code:
writeInteger(address, value)


A few more questions:
First, the freeze code: can I implant it in the Lua script that I put on a button that, when you click it, changes the value of one of those 3 addresses?
Now, as I said, I want to also freeze it.

Secondly,
I'm trying to understand better how to find offsets.
For example, those same 3 addresses that I was looking for
(one of my friends did it but never got to explain):
so basically what we did here with AH and [myvar]+8,10,18,
he did with these addresses that keep updating even after restarting the game:
143411308 offset B48
143411308 offset B50
143411308 offset B4C

So how the hell did he make it happen?
I don't know how he got to the 143411308 address, or how it works with offsets that always keep being updated even if those 3 addresses change.
waltobc5
PostPosted: Wed Jan 11, 2017 11:23 am

bump?
waltobc5
PostPosted: Fri Jan 20, 2017 9:46 pm

waltobc5 wrote:
bump?

please??