Cheat Engine The Official Site of Cheat Engine
XaneXXXX Expert Cheater Reputation: 0
Joined: 29 Nov 2012 Posts: 212
Posted: Wed Mar 29, 2017 9:21 pm Post subject: Use Cheat Engine as an alarm for an MMORPG game?
First of all, I'm not asking how to hack an online game. What I am wondering is if it is possible to use Cheat Engine as a kind of "alarm", for example:
1. I find the VISUAL health value of the game (since it is server based I can't change it, and I don't want to either).
2. When the visual health value in CE gets below a certain value I would like CE to make a sound/some visual overlay so that I know I need to get my attention to the game.
Is this possible? Thanks!!
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Wed Mar 29, 2017 9:41 pm Post subject:
Assuming that the developer has not implemented some anti-CE measures to detect and/or prohibit the use of CE etc., then it should be possible.
Simply inject a script that reads that value, then call kernel32.Beep if/when that value is below a certain point etc..
XaneXXXX Expert Cheater Reputation: 0
Joined: 29 Nov 2012 Posts: 212
Posted: Wed Mar 29, 2017 9:47 pm Post subject:
++METHOS wrote:
> Assuming that the developer has not implemented some anti-CE measures to detect and/or prohibit the use of CE etc., then it should be possible.
> Simply inject a script that reads that value, then call kernel32.Beep if/when that value is below a certain point etc..
Thanks for your answer. Could you explain this a bit more? Never done anything similar to this.
Inject a script that reads the value etc. I can do. But I don't know how/where to call kernel32.Beep.
Cheers
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
XaneXXXX Expert Cheater Reputation: 0
Joined: 29 Nov 2012 Posts: 212
Posted: Wed Mar 29, 2017 9:57 pm Post subject:
++METHOS wrote:
> https://www.google.com/#q=site:forum.cheatengine.org+call+kernel32.Beep&*
Awesome, gonna read that! Helpful as always, thank you!
EDIT:
So I just tried doing some things. Atm my code is this:
Code:
push rax
mov rax,health
mov [rax],rdi
pop rax
mov esi,[rdi+rcx*4+10]
mov edx,[r13+0C]
call kernel32.Beep
jmp return
In theory, that should make the script beep when I activate it, but instead the client just crashes. Tips? Thanks.
Viloresi Expert Cheater Reputation: 0
Joined: 02 Feb 2017 Posts: 149
Posted: Wed Mar 29, 2017 11:52 pm Post subject:
XaneXXXX wrote:
> ++METHOS wrote:
> > https://www.google.com/#q=site:forum.cheatengine.org+call+kernel32.Beep&*
> Awesome, gonna read that! Helpful as always, thank you!
> EDIT:
> So I just tried doing some things. Atm my code is this:
> Code:
> push rax
> mov rax,health
> mov [rax],rdi
> pop rax
> mov esi,[rdi+rcx*4+10]
> mov edx,[r13+0C]
> call kernel32.Beep
> jmp return
> In theory, that should make the script beep when I activate it, but instead the client just crashes. Tips? Thanks.
Read carefully, because it says that you have to push the values of the frequency and duration first.
Try this
Code:
push rax
mov rax,health
mov [rax],rdi
pop rax
mov esi,[rdi+rcx*4+10]
mov edx,[r13+0C]
push #300
push #750
call kernel32.Beep
jmp return
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Thu Mar 30, 2017 8:36 am Post subject:
x64 would use rcx and rdx, not the stack... e.g.
Code:
mov rcx, #750 // dwords so nothing larger than 0xFFFFFFFF
mov rdx, #300 // or would that be 0x7FFFFFFF due to signed?
// not sure how beep handles negative values
Here's an example on the tutorial (step 2):
Code:
/*
https://msdn.microsoft.com/en-us/library/windows/desktop/ms679277(v=vs.85).aspx
BOOL WINAPI Beep(
_In_ DWORD dwFreq,
_In_ DWORD dwDuration
);
*/
[ENABLE]
aobscanmodule(INJECT,Tutorial-x86_64.exe,83 BB 90 07 00 00 00)
alloc(newmem,$1000,"Tutorial-x86_64.exe"+2AD8C)
label(code)
label(return)
newmem:
code:
// note rcx and rdx are not used so I just overwrite them
// could push/pop them to save their value
mov rcx, #700 // dwFreq
mov rdx, #300 // dwDuration
call beep
cmp dword ptr [rbx+00000790],00
jmp return
INJECT:
jmp newmem
db 90 90
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 83 BB 90 07 00 00 00
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "Tutorial-x86_64.exe"+2AD8C
"Tutorial-x86_64.exe"+2AD87: E8 F4 9D 08 00 - call Tutorial-x86_64.exe+B4B80
// ---------- INJECTING HERE ----------
"Tutorial-x86_64.exe"+2AD8C: 83 BB 90 07 00 00 00 - cmp dword ptr [rbx+00000790],00
// ---------- DONE INJECTING ----------
"Tutorial-x86_64.exe"+2AD93: 7D 35 - jnl Tutorial-x86_64.exe+2ADCA
"Tutorial-x86_64.exe"+2AD95: 48 8B 0D 9C F8 16 00 - mov rcx,[Tutorial-x86_64.exe+19A638]
"Tutorial-x86_64.exe"+2AD9C: E8 7F C1 12 00 - call Tutorial-x86_64.exe+156F20
"Tutorial-x86_64.exe"+2ADA1: C7 83 90 07 00 00 64 00 00 00 - mov [rbx+00000790],00000064
"Tutorial-x86_64.exe"+2ADAB: 8B 93 90 07 00 00 - mov edx,[rbx+00000790]
}
Here's an example script for both the i386 version and the x64 (v3.3)... there may be a better way, but my first attempt at it lol https://pastebin.com/NjBBL654
XaneXXXX Expert Cheater Reputation: 0
Joined: 29 Nov 2012 Posts: 212
Posted: Thu Mar 30, 2017 6:08 pm Post subject:
@Viloresi, I just tried the code
Code:
push rax
mov rax,health
mov [rax],rdi
pop rax
mov esi,[rdi+rcx*4+10]
mov edx,[r13+0C]
push #300
push #750
call kernel32.Beep
jmp return
The client still crashes. Gonna try the other examples! Cheers.
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Thu Mar 30, 2017 7:10 pm Post subject:
By the way, you might want to implement a timer or something if the instruction that you are hooking is being accessed constantly to avoid calling beep a million times.
Also, it might help to paste your script in its entirety.
I assume that you have executed a vanilla script that doesn't actually change anything, to verify that your injection location is good and no protection schemes are in place?
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4297
Posted: Thu Mar 30, 2017 7:27 pm Post subject:
x64 calling conventions
TL;DR:
- Parameters go in rcx, rdx, r8, and r9. Any additional parameters go on the stack.
- Return value is in rax or xmm0 for floating point numbers.
- rax, rcx, rdx, r8-r12, XMM0-5, YMM0-5, and the x87 stack are volatile and should be preserved by the caller if necessary. Everything else is nonvolatile and must be preserved by the callee.
- The stack should be aligned on a 16-byte boundary before calling a function.
- The stack must have 32 bytes of scratch space for the 4 register parameters before calling a function. Additional parameters are stored below the 32 bytes of scratchspace on the stack.
- The caller is responsible for managing the stack.
Here's a really annoying example AA script that will beep every second it's activated:
Code:
[ENABLE]
alloc(newmem,2048,kernel32.dll)
label(shouldExit)
registersymbol(shouldExit)
createthread(newmem)
newmem:
push rbp
mov rbp,rsp
sub rsp,20
and spl,F0
@@:
xor ecx,ecx
call User32.MessageBeep
mov ecx,#1000
call kernel32.Sleep
cmp byte ptr[shouldExit],0
je @b
// free memory, return
mov rsp,rbp
pop rbp
mov rcx,newmem
xor rdx,rdx
mov r8d,8000
jmp kernel32.VirtualFree
shouldExit:
db 0
[DISABLE]
shouldExit:
db 1
unregistersymbol(shouldExit)
_________________
I don't know where I'm going, but I'll figure it out when I get there.
XaneXXXX Expert Cheater Reputation: 0
Joined: 29 Nov 2012 Posts: 212
Posted: Fri Mar 31, 2017 7:43 pm Post subject:
Thank you guys for all the answers and tips. Here is the original code for the visual health:
Code:
[ENABLE]
aobscan(asd,8B 74 8F 10 41 8B 55 0C)
alloc(newmem,$1000,2098D036A18)
label(code)
label(return)
newmem:
code:
mov esi,[rdi+rcx*4+10]
mov edx,[r13+0C]
jmp return
asd:
jmp newmem
nop
nop
nop
return:
registersymbol(asd)
[DISABLE]
asd:
db 8B 74 8F 10 41 8B 55 0C
unregistersymbol(asd)
dealloc(newmem)
Health is a 4 byte value.
And this is what I have done so far:
Code:
[ENABLE]
aobscan(asd,8B 74 8F 10 41 8B 55 0C)
alloc(newmem,$1000,2098D036A18)
label(code)
label(return)
globalalloc(health,4)
newmem:
code:
push rax
mov rax,health
mov [rax],rdi
pop rax
mov esi,[rdi+rcx*4+10]
mov edx,[r13+0C]
jmp return
asd:
jmp newmem
nop
nop
nop
return:
registersymbol(asd)
[DISABLE]
asd:
db 8B 74 8F 10 41 8B 55 0C
unregistersymbol(asd)
dealloc(newmem)
I then add Health with offset 1C as a pointer to get the health.
What I want is the PC to make a small beep when the health gets below 30.
@METHOS, I'm not really sure what you mean, but no, I haven't really "changed" anything in the game. I have just made a "read from opcode" script so that I can find my health easily. Other than that I haven't changed anything in the game itself.
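Putting the thread's advice together (ParkourPenguin's x64 calling-convention rules, METHOS's timer, and keeping API calls out of the hooked code path), here is an added auto-assembler script that is not code from any of the posters. It assumes the OP's "read from opcode" script above is enabled, so the globalalloc'd `health` symbol holds the rdi base pointer and the displayed health is a 4-byte value at offset 1C from it, as the OP reported; the 750 Hz / 300 ms beep values and the 500 ms poll interval are arbitrary choices.

```asm
[ENABLE]
alloc(alarm,$1000,kernel32.dll)
label(shouldExit)
label(noalarm)
registersymbol(shouldExit)
createthread(alarm)

alarm:
  push rbp
  mov rbp,rsp
  sub rsp,20                   // 32 bytes of shadow space for the 4 register parameters
  and spl,F0                   // 16-byte alignment before any call
@@:
  mov rax,health               // symbol from the OP's hook script (assumed enabled)
  mov rax,[rax]                // rdi base pointer stored by that hook
  test rax,rax
  jz noalarm                   // hook has not run yet, nothing to compare
  cmp dword ptr [rax+1C],#30   // displayed health sits at +1C per the OP's pointer
  jge noalarm
  mov ecx,#750                 // dwFreq in rcx, dwDuration in rdx: x64 passes them in registers
  mov edx,#300
  call kernel32.Beep
noalarm:
  mov ecx,#500                 // poll twice a second; this is the timer that stops beep spam
  call kernel32.Sleep
  cmp byte ptr [shouldExit],0
  je @b
  mov rsp,rbp                  // leave the loop, then let the thread free its own memory
  pop rbp
  mov rcx,alarm
  xor rdx,rdx
  mov r8d,8000                 // MEM_RELEASE
  jmp kernel32.VirtualFree

shouldExit:
  db 0

[DISABLE]
shouldExit:
  db 1
unregistersymbol(shouldExit)
```

Because the beep runs on its own thread, the game's registers and stack at the hooked instruction are never touched, which is what was crashing the client in the earlier attempts; the OP's `globalalloc(health,4)` should be changed to `globalalloc(health,8)` so the declared size matches the 8-byte rdi store.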
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Fri Mar 31, 2017 9:18 pm Post subject:
What I mean, is, inject a script at that location (e.g. using AOB Injection template), but don't do anything to the script...just add it to your table and enable it to see if the game crashes after you return to the game and play for a bit. It is just a simple way to check if there are any memory integrity check routines or if your injection is breaking code somewhere.