Cheat Engine

[ElaYes]

Problem solved, see last post if you are interested!

Hello CE Community,

Here's the problem. I will try to point the problem and ignore blablabla-ing!

1. I've managed to create a Auto Assemble script that runs with the way I want - jmp newmem, do things and come back.

2. I managed to create a script that uses VirtualAllocEx and VirtualProtectEx that do malloc and writes <<byte-by-byte>> the code that newmem includes, EXACTLY the same.
I also changed protection from Read/Write/Execute to Read-only/Execute, just like Cheat Engine do right?

3. Guess what's next, I did a test jumping to that new code. EXACTLY like Auto Assemble modification does.
Game freezes ... I've done something wrong with permissions/VirtualProtectEx.

What I guess that I actually need is the following:
What is the correct permission I have to set AFTER the byte-by-byte writing of the assembly code?

msdn{dot}microsoft{dot}com/en-us/library/windows/desktop/aa366890(v=vs.85){dot}aspx

Thanks for your attention.

[ParkourPenguin]

If you're using a relative operand (i.e. jmp rel32), copying the exact bytes isn't going to work if the memory you allocated is at a different address.

And AFAIK CE does not change permission of the pages it allocated from PAGE_EXECUTE_READWRITE. Otherwise, scripts like this would crash the target:

[ElaYes]

Thank you I can trust your words.

I am calculating the E9 blabla (jmp blabla) thing and put it correctly using

[ParkourPenguin]

I doubt there's that much anyone else can do with the little information you provided besides tell you to check what you've already done. The operands should be stored in little endian (i.e. jmp EIP+000012AB -> E9 AB 12 00 00), FRM should be the address of the jmp instruction itself, the injected code should jump back to a valid instruction (not in the middle of another instruction - CE uses NOPs to show this), etc.

What address is the injection point at and what do the bytes around the injection point look like before and after you run your code?
What is the address of the faulting instruction and what bytes are at that address?

PS: you could simplify the rel32 calculation by using DEST-FRM-5 for both negative and positive numbers.

[ElaYes]

Let me give you a comparison, it will be precise and simple, I am not going to exhaust you.

Thanks for your help, brb with a screenshot.

Update:

Here you have the comparison ...
Gonna try malloc by the script but inject using Auto Assemble.
The problem is on the malloc, but I tried 0x20, 0x40 and 0x10 access permissions :/.
(Almost all rights that do not fuck with memory protection)
What else can it be, malloc related? :/
Here it is the AHK (AutoHotKey) command of VirtualAllocEx
DllCall( "VirtualAllocEx", "uint", ProcessHandle, "uint", 0, "uint", bytesToUnprotect, "uint", 0x1000, "uint", 0x4)

[ParkourPenguin]

Well, one obvious difference is the operands in the cmp instruction: in CE's AA, ecx is compared against 06A09260, and in your code, ecx is compared against 063DD3F8. Why the difference? Does using CE crash if you use the operand 063DD3F8?

[ElaYes]

I tried my last chance, I know that that instruction cmp ... works well with zeros (00000000) .. ....
I have tried it anyway but nothing, I mean with a known scenario and crashed just like before with that not-right-indeed my-character's-target-address

Now the only left for me is to check what I am doing wrong with the memory allocation ... It CANNOT be anything else ...

Do you have any advices about how I can allocate memory with AutoHotKey language?

Edit 1:

YES! I allocated memory using CE and then I have added it to the AHK script and it works )
Problem spotted!

Edit 2 (SOLVED):

The problem was that when I was calling the OpenProcess, I was giving it as parameter of access 0x18, 0x10 + 0x8.
I had to give it full permissions, I am kinda confused just check the following quote, have a nice day.

[ParkourPenguin]

I'm glad you were able to solve it. Also of note:

[ElaYes]