Cheat Engine The Official Site of Cheat Engine
ElaYes (How do I cheat?; Reputation: 0; Joined: 05 Apr 2017; Posts: 5)
Posted: Sun Jun 25, 2017 1:58 pm. Post subject: [Quick] Unable to execute by-hand written assembly code
Problem solved, see last post if you are interested!
Hello CE Community,
Here's the problem. I will try to point out the problem and skip the blablabla-ing!
1. I've managed to create an Auto Assemble script that runs the way I want: jmp newmem, do things and come back.
2. I managed to create a script that uses VirtualAllocEx and VirtualProtectEx to malloc and write, byte by byte, the code that newmem includes, EXACTLY the same.
I also changed the protection from Read/Write/Execute to Read-only/Execute, just like Cheat Engine does, right?
3. Guess what's next, I did a test jumping to that new code. EXACTLY like Auto Assemble modification does.
The game freezes ... I've done something wrong with the permissions/VirtualProtectEx.
What I guess that I actually need is the following:
What is the correct permission I have to set AFTER the byte-by-byte writing of the assembly code?
msdn.microsoft.com/en-us/library/windows/desktop/aa366890(v=vs.85).aspx
Thanks for your attention.
Last edited by ElaYes on Sun Jun 25, 2017 5:29 pm; edited 5 times in total
ParkourPenguin (I post too much; Reputation: 140; Joined: 06 Jul 2014; Posts: 4297)
Posted: Sun Jun 25, 2017 2:14 pm
If you're using a relative operand (i.e. jmp rel32), copying the exact bytes isn't going to work if the memory you allocated is at a different address.
And AFAIK CE does not change permission of the pages it allocated from PAGE_EXECUTE_READWRITE. Otherwise, scripts like this would crash the target:
Code:
    alloc(newmem,4096)
    label(number)
    newmem:
    mov [number],5
    ret
    number:
    dd 0
    createthread(newmem)
_________________
I don't know where I'm going, but I'll figure it out when I get there.
ElaYes (How do I cheat?; Reputation: 0; Joined: 05 Apr 2017; Posts: 5)
Posted: Sun Jun 25, 2017 2:19 pm. Post subject: Thanks
Thank you, I can trust your words.
I am calculating the E9 blabla (jmp blabla) thing and putting it correctly using
Quote:
    negative := 0 - (FRM - DEST) - 5
    positive := 0xFFFFFFFF - (FRM - 4) + DEST
PAGE_EXECUTE_READWRITE is 0x40, let me see what I am doing wrong.
If you have any ideas feel free to give me your advice.
(I double-checked the code that my script writes and Auto Assemble writes, at an address X)
Update:
Tried with both PAGE_EXECUTE_READWRITE and PAGE_EXECUTE_READ,
and jmp X crashes.
The bytes are EXACTLY the same as Auto Assemble writes.
ParkourPenguin (I post too much; Reputation: 140; Joined: 06 Jul 2014; Posts: 4297)
Posted: Sun Jun 25, 2017 2:52 pm
I doubt there's much anyone else can do with the little information you provided besides telling you to check what you've already done. The operands should be stored in little endian (i.e. jmp EIP+000012AB -> E9 AB 12 00 00), FRM should be the address of the jmp instruction itself, the injected code should jump back to a valid instruction (not into the middle of another instruction; CE uses NOPs to show this), etc.
What address is the injection point at and what do the bytes around the injection point look like before and after you run your code?
What is the address of the faulting instruction and what bytes are at that address?
PS: you could simplify the rel32 calculation by using DEST-FRM-5 for both negative and positive numbers.
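The rel32 arithmetic discussed above, as an added example that is not part of the original thread: a single expression, masked to 32 bits, encodes both forward and backward jumps in little-endian order, and the decoder recovers the absolute target from the five bytes found at an injection point, which is what you do when checking whether a function has been hooked. All addresses used are constructed.

```python
import struct

JMP_REL32_LEN = 5  # opcode E9 followed by a 4-byte displacement


def encode_jmp_rel32(frm: int, dest: int) -> bytes:
    """Encode `jmp dest` for a jmp located at address `frm` (32-bit space).

    The displacement is relative to the instruction *after* the jmp, hence
    the -5. Masking to 32 bits lets one expression serve both directions:
    a backward jump simply wraps into its two's-complement form.
    """
    rel = (dest - frm - JMP_REL32_LEN) & 0xFFFFFFFF
    # '<I' emits the displacement little-endian, e.g. 0x12AB -> AB 12 00 00
    return b"\xE9" + struct.pack("<I", rel)


def is_jmp_rel32(code: bytes) -> bool:
    """True if `code` starts with a complete E9 rel32 instruction."""
    return len(code) >= JMP_REL32_LEN and code[0] == 0xE9


def decode_jmp_rel32(frm: int, code: bytes) -> int:
    """Return the absolute target of the E9 jmp whose first byte is at `frm`.

    Reading the displacement as signed ('<i') makes backward jumps come out
    negative, so the same addition works for both directions.
    """
    if not is_jmp_rel32(code):
        raise ValueError("no jmp rel32 at this address")
    (rel,) = struct.unpack("<i", code[1:JMP_REL32_LEN])
    return (frm + JMP_REL32_LEN + rel) & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed addresses: a hook at 0x00401000 jumping forward to a
    # hypothetical newmem at 0x00B00000, and the return jump going back.
    hook, newmem = 0x00401000, 0x00B00000
    out = encode_jmp_rel32(hook, newmem)
    back = encode_jmp_rel32(newmem + 12, hook + JMP_REL32_LEN)
    print(out.hex(" "), "->", hex(decode_jmp_rel32(hook, out)))
    print(back.hex(" "), "->", hex(decode_jmp_rel32(newmem + 12, back)))
```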
ElaYes (How do I cheat?; Reputation: 0; Joined: 05 Apr 2017; Posts: 5)
Posted: Sun Jun 25, 2017 3:03 pm
Let me give you a comparison, it will be precise and simple, I am not going to exhaust you.
Thanks for your help, brb with a screenshot.
Update:
Here you have the comparison ...
Gonna try the malloc via the script but inject using Auto Assemble.
The problem is in the malloc, but I tried 0x20, 0x40 and 0x10 access permissions :/.
(Almost all rights that do not fuck with memory protection)
What else can it be, malloc related? :/
Here is the AHK (AutoHotKey) command for VirtualAllocEx:
    DllCall( "VirtualAllocEx", "uint", ProcessHandle, "uint", 0, "uint", bytesToUnprotect, "uint", 0x1000, "uint", 0x4)
ParkourPenguin (I post too much; Reputation: 140; Joined: 06 Jul 2014; Posts: 4297)
Posted: Sun Jun 25, 2017 3:42 pm
Well, one obvious difference is the operands in the cmp instruction: in CE's AA, ecx is compared against 06A09260, and in your code, ecx is compared against 063DD3F8. Why the difference? Does using CE crash if you use the operand 063DD3F8?
ElaYes (How do I cheat?; Reputation: 0; Joined: 05 Apr 2017; Posts: 5)
Posted: Sun Jun 25, 2017 3:50 pm
I tried my last chance; I know that that cmp ... instruction works well with zeros (00000000).
I have tried it anyway but nothing, I mean with a known scenario, and it crashed just like before with that not-right-indeed my-character's-target address.
Now the only thing left for me is to check what I am doing wrong with the memory allocation ... It CANNOT be anything else ...
Do you have any advice about how I can allocate memory with the AutoHotKey language?
Edit 1:
YES! I allocated memory using CE and then added it to the AHK script and it works :)
Problem spotted!
Edit 2 (SOLVED):
The problem was that when I was calling OpenProcess, I was giving it 0x18 (0x10 + 0x8) as the access parameter.
I had to give it full permissions. I am kinda confused, just check the following quote, have a nice day.
Quote:
    PROCESS_VM_OPERATION := 0x8
    , PROCESS_VM_READ := 0x10
    , PROCESS_VM_WRITE := 0x20
So it had to be 0x38!
IT WORKED I'M HACKER BITCHEZZZ X)
REQUEST FOR LOCK
ParkourPenguin (I post too much; Reputation: 140; Joined: 06 Jul 2014; Posts: 4297)
Posted: Sun Jun 25, 2017 8:54 pm
I'm glad you were able to solve it. Also of note:
ElaYes wrote:
    Here is the AHK (AutoHotKey) command for VirtualAllocEx:
    DllCall( "VirtualAllocEx", "uint", ProcessHandle, "uint", 0, "uint", bytesToUnprotect, "uint", 0x1000, "uint", 0x4)
I just noticed you passed 0x4 instead of 0x40. The value 4 is PAGE_READWRITE; trying to execute any address in that page will give an error.
PS: you can check the protection on a page of memory by going to an address in the hex view (bottom half of Memory Viewer) and looking at the top left part of the panel where it says "Protect:".
ElaYes (How do I cheat?; Reputation: 0; Joined: 05 Apr 2017; Posts: 5)
Posted: Sun Jun 25, 2017 11:19 pm
ParkourPenguin wrote:
    I'm glad you were able to solve it. Also of note:
    ElaYes wrote:
        Here is the AHK (AutoHotKey) command for VirtualAllocEx:
        DllCall( "VirtualAllocEx", "uint", ProcessHandle, "uint", 0, "uint", bytesToUnprotect, "uint", 0x1000, "uint", 0x4)
    I just noticed you passed 0x4 instead of 0x40. The value 4 is PAGE_READWRITE; trying to execute any address in that page will give an error.
    PS: you can check the protection on a page of memory by going to an address in the hex view (bottom half of Memory Viewer) and looking at the top left part of the panel where it says "Protect:".
You are the man! Thank you! The hard-to-detect bug was not that, though; it was the fact that my VM... accesses were wrong. Check the first post, I have edited it and described the bug and the solution.
Request for lock! Thank you. Let me know if I can do something for you / train myself (cheat/assembly related).
I would like to master those techniques; I am a newbie.
EDIT: I mean the last post I made before this one.
EDIT 2: You've already seen it! Anyway! Good morning!!