Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Multi-Level Pointers Script

prosportal1
Newbie cheater
Reputation: 0

Joined: 21 May 2015
Posts: 17

Posted: Wed Jul 12, 2017 3:58 pm    Post subject: Multi-Level Pointers Script

Hey, everyone

I was messing around with the CE tutorial practicing scripts and I'm having an issue with the pointers/Multi-Level pointers. I can find the base address with no problem and my AA script works just fine, but when you change the pointer, the tutorial won't allow you to click the button for a few seconds after you change the pointer. The address changes to 5000 even after the pointer has been changed, but because I can't press the button, the value changes temporarily. Is there a different method?



Code:
[ENABLE]

alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem:
mov eax,(int)5000    // force the value written by "Change value" to 5000
mov [esi+18],eax
lea edx,[ebp-2C]
jmp exit

originalcode:
mov [esi+18],eax
lea edx,[ebp-2C]

exit:
jmp returnhere

"Tutorial-i386.exe"+25EBC:
jmp newmem           // 5-byte jmp replaces the 6 original bytes, so one nop follows
nop
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"Tutorial-i386.exe"+25EBC:
mov [esi+18],eax
lea edx,[ebp-2C]
//Alt: db 89 46 18 8D 55 D4
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1587

Posted: Wed Jul 12, 2017 4:05 pm

prosportal1 wrote:
The address changes to 5000 even after the pointer has been changed, but because I can't press the button, the value changes temporarily.

Can you explain this part? I didn't get it.
prosportal1 wrote:
Is there a different method?

Other methods to pass the step?

_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
i am a sweetheart.
prosportal1
Newbie cheater
Reputation: 0

Joined: 21 May 2015
Posts: 17

Posted: Wed Jul 12, 2017 7:29 pm

I made a video explaining what I'm trying to do.

youtu.be/Iwg5S8pwHVg
ParkourPenguin
I post too much
Reputation: 140

Joined: 06 Jul 2014
Posts: 4289

Posted: Wed Jul 12, 2017 8:51 pm

That instruction is only run when you click on the "Change Value" button. Because that button is (more or less) disabled while it's checking to see if the value has been changed to 5000, that instruction isn't a suitable injection point to complete step 8.

Instead, you could modify the value the new address is initialized to:
Code:
define(address,"Tutorial-i386.exe"+260FB)
define(bytes,B8 A0 0F 00 00 E8 EB 85 FE FF)

[ENABLE]
assert(address,bytes)

address:
  db B8              // mov eax,dword
  dd (int)5000       // dword = 5000 (dec)
  db 90 90 90 90 90  // NOPs (fastcall; stack is ok)

[DISABLE]

address:
  db bytes
  // mov eax,00000FA0
  // call Tutorial-i386.exe+E6F0


{
// ORIGINAL CODE
"Tutorial-i386.exe"+260DC: 8B 45 DC              -  mov eax,[ebp-24]
"Tutorial-i386.exe"+260DF: 8B 55 DC              -  mov edx,[ebp-24]
"Tutorial-i386.exe"+260E2: 8B 40 10              -  mov eax,[eax+10]
"Tutorial-i386.exe"+260E5: 3B 42 14              -  cmp eax,[edx+14]
"Tutorial-i386.exe"+260E8: 74 02                 -  je Tutorial-i386.exe+260EC
"Tutorial-i386.exe"+260EA: EB 0F                 -  jmp Tutorial-i386.exe+260FB
"Tutorial-i386.exe"+260EC: A1 A4 F4 54 00        -  mov eax,[Tutorial-i386.exe+14F4A4]
"Tutorial-i386.exe"+260F1: E8 1A 25 0F 00        -  call Tutorial-i386.exe+118610
"Tutorial-i386.exe"+260F6: E9 FB 01 00 00        -  jmp Tutorial-i386.exe+262F6
// ---------- INJECTING HERE ----------
"Tutorial-i386.exe"+260FB: B8 A0 0F 00 00        -  mov eax,00000FA0
"Tutorial-i386.exe"+26100: E8 EB 85 FE FF        -  call Tutorial-i386.exe+E6F0
// ---------- DONE INJECTING  ----------
"Tutorial-i386.exe"+26105: 8B 55 DC              -  mov edx,[ebp-24]
"Tutorial-i386.exe"+26108: 89 42 18              -  mov [edx+18],eax
"Tutorial-i386.exe"+2610B: 8B 45 DC              -  mov eax,[ebp-24]
"Tutorial-i386.exe"+2610E: 8B 40 18              -  mov eax,[eax+18]
"Tutorial-i386.exe"+26111: 8D 55 B0              -  lea edx,[ebp-50]
"Tutorial-i386.exe"+26114: E8 F7 3B 01 00        -  call Tutorial-i386.exe+39D10
"Tutorial-i386.exe"+26119: 8B 55 B0              -  mov edx,[ebp-50]
"Tutorial-i386.exe"+2611C: 8B 45 F8              -  mov eax,[ebp-08]
"Tutorial-i386.exe"+2611F: 8B 80 64 04 00 00     -  mov eax,[eax+00000464]
"Tutorial-i386.exe"+26125: E8 16 D5 06 00        -  call Tutorial-i386.exe+93640
}

Note that the exact location of this instruction could differ depending on what version of the tutorial you have. If this script fails to enable, find this section of code and make any necessary modifications to the script.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
prosportal1
Newbie cheater
Reputation: 0

Joined: 21 May 2015
Posts: 17

Posted: Wed Jul 12, 2017 9:34 pm

Thanks for responding. That script works and changes the value, but when I change the pointer, it changes the value to something random and doesn't enable the button.

Why did you start the injection at B8 A0 0F 00 00 when the instruction changes at 89 42 18? Is that just to have more searchable bytes?
ParkourPenguin
I post too much
Reputation: 140

Joined: 06 Jul 2014
Posts: 4289

Posted: Wed Jul 12, 2017 9:56 pm

prosportal1 wrote:
That script works and changes the value, but when I change the pointer, it changes the value to something random and doesn't enable the button.

When this script is activated and you click on the "Change pointer" button, the value the program is concerned with is set to 5000 and the "Next" button becomes enabled after 3 seconds. If you click on the "Change value" button, it'll still set the value to something random.

prosportal1 wrote:
Why did you start the injection at B8 A0 0F 00 00 when the instruction changes at 89 42 18?

I chose that point because it was the easiest point to inject at. If you debug the process a little, you'll find the subroutine being called (Tutorial-i386.exe+E6F0) is a random number generator that returns a random number between 0 (inclusive) and the first parameter (exclusive). Instead of calling that, I just replaced that with nops and moved 5000 into eax. When the write at "Tutorial-i386.exe"+26108 is executed, it'll move 5000 into the new value the program is concerned with, and at the end of the three second period, the program will see the value is 5000 and allow you to progress.

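As an added example that is not part of the thread, here is a small Python check of the 10-byte patch ParkourPenguin's script writes at "Tutorial-i386.exe"+260FB: it decodes the original `mov eax,imm32` / `call rel32` pair (the offsets and the `B8 A0 0F 00 00 E8 EB 85 FE FF` bytes are the ones quoted above), builds the same `db B8` + `dd (int)5000` + five-NOP replacement, and refuses to patch when the bytes no longer match, which is what the script's `assert(address,bytes)` line guards against. The function names are mine; the memory snapshot in `check_site` is constructed input.

```python
import struct

# Values quoted in the thread (module-relative offsets, Tutorial-i386.exe)
INJECT_RVA = 0x260FB                               # "mov eax,00000FA0"
ORIGINAL = bytes.fromhex("B8A00F0000E8EB85FEFF")   # assert(address,bytes) pattern


def decode_mov_eax_imm32(code: bytes) -> int:
    """Decode 'B8 imm32' (mov eax, imm32) and return the immediate."""
    if len(code) < 5 or code[0] != 0xB8:
        raise ValueError("not a mov eax,imm32")
    return struct.unpack("<I", code[1:5])[0]


def decode_call_rel32(code: bytes, rva: int) -> int:
    """Decode 'E8 rel32' at offset rva and return its module-relative target.
    The displacement is relative to the end of the 5-byte instruction."""
    if len(code) < 5 or code[0] != 0xE8:
        raise ValueError("not a call rel32")
    rel = struct.unpack("<i", code[1:5])[0]
    return (rva + 5 + rel) & 0xFFFFFFFF


def build_patch(value: int, original: bytes) -> bytes:
    """'db B8' + 'dd (int)value', then NOPs padded to the length of the bytes
    being replaced so the instructions after the site are not shifted."""
    patch = b"\xB8" + struct.pack("<I", value)   # little-endian imm32
    if len(patch) > len(original):
        raise ValueError("patch longer than the bytes it replaces")
    return patch + b"\x90" * (len(original) - len(patch))


def check_site(mem: bytes, value: int = 5000) -> bytes:
    """Mirror the script's assert(): only produce a patch if the bytes at the
    injection site still match the version the script was written for."""
    if mem[: len(ORIGINAL)] != ORIGINAL:
        raise RuntimeError("bytes differ; locate the code and adjust the script")
    return build_patch(value, ORIGINAL)


if __name__ == "__main__":
    print(hex(decode_mov_eax_imm32(ORIGINAL)))                    # 0xfa0 (4000)
    print(hex(decode_call_rel32(ORIGINAL[5:], INJECT_RVA + 5)))   # 0xe6f0
    print(check_site(ORIGINAL + b"\x8b\x55\xdc").hex())           # constructed snapshot
```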
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1587

Posted: Thu Jul 13, 2017 2:38 am

Basically there are two values here, one related to change value, the second related to change pointer.

Once you click on change pointer, it won't use the same (op code / instruction).

Try to find the base pointer, then see what writes to that pointer (not the value or the address pointed to by the pointer) and simply just nop it.
This is one way, and there are lots of ways to pass this step.
You can even use speed hack to slow the tutorial, and find the timer.
It's a loop; it writes the new value with the new pointer after the loop is terminated.
In other words, when the timer hits 0 it writes the new value and pointer.
So basically nop that.

And there are at least 5-7 ways to pass this step.

prosportal1
Newbie cheater
Reputation: 0

Joined: 21 May 2015
Posts: 17

Posted: Thu Jul 13, 2017 3:36 pm

I found the base address and what writes to it

0040F04B - 89 03 - mov [ebx],eax <<

If I nop that, it crashes the tutorial.

I found the timer value, but CE didn't actually slow the tutorial down; even when I check pause while scanning. If I nop that, just hovering my mouse over the change pointer button crashes the game.

I know this is a silly request, but I'm still trying to figure it out.
ParkourPenguin
I post too much
Reputation: 140

Joined: 06 Jul 2014
Posts: 4289

Posted: Thu Jul 13, 2017 4:09 pm

OldCheatEngineUser wrote:
basically theres two values here, one related to change value, second related to change pointer.
That's incorrect. There's one value being pointed to that's important. Clicking on "Change value" just changes the value. Clicking on "Change pointer" will change the address of the value CE is looking at.
OldCheatEngineUser wrote:
once you click on change pointer, it wont use the same (op code / instruction)
Also incorrect. This is evident in the video by the fact that clicking on "Change value" will still change the value of the new address to 5000 after "Change pointer" has been clicked and 3 seconds have passed.
OldCheatEngineUser wrote:
see what writes to that pointer (not value or address pointed by a pointer) simply just nop it.
I have no idea why you think this would work and not crash the program.


prosportal1 wrote:
I know this is a silly request, but I'm still trying to figure it out.

What are you still trying to figure out? If you're trying to get that AA script working, then as I said before, you can't. That instruction isn't a suitable injection point because it isn't run when the tutorial is checking to see if the value of the new address it's concerned with is 5000.

OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1587

Posted: Thu Jul 13, 2017 6:19 pm

Maybe I was bad at explaining; true, I'm bad.

But I disagree with you, ParkourPenguin.

I have reverse engineered it, and found two functions controlling the value, one from the pointer, the second from the change value button.

OldCheatEngineUser wrote:
once you click on change pointer, it won't use the same (op code / instruction)

Yes, this is not true. My bad, and I apologize.

Anyway, 1388 (5000 decimal) is being moved into eax, then a call is made which is for randomizing the value. Nop that call and you should have 5000 ready after clicking change pointer.

But hey, why do I have to say much? Check my patched CE tuts under my signature.
