kosticn101 How do I cheat? Reputation: 0
Joined: 09 Aug 2017 Posts: 4
Posted: Wed Aug 09, 2017 10:34 am Post subject: Troubles with finding out a base address
I'm trying to break a game called Hyper Battery Girl (dekedev[dot]itch[dot]io/ld39-hyper-battery-girl). I use Injection Copy (forum[dot]cheatengine[dot]org/viewtopic.php?t=572465) to get a base address for a player struct, but energy is stored somewhere else in memory. The problem is that the game crashes when I try AoB injection, even if I don't change the original code. That's probably because the instruction accesses a lot of other addresses?
I've tried pointer scanning, but after some time all pointers are invalid.
Addresses change every time you die or you go to the next level.
Code:
| "HBG.exe"+4ADB: 77 15 - ja HBG.exe+4AF2
|- "HBG.exe"+4ADD: FF 24 9D 20 4B 01 01 - jmp dword ptr [ebx*4+HBG.exe+4B20]
| "HBG.exe"+4AE4: 8B 07 - mov eax,[edi]
| "HBG.exe"+4AE6: 89 06 - mov [esi],eax
| |- "HBG.exe"+4AE8: EB 08 - jmp HBG.exe+4AF2
| | "HBG.exe"+4AEA: F2 0F 10 07 - movsd xmm0,[edi]
| | "HBG.exe"+4AEE: F2 0F 11 06 - movsd [esi],xmm0 << this writes to the energy address
|-> |-> "HBG.exe"+4AF2: 89 F0 - mov eax,esi << my idea is to inject here instead
"HBG.exe"+4AF4: 83 C4 04 - add esp,04
My idea is to do something like this:
Code:
[ENABLE]
aobscanmodule(base_energy,HBG.exe,89 F0 83 C4 04)
alloc(newmem,$1000)
label(code)
label(return)
label(energy_nequ)
globalalloc(bEnergy,4)

newmem:
code:
  comisd xmm0,[esi] // cmp cannot take an xmm register; comisd compares the double at [esi] with xmm0 (the value movsd just wrote)
  jne energy_nequ
  mov [bEnergy],esi // store the energy address only when this was the movsd path
energy_nequ:
  mov eax,esi // original code
  add esp,04
  jmp return

base_energy:
  jmp newmem // 5 bytes, exactly the size of mov eax,esi / add esp,04
return:
registersymbol(base_energy)

[DISABLE]
base_energy:
  db 89 F0 83 C4 04
unregistersymbol(base_energy)
dealloc(newmem)
What should I do?
Tips for searching:
+ get a little bit more than half of the energy;
+ search for a float value between 1.1 and 3.9;
+ search for a decreased value.
Also, it would be cool if someone finds out what formula is used to calculate energy value.
Code:
value          approximate number of blocks full (energy bar)
1.799999952    nearly empty
2.562500000    1
2.804687500    2
2.978124857    3
3.060937405    4
3.142578125    5
3.218359232    6
3.276367188    7
3.317773342    8
3.352929592    9
3.390625000    10
I don't see any relation here.
Last edited by kosticn101 on Wed Aug 09, 2017 11:18 am; edited 2 times in total
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4297
Posted: Wed Aug 09, 2017 10:56 am Post subject: |
That value is a double equal to about 10 times the number of blocks full.
http://forum.cheatengine.org/viewtopic.php?t=583376
Also:
++METHOS wrote:
There are other things that you can try.
- You can use a pointer address for your filter, inside of your script, for the value that you are trying to manipulate.
- You can use pointer trees inside of the data structure to find something viable.
- You can shift the data structure (+ or -) and/or expand its size to find something useful.
- You can use the structure spider to find workable strings and/or for comparative analysis.
- You can check the register values by attaching the debugger or setting a breakpoint to see if something can be used for your filter.
- You can check to see if there are any instructions that are exclusive to the address/value that you are trying to manipulate and store the address for your filter by creating a second injection point.
- You can check to see if there are any instructions that are exclusive to any other address/value inside of the data structure for the address/value that you are trying to manipulate and store the address for your filter by creating a second injection point.
- You can analyze assembly code to see if an identifier is being checked or assigned somewhere.
- Et al.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
kosticn101 How do I cheat? Reputation: 0
Joined: 09 Aug 2017 Posts: 4
Posted: Wed Aug 09, 2017 11:17 am Post subject: |
Omg, 5 sec of reading "Invincibility Code Fixes - Target Unique Reads" and I realised that I forgot to try "Find out what accesses this address". Ok, I've found the instruction where I can inject my code.
Quote:
That value is a double equal to about 10 times the number of blocks full.
Armm.. can you rephrase this?
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4297
Posted: Wed Aug 09, 2017 11:26 am Post subject: |
kosticn101 wrote:
Armm.. can you rephrase this?
ParkourPenguin wrote:
That value is a double...
You think the value is a float. The value is actually a double. Click on the "Value type" box to change what type of value you're scanning for.
ParkourPenguin wrote:
...equal to about 10 times the number of blocks full.
If the "number of blocks full" is 5, the value you should search for is around 50. Search for a value between 40 and 60.
Alternatively, you could subtract 4 from the address of the values you found and change the type to double manually.
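An added example, not code from the thread or from Cheat Engine, that works through ParkourPenguin's point: the energy value is an 8-byte double, and a 4-byte float scan on little-endian x86 that matched at the double's upper half shows the float values in the table above. It assumes the low dword of each double was zero at the time the table was taken, since the float scan never saw those bytes.

```python
import struct

# Constructed from the table in this thread: what a 4-byte float scan showed,
# keyed by the approximate number of full blocks on the energy bar.
FLOAT_VIEW = {
    0: 1.799999952,   # "nearly empty"
    1: 2.562500000,
    2: 2.804687500,
    5: 3.142578125,
    7: 3.276367188,
    10: 3.390625000,
}


def float_view_to_double(f: float) -> float:
    """Reinterpret a float32 as the HIGH dword of a little-endian double.

    A double at addr occupies addr..addr+7 with the low dword first, so a
    float scan matching at addr+4 was reading the sign, exponent and top
    20 mantissa bits of the double. That is why "subtract 4 from the
    address and change the type to double" shows the real value.
    The lost low dword is assumed to be zero.
    """
    hi = struct.pack("<f", f)                      # the 4 bytes the scan saw
    return struct.unpack("<d", b"\x00\x00\x00\x00" + hi)[0]


def double_to_float_view(d: float) -> float:
    """Inverse: what a float scan at addr+4 displays for a double d at addr."""
    return struct.unpack("<f", struct.pack("<d", d)[4:])[0]


def blocks_from_float_view(f: float) -> float:
    """Energy in 'blocks full' units, using ~10 energy per block."""
    return float_view_to_double(f) / 10.0


def recovered_table() -> dict:
    """Blocks -> real double value recovered from each float-view entry."""
    return {blocks: float_view_to_double(f) for blocks, f in FLOAT_VIEW.items()}


if __name__ == "__main__":
    for blocks, value in recovered_table().items():
        print(f"{blocks:2d} blocks: float view {FLOAT_VIEW[blocks]:<12} -> double {value}")
```

Searching for a double between 40 and 60 at 5 blocks corresponds to the float view 3.14..., which is exactly the row the table shows.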
kosticn101 How do I cheat? Reputation: 0
Joined: 09 Aug 2017 Posts: 4
Posted: Wed Aug 09, 2017 11:36 am Post subject: |
*aha moment*
Tnx.
The Dab Cheater Reputation: 0
Joined: 22 May 2017 Posts: 33
Posted: Wed Aug 09, 2017 1:53 pm Post subject: |
Can you post the original AOB template and maybe I can help find the pointer.
kosticn101 How do I cheat? Reputation: 0
Joined: 09 Aug 2017 Posts: 4
Posted: Wed Aug 09, 2017 3:40 pm Post subject: |
Energy base works currently, but now my player base doesn't work. It worked on one level but not on the next. The instruction where I used AoB injection suddenly started to access multiple memory addresses. This game is reeeally subjective to changes. I've started learning not so long ago; maybe I needed to pick a simpler game to practice. But I'll try to fix this later. I'm gonna dissect the player structure, maybe I can find a more suitable property to work with (currently I'm basing all of this on the X coord) or something else useful. I'm gonna also check out other methods for finding a base address. I'll ask for help if I get stuck.