brisingr Cheater Reputation: 0
Posted: Mon Mar 13, 2017 2:13 pm Post subject: AOB injection... help me! |
Hey there, I'm trying to assemble a script with aobscan, but unfortunately it doesn't work.
The hardest part is the fst instruction; I don't know how to disable it.
this is the script:
Code: |
[ENABLE]
// Cheat Engine auto-assembler hook for the fst at "game.dat"+284163
// (see the ORIGINAL CODE dump below). The scanned pattern covers the
// 6 bytes of `fst dword ptr [esi+08]` (3) + `mov ecx,[esi+10]` (3).
aobscanmodule(INJECT,game.dat,D9 56 08 8B 4E 10)
alloc(newmem,$1000)
newmem:
label(code)
label(return)
// Intended: only touch [esi+08] when it currently holds 0.
// NOTE(review): this memory-vs-immediate compare carries no operand size;
// spell it `cmp dword ptr [esi+08],0` so the width is unambiguous.
cmp [esi+08],0
jne code
// NOTE(review): nothing between "game.dat"+284158 (mov esi,ecx) and the
// injection point writes ecx, so ecx still equals esi here and this stores
// the object pointer into a slot the dump treats as a float (fld/fadd/fst).
mov [esi+08],ecx
code:
fst dword ptr [esi+08] // original code
mov ecx,[esi+10] // original code
jmp return
INJECT:
// NOTE(review): this jumps straight to `code`, so the cmp/mov above never
// execute and the hook changes nothing; `jmp newmem` is the usual target.
// jmp (5 bytes) + nop (1 byte) exactly covers the 6 scanned bytes.
jmp code
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db D9 56 08 8B 4E 10 // put the 6 original bytes back
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "game.dat"+284163
"game.dat"+28414D: 90 - nop
"game.dat"+28414E: 90 - nop
"game.dat"+28414F: 90 - nop
"game.dat"+284150: 83 EC 08 - sub esp,08
"game.dat"+284153: D9 44 24 0C - fld dword ptr [esp+0C]
"game.dat"+284157: 56 - push esi
"game.dat"+284158: 8B F1 - mov esi,ecx
"game.dat"+28415A: 8B 46 08 - mov eax,[esi+08]
"game.dat"+28415D: 89 46 0C - mov [esi+0C],eax
"game.dat"+284160: D8 46 08 - fadd dword ptr [esi+08]
// ---------- INJECTING HERE ----------
"game.dat"+284163: D9 56 08 - fst dword ptr [esi+08]
"game.dat"+284166: 8B 4E 10 - mov ecx,[esi+10]
// ---------- DONE INJECTING ----------
"game.dat"+284169: 89 4C 24 10 - mov [esp+10],ecx
"game.dat"+28416D: D8 5C 24 10 - fcomp dword ptr [esp+10]
"game.dat"+284171: DF E0 - fnstsw ax
"game.dat"+284173: F6 C4 41 - test ah,41
"game.dat"+284176: 75 05 - jne game.dat+28417D
"game.dat"+284178: 8B D1 - mov edx,ecx
"game.dat"+28417A: 89 56 08 - mov [esi+08],edx
"game.dat"+28417D: D9 46 08 - fld dword ptr [esi+08]
"game.dat"+284180: D8 1D A4 9D 93 00 - fcomp dword ptr [game.dat+539DA4]
"game.dat"+284186: DF E0 - fnstsw ax
} |
Zanzer I post too much Reputation: 126
Posted: Mon Mar 13, 2017 3:45 pm Post subject: |
For starters:
Skip the FST Code: | mov [esi+08],ecx
mov ecx,[esi+10]
jmp return |
gameplayer Advanced Cheater Reputation: 2
Posted: Mon Mar 13, 2017 8:07 pm Post subject: |
Let me explain Zanzer's solution. You should add the following two lines just before the label "code:"
Code: | mov ecx,[esi+10]
jmp return |
brisingr Cheater Reputation: 0
Posted: Wed Mar 15, 2017 2:23 pm Post subject: |
Unfortunately the game crashes. This is my first aobscan and maybe I'm writing something wrong; here is the code:
Code: | [ENABLE]
aobscanmodule(INJECT,game.dat,D9 56 08 8B 4E 10)
alloc(newmem,$1000)
newmem:
label(code)
label(return)
// NOTE(review): the compare has no operand size; write `cmp dword ptr [esi+08],0`.
cmp [esi+08],0
jne code
// NOTE(review): ecx still holds the value copied into esi at +284158
// (nothing in between writes it), so this stores the object pointer into
// the float slot at [esi+08]; the next line then overwrites ecx anyway.
// Loading ecx from [esi+10] first was the intended order.
mov [esi+08],ecx
mov ecx,[esi+10]
jmp return
code:
fst dword ptr [esi+08] // original code
mov ecx,[esi+10] // original code
jmp return
INJECT:
jmp newmem
// NOTE(review): the template's `nop` was removed. `jmp newmem` is 5 bytes
// but 6 were scanned, so `return` lands on the leftover 6th byte (10)
// and execution resumes mid-instruction -- the likely cause of the crash.
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db D9 56 08 8B 4E 10 // put the 6 original bytes back
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "game.dat"+284163
"game.dat"+28414D: 90 - nop
"game.dat"+28414E: 90 - nop
"game.dat"+28414F: 90 - nop
"game.dat"+284150: 83 EC 08 - sub esp,08
"game.dat"+284153: D9 44 24 0C - fld dword ptr [esp+0C]
"game.dat"+284157: 56 - push esi
"game.dat"+284158: 8B F1 - mov esi,ecx
"game.dat"+28415A: 8B 46 08 - mov eax,[esi+08]
"game.dat"+28415D: 89 46 0C - mov [esi+0C],eax
"game.dat"+284160: D8 46 08 - fadd dword ptr [esi+08]
// ---------- INJECTING HERE ----------
"game.dat"+284163: D9 56 08 - fst dword ptr [esi+08]
"game.dat"+284166: 8B 4E 10 - mov ecx,[esi+10]
// ---------- DONE INJECTING ----------
"game.dat"+284169: 89 4C 24 10 - mov [esp+10],ecx
"game.dat"+28416D: D8 5C 24 10 - fcomp dword ptr [esp+10]
"game.dat"+284171: DF E0 - fnstsw ax
"game.dat"+284173: F6 C4 41 - test ah,41
"game.dat"+284176: 75 05 - jne game.dat+28417D
"game.dat"+284178: 8B D1 - mov edx,ecx
"game.dat"+28417A: 89 56 08 - mov [esi+08],edx
"game.dat"+28417D: D9 46 08 - fld dword ptr [esi+08]
"game.dat"+284180: D8 1D A4 9D 93 00 - fcomp dword ptr [game.dat+539DA4]
"game.dat"+284186: DF E0 - fnstsw ax
} |
Zanzer I post too much Reputation: 126
Posted: Wed Mar 15, 2017 5:33 pm Post subject: |
Looks like you wanted to flip the two instructions like so: Code: | mov ecx,[esi+10]
mov [esi+08],ecx |
brisingr Cheater Reputation: 0
Posted: Thu Mar 16, 2017 7:59 am Post subject: |
Yeah, I tried to flip the instructions, but maybe that's the wrong way to disable the instruction
Code: |
fst dword ptr [esi+08]
mov ecx,[esi+10]
|
How do I disable the instruction "fst dword ptr"?
In the memory viewer, when I replace it with code that does nothing, 3 instructions are changed to nop (90 in bytes); is there any way to write this in the auto-assembler script?
ParkourPenguin I post too much Reputation: 140
Posted: Thu Mar 16, 2017 8:53 am Post subject: |
Code: | [ENABLE]
aobscanmodule(INJECT,game.dat,D9 56 08 8B 4E 10)
registersymbol(INJECT)
INJECT:
// Overwrite only the 3-byte `fst dword ptr [esi+08]` (D9 56 08) with nops;
// the following `mov ecx,[esi+10]` is left untouched and no code cave is
// needed. fst does not pop, so skipping it leaves the x87 stack depth
// unchanged. This is unconditional: it applies to every object that
// reaches this instruction.
db 90 90 90
[DISABLE]
INJECT:
db D9 56 08 // restore the 3 original bytes of the fst
unregistersymbol(INJECT) |
Zanzer I post too much Reputation: 126
Posted: Thu Mar 16, 2017 6:42 pm Post subject: |
Edit: Don't just delete things from the template... Add the NOP back.
By telling it to "jmp return" you are skipping fst dword ptr [esi+08]. Consider it disabled.
Code: | [ENABLE]
aobscanmodule(INJECT,game.dat,D9 56 08 8B 4E 10)
alloc(newmem,$1000)
label(code)
label(return)
newmem:
// NOTE(review): the compare has no operand size; write `cmp dword ptr [esi+08],0`.
cmp [esi+08],0
jne code
// [esi+08] == 0: copy the dword at [esi+10] into [esi+08] bit-for-bit and
// skip the original fst, so the value in st(0) is never stored. fst does
// not pop, so the x87 stack depth is the same on both paths.
mov ecx,[esi+10]
mov [esi+08],ecx
jmp return
code:
fst dword ptr [esi+08] // original code
mov ecx,[esi+10] // original code
jmp return
INJECT:
jmp newmem // 5 bytes
nop // pads to the 6 scanned bytes so `return` starts on an instruction boundary
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db D9 56 08 8B 4E 10 // put the 6 original bytes back
unregistersymbol(INJECT)
dealloc(newmem) |
Or give this a try... Code: | [ENABLE]
aobscanmodule(INJECT,game.dat,D9 56 08 8B 4E 10)
alloc(newmem,$1000)
label(code)
label(return)
newmem:
// NOTE(review): the compare has no operand size; write `cmp dword ptr [esi+08],0`.
cmp [esi+08],0
jne code
// [esi+08] == 0: replace the value in st(0) (which the original fst is
// about to store) with the float at [esi+10]. Pop then push keeps the x87
// stack depth unchanged, and both paths then run the original code.
fstp st(0)
fld dword ptr [esi+10]
code:
fst dword ptr [esi+08] // original code
mov ecx,[esi+10] // original code
jmp return
INJECT:
jmp newmem // 5 bytes
nop // pads to the 6 scanned bytes so `return` starts on an instruction boundary
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db D9 56 08 8B 4E 10 // put the 6 original bytes back
unregistersymbol(INJECT)
dealloc(newmem) |
brisingr Cheater Reputation: 0
Posted: Thu Sep 21, 2017 12:27 pm Post subject: |
Hey there, I tried all the options and the one that works is ParkourPenguin's script.
Now the issue is that the script also affects enemy units. I've used the dissect-data tool and the value at [+1c] defines the faction; 0 is for friendly units.
How should the script be written so that it compares this value and only injects the db 90 90 90 patch when it is not equal?
brisingr Cheater Reputation: 0
Posted: Tue Sep 26, 2017 10:45 am Post subject: |
After more tries nothing works; I can't find an opcode and value for friendly units.
Zanzer, your script also works fine; unfortunately, without the right value to compare against, it affects random units.
In the end I found a script table written by recifense that works fine; unfortunately I don't understand how it works, and I'd like to learn how to make another script like this.
This is the code:
Code: | {
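===========================================
Game Title : Command and Conquer - Generals Zero Hour (Cracked)
Game Version : 1.04
Process Name : game.dat
Script Version: 1.0
CE Version : 6.2
Release date : 09-Jul-2012
Author : Recifense
History:
09-Jul-12: First Release
Features:
- Minimum Resources
- Minimum XP
- God Mode
- Unlimited Energy
===========================================
}
//=========================================
// Definitions
define(LUDO,"game.dat") // module all three hooks live in
//=========================================
[ENABLE]
//=========================================
//LuaCall(CheckVersion())
//=========================================
// Check if script is compatible to this game version
// If false the script will not be loaded
// Each assert compares the bytes at a hook address with the original
// instruction bytes (their disassembly is in the [DISABLE] section).
assert(LUDO+0010a65d,8b 58 38 39 1d 68 69 9e 00) //_MR
assert(LUDO+00284163,d9 56 08 8b 4e 10 89 4c 24) //_GM
assert(LUDO+0014e802,8b b9 6c 01 00 00 8b 07 85) //_MI
//=========================================
alloc(MyCode,2048,LUDO) // code cave + variables, allocated near game.dat
//=========================================
// Declaration section
label(_MonRes)
label(_MonR0)
label(_MonR1)
label(_MonR2)
label(_BackMR)
label(_ExitMR)
label(_GodMode)
label(_GodM00)
label(_GodM01)
label(_BackGM)
label(_ExitGM)
label(_MonID)
label(_BackMI)
label(_ExitMI)
label(pUnit)
label(pRes)
label(pCommon)
label(iEnableGM)
label(iEnableGM1)
label(iEnableMR)
label(iEnableMX)
label(iEnableME)
label(iMinRes)
label(fGarbage)
//=========================================
// Registering Symbols
// Registered so the cheat table can address the iEnable* flags, iMinRes and
// the debug pointers by name. Every symbol registered here is unregistered
// again in [DISABLE].
registersymbol(MyCode)
registersymbol(pUnit)
registersymbol(pRes)
registersymbol(pCommon)
registersymbol(iEnableGM)
registersymbol(iEnableGM1)
registersymbol(iEnableMR)
registersymbol(iEnableMX)
registersymbol(iEnableME)
registersymbol(iMinRes)
//=========================================
MyCode:
//=========================================
// _MonRes: hook at LUDO+0010a65d. On entry eax points at the structure the
// original code reads [eax+38] from (see _ExitMR). Handles the resource,
// XP and energy features.
_MonRes:
mov [pRes],eax // Save pointer for debugging
mov ebx,[eax+00000160]
mov [pCommon],ebx // remembered so _GodMode can recognise this player's objects
cmp dword ptr [iEnableMR],0
je _MonR0 // Jump if feature is disabled
mov ebx,[iMinRes] // Get minimum resource value
cmp ebx,[eax+38] // Current resource >= minimum?
jle _MonR0 // Jump if true
mov [eax+38],ebx // Update current resource
_MonR0:
cmp dword ptr [iEnableMX],0
je _MonR2 // Jump if feature is disabled
// NOTE(review): +190/+194/+18c belong to the "Minimum XP" feature per the
// header; their exact meaning is not documented here.
cmp dword ptr [eax+00000190],3 // raise [eax+190] to at least 3
jge _MonR1
mov dword ptr [eax+00000190],3
_MonR1:
cmp dword ptr [eax+00000194],#5000 // '#' prefix = decimal in the auto-assembler
jg _MonR2
mov ebx,[eax+00000194]
dec ebx
mov [eax+0000018c],ebx // [eax+18c] = [eax+194] - 1
_MonR2:
cmp dword ptr [iEnableME],0
je _ExitMR // Jump if feature is disabled
xor ebx,ebx
mov [eax+88],ebx // Spent_Energy = 0
_ExitMR:
mov ebx,[eax+38] // Original code
// NOTE(review): the original bytes restored in [DISABLE] (39 1d 68 69 9e 00)
// are commented there as cmp [game.dat+005e6968],ebx, while this line uses
// +005e68e0. Confirm which address is right; the flags are consumed at _BackMR.
cmp [LUDO+005e68e0],ebx // Original code
jmp _BackMR // Back to main code
//=========================================
// _GodMode: hook at LUDO+00284163. On entry st(0) holds the value the
// original fst is about to store into [esi+08] (current HP); esi points at
// the object (the caller did mov esi,ecx) and [esi+10] is treated as max HP.
_GodMode:
fst dword ptr [fGarbage] // copy st(0) to memory without popping it
mov ecx,[fGarbage] // raw IEEE-754 bits of the new value
test ecx,ecx
js _GodM00 // negative value: always go through the checks below
cmp ecx,[esi+08] // for non-negative floats the bit patterns order like signed ints
jge _ExitGM // new >= current, i.e. not a loss: leave untouched
mov ecx,[esi+10]
cmp ecx,47c34f80 // 0x47C34F80 is the float 100000.0
je _ExitGM
_GodM00:
cmp dword ptr [iEnableGM],0
je _ExitGM // Jump if feature is disabled
mov ecx,[esi-08] // Get ptr to Unit/Building
or ecx,ecx
jz _ExitGM // Jump if the pointer is Null
mov eax,[ecx+000001b0] // Get pCommon
cmp eax,[pCommon] // only objects owned by the player seen in _MonRes
jne _ExitGM
mov al,[ecx+00000274]
movzx eax,al
or eax,[ecx+0000025c] // NOTE(review): meaning of +274/+25c not documented; skip when both are zero
jz _ExitGM
cmp dword ptr [iEnableGM1],0
je _GodM01 // Jump if feature is disabled
cmp byte ptr [ecx+000001f4],01 // Is it a car bomb or similar?
je _ExitGM // Jump if true
_GodM01:
fstp st(0) // Discard value
fld dword ptr [esi+10] // Get max HP
_ExitGM:
fst dword ptr [esi+08] // Original code
mov ecx,[esi+10] // Original code
jmp _BackGM // Back to main code
//=========================================
// _MonID: hook at LUDO+0014e802; only records the object pointer in ecx.
_MonID:
mov [pUnit],ecx
_ExitMI:
mov edi,[ecx+0000016C] // Original code
jmp _BackMI // Back to main code
//=========================================
db '====================================>'
db 'CE6.2 Script by Recifense 070912'
//=========================================
// Variables
// The iEnable* flags are toggled from the cheat table; 0 = feature off.
iEnableMR:
dd 0
iEnableMX:
dd 0
iEnableGM:
dd 0
iEnableGM1:
dd 0
iEnableME:
dd 0
iMinRes:
dd #50000 // decimal
pRes:
dd 0
pUnit:
dd 0
pCommon:
dd MyCode // presumably a sentinel until _MonRes runs: no object's [+1b0] should equal it
fGarbage:
dd 0 // scratch dword used by _GodMode to read st(0)
//=========================================
// Hacking Points
// Each hook overwrites the original instruction(s) with a 5-byte jmp plus
// nops covering the remaining bytes; the _Back* labels are the resume points.
LUDO+0010a65d:
jmp _MonRes
nop
nop
nop
nop
_BackMR:
LUDO+00284163:
jmp _GodMode
nop
_BackGM:
LUDO+0014e802:
jmp _MonID
nop
_BackMI:
//=========================================
// Script for Restoring Original Codes
[DISABLE]
LUDO+0010a65d:
// mov ebx,[eax+38]
// cmp [game.dat+005e6968],ebx
db 8b 58 38 39 1d 68 69 9e 00
LUDO+00284163:
// fst dword ptr [esi+08]
// mov ecx,[esi+10]
db d9 56 08 8b 4e 10
LUDO+0014e802:
// mov edi,[ecx+0000016C]
db 8b b9 6c 01 00 00
//=========================================
// Unregistering Symbols
unregistersymbol(MyCode)
unregistersymbol(pUnit) // was pHero, which is never registered; pUnit is
unregistersymbol(pRes)
unregistersymbol(pCommon)
unregistersymbol(iEnableGM)
unregistersymbol(iEnableGM1)
unregistersymbol(iEnableMR)
unregistersymbol(iEnableMX)
unregistersymbol(iEnableME)
unregistersymbol(iMinRes)
//=========================================
dealloc(MyCode)
//============= Scripts End ===============
// ****************************************
// NOTES
// ****************************************
{
}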
|
Can someone explain to me how this script found the value to compare against in the God Mode part of the script?