OldCheatEngineUser Whateven rank Reputation: 20
Joined: 01 Feb 2016 Posts: 1587
Posted: Sun Jan 28, 2018 1:14 am Post subject: cheat engine tutorial script |
32-Bit
{
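Author: OldCheatEngineUser
Website: forum.cheatengine.org
About: cheat engine tutorial version 3.3 script for all steps
Attention: requires "Tutorial-i386.exe" from "cheat engine 6.6" directory
ExtraInfo: script won't work on other versions
}
{
How the defines below are organised (one group per tutorial step):
  <Step>Address  module offset of the instruction that is patched
  <Step>Bytes    bytes expected there; assert() checks them before anything
                 is written, so a different tutorial build aborts the script
                 instead of getting garbage patched into its code
  <Step>Ip       address execution resumes at after the code cave
  <Step>Req      replacement bytes run in the cave (StepFour and StepSix are
                 same-length patches written in place, no cave)
Every offset is hard-coded, so the asserts are the only version check.
Review fix: StepOneReq, StepTwoReq and StepSevenReq used 16-bit writes
(mov ax / mov bx / mov word ptr), which leave the upper 16 bits of the
register or dword as the game left them. They now use the full 32-bit forms,
so exactly 1000 / 5000 is stored regardless of what was there before. The
caves grow by one byte each and still fit in the 0x90-byte allocation.
}
// 89 83 80 04 00 00 = mov [ebx+00000480],eax
define(StepOneAddress,"Tutorial-i386.exe"+23B00)
define(StepOneBytes,89 83 80 04 00 00)
define(StepOneIp,"Tutorial-i386.exe"+23B06)
// B8 E8 03 00 00 = mov eax,000003E8 (1000); the original store then writes it
define(StepOneReq,B8 E8 03 00 00)
// 29 9E 84 04 00 00 = sub [esi+00000484],ebx
define(StepTwoAddress,"Tutorial-i386.exe"+23FE6)
define(StepTwoBytes,29 9E 84 04 00 00)
define(StepTwoIp,"Tutorial-i386.exe"+23FEC)
// BB 88 13 00 00 = mov ebx,00001388 (5000) ; 89 9E 84 04 00 00 = mov [esi+00000484],ebx
define(StepTwoReq,BB 88 13 00 00 89 9E 84 04 00 00)
// D9 9E 94 04 00 00 = fstp dword ptr [esi+00000494]
define(StepThreeAddressF,"Tutorial-i386.exe"+2481F)
define(StepThreeBytesF,D9 9E 94 04 00 00)
define(StepThreeIpF,"Tutorial-i386.exe"+24825)
// an instruction, not bytes: emitted as-is inside the cave; the label is defined at the end of [enable]
define(StepThreeReqF,fld dword ptr [StepThreeValueF])
// 459C4000 = 5000.0 as a single-precision float
define(StepThreeFloat,dd 459C4000)
// DD 9B 98 04 00 00 = fstp qword ptr [ebx+00000498]
define(StepThreeAddressD,"Tutorial-i386.exe"+24643)
define(StepThreeBytesD,DD 9B 98 04 00 00)
define(StepThreeIpD,"Tutorial-i386.exe"+24649)
define(StepThreeReqD,fld qword ptr [StepThreeValueD])
// 40B3880000000000 = 5000.0 as a double
define(StepThreeDouble,dq 40B3880000000000)
// 89 10 = mov [eax],edx ; replaced in place by two nops
define(StepFourAddress,"Tutorial-i386.exe"+24AE8)
define(StepFourBytes,89 10)
define(StepFourReq,90 90)
// 8B 00 = mov eax,[eax] ; 8D 55 C0 = lea edx,[ebp-40]
define(StepFiveAddress,"Tutorial-i386.exe"+2505A)
define(StepFiveBytes,8B 00 8D 55 C0)
define(StepFiveIp,"Tutorial-i386.exe"+2505F)
// C7 02 88 13 00 00 = mov dword ptr [edx],00001388 (5000)
define(StepFiveReq,C7 02 88 13 00 00)
// 83 AB 78 04 00 00 01 = sub dword ptr [ebx+00000478],01
// 83 83 78 04 00 00 02 = add dword ptr [ebx+00000478],02 ; same length, written in place
define(StepSixAddress,"Tutorial-i386.exe"+2553D)
define(StepSixBytes,83 AB 78 04 00 00 01)
define(StepSixReq,83 83 78 04 00 00 02)
// 81 78 18 88 13 00 00 = cmp dword ptr [eax+18],00001388
define(StepSevenAddress,"Tutorial-i386.exe"+262C8)
define(StepSevenBytes,81 78 18 88 13 00 00)
define(StepSevenIp,"Tutorial-i386.exe"+262CF)
// C7 40 18 88 13 00 00 = mov dword ptr [eax+18],00001388 (5000), full dword write
define(StepSevenReq,C7 40 18 88 13 00 00)
// 8B 45 FC = mov eax,[ebp-04] ; 89 43 04 = mov [ebx+04],eax
define(StepEightAddress,"Tutorial-i386.exe"+26534)
define(StepEightBytes,8B 45 FC 89 43 04)
define(StepEightIp,"Tutorial-i386.exe"+2653A)
// 66 83 FE 01 = cmp si,01
define(StepEightReq,66 83 FE 01)
[enable]
// refuse to patch unless every site still holds the expected bytes
assert(StepOneAddress,StepOneBytes)
assert(StepTwoAddress,StepTwoBytes)
assert(StepThreeAddressF,StepThreeBytesF)
assert(StepThreeAddressD,StepThreeBytesD)
assert(StepFourAddress,StepFourBytes)
assert(StepFiveAddress,StepFiveBytes)
assert(StepSixAddress,StepSixBytes)
assert(StepSevenAddress,StepSevenBytes)
assert(StepEightAddress,StepEightBytes)
// 0x90 bytes for all caves plus the two float constants. globalalloc mem is
// not freed by [disable], so re-enabling reuses the same block.
globalalloc(script,$90)
// Each hooked site gets a 5-byte jmp into its cave; nops pad the rest of the
// overwritten instruction. StepFour and StepSix are same-length in-place patches.
StepOneAddress:
jmp StepOne
nop
StepTwoAddress:
jmp StepTwo
nop
StepThreeAddressF:
jmp StepThreeF
nop
StepThreeAddressD:
jmp StepThreeD
nop
StepFourAddress:
db StepFourReq
StepFiveAddress:
jmp StepFive
StepSixAddress:
db StepSixReq
StepSevenAddress:
jmp StepSeven
nop
nop
StepEightAddress:
jmp StepEight
nop
script:
StepOne:
// eax = 1000, then the original store: 1000 is written instead of the computed value
db StepOneReq
db StepOneBytes
jmp StepOneIp
StepTwo:
// ebx = 5000 + mov [esi+484],ebx: stores 5000 in place of the original sub
db StepTwoReq
jmp StepTwoIp
StepThreeF:
// DD D8 = fstp st(0): drop the float the game was about to store, load 5000.0
// from StepThreeValueF and let the original fstp store that instead
db DD D8
StepThreeReqF
db StepThreeBytesF
jmp StepThreeIpF
StepThreeD:
// same for the double: fstp st(0), fld 5000.0, original fstp qword
db DD D8
StepThreeReqD
db StepThreeBytesD
jmp StepThreeIpD
StepFive:
// write 5000 through edx, then run the two original instructions
// NOTE(review): assumes edx already points at the target value at this site - confirm
db StepFiveReq
db StepFiveBytes
jmp StepFiveIp
StepSeven:
// set [eax+18] to 5000 right before the original cmp re-reads it
db StepSevenReq
db StepSevenBytes
jmp StepSevenIp
StepEight:
// cmp si,01: if si != 1 skip the original load/store and resume at StepEightIp,
// otherwise run the original two instructions unchanged
// NOTE(review): what si means at this site is not visible here - confirm against the tutorial
db StepEightReq
jnz StepEightIp
db StepEightBytes
jmp StepEightIp
// constants read by the StepThree caves, kept inside the same allocation
StepThreeValueF:
StepThreeFloat
StepThreeValueD:
StepThreeDouble
[disable]
// restore the original bytes at every site; the script allocation stays mapped
StepOneAddress:
db StepOneBytes
StepTwoAddress:
db StepTwoBytes
StepThreeAddressF:
db StepThreeBytesF
StepThreeAddressD:
db StepThreeBytesD
StepFourAddress:
db StepFourBytes
StepFiveAddress:
db StepFiveBytes
StepSixAddress:
db StepSixBytes
StepSevenAddress:
db StepSevenBytes
StepEightAddress:
db StepEightBytes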
64-Bit
{
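Author: OldCheatEngineUser
Website: forum.cheatengine.org
About: cheat engine tutorial version 3.3 script for all steps
Attention: requires "Tutorial-x86_64.exe" from "cheat engine 6.6" directory
ExtraInfo: script won't work on other versions
}
{
How the defines below are organised (one group per tutorial step):
  <Step>Address  module offset of the instruction(s) that get patched
  <Step>Bytes    bytes expected there; assert() checks them before anything
                 is written, so a different tutorial build aborts the script
                 instead of getting garbage patched into its code
  <Step>Ip       address execution resumes at after the code cave
  <Step>Req      replacement bytes run in the cave (StepFour to StepSeven are
                 same-length patches written in place, no cave)
  StepOne... / StepTwo...  the original instructions re-executed after the
                 replacement. NOTE(review): both names look truncated by the
                 forum rendering; check the identifier in the original post.
Every offset is hard-coded, so the asserts are the only version check.
Review fix: the last instruction in StepEightBytes (0F 2F 05 ..) is a
RIP-relative comiss. Copying it into the cave with db keeps the original
displacement, which is relative to the instruction pointer, so from the cave
it would read a different address. The cave now copies only the first two
(position-independent) instructions and uses reassemble() to re-encode the
comiss for its new location. The assert and the [disable] restore still use
the full original byte string, which is correct at the original address.
}
// preferred address for the cave, next to the module: the 5-byte rel32 jmps
// in and out of the cave need their target within +/-2 GB on x64
define(here,"Tutorial-x86_64.exe"+2F000)
// 29 93 90 07 00 00 = sub [rbx+00000790],edx ; 8B 93 90 07 00 00 = mov edx,[rbx+00000790] ; 48 8D 4D F8 = lea rcx,[rbp-08]
define(StepOneAddress,"Tutorial-x86_64.exe"+2AD67)
define(StepOneBytes,29 93 90 07 00 00 8B 93 90 07 00 00 48 8D 4D F8)
define(StepOneIp,"Tutorial-x86_64.exe"+2AD77)
// BA E8 03 00 00 = mov edx,000003E8 (1000) ; 89 93 90 07 00 00 = mov [rbx+00000790],edx
define(StepOneReq,BA E8 03 00 00 89 93 90 07 00 00)
// the two original instructions after the sub, re-executed in the cave
define(StepOne...,8B 93 90 07 00 00 48 8D 4D F8)
// 29 9E 98 07 00 00 = sub [rsi+00000798],ebx ; 8B 86 98 07 00 00 = mov eax,[rsi+00000798] ; 67 8D 90 30 F8 FF FF = lea edx,[eax-000007D0]
define(StepTwoAddress,"Tutorial-x86_64.exe"+2B355)
define(StepTwoBytes,29 9E 98 07 00 00 8B 86 98 07 00 00 67 8D 90 30 F8 FF FF)
define(StepTwoIp,"Tutorial-x86_64.exe"+2B368)
// BB 88 13 00 00 = mov ebx,00001388 (5000) ; 89 9E 98 07 00 00 = mov [rsi+00000798],ebx
define(StepTwoReq,BB 88 13 00 00 89 9E 98 07 00 00)
// the two original instructions after the sub, re-executed in the cave
define(StepTwo...,8B 86 98 07 00 00 67 8D 90 30 F8 FF FF)
// F3 0F 11 8E B8 07 00 00 = movss [rsi+000007B8],xmm1 ; C7 44 24 20 04 00 00 00 = mov dword ptr [rsp+20],00000004
define(StepThreeAddressF,"Tutorial-x86_64.exe"+2BDB3)
define(StepThreeBytesF,F3 0F 11 8E B8 07 00 00 C7 44 24 20 04 00 00 00)
define(StepThreeIpF,"Tutorial-x86_64.exe"+2BDC3)
// B9 88 13 00 00 = mov ecx,00001388 (5000) ; F3 0F 2A C9 = cvtsi2ss xmm1,ecx
// NOTE(review): ecx is clobbered; assumed dead at this site - confirm
define(StepThreeReqF,B9 88 13 00 00 F3 0F 2A C9)
// F2 0F 11 83 C0 07 00 00 = movsd [rbx+000007C0],xmm0 ; then the same mov dword ptr [rsp+20],4
define(StepThreeAddressD,"Tutorial-x86_64.exe"+2BB8C)
define(StepThreeBytesD,F2 0F 11 83 C0 07 00 00 C7 44 24 20 04 00 00 00)
define(StepThreeIpD,"Tutorial-x86_64.exe"+2BB9C)
// B9 88 13 00 00 = mov ecx,00001388 (5000) ; F2 0F 2A C1 = cvtsi2sd xmm0,ecx
define(StepThreeReqD,B9 88 13 00 00 F2 0F 2A C1)
// 89 10 = mov [rax],edx ; replaced in place by two nops
define(StepFourAddress,"Tutorial-x86_64.exe"+2C130)
define(StepFourBytes,89 10)
define(StepFourReq,90 90)
// 74 02 = je +2 ; replaced in place by EB 02 = jmp +2 (branch always taken)
define(StepFiveAddress,"Tutorial-x86_64.exe"+2C62A)
define(StepFiveBytes,74 02)
define(StepFiveReq,EB 02)
// 83 AE 80 07 00 00 01 = sub dword ptr [rsi+00000780],01
// 83 86 80 07 00 00 02 = add dword ptr [rsi+00000780],02 ; same length, written in place
define(StepSixAddress,"Tutorial-x86_64.exe"+2CDAB)
define(StepSixBytes,83 AE 80 07 00 00 01)
define(StepSixReq,83 86 80 07 00 00 02)
// 74 02 -> EB 02, as for StepFive
define(StepSevenAddress,"Tutorial-x86_64.exe"+2DDB2)
define(StepSevenBytes,74 02)
define(StepSevenReq,EB 02)
// F3 0F 11 43 08 = movss [rbx+08],xmm0 ; F3 0F 10 43 08 = movss xmm0,[rbx+08] ;
// 0F 2F 05 A8 4E 1D 00 = comiss xmm0,[rip+001D4EA8]  (RIP-relative, see the note at the top)
define(StepEightAddress,"Tutorial-x86_64.exe"+2E0B7)
define(StepEightBytes,F3 0F 11 43 08 F3 0F 10 43 08 0F 2F 05 A8 4E 1D 00)
// the two position-independent movss instructions, safe to copy into the cave
define(StepEightCopy,F3 0F 11 43 08 F3 0F 10 43 08)
// address of the comiss (StepEightAddress+A); reassemble() reads it from here
define(StepEightComiss,"Tutorial-x86_64.exe"+2E0C1)
define(StepEightIp,"Tutorial-x86_64.exe"+2E0C8)
// 40 80 FE 01 = cmp sil,01
define(StepEightReq,40 80 FE 01)
[enable]
// refuse to patch unless every site still holds the expected bytes
assert(StepOneAddress,StepOneBytes)
assert(StepTwoAddress,StepTwoBytes)
assert(StepThreeAddressF,StepThreeBytesF)
assert(StepThreeAddressD,StepThreeBytesD)
assert(StepFourAddress,StepFourBytes)
assert(StepFiveAddress,StepFiveBytes)
assert(StepSixAddress,StepSixBytes)
assert(StepSevenAddress,StepSevenBytes)
assert(StepEightAddress,StepEightBytes)
// 0x9A bytes for all caves, placed at "here" if that address is free.
// globalalloc memory is not freed by [disable], so re-enabling reuses it.
globalalloc(script,$9A,here)
// Each hooked site gets a 5-byte jmp into its cave; the nops pad past the first
// overwritten instruction. The remaining original instructions are re-executed
// from the cave before jumping to <Step>Ip, so the bytes left behind never run.
StepOneAddress:
jmp StepOne
nop
nop
StepTwoAddress:
jmp StepTwo
nop
nop
nop
nop
nop
StepThreeAddressF:
jmp StepThreeF
nop
nop
StepThreeAddressD:
jmp StepThreeD
nop
nop
StepFourAddress:
db StepFourReq
StepFiveAddress:
db StepFiveReq
StepSixAddress:
db StepSixReq
StepSevenAddress:
db StepSevenReq
StepEightAddress:
jmp StepEight
nop
nop
nop
script:
StepOne:
// mov edx,3E8 + mov [rbx+790],edx stand in for the sub; the original mov/lea follow
db StepOneReq
db StepOne...
jmp StepOneIp
StepTwo:
// mov ebx,1388 + mov [rsi+798],ebx stand in for the sub; the original mov/lea follow
db StepTwoReq
db StepTwo...
jmp StepTwoIp
StepThreeF:
// xmm1 = (float)5000 before the original movss stores it
db StepThreeReqF
db StepThreeBytesF
jmp StepThreeIpF
StepThreeD:
// xmm0 = (double)5000 before the original movsd stores it
db StepThreeReqD
db StepThreeBytesD
jmp StepThreeIpD
StepEight:
// cmp sil,01: if sil != 1 skip the store and the compare and resume at StepEightIp;
// otherwise run the original three instructions.
// NOTE(review): the meaning of sil here is not visible in this script, and in the
// skip path the code at StepEightIp sees the flags of cmp sil,01 rather than of
// the comiss - presumably intended, confirm against the tutorial
db StepEightReq
jnz StepEightIp
db StepEightCopy
// comiss xmm0,[rip+..] re-encoded for this location (see the note at the top)
reassemble(StepEightComiss)
jmp StepEightIp
[disable]
// restore the original bytes at every site; the script allocation stays mapped
StepOneAddress:
db StepOneBytes
StepTwoAddress:
db StepTwoBytes
StepThreeAddressF:
db StepThreeBytesF
StepThreeAddressD:
db StepThreeBytesD
StepFourAddress:
db StepFourBytes
StepFiveAddress:
db StepFiveBytes
StepSixAddress:
db StepSixBytes
StepSevenAddress:
db StepSevenBytes
StepEightAddress:
db StepEightBytes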
Last edited by OldCheatEngineUser on Tue Jan 30, 2018 2:23 pm; edited 2 times in total |
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Sun Jan 28, 2018 5:56 pm Post subject: |
This works for the x32 Tutorial versions 3.3 and 3.4:
{$STRICT}
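{
Cheat Engine tutorial (32-bit build), all steps in one script.
Each hook is located with aobScanModule (xx = wildcard byte, scan limited to
the tutorial module) so the same script fits builds 3.3 and 3.4; assert() then
checks the exact bytes at the injection point before anything is written.
Hooks that need code alloc() a cave near the injection point; the pointer
each cave saves (ptr*Hook) is registered so table entries can use it.
Review fix: step9n_code never wrote ptrStep9Hook although the symbol is
registered and unregistered like the others; it now saves ebx right after
pushfd (mov does not touch flags), as the x64 variant of this script does.
}
// 89 83 80 04 00 00 = mov [ebx+00000480],eax
define(step2Bytes, 89 83 80 04 00 00)
define(step3OldBytes, 83 C0 01 89 C3 29)
// add eax,01
// mov ebx,eax
// 29 = opcode byte of the following sub [esi+00000484],ebx
define(step3NewBytes, BB 88 13 00 00 89)
// mov ebx,00001388 // mov ebx,(int)5000
// 89 = opcode byte of mov [esi+00000484],ebx - the sub's modrm/disp bytes that
// follow the patch are reused, so 5000 is stored instead of subtracted
// D9 9E 94 04 00 00 = fstp dword ptr [esi+00000494]
define(step4Bytes, D9 9E 94 04 00 00)
// 89 10 = mov [eax],edx
define(step5Bytes, 89 10)
// 89 02 = mov [edx],eax
define(step6Bytes, 89 02)
define(step7OldBytes, 83 AB 78 04 00 00 01)
// sub dword ptr [ebx+00000478],01
define(step7NewBytes, 83 83 78 04 00 00 02)
// add dword ptr [ebx+00000478],02
// A1 60 C6 5F 00 = mov eax,[005FC660] ; NOTE(review): not referenced anywhere in this script
define(bytes, A1 60 C6 5F 00)
// 89 42 18 = mov [edx+18],eax ; 8B 45 DC = mov eax,[ebp-24]
define(step8WrtBytes, 89 42 18 8B 45 DC)
// 8B 45 FC = mov eax,[ebp-04] ; 89 43 04 = mov [ebx+04],eax
define(step9Bytes, 8B 45 FC 89 43 04)
////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
////
//// step 2: hook the store of the new value and force it to 1000
aobScanModule(aobStep2Hook, Tutorial-i386.exe, 8Dxxxx8Bxxxxxxxxxx29xx89xxxxxxxxxx8DxxxxE8xxxxxxxx8Bxxxx8BxxxxxxxxxxE8xxxxxxxx83xxxxxxxxxxxx)
// injection point is 0xB bytes into the match
define(injStep2Hook, aobStep2Hook+B)
assert(injStep2Hook, step2Bytes)
registerSymbol(injStep2Hook)
// cave near the injection point (third argument = preferred address)
alloc(memStep2Hook, 0x400, injStep2Hook)
label(ptrStep2Hook)
registerSymbol(ptrStep2Hook)
label(step2n_code)
label(step2o_code)
label(step2exit)
label(step2return)
memStep2Hook:
ptrStep2Hook:
dd 0
// pad to a 16-byte boundary with int3 (CC)
align 10 CC
step2n_code:
// save the object base for the table, override eax, then run the original store
mov [ptrStep2Hook],ebx
mov eax,(int)1000
step2o_code:
mov [ebx+00000480],eax
step2exit:
jmp step2return
////
//// ---------- Injection Point ----------
injStep2Hook:
// 5-byte jmp + 1 nop replaces the 6-byte store
jmp step2n_code
nop
step2return:
////
//// step 3: in-place patch, same length as the original (see step3NewBytes)
aobScanModule(aobStep3Hook, Tutorial-i386.exe, 83xxxx89xx29xxxxxxxxxx8Bxxxxxxxxxx8Dxxxxxxxxxx8BxxxxxxxxxxE8xxxxxxxx83xxxxxxxxxxxx)
define(injStep3Hook, aobStep3Hook)
assert(injStep3Hook, step3OldBytes)
registerSymbol(injStep3Hook)
////
//// ---------- Injection Point ----------
injStep3Hook:
db step3NewBytes
////
//// step 4: hook the float store and write both the float and the double field
aobScanModule(aobStep4Hook, Tutorial-i386.exe, DBxxxxDBxxxxxxxxD9xxxxD9xxxxD8xxxxxxxxxxD9xxxxxxxxxxFFxxxxxxxxxx8DxxxxxxB9xxxxxxxxBAxxxxxxxxB8xxxxxxxx)
define(injStep4Hook, aobStep4Hook+14)
assert(injStep4Hook, step4Bytes)
registerSymbol(injStep4Hook)
alloc(memStep4Hook, 0x400, injStep4Hook)
label(ptrStep4Hook)
registerSymbol(ptrStep4Hook)
label(step4n_code)
label(step4o_code)
label(step4exit)
label(step4return)
memStep4Hook:
// 5000.0 as a double, loaded below
dq (double)5000
align 10 CC
ptrStep4Hook:
dd 0
align 10 CC
step4n_code:
mov [ptrStep4Hook],esi
// pop the value the game was about to store, replacing the original fstp
fstp st(0)
// (float) gives a 4-byte immediate, so this is a dword store of 5000.0
mov [esi+494],(float)5000
// copy the double constant into the next field
// NOTE(review): +498 is not covered by the assert above - presumably this
// step's double value; confirm against the tutorial build
fld qword ptr [memStep4Hook]
fstp qword ptr [esi+498]
step4o_code:
// fstp dword ptr [esi+00000494]   (original, intentionally not re-executed)
step4exit:
jmp step4return
////
//// ---------- Injection Point ----------
injStep4Hook:
// 5-byte jmp + 1 nop replaces the 6-byte fstp
jmp step4n_code
nop
step4return:
////
//// step 5 and step 6: the stores are nop'ed out in place (89 10 / 89 02 -> 90 90)
aobScanModule(aobStep5Hook, Tutorial-i386.exe, 8Bxxxx8Bxxxxxxxxxx8Bxxxx89xx8Bxxxx8Bxxxxxxxxxx8Bxx3Bxxxx)
define(injStep5Hook, aobStep5Hook+C)
assert(injStep5Hook, step5Bytes)
registerSymbol(injStep5Hook)
////
//// ---------- Injection Point ----------
injStep5Hook:
db 90 90
aobScanModule(aobStep6Hook, Tutorial-i386.exe, 8Bxxxx3Bxxxx74xxEBxx8Bxxxxxxxxxx8Bxxxx89xxA1xxxxxxxx8Bxx3Bxxxx)
define(injStep6Hook, aobStep6Hook+13)
assert(injStep6Hook, step6Bytes)
registerSymbol(injStep6Hook)
////
//// ---------- Injection Point ----------
injStep6Hook:
db 90 90
////
//// step 7: sub 1 -> add 2, same length, in place
aobScanModule(aobStep7Hook, Tutorial-i386.exe, 8Bxxxxxxxxxx83xxxxxxxxxxxx8Bxxxxxxxxxx8DxxxxE8xxxxxxxx8Bxxxx8BxxxxxxxxxxE8xxxxxxxx8Bxxxxxxxxxx)
define(injStep7Hook, aobStep7Hook+6)
assert(injStep7Hook, step7OldBytes)
registerSymbol(injStep7Hook)
////
//// ---------- Injection Point ----------
injStep7Hook:
db step7NewBytes
////
//// step 8: the match starts with A1 xx xx xx xx = mov eax,[addr]; +1 is the
//// 4-byte address operand, registered so the table can follow the pointer.
//// Nothing is patched here.
aobScanModule(aobStep8Hook, Tutorial-i386.exe, A1xxxxxxxx89xxxx8Bxxxx8Bxxxx8Bxx3Bxxxx74xxEBxx8Bxxxx8Bxxxx8Bxxxx3Bxxxx)
define(ptrStep8Hook, aobStep8Hook+1)
registerSymbol(ptrStep8Hook)
////
//// step 8 (write): hook the store through the pointer and write 5000 instead
aobScanModule(aobStep8WrtHook, Tutorial-i386.exe, 8Bxxxx89xxxx8Bxxxx8Bxxxx8DxxxxE8xxxxxxxx8Bxxxx8Bxxxx8Bxxxxxxxxxx)
define(injStep8WrtHook, aobStep8WrtHook+3)
assert(injStep8WrtHook, step8WrtBytes)
registerSymbol(injStep8WrtHook)
alloc(memStep8WrtHook, 0x400, injStep8WrtHook)
label(ptrStep8WrtHook)
registerSymbol(ptrStep8WrtHook)
label(step8wrtn_code)
label(step8wrto_code)
label(step8wrtexit)
label(step8wrtreturn)
memStep8WrtHook:
ptrStep8WrtHook:
dd 0
align 10 CC
step8wrtn_code:
// save the pointer and override eax; the original code reloads eax right after the store
mov [ptrStep8WrtHook],edx
mov eax,(int)5000
step8wrto_code:
mov [edx+18],eax
mov eax,[ebp-24]
step8wrtexit:
jmp step8wrtreturn
////
//// ---------- Injection Point ----------
injStep8WrtHook:
// 5-byte jmp + 1 nop replaces the 6 original bytes
jmp step8wrtn_code
nop
step8wrtreturn:
////
//// step 9: hook the value store and choose the value by the object's flag
aobScanModule(aobStep9Hook, Tutorial-i386.exe, 8Bxxxx89xxxx8Bxxxx89xxxxxxxxD9xxxxxxxxxxxxxx7Axx75xx8Bxxxx)
define(injStep9Hook, aobStep9Hook+6)
assert(injStep9Hook, step9Bytes)
registerSymbol(injStep9Hook)
alloc(memStep9Hook, 0x400, injStep9Hook)
label(ptrStep9Hook)
registerSymbol(ptrStep9Hook)
label(step9n_code)
label(step9o_code)
label(step9exit)
label(step9return)
memStep9Hook:
ptrStep9Hook:
dd 0
dd 0
align 10 CC
step9n_code:
// the cmp/jne below change flags; preserve the game's flags around them
pushfd
// save the object base for the table (was missing; mov leaves flags alone)
mov [ptrStep9Hook],ebx
// NOTE(review): no operand size given; the x64 variant of this script writes
// `cmp dword ptr [rbx+14],1` - spell the size here too so the encoding is explicit
// NOTE(review): [ebx+10] is presumably a team/player flag - confirm
cmp [ebx+10],1
jne @f
// flag == 1: store 5000.0, otherwise store 0 (the original load is skipped)
mov eax,(float)5000
jmp step9o_code
@@:
mov eax,0
step9o_code:
// mov eax,[ebp-04]   (original, replaced by the value chosen above)
mov [ebx+04],eax
step9exit:
popfd
jmp step9return
////
//// ---------- Injection Point ----------
injStep9Hook:
// 5-byte jmp + 1 nop replaces the 6 original bytes
jmp step9n_code
nop
step9return:
////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
// restore every site from the *Bytes defines, drop the symbols, free the caves
////
//// ---------- Injection Point ----------
injStep2Hook:
db step2Bytes
unregisterSymbol(injStep2Hook)
unregisterSymbol(ptrStep2Hook)
dealloc(memStep2Hook)
////
//// ---------- Injection Point ----------
injStep3Hook:
db step3OldBytes
unregisterSymbol(injStep3Hook)
////
//// ---------- Injection Point ----------
injStep4Hook:
db step4Bytes
unregisterSymbol(injStep4Hook)
unregisterSymbol(ptrStep4Hook)
dealloc(memStep4Hook)
////
//// ---------- Injection Point ----------
injStep5Hook:
db step5Bytes
unregisterSymbol(injStep5Hook)
////
//// ---------- Injection Point ----------
injStep6Hook:
db step6Bytes
unregisterSymbol(injStep6Hook)
////
//// ---------- Injection Point ----------
injStep7Hook:
db step7OldBytes
unregisterSymbol(injStep7Hook)
// belongs to the step 8 pointer registered in [ENABLE]; harmless here, just misplaced
unregisterSymbol(ptrStep8Hook)
////
//// ---------- Injection Point ----------
injStep8WrtHook:
db step8WrtBytes
unregisterSymbol(injStep8WrtHook)
unregisterSymbol(ptrStep8WrtHook)
dealloc(memStep8WrtHook)
////
//// ---------- Injection Point ----------
injStep9Hook:
db step9Bytes
unregisterSymbol(injStep9Hook)
unregisterSymbol(ptrStep9Hook)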
dealloc(memStep9Hook)
This works for the x64 Tutorial versions 3.3 and 3.4:
{$STRICT}
{
Cheat Engine tutorial (64-bit build), all steps in one script.
Each hook is located with aobScanModule (xx = wildcard byte, scan limited to
the tutorial module) so the same script fits builds 3.3 and 3.4; assert() then
checks the exact bytes at the injection point before anything is written.
Caves are alloc()ed near the injection point so the 5-byte rel32 jmps and the
RIP-relative data references below stay in range; the pointer each cave saves
(ptr*Hook) is registered so table entries can use it.
}
// 29 93 90 07 00 00 = sub [rbx+00000790],edx
define(step2Bytes, 29 93 90 07 00 00)
// 67 8D 40 01 = lea eax,[eax+01] ; 89 C3 = mov ebx,eax ; 29 = opcode byte of the sub that follows
define(step3OldBytes, 67 8D 40 01 89 C3 29)
// BB 88 13 00 00 = mov ebx,00001388 (5000) ; 90 = nop ; 89 = opcode byte of a mov [..],ebx
// that reuses the sub's modrm/disp bytes left in place, so 5000 is stored instead of subtracted
define(step3NewBytes, BB 88 13 00 00 90 89)
// F3 0F 11 8E B8 07 00 00 = movss [rsi+000007B8],xmm1
define(step4Bytes, F3 0F 11 8E B8 07 00 00)
// 89 10 = mov [rax],edx
define(step5Bytes, 89 10)
// 89 02 = mov [rdx],eax
define(step6Bytes, 89 02)
define(step7OldBytes, 83 AE 80 07 00 00 01)
// sub dword ptr [rsi+00000780],01
define(step7NewBytes, 83 86 80 07 00 00 02)
// add dword ptr [rsi+00000780],02
// 48 8B 05 = opcode of mov rax,[rip+disp32]; only the opcode is asserted because
// the RIP-relative displacement differs between builds
define(step8Bytes, 48 8B 05)
// 89 42 18 = mov [rdx+18],eax ; 48 8B 45 B8 = mov rax,[rbp-48]
define(step8wrtBytes, 89 42 18 48 8B 45 B8)
// F3 0F 11 43 08 = movss [rbx+08],xmm0
define(step9Bytes, F3 0F 11 43 08)
////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
////
//// step 2: hook the sub, write 1000 instead and skip the sub
aobScanModule(aobStep2Hook, Tutorial-x86_64.exe, 67xxxxxx29xxxxxxxxxx8Bxxxxxxxxxx48xxxxxxE8xxxxxxxx48xxxxxx48xxxxxxxxxxxx)
// injection point is 4 bytes into the match
define(injStep2Hook, aobStep2Hook+4)
assert(injStep2Hook, step2Bytes)
registerSymbol(injStep2Hook)
// cave near the injection point (third argument = preferred address)
alloc(memStep2Hook, 0x400, injStep2Hook)
label(ptrStep2Hook)
registerSymbol(ptrStep2Hook)
label(step2n_code)
label(step2o_code)
label(step2exit)
label(step2return)
memStep2Hook:
ptrStep2Hook:
dq 0
// pad to a 16-byte boundary with int3 (CC)
align 10 CC
step2n_code:
// save the object base for the table, then store 1000 in place of the subtraction
mov [ptrStep2Hook],rbx
mov edx,(int)1000
mov [rbx+00000790],edx
step2o_code:
// sub [rbx+00000790],edx   (original, intentionally not re-executed)
step2exit:
jmp step2return
////
//// ---------- Injection Point ----------
injStep2Hook:
// 5-byte jmp + 1 nop replaces the 6-byte sub
jmp step2n_code
nop
step2return:
////
//// step 3: in-place patch, same length as the original (see step3NewBytes)
aobScanModule(aobStep3Hook, Tutorial-x86_64.exe, 67xxxxxx89xx29xxxxxxxxxx8Bxxxxxxxxxx67xxxxxxxxxxxx48xxxxxxxxxxxxE8xxxxxxxx83xxxxxxxxxxxx7Dxx48xxxxxxxxxxxxE8xxxxxxxxB9xxxxxxxxE8xxxxxxxx89xxxxxxxxxx)
define(injStep3Hook, aobStep3Hook)
assert(injStep3Hook, step3OldBytes)
registerSymbol(injStep3Hook)
////
//// ---------- Injection Point ----------
injStep3Hook:
db step3NewBytes
////
//// step 4: hook the float store and write both the float and the double field
aobScanModule(aobStep4Hook, Tutorial-x86_64.exe, F2xxxxxxF2xxxxxxF2xxxxxxF3xxxxxxxxxxxxxxF3xxxxxxF3xxxxxxxxxxxxxxC7xxxxxxxxxxxxxxF3xxxxxxxxxxxxxx48xxxxxx41xxxxxxxxxx41xxxxxxxxxx)
define(injStep4Hook, aobStep4Hook+18)
assert(injStep4Hook, step4Bytes)
registerSymbol(injStep4Hook)
alloc(memStep4Hook, 0x400, injStep4Hook)
label(ptrStep4Hook)
registerSymbol(ptrStep4Hook)
label(step4n_code)
label(step4o_code)
label(step4exit)
label(step4return)
memStep4Hook:
// 5000.0 as a double, loaded below
dq (double)5000
align 10 CC
ptrStep4Hook:
dq 0
align 10 CC
step4n_code:
mov [ptrStep4Hook],rsi
// (float) gives a 4-byte immediate, so this is a dword store of 5000.0
mov [rsi+7B8],(float)5000
// copy the double constant into the next field
// NOTE(review): xmm1 is clobbered and the original movss from xmm1 is skipped,
// so this assumes xmm1 is dead afterwards; +7C0 is not covered by the assert
// above - presumably this step's double value. Confirm both against the build.
movsd xmm1,[memStep4Hook]
movsd [rsi+7C0],xmm1
step4o_code:
// movss [rsi+000007B8],xmm1   (original, intentionally not re-executed)
step4exit:
jmp step4return
////
//// ---------- Injection Point ----------
injStep4Hook:
// 5-byte jmp + 3 nops replace the 8-byte movss
jmp step4n_code
nop
nop
nop
step4return:
////
//// step 5 and step 6: the stores are nop'ed out in place (89 10 / 89 02 -> 90 90)
aobScanModule(aobStep5Hook, Tutorial-x86_64.exe, 48xxxxxx48xxxxxxxxxxxx8Bxxxx89xx48xxxxxx48xxxxxxxxxxxx8Bxx3Bxxxx)
define(injStep5Hook, aobStep5Hook+E)
assert(injStep5Hook, step5Bytes)
registerSymbol(injStep5Hook)
////
//// ---------- Injection Point ----------
injStep5Hook:
db 90 90
aobScanModule(aobStep6Hook, Tutorial-x86_64.exe, 48xxxxxxxxxxxx8Bxxxx89xx48xxxxxxxxxxxx8Bxx3Bxxxx74xxEBxx48xxxxxx48xxxxxxxxxxxxBAxxxxxxxx48xxxxxx48xxxxxxxxxxxx48xxxx)
define(injStep6Hook, aobStep6Hook+A)
assert(injStep6Hook, step6Bytes)
registerSymbol(injStep6Hook)
////
//// ---------- Injection Point ----------
injStep6Hook:
db 90 90
////
//// step 7: sub 1 -> add 2, same length, in place
aobScanModule(aobStep7Hook, Tutorial-x86_64.exe, 8Bxxxxxxxxxx83xxxxxxxxxxxx8Bxxxxxxxxxx48xxxxxxE8xxxxxxxx48xxxxxx48xxxxxxxxxxxx)
define(injStep7Hook, aobStep7Hook+6)
assert(injStep7Hook, step7OldBytes)
registerSymbol(injStep7Hook)
////
//// ---------- Injection Point ----------
injStep7Hook:
db step7NewBytes
////
//// step 8: the match starts with mov rax,[rip+disp32], a pointer load. The
//// instruction is RIP-relative, so it cannot be copied into the cave as raw
//// bytes; reassemble() re-encodes it for its new location.
aobScanModule(aobStep8Hook, Tutorial-x86_64.exe, 48xxxxxxxxxxxx48xxxxxx48xxxxxx48xxxxxx8Bxx3Bxxxx74xxEBxx48xxxxxx48xxxxxx8Bxxxx3Bxxxx74xxEBxx48xxxxxx48xxxxxx8Bxxxx3Bxxxx74xxEBxx48xxxxxx48xxxxxx8Bxxxx3Bxxxx74xxEBxx48xxxxxx48xxxxxx8Bxxxx3Bxxxx74xxEBxx48xxxxxxxxxxxxE8xxxxxxxxE9xxxxxxxx48xxxxxx48xxxxxxxx74xxEBxxE9xxxxxxxx48xxxxxx48xxxxxx48xxxxxx48xxxxxx48xxxxxx8Bxx3Bxxxx)
define(injStep8Hook, aobStep8Hook)
assert(injStep8Hook, step8Bytes)
registerSymbol(injStep8Hook)
alloc(memStep8Hook, 0x400, injStep8Hook)
label(ptrStep8Hook)
registerSymbol(ptrStep8Hook)
label(instStep8Hook)
registerSymbol(instStep8Hook)
label(step8n_code)
label(step8o_code)
label(step8exit)
label(step8return)
memStep8Hook:
ptrStep8Hook:
dq 0
align 10 CC
step8n_code:
// the original pointer load, relocated into the cave (presumably read from
// injStep8Hook before the jmp below overwrites it, as the script is written as a whole)
reassemble(injStep8Hook)
// keep the loaded pointer for the table
mov [ptrStep8Hook],rax
step8o_code:
// mov rax,[1002CAA70]   (original; executed via the reassemble above)
step8exit:
jmp step8return
// relocated copy of the original instruction, kept so [DISABLE] can
// reassemble it back onto the injection point after the jmp has replaced it
instStep8Hook:
reassemble(injStep8Hook)
////
//// ---------- Injection Point ----------
injStep8Hook:
// 5-byte jmp + 2 nops replace the 7-byte mov
jmp step8n_code
nop
nop
step8return:
////
//// step 8 (write): hook the store through the pointer and write 5000 instead
aobScanModule(aobStep8WrtHook, Tutorial-x86_64.exe, B9xxxxxxxxE8xxxxxxxx48xxxxxx89xxxx48xxxxxx8Bxxxx48xxxxxxE8xxxxxxxx48xxxxxx48xxxxxx48xxxxxxxxxxxxE8xxxxxxxx48xxxxxx48xxxxxxxxxxxx48xxxxxx48xxxxxxxxxxxx48xxxxFFxxxxxxxxxxC7xxxxxxxxxxxx8Bxxxx48xxxxxxE8xxxxxxxx)
define(injStep8WrtHook, aobStep8WrtHook+E)
assert(injStep8WrtHook, step8wrtBytes)
registerSymbol(injStep8WrtHook)
alloc(memStep8WrtHook, 0x400, injStep8WrtHook)
label(ptrStep8WrtHook)
registerSymbol(ptrStep8WrtHook)
label(step8wrtn_code)
label(step8wrto_code)
label(step8wrtexit)
label(step8wrtreturn)
memStep8WrtHook:
ptrStep8WrtHook:
dq 0
align 10 CC
step8wrtn_code:
// save the pointer and override eax; the original code reloads rax right after the store
mov [ptrStep8WrtHook],rdx
mov eax,(int)5000
step8wrto_code:
mov [rdx+18],eax
mov rax,[rbp-48]
step8wrtexit:
jmp step8wrtreturn
////
//// ---------- Injection Point ----------
injStep8WrtHook:
// 5-byte jmp + 2 nops replace the 7 original bytes
jmp step8wrtn_code
nop
nop
step8wrtreturn:
////
//// step 9: hook the value store and choose the value by the object's flag
aobScanModule(aobStep9Hook, Tutorial-x86_64.exe, F3xxxxxxxxF3xxxxxxF3xxxxxxxxxxxxxx0F2Fxx7Axx72xx0F28xxF3xxxxxxxxF3xxxxxxxx0F2Fxxxxxxxxxx7Axx75xx48xxxxxx48xxxxxxxxxxxxE8xxxxxxxxEBxxF3xxxxxxxx48xxxxxxE8xxxxxxxx48xxxxxx48xxxxxx48xxxxxxxxxxxxxx)
define(injStep9Hook, aobStep9Hook+1B)
assert(injStep9Hook, step9Bytes)
registerSymbol(injStep9Hook)
alloc(memStep9Hook, 0x400, injStep9Hook)
label(ptrStep9Hook)
registerSymbol(ptrStep9Hook)
label(step9n_code)
label(step9o_code)
label(step9exit)
label(step9return)
memStep9Hook:
ptrStep9Hook:
dq 0
align 10 CC
step9n_code:
// the cmp below changes flags; preserve the game's flags around it
pushfq
mov [ptrStep9Hook],rbx
// NOTE(review): [rbx+14] is presumably a team/player flag - confirm
cmp dword ptr [rbx+14],1
jne @f
// flag == 1: store 5000.0, otherwise store 0 (the original movss is skipped)
mov dword ptr [rbx+08],(float)5000
jmp step9o_code
@@:
mov dword ptr [rbx+08],0
step9o_code:
// movss [rbx+08],xmm0   (original, intentionally not re-executed)
step9exit:
popfq
jmp step9return
////
//// ---------- Injection Point ----------
injStep9Hook:
// the 5-byte movss is replaced by the 5-byte jmp, no padding needed
jmp step9n_code
step9return:
////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
// restore every site from the *Bytes defines, drop the symbols, free the caves
////
//// ---------- Injection Point ----------
injStep2Hook:
db step2Bytes
unregisterSymbol(injStep2Hook)
unregisterSymbol(ptrStep2Hook)
dealloc(memStep2Hook)
////
//// ---------- Injection Point ----------
injStep3Hook:
db step3OldBytes
unregisterSymbol(injStep3Hook)
////
//// ---------- Injection Point ----------
injStep4Hook:
db step4Bytes
unregisterSymbol(injStep4Hook)
unregisterSymbol(ptrStep4Hook)
dealloc(memStep4Hook)
////
//// ---------- Injection Point ----------
injStep5Hook:
db step5Bytes
unregisterSymbol(injStep5Hook)
////
//// ---------- Injection Point ----------
injStep6Hook:
db step6Bytes
unregisterSymbol(injStep6Hook)
////
//// ---------- Injection Point ----------
injStep7Hook:
db step7OldBytes
unregisterSymbol(injStep7Hook)
////
//// ---------- Injection Point ----------
injStep8Hook:
// put the saved copy back, re-encoded for the original address, before the cave is freed
reassemble(instStep8Hook)
unregisterSymbol(injStep8Hook)
unregisterSymbol(ptrStep8Hook)
unregisterSymbol(instStep8Hook)
dealloc(memStep8Hook)
////
//// ---------- Injection Point ----------
injStep8WrtHook:
db step8wrtBytes
unregisterSymbol(injStep8WrtHook)
unregisterSymbol(ptrStep8WrtHook)
dealloc(memStep8WrtHook)
////
//// ---------- Injection Point ----------
injStep9Hook:
db step9Bytes
unregisterSymbol(injStep9Hook)
unregisterSymbol(ptrStep9Hook)
dealloc(memStep9Hook)
OldCheatEngineUser Whateven rank Reputation: 20
Joined: 01 Feb 2016 Posts: 1587
Posted: Sun Jan 28, 2018 6:05 pm Post subject: |
thanks for sharing tim, appreciate it.
I'll give it a try.
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Sun Jan 28, 2018 9:38 pm Post subject: |
Oh are we sharing a single script to do the entire tutorial?
Here's mine, works on everything.
[ENABLE]
{$lua}
-- CE does not clear the symbol list when attaching to a new process, so we do it
-- (onOpenProcess is CE's Lua callback for a newly opened process; the symbols
--  are registered again further down each time the script is enabled)
onOpenProcess = function(pid)
autoAssemble[[
unregisterSymbol(bypassThread)
unregisterSymbol(info)
unregisterSymbol(quit)
]]
end
{$asm}
{
Overview: instead of patching any tutorial step, run a thread inside the target
that every 100 ms looks for a child window captioned "Next" under the
foreground window and enables it. Nothing in the tutorial's code is touched.
Register names are written in 64-bit form (rax) although the author reports it
works on the 32-bit tutorial too - presumably CE assembles them as 32-bit for a
32-bit target; confirm before relying on that.
}
// 0x1000 bytes that persist across disable/enable (globalalloc is never freed)
globalalloc(bypassThread, $1000)
// run the loop below on a new thread in the target (presumably started once the script has been written)
createThread(bypassThread)
bypassThread:
// leave the thread once [DISABLE] has set quit to 1
cmp [quit], 0
je @f
ret // keeping it simple by just returning and leaking the memory
@@:
// Sleep(100) - the # prefix makes the immediate decimal
push #100
call mysleep
call getForegroundWindow
// FindWindowExA(hwndParent = foreground window, hwndChildAfter = 0,
//               lpszClass = 0, lpszWindow = "Next"); arguments are pushed
//               right-to-left, the thunk below adapts them for x64
push nextCaption
push 0
push 0
push rax
call FindWindowEx
// keep the handle for the table; no such child -> poll again
mov [info], rax
test rax,rax
jz bypassThread
// EnableWindow(hwnd, TRUE)
push 1 // true
push rax // hwnd
call myEnableWindow
jmp bypassThread
nextCaption:
db 'Next',0
{
Thunks. On a 64-bit target each lua block returns asm that pops the return
address and the stacked arguments into the Win64 argument registers
(rcx, rdx, r8, r9 in that order), pushes the return address back and
tail-jumps to the API, which then returns straight to the caller. On a 32-bit
target the lua returns nothing and the thunk is a plain jmp to the stdcall API,
which pops its own arguments.
NOTE(review): no 32-byte shadow space is reserved and rsp is not realigned to
16 before the jump, so the callee does not get an ABI-conforming frame; the
author reports no problems in practice.
}
mysleep:
{$lua}
if targetIs64Bit() then
return [[
pop rax // return address
pop rcx
push rax
]]
end
{$asm}
jmp sleep
FindWindowEx:
{$lua}
if targetIs64Bit() then return [[
pop rax // return address
pop rcx
pop rdx
pop r8
pop r9
push rax
]]
end
{$asm}
jmp FindWindowExA
myEnableWindow:
{$lua}
if targetIs64Bit() then return [[
pop rax // return address
pop rcx
pop rdx
push rax
]]
end
{$asm}
jmp EnableWindow
quit:
// 0 = keep looping; [DISABLE] writes 1 here
dd 0
info:
// last "Next" button handle found (8 bytes reserved)
resq 1
registerSymbol(info)
registerSymbol(quit)
[DISABLE]
{$lua}
-- if the process is still running then stop the thread by writing 1 to quit
-- (a string returned from a lua block is spliced into the script in its place;
--  the thread then exits through the ret at the top of its loop)
if readInteger(process) ~= nil then return 'quit:\ndd 1' end
{$asm}
// the thread addresses quit by its resolved address, so the symbols can go
unregisterSymbol(info)
unregisterSymbol(quit)
unregisterSymbol(bypassThread)
Yeah, I'm kind of cheating on the x64 code without any shadowspace but... I didn't have any issues so presumably none of those functions actually need it lol
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Mon Jan 29, 2018 12:11 am Post subject: |
So what is your code doing? All the "next" buttons were enabled, but all the values were still affected. Is it just enabling the buttons, or is it bypassing the checks? I couldn't really figure it out, but it's very clean and short.
OldCheatEngineUser Whateven rank Reputation: 20
Joined: 01 Feb 2016 Posts: 1587
Posted: Mon Jan 29, 2018 12:25 am Post subject: |
tim, your code looks great and working.
About FreeER's script: it is just enabling the button, similar in spirit to the assembly: mov dl, 01
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Mon Jan 29, 2018 12:51 am Post subject: |
Yeah, the caption label set to "Next", had me thinking that. But it's an interesting approach, never even thought about it. I think this punts the box I was in, right out the window. I say PROPs @FreeER, PROPs.
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Mon Jan 29, 2018 6:45 am Post subject: |
Yep, it just enables the "Next" button. Which is really the goal of the "game"
With the windows API it should be the same for every OS version and architecture (x86/x64) as long as the Next button stays a child of the main window (with the same caption of course), though it may turn out that the shadowspace is required for some combination (unlikely but).
I managed to get that working in a C/CPP program: after finding the dissect-windows feature one day and wondering if I could use it to enable the button automatically, I did some work in C to try to find the tutorial window automatically, but it only worked if the tutorial had just been opened, since it was based on the window caption, which is different for each step. When I saw this thread and decided to make it a single AA script, I decided instead to just check whether the foreground window has a child window with the caption "Next", so that it works at any point and without the need for a callback from Windows like EnumWindows does.
Part of the reason I shared it is that it does indeed account for everything, but it also uses several features (createThread, lua, globalalloc, "Win API" which isn't a feature but also isn't something you see too often in hacks, etc.) and achieves the result in such a drastically different way from what people often expect (actually changing the value as intended or changing the checks to pass) which I enjoy
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Mon Jan 29, 2018 8:45 am Post subject: |
FreeER wrote: | ... achieves the result in such a drastically different way from what people often expect (actually changing the value as intended or changing the checks to pass) which I enjoy |
I think this definitely shows there are many ways to reach a goal, which is one of the hardest things to teach about CE, or anything in life really. And like you said, when using CE all that matters is that you reach your goal and get the desired effect.
I have to admit a small part of me was like "no way, he cheated". Then it's like, how do you cheat at cheating? In the end I don't think anyone can. I think I just wish I had come up with that, but such is life. And in the end I'm just fascinated by the approach more than anything.
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Mon Jan 29, 2018 9:03 am Post subject: |
Yeah, it can be difficult to explain that there are multiple approaches, especially when the tutorial asks for very specific settings to pass.
And yeah, I can totally understand the "that's cheating" feeling, and in a way it could be, in the sense that it doesn't solve each step any more than clicking the skip button does. For the most part what each task is doesn't matter, what the values are doesn't matter, how many sub-tasks there are doesn't matter, changing addresses don't matter, etc.; the code itself does not matter with this approach. That could easily be considered cheating if you assumed that you were supposed to "beat" each challenge in some way that demonstrates something new (which is the point of the tutorial: introducing new concepts one step at a time).
Unfortunately games do not use Windows' own window controls, so this is never directly usable with any of them (there may be very rare exceptions).
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Mon Jan 29, 2018 9:15 am Post subject: |
Yeah, I liked it; I would have given +Rep, but you were the last person I gave +Rep to. It just sucks when you figure out you were thinking in a box that got booted out the window, and you can't even figure out why you were in the box to begin with.
OldCheatEngineUser Whateven rank Reputation: 20
Joined: 01 Feb 2016 Posts: 1587
Posted: Tue Jan 30, 2018 2:10 pm Post subject: |
update:
- 64 bit version added