Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Auto assembler scripts in trainers
Goto page 1, 2  Next
 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Tutorials -> Auto Assembler tutorials
View previous topic :: View next topic  
Author Message
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Wed Dec 07, 2005 10:56 pm    Post subject: Auto assembler scripts in trainers Reply with quote

I am assuming you have read http://forum.cheatengine.org/viewtopic.php?t=4868 and understand it (most of it)

If you want to make a trainer using auto assembler scripts it's quite easy.
Just have a table with a auto assembler script and add it to your trainer. When selecting a auto assembler script your options will be limited to only enable and disable, but you can combine it with other cheats

here is a table and a resulting trainer

infinite balls script:
Code:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough

label(returnhere)
label(originalcode)
label(exit)

Pinball.exe+175b7:
jmp newmem
nop
returnhere:

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:
mov [esi+00000146],3

exit:
jmp returnhere
 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)


Pinball.exe+175b7:
mov [esi+00000146],eax



The Extension 'zip' was deactivated by an board admin, therefore this Attachment is not displayed.


pinballassemblereasy.CT
 Description:

Download
 Filename:  pinballassemblereasy.CT
 Filesize:  617 Bytes
 Downloaded:  3706 Time(s)


_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping


Last edited by Dark Byte on Thu Dec 08, 2005 12:20 am; edited 1 time in total
Back to top
View user's profile Send private message MSN Messenger
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Wed Dec 07, 2005 11:53 pm    Post subject: Reply with quote

In this tutorial I am assuming you uderstand the above tutorial, and http://forum.cheatengine.org/viewtopic.php?t=4869

Also, if you downloaded Cheat Engine 5.2 before the date this was posted I recommend redownloading it. (fixes a delayed update of the userdefined symbol, and the problem of never deallocating memory in scripts)

You know how to make a trainer with auto assembler scripts, but you want to let your users fill in values for certain stuff. In that case registersymbol is usefull.

I have manipulated the script in http://forum.cheatengine.org/viewtopic.php?t=4869 to do something more usefull:
Code:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
registersymbol(ballsiwant) //add "ballsiwant" to the userdefined symbollist

alloc(newmem,2048) //2kb should be enough
alloc(ballsiwant,4)


label(returnhere)
label(originalcode)
label(exit)

ballsiwant:
db 3  //initialize this var to 3

Pinball.exe+175b7:
jmp newmem
nop
returnhere:

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
mov eax,[ballsiwant] //plase in eax the value of ballsiwant

originalcode:
mov [esi+00000146],eax

exit:
jmp returnhere
 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
unregistersymbol(ballsiwant)
dealloc(newmem)
dealloc(ballsiwant)

Pinball.exe+175b7:
mov [esi+00000146],eax


as you see I have created a variable called "ballsiwant" that gets the default value of 3 (in case you forget to update your symbol list, or the trainer has some delay problem, shouldn't be possible though, but just to be safe)

I have created a cheat table with 2 items, the auto assembler script, and the entry with as address "ballsiwant"
now create the table, first add the infinite balls script as a cheat, and IN THE SAME CHEAT , add the "ballsiwant" address, setit to only set a value, and allow user input

give it a hotkey, description etc....
and create the rest of the trainer, e.g usedefined window, images, icons, etc....

when done and you've created the trainer you should be able to use it and fill in how many balls you want to get when you lose a ball. (it is infinite, but you could probably add som code so it only executes it once after setting the balls...)



pinballwithuserdefinedballs.CT
 Description:

Download
 Filename:  pinballwithuserdefinedballs.CT
 Filesize:  948 Bytes
 Downloaded:  3294 Time(s)


_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
Bepetemish
Grandmaster Cheater
Reputation: 0

Joined: 12 Apr 2006
Posts: 564
Location: The Netherlands, GreenMile

PostPosted: Thu Apr 20, 2006 12:31 pm    Post subject: !! Reply with quote

Exclamation Exclamation OHHHHHHHHH the site admin makes a dubble post Twisted Evil Twisted Evil
_________________
CE Forum is so much fun ;D
Back to top
View user's profile Send private message
cparty
Expert Cheater
Reputation: 0

Joined: 01 Dec 2005
Posts: 219

PostPosted: Thu Apr 20, 2006 12:49 pm    Post subject: Re: !! Reply with quote

Bepetemish wrote:
Exclamation Exclamation OHHHHHHHHH the site admin makes a dubble post Twisted Evil Twisted Evil

Actually, if you would have read and understood the two posts you'd have recognized that its 2 different posts, the later being a refinement of the first one.
Back to top
View user's profile Send private message
Bepetemish
Grandmaster Cheater
Reputation: 0

Joined: 12 Apr 2006
Posts: 564
Location: The Netherlands, GreenMile

PostPosted: Thu Apr 20, 2006 12:50 pm    Post subject: .. Reply with quote

hahaha ok.. i didnt took time to read the posts Laughing
_________________
CE Forum is so much fun ;D
Back to top
View user's profile Send private message
Xblade Of Heaven
Master Cheater
Reputation: 0

Joined: 16 Oct 2005
Posts: 394
Location: DEAD

PostPosted: Wed May 10, 2006 4:07 am    Post subject: Reply with quote

I do not understand that it is this Pinball.exe+175b7, you can explain to find like the correct value in other games?, thank you
_________________
Welcome to the Hell.
Back to top
View user's profile Send private message AIM Address Yahoo Messenger MSN Messenger
N-Y-M
Master Cheater
Reputation: 0

Joined: 13 Jul 2006
Posts: 475
Location: Emergency

PostPosted: Mon Aug 21, 2006 11:35 am    Post subject: Re: Auto assembler scripts in trainers Reply with quote

I was quite confused with the script, could you explain these for me?

Code:
Pinball.exe+175b7:
jmp newmem
nop
returnhere:

what is the rationale of putting "nop" and "return here:"? can i remove them?

Code:
exit:
jmp returnhere

so this function is not being executed in the script?

EDIT:
another question, do we need to jmp back to execute the remaining function?

thanks.

_________________

---| Powered by Dark Byte |---
Back to top
View user's profile Send private message Yahoo Messenger MSN Messenger
linosal
Grandmaster Cheater
Reputation: 1

Joined: 27 Jun 2006
Posts: 821
Location: http://www.thedarkalliance.org

PostPosted: Mon Aug 21, 2006 1:15 pm    Post subject: Re: Auto assembler scripts in trainers Reply with quote

N-Y-M wrote:
I was quite confused with the script, could you explain these for me?

what is the rationale of putting "nop" and "return here:"? can i remove them?

NOP is a filler code, does nothing except keep the bytes in sync.

N-Y-M wrote:
Code:
exit:
jmp returnhere

so this function is not being executed in the script?

This function is exected, the jump calls newmem, after newmem runs it goes to originalcode, then exit.


N-Y-M wrote:
EDIT:
another question, do we need to jmp back to execute the remaining function?

thanks.


once it reaches exit it returns to "returnhere"

returnhere is just a pointer to an address underneath the original pinball.exe address

_________________
http://www.thedarkalliance.org
Thank you for visiting!
Back to top
View user's profile Send private message Visit poster's website MSN Messenger
N-Y-M
Master Cheater
Reputation: 0

Joined: 13 Jul 2006
Posts: 475
Location: Emergency

PostPosted: Mon Aug 21, 2006 5:06 pm    Post subject: Reply with quote

1. the exit function is to make the script loop to freeze the ball value?
2. newmem is followed by originalcode, so should we put a "jmp exit' before originalcode?

_________________

---| Powered by Dark Byte |---
Back to top
View user's profile Send private message Yahoo Messenger MSN Messenger
ParoXsitiC
Newbie cheater
Reputation: 0

Joined: 22 Aug 2006
Posts: 10

PostPosted: Tue Aug 22, 2006 11:29 pm    Post subject: Reply with quote

It is my understanding that nothing ever gets NOP'd because it returns after the NOP. I am led to believe a NOP here wouldn't matter since 3 would replace 3, 2, 1 easily without having to NOP it. I still don't know about NOPPING tho.

Anyways I simplified the code a little, got rid of some labels that helped confused a few things.


Enabled code:

Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)

Pinball.exe+175b7:
jmp newmema
returnhere:

newmem:
mov eax,3
mov [esi+00000146],eax
jmp returnhere


Disable code:
Code:
[DISABLE]
dealloc(newmem)

Pinball.exe+175b7:
mov [esi+00000146],eax

----------------------------------------------------
Normally when you want to return something you would use the RET command, but you are not suppose to use RET commands in a code cave/allocated memory to my understanding.

Instead we use a returnhere label. What could also be done to my understanding is that you could just JMP to the normal game routine. This means the line directly under the code we are replacing in the disassembler. Given that the code we are replacing is 010175B7 the line under it is 010175BD. so 10175BD is the next normal game routine

Code would look like this:
Code:

[ENABLE]
alloc(newmem,2048)

Pinball.exe+175b7:
jmp newmem

newmem:
mov eax,3
mov [esi+00000146],eax
jmp 10175BD
 





Pinball.exe+175b7 refers to the address of the opcode, in this case 010175B7



and Finally, Instead of making allocating memory, you could just found a code cave using CE's code cave finder. Make sure the code cave is in the green memory, as others I’ve tried don't work. A code cave I've found was 102E226.





Code:
[ENABLE]

10175b7:
jmp 102E226

102E226:
mov eax,3
mov [esi+00000146],eax
jmp 10175bd
 
 
[DISABLE]

10175b7:
mov [esi+00000146],eax






Here is the above code in T-Search form using easywriter:

Patch:


Code:
offset 0x10175b7
jmp 0x102E226

offset 0x102E226
mov eax,0x3
mov [esi+0x146],eax
jmp 0x10175bd


Unpatch:

Code:
offset 0x10175b7
mov [esi+0x146],eax


Disclaimer: I am very new to this and only trying to help out from what I've came to understand. Please understand if any of this information is false and please correct me if I am incorrect.
Back to top
View user's profile Send private message AIM Address
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Wed Aug 23, 2006 1:48 am    Post subject: Reply with quote

That nop is required because the instruction(s) being overwritten with the jmp are combined longer than 6 bytes (mov [esi+00000146],eax is 6 bytes, the jmp 5)

if you don't nop the last byte after the jmp, and just jump to there, you will be executing garbage, and a high chance the game crashes, or acts weird

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
N-Y-M
Master Cheater
Reputation: 0

Joined: 13 Jul 2006
Posts: 475
Location: Emergency

PostPosted: Wed Aug 23, 2006 2:34 am    Post subject: Reply with quote

@Dark Byte
usually we need to jmp back to normal game routine, right? but i don't see any jmp after newmem...can you explain a bit?

_________________

---| Powered by Dark Byte |---
Back to top
View user's profile Send private message Yahoo Messenger MSN Messenger
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Wed Aug 23, 2006 2:51 am    Post subject: Reply with quote

it does have a jump back to the original code
returnhere is a label that gets the address after the nop instruction
So "jmp returnhere" jumps to the original gamecode

//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough

label(returnhere)
label(originalcode)
label(exit)

Pinball.exe+175b7:
jmp newmem
nop
returnhere:

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:
mov [esi+00000146],3

exit:
jmp returnhere

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
N-Y-M
Master Cheater
Reputation: 0

Joined: 13 Jul 2006
Posts: 475
Location: Emergency

PostPosted: Wed Aug 23, 2006 3:11 am    Post subject: Reply with quote

it is very clear and i guess i could make my own script now, thanks! Laughing
_________________

---| Powered by Dark Byte |---
Back to top
View user's profile Send private message Yahoo Messenger MSN Messenger
ParoXsitiC
Newbie cheater
Reputation: 0

Joined: 22 Aug 2006
Posts: 10

PostPosted: Wed Aug 23, 2006 10:52 am    Post subject: Reply with quote

Dark Byte wrote:
That nop is required because the instruction(s) being overwritten with the jmp are combined longer than 6 bytes (mov [esi+00000146],eax is 6 bytes, the jmp 5)

if you don't nop the last byte after the jmp, and just jump to there, you will be executing garbage, and a high chance the game crashes, or acts weird


I understand. Are all mov's 6 bytes? or can you explain why this mov is 6 bytes. Also, are all jmp's 5 bytes?

What I get from this post is that before hand the orignal code used 6 bytes, we replaced that with 5 bytes, but there was a byte left over so we NOP it to balanace things.

I see orignally I thought jmp commands were like GOTO statements in the code, and the newmem: was just a way of organizing. I think I understand now that when you have [address]: it writes to that address, much like offset in T-search.

When I saw:
Code:
Pinball.exe+175b7:
jmp newmem
nop
returnhere:


I thought it was JMPing to the newmem part of the code, but it is actually writing a JMP command to the newmem address in the the Pinball.exe+175b7 address (10175B7) and then NOPing.

What is confusing is how returnhere gets the games next routine address simply by just saying returnhere:

What are the addresses for the orignalcode: and exit: labels?
Back to top
View user's profile Send private message AIM Address
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Tutorials -> Auto Assembler tutorials All times are GMT - 6 Hours
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites