Cheat Engine The Official Site of Cheat Engine
Dark Byte (Site Admin, Reputation: 458, Joined: 09 May 2003, Posts: 25296, Location: The Netherlands)
Posted: Wed Dec 07, 2005 10:56 pm
Post subject: Auto assembler scripts in trainers
I am assuming you have read http://forum.cheatengine.org/viewtopic.php?t=4868 and understand it (most of it).
If you want to make a trainer using auto assembler scripts, it's quite easy.
Just have a table with an auto assembler script and add it to your trainer. When selecting an auto assembler script your options will be limited to only enable and disable, but you can combine it with other cheats.
Here is a table and the resulting trainer.
Infinite balls script:
Code:
    [ENABLE]
    //code from here to '[DISABLE]' will be used to enable the cheat
    alloc(newmem,2048) //2kb should be enough
    label(returnhere)
    label(originalcode)
    label(exit)
    Pinball.exe+175b7:
    jmp newmem
    nop
    returnhere:
    newmem: //this is allocated memory, you have read,write,execute access
    //place your code here
    originalcode:
    mov [esi+00000146],3
    exit:
    jmp returnhere
    [DISABLE]
    //code from here till the end of the code will be used to disable the cheat
    dealloc(newmem)
    Pinball.exe+175b7:
    mov [esi+00000146],eax
Attachment: pinballassemblereasy.CT (617 Bytes, downloaded 3728 times)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.
Last edited by Dark Byte on Thu Dec 08, 2005 12:20 am; edited 1 time in total
Dark Byte (Site Admin, Reputation: 458, Joined: 09 May 2003, Posts: 25296, Location: The Netherlands)
Posted: Wed Dec 07, 2005 11:53 pm
In this tutorial I am assuming you understand the above tutorial, and http://forum.cheatengine.org/viewtopic.php?t=4869
Also, if you downloaded Cheat Engine 5.2 before the date this was posted I recommend redownloading it. (Fixes a delayed update of the userdefined symbol, and the problem of never deallocating memory in scripts.)
You know how to make a trainer with auto assembler scripts, but you want to let your users fill in values for certain stuff. In that case registersymbol is useful.
I have manipulated the script in http://forum.cheatengine.org/viewtopic.php?t=4869 to do something more useful:
Code:
    [ENABLE]
    //code from here to '[DISABLE]' will be used to enable the cheat
    registersymbol(ballsiwant) //add "ballsiwant" to the userdefined symbollist
    alloc(newmem,2048) //2kb should be enough
    alloc(ballsiwant,4)
    label(returnhere)
    label(originalcode)
    label(exit)
    ballsiwant:
    dd 3 //initialize this var to 3 (dd = 4-byte dword, the size that mov eax,[ballsiwant] reads)
    Pinball.exe+175b7:
    jmp newmem
    nop
    returnhere:
    newmem: //this is allocated memory, you have read,write,execute access
    //place your code here
    mov eax,[ballsiwant] //place in eax the value of ballsiwant
    originalcode:
    mov [esi+00000146],eax
    exit:
    jmp returnhere
    [DISABLE]
    //code from here till the end of the code will be used to disable the cheat
    unregistersymbol(ballsiwant)
    dealloc(newmem)
    dealloc(ballsiwant)
    Pinball.exe+175b7:
    mov [esi+00000146],eax
As you see I have created a variable called "ballsiwant" that gets the default value of 3 (in case you forget to update your symbol list, or the trainer has some delay problem; shouldn't be possible though, but just to be safe).
I have created a cheat table with 2 items: the auto assembler script, and the entry with "ballsiwant" as address.
Now create the table: first add the infinite balls script as a cheat, and IN THE SAME CHEAT add the "ballsiwant" address, set it to only set a value, and allow user input.
Give it a hotkey, description etc.
And create the rest of the trainer, e.g. userdefined window, images, icons, etc.
When done and you've created the trainer you should be able to use it and fill in how many balls you want to get when you lose a ball. (It is infinite, but you could probably add some code so it only executes once after setting the balls...)
Attachment: pinballwithuserdefinedballs.CT (948 Bytes, downloaded 3319 times)
Bepetemish (Grandmaster Cheater, Reputation: 0, Joined: 12 Apr 2006, Posts: 564, Location: The Netherlands, GreenMile)
cparty (Expert Cheater, Reputation: 0, Joined: 01 Dec 2005, Posts: 219)
Posted: Thu Apr 20, 2006 12:49 pm
Post subject: Re: !!
Bepetemish wrote:
    OHHHHHHHHH the site admin makes a double post
Actually, if you had read and understood the two posts you'd have recognized that they're 2 different posts, the latter being a refinement of the first one.
Bepetemish (Grandmaster Cheater, Reputation: 0, Joined: 12 Apr 2006, Posts: 564, Location: The Netherlands, GreenMile)
Xblade Of Heaven (Master Cheater, Reputation: 0, Joined: 16 Oct 2005, Posts: 394, Location: DEAD)
Posted: Wed May 10, 2006 4:07 am
I do not understand what this Pinball.exe+175b7 is. Can you explain how to find the correct value in other games? Thank you.
_________________
Welcome to the Hell.
N-Y-M (Master Cheater, Reputation: 0, Joined: 13 Jul 2006, Posts: 475, Location: Emergency)
Posted: Mon Aug 21, 2006 11:35 am
Post subject: Re: Auto assembler scripts in trainers
I was quite confused with the script, could you explain these for me?
Code:
    Pinball.exe+175b7:
    jmp newmem
    nop
    returnhere:
What is the rationale of putting "nop" and "returnhere:"? Can I remove them?
Code:
    exit:
    jmp returnhere
So this function is not being executed in the script?
EDIT:
Another question, do we need to jmp back to execute the remaining function?
Thanks.
linosal (Grandmaster Cheater, Reputation: 1, Joined: 27 Jun 2006, Posts: 821, Location: http://www.thedarkalliance.org)
Posted: Mon Aug 21, 2006 1:15 pm
Post subject: Re: Auto assembler scripts in trainers
N-Y-M wrote:
    I was quite confused with the script, could you explain these for me?
    What is the rationale of putting "nop" and "returnhere:"? Can I remove them?
NOP is filler code; it does nothing except keep the bytes in sync.
N-Y-M wrote:
    Code:
        exit:
        jmp returnhere
    So this function is not being executed in the script?
This function is executed: the jump calls newmem, after newmem runs it goes to originalcode, then exit.
N-Y-M wrote:
    EDIT:
    Another question, do we need to jmp back to execute the remaining function?
    Thanks.
Once it reaches exit it returns to "returnhere".
returnhere is just a pointer to an address underneath the original pinball.exe address.
N-Y-M (Master Cheater, Reputation: 0, Joined: 13 Jul 2006, Posts: 475, Location: Emergency)
Posted: Mon Aug 21, 2006 5:06 pm
1. The exit function is to make the script loop to freeze the ball value?
2. newmem is followed by originalcode, so should we put a "jmp exit" before originalcode?
ParoXsitiC (Newbie cheater, Reputation: 0, Joined: 22 Aug 2006, Posts: 10)
Posted: Tue Aug 22, 2006 11:29 pm
It is my understanding that nothing ever gets NOP'd because it returns after the NOP. I am led to believe a NOP here wouldn't matter since 3 would replace 3, 2, 1 easily without having to NOP it. I still don't know about NOPping though.
Anyway, I simplified the code a little and got rid of some labels that helped confuse a few things.
Enabled code:
Code:
    [ENABLE]
    alloc(newmem,2048)
    label(returnhere)
    Pinball.exe+175b7:
    jmp newmem
    returnhere:
    newmem:
    mov eax,3
    mov [esi+00000146],eax
    jmp returnhere
Disable code:
Code:
    [DISABLE]
    dealloc(newmem)
    Pinball.exe+175b7:
    mov [esi+00000146],eax
----------------------------------------------------
Normally when you want to return something you would use the RET command, but you are not supposed to use RET commands in a code cave/allocated memory, to my understanding.
Instead we use a returnhere label. What could also be done, to my understanding, is that you could just JMP to the normal game routine. This means the line directly under the code we are replacing in the disassembler. Given that the code we are replacing is at 010175B7, the line under it is 010175BD, so 10175BD is the next normal game routine.
Code would look like this:
Code:
    [ENABLE]
    alloc(newmem,2048)
    Pinball.exe+175b7:
    jmp newmem
    newmem:
    mov eax,3
    mov [esi+00000146],eax
    jmp 10175BD
Pinball.exe+175b7 refers to the address of the opcode, in this case 010175B7.
And finally, instead of allocating memory, you could just find a code cave using CE's code cave finder. Make sure the code cave is in the green memory, as others I've tried don't work. A code cave I've found was 102E226.
Code:
    [ENABLE]
    10175b7:
    jmp 102E226
    102E226:
    mov eax,3
    mov [esi+00000146],eax
    jmp 10175bd
    [DISABLE]
    10175b7:
    mov [esi+00000146],eax
Here is the above code in T-Search form using easywriter:
Patch:
Code:
    offset 0x10175b7
    jmp 0x102E226
    offset 0x102E226
    mov eax,0x3
    mov [esi+0x146],eax
    jmp 0x10175bd
Unpatch:
Code:
    offset 0x10175b7
    mov [esi+0x146],eax
Disclaimer: I am very new to this and am only trying to help out from what I've come to understand. Please understand if any of this information is false, and please correct me if I am incorrect.
Dark Byte (Site Admin, Reputation: 458, Joined: 09 May 2003, Posts: 25296, Location: The Netherlands)
Posted: Wed Aug 23, 2006 1:48 am
That nop is required because the instruction(s) being overwritten with the jmp are combined longer than 6 bytes (mov [esi+00000146],eax is 6 bytes, the jmp 5).
If you don't nop the last byte after the jmp and just jump to there, you will be executing garbage, with a high chance the game crashes or acts weird.
N-Y-M (Master Cheater, Reputation: 0, Joined: 13 Jul 2006, Posts: 475, Location: Emergency)
Posted: Wed Aug 23, 2006 2:34 am
@Dark Byte
Usually we need to jmp back to the normal game routine, right? But I don't see any jmp after newmem... can you explain a bit?
Dark Byte (Site Admin, Reputation: 458, Joined: 09 May 2003, Posts: 25296, Location: The Netherlands)
Posted: Wed Aug 23, 2006 2:51 am
It does have a jump back to the original code.
returnhere is a label that gets the address after the nop instruction.
So "jmp returnhere" jumps to the original game code.
Code:
    //code from here to '[DISABLE]' will be used to enable the cheat
    alloc(newmem,2048) //2kb should be enough
    label(returnhere)
    label(originalcode)
    label(exit)
    Pinball.exe+175b7:
    jmp newmem
    nop
    returnhere:
    newmem: //this is allocated memory, you have read,write,execute access
    //place your code here
    originalcode:
    mov [esi+00000146],3
    exit:
    jmp returnhere
N-Y-M (Master Cheater, Reputation: 0, Joined: 13 Jul 2006, Posts: 475, Location: Emergency)
Posted: Wed Aug 23, 2006 3:11 am
It is very clear and I guess I could make my own script now, thanks!
ParoXsitiC (Newbie cheater, Reputation: 0, Joined: 22 Aug 2006, Posts: 10)
Posted: Wed Aug 23, 2006 10:52 am
Dark Byte wrote:
    That nop is required because the instruction(s) being overwritten with the jmp are combined longer than 6 bytes (mov [esi+00000146],eax is 6 bytes, the jmp 5).
    If you don't nop the last byte after the jmp and just jump to there, you will be executing garbage, with a high chance the game crashes or acts weird.
I understand. Are all movs 6 bytes? Or can you explain why this mov is 6 bytes. Also, are all jmps 5 bytes?
What I get from this post is that beforehand the original code used 6 bytes, we replaced that with 5 bytes, but there was a byte left over so we NOP it to balance things.
I see. Originally I thought jmp commands were like GOTO statements in the code, and the newmem: was just a way of organizing. I think I understand now that when you have [address]: it writes to that address, much like offset in T-Search.
When I saw:
Code:
    Pinball.exe+175b7:
    jmp newmem
    nop
    returnhere:
I thought it was JMPing to the newmem part of the code, but it is actually writing a JMP command to the newmem address at the Pinball.exe+175b7 address (10175B7) and then NOPing.
What is confusing is how returnhere gets the game's next routine address simply by just saying returnhere:
What are the addresses for the originalcode: and exit: labels?
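To put concrete bytes on the points argued across this thread (the 6-byte mov versus the 5-byte jmp and the nop that pads the difference, how "jmp returnhere" and ParoXsitiC's explicit "jmp 10175BD" end up at the same address, and the "mov eax,[ballsiwant]" variant from Dark Byte's second script), here is an added example in C. It is not part of the thread and not Cheat Engine's code: it assembles the hook-site bytes and the cave body the way the scripts make CE write them, and resolves the relative jumps both ways. It assumes 32-bit x86 and the addresses used in the thread (hook at Pinball.exe+175b7 = 0x010175B7, cave at 0x0102E226); the function names are my own, and the 0x0102E300 used for the ballsiwant cell in main() is a made-up address standing in for whatever alloc() returns.

```c
/* Added example: x86-32 detour bytes for the Pinball hook discussed in the thread.
 * Not Cheat Engine's code; addresses are the thread's, function names are mine. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define JMP_REL32_LEN 5      /* E9 rel32 */
#define NOP           0x90

/* 89 86 46 01 00 00 = mov [esi+00000146],eax
 * 89 /r: mov r/m32,r32; ModRM 0x86 = mod 10 (disp32), reg 000 (eax), rm 110 (esi); disp32 = 0x146.
 * Six bytes, which is why a 5-byte jmp over it leaves one byte to pad. */
static const uint8_t ORIGINAL_MOV[6] = { 0x89, 0x86, 0x46, 0x01, 0x00, 0x00 };

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* E9 rel32: the displacement is measured from the END of the 5-byte jmp.
 * Unsigned wrap-around yields the two's-complement encoding for backward jumps. */
static size_t encode_jmp_rel32(uint8_t *out, uint32_t at, uint32_t to) {
    out[0] = 0xE9;
    put32(out + 1, to - (at + JMP_REL32_LEN));
    return JMP_REL32_LEN;
}

/* Inverse: where does the E9 jmp stored at address 'at' land? */
static uint32_t jmp_rel32_target(const uint8_t *jmp, uint32_t at) {
    return at + JMP_REL32_LEN + get32(jmp + 1);
}

/* Bytes written over the hook site: jmp to the cave, then a nop over every byte of
 * the stolen instruction(s) the jmp did not cover. Returns 0 if the jmp would not
 * fit, i.e. fewer than 5 bytes of whole instructions are being replaced. */
static size_t build_hook_site(uint8_t *out, uint32_t hook, uint32_t cave, size_t stolen_len) {
    if (stolen_len < JMP_REL32_LEN) return 0;
    encode_jmp_rel32(out, hook, cave);
    memset(out + JMP_REL32_LEN, NOP, stolen_len - JMP_REL32_LEN);
    return stolen_len;
}

/* "returnhere": the first byte after the stolen instruction(s). The label sits
 * right after the jmp+nop in the script, which is exactly hook + stolen_len. */
static uint32_t return_address(uint32_t hook, size_t stolen_len) {
    return hook + (uint32_t)stolen_len;
}

/* Cave body. var_addr == 0: "mov eax,3" (B8 imm32), as in ParoXsitiC's script.
 * var_addr != 0: "mov eax,[var_addr]" (A1 moffs32), the registersymbol(ballsiwant)
 * variant. Then the original mov ("originalcode:"), then "exit: jmp returnhere". */
static size_t build_cave(uint8_t *out, uint32_t cave, uint32_t hook, size_t stolen_len, uint32_t var_addr) {
    size_t n = 0;
    out[n++] = var_addr ? 0xA1 : 0xB8;
    put32(out + n, var_addr ? var_addr : 3u);
    n += 4;
    memcpy(out + n, ORIGINAL_MOV, sizeof ORIGINAL_MOV);
    n += sizeof ORIGINAL_MOV;
    n += encode_jmp_rel32(out + n, cave + (uint32_t)n, return_address(hook, stolen_len));
    return n;
}

static void dump(const char *what, uint32_t at, const uint8_t *p, size_t n) {
    printf("%-10s @ %08X:", what, at);
    for (size_t i = 0; i < n; i++) printf(" %02X", p[i]);
    printf("\n");
}

int main(void) {
    const uint32_t hook = 0x010175B7u, cave = 0x0102E226u;
    const uint32_t ballsiwant = 0x0102E300u;   /* made-up address for the user-editable cell */
    uint8_t site[8], body[32];
    size_t ns = build_hook_site(site, hook, cave, sizeof ORIGINAL_MOV);
    size_t nc = build_cave(body, cave, hook, sizeof ORIGINAL_MOV, 0);
    dump("hook site", hook, site, ns);
    dump("cave", cave, body, nc);
    printf("returnhere = %08X, cave jmp lands at %08X\n",
           return_address(hook, sizeof ORIGINAL_MOV),
           jmp_rel32_target(body + nc - JMP_REL32_LEN, cave + (uint32_t)(nc - JMP_REL32_LEN)));
    nc = build_cave(body, cave, hook, sizeof ORIGINAL_MOV, ballsiwant);
    dump("cave(var)", cave, body, nc);
    return 0;
}
```

The hook site assembles to E9 6A 6C 01 00 90: five bytes of jmp plus the nop, so returnhere (hook + 6 = 0x010175BD) is the same address ParoXsitiC's "jmp 10175BD" names explicitly. The cave's jmp back starts at 0x0102E231 and targets a lower address, so its displacement is negative and the bytes end in FE FF. For the label question in the post above: in the first script nothing is emitted between newmem: and originalcode:, so both name the first byte of the cave, and exit: is 10 bytes further on because "mov [esi+00000146],3" assembles to C7 86 46 01 00 00 03 00 00 00.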