Cheat Engine Forum - The Official Site of Cheat Engine
Help to obtain an Auto-generating table
(General Gamehacking)

GrandPa (Advanced Cheater, Reputation: 3; Joined: 09 Jul 2010; Posts: 87; Location: Italy)
Posted: Thu Sep 02, 2010 7:59 am    Post subject: Help to obtain an Auto-generating table

I built a small watching auto-assemble cheat.

The problem is that just after it writes down the addresses and their values, I have to stop it and clear the watches to continue playing, otherwise the game discovers it and freezes up due to some protection check.

The addresses and values are created (copied) at each instance of the game and the original table becomes inaccessible. The pointers to those memory locations are created the same way too.

I actually have to write each one down into the CE table in order to change them when I need to.

My question is:
is it possible to instruct an(other) auto-assemble cheat so that it writes the addresses directly into the CE table?
If yes, how do I build it?
OR
In CE, is there already a feature able to do this?

_________________
CHEATING is a must,
nowadays, if you like
P L A Y I N G
XaLeX (Expert Cheater, Reputation: 0; Joined: 19 Aug 2008; Posts: 226)
Posted: Thu Sep 02, 2010 8:17 am

I don't get what you're trying to do... you're logging addresses and values into allocated memory?
Anyway, as far as I know there's no feature like that, but you can code it in with a little Delphi knowledge.

P.S. An Italian! I can't believe it! :o
GrandPa
Posted: Thu Sep 02, 2010 6:09 pm

Well, anyway, for the moment I built another auto-assemble cheat where, in addition to the watches, I also built a converter that turns the found addresses into a readable CE table.

Then, I simply copy and append the converted strings to an empty CE table via HxD.

The new table works nicely even if I can't merge it into the original one, but it seems to me that's a common issue, if I remember well.

I know it's not the best solution, but I only knew a bit of old Basic, and for now I'm still trying to understand (and use) the assembler (not assembly).


P.S. Italy? Which area? I'm from NO.

XaLeX
Posted: Thu Sep 02, 2010 6:32 pm

I still don't get what you're trying to do... anyway, to log addresses, you can do something like:

Code:
removed, check link

EDIT: I fixed it and posted it in another thread where it'll be easier to update it. It's here.

Then, when you want to log an address:
Code:
push xxxxxx
call address_logger
should do the trick.

I'll test it in a minute and post the results... not sure it's bug-free, it's 1:20 am after all, xD
Edit: tested... it works!

P.S. Salerno... not that I'm proud of it xD
GrandPa
Posted: Fri Sep 03, 2010 11:11 am

First of all: THANK YOU.

I read your post, but I don't understand a couple of things.

1) Your code:
Code:
globalalloc(log_base, 1024)
globalalloc(log,1024)

CE translates 1024 as a decimal value.

Code:
cmp ecx,1024
.
.
mov ecx,256

When executing these opcodes, CE should consider them as hex values.
Correct me if I'm wrong.

2) After enabling the Logger function, I have to create my injection, then call the function.
Where can I read the logged addresses? Starting from log_base?


I have to admit I tried to test the function in my target game, Puzzle Quest 2, and I'm unable to make it work, probably because of its protections.



P.S. Pity! Too far apart to arrange a beer.

XaLeX
Posted: Fri Sep 03, 2010 11:28 am

GrandPa wrote:
1) Your code:
Code:
globalalloc(log_base, 1024)
globalalloc(log,1024)

CE translates 1024 as a decimal value.

Code:
cmp ecx,1024
.
.
mov ecx,256

When executing these opcodes, CE should consider them as hex values.
Correct me if I'm wrong.

Exactly, thanks for pointing that out :) Correct it by adding a '#' before them so CE reads them as decimals.

GrandPa wrote:
2) After enabling the Logger function, I have to create my injection, then call the function.
Where can I read the logged addresses? Starting from log_base?

Yes. For example, if you hook a function after the prologue and you want to log its first argument, in the injected code just do:

Code:
newmem:
push [ebp+8]
call log

originalcode:
//...

The logged addresses will be written from log_base to log_base+1020, so yes, start reading at log_base.
GrandPa
Posted: Fri Sep 03, 2010 6:07 pm

Your function works great now; in addition, I was able to insert all the addresses into the CE table, managing them like pointers, using the form:

Address of pointer: log_base+xxxx - Offset (Hex): 0
where xxxx is the offset (in hex) it got in the log table. This way it's possible to use the same trick in other similar cases (like per-section valid addresses).

Well, in order to give my modest contribution, here is my watch plus converter.

Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(start)
label(setthi)
label(reglow)
label(settlo)
label(regend)
label(exit)

005A3754:             //PuzzleQuest2.exe+1A3754
jmp newmem
nop
returnhere:

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:         //just kept as reminder
mov eax,[esp+10]      //game gets addresses from stack because it use_
mov ecx,[eax]         //_OS structured-like calls


//testing:
inc [newmem+124]               //counter; +124h, enough for code and white space
cmp dword ptr [newmem+124],12  //18 couples address/value
ja exit                        //not jg that gave me problems in Olly
push edi
push esi
mov edi,[newmem+124]           //retrieve counter for testing
mov esi,edi                    //copy counter for conversion
imul edi,edi,8                 //address + value = 8 bytes; not: imul edi,8 because _
                               //_ it's the same as: imul eax,edi,8
add edi,120
mov [edi+newmem],eax           //store address
add edi,04
mov [edi+newmem],ecx           //store value


For the converter part, values aren't necessary
Code:
//converting:                  //conversion into a working CE table starting from the first _
                               //_ entry and giving them all the same references
push ecx
push eax
sub edi,5                              //stored address -1 byte
dec esi
imul esi,esi,27                     //same as before; 27h=1Eh record length +address +name (1 char)
add esi,250
mov dword ptr [esi+newmem],20000000    //20 = blank description
add esi,4
mov dword ptr [esi+newmem],00610E20    //don't know, just tried it
add esi,4
mov dword ptr [esi+newmem],00000008    //don't know, just tried it
add esi,4
mov ecx,4                              //counter for bytes of the address

start:
xor eax,eax
mov al,byte ptr [edi+ecx+newmem]       //get address byte, from highest to lowest
shl ax,4                               //if al was E8, ax become 0E80
xchg ah,al                             //new ax = 800E
shr ah,4                               //new ax = 080E
cmp ah,9
ja setthi                              //ah = 08, don't jump
add ah,30                              //new ah = 38 = char 8
jmp reglow

setthi:
add ah,37

reglow:
cmp al,9
ja settlo                              //al = 0E, jump
add al,30
jmp regend

settlo:
add al,37                              //new al = 45 = char E

regend:
mov word ptr [esi+newmem],ax           //stores 45 38 = char E8
inc esi
inc esi
dec ecx                                //decrease counter
cmp ecx,0                              //when finished conversion continues
jnz start

mov dword ptr [esi+newmem],01000002    //02 stands for type=2 = 4 bytes
add esi,4
mov dword ptr [esi+newmem],0           //always 0
add esi,4
mov dword ptr [esi+newmem],0           //always 0
add esi,4
mov dword ptr [esi+newmem],0           //always 0
add esi,4
mov dword ptr [esi+newmem],010000      //always 0 + 01 = end record
pop eax
pop ecx
pop esi
pop edi

exit:
jmp returnhere

 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
005A3754:
mov eax,[esp+10]
mov ecx,[eax]
//Alt: db 8B 44 24 10 8B 08


In CE 5.6.1, cheat tables always start with:
CHEATENGINE....
43 48 45 41 54 45 4E 47 49 4E 45 09 00 00 00;

followed by the number of records (in my case it was 13): 0D;

followed by a sequence that, for addresses only, is always:
00 00 00 01 (end of title record?);

I append the converted table there,
followed by 00 26 times.


If I made some mistakes, please, Dark Byte, correct me.

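The table layout GrandPa reverse-engineered above, put into a script. This is an added example and not code from the thread or from Cheat Engine: it reproduces in Python the byte layout the auto-assembler converter writes (counter at newmem+124h, address/value pairs from +128h, converted records from +250h at a 27h-byte stride) and the file framing given at the end of the post, so the table can be built offline from a dump of the newmem block instead of being pasted together in HxD. Nothing here is documented CE format: the two dwords the post marks "don't know, just tried it" are copied verbatim, and treating the record count as a single byte is an assumption taken from the post showing it as 0D. The address/value pairs in the block are constructed sample data.

```python
"""Rebuild the CE 5.6.1-style table bytes from a dump of the hook's newmem block.

Added example; the offsets and record contents come from the auto-assembler
script in the thread, not from any documented Cheat Engine file format.
"""
import struct

NEWMEM_SIZE = 2048
COUNTER_OFF = 0x124       # dword counter: inc [newmem+124]
PAIRS_OFF = 0x128         # first address/value pair, 8 bytes each
MAX_PAIRS = 0x12          # cmp dword ptr [newmem+124],12 ; ja exit
RECORDS_OFF = 0x250       # first converted record
RECORD_STRIDE = 0x27      # imul esi,esi,27: 40 bytes written per record at a 39-byte stride

HEADER = b"CHEATENGINE" + bytes.fromhex("09000000")
TITLE_END = bytes.fromhex("00000001")   # 'end of title record?'
TRAILER = bytes(26)                     # '00 26 times'


def nibble_char(n):
    """ASCII code of one hex digit, same arithmetic as the add 30h / add 37h branches."""
    return n + 0x30 if n <= 9 else n + 0x37


def address_to_ascii(address):
    """8 upper-case hex chars, highest byte first, as the ecx=4..1 loop emits them."""
    out = bytearray()
    for b in struct.pack(">I", address):
        out.append(nibble_char(b >> 4))
        out.append(nibble_char(b & 0xF))
    return bytes(out)


def record_bytes(address):
    """The 40 bytes one converted record occupies in memory.

    'mov dword ptr [..],20000000' is a little-endian store, so the record
    starts 00 00 00 20 in the file, not 20 00 00 00; '<I' reproduces that.
    """
    return (struct.pack("<I", 0x20000000)      # '20 = blank description'
            + struct.pack("<I", 0x00610E20)    # copied from the post, meaning unknown
            + struct.pack("<I", 0x00000008)    # copied from the post, meaning unknown
            + address_to_ascii(address)
            + struct.pack("<I", 0x01000002)    # 02 = type 4 bytes
            + bytes(12)                        # three 'always 0' dwords
            + struct.pack("<I", 0x00010000))   # 01 = end of record; the trailing 00 is
                                               # overwritten by the next record's first 00


def make_newmem_dump(pairs):
    """Constructed sample of the 2 KB newmem block after the hook has logged `pairs`."""
    if len(pairs) > MAX_PAIRS:
        raise ValueError("the script stops storing after 18 pairs")
    mem = bytearray(NEWMEM_SIZE)
    struct.pack_into("<I", mem, COUNTER_OFF, len(pairs))
    for i, (addr, val) in enumerate(pairs):
        struct.pack_into("<II", mem, PAIRS_OFF + 8 * i, addr, val)
        off = RECORDS_OFF + i * RECORD_STRIDE
        mem[off:off + 40] = record_bytes(addr)   # same overlap the stride produces in the game
    return bytes(mem)


def parse_watch(newmem):
    """Address/value pairs the hook stored; the counter keeps growing past 18, the stores stop."""
    counter = struct.unpack_from("<I", newmem, COUNTER_OFF)[0]
    n = min(counter, MAX_PAIRS)
    return [struct.unpack_from("<II", newmem, PAIRS_OFF + 8 * i) for i in range(n)]


def parse_records(newmem, count):
    """Addresses read back out of the converted records (8 ASCII chars at offset 12)."""
    out = []
    for i in range(count):
        off = RECORDS_OFF + i * RECORD_STRIDE + 12
        out.append(int(newmem[off:off + 8].decode("ascii"), 16))
    return out


def build_table(addresses):
    """Whole file as the post describes it: header, count byte, 00 00 00 01, records, 26 zeros."""
    if not 0 < len(addresses) <= 0xFF:
        raise ValueError("the record count is a single byte in this layout")
    records = b"".join(record_bytes(a)[:RECORD_STRIDE] for a in addresses)
    return HEADER + bytes([len(addresses)]) + TITLE_END + records + TRAILER


if __name__ == "__main__":
    sample = [(0x0C3E8A10, 42), (0x0C3E8A14, 7)]   # constructed sample pairs
    dump = make_newmem_dump(sample)
    addrs = [a for a, _ in parse_watch(dump)]
    assert parse_records(dump, len(addrs)) == addrs
    print(build_table(addrs).hex(" "))
```

Two things the Python makes visible that the assembler listing hides: the `mov dword ptr [..],20000000` store lands in the file as 00 00 00 20 because x86 stores are little-endian, and the 27h stride means each 40-byte record's last byte is overwritten by the next record's first byte, which only works because both are 00. To use it on a real run, dump the 2048 bytes at the address CE shows for newmem to a file and pass them to parse_watch and build_table.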
All times are GMT - 6 Hours
Powered by phpBB © 2001, 2005 phpBB Group
