Rydian's Guide To Basic AOBs And Scripts
Cheat Engine Forum Index -> Cheat Engine Tutorials (page 2 of 6)

Rydian (Grandmaster Cheater Supreme), posted Fri Feb 28, 2014 1:24 am

I've found that jumps that are a small number of bytes are usually just part of the logic in a function and will stay the same as long as that function does... and if the function's logic changes, usually the code targeting it needs to be edited anyways to account for this in other ways (such as an offset or type changing, or a different register being used somewhere).

In cases where the jumps are long* (and for calls), yeah I'd wildcard those, and those almost always use a 4-byte moniker anyways.

* I avoid any long jumps in Starbound since the opengl and dx versions have the jumps differ, so if I stay away from those then the same scripts work in both .exes.

mightym8 (How do I cheat?), posted Fri Feb 28, 2014 7:16 am

Rydian wrote:
    mightym8 wrote:
        Thanks for the AOB and Sig tutorial.

        I tested replacing some code with nops but somehow the to-be-configured prog just closed without any exception.

    Some games can tell when their code has been changed (they do CRCs on the code repeatedly) and will kill themselves on purpose if they detect a change in order to stop you from cheating.

    What game?


Hi, it is not a game but a program called "ogameautomizer". It is a bot for the browser game "ogame" and free to download. The first 5 days you can use it without any limitation, and then your session expires 2 hours after starting it.
It is no problem to restart it via a program, but it'd be much easier to just reset the timer.

Finding the dynamic address and resetting the time doesn't result in a crash. I don't know how to use the pointer scan (maybe I should just go over it and learn it) because I always did it manually. But now there are so many pointers that point to this address. It'd be a pain to check every one.
mgr.inz.Player (I post too much), posted Fri Feb 28, 2014 9:34 am

Rydian wrote:
    I've found that jumps that are a small number of bytes are usually just part of the logic in a function and will stay the same as long as that function does... and if the function's logic changes, usually the code targeting it needs to be edited anyways to account for this in other ways (such as an offset or type changing, or a different register being used somewhere)

I also do not wildcard very short jumps. So, +1

Rydian (Grandmaster Cheater Supreme), posted Fri Feb 28, 2014 11:42 am

mightym8 wrote:
    Rydian wrote:
        mightym8 wrote:
            Thanks for the AOB and Sig tutorial.

            I tested replacing some code with nops but somehow the to-be-configured prog just closed without any exception.

        Some games can tell when their code has been changed (they do CRCs on the code repeatedly) and will kill themselves on purpose if they detect a change in order to stop you from cheating.

        What game?

    Hi, it is not a game but a program called "ogameautomizer". It is a bot for the browser game "ogame" and free to download. The first 5 days you can use it without any limitation, and then your session expires 2 hours after starting it.
    It is no problem to restart it via a program, but it'd be much easier to just reset the timer.

    Finding the dynamic address and resetting the time doesn't result in a crash. I don't know how to use the pointer scan (maybe I should just go over it and learn it) because I always did it manually. But now there are so many pointers that point to this address. It'd be a pain to check every one.

When you find the line you want to edit, right-click it and find what addresses the instruction accesses. It sounds like the instruction/function may be used for a lot more than just what you're editing it for, so you may need another approach (like editing the code that reads the value instead of writing it).

For the pointer scanner, you can cancel the settings popup and then open a previous pointer scan and then rescan for a new address/value to filter things down, just like you would with a normal RAM search.

atom0s (Moderator), posted Fri Feb 28, 2014 12:04 pm

I mainly focus on multiplayer things nowadays, so I have seen small jumps change a lot in MMOs that update frequently, which is why I offered the suggestion. To each their own on how they want to make signatures though.
Rydian (Grandmaster Cheater Supreme), posted Fri Feb 28, 2014 1:59 pm

Ugh god don't even get me started on Terraria's updates.
DEATH27 (How do I cheat?), posted Tue May 13, 2014 10:06 am

Great guide, helped quite a bit. I'm having a bit of trouble with AOBs though. I think the signature might be the problem, but I'm not sure how to fix it. I've got a few scripts set up, one to disable ammo loss upon firing a weapon, and one that prevents bosses from losing HP. Both of these scripts will fail to activate upon restarting the game, but will activate if I go and manually find the addresses they're supposed to work on in the disassembler. I don't have to do any editing of the script; I just need to bring up the target area in the disassembler and they'll work. This is pretty inconvenient.

Here's the target line for the infinite ammo cheat:
(Sorry, can't post URLs yet... Replace the underscores with periods)

imgur_com/8myLvr1.png

And here's my script:

imgur_com/ww8aZgS.png

Any idea what the problem might be?
Rydian (Grandmaster Cheater Supreme), posted Tue May 13, 2014 1:48 pm

I'd change the first wildcard thing to ?? ?? 81 00 instead of 30 2B ?? ??, because the bytes are in reverse order, so ?? ?? 81 00 will actually be targeting the address 0081????.

Anyways, if you have to actually make use of and then scan for the related game code before the script works after a restart, then chances are the game is actually loading/compiling code on-demand. Terraria and Rogue Legacy do this among a few other games.

The bad news is there's no easy way around it. The good news is you don't actually have to scan for the code; you just need to make sure that the code gets loaded by making use of it in-game. Like for Terraria or Rogue Legacy, I had to have the thing I was trying to prevent happen once in a run of the game before I could edit it, because until then the code doesn't exist.

DEATH27 (How do I cheat?), posted Tue May 13, 2014 5:54 pm

You were right, the codes were being loaded only as they were being used. I made a few minor adjustments to the signatures of both scripts and it works fine now. All I have to do is fire a weapon and/or hit a boss enemy for the scripts to become usable. Thanks for the help.
it-ty (Newbie cheater), posted Fri Jul 11, 2014 6:59 am

Rydian wrote:
    RASHDAN wrote:
        I'll try to not miss...
        but...
        How do we know the start address and end address from the address we found?
        I mean, if the original code says
        sub ecx,eax
        mov [0049e6cc],xx

        that only takes 2 addresses (from memory view),

        but in memory view we blocked till 5 addresses; how do we know that?
        Hope you understand what I mean with my bad English.

    Good question, actually.

    You can right-click your target address and choose "select function", and CE will select all of the addresses that belong to that same function.

    Anything within that selected block will almost always be in that general order, so you can see if you're close to the edge of a function (usually you aren't for stuff like health/damage).

I do not understand the tutorial + image. Please.
liledition (Cheater), posted Fri Sep 12, 2014 7:10 pm, subject: hmm

Hello

That "select function" is cool stuff, but what if there is a lot of stuff there? Like in Risen 3, after select function on money I got this...

Risen3.exe+33FFC7 - 55 - push ebp
Risen3.exe+33FFC8 - 56 - push esi
Risen3.exe+33FFC9 - 8B F1 - mov esi,ecx
Risen3.exe+33FFCB - 8B 6E 24 - mov ebp,[esi+24] <----this is where i selected function...
Risen3.exe+33FFCE - 33 C9 - xor ecx,ecx
Risen3.exe+33FFD0 - 85 C0 - test eax,eax
Risen3.exe+33FFD2 - 0F9E C1 - setle cl
Risen3.exe+33FFD5 - 49 - dec ecx
Risen3.exe+33FFD6 - 23 C1 - and eax,ecx
Risen3.exe+33FFD8 - 8D 4E 04 - lea ecx,[esi+04]
Risen3.exe+33FFDB - 89 46 24 - mov [esi+24],eax
Risen3.exe+33FFDE - E8 7D8DEDFF - call Risen3.exe+218D60
Risen3.exe+33FFE3 - 85 C0 - test eax,eax
Risen3.exe+33FFE5 - 74 5C - je Risen3.exe+340043
Risen3.exe+33FFE7 - 83 7C 24 14 00 - cmp dword ptr [esp+14],00
Risen3.exe+33FFEC - 74 55 - je Risen3.exe+340043
Risen3.exe+33FFEE - 57 - push edi
Risen3.exe+33FFEF - 8B 7E 24 - mov edi,[esi+24]
Risen3.exe+33FFF2 - 8D 4E 04 - lea ecx,[esi+04]
Risen3.exe+33FFF5 - 2B FD - sub edi,ebp
Risen3.exe+33FFF7 - E8 648DEDFF - call Risen3.exe+218D60
Risen3.exe+33FFFC - 8B 50 0C - mov edx,[eax+0C]
Risen3.exe+33FFFF - 8B 0A - mov ecx,[edx]
Risen3.exe+340001 - 85 C9 - test ecx,ecx
Risen3.exe+340003 - 75 04 - jne Risen3.exe+340009
Risen3.exe+340005 - 33 C0 - xor eax,eax
Risen3.exe+340007 - EB 20 - jmp Risen3.exe+340029
Risen3.exe+340009 - 8B 01 - mov eax,[ecx]
Risen3.exe+34000B - 8B 50 6C - mov edx,[eax+6C]
Risen3.exe+34000E - 6A 00 - push 00
Risen3.exe+340010 - 68 BCD9DF00 - push Risen3.exe+9FD9BC
Risen3.exe+340015 - 68 68C3DE00 - push Risen3.exe+9EC368
Risen3.exe+34001A - 6A 00 - push 00
Risen3.exe+34001C - 6A 21 - push 21
Risen3.exe+34001E - FF D2 - call edx
Risen3.exe+340020 - 50 - push eax
Risen3.exe+340021 - E8 E8E63700 - call Risen3.exe+6BE70E
Risen3.exe+340026 - 83 C4 14 - add esp,14
Risen3.exe+340029 - 8B 4C 24 18 - mov ecx,[esp+18]
Risen3.exe+34002D - 8B 10 - mov edx,[eax]
Risen3.exe+34002F - 8B 92 FC000000 - mov edx,[edx+000000FC]
Risen3.exe+340035 - 57 - push edi
Risen3.exe+340036 - 56 - push esi
Risen3.exe+340037 - 51 - push ecx
Risen3.exe+340038 - 8B C8 - mov ecx,eax
Risen3.exe+34003A - FF D2 - call edx
Risen3.exe+34003C - 5F - pop edi
Risen3.exe+34003D - 5E - pop esi
Risen3.exe+34003E - 5D - pop ebp
Risen3.exe+34003F - 5B - pop ebx
Risen3.exe+340040 - C2 0800 - ret 0008
Risen3.exe+340043 - 8D 4E 04 - lea ecx,[esi+04]
Risen3.exe+340046 - E8 158DEDFF - call Risen3.exe+218D60
Risen3.exe+34004B - 5E - pop esi
Risen3.exe+34004C - 5D - pop ebp
Risen3.exe+34004D - 5B - pop ebx
Risen3.exe+34004E - C2 0800 - ret 0008


When I put it in AA there are only the first 4 lines, so the other lines are not important???
Rydian (Grandmaster Cheater Supreme), posted Tue Sep 23, 2014 11:40 pm, subject: Re: hmm

liledition wrote:
    Hello

    That "select function" is cool stuff, but what if there is a lot of stuff there? Like in Risen 3, after select function on money I got this...

    [snipped]

    When I put it in AA there are only the first 4 lines, so the other lines are not important???

In that example I'd just target the first few lines of the function.

Risen3.exe+33FFC7 - 55 - push ebp
Risen3.exe+33FFC8 - 56 - push esi
Risen3.exe+33FFC9 - 8B F1 - mov esi,ecx
Risen3.exe+33FFCB - 8B 6E 24 - mov ebp,[esi+24] <----this is where i selected function...
Risen3.exe+33FFCE - 33 C9 - xor ecx,ecx
Risen3.exe+33FFD0 - 85 C0 - test eax,eax

So...
55 56 8B F1 8B 6E 24 33 C9 85 C0

Something like that should be a good enough signature. Then to edit the line you say you're targeting, it'd be +4 from the scan.

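A working version of the two points made in the replies above, added here as an example and not code from the thread: a `??`-wildcard AOB scanner in the style of CE's aobscan, run over the 138 bytes transcribed from the Risen3 listing. It shows that the prologue signature hits exactly once (with the mov at +4), that a three-byte pattern is ambiguous, that an absolute address such as 00DF???? is stored low byte first (the same reason `?? ?? 81 00` targets 0081????), and that the rel32 of an E8 call is a layout-dependent displacement, which is why calls get wildcarded. The module offset 33FFC7 is taken from the listing; nothing else is assumed.

```python
# Constructed from the Risen3.exe listing quoted above: the 138 bytes of the
# function at Risen3.exe+33FFC7 (module-relative offsets, the way CE shows them).
FUNC_RVA = 0x33FFC7
RISEN3_FUNC = bytes.fromhex(
    "55 56 8B F1 8B 6E 24 33 C9 85 C0 0F 9E C1 49 23 "
    "C1 8D 4E 04 89 46 24 E8 7D 8D ED FF 85 C0 74 5C "
    "83 7C 24 14 00 74 55 57 8B 7E 24 8D 4E 04 2B FD "
    "E8 64 8D ED FF 8B 50 0C 8B 0A 85 C9 75 04 33 C0 "
    "EB 20 8B 01 8B 50 6C 6A 00 68 BC D9 DF 00 68 68 "
    "C3 DE 00 6A 00 6A 21 FF D2 50 E8 E8 E6 37 00 83 "
    "C4 14 8B 4C 24 18 8B 10 8B 92 FC 00 00 00 57 56 "
    "51 8B C8 FF D2 5F 5E 5D 5B C2 08 00 8D 4E 04 E8 "
    "15 8D ED FF 5E 5D 5B C2 08 00"
)

def parse_aob(pattern):
    """'55 56 ?? F1' -> [0x55, 0x56, None, 0xF1]; None is a '??' wildcard byte."""
    out = []
    for tok in pattern.split():
        if tok == "??":
            out.append(None)
        elif len(tok) == 2:
            out.append(int(tok, 16))   # raises ValueError on a non-hex token
        else:
            raise ValueError(f"bad AOB token: {tok!r}")
    return out

def aob_scan(buf, pattern):
    """Offsets of every match; a signature is only usable if this returns one hit."""
    pat = parse_aob(pattern)
    return [i for i in range(len(buf) - len(pat) + 1)
            if all(p is None or buf[i + k] == p for k, p in enumerate(pat))]

def call_target(buf, off, base_rva=FUNC_RVA):
    """Decode an E8 rel32 call at off: the 4 bytes after E8 are a little-endian
    signed displacement from the end of the 5-byte instruction."""
    if buf[off] != 0xE8:
        raise ValueError("not an E8 call")
    disp = int.from_bytes(buf[off + 1:off + 5], "little", signed=True)
    return base_rva + off + 5 + disp

if __name__ == "__main__":
    sig = "55 56 8B F1 8B 6E 24 33 C9 85 C0"   # the prologue signature from the reply above
    print([hex(FUNC_RVA + o) for o in aob_scan(RISEN3_FUNC, sig)])   # one hit: +33FFC7, mov at +4
    print([hex(FUNC_RVA + o) for o in aob_scan(RISEN3_FUNC, "8D 4E 04")])  # three hits: too short
    print([hex(FUNC_RVA + o) for o in aob_scan(RISEN3_FUNC, "68 ?? ?? DF 00")])  # 00DF????, low byte first
    first_call = aob_scan(RISEN3_FUNC, "E8 ?? ?? ?? ??")[0]
    print(hex(call_target(RISEN3_FUNC, first_call)))  # 0x218d60: the displacement depends on code layout
```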
Attack (Cheater), posted Tue Feb 03, 2015 7:49 pm

I have a question and maybe it should have its own thread, but after searching, I simply cannot find an answer anywhere. This is the code I need to adjust:
Code:
jetsetradio.exe+B409B - 2B C6                 - sub eax,esi

As you can see, it is only two bytes. I can find this and replace it with another two-byte code and it works, but because what I want to do is more complicated than 2 bytes, I need a jmp; to do that, I need more bytes, so I look at the next line:
Code:
jetsetradio.exe+B409D - 8D 0C 8D 209E8E01     - lea ecx,[ecx*4+jetsetradio.exe+9F9E20]

OK, that's easy, I use part of this for the AOB anyway... Now a few tests later and I learn that I cannot use that opcode, as it changes every reboot (and presumably in other computers).

This is my scan:
Code:
aobscan(aobTime,8D 0C 8D 20 9E ?? 01)

This finds the code I am looking for. Or well, it finds the line that follows the actual line. The line where I can inject.

My issue is here. I still need that code. It's part of my code and part of the disable. I have learnt through reading that using the original opcodes is important, but in this case, one of the bytes changes all the time.

Do I just put the instruction rather than
db opcode
or is there a way to get the actual opcode that the AOB is finding? Can I read and store the opcode before replacing it?


EDIT: Apparently readmem is the answer: http://forum.cheatengine.org/viewtopic.php?p=5510717
Rydian (Grandmaster Cheater Supreme), posted Tue Jun 02, 2015 12:14 pm

Couldn't you focus on the opcode above your target and include the target too?
nack911 (Newbie cheater), posted Thu Jun 25, 2015 6:36 am, subject: The game crashes after nop

How do I counter this problem? The cheat is successful, but after a minute or so the game crashes.