Cheat Engine The Official Site of Cheat Engine
Rydian (Grandmaster Cheater Supreme, Reputation: 31; Joined: 17 Sep 2012; Posts: 1358)
Posted: Fri Feb 28, 2014 1:24 am
I've found that jumps that are a small number of bytes are usually just part of the logic in a function and will stay the same as long as that function does... and if the function's logic changes, usually the code targeting it needs to be edited anyways to account for this in other ways (such as an offset or type changing, or a different register being used somewhere).
In cases where the jumps are long* (and for calls), yeah I'd wildcard those, and those almost always use a 4-byte moniker anyways.
* I avoid any long jumps in Starbound since the opengl and dx versions have the jumps differ, so if I stay away from those then the same scripts work in both .exes.
mightym8 (How do I cheat?, Reputation: 0; Joined: 27 Feb 2014; Posts: 5)
Posted: Fri Feb 28, 2014 7:16 am
Rydian wrote:
    mightym8 wrote:
        Thanks for the AOB and Sig tutorial.
        I tested replacing some code with nops but somehow the to-be-configured prog just closed without any exception.
    Some games can tell when their code has been changed (they do CRCs on the code repeatedly) and will kill themselves on purpose if they detect a change in order to stop you from cheating.
    What game?
Hi, it is not a game but a program called "ogameautomizer"; it is a bot for the browser game "ogame" and free to download. The first 5 days you can use it without any limitation and then your session expires 2 hours after starting it.
It is no problem to restart it via a prog but it'd be much easier to just reset the timer.
Finding the dynamic address and resetting the time doesn't result in a crash. I don't know how to use the pointerscan (maybe I should just go over it and learn it) because I always did it manually. But now there are so many pointers that point to this address. It'd be a pain to check every one.
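The CRC self-check Rydian describes in the quoted reply, as an added Python example (not code from the page, from ogameautomizer or from any game): a baseline of per-chunk CRC32 values is recorded once, then re-checked later, and a mismatch tells you which chunk of the code region was modified. The code region and the 2-byte NOP patch below are constructed for the demonstration.

```python
import zlib


def baseline_crcs(code, chunk=4096):
    """CRC32 of every chunk of the protected code region, taken once at startup."""
    return [zlib.crc32(code[i:i + chunk]) for i in range(0, len(code), chunk)]


def modified_chunks(code, baseline, chunk=4096):
    """Indices of chunks whose CRC no longer matches the baseline.
    Run this on a timer (or from several code paths) so a patch is noticed
    shortly after it lands; an empty list means the region is unchanged."""
    return [k for k, crc in enumerate(baseline)
            if zlib.crc32(code[k * chunk:(k + 1) * chunk]) != crc]


def nop_patch(code, offset, length):
    """Constructed tampering: overwrite `length` bytes at `offset` with 0x90 (NOP),
    the kind of edit the quoted post describes."""
    return code[:offset] + b"\x90" * length + code[offset + length:]


def demo(chunk=64):
    # Constructed 3-chunk "code" region; chunk 1 starts with a 2-byte sub eax,esi
    # followed by filler, chunk 0 and 2 are arbitrary bytes.
    code = (bytes(range(256))[:chunk]
            + b"\x2B\xC6" + b"\x33\xC0" * ((chunk - 2) // 2)
            + bytes([0xCC]) * chunk)
    baseline = baseline_crcs(code, chunk)
    tampered = nop_patch(code, chunk, 2)        # NOP out the sub at the start of chunk 1
    return {
        "clean": modified_chunks(code, baseline, chunk),        # []
        "tampered": modified_chunks(tampered, baseline, chunk),  # [1]
    }


if __name__ == "__main__":
    print(demo())
```

Chunking the region means the check can report where the change is, not just that one happened, which is more useful for logging than a single hash. CRC32 is keyless and not cryptographic, and a check that lives in the same process as the code it protects is only as trustworthy as that process, so production anti-tamper layers several such checks; the behaviour the poster saw, a program that "just closed without any exception", is what a failed check of this kind looks like from outside.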
mgr.inz.Player (I post too much, Reputation: 218; Joined: 07 Nov 2008; Posts: 4438; Location: W kraju nad Wisla. UTC+01:00)
Posted: Fri Feb 28, 2014 9:34 am
Rydian wrote:
    I've found that jumps that are a small number of bytes are usually just part of the logic in a function and will stay the same as long as that function does... and if the function's logic changes, usually the code targeting it needs to be edited anyways to account for this in other ways (such as an offset or type changing, or a different register being used somewhere)
I also do not wildcard very short jumps. So, +1
Rydian (Grandmaster Cheater Supreme, Reputation: 31; Joined: 17 Sep 2012; Posts: 1358)
Posted: Fri Feb 28, 2014 11:42 am
mightym8 wrote:
    Rydian wrote:
        mightym8 wrote:
            Thanks for the AOB and Sig tutorial.
            I tested replacing some code with nops but somehow the to-be-configured prog just closed without any exception.
        Some games can tell when their code has been changed (they do CRCs on the code repeatedly) and will kill themselves on purpose if they detect a change in order to stop you from cheating.
        What game?
    Hi, it is not a game but a program called "ogameautomizer"; it is a bot for the browser game "ogame" and free to download. The first 5 days you can use it without any limitation and then your session expires 2 hours after starting it.
    It is no problem to restart it via a prog but it'd be much easier to just reset the timer.
    Finding the dynamic address and resetting the time doesn't result in a crash. I don't know how to use the pointerscan (maybe I should just go over it and learn it) because I always did it manually. But now there are so many pointers that point to this address. It'd be a pain to check every one.
When you find the line you want to edit, right-click it and find what addresses the instruction accesses. It sounds like the instruction/function may be used for a lot more than just what you're editing it for, so you may need another approach (like editing the code that reads the value instead of writing it).
For the pointer scanner, you can cancel the settings popup and then open a previous pointer scan and then rescan for a new address/value to filter things down, just like you would with a normal RAM search.
atom0s (Moderator, Reputation: 198; Joined: 25 Jan 2006; Posts: 8517; Location: 127.0.0.1)
Posted: Fri Feb 28, 2014 12:04 pm
I mainly focus on multiplayer things nowadays, so I have seen small jumps change a lot in MMOs that update frequently, which is why I offered the suggestion. To each their own on how they want to make signatures though.
Rydian (Grandmaster Cheater Supreme, Reputation: 31; Joined: 17 Sep 2012; Posts: 1358)
Posted: Fri Feb 28, 2014 1:59 pm
Ugh god don't even get me started on Terraria's updates.
DEATH27 (How do I cheat?, Reputation: 0; Joined: 13 May 2014; Posts: 8)
Posted: Tue May 13, 2014 10:06 am
Great guide, helped quite a bit. I'm having a bit of trouble with AOBs though. I think the signature might be the problem, but I'm not sure how to fix it. I've got a few scripts set up, one to disable ammo loss upon firing a weapon, and one that prevents bosses from losing HP. Both of these scripts will fail to activate upon restarting the game, but will activate if I go and manually find the addresses they're supposed to work on in the disassembler. I don't have to do any editing of the script, I just need to bring up the target area in the disassembler and they'll work. This is pretty inconvenient.
Here's the target line for the infinite ammo cheat:
(Sorry, can't post URLs yet... Replace the underscores with periods)
imgur_com/8myLvr1.png
And here's my script:
imgur_com/ww8aZgS.png
Any idea what the problem might be?
Rydian (Grandmaster Cheater Supreme, Reputation: 31; Joined: 17 Sep 2012; Posts: 1358)
Posted: Tue May 13, 2014 1:48 pm
I'd change the first wildcard thing to ?? ?? 81 00 instead of 30 2B ?? ?? because the bytes are in reverse order so ?? ?? 81 00 will actually be targeting the address 0081????.
Anyways, if you have to actually make use of and then scan for the related game code before the script works after a restart, then chances are the game is actually loading/compiling code on-demand. Terraria and Rogue Legacy do this among a few other games.
The bad news is there's no easy way around it. The good news is you don't actually have to scan for the code, you just need to make sure that the code gets loaded by making use of it in-game. Like for Terraria or Rogue Legacy I had to have the thing I was trying to prevent happen once in a run of the game before I could edit it because until then, the code doesn't exist.
DEATH27 (How do I cheat?, Reputation: 0; Joined: 13 May 2014; Posts: 8)
Posted: Tue May 13, 2014 5:54 pm
You were right, the codes were being loaded only as they were being used. I made a few minor adjustments to the signatures of both scripts and it works fine now. All I have to do is fire a weapon and/or hit a boss enemy for the scripts to become usable. Thanks for the help.
it-ty (Newbie cheater, Reputation: 0; Joined: 05 Jun 2014; Posts: 22)
Posted: Fri Jul 11, 2014 6:59 am
Rydian wrote:
    RASHDAN wrote:
        I'll try to not miss..
        but...
        how to know the start address and end address from the address we found
        I mean if the original code says
        sub ecx,eax
        mov [0049e6cc],xx
        that only take 2 address (from memory view)
        but in memory view we blocked till 5 address, how we know that? ============
        hope u understand what I mean with my bad English
    Good question, actually.
    You can right-click your target address and choose "select function", and CE will select all of the addresses that belong to that same function.
    Anything within that selected block will almost always be in that general order, so you can see if you're close to the edge of a function (usually you aren't for stuff like health/damage).
I do not understand the tutorial+image. Please
liledition (Cheater, Reputation: 0; Joined: 12 Sep 2014; Posts: 49)
Posted: Fri Sep 12, 2014 7:10 pm Post subject: hmm
Hello
That "select function" is cool stuff but what if there is a lot of stuff there? Like in Risen 3 after select function on money I got this...
Risen3.exe+33FFC7 - 55 - push ebp
Risen3.exe+33FFC8 - 56 - push esi
Risen3.exe+33FFC9 - 8B F1 - mov esi,ecx
Risen3.exe+33FFCB - 8B 6E 24 - mov ebp,[esi+24] <----this is where i selected function...
Risen3.exe+33FFCE - 33 C9 - xor ecx,ecx
Risen3.exe+33FFD0 - 85 C0 - test eax,eax
Risen3.exe+33FFD2 - 0F9E C1 - setle cl
Risen3.exe+33FFD5 - 49 - dec ecx
Risen3.exe+33FFD6 - 23 C1 - and eax,ecx
Risen3.exe+33FFD8 - 8D 4E 04 - lea ecx,[esi+04]
Risen3.exe+33FFDB - 89 46 24 - mov [esi+24],eax
Risen3.exe+33FFDE - E8 7D8DEDFF - call Risen3.exe+218D60
Risen3.exe+33FFE3 - 85 C0 - test eax,eax
Risen3.exe+33FFE5 - 74 5C - je Risen3.exe+340043
Risen3.exe+33FFE7 - 83 7C 24 14 00 - cmp dword ptr [esp+14],00
Risen3.exe+33FFEC - 74 55 - je Risen3.exe+340043
Risen3.exe+33FFEE - 57 - push edi
Risen3.exe+33FFEF - 8B 7E 24 - mov edi,[esi+24]
Risen3.exe+33FFF2 - 8D 4E 04 - lea ecx,[esi+04]
Risen3.exe+33FFF5 - 2B FD - sub edi,ebp
Risen3.exe+33FFF7 - E8 648DEDFF - call Risen3.exe+218D60
Risen3.exe+33FFFC - 8B 50 0C - mov edx,[eax+0C]
Risen3.exe+33FFFF - 8B 0A - mov ecx,[edx]
Risen3.exe+340001 - 85 C9 - test ecx,ecx
Risen3.exe+340003 - 75 04 - jne Risen3.exe+340009
Risen3.exe+340005 - 33 C0 - xor eax,eax
Risen3.exe+340007 - EB 20 - jmp Risen3.exe+340029
Risen3.exe+340009 - 8B 01 - mov eax,[ecx]
Risen3.exe+34000B - 8B 50 6C - mov edx,[eax+6C]
Risen3.exe+34000E - 6A 00 - push 00
Risen3.exe+340010 - 68 BCD9DF00 - push Risen3.exe+9FD9BC
Risen3.exe+340015 - 68 68C3DE00 - push Risen3.exe+9EC368
Risen3.exe+34001A - 6A 00 - push 00
Risen3.exe+34001C - 6A 21 - push 21
Risen3.exe+34001E - FF D2 - call edx
Risen3.exe+340020 - 50 - push eax
Risen3.exe+340021 - E8 E8E63700 - call Risen3.exe+6BE70E
Risen3.exe+340026 - 83 C4 14 - add esp,14
Risen3.exe+340029 - 8B 4C 24 18 - mov ecx,[esp+18]
Risen3.exe+34002D - 8B 10 - mov edx,[eax]
Risen3.exe+34002F - 8B 92 FC000000 - mov edx,[edx+000000FC]
Risen3.exe+340035 - 57 - push edi
Risen3.exe+340036 - 56 - push esi
Risen3.exe+340037 - 51 - push ecx
Risen3.exe+340038 - 8B C8 - mov ecx,eax
Risen3.exe+34003A - FF D2 - call edx
Risen3.exe+34003C - 5F - pop edi
Risen3.exe+34003D - 5E - pop esi
Risen3.exe+34003E - 5D - pop ebp
Risen3.exe+34003F - 5B - pop ebx
Risen3.exe+340040 - C2 0800 - ret 0008
Risen3.exe+340043 - 8D 4E 04 - lea ecx,[esi+04]
Risen3.exe+340046 - E8 158DEDFF - call Risen3.exe+218D60
Risen3.exe+34004B - 5E - pop esi
Risen3.exe+34004C - 5D - pop ebp
Risen3.exe+34004D - 5B - pop ebx
Risen3.exe+34004E - C2 0800 - ret 0008
When I put it in AA there are only the first 4 lines, so other lines are not important???
Rydian (Grandmaster Cheater Supreme, Reputation: 31; Joined: 17 Sep 2012; Posts: 1358)
Posted: Tue Sep 23, 2014 11:40 pm Post subject: Re: hmm
liledition wrote:
    Hello
    That "select function" is cool stuff but what if there is a lot of stuff there? Like in Risen 3 after select function on money I got this...
    [snipped]
    When I put it in AA there are only the first 4 lines, so other lines are not important???
In that example I'd just target the first few lines of the function.
Risen3.exe+33FFC7 - 55 - push ebp
Risen3.exe+33FFC8 - 56 - push esi
Risen3.exe+33FFC9 - 8B F1 - mov esi,ecx
Risen3.exe+33FFCB - 8B 6E 24 - mov ebp,[esi+24] <----this is where i selected function...
Risen3.exe+33FFCE - 33 C9 - xor ecx,ecx
Risen3.exe+33FFD0 - 85 C0 - test eax,eax
So...
55 56 8B F1 8B 6E 24 33 C9 85 C0
Something like that should be a good enough signature. Then to edit the line you say you're targeting, it'd be +4 from the scan.
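The signature rules discussed in this thread, in one added Python example: wildcard the 4-byte displacement of a long jump or call, keep a short rel8 jump literal, put the wildcards on the low bytes of a little-endian operand (the "?? ?? 81 00" reply above), check that a signature is unique, and reach the target line as an offset from the scan hit (the "+4" in the reply above). This is not code from the page or from Cheat Engine: the byte image is constructed from the Risen 3 listing quoted above, the second image with a shifted call displacement is an assumed "rebuilt" version of the same function, and the scanner is a plain regex stand-in for CE's aobscan.

```python
import re

# Constructed image: the first 32 bytes of the Risen 3 function quoted above
# (push ebp; push esi; mov esi,ecx; mov ebp,[esi+24]; xor ecx,ecx; test eax,eax;
# setle cl; dec ecx; and eax,ecx; lea ecx,[esi+04]; mov [esi+24],eax;
# call rel32; test eax,eax; je +5C), with the call displacement as a parameter.
HEAD = bytes.fromhex("55 56 8B F1 8B 6E 24 33 C9 85 C0 0F 9E C1 49 23 C1 8D 4E 04 89 46 24")
TAIL = bytes.fromhex("85 C0 74 5C")   # test eax,eax ; je (2-byte short jump, rel8)


def build_function(call_rel32):
    """E8 call with a given signed rel32. The displacement is the part that changes
    when the callee moves, which is why long jumps and calls get wildcarded."""
    return HEAD + b"\xE8" + (call_rel32 & 0xFFFFFFFF).to_bytes(4, "little") + TAIL


def compile_aob(pattern):
    """CE-style AOB string ('55 56 ?? F1') -> bytes regex; '??' matches any one byte.
    Wrapped in a lookahead so overlapping hits are all reported."""
    body = b"".join(b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
                    for tok in pattern.split())
    return re.compile(b"(?=" + body + b")", re.DOTALL)


def aob_scan(image, pattern):
    """Every offset in `image` where `pattern` matches (stand-in for aobscan)."""
    return [m.start() for m in compile_aob(pattern).finditer(image)]


def aob_for_address(address, variable_low_bytes=2):
    """AOB tokens for a 4-byte absolute operand whose low bytes vary between builds.
    x86 stores the operand little-endian, so the low bytes come FIRST in the code
    and the wildcards belong at the front of the token list: 0x00812B30 -> '?? ?? 81 00'."""
    enc = address.to_bytes(4, "little")
    return " ".join("??" if i < variable_low_bytes else f"{b:02X}" for i, b in enumerate(enc))


SIG_FUNCTION_HEAD = "55 56 8B F1 8B 6E 24 33 C9 85 C0"         # the 11-byte signature from the reply
SIG_CALL_WILDCARDED = "89 46 24 E8 ?? ?? ?? ?? 85 C0 74 5C"     # rel32 masked, short je kept literal
SIG_CALL_HARDCODED = "89 46 24 E8 7D 8D ED FF 85 C0 74 5C"      # rel32 copied from one build


def demo():
    pad = b"\xCC" * 16                                         # int3 filler around the function
    image_v1 = pad + build_function(-0x127283) + pad           # displacement as in the listing
    image_v2 = pad + build_function(-0x127283 + 0x40) + pad    # assumed rebuild: callee moved 0x40
    hits = aob_scan(image_v1, SIG_FUNCTION_HEAD)
    target = hits[0] + 4                                       # mov ebp,[esi+24] is +4 from the hit
    return {
        "unique": len(hits) == 1,
        "target_bytes": image_v1[target:target + 3].hex(" ").upper(),   # "8B 6E 24"
        "too_short_hits": len(aob_scan(image_v1, "85 C0")),              # 2: ambiguous signature
        "wildcarded_v1": len(aob_scan(image_v1, SIG_CALL_WILDCARDED)),   # 1
        "wildcarded_v2": len(aob_scan(image_v2, SIG_CALL_WILDCARDED)),   # 1: survives the move
        "hardcoded_v2": len(aob_scan(image_v2, SIG_CALL_HARDCODED)),     # 0: breaks after the move
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same wildcard logic is what a detection engineer applies when writing byte signatures for a sample: mask relocatable displacements and absolute addresses, keep intra-function rel8 jumps, and verify the pattern hits exactly once before relying on an offset from it.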
Attack (Cheater, Reputation: 0; Joined: 21 Mar 2011; Posts: 46; Location: Canada)
Posted: Tue Feb 03, 2015 7:49 pm
I have a question and maybe it should have its own thread, but after searching, I simply cannot find an answer anywhere. This is the code I need to adjust:
Code:
    jetsetradio.exe+B409B - 2B C6 - sub eax,esi
As you can see, it is only two bytes. I can find this and replace it with another two-byte code and it works, but because what I want to do is more complicated than 2 bytes, I need a jmp; to do that, I need more bytes, so I look at the next line:
Code:
    jetsetradio.exe+B409D - 8D 0C 8D 209E8E01 - lea ecx,[ecx*4+jetsetradio.exe+9F9E20]
OK, that's easy, I use part of this for the AOB anyway... Now a few tests later and I learn that I cannot use that opcode, as it changes every reboot (and presumably on other computers).
This is my scan:
Code:
    aobscan(aobTime,8D 0C 8D 20 9E ?? 01)
This finds the code I am looking for. Or well, it finds the line that follows the actual line, the line where I can inject.
My issue is here. I still need that code. It's part of my code and part of the disable. I have learnt through reading that using the original opcodes is important, but in this case, one of the bytes changes all the time.
Do I just put the instruction rather than
db opcode
Or is there a way to get the actual opcode that aob is finding? Can I read and store the opcode before replacing it?
EDIT: Apparently readmem is the answer: http://forum.cheatengine.org/viewtopic.php?p=5510717
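An added Python example, not code from the page or from Cheat Engine, for the problem in this post: the lea's disp32 is an absolute address, so it moves with the module base (assumed here to be Windows rebasing a 64 KiB-aligned image per boot, which is why only the third byte varies while the low bytes 20 9E stay put). It derives the wildcard positions by comparing encodings of the same instruction under several constructed bases, and models the readmem answer the poster linked by saving the bytes actually found at scan time, so the disable restores exactly what was there instead of bytes hard-coded from one run.

```python
import re

MODULE_RVA = 0x9F9E20                      # jetsetradio.exe+9F9E20, from the poster's listing
SUB_EAX_ESI = bytes.fromhex("2B C6")       # the 2-byte instruction the poster wants to hook
LEA_OPCODE = bytes.fromhex("8D 0C 8D")     # lea ecx,[ecx*4+disp32]: opcode, modrm, sib


def encode_lea(image_base):
    """disp32 is the absolute address image_base+RVA, stored little-endian, so
    which bytes change depends only on how far the module was relocated."""
    return LEA_OPCODE + (image_base + MODULE_RVA).to_bytes(4, "little")


def build_image(image_base):
    """Constructed code region: filler, sub eax,esi, the lea, filler."""
    return b"\x90" * 8 + SUB_EAX_ESI + encode_lea(image_base) + b"\x90" * 8


def varying_bytes(encodings):
    """Byte positions that differ across encodings of one instruction under
    different bases: exactly the positions that must be wildcarded."""
    return [i for i in range(len(encodings[0])) if len({e[i] for e in encodings}) > 1]


def pattern_from(template, wild):
    """Render a CE-style AOB string with '??' at the wildcard positions."""
    return " ".join("??" if i in wild else f"{b:02X}" for i, b in enumerate(template))


def find_unique(image, pattern):
    """Offset of the single match of a CE-style AOB; refuses ambiguous patterns."""
    body = b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in pattern.split())
    hits = [m.start() for m in re.finditer(body, image, re.DOTALL)]
    if len(hits) != 1:
        raise ValueError(f"pattern matched {len(hits)} times, need exactly 1")
    return hits[0]


def patch_with_backup(image, pattern, new_bytes, lead=len(SUB_EAX_ESI)):
    """Locate the lea, step back over the sub eax,esi in front of it, save the bytes
    that are really there (the readmem idea), then overwrite them."""
    start = find_unique(image, pattern) - lead
    backup = (start, image[start:start + len(new_bytes)])
    patched = image[:start] + new_bytes + image[start + len(new_bytes):]
    return patched, backup


def restore(image, backup):
    """Put back exactly what was saved; no build-specific bytes are hard-coded."""
    start, original = backup
    return image[:start] + original + image[start + len(original):]


def demo():
    bases = [0x00EF0000, 0x00A30000, 0x01120000]   # constructed 64 KiB-aligned image bases
    wild = varying_bytes([encode_lea(b) for b in bases])
    pattern = pattern_from(encode_lea(bases[0]), wild)   # "8D 0C 8D 20 9E ?? 01"
    # 9-byte replacement covering sub (2) + lea (7): jmp rel32 placeholder + 4 nops
    hook = b"\xE9" + b"\x00" * 4 + b"\x90" * 4
    results = {"pattern": pattern, "restore_exact": True}
    for base in bases:
        image = build_image(base)
        patched, backup = patch_with_backup(image, pattern, hook)
        results[hex(base)] = backup[1].hex(" ").upper()      # differs per base in byte 8
        results["restore_exact"] = results["restore_exact"] and restore(patched, backup) == image
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Deriving the wildcards from several encodings rather than guessing makes the relocation dependence explicit, and keeping the backup keyed by offset means the restore step is verifiable: after the disable the region compares equal to what was read before the enable.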
Rydian (Grandmaster Cheater Supreme, Reputation: 31; Joined: 17 Sep 2012; Posts: 1358)
Posted: Tue Jun 02, 2015 12:14 pm
Couldn't you focus on the opcode above your target and include the target too?
nack911 (Newbie cheater, Reputation: 0; Joined: 25 Jun 2015; Posts: 13)
Posted: Thu Jun 25, 2015 6:36 am Post subject: The game crashes after nop
How do I counter this problem? The cheat is successful but after a minute or so the game crashes.