Cheat Engine The Official Site of Cheat Engine
|
View previous topic :: View next topic |
Author |
Message |
thenewcomer Newbie cheater Reputation: 0
Joined: 09 Mar 2013 Posts: 22 Location: Behind you
Posted: Sun Jul 13, 2014 11:20 pm Post subject: cycle through aobscan with multiple results
I know there's a way to do this in autoassembly, but I'm not sure on the syntax since I know close to nothing about coding.
Let's say I aobscan for the bytes "13 37 DE AD BE EF" and it returns 20 results. I know how to change the first one, and I know how to change all of the results.
But how would I go about changing, let's say, only the fourth result?
I know this is bad technique but it's the closest thing to "update-proof" I can get. If I wildcard the AOB, I get 28 results or some such. If I keep certain bytes, they get patched. Can't lengthen the array either. I've tried searching for the name of the function as a string and getting the offset, and that didn't work. Since it loads in Flash, pointers aren't an option. Such an annoyance!
I found a Lua function on a post from Dark Byte 3 years ago that would work perfectly, except it called a nonexistent label and other things lol.
_________________
-TNC
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Mon Jul 14, 2014 4:11 am
"if i wildcard the aob, i get 28 results or some such. if i keep certain bytes, they get patched."
Steps:
1. Resize the Memory Viewer and resize the Hex Viewer (bottom part). Ten lines before and 10 lines after, around your hack point, should be visible.
2. Take a screenshot of the Memory Viewer and attach it to your post.
3. Tell us what bytes get patched (offsets?).
Then, maybe we can help.
The other way is to use a Lua script, or place a Lua script inside an AA script (CE 6.4 and above).
_________________
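Added example (editor's, not code from the thread and not the Dark Byte function the OP refers to): a Cheat Engine Lua script that runs the wildcarded scan, takes only the 4th hit, and rewrites the pushshort operand at a fixed offset inside that hit. It assumes the CE 6.4 Lua API as documented in celua.txt (AOBScan returning a StringList of hex address strings that must be freed with destroy(), plus getAddress, readBytes and writeBytes); the target index (4), the operand offset (35) and the replacement value (500) are illustrative assumptions. Paste it into the Lua Engine window or the table's Lua script; as mgr.inz.Player mentions, the same body can also sit in the Lua section of an AA script on CE 6.4 and above.

```lua
-- Added example, not code from the thread. Uses the Cheat Engine Lua API
-- (AOBScan / getAddress / readBytes / writeBytes, CE 6.4 and above) as
-- documented in celua.txt; adjust the calls if your CE version differs.

-- The wildcarded startTimer() pattern from the thread. Counting from the
-- first byte of the pattern, offset 35 is the 25 (pushshort) opcode and
-- offsets 36..37 are its u30 operand e8 07 = 1000.
local PATTERN = "f1 ?? ?? ?? f0 ?? ?? d0 30 f0 ?? ?? d0 66 ?? ?? 12 ?? ?? ?? "
             .. "f0 ?? ?? d0 4f ?? ?? ?? f0 ?? ?? d0 5d ?? ?? 25 e8 07 d0 66 ?? ?? "
             .. "4a ?? ?? ?? 68 ?? ?? f0 ?? ?? d0 66 ?? ?? 60 ?? 66 ?? ?? ?? d0 66 ?? ?? "
             .. "27 24 00 26 4f ?? ?? ?? f0 ?? ?? d0 66 ?? ?? 4f ?? ?? ?? f0 ?? ?? 47"
local PUSHSHORT_OFFSET = 35   -- position of "25 e8 07" inside the pattern
local TARGET_INDEX     = 4    -- the 4th scan result (assumption: that is the wanted one)
local NEW_VALUE        = 500  -- assumed replacement for the 1000 operand

-- Encode value as an AVM2 u30: 7 data bits per byte, high bit set = more bytes follow.
local function encodeU30(value)
  local out = {}
  repeat
    local b = value % 128
    value = math.floor(value / 128)
    if value > 0 then b = b + 128 end
    out[#out + 1] = b
  until value == 0
  return out
end

-- Scan for pattern and return the address of result number n (1-based)
-- plus the total number of hits; nil, count when n is out of range.
local function findNthResult(pattern, n)
  local results = AOBScan(pattern)      -- StringList of hex addresses, or nil
  if results == nil then return nil, 0 end
  local count = results.getCount()
  local addr = nil
  if n >= 1 and n <= count then
    addr = getAddress(results.getString(n - 1))   -- the list is 0-based
  end
  results.destroy()                     -- free the list CE handed us
  return addr, count
end

-- Replace the operand of the pushshort at hit+offset. The new u30 must take
-- the same number of bytes as the old one (two: values 128..16383), or every
-- following instruction shifts and the method body is corrupted.
-- Returns the original 3 bytes so the change can be undone, or nil and a reason.
local function patchPushShort(hit, offset, newValue)
  local enc = encodeU30(newValue)
  if #enc ~= 2 then
    return nil, ("value %d does not encode in 2 u30 bytes"):format(newValue)
  end
  local original = readBytes(hit + offset, 3, true)   -- table {0x25, 0xe8, 0x07}
  if original == nil or original[1] ~= 0x25 then
    return nil, ("no pushshort at %X"):format(hit + offset)
  end
  writeBytes(hit + offset + 1, enc[1], enc[2])
  return original
end

local hit, count = findNthResult(PATTERN, TARGET_INDEX)
print(("AOB scan: %d result(s)"):format(count))
if hit == nil then
  print("result #" .. TARGET_INDEX .. " does not exist, nothing patched")
else
  local backup, err = patchPushShort(hit, PUSHSHORT_OFFSET, NEW_VALUE)
  if backup == nil then
    print("patch failed: " .. err)
  else
    local oldValue = backup[2] % 128 + (backup[3] % 128) * 128
    print(("patched %X: pushshort %d -> %d"):format(hit + PUSHSHORT_OFFSET, oldValue, NEW_VALUE))
    -- to revert: writeBytes(hit + PUSHSHORT_OFFSET, backup[1], backup[2], backup[3])
  end
end
```

The check on the opcode byte before writing is what protects you when the pattern matches something that is not the function you inspected: the script refuses to write unless a 25 is really sitting at the expected offset of the chosen hit, and it keeps the original bytes so a bad guess about which of the 28 hits is "yours" can be undone.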
661089799107 Expert Cheater Reputation: 3
Joined: 25 Jan 2009 Posts: 186
Posted: Mon Jul 14, 2014 8:21 am
Edit: Sorry missed the part where you mentioned wildcard already.
Last edited by 661089799107 on Mon Jul 14, 2014 6:40 pm; edited 3 times in total
thenewcomer Newbie cheater Reputation: 0
Joined: 09 Mar 2013 Posts: 22 Location: Behind you
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Mon Jul 14, 2014 1:01 pm
Maybe you can make sense of this. I did not try everything outlined in that thread, I admit.
DaSpamer Grandmaster Cheater Supreme Reputation: 52
Joined: 13 Sep 2011 Posts: 1578
Posted: Mon Jul 14, 2014 3:03 pm Post subject: Re: lol
++METHOS wrote:
    Maybe you can make sense of this. I did not try everything outlined in that thread, I admit.
This solution suits offline games (as long as they're not updated), but since it's about a Flash game, this solution probably won't work.
thenewcomer wrote:
    mgr.inz.Player wrote:
        "if i wildcard the aob, i get 28 results or some such. if i keep certain bytes, they get patched."
        Steps:
        1. Resize the Memory Viewer and resize the Hex Viewer (bottom part). Ten lines before and 10 lines after, around your hack point, should be visible.
        2. Take a screenshot of the Memory Viewer and attach it to your post.
        3. Tell us what bytes get patched (offsets?).
        Then, maybe we can help.
        The other way is to use a Lua script, or place a Lua script inside an AA script (CE 6.4 and above).
    This is the entire function. The bytes between functions fluctuate in size.
    Also, I know ?? is any character; that's what I mean by wildcard.
    Code:
        private function startTimer() : void
        //f1 99 ca 02
        //f0 f1 0b
        //d0
        //30
        //f0 f3 0b
        //d0
        //66 db 5d
        //12 08 00 00 <-- doesn't change
        //f0 f5 0b
        //d0
        //4f a8 5e 00
        //f0 f8 0b
        //d0
        //5d 80 02
        //25 e8 07 <-- what I'm modifying, also doesn't change
        //d0
        //66 dc 5d
        //4a 80 02 02
        //68 db 5d
        //f0 f9 0b
        //d0
        //66 db 5d
        //60 7a
        //66 bd 8e 01
        //d0
        //66 a9 5e
        //27
        //24 00 <-- doesn't change
        //26
        //4f 91 1a 05 <-- only the 2 middle bytes get patched
        //f0 fb 0b
        //d0
        //66 db 5d
        //4f 92 2d 00 <-- only the 2 middle bytes get patched
        //f0 fc 0b
        //47 <-- ends the function
        }// end function
    And the resulting wildcarded array is
    Code:
        f1 ?? ?? ?? f0 ?? ?? d0 30 f0 ?? ?? d0 66 ?? ?? 12 08 00 00 f0 ?? ?? d0 4f ?? ?? ?? f0 ?? ?? d0 5d ?? ?? 25 e8 07 d0 66 ?? ?? 4a ?? ?? ?? 68 ?? ?? f0 ?? ?? d0 66 ?? ?? 60 ?? 66 ?? ?? ?? d0 66 ?? ?? 27 24 00 26 4f ?? ?? 05 f0 ?? ?? d0 66 ?? ?? 4f ?? ?? 00 f0 ?? ?? 47
    And when I search for it, the result is 28 found addresses. The 4th one is the correct one I want to modify.
OK, some tip... never rely on jump offsets or 'any' non-changing bytes (if they're not numbers).
Basically treat most functions this way..
Code:
    private function startTimer() : void
    //f1 XX XX XX
    //f0 XX XX
    //d0
    //30
    //f0 XX XX
    //d0
    //66 XX XX
    //12 XX XX XX
    //f0 XX XX
    //d0
    //4f XX XX XX
    //f0 XX XX
    //d0
    //5d XX XX
    //25 e8 07
    //d0
    //66 XX XX
    //4a XX XX XX
    //68 XX XX
    //f0 XX XX
    //d0
    //66 XX XX
    //60 XX
    //66 XX XX XX
    //d0
    //66 XX XX
    //27
    //24 00
    //26
    //4f XX XX XX
    //f0 XX XX
    //d0
    //66 XX XX
    //4f XX XX XX
    //f0 XX XX
    //47 <-- ends the function
    }// end function
So the AoB is
Code:
    f1 ?? ?? ?? f0 ?? ?? d0 30 f0 ?? ?? d0 66 ?? ?? 12 ?? ?? ?? f0 ?? ?? d0 4f ?? ?? ?? f0 ?? ?? d0 5d ?? ?? 25 e8 07 d0 66 ?? ?? 4a ?? ?? ?? 68 ?? ?? f0 ?? ?? d0 66 ?? ?? 60 ?? 66 ?? ?? ?? d0 66 ?? ?? 27 24 00 26 4f ?? ?? ?? f0 ?? ?? d0 66 ?? ?? 4f ?? ?? ?? f0 ?? ?? 47
Now, when you're getting many results and cannot narrow them down (without keeping it 'dynamic')...
So what I'm doing is searching for the AoB (without the wildcards) and dumping the memory area (the AoB + 50 to 100 bytes after the last byte of the AoB)...
So for example you end up with this AoB (you didn't specify the game.. so I just added a different function):
Quote:
    [orange = your AoB]
    f1 99 ca 02 f0 f1 0b d0 30 f0 f3 0b d0 66 db 5d 12 08 00 00 f0 f5 0b d0 4f a8 5e 00 f0 f8 0b d0 5d 80 02 25 e8 07 d0 66 dc 5d 4a 80 02 02 68 db 5d f0 f9 0b d0 66 db 5d 60 7a 66 bd 8e 01 d0 66 a9 5e 27 24 00 26 4f 91 1a 05 f0 fb 0b d0 66 db 5d 4f 92 2d 00 f0 fc 0b 47
    [blue = wildcard area (information about the function that comes after it..)]
    00 00 9F 01 02 01 06 07 38
    [white = the function that comes after the function you're modifying (let's call it endTime())]
    D0 30 D0 66 88 01 46 E4 03 00 96 2A 12 06 00 00 29 D0 66 E9 01 96 2A 12 06 00 00 29 D0 66 94 02 96 2A 12 06 00 00 29 D0 66 95 02 96 2A 12 06 00 00 29 D0 66 96 02 96 48
So now basically we're gonna make 1 AoB, so we're gonna wildcard all the bytes that can change after an update (and the information about the function), assuming you remember the opcodes' byte representation.
So that's the before and after AoBs you're ending up with:
Quote:
    f1 99 ca 02 f0 f1 0b d0 30 f0 f3 0b d0 66 db 5d 12 08 00 00 f0 f5 0b d0 4f a8 5e 00 f0 f8 0b d0 5d 80 02 25 e8 07 d0 66 dc 5d 4a 80 02 02 68 db 5d f0 f9 0b d0 66 db 5d 60 7a 66 bd 8e 01 d0 66 a9 5e 27 24 00 26 4f 91 1a 05 f0 fb 0b d0 66 db 5d 4f 92 2d 00 f0 fc 0b 47 00 00 9F 01 02 01 06 07 38 D0 30 D0 66 88 01 46 E4 03 00 96 2A 12 06 00 00 29 D0 66 E9 01 96 2A 12 06 00 00 29 D0 66 94 02 96 2A 12 06 00 00 29 D0 66 95 02 96 2A 12 06 00 00 29 D0 66 96 02 96 48
Quote:
    f1 ?? ?? ?? f0 ?? ?? d0 30 f0 ?? ?? d0 66 ?? ?? 12 ?? ?? ?? f0 ?? ?? d0 4f ?? ?? ?? f0 ?? ?? d0 5d ?? ?? 25 e8 07 d0 66 ?? ?? 4a ?? ?? ?? 68 ?? ?? f0 ?? ?? d0 66 ?? ?? 60 ?? 66 ?? ?? ?? d0 66 ?? ?? 27 24 00 26 4f ?? ?? ?? f0 ?? ?? d0 66 ?? ?? 4f ?? ?? ?? f0 ?? ?? 47 ?? ?? ?? ?? ?? ?? ?? ?? ?? d0 30 d0 66 ?? ?? 46 ?? ?? ?? ?? 2a 12 ?? ?? ?? 29 d0 66 ?? ?? ?? 2a 12 ?? ?? ?? 29 d0 66 ?? ?? ?? 2a 12 ?? ?? ?? 29 d0 66 ?? ?? ?? 2a 12 ?? ?? ?? 29 d0 66 ?? ?? ?? 48
_________________
thenewcomer Newbie cheater Reputation: 0
Joined: 09 Mar 2013 Posts: 22 Location: Behind you
Posted: Mon Jul 14, 2014 10:35 pm Post subject: Re: lol
++METHOS wrote:
    Maybe you can make sense of this. I did not try everything outlined in that thread, I admit.
This is exactly what I was looking for, thanks. Gonna see if I can get it working tonight.
DaSpamer wrote:
    OK, some tip... never rely on jump offsets or 'any' non-changing bytes (if they're not numbers).
    Basically treat most functions this way..
Heh, I know how to wildcard an array too, thanks anyway though.
Also those two lines with the last bytes still on them, those bytes are parameters (numbers) that don't change.
DaSpamer wrote:
    Now, when you're getting many results and cannot narrow them down (without keeping it 'dynamic')...
    So what I'm doing is searching for the AoB (without the wildcards) and dumping the memory area (the AoB + 50 to 100 bytes after the last byte of the AoB)...
    So now basically we're gonna make 1 AoB, so we're gonna wildcard all the bytes that can change after an update (and the information about the function), assuming you remember the opcodes' byte representation.
That makes sense, but doesn't the amount of bytes in between the functions fluctuate? I was under the impression it did, but I could be wrong. I'll have to test it out along with the new function in the thread mentioned above. Thanks guys.
_________________
-TNC
DaSpamer Grandmaster Cheater Supreme Reputation: 52
Joined: 13 Sep 2011 Posts: 1578
Posted: Mon Jul 14, 2014 10:49 pm Post subject: Re: lol
thenewcomer wrote:
    That makes sense, but doesn't the amount of bytes in between the functions fluctuate? I was under the impression it did, but I could be wrong. I'll have to test it out along with the new function in the thread mentioned above. Thanks guys.
The bytes can change but the count remains the same.
_________________
thenewcomer Newbie cheater Reputation: 0
Joined: 09 Mar 2013 Posts: 22 Location: Behind you
Posted: Tue Jul 15, 2014 1:21 am Post subject: Re: lol
DaSpamer wrote:
    The bytes can change but the count remains the same.
That's great news for us then lol
_________________
-TNC
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Tue Jul 15, 2014 2:45 am Post subject: Re: lol
DaSpamer wrote:
    The bytes can change but the count remains the same.
Are you sure?
@thenewcomer, how many bytes did the startTimer function have before the update?
_________________
DaSpamer Grandmaster Cheater Supreme Reputation: 52
Joined: 13 Sep 2011 Posts: 1578
Posted: Wed Jul 16, 2014 7:23 am Post subject: Re: lol
mgr.inz.Player wrote:
    DaSpamer wrote:
        The bytes can change but the count remains the same.
    Are you sure?
    @thenewcomer, how many bytes did the startTimer function have before the update?
A function's length (amount of bytes) may change, but the info about the function doesn't.
The info contains the following:
00 00 9F 01 02 01 06 07 38
don't know - 00 00 9F
maxstack - 01 (1)
localcount - 02 (2)
initscopedepth - 01 (1)
maxscopedepth - 06 (6)
don't know either - 07 38
So it's safe to just wildcard the function data (as I don't know what the first 3 bytes and the last 2 bytes before the new function begins are).
Function length does not change as long as there were no changes to the way the game was compiled (e.g. property names got shorter, like 66 XX XX XX to 66 XX XX), or the function was not touched (changed / rewritten); if it was touched, it's always better to update manually (hacks are most likely to be patched too).
_________________
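Added example (editor's, not code from the thread): decoding those nine bytes, and the bytes after them, with the method_body_info layout from the ActionScript 3 ABC file format. It is plain Lua with no CE API calls, so it runs in CE's Lua engine or in a standalone interpreter; the input is the dump DaSpamer posted, starting at the 00 00 right after 47, embedded as a constructed string. Under that layout the 00 00 are the exception_count and trait_count that close the patched method body, 9F 01 is the next method's method index (u30 = 159), and 02 01 06 07 38 are its max_stack (2), local_count (1), init_scope_depth (6), max_scope_depth (7) and code_length (0x38 = 56), one field along from the labels in the post; the 56 bytes that follow are exactly that method's code, which is why the nine-byte block wildcards cleanly. The caveat the code makes explicit: every one of those fields is a u30 varint, so the block keeps its length only while each value stays below 128 (one byte) or 16384 (two bytes), and the same applies to instruction operands such as the constant-pool index of 66 (getproperty), which is what turns 66 XX XX into 66 XX XX XX.

```lua
-- Added example, not code from the thread: decode the bytes that follow the
-- 47 (returnvoid) of startTimer() using the method_body_info layout of the
-- ActionScript 3 ABC format:
--   u30 method, u30 max_stack, u30 local_count, u30 init_scope_depth,
--   u30 max_scope_depth, u30 code_length, u8 code[code_length],
--   u30 exception_count, exception_info[...], u30 trait_count, traits_info[...]
-- u30 is a little-endian varint (7 bits per byte, high bit = more follows),
-- so a field grows from 1 to 2 bytes at 128 and from 2 to 3 bytes at 16384.

-- Constructed input: DaSpamer's dump, from the first byte after 47.
local DUMP_HEX = "00 00 9F 01 02 01 06 07 38 "
              .. "D0 30 D0 66 88 01 46 E4 03 00 96 2A 12 06 00 00 29 "
              .. "D0 66 E9 01 96 2A 12 06 00 00 29 D0 66 94 02 96 2A 12 06 00 00 29 "
              .. "D0 66 95 02 96 2A 12 06 00 00 29 D0 66 96 02 96 48"

local function hexToBytes(hex)
  local bytes = {}
  for pair in hex:gmatch("%x%x") do bytes[#bytes + 1] = tonumber(pair, 16) end
  return bytes
end

-- Read a u30 at 1-based index pos. Returns value, index after it, byte length.
local function readU30(bytes, pos)
  local value, mult, len = 0, 1, 0
  local b
  repeat
    b = bytes[pos + len]
    if b == nil then error("truncated u30 at " .. (pos + len)) end
    value = value + (b % 128) * mult
    mult = mult * 128
    len = len + 1
  until b < 128 or len == 5
  return value, pos + len, len
end

-- Parse the tail of the patched method body and the header of the next one.
local function decodeAfterReturnVoid(bytes)
  local pos = 1
  local tail, nxt = {}, {}
  tail.exception_count, pos = readU30(bytes, pos)
  tail.trait_count, pos = readU30(bytes, pos)
  -- With 0 exceptions and 0 traits nothing else precedes the next method body;
  -- non-zero counts would be followed by exception_info / traits_info entries
  -- and the header read below would be misaligned.
  if tail.exception_count ~= 0 or tail.trait_count ~= 0 then
    error("exception/trait entries present; next header is not at this offset")
  end
  local hdrStart = pos
  nxt.method, pos = readU30(bytes, pos)
  nxt.max_stack, pos = readU30(bytes, pos)
  nxt.local_count, pos = readU30(bytes, pos)
  nxt.init_scope_depth, pos = readU30(bytes, pos)
  nxt.max_scope_depth, pos = readU30(bytes, pos)
  nxt.code_length, pos = readU30(bytes, pos)
  nxt.header_bytes = pos - hdrStart            -- size of the header part of the "info" block
  nxt.code_bytes_in_dump = #bytes - pos + 1    -- compare against code_length
  return tail, nxt
end

local tail, nxt = decodeAfterReturnVoid(hexToBytes(DUMP_HEX))
print(("patched method: exception_count=%d trait_count=%d")
  :format(tail.exception_count, tail.trait_count))
print(("next method: method=%d max_stack=%d local_count=%d init_scope_depth=%d max_scope_depth=%d code_length=%d")
  :format(nxt.method, nxt.max_stack, nxt.local_count,
          nxt.init_scope_depth, nxt.max_scope_depth, nxt.code_length))
print(("info block = %d bytes (2 tail + %d header), code bytes present in dump = %d")
  :format(nxt.header_bytes + 2, nxt.header_bytes, nxt.code_bytes_in_dump))
```

When code bytes present equals code_length, the dump you are looking at is one complete method body followed by the next one, and the nine-byte info block is the only thing between the two code regions; if a later build reports a different code_length, the next function moved and an AoB that spans both functions needs to be re-taken rather than re-wildcarded.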