wizzar (How do I cheat?)
Reputation: 0
Joined: 19 Oct 2015 Posts: 7
Posted: Mon Oct 19, 2015 1:36 pm Post subject: offset from base pointer is variable
So I found a base pointer (green address 005D75C0) which is a 4th level pointer. So, to make it point to where I want, I must add 4 offsets: 8, d0, 1c8c and 2. The first two, 8 and d0, never change. However, 1c8c changes whenever the game is restarted. It is an array index (eax*ebx*4+A4). Does this mean it is not possible to find a constant path to the information I want?
Gniarf (Grandmaster Cheater Supreme)
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Mon Oct 19, 2015 2:24 pm
The game knows the path to your object, so it is always possible to find a path to it. It may however be a damn friggin' pain...
Currently CE has no support for variable offsets, so the best you could do if you don't want to do some assembly coding is make a Lua script that would find the array index, compute the 3rd offset, and add a proper pointer to the cheat table. But of course you'd have to figure out where the index comes from.
A usually simpler method is to find out what accesses your variable, pick a function that doesn't access any other, and modify it so that it overwrites your variable or logs its address at a known location.
Modding the game is also an option to consider (especially in rpgmaker/renpy games).
_________________
DO NOT PM me if you want help on making/fixing/using a hack.
wizzar (How do I cheat?)
Reputation: 0
Joined: 19 Oct 2015 Posts: 7
Posted: Mon Oct 19, 2015 2:39 pm
Wouldn't the function be on a random address? Also, how can I make sure a function does not access anything other than my variable?
Gniarf (Grandmaster Cheater Supreme)
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Mon Oct 19, 2015 3:24 pm
wizzar wrote: "Wouldn't the function be on a random address?"
For old games that use a static base (win xp era and older): no, unless it is located in a dll.
For newer games that use ASLR (vista era and later): yes, but the game.exe+1234 format will still reliably locate them.
For flash/.net (ex: unity) games or basically anything that uses JIT compiling: yes, but you can locate your function with a signature scan (aka aobscan).
Since aobscans also make your hack somewhat patch-resistant it is recommended to use this anyway.
wizzar wrote: "Also, how can I make sure a function does not access anything other than my variable?"
Right click in the find out what *** window->check if found opcodes... Once this is enabled, the number between parentheses in the count column indicates the number of different addresses accessed.
wizzar (How do I cheat?)
Reputation: 0
Joined: 19 Oct 2015 Posts: 7
Posted: Tue Oct 20, 2015 12:27 am
I found a function that deals with the variable; I restarted several times and the function address didn't change (Game.004F5CE4).
Inside the function, the 11th instruction stores the offset in EAX.
This function is executed when player enters the game.
Can't I track that?
Gniarf (Grandmaster Cheater Supreme)
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Tue Oct 20, 2015 3:50 am
Given what you found, the least bad solution I see is to make an assembler script that would slightly modify the function at Game.004F5CE4 to store the offset at a known location, and a Lua script (embedded inside a separate assembler script) that would read this offset and update the offset of your pointer in the table.
Cheat Engine does not understand [[[game.exe+1234]+4]+[game.exe+5678]].
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003 Posts: 25785 Location: The Netherlands
Posted: Tue Oct 20, 2015 5:07 am
You can always use lua to fill in the offset part (or update it with a timer)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
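Putting Dark Byte's suggestion into concrete form, as an added example that is not code from the thread: a Cheat Engine Lua script that reads the per-session index from a known location (the assumed symbol offsetStore, which a separate AA patch of the kind Gniarf describes would have to write), pushes it into the variable offset of a table record (assumed description "My value"), and re-runs on a timer. Which position in the record's Offset[] list holds the variable offset is also an assumption and must be checked against the table.

```lua
-- Added example, not code from the thread. Keeps a Cheat Engine pointer record
-- in sync with a per-session array index for the chain from the first post:
--   [[[[005D75C0]+8]+d0]+<index>]+2   where <index> changes every restart.
-- Assumptions (not on the page): OFFSET_STORE is a symbol registered by a
-- separate AA patch that saves the index; RECORD_DESC names the table record;
-- VAR_OFFSET_INDEX is the index's position in rec.Offset[] (verify in your table).
local BASE             = "005D75C0"     -- static (green) address from the thread
local OFFSET_STORE     = "offsetStore"  -- assumed symbol name
local RECORD_DESC      = "My value"     -- assumed record description
local VAR_OFFSET_INDEX = 1              -- assumed; check your table's Offset[] order

-- Walks the chain by hand with the given index; returns the final address, or nil
-- if any level is unreadable (e.g. the object has not been created yet).
local function resolveChain(index)
  local p = readPointer(BASE)
  if p == nil then return nil end
  p = readPointer(p + 0x8)
  if p == nil then return nil end
  p = readPointer(p + 0xd0)
  if p == nil then return nil end
  p = readPointer(p + index)
  if p == nil then return nil end
  return p + 0x2
end

-- Reads the stored index and writes it into the record's variable offset.
-- Returns true when the record was updated, false when the store or record is
-- unavailable (the function that saves the index may not have run yet).
local function updateRecordOffset()
  local index = readInteger(OFFSET_STORE)
  if index == nil then return false end
  local rec = getAddressList().getMemoryRecordByDescription(RECORD_DESC)
  if rec == nil or rec.OffsetCount <= VAR_OFFSET_INDEX then return false end
  if rec.Offset[VAR_OFFSET_INDEX] ~= index then
    rec.Offset[VAR_OFFSET_INDEX] = index
  end
  -- Sanity check: the record's own resolution should agree with the manual walk.
  local manual = resolveChain(index)
  if manual ~= nil and manual ~= rec.CurrentAddress then
    print(string.format("warning: record resolves to %X, manual walk to %X",
                        rec.CurrentAddress or 0, manual))
  end
  return true
end

-- Dark Byte's "update it with a timer": refresh the offset twice a second.
local refresh = createTimer(nil, false)
refresh.Interval = 500
refresh.OnTimer = function() updateRecordOffset() end
refresh.Enabled = true
```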
wizzar (How do I cheat?)
Reputation: 0
Joined: 19 Oct 2015 Posts: 7
Posted: Tue Oct 20, 2015 5:15 pm
The perfect solution would be to write a piece of code that would store the values of edx and edc at address 0x004F0186 in variables in my program.
I'm still learning asm, I don't know a "clean" way to do that, and I can't modify the *.exe, so I came up with another solution.
I wrote a debugger in C, attached it to the process thread and set a breakpoint at 0x004F0186. From there I read edx and edc into my program, then I detach the debugger (DebugActiveProcess/DebugActiveProcessStop).
If I could just __asm__ something inline it would be a solution too, but I don't know how to do that, and injection is very easy to detect.
Thank you guys.
panraven (Grandmaster Cheater)
Reputation: 62
Joined: 01 Oct 2008 Posts: 958
Posted: Tue Oct 20, 2015 9:15 pm
hi,
I've made a script to simulate a debug breakpoint and log a register (rcx here) using a code cave; hopefully it would be an alternative solution for the problem of this thread.
It should work as expected.
However, the DEALLOC command in the lua-assemble call seems not to work.
If I copy the print output of the lua-assemble call into a memory record, the memory deallocates properly.
Would DarkByte please check what the problem is?
Thank you~
ADDED:
sorry, somehow there was a typo, it is fixed ~_~
Attachment: 00.logAndActivate.CT (demo on logging rcx on beginning of readProcessMemory @ cheatengine-x86_64.exe)
_________________
- Retarded.
wizzar (How do I cheat?)
Reputation: 0
Joined: 19 Oct 2015 Posts: 7
Posted: Wed Oct 21, 2015 12:52 am
Cool!
Can this be run from my C application?
Does it inject new instructions in the exe?
Sorry for my ignorance, I've only started fiddling with asm, Cheat Engine, olly etc. 2 days ago.
I think I made great progress though.
panraven (Grandmaster Cheater)
Reputation: 62
Joined: 01 Oct 2008 Posts: 958
Posted: Wed Oct 21, 2015 4:03 am
wizzar wrote: "Cool!
Can this be run from my C application?
Does it inject new instructions in the exe?
Sorry for my ignorance, I've only started fiddling with asm, Cheat Engine, olly etc. 2 days ago.
I think I made great progress though."
hi,
the script is in the CE-specific .CT format, which uses a combination of a CE-specific version of the Lua language and Auto Assembler script (AA script) (and other facilities).
The AA script is partially like an assembler script, e.g. masm.
I think it may need a considerable effort to convert this CT functionality to a C application from zero. For example, the "reassemble" functionality may need some disassembler/assembler library/coding.
CE is open source, you may have a look at how that functionality works: https://github.com/cheat-engine/cheat-engine
@DarkByte
a quick test shows the aforementioned DEALLOC problem may not be from the CE side. Sorry for asking for debugging on a mess ~_~
Code:
-- hx is the poster's hex-formatting helper; its definition is not in the post,
-- so this stand-in (string.format with %X) is an assumption added here
local function hx(v) return string.format("%X", v) end
local aa1 = autoAssemble([[
alloc(aatest_1_aa,100,readProcessMemory)
aatest_1_aa:
dq aatest_1_aa
aatest_1_aa+10:
dq 123456789
registersymbol(aatest_1_aa)
]])
if not aa1 then print("aa1 failed") end
print(hx(readQword("aatest_1_aa+10") or -1))
local aa2 = autoAssemble([[
dealloc(aatest_1_aa)
unregistersymbol(aatest_1_aa)
]])
if not aa2 then print("aa2 failed") end
print(hx(readQword("aatest_1_aa+10") or -1)) -- should not be readable after dealloc
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003 Posts: 25785 Location: The Netherlands
Posted: Wed Oct 21, 2015 4:31 am
dealloc just won't work with the autoAssemble() command. (dealloc only works when inside a cheat table entry)
If you wish to reuse a block of memory every time, use globalalloc instead
panraven (Grandmaster Cheater)
Reputation: 62
Joined: 01 Oct 2008 Posts: 958
Posted: Wed Oct 21, 2015 4:59 am
Dark Byte wrote: "dealloc just won't work with the autoAssemble() command. (dealloc only works when inside a cheat table entry)
If you wish to reuse a block of memory every time, use globalalloc instead"
oh... but the test script I just posted deallocs properly (aatest_1_aa)?
And for generic use of the script, especially the 64-bit rip address thing, it seems the AA script format:
Code: alloc(symbol,size,nearbyTargetAddress)
is necessary. If I'm not wrong, globalalloc allocates memory in the lower 2 GB address range.
ADDED:
ahh.... I did some tests reassembling a high-memory call command into a lower globalalloc memory. Yes, it may be possible to use globalalloc.
Thanks.