Cheat Engine The Official Site of Cheat Engine
ThatBenderGuy Newbie cheater Reputation: 0
Joined: 28 Aug 2013 Posts: 24
Posted: Tue Aug 02, 2016 12:06 am Post subject: Obtaining a base address for use in cheat table?
Okay, so I am trying to get a player's base address in a game, and I found an update instruction for the player's health. Now I want to move the adjusted offset to a custom variable. I think I have the right script, but what I have causes the game to crash. Here is my script:
Code:
define(playerUpdate, starbound.Star::StatSet::update+6B2)
globalalloc(playerBase,250)
[ENABLE]
assert(playerUpdate,F3 0F 11 83 84 00 00 00)
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
movss [rbx+00000084],xmm0
mov [playerBase],rbx
jmp return
playerUpdate:
jmp code
nop
nop
nop
nop
nop
return:
[DISABLE]
playerUpdate:
db F3 0F 11 83 84 00 00 00
How many opcodes does "jmp code" take up? I'm assuming that not having enough nops in there is why it's crashing, but if I could get some insight on this it would be nice.
EDIT:
Okay, so it looks like the jmp instruction is actually too long and overwrites 5-7 instructions within the update instruction area. Is it possible for me to shorten the instruction somehow?
_________________
Fine! I'll go build my own lunar lander, with blackjack and hookers. In fact, forget the lunar lander and the blackjack. Ahh, screw the whole thing!
predprey Master Cheater Reputation: 24
Joined: 08 Oct 2015 Posts: 486
Posted: Tue Aug 02, 2016 2:48 am Post subject:
For 32-bit applications, a full jmp in machine code takes up 5 bytes. The CE template should automatically nop the correct amount when you generate it over an instruction. Overwriting 5-7 instructions seems too much for a single jmp. Are you perhaps reusing a template generated from another instruction and not changing the number of nops appropriately?
TL;DR: the byte code for movss [rbx+00000084],xmm0 is F3 0F 11 83 84, just enough for a jmp instruction. Remove all the nops below playerUpdate:
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4299
Posted: Tue Aug 02, 2016 9:04 am Post subject:
predprey: That's correct for a 32-bit application. This is a 64-bit application (rbx implies 64-bit addressing).
OP: http://forum.cheatengine.org/viewtopic.php?p=5678286#5678286 (not exactly the same, but you should get the point)
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Zanzer I post too much Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Tue Aug 02, 2016 5:25 pm Post subject:
You should just use CE's AOB Injection template and let it handle that magic.
Afterwards, you can replace the aobscan() with your define().
ThatBenderGuy Newbie cheater Reputation: 0
Joined: 28 Aug 2013 Posts: 24
Posted: Tue Aug 02, 2016 6:05 pm Post subject:
Zanzer wrote:
> You should just use CE's AOB Injection template and let it handle that magic.
> Afterwards, you can replace the aobscan() with your define().
I have tried that, and it does work fine, but the second I add my globalalloc it does the same thing and overwrites later instructions.
predprey wrote:
> For 32-bit applications, a full jmp in machine code takes up 5 bytes. The CE template should automatically nop the correct amount when you generate it over an instruction. Overwriting 5-7 instructions seems too much for a single jmp. Are you perhaps reusing a template generated from another instruction and not changing the number of nops appropriately?
> TL;DR: the byte code for movss [rbx+00000084],xmm0 is F3 0F 11 83 84, just enough for a jmp instruction. Remove all the nops below playerUpdate:
Well, I've tried removing all the nops, but it still (for whatever reason) is creating a bunch of add instructions.
I've tried revising my script, but even this one still causes crashes. I moved down a few instructions, as the other ones get jumped to at some point, and this new instruction does not appear to have any jumps directly to it or the following instruction.
Code:
[ENABLE]
globalalloc(playerBase,512)
aobscanmodule(playerUpdate,starbound.exe,48 8D 4C 24 40 48 3B CE) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
lea rcx,[rsp+40]
mov [playerBase],rbx
jmp return
playerUpdate:
jmp code
return:
registersymbol(playerUpdate)
[DISABLE]
playerUpdate:
db 48 8D 4C 24 40
unregistersymbol(playerUpdate)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "starbound.exe"+493666
"starbound.exe"+493629: 80 7C 24 44 00 - cmp byte ptr [rsp+44],00
"starbound.exe"+49362E: 0F 84 48 01 00 00 - je starbound.exe+49377C
"starbound.exe"+493634: 48 8D 8B 88 00 00 00 - lea rcx,[rbx+00000088]
"starbound.exe"+49363B: E8 50 F9 C1 FF - call starbound.exe+B2F90
"starbound.exe"+493640: F3 0F 10 44 24 40 - movss xmm0,[rsp+40]
"starbound.exe"+493646: F3 0F 5E 00 - divss xmm0,[rax]
"starbound.exe"+49364A: F3 0F 59 83 84 00 00 00 - mulss xmm0,[rbx+00000084]
"starbound.exe"+493652: F3 0F 11 83 84 00 00 00 - movss [rbx+00000084],xmm0 <--------- Original instruction that I tried scanning for
"starbound.exe"+49365A: 0F B6 44 24 44 - movzx eax,byte ptr [rsp+44]
"starbound.exe"+49365F: 48 8D B3 88 00 00 00 - lea rsi,[rbx+00000088]
// ---------- INJECTING HERE ----------
"starbound.exe"+493666: 48 8D 4C 24 40 - lea rcx,[rsp+40]
// ---------- DONE INJECTING ----------
"starbound.exe"+49366B: 48 3B CE - cmp rcx,rsi
"starbound.exe"+49366E: 74 30 - je starbound.exe+4936A0
"starbound.exe"+493670: 84 C0 - test al,al
"starbound.exe"+493672: 74 22 - je starbound.exe+493696
"starbound.exe"+493674: 48 8D 4C 24 40 - lea rcx,[rsp+40]
"starbound.exe"+493679: E8 12 F9 C1 FF - call starbound.exe+B2F90
"starbound.exe"+49367E: F3 0F 10 00 - movss xmm0,[rax]
"starbound.exe"+493682: 80 7E 04 00 - cmp byte ptr [rsi+04],00
"starbound.exe"+493686: 74 04 - je starbound.exe+49368C
"starbound.exe"+493688: C6 46 04 00 - mov byte ptr [rsi+04],00
}
Last edited by ThatBenderGuy on Tue Aug 02, 2016 6:16 pm; edited 1 time in total
Zanzer I post too much Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Tue Aug 02, 2016 6:15 pm Post subject:
Oh, that's probably because you're allocating memory and it's likely nowhere near the injection point.
That is causing the jump to be 14 bytes long, as detailed in ParkourPenguin's link.
Use this version of alloc() to tell CE where to allocate the memory near:
Code:
alloc(newmem,$1000,playerUpdate)
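The size question that runs through this thread (a 5-byte E9 rel32 jmp when the trampoline is within 2 GiB, versus the 14-byte absolute jmp that a far alloc() forces, and how many nops that leaves) can be worked through offline. The Python below is an added example, not code from this thread or from Cheat Engine. The instruction lengths come from the disassembly listing ThatBenderGuy posted; the 0x7FF6... module base and the two allocation addresses are assumptions. It also checks whether the return: label lands on an instruction boundary, which is the other reason the first script crashes: 5 nops after an 8-byte movss put return: at +10, two bytes into the following movzx (with the 14-byte jump, at +19, inside the lea).

```python
import struct

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1

# Constructed listings: lengths and mnemonics taken from the byte dump quoted
# in the thread (starbound.exe+493652 and +493666 onwards).
AT_MOVSS = [
    (8, "movss [rbx+00000084],xmm0"),
    (5, "movzx eax,byte ptr [rsp+44]"),
    (7, "lea rsi,[rbx+00000088]"),
    (5, "lea rcx,[rsp+40]"),
]
AT_LEA = [
    (5, "lea rcx,[rsp+40]"),
    (3, "cmp rcx,rsi"),
    (2, "je starbound.exe+4936A0"),
    (2, "test al,al"),
    (2, "je starbound.exe+493696"),
    (5, "lea rcx,[rsp+40]"),
    (5, "call starbound.exe+B2F90"),
]


def jmp_encoding(site, target):
    """Bytes a 'jmp target' assembled at `site` occupies on x86-64.

    E9 rel32 (5 bytes) works when the target lies within +/-2 GiB of the end
    of the jump. Otherwise the absolute form FF 25 00000000 followed by the
    8-byte address (14 bytes) is needed, which is what a far alloc() forces.
    """
    rel = target - (site + 5)
    if INT32_MIN <= rel <= INT32_MAX:
        return b"\xE9" + struct.pack("<i", rel)
    return b"\xFF\x25\x00\x00\x00\x00" + struct.pack("<Q", target)


def hook_footprint(listing, jmp_len):
    """Whole instructions a jump of `jmp_len` bytes written at listing[0]
    overwrites, the NOPs that pad the remainder, and whether any overwritten
    instruction is a relative branch/call (which cannot simply be copied
    into the trampoline unchanged)."""
    covered, taken = 0, []
    for length, text in listing:
        if covered >= jmp_len:
            break
        covered += length
        taken.append(text)
    if covered < jmp_len:
        raise ValueError("listing too short for this jump")
    mnemonics = [t.split()[0] for t in taken]
    relocation_needed = any(m.startswith("j") or m == "call" for m in mnemonics)
    return taken, covered - jmp_len, relocation_needed


def return_on_boundary(listing, patch_len):
    """True if a return: label placed patch_len bytes after the hook lands
    on an instruction boundary rather than inside an instruction."""
    boundary = 0
    for length, _ in listing:
        boundary += length
        if boundary == patch_len:
            return True
        if boundary > patch_len:
            return False
    return False


if __name__ == "__main__":
    base = 0x7FF6_0000_0000            # assumed load address of starbound.exe
    site = base + 0x493652             # the movss the first script hooks
    for alloc in (base + 0x0060_0000, 0x0001_0000):   # near vs far trampoline
        n = len(jmp_encoding(site, alloc))
        taken, nops, reloc = hook_footprint(AT_MOVSS, n)
        print(f"alloc at {alloc:#x}: {n}-byte jmp overwrites {taken}, "
              f"{nops} nops, relocation needed: {reloc}")
    print("return: at +10 on a boundary?", return_on_boundary(AT_MOVSS, 10))
```

The same bookkeeping applies when auditing a process for inline hooks: an E9 at an instruction boundary that leaves the module, or an FF 25 stub followed by an 8-byte pointer, is the footprint this thread is computing from the other side.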
ThatBenderGuy Newbie cheater Reputation: 0
Joined: 28 Aug 2013 Posts: 24
Posted: Tue Aug 02, 2016 10:49 pm Post subject:
Okay, so I got the injection to work, and here is my script:
Code:
[ENABLE]
define(thePlayerUpdate,starbound.Star::StatSet::update+6B2)
alloc(newmem,$1000,thePlayerUpdate)
label(code)
label(return)
newmem:
code:
movss [rbx+00000084],xmm0
jmp return
thePlayerUpdate:
jmp code
nop
nop
nop
return:
registersymbol(thePlayerUpdate)
[DISABLE]
thePlayerUpdate:
db F3 0F 11 83 84 00 00 00
unregistersymbol(thePlayerUpdate)
dealloc(newmem)
Now my only problem is that when I add the instruction globalalloc(playerBase,250) and the instruction mov [playerBase],rbx to my script, the script no longer activates.
ThatBenderGuy Newbie cheater Reputation: 0
Joined: 28 Aug 2013 Posts: 24
Posted: Thu Aug 04, 2016 1:20 am Post subject:
So here is my refined script:
Code:
define(thePlayerUpdate,starbound.Star::StatSet::update+6B2)
globalalloc(playerBase,250)
[ENABLE]
alloc(newmem,$1000,thePlayerUpdate)
label(code)
label(return)
newmem:
code:
movss [rbx+00000084],xmm0
cmp [rbx+138],0
jne return
//mov [playerBase],rbx
jmp return
thePlayerUpdate:
jmp code
nop
nop
nop
return:
registersymbol(thePlayerUpdate)
[DISABLE]
thePlayerUpdate:
db F3 0F 11 83 84 00 00 00
unregistersymbol(playerBase)
unregistersymbol(thePlayerUpdate)
dealloc(newmem)
dealloc(playerBase)
But whenever I uncomment mov [playerBase],rbx, the script no longer activates. Is there a way to find out why just adding this one instruction makes it not activate?
Zanzer I post too much Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Thu Aug 04, 2016 6:07 am Post subject:
Code:
code:
movss [rbx+00000084],xmm0
cmp [rbx+138],0
jne return
push rax
mov rax,playerBase
mov [rax],rbx
pop rax
jmp return
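Zanzer's answer works around an x86-64 encoding limit rather than a CE quirk: the only store with a full 64-bit absolute address is the moffs64 form, and that form takes rax only. A direct mov [playerBase],rbx therefore has to be assembled RIP-relative with a 32-bit displacement, which cannot reach a region that globalalloc() placed more than 2 GiB from newmem; loading the address into a register first makes the store reach anywhere. The thread does not say which error CE reported, so tying the failure to reach is an inference from the encoding rules. The Python below is an added example, not code from the thread or from Cheat Engine; the addresses are constructed, and it emits the register-based sequence from Zanzer's post (push rax; mov rax,imm64; mov [rax],rbx; pop rax) whenever the RIP-relative form would not fit.

```python
import struct

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def fits_rel32(site_end, target):
    """True if `target` lies within a signed 32-bit displacement of the
    address immediately after the instruction (how RIP-relative and rel32
    operands are measured)."""
    return INT32_MIN <= target - site_end <= INT32_MAX


def store_rbx_to(site, target):
    """Machine code for storing rbx to the 64-bit address `target`, assembled
    at `site`.

    48 89 1D disp32 is 'mov [rip+disp32],rbx' (7 bytes) and is used when the
    target is within +/-2 GiB. Otherwise the address is loaded into rax first,
    the sequence the forum answer uses (15 bytes). Constructed example encodings.
    """
    rip_rel_len = 7
    if fits_rel32(site + rip_rel_len, target):
        return b"\x48\x89\x1D" + struct.pack("<i", target - (site + rip_rel_len))
    return (b"\x50"                                    # push rax
            + b"\x48\xB8" + struct.pack("<Q", target)  # mov rax, imm64
            + b"\x48\x89\x18"                          # mov [rax], rbx
            + b"\x58")                                 # pop rax


if __name__ == "__main__":
    newmem = 0x7FF6_0040_0000                      # assumed near alloc()
    for player_base in (0x7FF6_0050_0000, 0x0001_0000):   # near vs far global
        code = store_rbx_to(newmem, player_base)
        print(f"playerBase at {player_base:#x}: {len(code)} bytes: {code.hex(' ')}")
```

The register form costs a push/pop around the store, which is why Zanzer saves and restores rax; a detector scanning a trampoline for writes to addresses outside the module's image would see exactly this 48 B8 imm64 pattern.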