Cheat Engine The Official Site of Cheat Engine
YoucefHam Cheater Reputation: 5
Joined: 19 Mar 2015 Posts: 39 Location: Algeria
Posted: Thu Jan 26, 2017 11:24 am Post subject: [SOLVED] Put a RANDOM number (in range) every time in function
Hello
I have been searching for days and trying every script I find, but no luck.
So I want a big help from experts, please help me.
I am using the Cheat Engine Tutorial as an example; I tried every script in here.
I managed to get one of them working, but there is no range in it, just random numbers.
jgoemat wrote: | If you use LUA it will only generate the random number when assembling, i.e. once when they enable the script (untried):
Code: |
label(myRandomNumber)
myRandomNumber:
{$lua}
return string.format("dd #%d", math.random(100))
{$asm}
// this should return something like "dd #97"
|
If you want a new random number every time you will have to get some code for a random number generator. There is some sample code if you do a search, or you could write a quick c program that calls rand() and debug it and view the assembly as you step through it. I don't know if it is available in a dll. Taking the simple c code from wikipedia:
Code: |
m_w = <choose-initializer>; /* must not be zero, nor 0x464fffff */
m_z = <choose-initializer>; /* must not be zero, nor 0x9068ffff */
uint get_random()
{
    m_z = 36969 * (m_z & 65535) + (m_z >> 16);
    m_w = 18000 * (m_w & 65535) + (m_w >> 16);
    return (m_z << 16) + m_w; /* 32-bit result */
} |
This might work (untried):
Code: |
newmem:
label(m)
m:
dd 12345678 87654321 // m_w and m_z
label(rand)
rand:
push ebx
push ecx
push edx
mov ebx,[m]
mov ecx,ebx
and ecx,0000ffff // ecx is now (m_w & 65535)
shr ebx,10 // ebx is now (m_w >> 16)
mov eax, #18000
mul ecx
add eax,ebx
mov [m],eax // update m_w
mov ebx, [m+04]
mov ecx,ebx
and ebx,0000ffff // ebx is now (m_z & 65535)
shr ecx,10 // ecx is now (m_z >> 16)
mov eax,#36969
mul ebx
add eax,ecx
mov [m+04],eax // update m_z
// eax still m_z
shl eax,10 // eax now (m_z << 16)
add eax,[m] // add m_w
pop edx
pop ecx
pop ebx
ret
// here's your code
code:
push eax
call rand
and eax,00FF
mov [esi+14],eax // HERE
pop eax
mov [pPedestal],esi
jmp return
|
Last edited by YoucefHam on Thu Jan 26, 2017 7:05 pm; edited 1 time in total |
ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
YoucefHam Cheater Reputation: 5
Joined: 19 Mar 2015 Posts: 39 Location: Algeria
Posted: Thu Jan 26, 2017 11:59 am Post subject:
I saw that one, but I get 1 random number in 1~2 sec
and the function is executed 50 times in 1 sec.
ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
Posted: Thu Jan 26, 2017 12:01 pm Post subject:
Try learning from the code instead of copying and pasting it.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
YoucefHam Cheater Reputation: 5
Joined: 19 Mar 2015 Posts: 39 Location: Algeria
Posted: Thu Jan 26, 2017 4:04 pm Post subject:
ParkourPenguin wrote: | Try learning from the code instead of copying and pasting it. |
Thanks bro.
I managed to get it to work,
but I don't want it to work all the time.
I want it to get a random number when I click the button.
I tried stopping your code but I couldn't; it crashes every time.
Thanks.
|
ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
Posted: Thu Jan 26, 2017 4:16 pm Post subject:
I will say this once more, then I'm done: stop copying and pasting code you don't understand. Examples are provided so that people can learn from them. I gave a lengthy explanation of my example in that topic for this reason.
In this case, try to write a code injection that will generate a pseudorandom number from msvcrt's rand without copying and pasting someone else's code. If you can't get it to work, post the code here and I or someone else will help you with it.
(note that if you call any function to run, all caller-saved registers could be modified by convention, so back them up to avoid undefined behavior)
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
YoucefHam Cheater Reputation: 5
Joined: 19 Mar 2015 Posts: 39 Location: Algeria
Posted: Thu Jan 26, 2017 6:47 pm Post subject:
Thank you for advising me to work out my brain, but I am not good at ASM,
so this is my code. I get a random number in the range. Sorry for the trouble, and thank you.
And this is my final table if anyone needs it in the future.
Just activate it, set the limits (min/max),
then use "call rand"
and use the random number at the address 'RND'.
Example:
newmem:
call rand
code:
mov eax,[RND]
mov [ebx+00000480],eax
jmp return
Filename: RANDOM Number In Range (Thank you ParkourPenguin).CT
ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
Posted: Thu Jan 26, 2017 8:32 pm Post subject:
I didn't explicitly say this, but I expected you to only use one script. Not your own script plus the example I provided.
I'll assume a language barrier is preventing you from understanding my explanation in the previously linked topic, so I'll just give you a solution and hope you can understand code better.
Code: | [ENABLE]
aobscanmodule(INJECT,Tutorial-i386.exe,89 83 80 04 00 00 8D 55 D4 E8 02)
alloc(newmem,1024)
alloc(lowerBound,4)
alloc(upperBound,4)
label(return)
registersymbol(INJECT)
registersymbol(lowerBound)
registersymbol(upperBound)
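newmem:
push edx // back up edx/ecx: rand may clobber them and they are scratch below
push ecx
call msvcrt.rand // eax = pseudorandom number
mov edx,[lowerBound]
mov ecx,[upperBound]
cmp ecx,edx
cmovl ecx,edx // if upperBound < lowerBound, treat lowerBound as the upper bound
inc ecx
sub ecx,edx // ecx = upper - lower + 1 (number of values in the range)
xor edx,edx // clear the high half of the dividend edx:eax
idiv ecx // edx = rand result mod range size
add edx,[lowerBound] // shift into [lowerBound, upperBound]
mov eax,edx // eax is what the original instruction stores
pop ecx
pop edx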
// original code:
mov [ebx+00000480],eax
jmp return
lowerBound:
dd #10
upperBound:
dd #15
INJECT:
jmp newmem
nop
return:
[DISABLE]
INJECT:
db 89 83 80 04 00 00
unregistersymbol(upperBound)
unregistersymbol(lowerBound)
unregistersymbol(INJECT)
dealloc(upperBound)
dealloc(lowerBound)
dealloc(newmem) |
Fun fact: in this specific case, you could just hijack the random number generator CE uses to subtract from the health. Looking at the 5 instructions prior to the write would tell you all you need to know.
Code: | [ENABLE]
aobscanmodule(INJECT,Tutorial-i386.exe,89 83 80 04 00 00 8D 55 D4 E8 02)
registersymbol(INJECT)
INJECT-14:
dd #6 // range (1 = always the same number)
INJECT-B:
db 8D 80
dd #10 // lower bound
db 90 90 90 90 90
[DISABLE]
unregistersymbol(INJECT)
INJECT-14:
dd 5
INJECT-B:
db 8D 50 01 8B 83 80 04 00 00 29 D0
{
Tutorial-i386.exe+23AEB - B8 05000000 - mov eax,00000005
Tutorial-i386.exe+23AF0 - E8 FBABFEFF - call Tutorial-i386.exe+E6F0
Tutorial-i386.exe+23AF5 - 8D 50 01 - lea edx,[eax+01]
Tutorial-i386.exe+23AF8 - 8B 83 80040000 - mov eax,[ebx+00000480]
Tutorial-i386.exe+23AFE - 29 D0 - sub eax,edx
Tutorial-i386.exe+23B00 - 89 83 80040000 - mov [ebx+00000480],eax
} |
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
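The range reduction from the first script in the post above, together with the multiply-with-carry generator quoted earlier in the thread, modelled in C as an added example (not code from any poster in the thread). The names `mwc_seed`, `mwc_next` and `rand_in_range` are hypothetical, and the zero-span guard is an addition that the script does not have.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiply-with-carry generator from the C snippet quoted in the thread.
   Default seeds are the two dwords the quoted assembly stores at label m. */
static uint32_t m_w = 0x12345678u, m_z = 0x87654321u;

void mwc_seed(uint32_t w, uint32_t z) { m_w = w; m_z = z; }

uint32_t mwc_next(void)
{
    m_z = 36969u * (m_z & 65535u) + (m_z >> 16);
    m_w = 18000u * (m_w & 65535u) + (m_w >> 16);
    return (m_z << 16) + m_w;              /* 32-bit result */
}

/* Map a raw draw r into [lo, hi], following the script's steps.
   Caveats: r % span is slightly biased unless span divides the number of
   possible draws, and a source limited to 0..32767 (MSVC rand) cannot
   reach every value of a span larger than 32768. */
int32_t rand_in_range(uint32_t r, int32_t lo, int32_t hi)
{
    if (hi < lo)
        hi = lo;                            /* cmp / cmovl: inverted bounds */
    uint32_t span = (uint32_t)hi - (uint32_t)lo + 1u;   /* inc / sub */
    if (span == 0)                          /* full 32-bit range wraps to 0; */
        return (int32_t)r;                  /* dividing by it would fault    */
    return (int32_t)((uint32_t)lo + r % span);
}

int main(void)
{
    /* Constructed demo: eight draws with the script's bounds 10..15. */
    for (int i = 0; i < 8; i++)
        printf("%d ", rand_in_range(mwc_next(), 10, 15));
    putchar('\n');
    return 0;
}
```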