

AOB injection... help me!

 
brisingr

Posted: Mon Mar 13, 2017 2:13 pm    Subject: AOB injection... help me!

Hey there, I'm trying to assemble a script with aobscan, but unfortunately it doesn't work.

The hardest part is the fst instruction; I don't know how to disable it.

This is the script:

Code:

[ENABLE]
// Locate the 6-byte sequence "fst dword ptr [esi+08]; mov ecx,[esi+10]" in game.dat
// (see the ORIGINAL CODE listing at the bottom) and name its address INJECT.
aobscanmodule(INJECT,game.dat,D9 56 08 8B 4E 10)
alloc(newmem,$1000)

newmem:
label(code)
label(return)
// NOTE(review): ecx has not been reloaded from [esi+10] at this point, so the
// value stored into [esi+08] is whatever ecx held on entry. Per the listing
// below (mov esi,ecx at +284158) that is the same pointer esi holds, not a
// value from the object.
cmp [esi+08],0
jne code
mov [esi+08],ecx
// NOTE(review): execution falls through into "code:" here, so the original
// fst immediately overwrites [esi+08] again with st(0).

code:
  fst dword ptr [esi+08]
  mov ecx,[esi+10]
  jmp return

INJECT:
  jmp code                       // NOTE(review): this enters at "code:", i.e. the
                                 // original instructions, so the cmp/jne/mov block
                                 // in newmem never runs; the hook entry is newmem.
  nop                            // jmp is 5 bytes; nop pads to the 6 bytes replaced

return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db D9 56 08 8B 4E 10           // restore the original 6 bytes

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "game.dat"+284163

"game.dat"+28414D: 90                    -  nop
"game.dat"+28414E: 90                    -  nop
"game.dat"+28414F: 90                    -  nop
"game.dat"+284150: 83 EC 08              -  sub esp,08
"game.dat"+284153: D9 44 24 0C           -  fld dword ptr [esp+0C]
"game.dat"+284157: 56                    -  push esi
"game.dat"+284158: 8B F1                 -  mov esi,ecx
"game.dat"+28415A: 8B 46 08              -  mov eax,[esi+08]
"game.dat"+28415D: 89 46 0C              -  mov [esi+0C],eax
"game.dat"+284160: D8 46 08              -  fadd dword ptr [esi+08]
// ---------- INJECTING HERE ----------
"game.dat"+284163: D9 56 08              -  fst dword ptr [esi+08]
"game.dat"+284166: 8B 4E 10              -  mov ecx,[esi+10]
// ---------- DONE INJECTING  ----------
"game.dat"+284169: 89 4C 24 10           -  mov [esp+10],ecx
"game.dat"+28416D: D8 5C 24 10           -  fcomp dword ptr [esp+10]
"game.dat"+284171: DF E0                 -  fnstsw ax
"game.dat"+284173: F6 C4 41              -  test ah,41
"game.dat"+284176: 75 05                 -  jne game.dat+28417D
"game.dat"+284178: 8B D1                 -  mov edx,ecx
"game.dat"+28417A: 89 56 08              -  mov [esi+08],edx
"game.dat"+28417D: D9 46 08              -  fld dword ptr [esi+08]
"game.dat"+284180: D8 1D A4 9D 93 00     -  fcomp dword ptr [game.dat+539DA4]
"game.dat"+284186: DF E0                 -  fnstsw ax
}
Zanzer

Posted: Mon Mar 13, 2017 3:45 pm

For starters:
Code:
INJECT:
  jmp newmem                     // enter the allocated block (newmem), not the "code:" label

Skip the FST
Code:
  mov [esi+08],ecx               // store in place of the fst that is being skipped
  mov ecx,[esi+10]               // original instruction, still needed so ecx is loaded
  jmp return                     // back to the game; the fst never executes
gameplayer

Posted: Mon Mar 13, 2017 8:07 pm

Let me explain Zanzer's solution. You should add the following two lines just before the label "code:"
Code:
mov ecx,[esi+10]                 // original instruction, kept so ecx is loaded as the game expects
jmp return                       // leave before reaching "code:" and its fst
brisingr

Posted: Wed Mar 15, 2017 2:23 pm

Unfortunately the game crashes. This is my first aobscan and maybe I'm writing something wrong; here is the code:
Code:
[ENABLE]
// Locate "fst dword ptr [esi+08]; mov ecx,[esi+10]" in game.dat and name it INJECT.
aobscanmodule(INJECT,game.dat,D9 56 08 8B 4E 10)
alloc(newmem,$1000)

newmem:
label(code)
label(return)
cmp [esi+08],0
jne code
mov [esi+08],ecx
// NOTE(review): ecx is stored before it is loaded from [esi+10] on the next
// line, so [esi+08] receives the value ecx had on entry (per the listing
// below, the pointer copied into esi at +284158).
mov ecx,[esi+10]
jmp return

code:
  fst dword ptr [esi+08]
  mov ecx,[esi+10]
  jmp return

INJECT:
   jmp newmem                    // NOTE(review): a near jmp is 5 bytes but the
                                 // scanned pattern is 6, so with no trailing nop
                                 // the "return:" label below is INJECT+5, i.e. the
                                 // last byte (10) of the original mov ecx,[esi+10].
                                 // "jmp return" then lands mid-instruction, which
                                 // matches the crash reported; a nop after the jmp
                                 // moves return to INJECT+6 (mov [esp+10],ecx).

return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db D9 56 08 8B 4E 10           // restore the original 6 bytes

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "game.dat"+284163

"game.dat"+28414D: 90                    -  nop
"game.dat"+28414E: 90                    -  nop
"game.dat"+28414F: 90                    -  nop
"game.dat"+284150: 83 EC 08              -  sub esp,08
"game.dat"+284153: D9 44 24 0C           -  fld dword ptr [esp+0C]
"game.dat"+284157: 56                    -  push esi
"game.dat"+284158: 8B F1                 -  mov esi,ecx
"game.dat"+28415A: 8B 46 08              -  mov eax,[esi+08]
"game.dat"+28415D: 89 46 0C              -  mov [esi+0C],eax
"game.dat"+284160: D8 46 08              -  fadd dword ptr [esi+08]
// ---------- INJECTING HERE ----------
"game.dat"+284163: D9 56 08              -  fst dword ptr [esi+08]
"game.dat"+284166: 8B 4E 10              -  mov ecx,[esi+10]
// ---------- DONE INJECTING  ----------
"game.dat"+284169: 89 4C 24 10           -  mov [esp+10],ecx
"game.dat"+28416D: D8 5C 24 10           -  fcomp dword ptr [esp+10]
"game.dat"+284171: DF E0                 -  fnstsw ax
"game.dat"+284173: F6 C4 41              -  test ah,41
"game.dat"+284176: 75 05                 -  jne game.dat+28417D
"game.dat"+284178: 8B D1                 -  mov edx,ecx
"game.dat"+28417A: 89 56 08              -  mov [esi+08],edx
"game.dat"+28417D: D9 46 08              -  fld dword ptr [esi+08]
"game.dat"+284180: D8 1D A4 9D 93 00     -  fcomp dword ptr [game.dat+539DA4]
"game.dat"+284186: DF E0                 -  fnstsw ax
}
Zanzer

Posted: Wed Mar 15, 2017 5:33 pm

Looks like you wanted to flip the two instructions like so:
Code:
mov ecx,[esi+10]                 // load the dword at [esi+10] first...
mov [esi+08],ecx                 // ...then store that value into [esi+08]
brisingr

Posted: Thu Mar 16, 2017 7:59 am

Yeah, I tried to flip the instructions, but maybe that's the wrong way to disable the instruction:

Code:
 
fst dword ptr [esi+08]           // store st(0) to [esi+08] without popping the FPU stack
mov ecx,[esi+10]


How do I disable the instruction "fst dword ptr"?

In the memory viewer, when I replace it with code that does nothing, 3 instructions are changed to nop (90 in bytes); is there any way to write this in the auto assembler script?
ParkourPenguin

Posted: Thu Mar 16, 2017 8:53 am

Code:
[ENABLE]
// Locate "fst dword ptr [esi+08]; mov ecx,[esi+10]" in game.dat and name it INJECT.
aobscanmodule(INJECT,game.dat,D9 56 08 8B 4E 10)
registersymbol(INJECT)

// Overwrite only the 3-byte fst (D9 56 08) with three one-byte nops;
// the mov ecx,[esi+10] that follows it is left untouched.
INJECT:
  nop
  nop
  nop

[DISABLE]
// Put the original fst bytes back.
INJECT:
  db D9 56 08
unregistersymbol(INJECT)

Zanzer

Posted: Thu Mar 16, 2017 6:42 pm

edit: Don't just delete things from the template... Add NOP back.

By telling it to "jmp return" you are skipping fst dword ptr [esi+08]. Consider it disabled.
Code:
[ENABLE]
// Locate "fst dword ptr [esi+08]; mov ecx,[esi+10]" in game.dat and name it INJECT.
aobscanmodule(INJECT,game.dat,D9 56 08 8B 4E 10)
registersymbol(INJECT)
alloc(newmem,$1000)
label(originalcode)
label(return)

newmem:
  // Only intervene when the dword at [esi+08] is zero; otherwise run the original code.
  cmp [esi+08],0
  jne originalcode
  // Copy [esi+10] into [esi+08]. ecx ends up holding [esi+10], exactly as the
  // original mov ecx,[esi+10] would leave it, and the fst is skipped entirely.
  mov ecx,[esi+10]
  mov [esi+08],ecx
  jmp return

originalcode:
  fst dword ptr [esi+08]
  mov ecx,[esi+10]
  jmp return

INJECT:
  jmp newmem
  nop                            // 5-byte jmp + 1-byte nop = the 6 bytes replaced
return:

[DISABLE]
INJECT:
  db D9 56 08 8B 4E 10           // original fst dword ptr [esi+08] / mov ecx,[esi+10]
unregistersymbol(INJECT)
dealloc(newmem)

Or give this a try...
Code:
[ENABLE]
// Locate "fst dword ptr [esi+08]; mov ecx,[esi+10]" in game.dat and name it INJECT.
aobscanmodule(INJECT,game.dat,D9 56 08 8B 4E 10)
registersymbol(INJECT)
alloc(newmem,$1000)
label(originalcode)
label(return)

newmem:
  // Only intervene when the dword at [esi+08] is zero; otherwise run the original code.
  cmp [esi+08],0
  jne originalcode
  // Replace st(0) (the value the original fst is about to store) with the
  // dword at [esi+10]; the FPU stack depth is unchanged (one pop, one push).
  fstp st(0)
  fld dword ptr [esi+10]
  // fall through into the original instructions

originalcode:
  fst dword ptr [esi+08]
  mov ecx,[esi+10]
  jmp return

INJECT:
  jmp newmem
  nop                            // 5-byte jmp + 1-byte nop = the 6 bytes replaced

return:

[DISABLE]
INJECT:
  db D9 56 08 8B 4E 10           // original fst dword ptr [esi+08] / mov ecx,[esi+10]
unregistersymbol(INJECT)
dealloc(newmem)
brisingr

Posted: Thu Sep 21, 2017 12:27 pm

Hey there, I tried all the options and the one that works is the ParkourPenguin script.
Now the issue is that the script also affects enemy units. I've used the dissect data tools, and the field at [+1c] defines the faction; 0 is for friendly units.
How should the script be written so that it compares that value and applies the db 90 90 90 patch only for the non-matching value?
brisingr

Posted: Tue Sep 26, 2017 10:45 am

After more attempts nothing works; I can't find an opcode and value for friendly units.
Zanzer, your script also works fine, but without the right value to compare against it affects random units.
In the end I found a script table written by Recifense that works fine, but I don't understand how it works; I'd like to learn how to make another script like this.
This is the code:
Code:
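{
===========================================
 Game Title    : Command and Conquer - Generals Zero Hour (Cracked)
 Game Version  : 1.04
 Process Name  : game.dat
 Script Version: 1.0
 CE Version    : 6.2
 Release date  : 09-Jul-2012
 Author        : Recifense
 History:
 09-Jul-12: First Release
 Features:
 - Minimum Resources
 - Minimum XP
 - God Mode
 - Unlimited Energy

 Layout: three code caves inside MyCode (_MonRes, _GodMode, _MonID), each
 reached by a jmp patched over the game's own instructions (see "Hacking
 Points"), each ending by re-executing the replaced instructions and
 jumping back. The iEnable* dwords are toggles the cheat table flips;
 pRes/pUnit/pCommon are pointers the hooks capture.
===========================================
}

//=========================================
// Definitions
define(LUDO,"game.dat")

//=========================================
[ENABLE]
//=========================================
//LuaCall(CheckVersion())
//=========================================
// Check if script is compatible to this game version
// If false the script will not be loaded
// (each assert checks the bytes the matching hook below overwrites)

assert(LUDO+0010a65d,8b 58 38 39 1d 68 69 9e 00) //_MR
assert(LUDO+00284163,d9 56 08 8b 4e 10 89 4c 24) //_GM
assert(LUDO+0014e802,8b b9 6c 01 00 00 8b 07 85) //_MI

//=========================================
alloc(MyCode,2048,LUDO)          // 2 KB code cave, preferably near game.dat
//=========================================
// Declaration section
label(_MonRes)
label(_MonR0)
label(_MonR1)
label(_MonR2)
label(_BackMR)
label(_ExitMR)
label(_GodMode)
label(_GodM00)
label(_GodM01)
label(_BackGM)
label(_ExitGM)
label(_MonID)
label(_BackMI)
label(_ExitMI)
label(pUnit)
label(pRes)
label(pCommon)
label(iEnableGM)
label(iEnableGM1)
label(iEnableMR)
label(iEnableMX)
label(iEnableME)
label(iMinRes)
label(fGarbage)

//=========================================
// Registering Symbols (exposed to the cheat table as addresses)
registersymbol(MyCode)
registersymbol(pUnit)
registersymbol(pRes)
registersymbol(pCommon)
registersymbol(iEnableGM)
registersymbol(iEnableGM1)
registersymbol(iEnableMR)
registersymbol(iEnableMX)
registersymbol(iEnableME)
registersymbol(iMinRes)

//=========================================
MyCode:
//=========================================
// Hook 1: resources / XP / energy.
// Entered from LUDO+0010a65d with eax = the record the game is about to read
// its resource count from ([eax+38]). ebx is free here: the replaced
// instruction (re-executed at _ExitMR) overwrites it anyway.
_MonRes:
 mov [pRes],eax                 // Save pointer for debugging

 mov ebx,[eax+00000160]
 mov [pCommon],ebx              // Remember this record's +160 pointer; _GodMode
                                // compares every unit against it

 cmp dword ptr [iEnableMR],0
 je _MonR0                      // Jump if feature is disabled

 mov ebx,[iMinRes]              // Get minimum resource value
 cmp ebx,[eax+38]               // Current resource >= minimum?
 jle _MonR0                     // Jump if true

 mov [eax+38],ebx               // Update current resource

_MonR0:
 cmp dword ptr [iEnableMX],0
 je _MonR2                      // Jump if feature is disabled

 cmp dword ptr [eax+00000190],3 // Clamp [+190] to at least 3 (field meaning not verified here)
 jge _MonR1

 mov dword ptr [eax+00000190],3

_MonR1:
 cmp dword ptr [eax+00000194],#5000   // decimal 5000
 jg _MonR2

 mov ebx,[eax+00000194]         // While [+194] <= 5000: [+18c] := [+194] - 1
 dec ebx                        // (presumably XP needed vs XP earned — TODO confirm)
 mov [eax+0000018c],ebx

_MonR2:
 cmp dword ptr [iEnableME],0
 je _ExitMR                     // Jump if feature is disabled

 xor ebx,ebx
 mov [eax+88],ebx               // Spent_Energy = 0

_ExitMR:
 mov ebx,[eax+38]               // Original code
 cmp [LUDO+005e68e0],ebx        // Original code
                                // NOTE(review): the replaced bytes 39 1d 68 69 9e 00 are
                                // disassembled as cmp [game.dat+005e6968],ebx in the
                                // [DISABLE] section below; 005e68e0 here differs by 0x88.
                                // Confirm which address is intended before relying on it.
 jmp _BackMR                    // Back to main code

//=========================================
// Hook 2: god mode.
// Entered from LUDO+00284163 with st(0) = the value the game is about to
// store into [esi+08] and esi = the object being updated; [esi+10] is what
// the original comments call max HP. ecx is free: the replaced code reloads
// it from [esi+10] before returning. eax is clobbered below as well.
_GodMode:
 fst dword ptr [fGarbage]       // Spill st(0) so its bits can be read as an integer
 mov ecx,[fGarbage]
 test ecx,ecx
 js _GodM00                     // Sign bit set (negative value): always run the checks

 cmp ecx,[esi+08]               // Bit patterns of non-negative floats order like the
 jge _ExitGM                    // floats themselves: new >= current means no loss, leave it

 mov ecx,[esi+10]
 cmp ecx,47c34f80               // 0x47C34F80 is 100000.0 as a single; objects with
 je _ExitGM                     // that [+10] are left alone (purpose not verified)

_GodM00:
 cmp dword ptr [iEnableGM],0
 je _ExitGM                     // Jump if feature is disabled

 mov ecx,[esi-08]               // Get ptr to Unit/Building
 test ecx,ecx
 jz _ExitGM                     // Jump if the pointer is Null

 mov eax,[ecx+000001b0]         // Get pCommon
 cmp eax,[pCommon]              // Only objects whose +1b0 equals the pointer _MonRes
 jne _ExitGM                    // captured are protected; this is the friend/foe test

 movzx eax,byte ptr [ecx+00000274]   // Zero-extended byte load (was mov al / movzx eax,al)
 or eax,[ecx+0000025c]
 jz _ExitGM                     // Both fields zero: not a candidate (meaning not verified)

 cmp dword ptr [iEnableGM1],0
 je _GodM01                     // Jump if feature is disabled

 cmp byte ptr [ecx+000001f4],01 // Is it a car bomb or similar?
 je _ExitGM                     // Jump if true

_GodM01:
 fstp st(0)                     // Discard value
 fld dword ptr [esi+10]         // Get max HP

_ExitGM:
 fst dword ptr [esi+08]         // Original code
 mov ecx,[esi+10]               // Original code
 jmp _BackGM                    // Back to main code

//=========================================
// Hook 3: record the last unit the game handled at LUDO+0014e802 (ecx = unit ptr).
_MonID:
 mov [pUnit],ecx                // Exposed via pUnit for the cheat table

_ExitMI:
 mov edi,[ecx+0000016C]         // Original code
 jmp _BackMI                    // Back to main code

//=========================================
 db '====================================>'
 db 'CE6.2 Script by Recifense 070912'
//=========================================
// Variables (all live inside MyCode)
iEnableMR:
 dd 0                           // Minimum Resources on/off
iEnableMX:
 dd 0                           // Minimum XP on/off
iEnableGM:
 dd 0                           // God Mode on/off
iEnableGM1:
 dd 0                           // God Mode: also skip objects with byte [+1f4] == 1
iEnableME:
 dd 0                           // Unlimited Energy on/off
iMinRes:
 dd #50000                      // Resource floor (decimal)
pRes:
 dd 0                           // Last record seen by _MonRes
pUnit:
 dd 0                           // Last unit seen by _MonID
pCommon:
 dd MyCode                      // Non-zero placeholder until _MonRes overwrites it, so
                                // _GodMode's pCommon test cannot match early (presumed intent)
fGarbage:
 dd 0                           // Scratch dword for _GodMode's fst spill

//=========================================
// Hacking Points (each jmp is 5 bytes; nops pad to the length of the replaced code)
LUDO+0010a65d:
 jmp _MonRes
 nop
 nop
 nop
 nop                            // 9 bytes replaced: mov ebx,[eax+38] / cmp [..],ebx
_BackMR:

LUDO+00284163:
 jmp _GodMode
 nop                            // 6 bytes replaced: fst dword ptr [esi+08] / mov ecx,[esi+10]
_BackGM:

LUDO+0014e802:
 jmp _MonID
 nop                            // 6 bytes replaced: mov edi,[ecx+0000016C]
_BackMI:

//=========================================
// Script for Restoring Original Codes
[DISABLE]
LUDO+0010a65d:
// mov ebx,[eax+38]
// cmp [game.dat+005e6968],ebx
 db 8b 58 38 39 1d 68 69 9e 00

LUDO+00284163:
// fst dword ptr [esi+08]
// mov ecx,[esi+10]
 db d9 56 08 8b 4e 10

LUDO+0014e802:
// mov edi,[ecx+0000016C]
 db 8b b9 6c 01 00 00

//=========================================
// Unregistering Symbols (the same set [ENABLE] registered)
unregistersymbol(MyCode)
unregistersymbol(pUnit)          // was pHero, which is never registered; pUnit is
unregistersymbol(pRes)
unregistersymbol(pCommon)
unregistersymbol(iEnableGM)
unregistersymbol(iEnableGM1)
unregistersymbol(iEnableMR)
unregistersymbol(iEnableMX)
unregistersymbol(iEnableME)
unregistersymbol(iMinRes)

//=========================================
dealloc(MyCode)
//============= Scripts End ===============

// ****************************************
// NOTES
// ****************************************
{
}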


Can someone explain to me how this script finds the value to compare against in the god mode part?