Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Binary differences between old and new game version

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking
View previous topic :: View next topic  
Author Message
Jane
Expert Cheater
Reputation: 0

Joined: 21 Feb 2016
Posts: 110

PostPosted: Tue Mar 14, 2017 8:55 pm    Post subject: Binary differences between old and new game version Reply with quote

Hi guys, first to give some background on my situation, recently a game/application had a major update from the developer which caused nearly all of my AOBs to "break" (no longer returns any results). It seems like a lot of instructions either changed or shifted around, I managed to find a few by manually tracing it like before but still a lot of old functions from my scripts I cannot find that simply.

I managed to get a copy of the old version before everything broke, scanning that version still returns the results I need so my question is; is there any other way I can find these functions in the new binary by making comparisons to the old one or maybe searching for something else unique in that memory region? Maybe there is some function to assist in spotting the differences between the two?

(I posted this in General Gamehacking in case maybe something other than CE can be of help here)
Back to top
View user's profile Send private message
atom0s
Moderator
Reputation: 137

Joined: 25 Jan 2006
Posts: 7258
Location: 127.0.0.1

PostPosted: Tue Mar 14, 2017 11:45 pm    Post subject: Reply with quote

Generally, people will use structure offsets in their patterns which are victim to this kind of update that happens from time to time. Ideally, you will want to make your patterns only include the main opcode bytes and not the sub-information as required parts of the pattern.

For example, if you have a block of code like this:
Code:
SomeGameFile.dll+12F2 - 41                    - inc ecx
SomeGameFile.dll+12F3 - 88 02                 - mov [edx],al
SomeGameFile.dll+12F5 - 42                    - inc edx
SomeGameFile.dll+12F6 - 84 C0                 - test al,al
SomeGameFile.dll+12F8 - 75 F6                 - jne SomeGameFile.dll+12F0
SomeGameFile.dll+12FA - 8B 44 24 14           - mov eax,[esp+14]
SomeGameFile.dll+12FE - 8B 4C 24 1C           - mov ecx,[esp+1C]
SomeGameFile.dll+1302 - 89 46 10              - mov [esi+10],eax
SomeGameFile.dll+1305 - 89 5E 14              - mov [esi+14],ebx
SomeGameFile.dll+1308 - 89 4E 18              - mov [esi+18],ecx


You will see structure offsets of objects, such as:
Code:

SomeGameFile.dll+1302 - 89 46 10              - mov [esi+10],eax


+10 here would be a potentially changable offset if they decide to insert new information before it inside of the structure. So ideally you would want to make that data a wildcard.

So you could land up creating a generic pattern or more strict patterns such as:

Code:
Generic:
75 ?? 8B 44 24 14 8B 4C 24 1C 89 46 10 89 5E 14 89 4E 18

Strict:
75 ?? 8B 44 24 ?? 8B 4C 24 ?? 89 46 ?? 89 5E ?? 89 4E ?? (Leaving off the last wildcard in your actual search since its not needed, just here for reference.)

Strict x2
75 ?? 8B ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ??


In the case of Strict x2, you would usually land up needing more data to make a unique signature.
At this point you are making the registers used wildcards so in case things change from:
Code:

mov [esi+10],eax
to
mov [esi+10],edx


The eax to edx change would be a single byte difference, but it will break your entire pattern if its being enforced etc.

If your pattern scanner supports it, you can also do half-byte patterns.

_________________
- Retired.
Back to top
View user's profile Send private message Visit poster's website
Jane
Expert Cheater
Reputation: 0

Joined: 21 Feb 2016
Posts: 110

PostPosted: Thu Mar 23, 2017 3:54 pm    Post subject: Reply with quote

Wow just realized I had read this and completely forgot to reply, I feel like an asshole. Thank you so much atom your tips were very helpful, I managed to update things a lot simpler than I thought (using a combination of your methods and also string searching for common things with IDA)

Cheers and thanks again ~
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites