Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
AOB Injection Script Not Working

 
ran_fan06

Posted: Tue Apr 11, 2017 1:44 pm    Post subject: AOB Injection Script Not Working

Hi guys. Tried a new method of game cheating: AOB scanning and injecting. My injection script doesn't work, though. I expected it to detect that I'm in the battle screen and that the opcode is reading my team's health, and when it does, change the HP to 9999.

Code:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

 
 
aobscan(HP Allies,66 89 1C 01 81 E2 FC FF 1F 00) // should be unique
alloc(newmem,$1000)

label(code)
label(optional)
label(original)
label(return)

newmem:

code:
pushfd
pushad
cmp [ecx+eax+6c],f9e80000
je optional
cmp [ecx+eax+6c],f8580000
je optional
mov [ecx+eax],bx
jmp original

optional:
mov [ecx+eax],(int)9999


  original:
  and edx,001FFFFC
  jmp return
  popad
  popfd

HP Allies:
  jmp newmem
  nop
  nop
  nop
  nop
  nop
return:
registersymbol(HP Allies)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
HP Allies:
  db 66 89 1C 01 81 E2 FC FF 1F 00

unregistersymbol(HP Allies)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 078B0334

078B030B: 81 FA 00 00 80 1F     -  cmp edx,1F800000
078B0311: 74 63                 -  je 078B0376
078B0313: 8B 0D 44 73 4F 00     -  mov ecx,[ePSXe.exe+F7344]
078B0319: F7 C1 00 00 01 00     -  test ecx,10000
078B031F: 75 54                 -  jne 078B0375
078B0321: 8B C8                 -  mov ecx,eax
078B0323: 89 C2                 -  mov edx,eax
078B0325: C1 E9 10              -  shr ecx,10
078B0328: 25 FF FF 00 00        -  and eax,0000FFFF
078B032D: 8B 0C 8D E0 64 93 00  -  mov ecx,[ecx*4+ePSXe.exe+5364E0]
// ---------- INJECTING HERE ----------
078B0334: 66 89 1C 01           -  mov [ecx+eax],bx
078B0338: 81 E2 FC FF 1F 00     -  and edx,001FFFFC
// ---------- DONE INJECTING  ----------
078B033E: BB 20 00 AC 07        -  mov ebx,07AC0020
078B0343: 03 DA                 -  add ebx,edx
078B0345: 8B 03                 -  mov eax,[ebx]
078B0347: 3D 00 00 8B 07        -  cmp eax,078B0000
078B034C: 75 01                 -  jne 078B034F
078B034E: C3                    -  ret
078B034F: B8 00 00 8B 07        -  mov eax,078B0000
078B0354: 8B 0C 10              -  mov ecx,[eax+edx]
078B0357: B8 20 00 D5 07        -  mov eax,07D50020
078B035C: 8B 04 10              -  mov eax,[eax+edx]
}


The attached file is from the dissect data structure window, with group 1 being my team's HP and group 2 the enemy. The values there are from while I'm out of the battle screen.

When in battle, offset 6c will show the value f9e80000 or f8580000 depending on the state of my team. The enemy's team will have different values.



[attachment: structure.png]


panraven

Posted: Tue Apr 11, 2017 4:04 pm

hi,
about your current AA:
1. You don't need pushad/popad/pushfd/popfd, as your code doesn't change the registers; and if you do use push/pop, the current popad/popfd position is not right: they are never executed, so the stack will be corrupted. They should be placed immediately after the label original;

2. The comparison cmp [ecx+eax+6c],f8580000 (and the other one like it) will not work as expected, since [ecx+eax+6c] means the dword (4-byte) memory content; from the dissector, the constant value should be f8580024;

3. Given the following conjecture (*), what your (int)9999 wants to write to is probably a 32-bit PS CPU MIPS instruction. The
mov [ecx+eax],(int)9999
will write e7 03 00 00 into the memory, which is an invalid MIPS instruction.
Maybe the write should be 2 bytes instead of 4 bytes:
mov word ptr[ecx+eax],(int)9999

However, if it is code, then writing 2 bytes may still not work as expected.
For it to work, the original MIPS code should also be a constant write, like:
lw $v0, 10 // big endian bytes: 8c 02 00 0a
and you want to replace the 10 with 1000:
lw $v0, 1000 // big endian bytes: 8c 02 03 e7
If not, like:
sub $v0,$v0,$v1 // be bytes : 00 43 10 22
then after writing 03 e7 over the 10 22, it will be
00 43 03 e7
which is still an invalid MIPS instruction.
(The bytes <-> assembly line conversion can be experimented with on the following site.)

Even if the address is not an instruction, writing 2 bytes is safer than writing 4 bytes here.


(*)
Your 3 addresses in the data dissector are probably PS CPU MIPS instructions; see the following disassembly (the PS uses little endian, but to match the display in the pic this URL uses big endian).
Treat the middle double nop as a separator: the 1st part is for the 1st address, the 2nd part for the 3rd address.

MIPS Disassemble

-----

[DELETE] I guess the "out of battle screen" detection will work, but it may not be easy to change the data (where your 9999 wants to go) in the same AA script. [/DELETE]

On second thought, the detection may not work, as I guess that part of the code will only execute when your target address acts as DATA (of battle), but when "out of battle screen" the DATA may not be accessed (since not in battle) or may be used for another purpose.

Sorry if this adds confusion~

_________________
- Retarded.
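The bytes-to-instruction check panraven describes above, as an added Python example that is not part of the thread or of Cheat Engine: a small decoder for the handful of MIPS I (R3000) encodings the discussion uses. The opcode tables are deliberately partial and anything outside them is reported as "reserved", so a "reserved" verdict means "not one of the listed forms", not a full ISA check. It reads a word as PS1 little-endian bytes, decodes it, and shows what a 2-byte write of the value 9999 does to the immediate of an lw versus to the low half of an R-type instruction.

```python
# Added example (Python, not from the thread): decode PS1 MIPS I machine words to see
# whether a 32-bit value sitting at a "data" address is really an instruction, and
# what a 16-bit cheat write over its low half turns it into.

# Constructed, deliberately partial tables: only the forms this discussion touches.
I_TYPE = {0x23: "lw", 0x2B: "sw", 0x09: "addiu", 0x0D: "ori", 0x0F: "lui",
          0x04: "beq", 0x05: "bne"}
R_TYPE = {0x20: "add", 0x21: "addu", 0x22: "sub", 0x23: "subu", 0x24: "and",
          0x25: "or", 0x27: "nor", 0x2A: "slt"}
SHIFTS = {0x00: "sll", 0x02: "srl", 0x03: "sra"}
REGS = ["zero", "at", "v0", "v1", "a0", "a1", "a2", "a3",
        "t0", "t1", "t2", "t3", "t4", "t5", "t6", "t7",
        "s0", "s1", "s2", "s3", "s4", "s5", "s6", "s7",
        "t8", "t9", "k0", "k1", "gp", "sp", "fp", "ra"]


def decode(word: int) -> str:
    """Return assembly text for one 32-bit word, or 'reserved' if it is none of the listed forms."""
    word &= 0xFFFFFFFF
    op = (word >> 26) & 0x3F
    rs = (word >> 21) & 0x1F
    rt = (word >> 16) & 0x1F
    rd = (word >> 11) & 0x1F
    shamt = (word >> 6) & 0x1F
    funct = word & 0x3F
    imm = word & 0xFFFF
    if op == 0:                      # SPECIAL (R-type): opcode field is zero
        if word == 0:
            return "nop"             # sll $zero,$zero,0
        if funct in SHIFTS and rs == 0:
            return f"{SHIFTS[funct]} ${REGS[rd]}, ${REGS[rt]}, {shamt}"
        if funct in R_TYPE and shamt == 0:   # shamt must be zero for non-shift R-type
            return f"{R_TYPE[funct]} ${REGS[rd]}, ${REGS[rs]}, ${REGS[rt]}"
        return "reserved"
    if op in I_TYPE:
        name = I_TYPE[op]
        if name in ("lw", "sw"):
            return f"{name} ${REGS[rt]}, 0x{imm:x}(${REGS[rs]})"
        if name == "lui":
            return f"lui ${REGS[rt]}, 0x{imm:x}"
        if name in ("beq", "bne"):
            return f"{name} ${REGS[rs]}, ${REGS[rt]}, {imm}"
        return f"{name} ${REGS[rt]}, ${REGS[rs]}, 0x{imm:x}"
    return "reserved"


def word_from_le_bytes(b: bytes) -> int:
    """PS1 memory is little-endian: the bytes 0a 00 02 8c are the word 0x8c02000a."""
    return int.from_bytes(b[:4], "little")


def patch_low_halfword(word: int, value16: int) -> int:
    """Model 'mov word ptr [addr],value': only the low 16 bits (an I-type's immediate) change."""
    return (word & 0xFFFF0000) | (value16 & 0xFFFF)


def looks_like_code(words) -> bool:
    """The quick test applied to the dissector values: does every word decode to something valid?"""
    return all(decode(w) != "reserved" for w in words)


if __name__ == "__main__":
    lw = word_from_le_bytes(bytes.fromhex("0a00028c"))   # constructed: lw $v0, 0xa($zero)
    sub = 0x00431022                                      # sub $v0, $v0, $v1
    for w in (lw, sub):
        print(f"{w:08x}: {decode(w):24s} -> after 16-bit write of 9999: "
              f"{patch_low_halfword(w, 9999):08x} {decode(patch_low_halfword(w, 9999))}")
    print("4-byte write of 9999 as a word:", decode(9999))
```

Decoding 0x8c02000a gives lw $v0, 0xa($zero); patching its low half with 9999 (0x270f) keeps a valid lw with a new immediate, while the same patch on 0x00431022 (sub) yields 0x0043270f, which no listed R-type form accepts. A full-word write of 9999 gives 0x0000270f, which is equally unlisted, so neither write size makes an R-type instruction into a constant.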
ran_fan06

Posted: Wed Apr 12, 2017 7:22 am

The first point is understood. I removed the push and pop.

For the second point, I created a new structure during the battle instead of outside battle. I got a different structure. Found out that offset 60 stores a constant int 2048 (during battle, for my team), which is 00000800 in hex. So I compared to that instead, of course changing the code to
Code:
cmp dword ptr[ecx+eax+60], 800
Is that right?

Now comes the third point, which is so out of my league. I think I got your main point that pushing a value into an address holding an instruction won't work, and I need to create an instruction instead (maybe?).
It is true that when I'm out of battle, the HP addresses I found change to random numbers. That's why I want to detect when I'm in battle first.

Either way, I feel so inexperienced after reading your reply. Please point me to a good reference if you think that I need to have more basics before handling this kind of case :)
panraven

Posted: Wed Apr 12, 2017 1:01 pm

The real PS has a MIPS CPU (analogous to a PC's Intel/AMD x86 CPU) and
2M of RAM, with CD media as large as 6xxM.

If the PS game is not as simple as Tetris, there must be some special mechanism
to allow the PS to execute the 6xxM of possible memory within the limited 2M of RAM.
It may be an overlay memory management.

In different stages of the game, the 2M of RAM may have different layouts, e.g.
Code:

On field,          On Battle ,         On Menu ,           On MiniGame
<common data>      <common data>       <common data>       <common data>
<field data >      <battle data>       <menu data  >       <miniGm data>
...                <battle data>       ...                 ...
[field code ]      <battle data>       [menu code  ]       [miniGm code]
[common code]      [common code]       [common code]       [common code]


From your dissector pic, it suggests the addresses were obtained from some data
(but not code) during a battle stage,
i.e.
Code:

8c4 +  d0 = 994
994 + 4e0 = e74 where 4e0 = 6 * d0
  ===>
8c4 => 8c4 + d0 * 0   --> 1st player char?
994 => 8c4 + d0 * 1   --> 2nd player char?
...
e74 => 8c4 + d0 * 7   --> possible 1st/2nd enemy?

The nice arrangement of addresses in multiples of 0xd0 size suggests they are
highly likely data structs for some player char/enemy.

But the pic was taken in a stage outside battle, where there is now code at the
same addresses. This suggests that the same address is used both as data (during
battle) and as code (outside battle). That should be the reason you want to make an
injection cheat instead of continually freezing the same data addresses?

This is to explain (if not confuse more) my previous post.

----

Anyway, have you made an injection where your target address (where you want to
write 9999) gets changed DURING THE BATTLE STAGE, especially when it decreases? Your
previous script doesn't look like it was made during the battle stage?

Then if the modification (writing 9999) is made within the injection, you should not
need to detect whether it is in the battle stage or outside the battle stage... It must be
in the battle stage when the injection is executing!

It would be helpful if such an injection script were posted.

Then what's left is to differentiate whether the address is friendly or enemy; as you add,
testing +60 with 800 is such a filter (is friend or enemy).
Even if +60 is not a reliable filter, I'm pretty sure the PS MEMORY ADDRESS can also be
used as a filter, and such a PS MEMORY ADDRESS should be obtainable in the injection code.
E.g. in your previous script, edx should be the PS MEMORY ADDRESS at the injection point.

Please make and post an injection script during battle that writes to the address where you
want the 9999 written.
ADDED:
Please also provide a picture of the breakpoint register values at the point the target address is being written.

ran_fan06
Posted: Thu Apr 13, 2017 10:13 am

First of all, thanks a lot!! This means so much to me in terms of the things I get to learn.

Guessing that I did get what your third point meant, and answering the new question at the same time: the code I'm trying to inject into is the only code that accesses the HP during battle. I'm being attacked, that code triggers. I attack the enemy, the code triggers.

Of course I'm using the "find out what writes to this address" function on my HP. But I believe it also accesses everything else, even while not in battle. See attachment A below. It's the addresses being accessed and written to by that code alone, constantly.

I've successfully injected into it by comparing ecx to b579a0 and eax to 8f24 (attachment B), then if those are true, writing (int)9999 into it. It worked, with the side effect that my MP drains to 0. I believe it should've been mov word ptr instead of just mov.

I guess that's how the 2M memory handles the 6xxM memory, like what you said...

I don't know how to create a breakpoint on the code only when it accesses the HP address, so I didn't do it. But I used the "find out what writes" thingy, which I think is the same. So it's in attachment B.



[attachment: Attachment B.png]

[attachment: Attachment A.png]


panraven

Posted: Thu Apr 13, 2017 11:47 am

It seems all values shown in pic 2 are valid MIPS instructions.

It is strange to me that the previous injection script is the ONLY (?) code that changes your target address (*), and also that it treats the address both as PS MEMORY DATA and as PS MEMORY CODE.

The target address is team HP during the battle stage; for my understanding of how ePSXe works, there should be some x86 code compiled from a piece of PS memory code that specifically treats the target address as your team HP, instead of writing yet more PS memory code to the address, which I think only happens when the real PS reads code from the CD, and should only happen at the time of changing from the battle stage to a non-battle stage or vice versa.

I'm lost too at this moment.
If you don't mind, would you please PM me what the game is?

(*)
In pic 1, EDX is 80108f24; this should be PS memory, which maps to PC/x86 memory at Eax+Ecx = b608c4 (your 1st address in the dissector).

There may be some AR code for the PS game having the number 80108f24? FF9? http://wescastro.com/codetwink/cheats.codetwink.com/psx/view/1254/50/


ADDED:
[delete]If the initial inject script DOES also treat the target address as your team HP,
it should be possible to use EDX (as PS memory address) and the +60 == 800 (2-byte or 4-byte?) as filters, i.e. EDX alone to differentiate friendly or enemy, and the +60 check for the battle stage.[/delete]
Oops, that is not necessarily right: when the PS writes the team HP with MIPS CODE, the address +60 may still equal 800, as +60 will soon be written by the same code a few nanoseconds later... so the in-battle-stage detection fails.

ran_fan06

Posted: Thu Apr 13, 2017 9:11 pm

It blows my mind that you actually figured out the game from a list of registers!!

Well, it's not the only code that accesses the HP address. But it is the only code accessing it at the right time, which is during battle. When I'm out of battle, the HP addresses hold random values, different on each screen.

The +60 offset holds the 4-byte value hex 800 or int 2048, only for my team. The same offset holds the 4-byte value 0 for the enemy. The offset also changes to that value only during battle. While out of battle, it changes to random values. So the offset allows me to detect both the in-battle state and the team HP state, does it not?

BTW, I still don't know how I can read the values addressed by the code as MIPS instructions. Haha.
panraven

Posted: Sat Apr 15, 2017 2:13 am

@"I still don't know how I can read the values addressed by the code as MIPS instructions."

You can try converting the bytes to see if they are valid MIPS code.
Try MIPS Disassemble

Given it is FF9, the info from the AR code page, and how to map PS MEM to PC MEM from the previous inject script, I try to emulate
D00F11B8 0001
for battle stage detection.

Hopefully it has no typos and works, and the comments are clear enough to explain what it does.

ADDED:
"HP Allies" contains a space, which makes it an invalid AA symbol.
AA symbols contain only alphanumeric characters and _ . @ #.

Code:

[ENABLE]

aobscan(HP_Allies,66 89 1C 01 81 E2 FC FF 1F 00) // should be unique
alloc(newmem,$1000)

label(code)

label(original)
label(return)

label(done)
label(doPlayer)
label(doEnemy)

label(MapPSMEM)

newmem:

code:
  push ecx  //  save temp
  push eax
  //////////// from here to done: check whether we need to modify bx, and only bx
  //// edx is not modified

    /// emulate D00F11B8 0001 to detect the battle stage
    mov  eax,800f11b8   /// ps mem address
    call MapPSMEM       //// map it to a pc memory address
    cmp  word ptr[eax],0001 /// compare 2-byte word

    jne  done       /// the D00F11B8 0001 test failed: not in battle, don't modify bx

      //// test player hp addresses (each slot is d0 bytes after the previous one)
      cmp  edx,80108F24 /// player #1 hp
      je   doPlayer
      cmp  edx,80108FF4 /// player #2 hp
      je   doPlayer
      cmp  edx,801090c4 /// player #3 hp
      je   doPlayer
      cmp  edx,80109194 /// player #4 hp
      je   doPlayer
      //// test enemy hp addresses
      cmp  edx,80109264 /// enemy #1 hp
      je   doEnemy
      cmp  edx,80109334 /// enemy #2 hp
      je   doEnemy
      cmp  edx,80109404 /// enemy #3 hp
      je   doEnemy
      cmp  edx,801094d4 /// enemy #4 hp
      je   doEnemy
      cmp  edx,801095a4 /// enemy #5 hp
      je   doEnemy

      jmp  done  /// no matching hp address: done, don't modify bx

doPlayer:
    mov  ax,#9999  //// prefix # or (int) for a decimal number
    cmp  ax,bx
    jle  @f
    mov  bx,ax  /// player hp never less than 9999
@@:
    jmp  done
doEnemy:

    mov  ax,1
    cmp  ax,bx
    jge  @f
    mov  bx,ax  /// enemy hp never more than 1: one-hit kill
@@:
    jmp  done

done:
  pop eax  // restore temp
  pop ecx

  original:
  mov [ecx+eax],bx  /// original
  and edx,001FFFFC  /// original

  jmp return

MapPSMEM:
//  input  eax = PS MEM address
//  output eax = the PC address that the PS MEM address maps to
//  no error check: an unmapped page reads whatever the table holds there
push  ecx
mov   ecx,eax
shr   ecx,10            // page index = upper 16 bits of the PS address
and   eax,0ffff         // offset within the page = lower 16 bits
reassemble(HP_Allies-7) // copy  mov ecx,[ecx*4+ePSXe.exe+5364E0]  (the emulator's own page table lookup)
lea   eax,[eax+ecx]     // get pc address
pop   ecx
ret

HP_Allies:
  jmp newmem
  nop
  nop
  nop
  nop
  nop
return:
registersymbol(HP_Allies)

[DISABLE]
HP_Allies:
  db 66 89 1C 01 81 E2 FC FF 1F 00

unregistersymbol(HP_Allies)
dealloc(newmem)

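A Python model of the final script's decision logic, added here as an example; it is not code from the thread or from Cheat Engine. It assumes what the script assumes: the emulator's page table is indexed by the upper 16 bits of the PS address (the shr ecx,10 / and eax,0ffff / mov ecx,[ecx*4+table] sequence), HP slots start at 0x80108F24 and sit 0xD0 apart (four player slots, then five enemy slots), and GameShark D00F11B8 0001 tests a 16-bit word. The page table and memory are constructed for the example; the one thread-derived mapping, page 0x8010 -> 0xB579A0, reproduces the b608c4 address from attachment B. It generalizes the nine compares into a stride check and adds the unmapped-page error the AA MapPSMEM lacks.

```python
# Added example (Python, not from the thread): a model of the hook's decision logic,
# so each piece (address mapping, battle check, slot classification, clamp) can be
# tested on its own before it is written as auto-assembler.

HP_BASE = 0x80108F24          # first player HP slot (script's compare list)
SLOT_STRIDE = 0xD0            # slots are d0 apart (the dissector's 8c4/994/e74 arithmetic)
PLAYER_SLOTS = 4
ENEMY_SLOTS = 5
BATTLE_FLAG_PS_ADDR = 0x800F11B8   # GameShark "D00F11B8 0001"
PLAYER_MIN_HP = 9999
ENEMY_MAX_HP = 1


def ps_to_pc(page_table: dict, ps_addr: int) -> int:
    """Mirror of MapPSMEM: table[ps >> 16] + (ps & 0xFFFF).

    The AA version has no error check; here an unmapped page raises instead of
    silently using whatever the table holds at that index.
    """
    page = (ps_addr >> 16) & 0xFFFF
    if page not in page_table:
        raise KeyError(f"PS page 0x{page:04X} is not mapped")
    return page_table[page] + (ps_addr & 0xFFFF)


def classify_slot(ps_addr: int):
    """Return ("player", i) or ("enemy", i) for an HP slot address, else None.

    A stride check replaces the script's nine separate compares and works for
    any slot count.
    """
    off = ps_addr - HP_BASE
    if off < 0 or off % SLOT_STRIDE != 0:
        return None
    idx = off // SLOT_STRIDE
    if idx < PLAYER_SLOTS:
        return ("player", idx)
    if idx < PLAYER_SLOTS + ENEMY_SLOTS:
        return ("enemy", idx - PLAYER_SLOTS)
    return None


def in_battle(page_table: dict, pc_mem: bytearray) -> bool:
    """Emulate D00F11B8 0001: 16-bit little-endian compare at the mapped PC address."""
    pc = ps_to_pc(page_table, BATTLE_FLAG_PS_ADDR)
    return int.from_bytes(pc_mem[pc:pc + 2], "little") == 1


def s16(v: int) -> int:
    """Read a 16-bit register value as signed, matching the script's jle/jge."""
    v &= 0xFFFF
    return v - 0x10000 if v & 0x8000 else v


def hook(page_table: dict, pc_mem: bytearray, edx: int, bx: int) -> int:
    """Return the bx that the hooked 'mov [ecx+eax],bx' should store.

    edx is the PS address being written, bx the 16-bit value. Only bx changes;
    the emulator's other registers are left alone, as in the script.
    """
    bx &= 0xFFFF
    if not in_battle(page_table, pc_mem):
        return bx
    slot = classify_slot(edx)
    if slot is None:
        return bx
    side, _ = slot
    if side == "player":
        return bx if s16(bx) >= PLAYER_MIN_HP else PLAYER_MIN_HP
    return bx if s16(bx) <= ENEMY_MAX_HP else ENEMY_MAX_HP


def demo_memory():
    """Constructed 128 KiB 'PC memory' with two PS pages mapped into it (not real ePSXe layout)."""
    page_table = {0x800F: 0x00000, 0x8010: 0x10000}
    pc_mem = bytearray(0x20000)
    return page_table, pc_mem


if __name__ == "__main__":
    table, mem = demo_memory()
    flag = ps_to_pc(table, BATTLE_FLAG_PS_ADDR)
    mem[flag:flag + 2] = (1).to_bytes(2, "little")    # pretend we are in battle
    print(hook(table, mem, 0x80108F24, 120))          # player #1 at 120 HP -> 9999
    print(hook(table, mem, 0x80109264, 500))          # enemy #1 at 500 HP -> 1
    print(hex(ps_to_pc({0x8010: 0xB579A0}, 0x80108F24)))  # the thread's b608c4
```

The hook never touches the in-battle flag itself, so it does not suffer from the +60 == 800 race panraven mentions: the flag lives at a fixed PS address, not in the struct being written. The KeyError on an unmapped page is the check to keep in mind when porting this back to AA, where a bad table index just reads garbage.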
ran_fan06

Posted: Mon Apr 17, 2017 10:13 pm

Sorry for the late reply. Haven't had the time. So the mapping of the PS mem to the PC mem is a necessary thing to tackle? Trust me when I say I only get around 30% of the instructions you created.

The shr and lea are new to me. I don't even know why you use the and instruction with the value 0ffff, or why shr ecx by 10. Also why you reassemble the HP_Allies-7 code before calling lea. (Now I know that it gives an error if I rewrite the whole instruction, so you just reused the code instead.)

The code does work. I am just hoping that I can understand more of it.

Btw, can't I just use edx to compare 800f11b8 with 1?

EDIT:
OK, I played around with the shr and the and. What you did was get 800f into ecx and 11b8 into eax from the address 800f11b8. Then you reuse the code from ePSXe to change ecx, add it to eax, and move the sum into eax as the PC mem address mapped from the PS mem address.

Why reuse the code? Is the code the one that maps the address?


Oh god, I just realized you copied the code from ePSXe to obtain the mapped PC address. Silly me... Haha... Well, it still involves using an AR code discovered by someone else.

I guess I could've just found the address that identifies whether I'm in battle or not using CE, and used that address for battle stage detection instead. Still, can't I just compare edx to 1 before finding the PC address?

I learned so much from you. Thank you. If you have more to teach me, any tips, a link for me to learn more, whatever, please do post it or PM.