Cheat Engine The Official Site of Cheat Engine
D1g1Byt3 (Cheater, Reputation: 0, Joined: 02 Dec 2015, Posts: 40)
Posted: Mon Jun 19, 2017 12:07 pm, Post subject: Script causing game to crash
I was just making a simple script for the game Crea (http://store.steampowered.com/app/280520/Crea/), Steam specifically.
For now all I was trying to do was store the base address in a label to access later, and then add the health and stamina offsets to get the addresses. I really don't know how to explain it properly.
Anyways, the problem I am having is this.
I tried adding what I think to be the base address to a label. When I enable the script it acts like it's going to add the address, and when a value such as the health changes, the game just crashes. No warning or error or anything. I was wondering if there is something I am missing. I was able to debug just fine with no crash, but as soon as I enable the script and a value changes, it crashes.
Here is the script:
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscanmodule(hpread,crea.exe,89 81 84 00 00 00 C6) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
globalalloc(_playerbase,4)
newmem:
code:
mov [_playerbase],rcx
mov [rcx+00000084],eax
jmp return
hpread:
jmp newmem
nop
return:
registersymbol(hpread)
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
hpread:
db 89 81 84 00 00 00
unregistersymbol(hpread)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "crea.exe"+75C27A
"crea.exe"+75C252: C7 40 18 00 00 00 00 - mov [rax+18],00000000
"crea.exe"+75C259: 48 8D 50 08 - lea rdx,[rax+08]
"crea.exe"+75C25D: 48 8D 40 10 - lea rax,[rax+10]
"crea.exe"+75C261: 0F 2F D8 - comiss xmm3,xmm0
"crea.exe"+75C264: 48 0F 46 D0 - cmovbe rdx,rax
"crea.exe"+75C268: 48 8D 44 24 70 - lea rax,[rsp+70]
"crea.exe"+75C26D: F3 0F 10 02 - movss xmm0,[rdx]
"crea.exe"+75C271: 0F 2F C2 - comiss xmm0,xmm2
"crea.exe"+75C274: 48 0F 47 C2 - cmova rax,rdx
"crea.exe"+75C278: 8B 00 - mov eax,[rax]
// ---------- INJECTING HERE ----------
"crea.exe"+75C27A: 89 81 84 00 00 00 - mov [rcx+00000084],eax
// ---------- DONE INJECTING ----------
"crea.exe"+75C280: C6 81 C0 00 00 00 01 - mov byte ptr [rcx+000000C0],01
"crea.exe"+75C287: 48 81 C1 98 00 00 00 - add rcx,00000098
"crea.exe"+75C28E: E8 9D AD FF FF - call crea.exe+757030
"crea.exe"+75C293: EB 3E - jmp crea.exe+75C2D3
"crea.exe"+75C295: 0F 57 C9 - xorps xmm1,xmm1
"crea.exe"+75C298: C7 44 24 78 00 00 00 00 - mov [rsp+78],00000000
"crea.exe"+75C2A0: 48 8D 81 8C 00 00 00 - lea rax,[rcx+0000008C]
"crea.exe"+75C2A7: 48 8D 4C 24 68 - lea rcx,[rsp+68]
"crea.exe"+75C2AC: 0F 2F 18 - comiss xmm3,[rax]
"crea.exe"+75C2AF: 48 0F 47 C8 - cmova rcx,rax
}
OldCheatEngineUser (Whateven rank, Reputation: 20, Joined: 01 Feb 2016, Posts: 1586)
Posted: Wed Jun 21, 2017 1:31 pm
hey,
are you trying to say that you want CE to find the dynamic address and store it in _playerbase with the value?
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote: i am a sweetheart.
D1g1Byt3 (Cheater, Reputation: 0, Joined: 02 Dec 2015, Posts: 40)
Posted: Wed Jun 21, 2017 1:48 pm
Yeah, I want to store the "Base Address" and add it with the offsets to things like HP, and stamina manually.
OldCheatEngineUser (Whateven rank, Reputation: 20, Joined: 01 Feb 2016, Posts: 1586)
Posted: Wed Jun 21, 2017 1:51 pm
Okay, just post the code here without your modification so I can read it.
EDIT: lol, this is strange. Usually people want the address and the value for health, stamina or whatever, but NOT the BASE address.
Whatever you want, I'll help you with it.
D1g1Byt3 (Cheater, Reputation: 0, Joined: 02 Dec 2015, Posts: 40)
Posted: Wed Jun 21, 2017 1:59 pm
OldCheatEngineUser wrote: okay just post the code here without your modification so I can read.
Code:
// ORIGINAL CODE - INJECTION POINT: 7FF6F4220007
7FF6F421FFEF: 00 00 - add [rax],al
7FF6F421FFF1: 00 00 - add [rax],al
7FF6F421FFF3: 00 00 - add [rax],al
7FF6F421FFF5: 00 00 - add [rax],al
7FF6F421FFF7: 00 00 - add [rax],al
7FF6F421FFF9: 00 00 - add [rax],al
7FF6F421FFFB: 00 00 - add [rax],al
7FF6F421FFFD: 00 00 - add [rax],al
7FF6F421FFFF: 00 48 89 - add [rax-77],cl
7FF6F4220002: 0D F9 FF FE FF - or eax,FFFEFFF9
// ---------- INJECTING HERE ----------
7FF6F4220007: 89 81 84 00 00 00 - mov [rcx+00000084],eax
// ---------- DONE INJECTING ----------
7FF6F422000D: E9 BE BA 76 00 - jmp crea.exe+75BAD0
7FF6F4220012: 90 - nop
7FF6F4220013: 90 - nop
7FF6F4220014: 90 - nop
7FF6F4220015: 90 - nop
7FF6F4220016: 90 - nop
7FF6F4220017: 90 - nop
7FF6F4220018: 90 - nop
7FF6F4220019: 90 - nop
7FF6F422001A: 90 - nop
}
I want to be able to "store" the base address with an injection copy, and then use it to create something like a pointer for the other offsets to get the address for things like HP and stamina. I don't know if I'm explaining it properly or not.
OldCheatEngineUser (Whateven rank, Reputation: 20, Joined: 01 Feb 2016, Posts: 1586)
Posted: Wed Jun 21, 2017 2:01 pm
Seems you are hooking data, not code.
D1g1Byt3 (Cheater, Reputation: 0, Joined: 02 Dec 2015, Posts: 40)
Posted: Wed Jun 21, 2017 2:03 pm
OldCheatEngineUser wrote: seems you are hooking data not code
what do you mean?
OldCheatEngineUser (Whateven rank, Reputation: 20, Joined: 01 Feb 2016, Posts: 1586)
Posted: Wed Jun 21, 2017 2:07 pm
In every piece of software there's a .data section and a .code section.
The data section gets changed whenever you restart the game.
The code section is static; code there will not change unless there is an update.
PLUS: if it's really the data section, then this line:
7FF6F4220007: 89 81 84 00 00 00 - mov [rcx+00000084],eax
will be changed when you lose health or stamina.
ParkourPenguin (I post too much, Reputation: 138, Joined: 06 Jul 2014, Posts: 4275)
Posted: Wed Jun 21, 2017 2:33 pm
Looks like code to me.
Going back to the script in the first post, there's no guarantee newmem will be within a rel32 displacement of the injection point. This may cause CE to assemble a longer jump that takes up 14 bytes instead of the normal 5 bytes. If you want to always use the 5-byte version, pass a 3rd parameter to alloc specifying the region to allocate memory near.
You also may need to change the write to [_playerbase] to use a valid 64-bit addressing mode; under certain circumstances, that instruction won't assemble. One way would be to use another register to hold the destination (e.g. mov rdi,_playerbase / mov [rdi],rcx); back up the register if need be.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
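The two encoding limits ParkourPenguin describes, worked through as an added example (this is not code from the thread or from Cheat Engine): it takes the instruction lengths from the listing in the first post and, for a given module base and newmem/_playerbase address (both constructed values here), reports whether the 5-byte jump reaches, whether the script's "return:" label still lands on an instruction boundary, and whether "mov [_playerbase],rcx" can be encoded at all.

```python
# Added example, not from the thread. Instruction lengths below come from the
# "ORIGINAL CODE" listing in the first post; the module base and the allocation
# addresses used in the checks are constructed values.

REL32_MIN, REL32_MAX = -(1 << 31), (1 << 31) - 1

# (RVA, length in bytes, mnemonic) from crea.exe+75C27A onward, as listed.
ORIGINAL = [
    (0x75C27A, 6, "mov [rcx+00000084],eax"),
    (0x75C280, 7, "mov byte ptr [rcx+000000C0],01"),
    (0x75C287, 7, "add rcx,00000098"),
    (0x75C28E, 5, "call crea.exe+757030"),
    (0x75C293, 2, "jmp crea.exe+75C2D3"),
]


def fits_rel32(disp):
    return REL32_MIN <= disp <= REL32_MAX


def jmp_size(src, dst):
    """Bytes needed for 'jmp dst' placed at src: 5 (E9 rel32) when the displacement
    from the end of the 5-byte jump fits a signed 32-bit value, otherwise the 14-byte
    absolute form (FF 25 00000000 followed by the 8-byte target)."""
    return 5 if fits_rel32(dst - (src + 5)) else 14


def hook_layout(module_base, newmem):
    """Simulate the script's 'jmp newmem / nop' at crea.exe+75C27A. Returns
    (bytes written, instructions overwritten, whether 'return:' lands on an
    instruction boundary). A False last value means the jump back resumes
    mid-instruction, which is the crash the first post describes."""
    src = module_base + 0x75C27A
    written = jmp_size(src, newmem) + 1          # +1 for the script's trailing nop
    resume = src + written                        # where the 'return:' label ends up
    hit = [name for rva, ln, name in ORIGINAL if module_base + rva < resume]
    on_boundary = any(module_base + rva + ln == resume for rva, ln, _ in ORIGINAL)
    return written, hit, on_boundary


def store_encodable(src, dest, reg):
    """Can 'mov [dest],reg' be encoded at src? x86-64 has a 64-bit absolute
    (moffs64) form only for rax. Any other register needs either a sign-extended
    32-bit absolute address (low 2 GB) or a RIP-relative disp32 measured from the
    end of the 7-byte 'REX.W 89 ModRM disp32' instruction."""
    if reg == "rax":
        return True
    if dest < (1 << 31):
        return True
    return fits_rel32(dest - (src + 7))
```

With newmem allocated far from the module, hook_layout reports 15 bytes written and three instructions overwritten with no boundary match, which is why ParkourPenguin suggests alloc's third parameter to keep the jump to 5 bytes.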
OldCheatEngineUser (Whateven rank, Reputation: 20, Joined: 01 Feb 2016, Posts: 1586)
Posted: Wed Jun 21, 2017 4:02 pm
Okay, based on the first post, it's the code section, and the second post might be the newly allocated memory.
Maybe all he has to do is use the LEA instruction.
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscanmodule(hpread,crea.exe,89 81 84 00 00 00 C6) // should be unique
alloc(newmem,$100)
label(code)
label(return)
alloc(playerbase,8)
registersymbol(playerbase)
newmem:
push rbx
lea rbx,[rcx] // [rcx] will load the current base address "as you said and want"
mov [playerbase],rbx
pop rbx
code:
mov [rcx+00000084],eax
jmp return
hpread:
jmp newmem
nop
return:
registersymbol(hpread)
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
hpread:
db 89 81 84 00 00 00
unregistersymbol(playerbase)
dealloc(playerbase)
unregistersymbol(hpread)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "crea.exe"+75C27A
"crea.exe"+75C252: C7 40 18 00 00 00 00 - mov [rax+18],00000000
"crea.exe"+75C259: 48 8D 50 08 - lea rdx,[rax+08]
"crea.exe"+75C25D: 48 8D 40 10 - lea rax,[rax+10]
"crea.exe"+75C261: 0F 2F D8 - comiss xmm3,xmm0
"crea.exe"+75C264: 48 0F 46 D0 - cmovbe rdx,rax
"crea.exe"+75C268: 48 8D 44 24 70 - lea rax,[rsp+70]
"crea.exe"+75C26D: F3 0F 10 02 - movss xmm0,[rdx]
"crea.exe"+75C271: 0F 2F C2 - comiss xmm0,xmm2
"crea.exe"+75C274: 48 0F 47 C2 - cmova rax,rdx
"crea.exe"+75C278: 8B 00 - mov eax,[rax]
// ---------- INJECTING HERE ----------
"crea.exe"+75C27A: 89 81 84 00 00 00 - mov [rcx+00000084],eax
// ---------- DONE INJECTING ----------
"crea.exe"+75C280: C6 81 C0 00 00 00 01 - mov byte ptr [rcx+000000C0],01
"crea.exe"+75C287: 48 81 C1 98 00 00 00 - add rcx,00000098
"crea.exe"+75C28E: E8 9D AD FF FF - call crea.exe+757030
"crea.exe"+75C293: EB 3E - jmp crea.exe+75C2D3
"crea.exe"+75C295: 0F 57 C9 - xorps xmm1,xmm1
"crea.exe"+75C298: C7 44 24 78 00 00 00 00 - mov [rsp+78],00000000
"crea.exe"+75C2A0: 48 8D 81 8C 00 00 00 - lea rax,[rcx+0000008C]
"crea.exe"+75C2A7: 48 8D 4C 24 68 - lea rcx,[rsp+68]
"crea.exe"+75C2AC: 0F 2F 18 - comiss xmm3,[rax]
"crea.exe"+75C2AF: 48 0F 47 C8 - cmova rcx,rax
}
EDIT: since it's a 64-bit game, he needs to allocate 8 bytes for his address (playerbase), otherwise it will cause a technical error.
You can notice in his second code post that the addresses are long.
He actually needs 6 bytes, but keep it 8 just in case.