Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Newbie questions about the Auto Assembler and AOB Injection.

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine
View previous topic :: View next topic  
Author Message
DodgeWolfy
Newbie cheater
Reputation: 0

Joined: 13 May 2017
Posts: 19

PostPosted: Wed Jan 17, 2018 10:40 am    Post subject: Newbie questions about the Auto Assembler and AOB Injection. Reply with quote

Disclaimer:
Right off the bat, i'll say that I am inexperienced when it comes to coding..
This post will mostlikely waste your time so by all means, ignore it if you don't have time or the crayons to explain it
Smile

I want to know what the default AOB Injection code does, in a simple way that i can explain it to myself.
I really don't understand what it does precisely and i always tend to limit myself to the most simple and basic of things like this:
"mov rax,[rax+60]" → "mov rax,#999"

I do that because i really don't mess with things i don't understand because i don't want to break something or keep restarting my game because of crashes and getting nowhere, now i've went through "Rydian's Guide To Basic AOBs And Scripts" (Can't use URLs yet, my bad) a few times but that's a bit too basic, he does give a good explanation but in a few cases he just points out "don't touch this" and i want to know exactly what those things do..

I want to learn to properly use the Assembler and make more complicated hacks, one of the things would be getting a dynamic /current address from the operation that runs, for example:
Getting the address for coins by seeing what the instruction writes to, or something like that but i'm getting sidetracked here.

The main reason i am asking all of this is to make my code look neat so that when i later return to it i can easily understand what it does and be up to speed with what's going on.


Let me elaborate with an example code directly from CE, the code is irrelevant, it's about the principle.

Code:

// I'll note the things i know / my understanding of things with comments, please correct me wherever i am wrong



[ENABLE] //Marks the start of the script and anything below it until disable is code that runs when you activate the script

aobscanmodule(INJECT,cheatengine-x86_64.exe,48 8B 40 60 90)  //Module that looks for a specific array of bytes inside the code inside the given exe and gives them a usersymbol of your choice
alloc(newmem,$1000,"cheatengine-x86_64.exe"+1A40F)  //Allocates memory for the code to run with a label newmem, with a size of $1000 (1MB??), re-directs the memory / code of "cheatengine-x86_64.exe"+1A40F" to the newly allocated memory and nops what was originally in that position.

label(code)  //Creates a label named "code"
label(return)  //Creates a label named "return"

newmem: //This is the very start of the memory and anything below it is a "function" of it

code:  //This marks the beginning of the original code
  mov rax,[rax+60]  //The actual code
  nop  //I have no clue why this is needed
  jmp return  //jumps to label return

INJECT:  //I am assuming this runs after it hits "return" which just puts it back at newmem, which is the very start, doesn't that cause it to loop back? If it doesn't run after return, why do we need to register "INJECT"?
  jmp newmem

return:  //We register symbol return? wasn't that already registered by aobscanmodule? I don't understand this. Also does this NEED to be the same as the one in the aobscanmodule?
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 48 8B 40 60 90  //Sets back the original array of bytes? But why is it under "Inject" ?

unregistersymbol(INJECT)  //Self Explanatory
dealloc(newmem)  //Self Explanatory


Thank you in advance!

P.S. - Apologies if i'm coming out ignorant by asking this rather than looking through some tutorials Sad
Back to top
View user's profile Send private message
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

PostPosted: Wed Jan 17, 2018 12:02 pm    Post subject: Reply with quote

DodgeWolfy wrote:

I want to know what the default AOB Injection code does, in a simple way that i can explain it to myself.

Array Of Byte, or in other terms:
- group of bytes
- sequence of bytes
- a pattern
in basic words, it do search for the given pattern in the given module.

DodgeWolfy wrote:
I really don't understand what it does precisely and i always tend to limit myself to the most simple and basic of things like this:
"mov rax,[rax+60]" → "mov rax,#999"

side-note:
mov rax,[rax+60] is reading from memory-location
mov [rax+60],rax is writing to a memory-location

mov - transfer data from one location to another.
Code:
mov rax,[rax+60]

what [square-brackets] means:
- a memory location
say rax = 10000000
plus offset of 60 = 10000060
10000060 holds the value of 100
now the operation is in a simple way:
- move 100 into rax
- move whatever in 10000060 into rax
- move whatever value in side [memory-location] into rax

Code:
mov rax,#999

- move an immediate 4 byte value into rax

DodgeWolfy wrote:
I want to learn to properly use the Assembler and make more complicated hacks, one of the things would be getting a dynamic /current address from the operation that runs, for example:
Getting the address for coins by seeing what the instruction writes to, or something like that but i'm getting sidetracked here.

a simple way to achieve this:
lets take this instruction for example:
Code:
mov rax,[rax+60]

- lea rax,[rax+60]
- mov [Symbol],rax

then add symbol to your address-list, make sure its registered or globally-allocated.

DodgeWolfy wrote:
aobscanmodule(INJECT,cheatengine-x86_64.exe,48 8B 40 60 90) //Module that looks for a specific array of bytes inside the code inside the given exe and gives them a usersymbol of your choice

yes, there is a benefit from the symbol you can search for it:
- disassembly window, goto address, type inject

but remember aobscanmodule does search from executable entry point til it find the matching pattern, which can be very slow in large modules.
you have another type called aobscanregion, which take four-parameters:
Code:
AOBSCANREGION(name, startaddress, stopaddress, array of byte)

- name is symbol
- start address, "cheatengine.exe"+1000
- stop address, "cheatengine.exe"+1500
- aob to search for

this type can be even faster, but for the fastest injection use code injection or in other terms address injection.

DodgeWolfy wrote:
alloc(newmem,$1000,"cheatengine-x86_64.exe"+1A40F) //Allocates memory for the code to run with a label newmem, with a size of $1000 (1MB??), re-directs the memory / code of "cheatengine-x86_64.exe"+1A40F" to the newly allocated memory and nops what was originally in that position.

newmem, a name of the new allocated memory you can give it any name and you can search for it.

alloc is used with dealloc, you have another type called:
globalalloc:
- no need for deallocation
- no need for registering a symbol

$1000 equal to 4096 bytes which is equal to 4 KiloBytes, the '$' means you are using hex-values so 1000 hex is 4096 decimal.

the third-parameter is for giving CE a hint on where to allocate the memory, and near which address.
this is useful in 64-bit games to avoid long/far jumps.
with this parameter CE tries to make the jump short or near.

DodgeWolfy wrote:
newmem: //This is the very start of the memory and anything below it is a "function" of it

newmem: as a label
is the start address of the new allocated memory.

DodgeWolfy wrote:
code: //This marks the beginning of the original code
mov rax,[rax+60] //The actual code
nop //I have no clue why this is needed
jmp return //jumps to label return

yes by default CE put the original codes here, you can play with them the way you like.

about the nop, CE wont put things like that here UNLESS the nop is compiler-generated.

DodgeWolfy wrote:
INJECT: //I am assuming this runs after it hits "return" which just puts it back at newmem, which is the very start, doesn't that cause it to loop back? If it doesn't run after return, why do we need to register "INJECT"?
jmp newmem

no, INJECT is the address you injected you code at.
and its replaced with jmp newmem to your memory which newmem where you have the rights to do whatever you want.

in some cases there are nop's after jmp newmem which are the extra-not-needed-bytes, CE wil replace them with nop.
you still can do something fancy if you have many bytes remaining:
- add new instruction there to do something different

DodgeWolfy wrote:
return: //We register symbol return? wasn't that already registered by aobscanmodule? I don't understand this. Also does this NEED to be the same as the one in the aobscanmodule?
registersymbol(INJECT)

by default CE replace return with the address after jmp newmem, in other words:
see the instruction (i dont wanna use address to avoid confusion) you injected you code at? return label is the address of the next original instruction.

and registersymbol can be placed anywhere, doesnt matter its just a default thing.

DodgeWolfy wrote:
INJECT:
db 48 8B 40 60 90 //Sets back the original array of bytes? But why is it under "Inject" ?

unregistersymbol(INJECT) //Self Explanatory
dealloc(newmem) //Self Explanatory

yes, and why? because INJECT symbol is equal to the address you injected you code on, so it place these bytes there.

remember:
- registersymbol & unregistersymbol ARE NOT USED with globalalloc
- dealloc is ONLY USED with alloc, globalalloc DOES NOT USE any type of deallocation.

_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
i am a sweetheart.
Back to top
View user's profile Send private message Visit poster's website
DodgeWolfy
Newbie cheater
Reputation: 0

Joined: 13 May 2017
Posts: 19

PostPosted: Wed Jan 17, 2018 12:42 pm    Post subject: Reply with quote

Thank you so much for the extremely detailed reply, I already knew what AOB means and how to use the mov command and deal with memory addresses, the main thing was the ordering of the labels that confuses me, also you mentioned #999 is 4 Byte because of the #, how would one specify 2 or 8 byte, out of curiosity i know i can do (Float) and (Double) for the corresponding value types

I have already dealt with making my own symbols and allocation etc. i made a little table which saves values so you can restore them later which i used to change the physics in a game. Typically i avoid globalalloc as it's "a one time memory leak" and never thought i could just use LEA, i'm retarded....

So what i've gathered is that the piece of code that i showed and your explanation that it works something like this - the INJECT in aobscanmodule is just a "label" if you will to easily find / name the instruction and be able to reference it in memory view.

Just to summarize...

INJECT:
jmp newmem

Also is the first thing that runs from that code because the aobmodule makes it start there, it takes priority before newmem, correct?

Finally when it hits "return:" that's just a pre-defined thing that makes it go to the original place and continue the instruction?

It does not matter that registersymbol(INJECT) is in the return, it can also be at the top and it will still have the same effect?

I think the main problem is that i think the instruction goes top to bottom like normal high level code.
Back to top
View user's profile Send private message
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

PostPosted: Wed Jan 17, 2018 1:08 pm    Post subject: Reply with quote

DodgeWolfy wrote:
INJECT:
jmp newmem

Also is the first thing that runs from that code because the aobmodule makes it start there, it takes priority before newmem, correct?

this wont be under the new allocated memory, it will be on the original place of the injection point.
and yes, correct.

DodgeWolfy wrote:
Finally when it hits "return:" that's just a pre-defined thing that makes it go to the original place and continue the instruction?

yes.

DodgeWolfy wrote:
It does not matter that registersymbol(INJECT) is in the return, it can also be at the top and it will still have the same effect?

yes.

DodgeWolfy wrote:
I think the main problem is that i think the instruction goes top to bottom like normal high level code.

yes, but not the case with labels.
labels will be replaced with addresses after compiling your script, you can just spaghetti-code it:

labelFive:
; some code
jmp labelOne

lableThree:
; some code
jmp labelFour

labelOne:
; some code
jmp labelThree

labelTwo:
; some code
jmp some where else

labelfour:
; some code
jmp labelTwo

_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
i am a sweetheart.
Back to top
View user's profile Send private message Visit poster's website
DodgeWolfy
Newbie cheater
Reputation: 0

Joined: 13 May 2017
Posts: 19

PostPosted: Wed Jan 17, 2018 1:11 pm    Post subject: Reply with quote

Got it, no need for making it look good, again, Thank you so much!
Back to top
View user's profile Send private message
sbryzl
Master Cheater
Reputation: 6

Joined: 25 Jul 2016
Posts: 252

PostPosted: Wed Jan 17, 2018 1:57 pm    Post subject: Reply with quote

DodgeWolfy wrote:
Thank you so much for the extremely detailed reply, I already knew what AOB means and how to use the mov command and deal with memory addresses, the main thing was the ordering of the labels that confuses me, also you mentioned #999 is 4 Byte because of the #, how would one specify 2 or 8 byte, out of curiosity i know i can do (Float) and (Double) for the corresponding value types


# is a short way to indicate that it is in base 10 format. Another way to write it would be (int)999. Without the integer notation Cheat Engine will assume your number is in hexadecimal format.

Number of bytes is implied to Cheat Engine by the register size and pointer notation. RAX instructions would be assembled as an 8 byte instruction if the current situation allows for it. AX instructions would be asembled as 2 byte. When using pointers you would use pointer size notation such as mov RAX, QWORD PTR [pointer] and mov AX, WORD PTR [pointer].
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites