Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Tutorial x32 crash on code injection

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Tutorials
View previous topic :: View next topic  
Author Message
Andrej730
How do I cheat?
Reputation: 0

Joined: 20 Jan 2024
Posts: 4

PostPosted: Sat Jan 20, 2024 6:07 am    Post subject: Tutorial x32 crash on code injection Reply with quote

I was following 9th step of the tutorial using "Cheat Engine Tutorial Step 9 : Shared Code
" youtube tutorial and I've learned that it crashed on code injection part but it works fine if I use x64 version of the tutorial.

The script for code injection is below. There was instruction that was writing decreased health value and I just skipped it if [ebx+10] = 1 (where ebx+10 stores team id):
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
cmp [ebx+10], 1
je short exit

originalcode:
mov [ebx+04],eax
fldz

exit:
jmp returnhere

"Tutorial-i386.exe"+28E89:
jmp newmem
returnhere:


 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"Tutorial-i386.exe"+28E89:
db 89 43 04 D9 EE
//mov [ebx+04],eax
//fldz



Then I've met the same crash on code injection in graphical tutorial level 2.
Code injection script is below. Similar concept - I check if [rax+60] (which is max health of the entity) equals 0x64 (=100 health) and jump to exit right away instead of subtracting the damage from entity's health.

Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048,"gtutorial-x86_64.exe"+400E3)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
cmp [rax+64], 64
je short exit

originalcode:
sub [rax+60],edx
ret
add [rax],al

exit:
jmp returnhere

"gtutorial-x86_64.exe"+400E3:
jmp newmem
nop
returnhere:


 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"gtutorial-x86_64.exe"+400E3:
db 29 50 60 C3 00 00
//sub [rax+60],edx
//ret
//add [rax],al




I'm farily new to this, can you please help me understand:
1) How do I investigate those types of crashes to know why they happen?
2) What causes them?

3) A bit of a side question. Noticed that sometimes when you attach a debugger (when you do something like "Find out what writes to this address"), it shows you instructions and then you close appeared window without clicking "Stop". Then if you open it again it stops showing new instructions that used that address. Is it because because previous debugger is still running somewhere in background? Can I somehow stop after window is closed or retrieve it's window?

Thanks.
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 147

Joined: 06 Jul 2014
Posts: 4518

PostPosted: Sat Jan 20, 2024 11:23 am    Post subject: Reply with quote

You didn't execute the original code. If you want to skip that `sub` instruction, that's fine. The other instruction, `fldz`, should always be executed.
Code:
newmem:
  cmp [ebx+10], 1
  je short exit
originalcode:
  mov [ebx+04],eax
exit:
  fldz
  jmp returnhere

Same thing for the second script. You shouldn't jump back in that case because of the `ret` instruction.

1) If you don't know what the code you're writing does, you won't know right from wrong. Learn more about assembly. Look through a basic tutorial on x86 assembly to get started. Read an instruction set reference for more details. e.g.:
https://www.felixcloutier.com/x86/

2) You did something wrong. There's really no way to be more specific than that for such a generic question.
In the first script, your code injection screws with the x87 stack. One path, it loads 0 onto the stack; the other does nothing. Eventually, this will probably result in an x87 stack underflow or overflow.
In the second script, you jump back past the end of the original function, effectively jumping to garbage that probably isn't even valid code (at least not code that was suppose to be executed).
Don't screw with the original code if you don't know what it does.

3) Works fine for me. Go to "Memory Viewer -> View -> Breakpoint list" to see all the active breakpoints.
The game must actually access / write to the address for the respective breakpoint to trigger.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
Andrej730
How do I cheat?
Reputation: 0

Joined: 20 Jan 2024
Posts: 4

PostPosted: Sat Jan 20, 2024 12:06 pm    Post subject: Reply with quote

Thank you, it helps! I've also investigated issues with the debugger by stepping through the code to undertstand it better.

The main problem in both cases was that I assumed that it's safe just to replace all instructions overridden by code injection `jmp newmem` with my code but turn out there were some instructions overridden that must be executed from my code too (in first case it was fldz, in second - ret) , I'll post both solution below just for the reference.


Quote:
Works fine for me. Go to "Memory Viewer -> View -> Breakpoint list" to see all the active breakpoints.

That's nice, it has the list of all the times I've used options similar to "find what writes to this address". Not sure about my issue, maybe I just got confused - I'll try to reproduce it more consistently.






Solutions:
1) Step 9 tutorial. The problem was that for the player it was jumping to `exit` label and `fldz` instruction was never executed in that case resulting in crash.
Why it worked on x64 - on x64 it was overridding just 1 instruction `movss [rbx+08],xmm0` so there were no need to reuse any overridden instructions in `newmem` code.

Solution:

Code:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
cmp [ebx+10], 1
je exit

originalcode:
mov [ebx+04],eax

exit:
fldz
jmp returnhere

"Tutorial-i386.exe"+28E89:
jmp newmem
returnhere:


 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"Tutorial-i386.exe"+28E89:
db 89 43 04 D9 EE
//mov [ebx+04],eax
//fldz



2) Problem with graphic tutorial code was that in case player taking damage it was jumping to `returnhere` and never executing `ret`, so the solution was:
Code:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048,"gtutorial-x86_64.exe"+400E3)
label(exit)

newmem:
// compare max health to 100 (player has max health = 100)
// and skip the damage
cmp [rax+64],#100
je exit

sub [rax+60],edx

exit:
ret

"gtutorial-x86_64.exe"+400E3:
jmp newmem
nop

 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"gtutorial-x86_64.exe"+400E3:
db 29 50 60 C3 00 00
//sub [rax+60],edx
//ret
//add [rax],al
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Tutorials All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites