Cheat Engine - The Official Site of Cheat Engine

Andrej730 (How do I cheat?, Reputation: 0, Joined: 20 Jan 2024, Posts: 4)
Posted: Sat Jan 20, 2024 6:07 am    Post subject: Tutorial x32 crash on code injection
I was following the 9th step of the tutorial using the "Cheat Engine Tutorial Step 9 : Shared Code" YouTube tutorial, and I've learned that it crashed on the code injection part, but it works fine if I use the x64 version of the tutorial.
The script for code injection is below. There was an instruction that was writing the decreased health value, and I just skipped it if [ebx+10] = 1 (where ebx+10 stores the team id):
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
cmp [ebx+10], 1
je short exit
originalcode:
mov [ebx+04],eax
fldz
exit:
jmp returnhere
"Tutorial-i386.exe"+28E89:
jmp newmem
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"Tutorial-i386.exe"+28E89:
db 89 43 04 D9 EE
//mov [ebx+04],eax
//fldz
Then I met the same crash on code injection in graphical tutorial level 2.
The code injection script is below. Similar concept: I check if [rax+60] (which is the max health of the entity) equals 0x64 (=100 health) and jump to exit right away instead of subtracting the damage from the entity's health.
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048,"gtutorial-x86_64.exe"+400E3)
label(returnhere)
label(originalcode)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
cmp [rax+64], 64
je short exit
originalcode:
sub [rax+60],edx
ret
add [rax],al
exit:
jmp returnhere
"gtutorial-x86_64.exe"+400E3:
jmp newmem
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"gtutorial-x86_64.exe"+400E3:
db 29 50 60 C3 00 00
//sub [rax+60],edx
//ret
//add [rax],al
I'm fairly new to this, can you please help me understand:
1) How do I investigate those types of crashes to know why they happen?
2) What causes them?
3) A bit of a side question. I noticed that sometimes when you attach a debugger (when you do something like "Find out what writes to this address"), it shows you instructions and then you close the window that appeared without clicking "Stop". Then if you open it again, it stops showing new instructions that used that address. Is it because the previous debugger is still running somewhere in the background? Can I somehow stop it after the window is closed, or retrieve its window?
Thanks.

ParkourPenguin (I post too much, Reputation: 147, Joined: 06 Jul 2014, Posts: 4518)
Posted: Sat Jan 20, 2024 11:23 am    Post subject:
You didn't execute the original code. If you want to skip that `sub` instruction, that's fine. The other instruction, `fldz`, should always be executed.
Code:
newmem:
cmp [ebx+10], 1
je short exit
originalcode:
mov [ebx+04],eax
exit:
fldz
jmp returnhere
Same thing for the second script. You shouldn't jump back in that case because of the `ret` instruction.
1) If you don't know what the code you're writing does, you won't know right from wrong. Learn more about assembly. Look through a basic tutorial on x86 assembly to get started. Read an instruction set reference for more details. e.g.:
https://www.felixcloutier.com/x86/
2) You did something wrong. There's really no way to be more specific than that for such a generic question.
In the first script, your code injection screws with the x87 stack. On one path, it loads 0 onto the stack; the other does nothing. Eventually, this will probably result in an x87 stack underflow or overflow.
In the second script, you jump back past the end of the original function, effectively jumping to garbage that probably isn't even valid code (at least not code that was supposed to be executed).
Don't screw with the original code if you don't know what it does.
3) Works fine for me. Go to "Memory Viewer -> View -> Breakpoint list" to see all the active breakpoints.
The game must actually access / write to the address for the respective breakpoint to trigger.
_________________
I don't know where I'm going, but I'll figure it out when I get there.

Andrej730 (How do I cheat?, Reputation: 0, Joined: 20 Jan 2024, Posts: 4)
Posted: Sat Jan 20, 2024 12:06 pm    Post subject:
Thank you, it helps! I've also investigated the issues with the debugger by stepping through the code to understand it better.
The main problem in both cases was that I assumed it was safe just to replace all instructions overridden by the code injection `jmp newmem` with my code, but it turns out there were some overridden instructions that must be executed from my code too (in the first case it was fldz, in the second, ret). I'll post both solutions below just for reference.
Quote: Works fine for me. Go to "Memory Viewer -> View -> Breakpoint list" to see all the active breakpoints.
That's nice, it has the list of all the times I've used options similar to "find what writes to this address". Not sure about my issue, maybe I just got confused - I'll try to reproduce it more consistently.
Solutions:
1) Step 9 tutorial. The problem was that for the player it was jumping to the `exit` label and the `fldz` instruction was never executed in that case, resulting in a crash.
Why it worked on x64: on x64 it was overriding just 1 instruction, `movss [rbx+08],xmm0`, so there was no need to reuse any overridden instructions in the `newmem` code.
Solution:
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
cmp [ebx+10], 1
je exit
originalcode:
mov [ebx+04],eax
exit:
fldz
jmp returnhere
"Tutorial-i386.exe"+28E89:
jmp newmem
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"Tutorial-i386.exe"+28E89:
db 89 43 04 D9 EE
//mov [ebx+04],eax
//fldz
2) The problem with the graphic tutorial code was that in the case of the player taking damage it was jumping to `returnhere` and never executing `ret`, so the solution was:
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048,"gtutorial-x86_64.exe"+400E3)
label(exit)
newmem:
// compare max health to 100 (player has max health = 100)
// and skip the damage
cmp [rax+64],#100
je exit
sub [rax+60],edx
exit:
ret
"gtutorial-x86_64.exe"+400E3:
jmp newmem
nop
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"gtutorial-x86_64.exe"+400E3:
db 29 50 60 C3 00 00
//sub [rax+60],edx
//ret
//add [rax],al
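As an added example that is not part of the thread (and not Cheat Engine's own code), here is a toy decoder in Python that makes the point of both posts mechanical: given the original bytes a 5-byte `jmp newmem` overwrites (the `db` lines from the two [DISABLE] blocks), it lists every whole instruction that gets clobbered and therefore has to be reproduced in the cave, the padding nop count, and whether a `ret` is among them (in which case the cave must not jump back). The same byte comparison is what an integrity checker does to detect an inline jmp hook on a function. The decoder only knows the opcodes that appear in these two scripts; the inputs are constructed from the thread's `db` bytes.

```python
# Added example, not code from the thread or from Cheat Engine. A toy x86/x64
# length decoder covering only the opcodes in the two scripts above. It shows
# which whole instructions a 5-byte "jmp newmem" clobbers (each must be kept in
# the cave), and doubles as the compare an integrity checker runs on a hook site.

JMP_REL32_LEN = 5  # E9 + rel32, the hook Cheat Engine writes for "jmp newmem"
_MODRM_OPS = {0x00: "add r/m8,r8", 0x29: "sub r/m32,r32", 0x89: "mov r/m32,r32"}

def _modrm_operand_len(code, i):
    """Bytes used by the ModRM operand whose ModRM byte is at code[i]."""
    mod, rm = code[i] >> 6, code[i] & 7
    n = 1
    if mod != 3 and rm == 4:                 # SIB byte follows
        n += 1
        if mod == 0 and (code[i + 1] & 7) == 5:
            n += 4                           # SIB with no base: disp32
    if mod == 1:
        n += 1                               # disp8, e.g. [ebx+04], [rax+60]
    elif mod == 2 or (mod == 0 and rm == 5):
        n += 4                               # disp32 (RIP-relative on x64)
    return n

def decode(code, i):
    """Return (mnemonic, length) of the instruction at code[i]."""
    op = code[i]
    if op == 0xC3:
        return "ret", 1
    if op == 0xD9 and code[i + 1] == 0xEE:
        return "fldz", 2
    if op in _MODRM_OPS:
        return _MODRM_OPS[op], 1 + _modrm_operand_len(code, i + 1)
    raise ValueError(f"opcode {op:#04x} at offset {i} not in this toy decoder")

def stolen_instructions(original, hook_len=JMP_REL32_LEN):
    """Instructions overlapped by a hook_len-byte jmp written at offset 0.
    Returns (list of (mnemonic, hex), padding nops the jmp leaves, has_ret)."""
    i, stolen = 0, []
    while i < hook_len:                      # decode until the jmp is covered
        name, n = decode(original, i)
        stolen.append((name, original[i:i + n].hex(" ")))
        i += n
    return stolen, i - hook_len, any(name == "ret" for name, _ in stolen)

def inline_hook_present(expected, current):
    """True if a site no longer holds its expected bytes and now starts with jmp."""
    return current[:len(expected)] != expected and current[:1] == b"\xE9"

# Constructed inputs: the "db" bytes from the two [DISABLE] blocks above.
STEP9_ORIGINAL = bytes.fromhex("89 43 04 D9 EE")         # mov [ebx+04],eax ; fldz
GTUTORIAL_ORIGINAL = bytes.fromhex("29 50 60 C3 00 00")  # sub [rax+60],edx ; ret ; add [rax],al
```

For the graphical tutorial bytes the result reports one padding nop (the `nop` after `jmp newmem` in the script) and a stolen `ret`, which is exactly why the cave has to end in `ret` rather than `jmp returnhere`.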