Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Cheat Engine Forum Index
PostGo back to topic
Geri
Moderator
Reputation: 111
Joined: 05 Feb 2010
Posts: 5636

PostPosted: Mon Dec 12, 2011 4:11 pm    Post subject: Restore original code after execution

Here is the original article, though it doesn't really matter because it is identical to this one at this moment.

http://szemelyesintegracio.hu/cheats/41-game-hacking-articles/417-restore-code

This tutorial will not be long, I just want to share something that may help some people when they are making cheats for games that are using memory integrity checks. Of course the best way is to somehow circumvent the memory check so it will not get you, but let's say that you are not skilled enough for it, or it would take too much time and effort and it doesn't worth it. In that case, you may consider making an option that doesn't have to be turned on all the time, eg it is adding some health or ammo and then it can be turned off.

At this moment, Cheat Engine doesn't have an option to execute a script only once, but Dark Byte has provided a neat template that you can use in your AA scripts. The purpose of the script is to change back the code to the original if your cheat script has been executed, so if you use a code that is executed let's say 100 times per second, chances that a protection will find you in that fraction of second is pretty low. So here is Dark Byte's script:

Code:
alloc(mycode,512)
alloc(originalcode,6)
label(returnhere)
originalcode:
db or ig in al co de

fullaccess(game.exe+1234) //make read/write/execute
game.exe+1234:
jmp mycode
returnhere:

mycode:
do your stuff like storing the address

//restore with original bytes
pushad //can't be bothered
pushfd
cld
mov ecx,6  //nr of bytes
mov esi, originalcode
mov edi, originaladdress
rep movsb
popfd
popad

(originalinstruction)
jmp returnhere




It may be confusing if you are not familiar with all of the instructions in the code, but it will do the job perfectly. Here is the same script with my comments:

Code:
alloc(mycode,512)      //allocate 512 bytes for your cheat script
alloc(originalcode,6)    //allocate 6 bytes, assuming that the original code is 6 bytes. if it is more or less, adjust the number
label(returnhere)         //usual returnhere label as in every script, the code after the original code
originalcode:                //define originalcode
db or ig in al co de      //here you need to put the bytes that are making up the original code

fullaccess(game.exe+1234) //make read/write/execute   //don't forget to give the size parameter, in this case it is 6 bytes
game.exe+1234:                    //change the original code to...
jmp mycode                           //...a jump, and as the jump will take up 5 bytes, you will also need a nop after it to have your 6 bytes
returnhere:                            //the code after the original code

mycode:                              //here is the place of your cheat script, whatever it is
do your stuff like storing the address

//restore with original bytes
pushad //can't be bothered       //save registers
pushfd                                      //save flags
cld         //clear direction flag, see below
mov ecx,6  //nr of bytes
mov esi, originalcode
mov edi, originaladdress
rep movsb                         //move the bytes of the original code to the original code's address, see below
popfd                          //load flags
popad                        //load registers

(originalinstruction)
jmp returnhere




cld instruction:


Clears the DF flag in the EFLAGS register. When the DF flag is set to 0, string operations

increment the index registers (ESI and/or EDI). Operation is the same in all

non-64-bit modes and 64-bit mode.



rep movsb instruction:
This is a bit complicated to explain in just a few words, but here is the short story. It will copy the bytes from the address on ESI to the address on EDI. In our case, copy the original code to the original code's address. Usually you will not see this command when you are hacking games (it is used for strings, not for values like health etc), but it is useful here. In case you are interested in the long description of the command, just look it up on the net.

Maybe it is helpful if I put up some actually working code and not just a template, so here are 2 examples. Both of them is for the tutorial of Cheat Engine 6.1. Their purpose is to change your health to 999 if you click on the Hit me button in the 2nd step of the tutorial, then if this happened, change back the code to the original. Here is the first, pretty much the same as what Dark Byte has posted:

Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(mycode,512)
alloc(originalcode,6)
label(returnhere)
originalcode:
db 29 83 58 04 00 00      //these are the original bytes of the code line

fullaccess(00420F3E,6) //make read/write/execute   //00420F3E is the address of the original code
00420F3E:
jmp mycode
nop
returnhere:

mycode:
mov [ebx+0458],(int)999      //change health to 999

//restore with original bytes
pushad //can't be bothered
pushfd
cld
mov ecx,6  //nr of bytes
mov esi, originalcode
mov edi, 00420F3E
rep movsb
popfd
popad


jmp returnhere
 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat




The script above is having a little problem, it is not doing anything when you disable the code, so users would actually hit the hotkey twice to enable the cheat after every use. To solve that, here is another example:

Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
globalalloc(mycode,512)
globalalloc(originalcode,6)
label(returnhere)
originalcode:
db 29 83 58 04 00 00

fullaccess(00420F3E,6) //make read/write/execute
00420F3E:
jmp mycode
nop
returnhere:

mycode:
mov [ebx+0458],(int)999

//restore with original bytes
pushad //can't be bothered
pushfd
cld
mov ecx,6  //nr of bytes
mov esi, originalcode
mov edi, 00420F3E
rep movsb
popfd
popad


jmp returnhere
 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
globalalloc(mycode,512)                   //I have changed the alloc to globalalloc so it is allocated only once, not all the time when you run the script
globalalloc(originalcode,6)
label(returnhere)
originalcode:
db 29 83 58 04 00 00

fullaccess(00420F3E,6) //make read/write/execute
00420F3E:
jmp mycode
nop
returnhere:

mycode:
mov [ebx+0458],(int)999

//restore with original bytes
pushad //can't be bothered
pushfd
cld
mov ecx,6  //nr of bytes
mov esi, originalcode
mov edi, 00420F3E
rep movsb
popfd
popad


jmp returnhere




Hope this will be helpful for some people who are looking for this kind of option in Cheat Engine, because sometimes memory checks can be a real pain for beginners and I think that this is an acceptable solution for those who don't want to bother with it too much.
_________________
My trainers can be found here: http://www.szemelyesintegracio.hu/cheats

If you are interested in any of my crappy articles/tutorials about CE and game hacking, you can find them here:
http://www.szemelyesintegracio.hu/cheats/41-game-hacking-articles

Don't request cheats or updates.
Back to top
View user's profile Send private message
Post reviews:   Approve 2
Author Review
GrandPa
Review: Approve
Post reference:
ReviewPosted: Fri Dec 16, 2011 4:43 pm

Useful script!!!
Back to top
View user's profile Send private message
Kavvman
Review: Approve
Post reference:
ReviewPosted: Sat Feb 23, 2013 11:31 am

Thank you!
Back to top
View user's profile Send private message
Display:  
Cheat Engine Forum Index


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites