 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
NoMercy
Master Cheater
![]() Reputation: 1
Joined: 09 Feb 2009
Posts: 289
|
 Posted: Mon Mar 08, 2010 5:01 am Post subject: AA -> ASM |
 |
|
Hello all,
I tried almsot everything, but i have no idea why this wouldnt work.
im trying to convert an AA script into _asm , after a few tries almost every script succeed, but i cant get this one....
| Code: | #define JMP(frm, to) (int)(((int)to - (int)frm) - 5); //Jump (for codecaves)
#define _CRT_SECURE_NO_WARNINGS 1 //Get rid of annoying messages with _itoa()
#include <windows.h>
#include "Resource.h"
extern BOOL NazVacExit;
DWORD DupexAddyRet = (0x7F4386 +6);
DWORD DupexAddy = 0x007F4380;
DWORD ListOffset,ESIList,EDIValue, address;
//------------------------------------------------------------------------------------------
//Reads a Pointer
__inline ULONG_PTR ReadPointer(ULONG_PTR* ulBase, INT nOffset)
{
if ( !IsBadReadPtr((VOID*)ulBase, sizeof(ULONG_PTR)) )
if ( !IsBadReadPtr((VOID*)((*(ULONG_PTR*)ulBase)+nOffset), sizeof(ULONG_PTR)) )
return *(ULONG_PTR*)((*(ULONG_PTR*)ulBase)+nOffset);
return 0;
}
void __declspec(naked) __stdcall UEMIASM ()
{
_asm
{
cmp [address],1
je [on]
cmp [address],2
je [vac]
on:
jmp [FindCharacterAddress]
vac:
jmp [DupeXVac]
FindCharacterAddress:
mov [esi+0x114],edi
push eax
push ebx
push ecx
push edx
mov eax,0
mov ebx,ListOffset
mov ecx,ESIList
mov edx,EDIValue
CompareOffset:
cmp eax,[ebx]
je [StoreESI]
cmp esi,[ecx+eax*4]
je [EndSearch]
inc eax
jmp [CompareOffset]
StoreESI:
mov [ecx+eax*4],esi
inc eax
mov [ebx],eax
mov [edx],edi
EndSearch:
pop edx
pop ecx
pop ebx
pop eax
jmp [DupexAddyRet]
//---------@-@-@-@--@-----------------------------------------
DupeXVac:
push eax
push ebx
push ecx
mov ebx,[ListOffset]
dec ebx
mov ecx,ESIList
mov eax,[ecx+ebx*4]
cmp esi,eax
je [DoNormal]
mov edi,[EDIValue]
DoNormal:
mov [esi+0x114],edi
pop eax
pop ebx
pop ecx
jmp [DupexAddyRet]
}
}
void DupexFunc ( HWND hWnd)
{
DWORD Protection;
VirtualProtect((LPVOID) DupexAddy, 0x10, PAGE_EXECUTE_READWRITE, &Protection);
while (!NazVacExit)
{
BOOL RUBEN3;
address = GetDlgItemInt (hWnd, IDC_POINTEREDIT, &RUBEN3, 0);
SetDlgItemText(hWnd, IDC_POINTER, (LPCSTR)address);
SetDlgItemText(hWnd, IDC_POINTER2, (LPCSTR)ListOffset);
*(BYTE*)DupexAddy = 0xE9;
*(DWORD*)(DupexAddy + 1) = JMP(DupexAddy,UEMIASM);
*(BYTE*)(DupexAddy + 5) = 0x90;
const unsigned int ListOffsetConst = ListOffset;
SetDlgItemText(hWnd, IDC_POINTEREDIT2 , (LPCSTR)ListOffsetConst);
ListOffset = ListOffsetConst;
address = address;
Sleep(100);
}
} |
my c++ , this is the AA script
| Code: | [enable]
alloc(FindCharacterAddress, 1024)
alloc(ListOffset, 4)
alloc(ESIList, 1024)
alloc(DupeXVac, 1024)
alloc(EDIValue, 4)
alloc(dupex,64)
alloc(address,4)
registersymbol(address)
registersymbol(FindCharacterAddress)
registersymbol(ListOffset)
label(disablez)
label(on)
label(vac)
label(EndSearch)
label(CompareOffset)
label(StoreESI)
label(DoNormal)
FindCharacterAddress:
mov [esi+114],edi
push eax
push ebx
push ecx
push edx
mov eax,0
mov ebx,ListOffset
mov ecx,ESIList
mov edx,EDIValue
CompareOffset:
cmp eax,[ebx]
je StoreESI
cmp esi,[ecx+eax*4]
je EndSearch
inc eax
jmp CompareOffset
StoreESI:
mov [ecx+eax*4],esi
inc eax
mov [ebx],eax
mov [edx],edi
EndSearch:
pop edx
pop ecx
pop ebx
pop eax
jmp 7F4386
DupeXVac:
push eax
push ebx
push ecx
mov ebx,[ListOffset]
dec ebx
mov ecx,ESIList
mov eax,[ecx+ebx*4]
cmp esi,eax
je DoNormal
mov edi,[EDIValue]
DoNormal:
mov [esi+114],edi
pop eax
pop ebx
pop ecx
jmp 7F4386 //DupeX Addy +6
address:
db 00 00 00 00
007F4380://Dupex Addy : 89 BE 14 01 00 00 EB
jmp dupex
nop
dupex:
cmp [address],0
je disablez
cmp [address],1
je on
cmp [address],2
je vac
disablez:
mov [esi+00000114],edi
jmp 007F4386 //1 addy under dupex
on:
jmp FindCharacterAddress
vac:
jmp DupeXVac
[disable]
007F4380:
mov [esi+00000114],edi
dealloc(FindCharacterAddress, 1024)
dealloc(ListOffset)
dealloc(ESIList)
dealloc(DupeXVac)
dealloc(EDIValue)
unregistersymbol(FindCharacterAddress)
unregistersymbol(ListOffset)
|
it has 2 adress which uve to add, adress and lisoffset, u gotta freeze them and change the value of adress to 1-> 2 freeze
works fine in game
the game crashs
|
|
| Back to top |
|
 |
smartz993
I post too much
 Reputation: 2
Joined: 20 Jun 2006
Posts: 2013
Location: USA
|
| Posted: Mon Mar 08, 2010 10:33 am Post subject: |
|
|
Easiest way to see if there are any problems with the inline asm is to open the DLL that you're coding in OllyDbg and look at the asm that was produced by your compiler.
If you don't see any problems, try enabling the DupeX script while attached to EmptyProcess.exe and compare that memory with the memory in Olly.
There should be differences. (probably since you're not using dword ptr)
|
|
| Back to top |
|
|
NoMercy
Master Cheater
![]() Reputation: 1
Joined: 09 Feb 2009
Posts: 289
|
| Posted: Mon Mar 08, 2010 10:57 am Post subject: |
|
|
| I tried that with a clean project, but it crashes and the adress didnt change at all, could it be cause of the VirutalProtect?
|
|
| Back to top |
|
|
smartz993
I post too much
Reputation: 2
Joined: 20 Jun 2006
Posts: 2013
Location: USA
|
| Posted: Mon Mar 08, 2010 12:50 pm Post subject: |
|
|
| NoMercy wrote: | | I tried that with a clean project, but it crashes and the adress didnt change at all, could it be cause of the VirutalProtect? |
Open the DLL in OllyDbg, don't inject it.
Or for another option, inject the DLL into EmptyProcess.exe and compare the memory the way CE shows it.
|
|
| Back to top |
|
|
NoMercy
Master Cheater
![]() Reputation: 1
Joined: 09 Feb 2009
Posts: 289
|
| Posted: Mon Mar 08, 2010 2:23 pm Post subject: |
|
|
u mean the emtpyorcess from CE right, it closes with a windows error 
|
|
| Back to top |
|
|
smartz993
I post too much
Reputation: 2
Joined: 20 Jun 2006
Posts: 2013
Location: USA
|
| Posted: Mon Mar 08, 2010 2:25 pm Post subject: |
|
|
| NoMercy wrote: | | u mean the emtpyorcess from CE right, it closes with a windows error |
Make your own emptyprocess then with some free memory haha
|
|
| Back to top |
|
|
NoMercy
Master Cheater
![]() Reputation: 1
Joined: 09 Feb 2009
Posts: 289
|
| Posted: Tue Mar 09, 2010 3:49 pm Post subject: |
|
|
| I did it with olly, but it is complety different and if u run it, and press dupex the GUi freezes, so something is definelty wrong, how can i find out what?
|
|
| Back to top |
|
|
lurc
Grandmaster Cheater Supreme
 Reputation: 2
Joined: 13 Nov 2006
Posts: 1900
|
| Posted: Tue Mar 09, 2010 10:53 pm Post subject: |
|
|
If the GUI is freezing that means it must be stuck in the infinite loop you have there:
| Code: | | while (!NazVacExit) { ... } |
Make sure you call the DupexFunc function in a different thread than the GUI message thread.
_________________
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
