navarone Advanced Cheater
Reputation: 2
Joined: 29 May 2010 Posts: 72
Posted: Sat Jun 26, 2010 12:52 pm Post subject: Will this concept work?
Lol, I know, too many threads with too many questions, but I am about to start writing my trainer in C# this evening.
Instead of finding my own pointers, I will make my own.
It will patch some assembly lines at certain code locations to MOV the value of ESI to a static address so my trainer can grab addresses.
There's a feature implemented in CE called "Find out what addresses this code changes"; it's similar to what I want my trainer to do.
This command lies within a loop; ESI's values (the values I need) change astonishingly fast.
I am importing ReadProcessMemory and use a timer with a 50ms interval to check the address I keep ESI's value at for changes.
^
Will this work, or is it just plain retarded and I should set a memory breakpoint instead?
Also, the game I am working on CodeShifts. The address of the code is Game.dll+1AAB29
^
Game.dll is the image base + offset?

Pingo Grandmaster Cheater
Reputation: 8
Joined: 12 Jul 2007 Posts: 571
Posted: Sat Jun 26, 2010 5:23 pm
I do it with my C# trainers sometimes when the addresses are purely dynamic. I don't know how to do it with codeshifting.
I'm not sure how to convert, say, Game.dll+1AAB29 to opcodes in C# to do the jumps. Cheat Engine does it, but I don't know how.
Maybe someone or Dark Byte can help with that part.

navarone Advanced Cheater
Reputation: 2
Joined: 29 May 2010 Posts: 72
Posted: Sat Jun 26, 2010 6:02 pm
Yeah, I saw that question in an earlier thread with no answer, lol.
I am also afraid, as the code executes at CPU speed, that a 1ms timer just won't be able to catch up, or will cause massive lag.

Pingo Grandmaster Cheater
Reputation: 8
Joined: 12 Jul 2007 Posts: 571
Posted: Sat Jun 26, 2010 6:24 pm
Yeah, I didn't think I was gonna get an answer. But this thread HERE has an opcode class. Buggy as hell and returns the wrong bytes a lot of the time, but it's a start.
You could also make a small CE trainer to handle the codeshifting part and add it to the resources. Then have your app store the addresses in a table and keep updating it.
I have a good example code for that if you need it.

hcavolsdsadgadsg I'm a spammer
Reputation: 26
Joined: 11 Jun 2007 Posts: 5801
Posted: Sat Jun 26, 2010 6:30 pm
I ended up doing this in a pretty weird way a while ago.
VirtualAllocEx() to allocate some memory for myself, then ended up writing the contents of the register I wanted to the buffer I just made, then rewriting a bunch of shit, jumping there, etc... it was nasty.
Jumps are: (to - from) - jmp opcode length
Short jumps will be 2, far will be 5... off the top of my head.

Pingo Grandmaster Cheater
Reputation: 8
Joined: 12 Jul 2007 Posts: 571
Posted: Sat Jun 26, 2010 6:57 pm
slovach wrote:
    I ended up doing this in a pretty weird way a while ago.
    VirtualAllocEx() to allocate some memory for myself, then ended up writing the contents of the register I wanted to the buffer I just made, then rewriting a bunch of shit, jumping there, etc... it was nasty.
    Jumps are: (to - from) - jmp opcode length
    Short jumps will be 2, far will be 5... off the top of my head.
Do you have a sample app, slovach?

navarone Advanced Cheater
Reputation: 2
Joined: 29 May 2010 Posts: 72
Posted: Sun Jun 27, 2010 4:17 am
MOV [004004F8],EAX is supposed to copy the value of EAX to 004004F8, right?
Nope, this command upon execution causes the game to jump to another address to terminate itself.
Oh, and since I am back on my Windows XP machine, the game won't codeshift for some reason (or it's less often, dunno).

Pingo Grandmaster Cheater
Reputation: 8
Joined: 12 Jul 2007 Posts: 571
Posted: Sun Jun 27, 2010 8:11 am
Is 004004F8 static? Looks like it is.
Yeah, it's moving the value of eax. But eax probably isn't the one you need. Look at all the instruction info that accesses your address and see which one stores the address.
You'll want to move that one to a static codecave. It shouldn't terminate the game if you write the original instructions after moving it to the cave.
I'll go try the VirtualAllocEx() that slovach mentioned. I've never thought of using that. It would make it easier for both of us.

navarone Advanced Cheater
Reputation: 2
Joined: 29 May 2010 Posts: 72
Posted: Sun Jun 27, 2010 8:22 am
mov edi,[eax+00000098] (6 bytes)
Replaced with
jmp 00400298 (5 bytes, last byte replaced with NOP)
00400298 mov edi,DWORD PTR DS:[eax+00000098]
0040029E MOV DWORD PTR DS:[400ED2],EAX
004002A3 jmp 01F7E7A3 (to the opcode after 01F7E79D)
The codecave is 30 bytes, and I am sure I'm not writing EAX over my/other opcodes. All of this was done with OllyDbg as a test.
It refuses to write the value of EAX to 00400ED2 and jumps me to a specific address to terminate the game.
Even assembling that address to jump back to my code cave causes an infinite loop. lol
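The displacement rule slovach quotes ((to - from) minus the jump length, 2 bytes short / 5 bytes far) and the byte layout navarone describes above, worked through as an added example in Python; this is not code from the thread or from Cheat Engine, the function names are mine, the hook addresses are the ones in navarone's post, and the module base used for the Game.dll+1AAB29 resolution is a constructed value.

```python
import struct
from typing import Optional

# Lengths of the two x86 relative-jump encodings slovach mentions.
JMP_REL8_LEN = 2    # EB <disp8>
JMP_REL32_LEN = 5   # E9 <disp32, little-endian>
NOP = 0x90


def module_address(module_base: int, offset: int) -> int:
    """Resolve a CE-style 'Game.dll+1AAB29' reference against the module's
    current base (re-read the base after every 'codeshift')."""
    return module_base + offset


def jmp_rel32(from_addr: int, to_addr: int) -> bytes:
    """E9 jmp: displacement is relative to the END of the 5-byte jmp."""
    disp = to_addr - (from_addr + JMP_REL32_LEN)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return b"\xE9" + struct.pack("<i", disp)


def jmp_rel8(from_addr: int, to_addr: int) -> Optional[bytes]:
    """EB jmp when the target is within -128..+127 of the next
    instruction; otherwise None so the caller falls back to rel32."""
    disp = to_addr - (from_addr + JMP_REL8_LEN)
    if -128 <= disp <= 127:
        return b"\xEB" + struct.pack("<b", disp)
    return None


def hook_patch(site: int, cave: int, stolen_len: int) -> bytes:
    """Bytes written over the instruction at `site`: a rel32 jmp to the cave,
    NOP-padded so the patch covers exactly the stolen instruction bytes."""
    patch = jmp_rel32(site, cave)
    if stolen_len < len(patch):
        raise ValueError("instruction too short to hold a 5-byte jmp")
    return patch + bytes([NOP]) * (stolen_len - len(patch))


def cave_return(cave_tail: int, site: int, stolen_len: int) -> bytes:
    """Jmp at the end of the cave back to the first untouched instruction."""
    return jmp_rel32(cave_tail, site + stolen_len)


if __name__ == "__main__":
    # Addresses from navarone's OllyDbg test: the 6-byte mov edi,[eax+98]
    # at 01F7E79D, the cave at 00400298, and the cave's jmp at 004002A3.
    print(hook_patch(0x01F7E79D, 0x00400298, 6).hex(" "))   # E9 F6 1A 48 FE 90
    print(cave_return(0x004002A3, 0x01F7E79D, 6).hex(" "))  # E9 FB E4 B7 01
```

The return jmp lands on 01F7E7A3, which is the site plus the six stolen bytes, matching the address navarone's cave jumps to.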

Pingo Grandmaster Cheater
Reputation: 8
Joined: 12 Jul 2007 Posts: 571
Posted: Sun Jun 27, 2010 9:41 am
Post a little screenshot of what the "more info" gives you.
The original instructions.
Also, are you missing something in your script?
mov eax,[00400ED2] after you mov eax to 00400ED2. Dunno, let's see those instructions.

navarone Advanced Cheater
Reputation: 2
Joined: 29 May 2010 Posts: 72
Posted: Sun Jun 27, 2010 10:38 am
Jump in game and trigger the action that calls this command, and I land on my breakpoint in my code cave. Note I am keeping an eye on the address I should write EAX to; also, I manually added the address pointed to by [EAX+98]. EDI contains the correct value. 451 = 1C3
Last edited by navarone on Sun Jun 27, 2010 12:57 pm; edited 1 time in total

Pingo Grandmaster Cheater
Reputation: 8
Joined: 12 Jul 2007 Posts: 571
Posted: Sun Jun 27, 2010 11:20 am
Try this with Cheat Engine. It's just to test if the code works before finding a static cave. If the script doesn't crash it, you'll need to look at 01F7E790 in the memory viewer to see the cave. Add 0x20 to it for the location of eax. Remember it's only eax, so you'll still need to add 0x98 to it, cause [eax+00000098] is the address.
[enable]
alloc(TestCave,64)
TestCave:
mov edi,DWORD PTR DS:[eax+00000098]
mov [TestCave+20],eax
mov eax,[TestCave+20]
jmp 01F7E7A3
01F7E790:
jmp TestCave
[disable]
//no disable part
Or try it like this. The cave offset is a little bigger too: 0x2c
[enable]
alloc(TestCave,64)
TestCave:
mov edi,DWORD PTR DS:[eax+00000098]
mov [TestCave+2c],eax
mov eax,[TestCave+2c]
mov edi,DWORD PTR DS:[eax+00000098]
jmp 01F7E7A3
01F7E790:
jmp TestCave
[disable]

navarone Advanced Cheater
Reputation: 2
Joined: 29 May 2010 Posts: 72
Posted: Sun Jun 27, 2010 12:20 pm
I just noticed you wrote 01F7E790 instead of 01F7E79D. I will give it another shot.
Edit:
IT'S ALIVE!!!!!!
Thanks Pingo <3 <3 <3 <3
I will work on my trainer now.

Pingo Grandmaster Cheater
Reputation: 8
Joined: 12 Jul 2007 Posts: 571
Posted: Sun Jun 27, 2010 1:09 pm
Wait, what! It should be 01F7E79D; I made a mistake. 01F7E790 will write the wrong address or cause a crash.
From that picture, does 1C3E8A74 offset 0x98 equal the address?
Looks to me like it doesn't. Looks like the second script with the 2c offset.
Try this
[enable]
alloc(TestCave,64)
TestCave:
mov edi,DWORD PTR DS:[eax+00000098]
mov [TestCave+2c],eax
mov eax,[TestCave+2c]
mov edi,DWORD PTR DS:[eax+00000098]
jmp 01F7E7A3
01F7E79D:
jmp TestCave
[disable]

navarone Advanced Cheater
Reputation: 2
Joined: 29 May 2010 Posts: 72
Posted: Sun Jun 27, 2010 1:56 pm
Nah, it's working. I took care of this error earlier.