Cheat Engine The Official Site of Cheat Engine
shadel (Advanced Cheater) | Reputation: 0 | Joined: 19 May 2010 | Posts: 52
Posted: Mon Sep 06, 2010 5:12 pm | Post subject: dynamic code duplication, is it possible to do that?
What do I mean by that?
Well, when you do code injection with the help of the auto-assembler template,
CE copies some bytes and puts them under the label "originalcode" and puts a jmp where they were.
However, the copy is static, so for some games the "originalcode" is not valid anymore.
Can the code be copied dynamically to an allocated space and back to the origin?
Dark Byte (Site Admin) | Reputation: 470 | Joined: 09 May 2003 | Posts: 25796 | Location: The Netherlands
Posted: Mon Sep 06, 2010 5:14 pm
Yes, readbytes, but you REALLY do not want to do that.
If the bytes change, then what you're overwriting with a jump is different as well,
and you will certainly crash.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.
shadel (Advanced Cheater) | Reputation: 0 | Joined: 19 May 2010 | Posts: 52
Posted: Mon Sep 06, 2010 6:49 pm
Isn't readbytes a Visual Basic procedure?
I was thinking about assembler only.
Well, here is the code region I want to modify and a canvas of code:
```
207FF9A8 - c7 05 68 00 f7 01 dc 84 1d 00 - mov [01f70068],001d84dc : [00000000]
207FF9B2 - 81 0d 14 00 f7 01 00 00 00 80 - or [01f70014],80000000
207FF9BC - 31 c0 - xor eax,eax
207FF9BE - a3 b4 ff f6 01 - mov [01f6ffb4],eax
207FF9C3 - c7 05 b0 ff f6 01 e0 84 1d 00 - mov [01f6ffb0],001d84e0 : [00000000]
207FF9CD - 8b 0d b0 fe f6 01 - mov ecx,[01f6feb0] : [00000001]
207FF9D3 - 83 c1 0c - add ecx,0c
207FF9D6 - 89 c8 - mov eax,ecx
207FF9D8 - c1 e8 0c - shr eax,0c
207FF9DB - 8b 04 85 08 f0 8d 01 - mov eax,[eax*4+018df008]
207FF9E2 - bb f1 f9 7f 20 - mov ebx,207ff9f1 : [00142581]
207FF9E7 - 01 c1 - add ecx,eax
207FF9E9 - 0f 88 d1 e7 05 e1 - js 0185e1c0
207FF9EF - 89 11 - mov [ecx],edx
207FF9F1 - 81 25 14 00 f7 01 ff ff ff 7f - and [01f70014],7fffffff
```
```
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
//find the injection point by its bytes; the ** wildcards skip the upper bytes of the address
aobscan(faddr,89 11 81 25 14 00 ** ** ff ff ff 7f c7 05 68 00 ** ** 14 84 1d 00)
label(faddr_r)
registersymbol(faddr_r)

faddr:
faddr_r:
jmp newmem //5 bytes
nop //7 nops pad to the 12 bytes of the two replaced instructions
nop
nop
nop
nop
nop
nop
returnhere:

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
jmp returnhere //jumps back before the copied instructions below, so they are skipped

originalcode:
mov [ecx],edx
and [01f70014],7fffffff //static copy of the address that differs between runs

exit:
jmp returnhere

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
faddr_r:
mov [ecx],edx
and [01f70014],7fffffff
//Alt: db 89 11 81 25 14 00 F7 01 FF FF FF 7F
unregistersymbol(faddr_r)
```
I'm trying to find a workaround to get rid of the static value 01f70014, both in enable and disable:
```
and [01f70014],7fffffff
```
I'm new to assembler, so I don't really know if it is possible.
Maybe by using the memory at 207FF9B4, which I don't edit and which will always be there.
shadel (Advanced Cheater) | Reputation: 0 | Joined: 19 May 2010 | Posts: 52
Posted: Tue Sep 07, 2010 3:42 pm
I found out by adding this part to the code, using the labels like registers and values:
```
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
aobscan(faddr,89 11 81 25 14 00 ** ** ff ff ff 7f c7 05 68 00 ** ** 14 84 1d 00)
label(faddr_r)
registersymbol(faddr_r)

faddr:
faddr_r:
jmp newmem
db 90 90 90 ff ff ff 7f //7 bytes of padding after the 5-byte jmp, never executed

returnhere:

newmem:
push eax
push ebx
mov eax,faddr
mov ebx,[eax-3a]     //4 bytes at faddr-3a (207FF9B5 for the listing above): 00 f7 01 00, taken from the operand of or [01f70014] at 207FF9B2
mov [eax+5],ebx      //written into the padding behind jmp newmem at the injection point
mov eax,originalcode
mov [eax+5],ebx      //bytes 5..8 of the copy: completes the address after the static 14
mov [eax+8],7fffffff //bytes 8..11 of the copy: the immediate (both writes land past the 5 db bytes, i.e. on the exit jmp below)
pop ebx
pop eax
jmp returnhere       //returns before originalcode, so the patched copy is not executed

originalcode:
db 89 11 81 25 14    //only the static 5 bytes of mov [ecx],edx + and [01f70014],...

exit:
jmp returnhere

[DISABLE]
dealloc(newmem)
faddr_r:
db 89 11 81 25 14    //restores the first 5 bytes; bytes 5..11 keep whatever the enable code left there
unregistersymbol(faddr_r)
```
But I could only do it because some parts were static in the end...
Dark Byte (Site Admin) | Reputation: 470 | Joined: 09 May 2003 | Posts: 25796 | Location: The Netherlands
Posted: Tue Sep 07, 2010 4:39 pm
Sorry, I meant readmem.
Example:
```
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode_uniqueid)
label(exit)
//the address operand is fully wildcarded, so the scan still matches when the game uses another address
aobscan(faddr,89 11 81 25 ** ** ** ** ff ff ff 7f c7 05 68 00 ** ** 14 84 1d 00)
label(faddr_r)
registersymbol(faddr_r)
registersymbol(originalcode_uniqueid) //kept registered so [DISABLE] can read the copy back

faddr:
faddr_r:
jmp newmem
nop
nop
nop
nop
nop
nop
nop
returnhere:

newmem:
//do what you want

originalcode_uniqueid:
readmem(faddr,12) //copies the 12 bytes at the injection point, whatever address they contain

exit:
jmp returnhere

[DISABLE]
dealloc(newmem)
faddr_r:
readmem(originalcode_uniqueid,12) //puts the saved 12 bytes back
unregistersymbol(faddr_r)
unregistersymbol(originalcode_uniqueid)
```
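As an added example (not code from this thread or from Cheat Engine), the same enable/disable cycle as Dark Byte's readmem script, written in C over a byte array that stands in for the game's code page: scan with a wildcard mask, copy the live 12 bytes into the trampoline, write the jmp plus nops, and restore from the saved copy on disable. It also covers the warning in Dark Byte's first reply: when the bytes at the site no longer match the pattern, the scan fails and nothing is patched, instead of a jmp being written over different instructions. The sample page is the listing from shadel's post embedded as a constructed array; the function names and the filled-in wildcard bytes are this example's own assumptions.

```c
/* Added example, not code from this thread or from Cheat Engine: the readmem
 * hook cycle in C over a byte array standing in for the game's code page. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HOOK_LEN 12              /* bytes replaced: mov [ecx],edx (2) + and [abs32],imm32 (10) */
#define TRAMP_LEN (HOOK_LEN + 5) /* copied bytes followed by the jmp back */

/* Constructed sample: the bytes at 207FF9EF.. from the thread's listing, plus the
 * next instruction as in the aobscan pattern (wildcard bytes filled in by us). */
static const uint8_t g_listing[] = {
    0x89, 0x11,                                                 /* mov [ecx],edx           */
    0x81, 0x25, 0x14, 0x00, 0xf7, 0x01, 0xff, 0xff, 0xff, 0x7f, /* and [01f70014],7fffffff */
    0xc7, 0x05, 0x68, 0x00, 0xf7, 0x01, 0x14, 0x84, 0x1d, 0x00  /* next mov, must stay intact */
};
static uint8_t g_code[sizeof g_listing]; /* the "live" page we patch */
static uint8_t g_tramp[TRAMP_LEN];       /* alloc(newmem) */
static uint8_t g_saved[HOOK_LEN];        /* the copy [DISABLE] restores */

/* The thread's aobscan: 'x' = byte must match, '?' = the ** wildcards (address bytes). */
static const uint8_t g_pat[] = {
    0x89, 0x11, 0x81, 0x25, 0, 0, 0, 0, 0xff, 0xff, 0xff, 0x7f,
    0xc7, 0x05, 0x68, 0x00, 0, 0, 0x14, 0x84, 0x1d, 0x00
};
static const char g_mask[] = "xxxx????xxxxxxxx??xxxx";

/* Offset of the first match, or -1: code that does not match is never patched. */
long aob_scan(const uint8_t *buf, size_t len, const uint8_t *pat, const char *mask)
{
    size_t n = strlen(mask), i;
    for (size_t off = 0; off + n <= len; off++) {
        for (i = 0; i < n && (mask[i] != 'x' || buf[off + i] == pat[i]); i++) ;
        if (i == n) return (long)off;
    }
    return -1;
}

/* Encode "E9 rel32" at 'at' jumping to 'target'; -1 if the displacement does not fit. */
int write_jmp(uint8_t *at, const uint8_t *target)
{
    intptr_t rel = (intptr_t)target - ((intptr_t)at + 5);
    if (rel > INT32_MAX || rel < INT32_MIN) return -1;
    uint32_t r = (uint32_t)(int32_t)rel;
    at[0] = 0xE9;
    for (int i = 0; i < 4; i++) at[1 + i] = (uint8_t)(r >> (8 * i)); /* little-endian rel32 */
    return 0;
}

/* Decode the target of an "E9 rel32" at 'at' (NULL if it is not a jmp); used to verify. */
const uint8_t *jmp_target(const uint8_t *at)
{
    if (at[0] != 0xE9) return NULL;
    uint32_t r = 0;
    for (int i = 0; i < 4; i++) r |= (uint32_t)at[1 + i] << (8 * i);
    return at + 5 + (int32_t)r;
}

/* [ENABLE]: readmem the live bytes, build the trampoline, then write jmp + nops. */
int install_hook(uint8_t *site, uint8_t *tramp, uint8_t *saved)
{
    memcpy(saved, site, HOOK_LEN); /* what [DISABLE] puts back */
    memcpy(tramp, site, HOOK_LEN); /* originalcode_uniqueid: readmem(faddr,12) */
    /* Valid only because both copied instructions use absolute addressing; a
     * relative jmp/call inside the window would have to be re-encoded. */
    if (write_jmp(tramp + HOOK_LEN, site + HOOK_LEN)) return -1; /* exit: jmp returnhere */
    if (write_jmp(site, tramp)) return -1;                       /* faddr: jmp newmem */
    memset(site + 5, 0x90, HOOK_LEN - 5);                        /* the seven nops */
    return 0;
}

/* [DISABLE]: faddr_r: readmem(originalcode_uniqueid,12). */
void remove_hook(uint8_t *site, const uint8_t *saved) { memcpy(site, saved, HOOK_LEN); }

/* Scan and hook a fresh copy of the sample page. 0 on success, -2 if not found. */
int hook_listing_demo(void)
{
    memcpy(g_code, g_listing, sizeof g_code);
    long off = aob_scan(g_code, sizeof g_code, g_pat, g_mask);
    if (off < 0) return -2;
    return install_hook(g_code + off, g_tramp, g_saved);
}

/* Dark Byte's warning: when the bytes differ (here 89 01 = mov [ecx],eax instead of
 * mov [ecx],edx), the scan fails and no jmp is written over foreign code. */
int hook_changed_code_demo(void)
{
    uint8_t page[sizeof g_listing], tramp[TRAMP_LEN], saved[HOOK_LEN];
    memcpy(page, g_listing, sizeof page);
    page[1] = 0x01;
    long off = aob_scan(page, sizeof page, g_pat, g_mask);
    if (off < 0) return -2;
    return install_hook(page + off, tramp, saved);
}
```

In a real process the site lives in a page that is not writable, so the write step first needs the page made writable (CE does this for you); the check that carries over is that nothing is written unless the scan finds the expected opcodes at the expected distances, which is what the static copy in the first script could not guarantee. The relocation caveat in install_hook matters in the listing too: the `js 0185e1c0` at 207FF9E9 is a relative branch, and a window that included it could not simply be copied.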
shadel (Advanced Cheater) | Reputation: 0 | Joined: 19 May 2010 | Posts: 52
Posted: Wed Sep 08, 2010 2:19 pm
I tried it out, but CE won't let me add it to the cheat list because of faddr being undefined.
I get the message:
```
Error in line 29 (readmem(00000000,12)) : The memory at 00000000 could not be fully read.
```
Is that what you meant when saying I don't want to use readmem?
Anyway, I somehow see how the script works, so I am going to look more into it.
Thanks.