Cheat Engine The Official Site of Cheat Engine
TORPEDa Cheater Reputation: 1
Joined: 16 Sep 2010 Posts: 41
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25252 Location: The netherlands
Posted: Fri Sep 17, 2010 7:55 am
If it's an online game, give up.
If it's not, then I suggest finding the pointer to 2695338 instead of 005DA043.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
TORPEDa Cheater Reputation: 1
Joined: 16 Sep 2010 Posts: 41
Posted: Fri Sep 17, 2010 8:33 am
Dark Byte wrote: | If it's an online game give up
If it's not, then I suggest finding the pointer to 2695338 instead of 005DA043 |
May I know how you got 2695338?
Because this code changes its location every time I restart the game, and now it's not 005DA043.
Thank you.
EDIT: I know how you got it, will try it and post results.
EDIT2: Yes, this gives me 1 black address, but I need to find a pointer to "add [edx+50],eax", not to my scores.
Any hints?
Csimbi I post too much Reputation: 91
Joined: 14 Jul 2007 Posts: 3093
Posted: Fri Sep 17, 2010 9:04 am
Did you complete the tutorial that comes with CE?
There is a bunch of good info about finding base addresses of pointers.
Sounds like a flash game (or some plugin-based game anyway). For flash games, expect a level 13-15+ pointer for values.
But. You won't find a pointer to a specific instruction in the code - ever.
But worry not, for AOB scan is very useful for this purpose. Did you try AOB scan to find the instruction?
AOB scan is relatively new, and not part of the tutorial. A note to Dark Byte: Should it be added?
If you need a starting point, download some tables or aa scripts and check how it's done.
PS. AOB scan is a very good way to cause crashes, so be sure to
- include read-only memory
- use at least 12 bytes
in your scans to avoid false positives.
TORPEDa Cheater Reputation: 1
Joined: 16 Sep 2010 Posts: 41
Posted: Fri Sep 17, 2010 9:15 am
TORPEDa wrote: | Csimbi wrote: | Did you complete the tutorial that comes with CE?
There is a bunch of good info about finding base addresses of pointers.
Sounds like a flash game (or some plugin-based game anyway). For flash games, expect a level 13-15+ pointer for values.
But. You won't find a pointer to a specific instruction in the code - ever.
AOB scan is very useful for that. Did you try AOB scan to find the instruction? |
I did complete the tutorial.
So, you are saying that it's impossible to find a pointer to a specific instruction?
Hmmm... What should I do if the only way (IMO) to change the score without turning on an alarm is to change this instruction, or to inject code? |
Csimbi wrote: | Did you complete the tutorial that comes with CE?
There is a bunch of good info about finding base addresses of pointers.
Sounds like a flash game (or some plugin-based game anyway). For flash games, expect a level 13-15+ pointer for values.
But. You won't find a pointer to a specific instruction in the code - ever.
But worry not, for AOB scan is very useful for this purpose. Did you try AOB scan to find the instruction?
AOB scan is relatively new, and not part of the tutorial. A note to Dark Byte: Should it be added?
If you need a starting point, download some tables or aa scripts and check how it's done.
PS. AOB scan is a very good way to cause crashes, so be sure to
- include read-only memory
- use at least 12 bytes
in your scans to avoid false positives. |
OK, I downloaded some tables.
Now I have got another question.
What AND where should I learn to be able to do something like this:
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
label(raddress)
registersymbol(raddress)
aobscan(raob,8B 96 50 04 00 00 89 55 F8)
raob:
raddress:
jmp newmem
nop
returnhere:
newmem: //this is allocated memory, you have read,write,execute access
mov edx,[esi+00000450]
mov [esi+00000460],3B9AC9FF //999999999 minerals
mov [esi+00000468],3B9AC9FF //999999999 gas
//place your code here
originalcode:
//mov edx,[esi+00000450]
exit:
jmp returnhere
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
raddress:
mov edx,[esi+00000450]
//Alt: db 8B 96 50 04 00 00
unregistersymbol(raddress)
It's Geri's code for StarCraft 2!
Any links to tutorials?
Falc0n Expert Cheater Reputation: 1
Joined: 04 Apr 2009 Posts: 104
Posted: Fri Sep 17, 2010 11:24 am
It's just simply auto assembler code lol.... : /
It's basic asm and a bunch of easy-to-learn operations that db created himself.
Csimbi I post too much Reputation: 91
Joined: 14 Jul 2007 Posts: 3093
Posted: Fri Sep 17, 2010 11:42 am
TORPEDa wrote: | I did complete tutorial. |
Good, no need to explain the very basics then.
TORPEDa wrote: | So, You are saying that its impossible to find a pointer to a specific instruction ? |
Correct. You could find a pointer to the entry points of procedures, but it's far too complicated to yield usable results.
TORPEDa wrote: | Hmmm... What should i do if the only way(IMO) to change score without turning on alarm is to change this instruction, or to inject a code? |
That's where AOB scan comes into the picture.
Take the time to learn it, it is a great asset in CE.
TORPEDa wrote: | OK, I downloaded some tables.
Now I have got another question.
What AND where should I learn to be able to do something like this: |
I added some comments to the code below - and removed pieces that are not relevant, so you should be able to figure it out from there.
Code:
[ENABLE]
...
// We register a symbol for the location of the address we will find during AOB scan, so we can easily restore the original code later on.
registersymbol(raddress)
// The following command performs the actual AOB scan. Syntax: aobscan(<symbol>,<byte sausage>).
// CE will scan the memory (including the read-only memory) for <byte sausage>.
// When <byte sausage> was found, <symbol> takes the address of the location, and you can use that symbol just like any label.
// If <byte sausage> was not found, CE stops running the script and consequently, it will not be enabled.
// For this very reason, you should commence all AOB scans before performing any other things in the script - including symbol registrations, memory allocations, etc.
// Note: this is actually a mistake in Geri's script; symbol registration should be after the aob scan.
aobscan(raob,8B 96 50 04 00 00 89 55 F8)
// You use the AOB scan <symbol> like any other label.
// It represents the address of the first byte in <byte sausage>.
raob:
// You put here a symbol of your own that you have registered earlier.
// This way, that symbol will take the same address as <symbol>.
// What follows your symbol is your own code, usually an unconditional jump or a call to your code cave that contains the code you want to inject.
// Remember to pad your jumps/calls with nop.
raddress:
jmp newmem
nop
returnhere:
...
[DISABLE]
// You put here a symbol of your own that you have registered earlier.
// This symbol has taken the address of the aob scan <symbol> earlier, so it can be used conveniently to restore the original code.
raddress:
mov edx,[esi+00000450]
// You unregister the symbol when you don't need it anymore.
unregistersymbol(raddress)
// Note: usually put "dealloc(newmem)" last, after restoring the code and unregistering symbols.
TORPEDa wrote: | Any links to tutorials? |
I don't know. Search.
Having completed the tutorial, and with the comments in the code above, you should be armed with everything you need.
Give it a go. Just remember the "read-only memory" and the "use at least 12 bytes" tips to avoid crashes.
Last edited by Csimbi on Fri Sep 17, 2010 12:02 pm; edited 6 times in total
Geri Moderator Reputation: 111
Joined: 05 Feb 2010 Posts: 5636
Csimbi I post too much Reputation: 91
Joined: 14 Jul 2007 Posts: 3093
Posted: Fri Sep 17, 2010 12:17 pm
Here's a draft(!) aob script for your case.
Study it and be sure to double-check the hack point and the byte sausage before you actually use it.
Code:
[ENABLE]
aobscan(aobHook, 01 42 50 8B 85 C6 FF FF FF 8B 48 34 39 09)
alloc(mCave, 1024)
label(cHook)
registersymbol(cHook)
mCave:
// Your code here:
// Original code:
add [edx+50],eax
mov eax,[ebp-00000094]
ret
aobHook:
cHook:
call mCave
nop
nop
nop
nop
[DISABLE]
cHook:
add [edx+50],eax
mov eax,[ebp-00000094]
unregistersymbol(cHook)
dealloc(mCave)
PS. You can use ?? as wildcards in aob scan.
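The scan tips in this thread (use at least 12 bytes, ?? as a one-byte wildcard) and the C6/6C transposition that AhMunRa catches later can be reproduced offline with a small byte-signature matcher of the kind detection engines also use. This is an added example in Python, not code from the thread or from Cheat Engine; the buffer contents, filler bytes and helper names are constructed for illustration.

```python
from typing import List, Optional

def parse_aob(pattern: str) -> List[Optional[int]]:
    """Turn "01 42 ?? 8B" into [0x01, 0x42, None, 0x8B]; None is a one-byte wildcard."""
    out: List[Optional[int]] = []
    for tok in pattern.split():
        if tok in ("??", "?"):
            out.append(None)
        elif len(tok) == 2:
            out.append(int(tok, 16))
        else:
            raise ValueError(f"bad AOB token {tok!r}")
    return out

def aob_scan(buf: bytes, pattern: str) -> List[int]:
    """Return every offset in buf where the pattern matches, not just the first one."""
    pat = parse_aob(pattern)
    n = len(pat)
    return [i for i in range(len(buf) - n + 1)
            if all(p is None or buf[i + j] == p for j, p in enumerate(pat))]

def unique_hit(buf: bytes, pattern: str) -> Optional[int]:
    """Offset of the match only if it is unambiguous; None on zero or several hits."""
    hits = aob_scan(buf, pattern)
    return hits[0] if len(hits) == 1 else None

# Constructed buffer (not a real memory dump): the 9-byte hook site from the thread,
# add [edx+50],eax (01 42 50) and mov eax,[ebp-94] (8B 85 6C FF FF FF), followed by
# the next two instructions (8B 48 34 = mov ecx,[eax+34]; 39 09 = cmp [ecx],ecx).
HOOK_SITE = bytes.fromhex("01 42 50 8B 85 6C FF FF FF 8B 48 34 39 09")
# Filler that deliberately repeats the short prefixes "01 42 50" and "01 42 50 8B 85",
# the way real code repeats common instruction sequences.
FILLER = bytes.fromhex("55 8B EC 01 42 50 C3 90 90 01 42 50 8B 85 00 00 00 00 C3")
BUFFER = FILLER + HOOK_SITE + FILLER

if __name__ == "__main__":
    typo = "01 42 50 8B 85 C6 FF FF FF 8B 48 34 39 09"   # the C6/6C transposition
    fixed = "01 42 50 8B 85 6C FF FF FF 8B 48 34 39 09"
    wild = "01 42 50 8B 85 ?? FF FF FF 8B 48 34 39 09"   # tolerate that byte instead
    print("3-byte pattern hits:", aob_scan(BUFFER, "01 42 50"))  # 5 hits: ambiguous
    print("typo pattern hits:  ", aob_scan(BUFFER, typo))        # []: script would abort
    print("fixed pattern hit:  ", unique_hit(BUFFER, fixed))     # 19
    print("wildcard hit:       ", unique_hit(BUFFER, wild))      # 19
```

A short pattern matching in several places is exactly the false positive the 12-byte tip guards against, and a pattern with a transposed byte matches nowhere, which is why the script aborts instead of enabling.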
TORPEDa Cheater Reputation: 1
Joined: 16 Sep 2010 Posts: 41
Posted: Fri Sep 17, 2010 2:56 pm
Csimbi wrote: | Here's a draft(!) aob script for your case.
Study it and be sure to double-check the hack point and the byte sausage before you actually use it.
Code:
[ENABLE]
aobscan(aobHook, 01 42 50 8B 85 C6 FF FF FF 8B 48 34 39 09)
alloc(mCave, 1024)
label(cHook)
registersymbol(cHook)
mCave:
// Your code here:
// Original code:
add [edx+50],eax
mov eax,[ebp-00000094]
ret
aobHook:
cHook:
call mCave
nop
nop
nop
nop
[DISABLE]
cHook:
add [edx+50],eax
mov eax,[ebp-00000094]
unregistersymbol(cHook)
dealloc(mCave)
PS. You can use ?? as wildcards in aob scan. |
Thank you! But what are those mCaves, cHooks, labels?
When I try executing your code I get this: See Attachment
Geri wrote: | Yes, this is probably one of the simplest scripts ever.
If you want to read my tutorial on how to do this, check out the articles on this page:
url
I have used exactly the same method on C&C Generals ZH and I have written down in detail how to do it as an example. The same method was used in many other games. In SC2 too.
url |
I checked your site a few days ago, nice tutorials!
[Attachment: screenshot, 107.79 KB, viewed 29203 times]
AhMunRa Grandmaster Cheater Supreme Reputation: 27
Joined: 06 Aug 2010 Posts: 1117
Posted: Fri Sep 17, 2010 3:22 pm
The C and the 6 are transposed. Switch them.
C6 should be 6C
_________________
<Wiccaan> Bah that was supposed to say 'not saying its dead' lol. Fixing >.>
TORPEDa Cheater Reputation: 1
Joined: 16 Sep 2010 Posts: 41
Posted: Fri Sep 17, 2010 3:29 pm
AhMunRa wrote: | The C and the 6 are transposed. Switch them.
C6 should be 6C |
Oh, I didn't notice!
Thank you!
EDIT: Code works!
OK, now I need to learn some basics like: what those mCaves, cHooks, labels etc. are.
YaY!
Csimbi I post too much Reputation: 91
Joined: 14 Jul 2007 Posts: 3093
Posted: Fri Sep 17, 2010 7:03 pm
Oh, a typo, thanks AhMunRa!
This is what happens when you type. When you copy that from CE directly, you will not have this problem.
TORPEDa wrote: |
OK, now I need to learn some basics like: what those mCaves, cHooks, labels etc. are. |
Oh, those are just my own names for labels and stuff. I make the first letter lowercase, indicating the purpose of the symbol (m for memory, c for code, p for pointer, etc.); the rest is just whatever comes to my mind...
There are nice tutorials around about the auto-assembler - and actually, it's part of the tutorial as well...
TORPEDa Cheater Reputation: 1
Joined: 16 Sep 2010 Posts: 41
Posted: Fri Sep 17, 2010 7:09 pm
Csimbi wrote: | Oh, a typo, thanks AhMunRa!
This is what happens when you type. When you copy that from CE directly, you will not have this problem.
TORPEDa wrote: |
OK, now I need to learn some basics like: what those mCaves, cHooks, labels etc. are. |
Oh, those are just my own names for labels and stuff. I make the first letter lowercase, indicating the purpose of the symbol (m for memory, c for code, p for pointer, etc.); the rest is just whatever comes to my mind...
There are nice tutorials around about the auto-assembler - and actually, it's part of the tutorial as well... |
In the tutorial you just need to inject 1 line...
Csimbi I post too much Reputation: 91
Joined: 14 Jul 2007 Posts: 3093
Posted: Fri Sep 17, 2010 8:06 pm
Hit F1 in the auto-assembler window.