[unity 3d]Begone -Help with aob

 
icodeproductions
How do I cheat?
Reputation: 0

Joined: 18 May 2013
Posts: 4

PostPosted: Sat May 18, 2013 11:08 am    Post subject: [unity 3d]Begone -Help with aob Reply with quote

Hi, I am trying to hack a Unity 3D game called Begone.
I have successfully decompiled the source.

But my AOBs don't seem to work.

For example:

My objective: the player's health should remain at 100 even after getting hit.


Code:

object:Health
Method:OnEventPlayerDamage(class EventPlayerDamage e)

Here is the function

private void OnEventPlayerDamage(EventPlayerDamage e)
{
    if (((e.victimId == this.playerId) && (this.GetHealth() > 0f)) && (Application.get_isEditor() || (BaseRoundMode.GetRoundState() == BaseRoundMode.RoundState.InProgress)))
    {
        this.SetHealth(this.GetHealth() - e.damage);  <--------------------------------------------i tried to change 59 to 58 ,but nothing happens
        if (base.get_enabled() && base.get_audio().get_enabled())
        {
            if (e.damageType == EventPlayerDamage.DamageTypes.Head)
            {
                base.get_audio().set_clip(this.headshot);
                base.get_audio().set_pitch(1f);
                base.get_audio().set_volume(1f);
                base.get_audio().set_maxDistance(50f);
                base.get_audio().Play();
            }
            else if (e.damage >= 10)
            {
                base.get_audio().set_clip(this.painBig);
                base.get_audio().set_pitch(0.9f + ((((float) (e.damage - 0x19)) / 75f) * 0.2f));
                base.get_audio().set_volume(0.9f);
                base.get_audio().set_maxDistance(50f);
                base.get_audio().Play();
            }
            else
            {
                base.get_audio().set_clip(this.painSmall);
                base.get_audio().set_pitch(0.9f + ((((float) e.damage) / 25f) * 0.2f));
                base.get_audio().set_volume(0.9f);
                base.get_audio().set_maxDistance(50f);
                base.get_audio().Play();
            }
        }
        if ((this.playerId == PhotonHelper.localPlayer.playerId) && (this.GetHealth() <= 0f))
        {
            this.SetHealth(0f);
            new EventDeath(this.playerId, e.attackerId, e.damageType, e.weaponType);
        }
    }

il code

  IL_0038:  /* 02   |                  */ ldarg.0
  IL_0039:  /* 02   |                  */ ldarg.0
  IL_003a:  /* 28   | (06)000C10       */ call       instance float32 Health::GetHealth()
  IL_003f:  /* 03   |                  */ ldarg.1
  IL_0040:  /* 7B   | (04)000EA9       */ ldfld      int32 EventPlayerDamage::damage
  IL_0045:  /* 6B   |                  */ conv.r4
  IL_0046:  /* 59   |                  */ sub
  IL_0047:  /* 28   | (06)000C11       */ call       instance void Health::SetHealth(float32)
  IL_004c:  /* 02   |                  */ ldarg.0
  IL_004d:  /* 28   | (0A)00011A       */ call       instance bool [UnityEngine]UnityEngine.Behaviour::get_enabled()
  IL_0052:  /* 39   | 42010000         */ brfalse    IL_0199
  IL_0057:  /* 02   |                  */ ldarg.0
 /* 03   |                  */ ldarg.1
  IL_0001:  /* 7B   | (04)000EAB       */ ldfld      int32 EventPlayerDamage::victimId
  IL_0006:  /* 02   |                  */ ldarg.0
  IL_0007:  /* 7B   | (04)000DF8       */ ldfld      int32 Health::playerId
  IL_000c:  /* 3B   | 01000000         */ beq        IL_0012
  IL_0011:  /* 2A   |                  */ ret
  IL_0012:  /* 02   |                  */ ldarg.0
  IL_0013:  /* 28   | (06)000C10       */ call       instance float32 Health::GetHealth()
  IL_0018:  /* 22   | 00000000         */ ldc.r4     0.0
  IL_001d:  /* 43   | C5010000         */ ble.un     IL_01e7
  IL_0022:  /* 28   | (0A)0001F7       */ call       bool [UnityEngine]UnityEngine.Application::get_isEditor()
  IL_0027:  /* 3A   | 0C000000         */ brtrue     IL_0038
  IL_002c:  /* 28   | (06)000D59       */ call       valuetype BaseRoundMode/RoundState BaseRoundMode::GetRoundState()
  IL_0031:  /* 18   |                  */ ldc.i4.2
  IL_0032:  /* 3B   | 01000000         */ beq        IL_0038
  IL_0037:  /* 2A   |                  */ ret



my aob:
7b ?? ?? ?? ?? 02 7b ?? ?? ?? ?? 3b ?? ?? ?? ?? 2a 02 28 ?? ?? ?? ?? 22 ?? ?? ?? ?? 43 ?? ?? ?? ?? 28 ?? ?? ?? ?? 3a ?? ?? ?? ?? 28 ?? ?? ?? ?? 18 3b ?? ?? ?? ?? 2a 02 02 28 ?? ?? ?? ?? 03 7b ?? ?? ?? ?? 6b 59 28 ?? ?? ?? ?? 02 28 ?? ?? ?? ?? 39 ?? ?? ?? ?? 02

Any help would be appreciated

I am probably in the wrong section of the code... I am lost here.

Just in case anyone wishes to check the Begone source, here are the files:
mediafire .c om /?gyhaa19hg7gg131

_________________
learning to re....
Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25791
Location: The netherlands

PostPosted: Sat May 18, 2013 2:27 pm    Post subject: Reply with quote

Did you recompile this to a binary after changing it, or do you use CE?
If CE, it is possible the IL code had already been compiled to native code before your edit.
Perhaps it will reload it if you start a whole new game, but you may have to search for the natively generated code with an AOB and edit it there.

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
icodeproductions
How do I cheat?
Reputation: 0

Joined: 18 May 2013
Posts: 4

PostPosted: Sun May 19, 2013 1:38 am    Post subject: Reply with quote

Thanks for replying, Dark Byte. I am using CE, but how do I search for the natively generated code with an AOB and edit it there? I have uploaded all the decompiled DLL files to MediaFire if you want to have a look.
Aren't Unity3D games supposed to be like Flash games? I have a few working AOBs by someone else, but I can't find the corresponding hex codes in the source of the game. Sorry for my English.

here is the url of the game

n +p +l+ a+ y . c o m (remove the plus signs)

_________________
learning to re....
Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25791
Location: The netherlands

PostPosted: Sun May 19, 2013 3:07 am    Post subject: Reply with quote

Yes, it's like Flash, and there it is also the same as .NET sometimes (it also generates native code, sometimes).

You could try editing the metadata or PE header and tell it not to use the JITer to generate native code, but it will be slow.
Instead, try using the debugger. Find your health, then get hurt. You will find the native code. Now make an AOB scan of this so you'll find it next time, and then edit it in assembler.

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
icodeproductions
How do I cheat?
Reputation: 0

Joined: 18 May 2013
Posts: 4

PostPosted: Mon May 20, 2013 1:14 am    Post subject: Reply with quote

Dark Byte wrote:
Yes, it's like flash and there it is also the same as .net sometimes (it also generates native code, sometimes)

You could try editing the metadata or peheader and tell it to not use the JITer to generate native code, but it will be slow.
Instead try using the debugger. Find your health, then get hurt. You will find the native code. Now make an aob scan of this so you'll find it next time and then edit it in assembler


Thanks for the info. I will now try to find the health, but it's a strange memory construct... somehow a simple 4-byte search won't work with the game. I will keep you updated on my findings. I am really new at this, so don't mind me asking so many questions.

I have used Redgate for decompiling the source. Could you shed some light on which debugger to use?

_________________
learning to re....
Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25791
Location: The netherlands

PostPosted: Mon May 20, 2013 3:36 am    Post subject: Reply with quote

as you can see here:
Code:
 
call       instance void Health::SetHealth(float32)

That means that SetHealth (and probably the health variable itself) is a float32.
In CE that is just "Float" (not 4 Bytes).

You could try CE's debugger. Once you have found the health and added it to the list, right-click it and choose "Find out what writes to this address".
You will most likely end up inside the "SetHealth" function then, and from there you might be able to backtrack to the function that only does it for the player, or just do a code injection there and check right there whether it's the player or not.

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
icodeproductions
How do I cheat?
Reputation: 0

Joined: 18 May 2013
Posts: 4

PostPosted: Mon May 20, 2013 11:46 am    Post subject: Reply with quote

Dark Byte wrote:
as you can see here:
Code:
 
call       instance void Health::SetHealth(float32)

That means that SetHealth (and probably the health variable itself) is a float32
In CE that is just "Float" (not 4 byte)

You could try CE's debugger. Once you have found the health and added it to the list rightclick it and choose "Find out what writes to this address"
You will most likely get inside the "SetHealth" function then, and from there you might be able to backtrack to the function that only does it for the player, or just do a code injection there and check right there if it's the player or not


Dark Byte, the health is encrypted; I can't seem to find the addresses by doing a float search. Please help.

_________________
learning to re....
Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25791
Location: The netherlands

PostPosted: Mon May 20, 2013 11:55 am    Post subject: Reply with quote

Check out Health::SetHealth and see how it's stored.
(Or else just try changed/unchanged scans.)

Also, I noticed this game is a multiplayer game, so I doubt it's possible to change your health (not on your computer)

Something else you could try is disabling the JIT and optimization using some kind of flag (e.g. a .ini with the same name as the assembly).

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
icodeproductions
How do I cheat?
Reputation: 0

Joined: 18 May 2013
Posts: 4

PostPosted: Mon May 20, 2013 12:23 pm    Post subject: Reply with quote

Dark Byte wrote:
Check out health::setHealth and check how it's stored.
(Or else just try changed/unchanged scans)

Also, I noticed this game is a multiplayer game, so I doubt it's possible to change your health (not on your computer)

something else you could try is disable the JIT and optimization using some kind of flag (e.g a .ini with the same name as the assembly)


public void SetHealth(float newHealth)
{
// Stores the result of UnityHelper.MemorySetter(newHealth, 0x61, 7) rather than
// newHealth itself, so the raw float is not what ends up in this.health.
// Presumably the game's value-obfuscation step (the thread reports that a plain
// float scan does not find the health) — confirm against UnityHelper.MemorySetter.
this.health = UnityHelper.MemorySetter(newHealth, 0x61, 7);
}



Code:
.method public hidebysig instance void  SetHealth(float32 newHealth) cil managed
// SIG: 20 01 01 0C
// Disassembly of Health::SetHealth: pushes this, newHealth, 97 (0x61) and 7,
// calls UnityHelper::MemorySetter(float32, int32, int32) and stores the returned
// float32 into the Health::health field.
{
  // Method begins at RVA 0x475d8
  // Code size       16 (0x10)
  .maxstack  8
  IL_0000:  /* 02   |                  */ ldarg.0
  IL_0001:  /* 03   |                  */ ldarg.1
  IL_0002:  /* 1F   | 61               */ ldc.i4.s   97
  IL_0004:  /* 1D   |                  */ ldc.i4.7
  IL_0005:  /* 28   | (06)0011CC       */ call       float32 UnityHelper::MemorySetter(float32,
                                                                                       int32,
                                                                                       int32)
  IL_000a:  /* 7D   | (04)000DF9       */ stfld      float32 Health::health
  IL_000f:  /* 2A   |                  */ ret
} // end of method Health::SetHealth




This is an AOB I found in a YouTube video, and it works:
d9 5e 24 83 ec 0c
change d8 5e 24 83 ec 0c

My health does not change when I get hit.
Everything is client-sided. I am having difficulty because I know I am way out of my depth; please analyze it.

_________________
learning to re....

 