Cheat Engine forum: Game reads my aobscan?

lp0 (Advanced Cheater)
Posted: Fri Aug 02, 2013 4:34 pm    Post subject: Game reads my aobscan?
This is more of just making sure I am not insane as I have a basic/general understanding of how these things work, but as with all complicated technical topics the rabbit hole goes very deep.
Anyway .. to the point. I'm not looking for anyone to hold my hand, just to sort of point me in the right direction about what may or may not be going on here, and possibly validating or invalidating my current theory.
I'm messing around with a certain game, writing an assembler script using aobscan, and the first time you run it, it works fine - however, after that, the game appears to load the byte pattern being scanned for into a separate (but always earlier) memory location so that if the script is run again, it injects into the new earlier point rather than the later point for the routine the game actually uses.
First, is this possible or am I making something out of this that it is not?
Second, if it is possible, can I get around this?
I've thought that when I mess with it next time I will inject to a different routine in memory, but that sort of begs the question that the game might just trap that and any code injection I do.
If it helps, as far as I can tell the game is built on Mono/Unity.

Gniarf (Grandmaster Cheater Supreme)
Posted: Fri Aug 02, 2013 5:50 pm    Post subject: Re: Game reads my aobscan?
lp0 wrote: "First, is this possible or am I making something out of this that it is not?"

At the very least I doubt the game knows what aob you scanned for, but it may know what bytes were changed. It is possible that the game has integrity checks and tries to rebuild modified code, but I've never met/heard of such protection yet. So with the limited knowledge I currently have, I'm on the "[you're] making something out of this that it is not" side. Perhaps your aob signature is just too short/not "unique" enough. Also, did you check that the copy of your signature is really a dummy and not executed at some point?

lp0 wrote: "Second, if it is possible, can I get around this?"

Probably. If your theory were correct, then:
- 1st thing I'd try is to use an aob signature that does not cover the modified bytes.
- 2nd thing I'd try is to use the Lua aobscan that returns ALL instances of the found signature, and patch them all.
- 3rd thing, that I'd probably NOT try, is to use stealthedit so that the game does not detect that its code was modified.
And just in case: are you sure that the code you find on the 2nd script execution is not the code YOU previously injected (missing dealloc in the disable part) ?
_________________
DO NOT PM me if you want help on making/fixing/using a hack.

lp0 (Advanced Cheater)
Posted: Fri Aug 02, 2013 6:18 pm
I've written several scripts to test the theory as it were, and every time the first search is unique and works, and the second (and after) times the game always somehow produces another copy I never found before; and if I fiddle with it I can get it to generate a third copy, a fourth copy, so on and so forth.
The "new" code is sitting in the middle of memory, just surrounded by a whole set of push statements, with no difference; just a set of 30 of the same push statements, with the aobscan pattern inserted at some arbitrary point in that set.
I looked into stealthedit and sort of drew the same conclusion; I am more apt to do the Lua approach just to test the theory and try to trim the actual cause of it down.
The dealloc is there; now that I think about it, I will fiddle around with an offset jump instead of aobscan. If there is no aobscan and it is just a jump, and it works repeatedly then, I can sort of use that in conjunction with the Lua approach to say "yes, this is really what is happening."
Thanks.
edit: The offset jump does work repeatedly, every time; very strange. I'll move to Lua and overwrite all the results. In the event the Lua approach works, I will maybe put something up regarding the game and my findings so people can look at it; it's possible I am just being stupid.
edit 2: Turns out the game had updated several times behind my back, each time while I was doing testing. A run of bad luck; lesson learned, I suppose.

Gniarf (Grandmaster Cheater Supreme)
Posted: Fri Aug 02, 2013 9:18 pm
lp0 wrote: "Turns out the game had updated several times behind my back, each time while I was doing testing. A run of bad luck."

So you applied your hack, then later the game started updating itself, causing a copy of the function you hooked to be present in memory (as patch data). And out of bad luck, when you reapplied your hack, the AA aobscan always grabbed the patch data instead of the actual executed code. Is that what you meant?

lp0 (Advanced Cheater)
Posted: Fri Aug 02, 2013 9:32 pm
Gniarf wrote: "So you applied your hack, then later the game started updating itself, causing a copy of the function you hooked to be present in memory (as patch data). And out of bad luck when you reapplied your hack, the AA aobscan always grabbed the patch data instead of the actual executed code. Is that what you meant?"

Honestly, I am still a little fuzzy on the details; before I made the post, I was sure (as sure as you can be when dealing with these sorts of things) that I had ruled out all/most of the usual pitfalls. I wouldn't post if I thought it was just some stupid thing. Is the game updating while I'm messing around with it a stupid thing to fall prey to? Possibly; and I will just leave that hanging there.
What exactly was going on? I can't say with any absolute sense. What I basically did was this (I'm assuming, since you replied back, that the details interest you in some technical sense, as they do me).
Obviously: running the game, Cheat Engine, found values, dug up the pointers, and before I started doing the code injections, I noticed that the pointers would (sometimes) invalidate when I started the game; there was no real rhyme or reason, but it seemed that if I started the programs in a certain sequence the pointers I had found would not point to the values; they would just be lost in space, as the case might be. I eventually got tired of searching for pointers, and what I thought from there was this:
Who cares what the pointers are, find the routine modifying the values (in this case I never had to worry about shared data or IFF stuff) and just modify those, and then profit. So, I did that, overwrote the routines, and that's when I started seeing that whenever I enabled the script I would start finding multiple patterns of the AOB scans. And, whenever I made the assumption that the byte pattern was not long enough, I would modify the pattern and restart CE/the game; I would then see the exact same problem, even if I wrote an entirely new script the game would "match" the pattern I was searching for and it would appear in memory in an earlier location, foiling the assembler AOB scan.
After a little while, I gave up and made the post; I put the game down, watched some stupidity on YouTube, and when I checked back here and read your post, I figured "Ok, once more into the breach dear friends." I brought the game back up, and found that 2 or 3 (documented) patches had been put out today; that led me to the conclusion that maybe I was somehow being clobbered by those patches, so I went back into the game, rewrote the scripts and checked the patterns just to be sure, and now everything works like it should.
So, I don't know - with the general knowledge I have of these topics, I find it hard to believe the initial premise of this thread, which is why I sort of threw in the possibility of "I might just be stupid." It's possible I was just being stupid, and that being said, if I am not being stupid then I still cannot explain the results I was seeing as there is literally no difference between the scripts I am applying now and the scripts I wrote earlier (as per a linux diff command).

Gniarf (Grandmaster Cheater Supreme)
Posted: Sat Aug 03, 2013 3:56 am
I would have had a lot of wtf? on my head too after your experiments.
Now that the script works, are you sure that there is no copy of the code in memory (which, this time, would luckily be in higher memory than the executed code)?
Thinking again about it, you said earlier that the copied code was surrounded by push statements. I take it the game copies the whole function, so maybe you could have included some of the inter-function padding in your aob (still, you probably already thought about this, so what's wrong with it?).

Dark Byte (Site Admin)
Posted: Sat Aug 03, 2013 4:46 am
mono is an emulator. This means it takes the original native code and, when a function is executed for the first time, converts it to code the system accepts, and might eventually free that runtime-generated code if you're low on memory and it hasn't been executed in a while.
If there is a memory leak of some sort, where it forgets to free or clean previously allocated memory, the old runtime-generated code will still be in memory.
The best way to get around this problem is just to edit every occurrence of the aob you find.
Also, mono exports some functions you may be able to call to get the address of a specific method. And if not, https://github.com/Unity-Technologies contains the mono source code for Unity, so you may even add that export yourself (or build it so it auto-generates the code immediately and never frees it).
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping
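The "patch every occurrence" approach that Gniarf (Lua aobscan returning all instances) and Dark Byte (edit every occurrence of the aob) both recommend, written out as an added example in Cheat Engine's Lua; this is not code from the thread or from Cheat Engine itself. The signature, the offset of the instruction inside it, and the patch bytes are hypothetical placeholders. It uses the Cheat Engine Lua functions AOBScan, readBytes and writeBytes, keeps the original bytes per address so a disable pass can restore them, and skips addresses it has already patched so a re-run does not mistake its own write for a "new" copy of the routine (Gniarf's missing-dealloc concern). The "+X" protection filter restricts the scan to executable pages, which drops copies that only exist as non-executable data; JIT-compiled mono code is itself executable, so the stale JIT copies Dark Byte describes will still be found and patched, which is the intent. Writing into a game's pending patch data is not harmless in general, so check what each hit is before relying on this in anything but a test.

```lua
-- Added example (not from the thread): patch every copy of a byte signature
-- instead of the first hit the auto assembler's aobscan happens to pick.
-- All three values below are hypothetical placeholders for a real target.
local signature   = "8B 45 08 29 45 0C"   -- hypothetical: mov eax,[ebp+08] / sub [ebp+0C],eax
local patchOffset = 3                     -- byte offset of the 'sub' inside the signature
local patchBytes  = {0x90, 0x90, 0x90}    -- NOP out the 3-byte 'sub'

-- Original bytes keyed by patched address. Lets the disable path restore them,
-- and lets a second enable skip bytes we wrote ourselves instead of re-saving
-- (and re-reporting) our own modification as a fresh copy of the routine.
savedBytes = {}

-- Scan, patch each unpatched hit, and return how many copies were patched.
function patchAllHits()
  -- "+X": only pages with execute permission. Data-only copies drop out;
  -- JIT'd mono code is executable and is still returned.
  local hits = AOBScan(signature, "+X")   -- StringList of hex addresses, or nil
  if hits == nil then
    print("signature not found")
    return 0
  end

  local patched = 0
  for i = 0, hits.Count - 1 do
    local addr = tonumber(hits[i], 16) + patchOffset
    if savedBytes[addr] == nil then
      savedBytes[addr] = readBytes(addr, #patchBytes, true)  -- table of bytes
      writeBytes(addr, patchBytes)
      print(string.format("patched copy at %X", addr))
      patched = patched + 1
    end
  end
  hits.destroy()
  return patched
end

-- Disable path: put every patched location back exactly as it was.
function restoreAllHits()
  for addr, bytes in pairs(savedBytes) do
    writeBytes(addr, bytes)
  end
  savedBytes = {}
end

-- Usage from the Lua engine window: patchAllHits() to enable, restoreAllHits() to disable.
```

Run patchAllHits() once per enable; the printed address list is also the quickest way to see how many copies of the routine exist at that moment, which is the check Gniarf asked for in the posts above.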