Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
ESI is the address I need. How to port it to code?
AcidShout (How do I cheat?; Reputation: 0; Joined: 24 Nov 2013; Posts: 6)
Posted: Sun Nov 24, 2013 9:28 pm    Post subject: ESI is the address I need. How to port it to code?

----------------------------------

Last edited by AcidShout on Mon Jun 20, 2016 7:10 pm; edited 1 time in total
justa_dude (Grandmaster Cheater; Reputation: 23; Joined: 29 Jun 2010; Posts: 891)
Posted: Mon Nov 25, 2013 1:31 am

I don't understand your question. If you found that the address is xxxx2BFA, why do you need to modify registers?

Also, as a general rule, if you can't hack the game with CE you're unlikely to be able to write a hack for it in C++.
zm0d (Master Cheater; Reputation: 7; Joined: 06 Nov 2013; Posts: 423)
Posted: Mon Nov 25, 2013 9:49 am

justa_dude wrote:
Also, as a general rule, if you can't hack the game with CE you're unlikely to be able to write a hack for it in C++

That's true.

Anyway... try to find a static base pointer to that address or use code injection and write the content of ESI to some allocated memory to build your own static pointer...
AcidShout (How do I cheat?; Reputation: 0; Joined: 24 Nov 2013; Posts: 6)
Posted: Mon Nov 25, 2013 11:25 am

----------------------------------

Last edited by AcidShout on Mon Jun 20, 2016 7:10 pm; edited 1 time in total
justa_dude (Grandmaster Cheater; Reputation: 23; Joined: 29 Jun 2010; Posts: 891)
Posted: Mon Nov 25, 2013 3:54 pm

AcidShout wrote:
zm0d wrote:
try to find a static base pointer to that address or use code injection and write the content of ESI to some allocated memory to build your own static pointer...

Since I know the static address of the ASM instruction that contains ESI, I could hook a function and get ESI's value from C++.
Can I? Or it's impossible?


That's what she just suggested when she mentioned injection. The alternative is to use the pointer scanner to search for the string just like you would any other variable.
++METHOS (I post too much; Reputation: 92; Joined: 29 Oct 2010; Posts: 4197)
Posted: Mon Nov 25, 2013 4:05 pm

AcidShout wrote:
I mean that I have an address that changes every time I open the game.
-Do the tutorial. Learn how to use the pointer scanner. Learn how to use code injection. You do not need C++.
zm0d (Master Cheater; Reputation: 7; Joined: 06 Nov 2013; Posts: 423)
Posted: Mon Nov 25, 2013 4:26 pm

justa_dude wrote:
That's what she just suggested when she mentioned injection.

I really lol'ed about this hard :D :D Just because I've got Hello Kitty as my picture, I'm not a woman! :D :D :D :D I just like this cute little kitty :D *shame* AND I'M NOT GAY!!! :D

AcidShout wrote:
Or it's impossible?

Impossible... this word is so strange in informatics..

AcidShout wrote:
I don't understand it, could you please explain it?

Of course I can :) If you're not able to find such a static base pointer with the help of CE (this is very rare), you can "build" your own pointer with code injection. By this point you should have done the CE built-in tutorial (without cheating // haha I'm so freakin' funny :D).
With C/C++ you can use the function VirtualAlloc, or if you are not inside the game's process (injected DLL) VirtualAllocEx, to reserve some beautiful memory in the game's virtual address space. When you've done that, you get back a pointer to your newly allocated memory, which you're going to use for your purpose (called a CodeCave). Then you use WriteProcessMemory(...) to overwrite your mov al,[esi] with a JMP yourCodeCaveAddr. There you are able to save your ESI address to another address (something like this: MOV [CodeCaveAddr+20], esi). Now you have to restore your overwritten asm code after the mov command and jmp back to the source you came from.

So you've built your own base pointer, because your interesting address is always at CodeCaveAddr+20 :) Note that you'll usually have to fix this if the game gets updated.
justa_dude (Grandmaster Cheater; Reputation: 23; Joined: 29 Jun 2010; Posts: 891)
Posted: Tue Nov 26, 2013 4:47 am

zm0d wrote:
justa_dude wrote:
That's what she just suggested when she mentioned injection.

I really lol'ed about this hard :D :D just because I've Hello Kitty as picture, I'm not a woman! :D :D :D :D I just like this cute little kitty :D *shame* AND I'M NOT GAY!!! :D

Please accept my apologies and thank you for having good humor about it.
zm0d (Master Cheater; Reputation: 7; Joined: 06 Nov 2013; Posts: 423)
Posted: Tue Nov 26, 2013 6:02 am

justa_dude wrote:

Please accept my apologies and thank you for having good humor about it.

Wow, you're really polite :) and that on the WWW :o
really seldom :P

You can't insult me this way :D :D It was just funny and let me start the evening with a huge smile :D

Sorry for offtopic, just had to say this Smile
SteveAndrew (Master Cheater; Reputation: 30; Joined: 02 Sep 2012; Posts: 323)
Posted: Tue Nov 26, 2013 11:01 am

Hello AcidShout! Well you didn't provide enough info to give an example script for your particular game (didn't include the address to hook + at least 5 bytes worth of code)

However that's okay I'll show you a couple examples from another game so you get the idea...

First I want you to make sure that your address that you're going to use as a place to easily 'grab' this pointer from is actually a good place to get it from. Make sure no other addresses are being accessed by that code! ('mov al,[esi]' which is copying a byte from the address pointed to by ESI into al as you're probably aware)

Right click on that instruction and choose 'Find what addresses this instruction accesses'. Go in game and do whatever is related to your address to get the code to execute, then go back and look at the window that popped up! If only 1 address is listed, continue; if there is more than one (usually very many if that's the case) you'll have to figure out how to filter down to your address of interest or find somewhere else to hook! (which only your 1 address passes through)

If all is good then examine how you want to hook the address at which your 'mov al,[esi]' instruction (the one you've found to affect your value) is located!

The 'mov al,[esi]' instruction is only 2 bytes in size, so we're going to need a little more than that for our 5 byte 'jmp' hook.

So here's an example: I searched for that instruction in my game (knowing that it's common) to come up with a similar example!



Your code in your game around this instruction will be different, but you can hook it in the same way as the following two examples... Looking at the image, how would you hook it / which address would you hook?

In the first example, I decided it's nicer to hook the previous address rather than that one and the next, since our 5 byte jmp hook will fit in nicely. Not only that, doing it this way also makes it a little easier to update if the game updates, since you have fewer variables (things that will change) in your code (you'll see what I mean with the second example).
Code:

[enable]
alloc(GetAcidShoutString,1024)
label(AcidShoutStringPointer)
label(ReturnHere)
registersymbol(AcidShoutStringPointer)

GetAcidShoutString:
mov esi,[ebp+8] //original/overwritten code
mov al,[esi]    //original/overwritten code
mov [AcidShoutStringPointer],esi //save ESI: this cell is our own 'static' pointer
jmp ReturnHere

AcidShoutStringPointer: //storage for the saved pointer, inside the allocated block
dd 0

AC4BFSP.exe+78c4:
jmp GetAcidShoutString //E9 XX XX XX XX //5 bytes
ReturnHere:

[disable]

AC4BFSP.exe+78c4:
mov esi,[ebp+8]
mov al,[esi]
//db 8b 75 08 8a 06 //5 bytes

dealloc(GetAcidShoutString)
unregistersymbol(AcidShoutStringPointer)


And version two, which I wrote just to demonstrate how hooking typically works: it hooks the address of the instruction 'mov al,[esi]' itself rather than the previous one, so it contains said variables, namely '[AC4BFSP.exe+24603d0]'. In any case, since 7 bytes were overwritten rather than a perfect 5, we needed 2 nops to 'cover' what we overwrote with safe bytes.
Code:

[enable]
alloc(GetAcidShoutStringV2,1024)
label(AcidShoutStringPointer)
label(ReturnHere)
registersymbol(AcidShoutStringPointer)

GetAcidShoutStringV2:
mov al,[esi]    //original/overwritten code
mov byte [AC4BFSP.exe+24603d0],al //original/overwritten code
mov [AcidShoutStringPointer],esi //save ESI: this cell is our own 'static' pointer
jmp ReturnHere

AcidShoutStringPointer: //storage for the saved pointer, inside the allocated block
dd 0

AC4BFSP.exe+78c7:
jmp GetAcidShoutStringV2 //E9 XX XX XX XX //5 bytes
db 90 90 //nopping next two bytes == 7 bytes now
ReturnHere:

[disable]

AC4BFSP.exe+78c7:
mov al,[esi]
mov byte [AC4BFSP.exe+24603d0],al
//db 8a 06 a2 d0 03 86 02 //7 bytes

dealloc(GetAcidShoutStringV2)
unregistersymbol(AcidShoutStringPointer)



And now if that doesn't work, as justa_dude mentioned, then converting it to C++ style isn't going to help at all! However if it does work then this would be equivalent to the first example, but in C++ code...

Code:

#include <Windows.h>
#include <string.h>

DWORD WINAPI MainThread(LPVOID lpParam);

HINSTANCE hInst;

BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD Reason, LPVOID lpReserved)
{
   if(Reason == DLL_PROCESS_ATTACH)
   {
      hInst = hInstance;
      HANDLE hThread = CreateThread(0, 0, MainThread, 0, 0, 0);
      if(hThread) CloseHandle(hThread); //we only need the thread, not the handle
   }
   else if(Reason == DLL_PROCESS_DETACH)
   {
   }

   return TRUE;
}

//32-bit (x86) only: the naked __asm hook below does not build for x64
DWORD AcidShoutStringHookAddressRVA = 0x78c4; //AC4BFSP.exe+78c4, same spot as the first AA script
DWORD AcidShoutStringHookAddress;
DWORD AcidShoutStringHookReturn;
volatile char *pAcidShoutString = 0; //initialize this one! volatile: the hook writes it, MainThread polls it
void _declspec(naked) GetAcidShoutString()
{
   __asm
   {
      mov esi,[ebp+0x8]          //original/overwritten code
      mov al,[esi]               //original/overwritten code
      mov [pAcidShoutString],esi //save ESI: our own 'static' pointer
      jmp [AcidShoutStringHookReturn]
   }
}

DWORD WINAPI MainThread(LPVOID lpParam)
{
   AcidShoutStringHookAddress = (DWORD)GetModuleHandle(0) + AcidShoutStringHookAddressRVA;
   AcidShoutStringHookReturn = AcidShoutStringHookAddress + 5; //the two overwritten instructions are exactly 5 bytes

   DWORD OldProtection;
   VirtualProtect((void*)AcidShoutStringHookAddress, 5, PAGE_EXECUTE_READWRITE, &OldProtection);

   *(BYTE*)AcidShoutStringHookAddress = 0xE9; //JMP rel32
   *(DWORD*)(AcidShoutStringHookAddress + 1) = (((DWORD)GetAcidShoutString - AcidShoutStringHookAddress) - 5); //relative to the end of the 5-byte jmp

   VirtualProtect((void*)AcidShoutStringHookAddress, 5, OldProtection, &OldProtection);
   FlushInstructionCache(GetCurrentProcess(), (void*)AcidShoutStringHookAddress, 5);

   while (pAcidShoutString == 0) Sleep(10); //wait until the game runs the hooked code once

   const char *WriteThisString = "NoName";
   size_t Len = strlen(WriteThisString) + 1; //+1 for copying null terminator too

   VirtualProtect((void*)pAcidShoutString, Len, PAGE_EXECUTE_READWRITE, &OldProtection);
   memcpy((char*)pAcidShoutString, WriteThisString, Len);
   VirtualProtect((void*)pAcidShoutString, Len, OldProtection, &OldProtection);

   return 0;
}


Now I haven't actually tested this out, just wrote it up, but if I remember correctly that's enough to make it work! Don't forget the VirtualProtects to allow you to write to the memory! (else it'll crash) They might not always be needed, but usually they are, so best to just stick with them! :)

In this quick example, upon injecting, the memory must be ready to be hooked. Once hooked it will wait until it receives the pointer of interest (which seems to be an in-game name pointer or such) and then writes 'NoName' to it! (as non-unicode; if it happens to be unicode then you'll have to change the code a little)

That should help! :D

AcidShout (How do I cheat?; Reputation: 0; Joined: 24 Nov 2013; Posts: 6)
Posted: Tue Nov 26, 2013 2:19 pm

----------------------------------

Last edited by AcidShout on Mon Jun 20, 2016 7:10 pm; edited 1 time in total
++METHOS (I post too much; Reputation: 92; Joined: 29 Oct 2010; Posts: 4197)
Posted: Tue Nov 26, 2013 2:23 pm

AcidShout wrote:
++METHOS wrote:
AcidShout wrote:
I mean that I have an address that changes every time I open the game.
-Do the tutorial. Learn how to use the pointer scanner. Learn how to use code injection. You do not need C++.

Well, I do need C++ because I want to make a .dll so I don't need to be scanning every time I want to modify that
-You do not need C++ to do that. You can create an auto-assembly script that will apply the changes every time.
atom0s (Moderator; Reputation: 199; Joined: 25 Jan 2006; Posts: 8518; Location: 127.0.0.1)
Posted: Tue Nov 26, 2013 2:28 pm

AcidShout wrote:
Why do you subtract the original instruction address?

Isn't my hook function address enough?


Jumps/calls are calculated. They are not direct address constants. You have to calculate the distance between the call location and the function you are calling to create the offset.

AcidShout wrote:
Also, why sleep(10) in a while?


Without it, your loop will consume 100% CPU.

AcidShout wrote:
Also, why memcpy, and not *(type*) something = another?


You can use either in an injected DLL.

_________________
- Retired.
SteveAndrew (Master Cheater; Reputation: 30; Joined: 02 Sep 2012; Posts: 323)
Posted: Tue Nov 26, 2013 3:55 pm

AcidShout wrote:


Code:
(DWORD)GetAcidShoutString - AcidShoutStringHookAddress

Why do you subtract the original instruction address?
Isn't my hook function address enough?
Also, why sleep(10) in a while?
Also, why memcpy, and not *(type*) something = another?


Wiccaan explained those well, but I'll add that if you want you can use this macro (probably well known :D):
'#define jmp(frm, to) (int)(((int)to - (int)frm) - 5)' defined at the top or in your header file (if you use one).

Then you could change this line:
Code:

*(DWORD*)(AcidShoutStringHookAddress + 1) = (((DWORD)GetAcidShoutString - AcidShoutStringHookAddress) - 5);


Into:
Code:

*(DWORD*)(AcidShoutStringHookAddress + 1) = jmp(AcidShoutStringHookAddress, GetAcidShoutString);


To visualize it a bit easier perhaps... We're jumping from the hook address to our hook code, the offset between them is the distance to jump.

I did memcpy here:
Code:

char *WriteThisString = "NoName";
   memcpy(pAcidShoutString, WriteThisString, (strlen(WriteThisString) + 1));


Because from memory I didn't think you could just write to a string directly (it's a raw character array [not an std::string]). I could be wrong though, I haven't tried it in a while. (maybe it's only if it was a const char * that it can't be modified like that)

Any other kind of data though I would directly write to usually!

P.S. If you really want, you can actually give a definite address to jump to rather than a relative offset, by using the 'push+ret' method ;)

NOTE: This will take up 6 bytes for your jump to your hook code rather than five with a regular long jump! So keep that in mind, it can be more inconvenient to use than a regular jump most of the time!

Code:

*(BYTE*)AcidShoutStringHookAddress = 0x68; //PUSH XX XX XX XX (absolute address, not an offset)
*(DWORD*)(AcidShoutStringHookAddress + 1) = (DWORD)GetAcidShoutString; // hehe
*(BYTE*)(AcidShoutStringHookAddress + 5) = 0xC3; //RET

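The byte-level mechanics that zm0d, atom0s and SteveAndrew describe above (a code cave that stores ESI into a fixed cell, the rel32 of an E9 jmp measured from the end of the 5-byte instruction, the push+ret alternative, and NOP-padding when more than 5 bytes are stolen), worked through as an added example. This is not code from the thread or from Cheat Engine: it only produces the patch bytes and never touches a live process, so it runs anywhere. The hook address and the seven original bytes are the ones SteveAndrew posted (AC4BFSP.exe+78c7, with an image base assumed to be 0x00400000); the cave address 0x10000000 and the pointer cell at cave+0x20 are made-up stand-ins for what VirtualAlloc would return.

```c
/* Added example, not code from the thread: encode the 5-byte "jmp rel32"
 * detour, the 6-byte "push imm32 / ret" alternative, and the code cave
 * (stolen bytes + "mov [cell],esi" + jmp back) that turns ESI into a
 * static pointer.  Only bytes are produced; nothing here writes to a process.
 * Constructed inputs: hook = AC4BFSP.exe+78c7 with an assumed image base of
 * 0x00400000, the 7 original bytes posted in the thread, and a made-up cave
 * address 0x10000000 standing in for VirtualAlloc's return value. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define JMP_REL32_LEN 5   /* E9 rel32 */
#define PUSH_RET_LEN  6   /* 68 imm32 ; C3 */

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* jmp rel32 placed at 'from', landing on 'to'.  The CPU adds rel32 to the
 * address of the *next* instruction, which is why the thread's macro
 * subtracts 5.  Returns 0 when the displacement does not fit in a signed
 * 32 bits (only possible in a 64-bit process; 32-bit always fits). */
int encode_jmp_rel32(uint64_t from, uint64_t to, uint8_t out[JMP_REL32_LEN]) {
    int64_t disp = (int64_t)(to - (from + JMP_REL32_LEN));
    if (disp < INT32_MIN || disp > INT32_MAX) return 0;
    out[0] = 0xE9;
    put_le32(out + 1, (uint32_t)(int32_t)disp);
    return 1;
}

/* Inverse: where does the E9 jump stored at 'at' land? */
uint64_t decode_jmp_rel32(uint64_t at, const uint8_t code[JMP_REL32_LEN]) {
    int32_t disp = (int32_t)get_le32(code + 1);
    return at + JMP_REL32_LEN + (uint64_t)(int64_t)disp;
}

/* push imm32 / ret: an absolute jump, one byte longer, 32-bit targets only. */
int encode_push_ret(uint64_t to, uint8_t out[PUSH_RET_LEN]) {
    if (to > 0xFFFFFFFFu) return 0;
    out[0] = 0x68;
    put_le32(out + 1, (uint32_t)to);
    out[5] = 0xC3;
    return 1;
}

/* Both halves of the detour.  patch[] receives orig_len bytes to write over
 * the hooked instructions: jmp cave, NOP-padded.  cave_code[] (at least
 * orig_len+11 bytes) receives the cave: the stolen instructions, then
 * "mov [cell],esi" (89 35 disp32), then jmp back to hook+orig_len.
 * Returns the cave length, or 0 if fewer than 5 bytes are stolen (the
 * thread's "mov al,[esi]" alone is only 2) or a jmp is out of range.
 * The stolen bytes must be whole instructions with no relative operands or
 * branches, because they execute from a different address in the cave. */
size_t build_detour(uint64_t hook, uint64_t cave, uint32_t cell,
                    const uint8_t *orig, size_t orig_len,
                    uint8_t *patch, uint8_t *cave_code) {
    size_t n;
    if (orig_len < JMP_REL32_LEN) return 0;
    if (!encode_jmp_rel32(hook, cave, patch)) return 0;
    memset(patch + JMP_REL32_LEN, 0x90, orig_len - JMP_REL32_LEN); /* NOP pad */

    memcpy(cave_code, orig, orig_len);              /* relocated original code */
    n = orig_len;
    cave_code[n++] = 0x89; cave_code[n++] = 0x35;   /* mov [disp32],esi */
    put_le32(cave_code + n, cell); n += 4;
    if (!encode_jmp_rel32(cave + n, hook + orig_len, cave_code + n)) return 0;
    return n + JMP_REL32_LEN;
}

int main(void) {
    /* AC4BFSP.exe+78c7: mov al,[esi] ; mov [AC4BFSP.exe+24603d0],al (7 bytes, from the thread) */
    const uint8_t orig[] = {0x8a, 0x06, 0xa2, 0xd0, 0x03, 0x86, 0x02};
    const uint64_t hook = 0x00400000u + 0x78c7u;    /* assumed image base */
    const uint64_t cave = 0x10000000u;              /* made-up alloc address */
    uint8_t patch[sizeof orig], cave_code[64];
    size_t i, n = build_detour(hook, cave, (uint32_t)cave + 0x20,
                               orig, sizeof orig, patch, cave_code);

    printf("patch @%08llx:", (unsigned long long)hook);
    for (i = 0; i < sizeof orig; i++) printf(" %02x", patch[i]);
    printf("\ncave  @%08llx:", (unsigned long long)cave);
    for (i = 0; i < n; i++) printf(" %02x", cave_code[i]);
    printf("\nstatic pointer cell: %08x\n", (uint32_t)cave + 0x20);
    return 0;
}
```

Two things the thread only hints at show up directly here: build_detour refuses to hook fewer than 5 bytes, which is why SteveAndrew moves the hook to a neighbouring instruction rather than patching 'mov al,[esi]' alone, and encode_jmp_rel32 can fail in a 64-bit process when the cave is more than 2 GiB away from the hook, a case that does not arise in the 32-bit game discussed but that Cheat Engine's auto assembler handles for you by allocating near the module.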
AcidShout (How do I cheat?; Reputation: 0; Joined: 24 Nov 2013; Posts: 6)
Posted: Tue Nov 26, 2013 5:14 pm

Thanks Wiccaan and SteveAndrew.

I made my DLL, but I have a problem: it crashes my game.
This is the code:
(image: //puu.sh/5uc0x.png)
ptrName contains right address.
I know it, because I used MessageBoxA() to show the address, and it's the correct.
I need to patch 15 bytes next to that address to AF