Cheat Engine

[QnD]

I am working on a game where the mem area that stores the stats I want to adjust changes for every level. I found an Asm routine that I can use as a static searchable reference.

I am trying to write a script that determines the address the Asm routine writes to. I used asmRoutine=AOBScan("xx xx xx xx") to find the assembly routine. I need to find a way via LUA to figure out the address that it writes to and store that in a var. The address I need to find is also contained in register EDX when Asm funct is called (or at end (not sure))

This is how I do it in CE manually :
I find my Asm code block and add it to the "Code List".
I rightclick on the Asm code label and select "find out what address this writes to".
This hooks the debugger to that routine and returns an address when code is run (usually the next action in the game).

Any help would be greatly appreciated

[daspamer]

Edit:
Forgot to mention, If you don't want to do the thing I did below (I use it for flash games or browser games, basically games that cannot have a static pointer), and your game is an PC game (not browser/flash).
You could just use Pointers..?

Why not doing code injection? (Step 4 I think in C.E tutorial).
Create AoB of the ASM region.
then add to the script.

[QnD]

ThxDaspammer,
It is a FB flash game. I dont know if I can mention the name. I was thinking about code injection, but wanted to make it simple so my girl could use it. I also wanted to learn LUA a bit better and see what the debugger could do. Is there any way to set a breakpoint, once hit dump a register to the CE watch window as a pointer, and then unset the breakpoint ? I am sure I can google all of the other stuff as far as the general funct for keypresses to engage the code. I would assume polling for the current address of the Index pointer would bring everything to a crawl...

As far as code injection goes if it is the only route you would suggest, I guess I could inject that addy, save registers move my reg (which is ptr to my stats page) to a static location, and then reload the regs....


what ever happened to the DSA interrupt I guess cracking with debug and int 3 days are gone LoL..

Since the pointer to the memory that stores the stats changes every level, I probably could have traced my calls up the chain and tried to nop out the part that changes that address, at the head of it all... but learning LUA and simplicity seems to be my target. My game cracking days are over since I haven't played in years !

The last real games I cracked were battle chess, and golden axe LoL !!! still have the actual patch in hex and offsets some where in a notebook

Thx in advance for your help... I definitely appreciate the input.

[daspamer]

If that game is like candy crush.
Post it, I'll send you an example.

[QnD]

Right on,
Its bubble witch. Hopefully candy crush keeps changing the location it stores its vars like BW does. Dynamically changing the data area is such a cheap way of crack aversion.
I havent mapped out all of the offsets, just the ones for rainbow balls and ball counts and such.. I figured I would map after I had a plan of attack...


edit:
aobresult=AOBScan("89 42 44 8D 89 48 19 00 00 8D 55 F0") //mov [edx+44],eax

^^ is the last asm sub that writes to the data page. EDX points to the data page.


Not used to tools LoL...

Kinda miss the oldskool ways..

latching on to interrupts to go back in to txt mode so you could see the debug prompt n such...

Even asm got soooo bloated over the years. I dont understand why you need a set of ten opcodes that all do just about the same thing.

Very much appreciated !!!

[daspamer]

So why not to do

[QnD]

Will load up n try. Sorry if I seem a bit outdated. I was alot more comfortable in just plain ol asm (via debug) which didnt allow for labels... it was just straight up asm in which mem mapping was all manual and lables only existed in structured assembly language...

Getting used to LUA so I can get up to speed is something I want to tackle !
I miss actual game cracking and all the cool evasion techniques that make an app behave differently in a debugger environment. I would assume that this case can now be buried since actually latching on to resources is now a possibility. Even related calls to other resources can be bounces off of ... kinda like heap / stack overflow techniques when writing shellcode (for a dynamic OS like windowze(well the inbetween between nop sledge and bouncing off a static sys resource to gain your footing as far as a static and addressable spot on the stage)).

I definitely appreciate the time you took putting things in basic terms for me ! I guess some of the oldskool morals still survived over the years !

will post results..


Thanks DaSpammer !!!

[daspamer]

This is not LUA script,
You don't need to use LUA.
It's auto assembler script.

[QnD]

New EDIT again:
OK here is what I have. I can now reference a symbol that contains a pointer. So static foothold is achieved. Wrapped and dropped to table done.

Just need final touch....
See below.

Code:
autoAssemble([[alloc(newmem,2048)
alloc(myArea,16)
registersymbol(myArea)
label(returnhere)
label(originalcode)
label(exit)
aobscan(_Address,89 42 44 8D 89 48 19 00 00 8D 55 F0)


newmem: //this is allocated memory, you have read,write,execute access
//place your code here
mov [myArea],edx

originalcode:
mov [edx+44],eax
lea ecx,[ecx+00001948]

exit:
jmp returnhere

_Address:
jmp newmem
nop
nop
nop
nop
returnhere:]])

Record = getAddressList().createMemoryRecord()
Record.Address="myArea"
Record.OffsetCount=1
Record.Offset[0]=0x44
Record.Type=vtByte
memoryrecord_setDescription(Record,"Balls")

Record1=getAddressList().createMemoryRecord()
Record1.Address="myArea"
Record1.OffsetCount=1
Record1.Offset[0]=0x2C
Record1.Type=vtByte
memoryrecord_setDescription(Record1,"Color")

Record2=getAddressList().createMemoryRecord()
Record2.Address="myArea"
Record2.OffsetCount=1
Record2.Offset[0]=0x5C
Record2.Type=vtByte
memoryrecord_setDescription(Record2,"Rainbow")


Now here is where I am stuck....
Used AA in LUA to finish the job.
I want to do the following

LUA Script:
1 run my Lua script on keypress (or whatever) while keeping CE open
2 nop
3 smoke a cigarette or 2