Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Help needed with a 'dynamic' register X3: Albion Prelude 3.1
Codcat
Advanced Cheater
Reputation: 0

Joined: 21 Aug 2007
Posts: 62

Posted: Sat Jan 25, 2014 2:50 am

NP, thanks for looking at it, I don't expect any help from you :P

If you do find time to pursue it you can ask me more questions via email [email protected] or add me to steam using the same email address if you have a steam account.

I don't have high enough rank to PM anyone yet.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sat Jan 25, 2014 4:17 pm

This has not been thoroughly tested, but it should give you some idea:


Attachment: X3AP.CT (3.23 KB, downloaded 844 times)

Codcat
Advanced Cheater
Reputation: 0

Joined: 21 Aug 2007
Posts: 62

Posted: Sun Jan 26, 2014 1:44 am

Thanks, I've taken a look at your shield capacity script, but it crashes my game if I enable it.

The code looks good and the aobscans are correct. The only thing I can think of that is causing it is the filter; it's probably creating a loop, causing Windows to crash the application. I'll have a further look at the compares and try and find alternatives.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sun Jan 26, 2014 1:52 am

It shouldn't be crashing. There are no loops. It's possible that too many addresses are getting through. I would be surprised if that is the case, but I don't know what else it could be.

Be sure to close the game and start new. Make sure nothing else is turned on or interfering with the script etc., and make sure you save the table to your computer before you run it.

You should be able to dissect data structures on the address to see what is causing the problem.

I tested it on a handful of different levels, all with different shield/shield capacities, and I had no problems. I did notice that it crashed when I tried to load a different level, but that's not surprising at all.

You can test by doing this (see comments):

Code:

[ENABLE]
aobscan(aob2,8B 4F 01 89 4E 01 8B C6)
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(shieldcap)
registersymbol(aob2)
registersymbol(shieldcap)

newmem:
cmp [edi+FA],0000001C
jne originalcode
cmp [edi+F6],0000001B
jne originalcode
cmp [edi+FE],0000001D
jne originalcode
mov [shieldcap],edi      ///////////////////////remove this
mov ecx,[edi+01]         ///////////////////////enable script and follow to this location; right-click on this instruction to see what addresses it accesses
mov [esi+01],ecx
jmp returnhere

originalcode:
mov ecx,[edi+01]
mov [esi+01],ecx
jmp returnhere

shieldcap:
dd 0

aob2:
jmp newmem
nop
returnhere:

[DISABLE]
dealloc(newmem)
aob2:
db 8B 4F 01 89 4E 01

//"X3AP.exe"+A5CD7:
//mov ecx,[edi+01]
//mov [esi+01],ecx

//Alt: db 8B 4F 01 89 4E 01

unregistersymbol(aob2)
unregistersymbol(shieldcap)
Codcat
Advanced Cheater
Reputation: 0

Joined: 21 Aug 2007
Posts: 62

Posted: Sun Jan 26, 2014 2:38 am

I disabled that line as you suggested but the game still crashes immediately when turning it on.
Is alloc(newmem,2048) enough for this script? I assume CE would give an error if you didn't allocate enough?

I'll keep playing around with it to see if I can get it working.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sun Jan 26, 2014 2:46 am

Add this script to your table and enable it to see if it crashes:

Code:
[ENABLE]
aobscan(aob2,8B 4F 01 89 4E 01 8B C6)
alloc(newmem,2048)
label(returnhere)
label(originalcode)
registersymbol(aob2)

newmem:

originalcode:
mov ecx,[edi+01]
mov [esi+01],ecx
jmp returnhere

aob2:
jmp newmem
nop
returnhere:

[DISABLE]
dealloc(newmem)
aob2:
db 8B 4F 01 89 4E 01

//"X3AP.exe"+A5CD7:
//mov ecx,[edi+01]
//mov [esi+01],ecx

//Alt: db 8B 4F 01 89 4E 01

unregistersymbol(aob2)
Codcat
Advanced Cheater
Reputation: 0

Joined: 21 Aug 2007
Posts: 62

Posted: Sun Jan 26, 2014 2:50 am

No, that script didn't crash it.

I had already removed all the compare lines and jumps in your original just to see what was causing it, and that also stopped it from crashing.

EDIT: Removed the jumps and compares under newmem:, that is. Basically it was just executing the original code.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sun Jan 26, 2014 2:58 am

The next thing to do, then, is see what has changed in the structure. You need to find the shield capacity value again and dissect data structures on it. Look at the offsets and values that we are using for the compare:

cmp [edi+FA],0000001C

cmp [edi+F6],0000001B

cmp [edi+FE],0000001D

It is possible that one or more of these offsets is now being used for a pointer or something. Look at offsets +FA, +F6 and +FE. You should quickly be able to determine what is causing the problem. Change the first 100 or so offsets to be 4 byte (hex) and look for a similar pattern to what we have above. Unfortunately, you may have to shift bytes to see them.

Regardless, you should be able to construct your own set of compares as I have done above. I know it works, you just have to find a couple of values that you can rely on.
Codcat
Advanced Cheater
Reputation: 0

Joined: 21 Aug 2007
Posts: 62

Posted: Sun Jan 26, 2014 3:02 am

I just got it to work using a single filter, maybe it didn't like having 3 there?

Here are the changes:
Code:
[ENABLE]
aobscan(aob2,8B 4F 01 89 4E 01 8B C6)
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(shieldcap)
registersymbol(aob2)
registersymbol(shieldcap)

newmem:
cmp [edi+05],0000E6001
jne originalcode
//cmp [edi+F6],0000001B
//jne originalcode
//cmp [edi+FE],0000001D
//jne originalcode
mov [shieldcap],edi
mov ecx,[edi+01]
mov [esi+01],ecx
jmp returnhere

originalcode:
mov ecx,[edi+01]
mov [esi+01],ecx
jmp returnhere

shieldcap:
dd 0

aob2:
jmp newmem
nop
returnhere:

[DISABLE]
dealloc(newmem)
aob2:
db 8B 4F 01 89 4E 01

//"X3AP.exe"+A5CD7:
//mov ecx,[edi+01]
//mov [esi+01],ecx

//Alt: db 8B 4F 01 89 4E 01

unregistersymbol(aob2)
unregistersymbol(shieldcap)


Now I need to make a mega script to include all of the pointers I need :P I'll use the same method you've done.

Thank you.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sun Jan 26, 2014 3:05 am (This post has 1 review(s))

Just to be sure, you should enable the script and follow the jump to the location of your code cave and right-click on the filtered address (or set a breakpoint) to see if you are really only accessing the 1 address for shield capacity. Play the game for a minute to see if any addresses populate or differ from your shield cap address.

If you're good to go, great... if not, you'll get it in due time. :D

Let me know if you need any more help. I will probably remove this game from my computer soon.
Codcat
Advanced Cheater
Reputation: 0

Joined: 21 Aug 2007
Posts: 62

Posted: Sun Jan 26, 2014 3:41 am

I'm not sure why, but when I have the pointer script enabled for more than several seconds the game will crash... as it did with your original script, but after a delay.
It's usable, but only if I toggle it on and off again before the game crashes; not an ideal solution.

I wonder if it's something to do with the code or constraints; maybe the jumps are causing a memory leak. Or maybe I'm even using the wrong operands? For example jump near/jump far, or jnz instead of jne. I don't know a lot about ASM debugging :P

Anyway just letting you know. There's no need to spend any more time on it, I can try and research it a bit myself.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sun Jan 26, 2014 12:48 pm

There is nothing wrong with the code...the way you have it or the way I have it. Assuming you can run this for several minutes without a crash:

Code:
[ENABLE]
aobscan(aob2,8B 4F 01 89 4E 01 8B C6)
alloc(newmem,2048)
label(returnhere)
label(originalcode)
registersymbol(aob2)

newmem:

originalcode:
mov ecx,[edi+01]
mov [esi+01],ecx
jmp returnhere

aob2:
jmp newmem
nop
returnhere:

[DISABLE]
dealloc(newmem)
aob2:
db 8B 4F 01 89 4E 01

//"X3AP.exe"+A5CD7:
//mov ecx,[edi+01]
//mov [esi+01],ecx

//Alt: db 8B 4F 01 89 4E 01

unregistersymbol(aob2)


By running the above, we are essentially running the code as it was originally intended, but just relocating it. By doing so, we can eliminate the possibility of anti-cheat/CRC etc. crashing the game.

If there are no anti-cheat mechanisms at work, we are safe to assume that the crash is being caused by the offset(s) that we are using for the compare. You must keep digging to find a more reliable offset or set of offsets to use for your filtering. Like I said, you will have to continue filtering (even if you think you have the script working) to ensure that NOTHING else is getting through... only shield capacity. I managed to do this by comparing three different values. If you can find the new location for those values, it should work. However, I did not test it that much, so further work may be required. Not only that, but the game has been updated, so there's really no telling what you are working with. Just keep digging... you need to isolate that shield capacity address so that nothing else is getting through, and you need to do it with good, reliable offsets.
Codcat
Advanced Cheater
Reputation: 0

Joined: 21 Aug 2007
Posts: 62

Posted: Tue Jan 28, 2014 3:20 am

Thanks for your feedback. I've been working on this extensively last night and today; just running the script (yours or mine) with the cmp's removed, the game is stable. I've found that the larger the offset used in the cmp filter, the quicker the game will crash; when using a very nearby offset it will be stable for a while. I've been researching different ways the script can be done and came up with the code below; if you do read this and get time, let me know what you think of the format.

Code:
[ENABLE]
aobscan(aob1,8B 4F 01 89 4E 01 8B C6) //"x3ap.exe"+A87B7
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(AoBShields)
registersymbol(AoBShields)
label(Shieldcharge)
registersymbol(pShieldcharge)
alloc(pShieldcharge,8)
label(Shieldcapacity)
registersymbol(pShieldcapacity)
alloc(pShieldcapacity,8)

pShieldcharge:
dd 0
pShieldcapacity:
dd 0

newmem:
cmp [edi-04],26605810
je Shieldcharge
cmp [edi+06],00000E60
je Shieldcapacity
jmp originalcode

Shieldcharge:
mov [pShieldcharge],edi
jmp originalcode

Shieldcapacity:
mov [pShieldcapacity],edi
jmp originalcode

originalcode:
mov ecx,[edi+01]
mov [esi+01],ecx
jmp returnhere

aob1:
AoBShields:
jmp newmem
nop
returnhere:

[DISABLE]
AoBShields:
db 8B 4F 01 89 4E 01
dealloc(newmem)
unregistersymbol(AoBShields)
unregistersymbol(pShieldcharge)
dealloc(pShieldcharge)
unregistersymbol(pShieldcapacity)
dealloc(pShieldcapacity)


This is one of the most reliable I've managed to use so far; it is stable until I jump to another sector (zone to a new area), and then the game will crash. You'll notice I've declared the aobscan with a label as well; this was following a guide on the Cheat Engine forums saying it's necessary, but I doubt it has much effect. I've tried many different offset and filter options, but the game just doesn't seem to like the cmp instruction being injected.

I don't think I'll waste any more time on it; I'll have a crack at trying to do the same for 'reputations' in game and see if it's more forgiving.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Tue Jan 28, 2014 4:14 am

Looks fine at first glance. You do not need to allocate for these:

alloc(pShieldcharge,8)
alloc(pShieldcapacity,8)

Also, adding the label for aobscan is not required for the latest version of CE... just register it as a symbol and you're good. Follow my scripts as a guide... there is no reason to change anything, assuming you are running the latest version of CE. My opinion still stands: the problem lies with the offset(s) and filtering etc. The reason the game crashes when you jump to another sector is because the location of the instruction is probably changing due to a code shift. The aobscan only works when you enable it; it does not constantly scan and update its location when the code shifts. You have to disable the script before leaving a particular sector if the code is shifting. Once you have arrived at the new area and the code has been updated, you should be able to re-enable the script, and it should re-scan to find the new injection point/location. There may be a way to circumvent this problem with Lua or the like, but I couldn't tell you how at this point.
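As an added example (not code from the thread, from Cheat Engine, or from the game), here is a Python model of what the scripts above rely on: an array-of-bytes scan over a memory image, the 6-byte "jmp newmem; nop" patch and restore that the [ENABLE]/[DISABLE] blocks perform, and a check showing why a cached injection point goes stale after a code shift, which is why the scan happens only at enable time. The memory image, its padding, and the newmem address are constructed for the example.

```python
import struct

def parse_pattern(text):
    """Parse a CE-style pattern such as '8B 4F ?? 89' into ints (None = wildcard)."""
    return [None if tok in ("?", "??", "*") else int(tok, 16) for tok in text.split()]

def matches_at(mem, addr, pat):
    """True if pat matches mem at addr, honouring wildcards and buffer bounds."""
    if addr < 0 or addr + len(pat) > len(mem):
        return False
    return all(p is None or mem[addr + k] == p for k, p in enumerate(pat))

def aobscan(mem, pattern):
    """Every offset where the pattern matches; CE's aobscan() needs exactly one."""
    pat = parse_pattern(pattern)
    return [i for i in range(len(mem) - len(pat) + 1) if matches_at(mem, i, pat)]

def injection_point(mem, pattern):
    hits = aobscan(mem, pattern)
    if len(hits) != 1:
        raise ValueError(f"need exactly one match, found {len(hits)}")
    return hits[0]

def patch_jmp(mem, addr, newmem):
    """Model of the [ENABLE] block: a 5-byte 'jmp newmem' (E9 rel32) plus one nop
    overwrite the 6-byte 'mov ecx,[edi+01]; mov [esi+01],ecx'. rel32 is relative
    to the end of the jmp itself (addr + 5)."""
    out = bytearray(mem)
    out[addr:addr + 6] = b"\xE9" + struct.pack("<i", newmem - (addr + 5)) + b"\x90"
    return bytes(out)

def restore(mem, addr, original):
    """Model of the [DISABLE] block: write the saved original bytes back."""
    out = bytearray(mem)
    out[addr:addr + len(original)] = original
    return bytes(out)

PATTERN = "8B 4F 01 89 4E 01 8B C6"       # aobscan pattern used in the thread
ORIGINAL = bytes.fromhex("8B4F01894E01")   # 'db 8B 4F 01 89 4E 01' from [DISABLE]

def build_image(pad):
    """Constructed memory image: pad nops, the target bytes, then int3 padding."""
    return b"\x90" * pad + bytes.fromhex("8B4F01894E018BC6") + b"\xCC" * 16

def demo():
    addr = injection_point(build_image(32), PATTERN)   # found once, at enable time
    shifted = build_image(40)   # code shifted, e.g. after zoning to another sector
    # the cached address no longer holds the expected bytes; a fresh scan is needed
    return addr, matches_at(shifted, addr, parse_pattern(PATTERN)), injection_point(shifted, PATTERN)
```

Disabling the script before the shift (restore) and re-enabling after it (a fresh injection_point) is exactly the sequence recommended above; patching at the cached address after a shift would overwrite whatever now lives there.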
Codcat
Advanced Cheater
Reputation: 0

Joined: 21 Aug 2007
Posts: 62

Posted: Tue Jan 28, 2014 4:55 am

CE says it cannot compile mov [pShieldcharge],edi or mov [pShieldcapacity],edi if I remove the alloc for them that you mentioned was not necessary. I tried moving the two dd 0 statements for them down below the originalcode: label part of the script, where you place them, but it made no difference. Thanks, I removed the unnecessary label for the AOB.
Page 2 of 3