Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine


Please Help...

SayWhatAgain
Newbie cheater
Reputation: 2

Joined: 08 Mar 2014
Posts: 10

Posted: Sat Mar 15, 2014 12:56 pm    Post subject: Please Help...

Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
mov esi,(int)2
mov [ebx+08],esi
cmp esi,01

originalcode:
mov [ebx+08],esi
cmp esi,01

exit:
jmp returnhere

"game.exe"+1219A8:
jmp newmem
nop
returnhere:

[DISABLE]
dealloc(newmem)
"game.exe"+1219A8:
mov [ebx+08],esi
cmp esi,01
//Alt: db 89 73 08 83 FE 01


I want to include this on my script
Code:
aobscan(scan1, 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00)


but I don't know where. All I ask is a script with aobscan; I would appreciate it if someone changed this script, so I can understand it the next time I make a script.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sat Mar 15, 2014 1:28 pm    Post subject: Re: Please Help...

For CE 6.3:

Code:
[ENABLE]
aobscan(scan1,89730883FE01)
alloc(newmem,2048)
label(returnhere)

registersymbol(scan1)

newmem:
mov esi,(int)2
mov [ebx+08],esi
cmp esi,01
jmp returnhere

scan1:
jmp newmem
nop
returnhere:

[DISABLE]
dealloc(newmem)
scan1:
mov [ebx+08],esi
cmp esi,01

unregistersymbol(scan1)
SayWhatAgain
Newbie cheater
Reputation: 2

Joined: 08 Mar 2014
Posts: 10

Posted: Sat Mar 15, 2014 2:47 pm    Post subject: Re: Please Help...

++METHOS wrote:
For CE 6.3:

Code:
[ENABLE]
aobscan(scan1,89730883FE01)
alloc(newmem,2048)
label(returnhere)

registersymbol(scan1)

newmem:
mov esi,(int)2
mov [ebx+08],esi
cmp esi,01
jmp returnhere

scan1:
jmp newmem
nop
returnhere:

[DISABLE]
dealloc(newmem)
scan1:
mov [ebx+08],esi
cmp esi,01

unregistersymbol(scan1)


Can't activate; it freezes for some seconds and that's all. The game is Mark of the Ninja, to always stay in shadow mode. My other code just works fine, but I want aobscan on it.
STN
I post too much
Reputation: 43

Joined: 09 Nov 2005
Posts: 2676

Posted: Sat Mar 15, 2014 10:23 pm

Probably because your signature/aob is bad. Change this

aobscan(scan1,89730883FE01)

to a better aob you can find. Or post the whole instruction and we will figure out what aob you can use

_________________
Cheat Requests/Tables- Fearless Cheat Engine
https://fearlessrevolution.com
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sat Mar 15, 2014 11:50 pm

Search for array of bytes, with 'Hex' box checked and 'Writable' box filled-in, this value:

89730883FE01

If zero results, your AOB signature is no good or needs to be improved. If more than 1 result, your AOB signature needs to be improved.
SayWhatAgain
Newbie cheater
Reputation: 2

Joined: 08 Mar 2014
Posts: 10

Posted: Sun Mar 16, 2014 8:19 am

++METHOS wrote:
Search for array of bytes, with 'Hex' box checked and 'Writable' box filled-in, this value:

89730883FE01

If zero results, your AOB signature is no good or needs to be improved. If more than 1 result, your AOB signature needs to be improved.


1* Script

Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
mov esi,(int)2
mov [ebx+08],esi
cmp esi,01

originalcode:
mov [ebx+08],esi
cmp esi,01

exit:
jmp returnhere

"game.exe"+1219A8:
jmp newmem
nop
returnhere:

[DISABLE]
dealloc(newmem)
"game.exe"+1219A8:
mov [ebx+08],esi
cmp esi,01
//Alt: db 89 73 08 83 FE 01


Works, can change from shadow mode to visible mode anytime, but without AOB.

2* Script

Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
mov esi,#2
mov [ebx+08],esi
cmp esi,01

originalcode:
mov [ebx+08],esi
cmp esi,01

exit:
jmp returnhere

"game.exe"+1219A8:
jmp newmem
nop
returnhere:

label(code1)
registersymbol(code1)
aobscan(aob1, EB 02 B1 01 89 73 08 83 FE 01 74 09)

aob1:
code1:
db EB 02 B1 01 90 90 90 83 FE 01 74 09

[DISABLE]
dealloc(newmem)
"game.exe"+1219A8:
mov [ebx+08],esi
cmp esi,01
//Alt: db 89 73 08 83 FE 01
code1:
db EB 02 B1 01 89 73 08 83 FE 01 74 09

unregistersymbol(code1)


Works, but unable to change from visible to shadow mode.

2* Script

Code:
mov esi,#1
mov [ebx+08],esi
cmp esi,01


to

Code:
mov esi,#2
mov [ebx+08],esi
cmp esi,01


has no effect in game.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sun Mar 16, 2014 10:14 am

One thing at a time. First:

Quote:
Works, can change from shadow mode to visible mode anytime, but without AOB.


So let's look at that. Your injection point and AOB are these:

Address:
"game.exe"+1219A8:

AOB:
89 73 08 83 FE 01

Did you perform the steps outlined above? What were your results? Zero?

Please do this:
Copy your injection address: "game.exe"+1219A8 and go to memory viewer. In the upper window, right-click and select 'go to address'. Paste the address that you copied from your script. Now, scroll the window a couple of lines so that we can see a couple of lines above your injection point. Take a screenshot of the memory viewer at this location and upload it so that we can see it. We can look at what your AOB signature should be.
SayWhatAgain
Newbie cheater
Reputation: 2

Joined: 08 Mar 2014
Posts: 10

Posted: Sun Mar 16, 2014 10:56 am

++METHOS wrote:
One thing at a time. First:

Quote:
Works, can change from shadow mode to visible mode anytime, but without AOB.


So let's look at that. Your injection point and AOB are these:

Address:
"game.exe"+1219A8:

AOB:
89 73 08 83 FE 01

Did you perform the steps outlined above? What were your results? Zero?

Please do this:
Copy your injection address: "game.exe"+1219A8 and go to memory viewer. In the upper window, right-click and select 'go to address'. Paste the address that you copied from your script. Now, scroll the window a couple of lines so that we can see a couple of lines above your injection point. Take a screenshot of the memory viewer at this location and upload it so that we can see it. We can look at what your AOB signature should be.


1 - Yes, zero.

2 - Can't use URLs yet

Code:

game.exe+1219A4 - EB 02                 - jmp game.exe+1219A8
game.exe+1219A6 - B1 01                 - mov cl,01
game.exe+1219A8 - 89 73 08              - mov [ebx+08],esi
game.exe+1219AB - 83 FE 01              - cmp esi,01
game.exe+1219AE - 74 09                 - je game.exe+1219B9
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sun Mar 16, 2014 12:28 pm

This is only an excerpt. Please show more.

Anyway, you can try searching for this:

89 73 08 83 FE ??

If you get 0 results, then you did not follow my instructions. (make sure 'writable' box is filled-in; not checked and not empty)
SayWhatAgain
Newbie cheater
Reputation: 2

Joined: 08 Mar 2014
Posts: 10

Posted: Sun Mar 16, 2014 12:55 pm

++METHOS wrote:
This is only an excerpt. Please show more.

Anyway, you can try searching for this:

89 73 08 83 FE ??

If you get 0 results, then you did not follow my instructions. (make sure 'writable' box is filled-in; not checked and not empty)


Finally working..

Code:

[ENABLE]
aobscan(scan1,89730883FE01)
alloc(newmem,2048)
label(returnhere)

registersymbol(scan1)

newmem:
mov esi,(int)2
mov [ebx+08],esi
cmp esi,01
jmp returnhere

scan1:
jmp newmem
nop
returnhere:

[DISABLE]
dealloc(newmem)
scan1:
mov [ebx+08],esi
cmp esi,01

unregistersymbol(scan1)


Last (2) annoying questions...

Where do I include wildcards in this script now?
Should [DISABLE] have 89730883FE01 inside it too?
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sun Mar 16, 2014 1:26 pm

SayWhatAgain wrote:
Where do I include wildcards in this script now?
-Without seeing more code, I can not answer that question. However, if the script is working now, but wasn't working before, you may want to include a wildcard as I have shown above:

89 73 08 83 FE ??

Why? Because:

cmp esi,01

the 01 may change, causing your injection to fail. This is the only thing that stands out as a possibility to me, given the simplicity of the instructions. However, I do not think that is happening in this case.

That being said, by including the wildcard, you may find that multiple instructions are found when you perform an array of byte search. If that is the case, you may need to tack on more bytes to make it unique:

89 73 08 83 FE ?? 74 09 etc. etc. etc.

SayWhatAgain wrote:
Should [DISABLE] have 89730883FE01 inside it too?
-No need. You define your injection point with this:

aobscan(scan1,89730883FE??7409)

scan1 now replaces "game.exe"+1219A8:

Since you have no offset defined, the injection will occur at the start of your AOB signature:

aobscan(scan1,89730883FE??7409)

game.exe+1219A4 - EB 02 - jmp game.exe+1219A8
game.exe+1219A6 - B1 01 - mov cl,01
game.exe+1219A8 - 89 73 08 - mov [ebx+08],esi
game.exe+1219AB - 83 FE 01 - cmp esi,01
game.exe+1219AE - 74 09 - je game.exe+1219B9
SayWhatAgain
Newbie cheater
Reputation: 2

Joined: 08 Mar 2014
Posts: 10

Posted: Sun Mar 16, 2014 2:00 pm

++METHOS wrote:
SayWhatAgain wrote:
Where do I include wildcards in this script now?
-Without seeing more code, I can not answer that question. However, if the script is working now, but wasn't working before, you may want to include a wildcard as I have shown above:

89 73 08 83 FE ??

Why? Because:

cmp esi,01

the 01 may change, causing your injection to fail. This is the only thing that stands out as a possibility to me, given the simplicity of the instructions. However, I do not think that is happening in this case.

That being said, by including the wildcard, you may find that multiple instructions are found when you perform an array of byte search. If that is the case, you may need to tack on more bytes to make it unique:

89 73 08 83 FE ?? 74 09 etc. etc. etc.

SayWhatAgain wrote:
Should [DISABLE] have 89730883FE01 inside it too?
-No need. You define your injection point with this:

aobscan(scan1,89730883FE??7409)

scan1 now replaces "game.exe"+1219A8:

Since you have no offset defined, the injection will occur at the start of your AOB signature:

aobscan(scan1,89730883FE??7409)

game.exe+1219A4 - EB 02 - jmp game.exe+1219A8
game.exe+1219A6 - B1 01 - mov cl,01
game.exe+1219A8 - 89 73 08 - mov [ebx+08],esi
game.exe+1219AB - 83 FE 01 - cmp esi,01
game.exe+1219AE - 74 09 - je game.exe+1219B9


Whoa, thank you so much, now it has become a lot easier to understand. Remember me when I become able to give rep, so I can give you one =D

(sometimes just a "thank you" isn't worth much)
mgr.inz.Player
I post too much
Reputation: 222

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Sun Mar 16, 2014 2:22 pm

++METHOS wrote:
If zero results, your AOB signature is no good or needs to be improved. If more than 1 result, your AOB signature needs to be improved.

About "more than 1 result" I want to add:

1) If we have "more than 1 result" AND the address we want is always the first one, we can still use that signature (pattern).

2) Also, if we want to inject our code inside a known module, and inside that module there is only "one hit", we can use the aobscanmodule AA command.


Example for first case, we have three hits (three results):

xrEngine.dll+105A: there is 89 73 08 83 FE
xrEngine.dll+1734: there is 89 73 08 83 FE
xrEngine.dll+78AC: there is 89 73 08 83 FE

And we want "xrEngine.dll+105A", we can still use this signature.
Yes, some games after an update can have a completely rebuilt DLL, and the order may change. The odds that the order will change are very low; there is a much higher chance that the signature will simply stop working.



Example for second case, we have five hits:

Again, "xrEngine.dll+105A" is our target.

xrPhysics.dll+435: there is 89 73 08 83 FE
xrPhysics.dll+1334: there is 89 73 08 83 FE
xrEngine.dll+105A: there is 89 73 08 83 FE
ode.dll+4503: there is 89 73 08 83 FE
ode.dll+7845: there is 89 73 08 83 FE

we can use
aobscanmodule(scan1,xrEngine.dll,89 73 08 83 FE )

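The rule of thumb from the earlier posts (zero hits means the signature is wrong for this build, one hit is what you want, more than one means extend the pattern or restrict it to a module) and the two points just above, worked through as an added example. This is not Cheat Engine's code and not any poster's script: it is a small stand-alone Python scanner over a constructed memory image. The module names, base addresses and offsets are made up; only the twelve bytes placed at the constructed offset copy the disassembly excerpt posted earlier in the thread, and a second copy with a different `cmp` immediate is planted in another module so the exact and wildcarded signatures behave differently.

```python
"""Wildcard byte-pattern (AOB) scanner over a constructed memory image.

Added illustration of the signature checks discussed in the thread; not
Cheat Engine's own implementation. Module names, base addresses and
offsets are constructed sample data."""

from typing import Dict, List, Optional, Tuple

Pattern = List[Optional[int]]  # None marks a '??' wildcard byte

# Constructed "memory": two zero-filled module images with a few bytes set.
_GAME = bytearray(0x400)
# Mirrors the posted excerpt: jmp +2 / mov cl,01 / mov [ebx+08],esi /
# cmp esi,01 / je +9, placed at a made-up offset 0x1A4.
_GAME[0x1A4:0x1B0] = bytes.fromhex("EB02B101" "89730883FE01" "7409")
_PHYS = bytearray(0x200)
# Same store/compare elsewhere but with a different immediate (cmp esi,02):
# the exact signature misses it, the wildcarded one finds it.
_PHYS[0x40:0x46] = bytes.fromhex("89730883FE02")

# (base address, image bytes) per module; both values are constructed.
MODULES: Dict[str, Tuple[int, bytes]] = {
    "game.exe": (0x00400000, bytes(_GAME)),
    "xrPhysics.dll": (0x10000000, bytes(_PHYS)),
}


def parse_aob(sig: str) -> Pattern:
    """Accept '89 73 08 83 FE ??' or '89730883FE??'; '??' is a wildcard."""
    compact = sig.replace(" ", "").upper()
    if len(compact) % 2:
        raise ValueError("signature must consist of whole bytes")
    pairs = [compact[i:i + 2] for i in range(0, len(compact), 2)]
    return [None if p == "??" else int(p, 16) for p in pairs]


def _scan_image(base: int, image: bytes, pattern: Pattern) -> List[int]:
    """Every absolute address in one image where the pattern matches."""
    n = len(pattern)
    return [
        base + off
        for off in range(len(image) - n + 1)
        if all(p is None or image[off + i] == p for i, p in enumerate(pattern))
    ]


def aobscan(sig: str) -> List[int]:
    """Scan every module, like the thread's aobscan: all hits, lowest first."""
    pattern = parse_aob(sig)
    hits: List[int] = []
    for base, image in MODULES.values():
        hits.extend(_scan_image(base, image, pattern))
    return sorted(hits)


def aobscanmodule(module: str, sig: str) -> List[int]:
    """Scan a single module only, like the thread's aobscanmodule."""
    base, image = MODULES[module]
    return _scan_image(base, image, parse_aob(sig))


def symbolize(addr: int) -> str:
    """Render an absolute address as module+offset, e.g. 'game.exe+1A8'."""
    for name, (base, image) in MODULES.items():
        if base <= addr < base + len(image):
            return f"{name}+{addr - base:X}"
    return f"{addr:08X}"


def classify(hits: List[int]) -> str:
    """The thread's rule of thumb applied to a hit list."""
    if not hits:
        return "no match: signature is wrong or the bytes differ in this build"
    if len(hits) == 1:
        return "unique hit"
    return "ambiguous: extend the signature or restrict it to one module"


if __name__ == "__main__":
    for sig in ("89 73 08 83 FE 01", "89 73 08 83 FE ??", "89 73 08 83 FE ?? 74 09"):
        hits = aobscan(sig)
        print(f"{sig:26} -> {[symbolize(h) for h in hits]}  ({classify(hits)})")
    only_phys = aobscanmodule("xrPhysics.dll", "89 73 08 83 FE ??")
    print("xrPhysics.dll only         ->", [symbolize(h) for h in only_phys])
```

Running it shows the three outcomes side by side: the exact six bytes hit once, the wildcarded five bytes hit in both modules (ambiguous), and appending `74 09` makes the wildcarded pattern unique again, which is the trade-off ++METHOS describes. The module-restricted scan is the second case from mgr.inz.Player's post.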
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sun Mar 16, 2014 2:36 pm

mgr.inz.Player wrote:
1) If we have "more than 1 result" AND the address we want is always the first one, we can still use that signature (pattern).
2) Also, if we want to inject our code inside known module, and inside that module there is only "one hit" we can use aobscanmodule AA command.
-Yes.

Also, LUA can be used to select 2nd, 3rd or whatever result.
mgr.inz.Player
I post too much
Reputation: 222

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Sun Mar 16, 2014 2:56 pm

Yes, Lua native functions (added by DB) are very handy.
Also, CE 6.4 (in the near future, I think) will allow mixing more complex Lua scripts with AA scripts.
