Cheat Engine Forum - The Official Site of Cheat Engine


Need help with a script

 
Cheat Engine Forum Index -> Cheat Engine Tutorials
Kyurino
How do I cheat?
Reputation: 0

Joined: 13 Mar 2015
Posts: 1

Posted: Fri Mar 13, 2015 6:39 pm    Post subject: Need help with a script

Hey!

I'm having some issues with this script:

Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

aobscan(nodamage, 29 83 ?? ?? ?? ?? C6 83 ?? ?? ?? ?? 01 DD 45 E8 D9 E8 DF F1)
label(_nodamage)
registersymbol(_nodamage)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:
//sub [ebx+00000200],eax

exit:
jmp returnhere

nodamage:
_nodamage:
jmp newmem
nop
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
_nodamage:
sub [ebx+00000200],eax
//Alt: db 80 7B 28 00 D9 18


It's a script that makes me not take any damage in Terraria.
When I activate the script it's working as intended, but the issue is that when I disable the script I'm still taking no damage until I restart the game. Anyone who can help me with that?

Thanks.
hhhuut
Grandmaster Cheater
Reputation: 6

Joined: 08 Feb 2015
Posts: 607

Posted: Fri Mar 13, 2015 6:52 pm

Hm, did you have a look into the disassembler? Did CE rewrite the memory correctly?

Btw: I'd recommend you unregister the symbols you previously registered:

Code:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
_nodamage:
sub [ebx+00000200],eax
unregistersymbol(_nodamage)
//Alt: db 80 7B 28 00 D9 18
justa_dude
Grandmaster Cheater
Reputation: 23

Joined: 29 Jun 2010
Posts: 891

Posted: Sat Mar 14, 2015 12:49 am

hhhuut wrote:
Btw: I'd recommend you unregister the symbols you previously registered


Why? If it's still registered, it is much easier to troubleshoot, among other things. He can just open up the memory window and ctrl-g (goto) his symbol name to see what's going on.

_________________
Next to the big gate, there is always a small gate.
----------------------
Come on...
panraven
Grandmaster Cheater
Reputation: 54

Joined: 01 Oct 2008
Posts: 941

Posted: Sat Mar 14, 2015 2:56 am    This post has 1 review(s)

Maybe your game was updated and the offset in the aobscan (after 29 83) is no longer +200.
Try checking and fixing the [DISABLE] section as hhhuut suggested.
Or try this, hope it works.
Code:
[ENABLE]
//               00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12
alloc(mcode,1024)
aobscan(_dmg,    29 83 ?? ?? ?? ?? C6 83 ?? ?? ?? ?? DD 45 ?? D9 E8 DF F1) // make sure the aob pattern is unique
mcode+100://     <-jmp from here->
readmem(_dmg,6) //      (*) run original code 1st
mcode+00:
dd 0            //       this will be the VALUE of mcode, used in the Enabled flag Memory Record
mcode+04:       //       this is Enabled flag -> make a MemoryRecord, AddressType=pointer, base = mcode, offset = 04, ValueType = dword
dd 1            //       default Enabled      -> the memoryRecord can preset values as dropdown menu by 'Set/Change dropdown selection options'
mcode+106:      //       continue (*) code from here
// actual modification
cmp  dword ptr[mcode+04],1
jne  @f         //       do nothing if the Enabled flag is not 1
push ecx
mov  ecx,[mcode+102] //   mcode+102 point to the wildcarded offset
add  [ebx+ecx],eax  //   undo the subtraction by original code
pop  ecx
@@:
jmp  _dmg+06        //   return and continue original code

_dmg:               //   now hook the original code to our code cave
jmp  mcode+100
nop                 //   pad the sixth byte

registerSymbol(mcode) // save symbols for use in [DISABLE]
registerSymbol(_dmg)

// original code
//026C0080 - 29 83 ????????        - sub [ebx+offset1],eax
//026C0086 - C6 83 ???????? 01     - mov byte ptr [ebx+offset2],01
//026C008D - DD 45 ??              - fld qword ptr [ebp-18]
//026C0090 - D9E8                  - fld1
//026C0092 - DFF1                  - fcomip st(0),st(1)

mcode+180:       // this part is to setup mcode+00, not necessary if the Enabled flag Memory Record is not needed.
push eax
mov  eax,mcode
mov  [eax],eax
pop  eax
ret
createThread(mcode+180) // run it once and only once

[DISABLE]
_dmg:
readmem(mcode+100,6)
unregisterSymbol(_dmg)
dealloc(mcode)
unregisterSymbol(mcode)

Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

Posted: Sat Mar 14, 2015 9:50 am

This may be simpler:

Code:
[ENABLE]
// aobscan rather than aobscanmodule: aobscanmodule takes a module name as its second
// parameter, and Terraria's JIT-compiled .NET code does not live inside a module anyway
aobscan(nodamage,29 83 ?? ?? ?? ?? C6 83 ?? ?? ?? ?? 01 DD 45 E8 D9 E8 DF F1)
alloc(nodamage_backup,6)
nodamage_backup:
  readmem(nodamage,6)
nodamage:
  db 90 90 90 90 90 90
registersymbol(nodamage)
registersymbol(nodamage_backup)

[DISABLE]
nodamage:
  readmem(nodamage_backup,6)
unregistersymbol(nodamage)
unregistersymbol(nodamage_backup)
dealloc(nodamage_backup)
Rissorr
Master Cheater
Reputation: 3

Joined: 17 Sep 2013
Posts: 273
Location: Israel!

Posted: Sat Mar 14, 2015 2:08 pm

I just checked it out, and yes! The code is rewritten on disable as:
sub [ebx-672352],eax (for me)

I never saw things like that!
hhhuut
Grandmaster Cheater
Reputation: 6

Joined: 08 Feb 2015
Posts: 607

Posted: Sat Mar 14, 2015 3:56 pm

Strange ...
Perhaps it works when commenting out the "sub [ebx+200],eax" and using the "db" instruction instead:

Code:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
_nodamage:
//sub [ebx+00000200],eax
db 80 7B 28 00 D9 18
Rissorr
Master Cheater
Reputation: 3

Joined: 17 Sep 2013
Posts: 273
Location: Israel!

Posted: Sat Mar 14, 2015 4:43 pm

@hhhuut
Nope, I've tried; it's the same as writing the instruction itself, and it's not working.
hhhuut
Grandmaster Cheater
Reputation: 6

Joined: 08 Feb 2015
Posts: 607

Posted: Sat Mar 14, 2015 5:14 pm

Wow, that's weird ...

Any ideas @Dark Byte?

@Kyurino:

Can you do a code injection one (or two) instruction(s) above or isn't that possible?
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

Posted: Sat Mar 14, 2015 9:06 pm

Writing the same bytes back at the address location in my script causes the pointer offset to change?
vng21092
Grandmaster Cheater
Reputation: 15

Joined: 05 Apr 2013
Posts: 644

Posted: Sat Mar 14, 2015 9:24 pm

umm... I'm PRETTY sure this has something to do with it... But I might be wrong

Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

aobscan(nodamage, 29 83 ?? ?? ?? ?? C6 83 ?? ?? ?? ?? 01 DD 45 E8 D9 E8 DF F1) <--HERE'S THE AOBSCAN
label(_nodamage) <--HERE'S SOMETHING HE CREATED
registersymbol(_nodamage)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:
//sub [ebx+00000200],eax

exit:
jmp returnhere

nodamage: <--THIS IS THE AOBSCAN
_nodamage: <--THIS IS NOT THE AOBSCAN (Why is it acting like an injection point?)
jmp newmem
nop
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
_nodamage: <--THIS IS NOT THE AOBSCAN
sub [ebx+00000200],eax
//Alt: db 80 7B 28 00 D9 18

The aobscan is named "nodamage", yet in all places where he's supposed to reference the aobscan he puts "_nodamage", which is just a symbol he created... thoughts? Which also means that when he disables the code, he's not returning the aobscan to its original state (explaining why you still don't take damage); he's leaving the symbol he created with the aobscan's original code.

Try this instead:
Code:
[ENABLE]

alloc(noDamage,32)
aobscan(noDamage_aob1, 29 83 ?? ?? ?? ?? C6 83 ?? ?? ?? ?? 01 DD 45 E8 D9 E8 DF F1)
registersymbol(noDamage_aob1)
label(returnhere_noDamage)

//--------------------------------------------------//
noDamage:
//sub [ebx+00000200],eax
jmp returnhere_noDamage
//--------------------------------------------------//

noDamage_aob1:
jmp noDamage
nop
returnhere_noDamage:

[DISABLE]

noDamage_aob1:
sub [ebx+00000200],eax
unregistersymbol(noDamage_aob1)
dealloc(noDamage)
//Alt: db 80 7B 28 00 D9 18
justa_dude
Grandmaster Cheater
Reputation: 23

Joined: 29 Jun 2010
Posts: 891

Posted: Sat Mar 14, 2015 10:30 pm

vng21092 wrote:
umm... I'm PRETTY sure this has something to do with it... But I might be wrong...
The aobscan is named "nodamage", yet in all places where he's supposed to reference the aobscan he puts "_nodamage", which is just a symbol he created... thoughts? Which also means that when he disables the code, he's not returning the aobscan to its original state (explaining why you still don't take damage); he's leaving the symbol he created with the aobscan's original code.

Because he's altering the memory at the aobscan, it's not going to be the same when he goes to disable. That's why he's creating a label and assigning it to the appropriate memory address. It's the way DB taught us to do it.

I own Terraria, but the aobscan doesn't find anything on my machine. So it's hard to suggest what might be going on. If I were personally troubleshooting this issue, I would begin by searching for the array of bytes in the memory scanner... then, activate my cheat and note what changes. After disabling the cheat, I would check to see if the code had been properly replaced with whatever was originally there. I am seeing some folks report seeing weird instructions, but without proper context it is difficult to know if bad code has been rewritten or if we're just failing to re-assemble correctly because we're not aligned on an instruction boundary.

edit: derp, I really should know by now that I have to take damage to generate the code that the aob seeks! After taking some damage, the aobscan works. The aobscan finds code that modifies ebx+258, as correctly alluded to by panraven, above. Changing the disable section to
Code:

[DISABLE]
_nodamage:
sub [ebx+00000258],eax
dealloc(newmem)

seems to fix the problem.

_________________
Next to the big gate, there is always a small gate.
----------------------
Come on...


Last edited by justa_dude on Sat Mar 14, 2015 10:56 pm; edited 1 time in total
vng21092
Grandmaster Cheater
Reputation: 15

Joined: 05 Apr 2013
Posts: 644

Posted: Sat Mar 14, 2015 10:50 pm

Well, I was intrigued, so I gave it a shot. Here is what I whipped up; tested and it works fine. Made this in Terraria 1.2.4.1.

Code:
[Enable]

//Infinite Health
aobscan(ih_aob1,F2 0F 2C C0 29 83 58 02 00 00)
registersymbol(ih_aob1)

ih_aob1+4:
db 90 90 90 90 90 90

[Disable]

ih_aob1+4:
db 29 83 58 02 00 00
unregistersymbol(ih_aob1)
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

Posted: Sat Mar 14, 2015 11:11 pm

The AOB scan uses wildcards to account for the health offset changing.

My script (and panraven's?) should restore whatever the original code happened to be.

Trying to make the script future proof, in case the offset ever changes again.
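The backup-and-restore pattern in Zanzer's script and the wildcard point made above, worked through as an added Python example that is not part of this thread and is not Cheat Engine's code. It simulates process memory with a bytearray, so nothing touches a real process. The surrounding filler bytes, the +0x260 displacement of the second instruction and all function names are constructed assumptions; only the two AOB patterns and the +0x258 displacement come from the posts. It shows why writing a hardcoded `sub [ebx+200],eax` back on disable leaves the code corrupted once the real displacement is +258, while a readmem-style backup restores whatever was there.

```python
import struct

# Constructed sample "code" buffer (not a real memory dump). A few filler bytes,
# then the damage-subtraction sequence the thread's AOB targets, with the
# displacement +0x258 that justa_dude reported, then more filler.
FILLER_BEFORE = bytes.fromhex("8B4508" "F20F2CC0")    # mov eax,[ebp+8]; cvttsd2si eax,xmm0
DAMAGE_SEQ = (
    bytes.fromhex("2983") + struct.pack("<i", 0x258)           # sub [ebx+0x258],eax
    + bytes.fromhex("C683") + struct.pack("<i", 0x260) + b"\x01"  # mov byte ptr [ebx+0x260],1 (offset assumed)
    + bytes.fromhex("DD45E8")                                   # fld qword ptr [ebp-0x18]
    + bytes.fromhex("D9E8")                                     # fld1
    + bytes.fromhex("DFF1")                                     # fcomip st(0),st(1)
)
FILLER_AFTER = bytes.fromhex("7605")                            # jbe +5
SAMPLE_CODE = FILLER_BEFORE + DAMAGE_SEQ + FILLER_AFTER

# Wildcarded pattern from the thread: the two displacements are left open.
AOB = "29 83 ?? ?? ?? ?? C6 83 ?? ?? ?? ?? 01 DD 45 E8 D9 E8 DF F1"


def parse_aob(pattern):
    """Turn a CE-style AOB string into a list of int-or-None (None = wildcard byte)."""
    return [None if tok in ("??", "*") else int(tok, 16) for tok in pattern.split()]


def aobscan(buf, pattern):
    """Return every offset where the pattern matches, honouring wildcards."""
    pat = parse_aob(pattern)
    n = len(pat)
    return [
        i for i in range(len(buf) - n + 1)
        if all(p is None or buf[i + k] == p for k, p in enumerate(pat))
    ]


def find_unique(buf, pattern):
    """A usable signature matches exactly once; anything else is an error, not a hit."""
    hits = aobscan(buf, pattern)
    if len(hits) != 1:
        raise ValueError(f"pattern matched {len(hits)} times, expected exactly one")
    return hits[0]


def displacement(buf, addr):
    """Read the disp32 of 'sub [ebx+disp32],eax' (opcode 29 83, then 4 bytes little-endian)."""
    return struct.unpack_from("<i", buf, addr + 2)[0]


class PatchedRegion:
    """Mimics the readmem()/db pair: back the bytes up before overwriting, restore on disable."""

    def __init__(self, mem, addr, size):
        self.mem, self.addr, self.size = mem, addr, size
        self.backup = bytes(mem[addr:addr + size])   # like nodamage_backup: readmem(nodamage,6)

    def enable(self, new_bytes):
        assert len(new_bytes) == self.size, "patch must be exactly the size of what it replaces"
        self.mem[self.addr:self.addr + self.size] = new_bytes

    def disable(self):
        self.mem[self.addr:self.addr + self.size] = self.backup   # readmem(nodamage_backup,6)


def roundtrip_with_backup():
    """Enable (NOP the sub), then disable; True iff memory is byte-identical afterwards."""
    mem = bytearray(SAMPLE_CODE)
    addr = find_unique(mem, AOB)
    region = PatchedRegion(mem, addr, 6)
    region.enable(b"\x90" * 6)
    patched = bytes(mem) != SAMPLE_CODE
    region.disable()
    return patched and bytes(mem) == SAMPLE_CODE


def roundtrip_with_hardcoded_restore(assumed_disp):
    """The OP's approach: disable by re-assembling 'sub [ebx+assumed_disp],eax' from a constant."""
    mem = bytearray(SAMPLE_CODE)
    addr = find_unique(mem, AOB)
    mem[addr:addr + 6] = b"\x90" * 6
    mem[addr:addr + 6] = bytes.fromhex("2983") + struct.pack("<i", assumed_disp)
    return bytes(mem) == SAMPLE_CODE


if __name__ == "__main__":
    addr = find_unique(SAMPLE_CODE, AOB)
    print(f"match at +{addr:#x}, real displacement +{displacement(SAMPLE_CODE, addr):#x}")
    print("backup/restore round-trip intact:", roundtrip_with_backup())
    print("hardcoded +0x200 restore intact:", roundtrip_with_hardcoded_restore(0x200))
    print("hardcoded +0x258 restore intact:", roundtrip_with_hardcoded_restore(0x258))
```

The same matcher accepts vng21092's non-wildcard pattern (`F2 0F 2C C0 29 83 58 02 00 00`), which also hits this buffer but would stop matching the moment the displacement moves again; the wildcarded pattern plus a saved copy of the original bytes is what makes a patch both portable across builds and cleanly reversible, which is the check worth making on any in-memory patch before trusting its "disable" path.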
Rissorr
Master Cheater
Reputation: 3

Joined: 17 Sep 2013
Posts: 273
Location: Israel!

Posted: Sun Mar 15, 2015 3:58 pm

@vng21092 Thanks bro
I'll try to combine your code with some wildcards to ensure future efficiency (just like Zanzer said).