Cheat Engine Forum
The Official Site of Cheat Engine
AOB Script Issue

Cheat Engine Forum Index -> General Discussions
ubiByte
Advanced Cheater
Reputation: 1

Joined: 08 Mar 2013
Posts: 57

Posted: Sat May 02, 2015 6:17 pm    Post subject: AOB Script Issue

Hi, I have been reading so many tutorials in the tutorials section that I am really starting to master cheating games; it's pretty awesome. Thanks to everyone who put up tutorials, they have been extremely helpful.

There is one problem that I have run into, however, that I can't seem to figure out. Check out the code below; I am using this for infinite consumables, which works fine, but there's a problem with it.

Code:
[ENABLE]
// Pattern: the 4-byte write, the 6-byte mov ecx,[abs32], and the two instructions after it.
// The 4 bytes after 8B 0D are the absolute address and change on every restart.
aobscan(items, 88 54 37 08 8B 0D 5C 38 3C 03 8B 79 18 3B 77 04)
alloc(newmem, $1000)
label(return)

newmem:
nop
//mov [edi+esi+08],dl
// Original instruction re-emitted with the address hard-coded: the part that breaks on restart.
mov ecx,[033C385C]
jmp return

items:
// 5-byte jmp + 5 nops = the 10 bytes (4 + 6) that are overwritten.
jmp newmem
nop
nop
nop
nop
nop
return:
registersymbol(items)

[DISABLE]
items:
// Restores the same hard-coded address bytes.
db 88 54 37 08 8B 0D 5C 38 3C 03
unregistersymbol(items)
dealloc(newmem)


The problem is that this game changes memory locations every time the game restarts. So right now this cheat works great, but when I turn off the game and turn it back on, even though I am using AOB, we have this code here:

Code:
mov ecx,[033C385C]


The 033C385C will change every time the game is reset. So how can I use my script without having to change the address manually? I know I can't use question marks like you can inside of the aobscan function. Any ideas?
justa_dude
Grandmaster Cheater
Reputation: 23

Joined: 29 Jun 2010
Posts: 893

Posted: Sat May 02, 2015 6:57 pm

Read the variable (pointer to somewhere in the data segment for a global variable/static member, I'm pretty sure) into memory using a decorated (symbol/module) name for the address.
_________________
Beside the big gate, there is always a small gate.
----------------------
Come on...
ubiByte
Advanced Cheater
Reputation: 1

Joined: 08 Mar 2013
Posts: 57

Posted: Sat May 02, 2015 7:05 pm

I'm not quite sure what you mean. You want me to create a symbol for 033C385C? But that address will change every restart. Can you clarify, please? I don't think I understood you right.
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5627

Posted: Sat May 02, 2015 7:23 pm

I guess

mov ecx,[033C385C]

is the original code and it's not necessary for your cheat, so you could try to change the point of code injection to not include this code.

And you can also try to look around in the registers or the stack to see if any of them contains this address (or an address close to this one). E.g. if it happens that eax is always equal to the address you need, you can just replace this code with

mov ecx,[eax]

_________________
My trainers can be found here: http://www.szemelyesintegracio.hu/cheats

If you are interested in any of my crappy articles/tutorials about CE and game hacking, you can find them here:
http://www.szemelyesintegracio.hu/cheats/41-game-hacking-articles

Don't request cheats or updates.
ubiByte
Advanced Cheater
Reputation: 1

Joined: 08 Mar 2013
Posts: 57

Posted: Sat May 02, 2015 7:45 pm

Hey, thanks Geri. I have tried replacing that piece of code, but if I remove it the game crashes; it seems it needs to use that address. I'll give you the rest here.

Code:
07BAE287 - 88 54 37 08           - mov [edi+esi+08],dl
07BAE28B - 8B 0D 5C383C03        - mov ecx,[033C385C] : [024D5D6C]
07BAE291 - 8B 79 18              - mov edi,[ecx+18]
07BAE294 - 3B 77 04              - cmp esi,[edi+04]
07BAE297 - 73 40                 - jae 07BAE2D9


That's what follows after that part, but like I said, taking out the mov ecx,[033C385C] kills the game.
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5627

Posted: Sat May 02, 2015 7:47 pm

What is above your code? You could shift the code injection to include the code you need and the code above it, if that code is more suitable for an AOB script.

ubiByte
Advanced Cheater
Reputation: 1

Joined: 08 Mar 2013
Posts: 57

Posted: Sat May 02, 2015 8:12 pm

Above it is this:

Code:
07BAE265 - E8 A289F567           - call System.Math::Max
07BAE26A - DD 5D D8              - fstp qword ptr [ebp-28]
07BAE26D - DD 45 D8              - fld qword ptr [ebp-28]
07BAE270 - DD 5D D8              - fstp qword ptr [ebp-28]
07BAE273 - F2 0F10 45 D8         - movsd xmm0,[ebp-28]
07BAE278 - F2 0F2C D0            - cvttsd2si edx,xmm0
07BAE27C - 81 E2 FF000000        - and edx,000000FF
07BAE282 - 3B 77 04              - cmp esi,[edi+04]
07BAE285 - 73 52                 - jae 07BAE2D9


Can you explain what you mean by shifting the code? I'm not an expert or anything, just figuring things out one at a time.
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

Posted: Sat May 02, 2015 8:38 pm

Since you're just NOP'ing the instruction:
Code:
[ENABLE]
// '*' is a wildcard, so the 4 varying address bytes no longer have to match.
aobscan(items, 88 54 37 08 8B 0D * * * * 8B 79 18 3B 77 04)
items:
// Only the 4-byte mov [edi+esi+08],dl is NOPed; the mov ecx,[...] stays untouched in place.
db 90 90 90 90
registersymbol(items)

[DISABLE]
items:
db 88 54 37 08
unregistersymbol(items)
ubiByte
Advanced Cheater
Reputation: 1

Joined: 08 Mar 2013
Posts: 57

Posted: Sat May 02, 2015 8:50 pm

Zanzer wrote:
Since you're just NOP'ing the instruction:
Code:
[ENABLE]
aobscan(items, 88 54 37 08 8B 0D * * * * 8B 79 18 3B 77 04)
items:
db 90 90 90 90
registersymbol(items)

[DISABLE]
items:
db 88 54 37 08
unregistersymbol(items)


I didn't think about that; I guess that would work in this case. But in the future, what is the best way to deal with this situation? What if I didn't NOP it and wrote a script to do something, how do you deal with this problem? I just want to learn.
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

Posted: Sat May 02, 2015 8:54 pm

Code:
[ENABLE]
aobscan(items, 88 54 37 08 8B 0D * * * * 8B 79 18 3B 77 04)
alloc(newmem, $1000)
label(return)
label(backup)

newmem:
nop
//mov [edi+esi+08],dl
// Copies the 6 original bytes of mov ecx,[xxxxxxxx], with this run's address, in here.
readmem(items+4,6)
//mov ecx,[033C385C]
jmp return

backup:
// Second copy of the same 6 bytes, kept so [DISABLE] can restore them.
readmem(items+4,6)

items:
jmp newmem
nop
nop
nop
nop
nop
return:
registersymbol(items)
registersymbol(backup)

[DISABLE]
items:
db 88 54 37 08
// Restores the run-specific mov ecx,[...] bytes from the backup instead of a hard-coded address.
readmem(backup,6)
unregistersymbol(items)
unregistersymbol(backup)
dealloc(newmem)
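The mechanics behind the wildcard scan and the readmem() copies in the script above, as an added Python example (not code from the thread or from Cheat Engine): it scans a constructed byte buffer standing in for the game's code page for the same 16-byte pattern, refuses a non-unique hit, decodes the imm32 of the mov ecx,[...] that is present this run, and assembles the jmp/NOP patch and the cave bytes the way the script does (readmem(items+4,6) is the 6-byte copy; readmem(items+8,1) is the single varying byte the later posts discuss). The two image bases, the second operand 0361385C, the cave address 0A000000 and the 0xCC filler are made-up values.

```python
from __future__ import annotations

import struct
from typing import Optional

# Pattern from Zanzer's post: '*' marks the 4 absolute-address bytes of mov ecx,[imm32].
PATTERN = "88 54 37 08 8B 0D * * * * 8B 79 18 3B 77 04"


def parse_aob(pattern: str) -> list[Optional[int]]:
    """'88 54 ?? 08 *' -> [0x88, 0x54, None, 0x08, None]; None matches any byte."""
    return [None if tok in ("*", "?", "??") else int(tok, 16) for tok in pattern.split()]


def aob_scan_all(mem: bytes, pattern: str, base: int = 0) -> list[int]:
    """Every address in mem (mapped at `base`) where the pattern matches.
    CE's aobscan() stops at the first hit, so the script author has to make sure
    the pattern is unique; returning all hits makes that check possible."""
    pat = parse_aob(pattern)
    n = len(pat)
    return [base + i for i in range(len(mem) - n + 1)
            if all(p is None or p == mem[i + k] for k, p in enumerate(pat))]


def readmem(mem: bytes, base: int, addr: int, size: int) -> bytes:
    """Equivalent of CE's readmem(addr, size): the bytes currently at addr,
    read at script-assembly time, i.e. before the hook is written."""
    off = addr - base
    if off < 0 or off + size > len(mem):
        raise ValueError("readmem out of range")
    return bytes(mem[off:off + size])


def rel32(src: int, dst: int, length: int) -> bytes:
    """Displacement for a `length`-byte jmp at `src` that must land on `dst`."""
    return struct.pack("<i", dst - (src + length))


def mov_ecx_operand(instr: bytes) -> int:
    """Decode `8B 0D imm32` (mov ecx,[imm32]) and return the absolute address."""
    if len(instr) != 6 or instr[:2] != b"\x8b\x0d":
        raise ValueError("not a mov ecx,[imm32]")
    return struct.unpack("<I", instr[2:])[0]


def build_hook(mem: bytes, base: int, items: int, newmem: int) -> tuple[bytes, bytes]:
    """Bytes for Zanzer's hook: at `items` a 5-byte jmp to the cave plus 5 NOPs
    (10 bytes = 4-byte write + 6-byte mov); in the cave a NOP in place of the
    write, the 6 original mov ecx bytes copied verbatim, and a jmp to items+10."""
    mov_ecx = readmem(mem, base, items + 4, 6)
    cave = b"\x90" + mov_ecx
    cave += b"\xe9" + rel32(newmem + len(cave), items + 10, 5)
    patch = b"\xe9" + rel32(items, newmem, 5) + b"\x90" * 5
    return patch, cave


def make_image(imm32: int, pad: int = 0x287) -> bytes:
    """Constructed stand-in for the game's code page: filler, then the five
    instructions listed in the thread with the given absolute operand."""
    code = (b"\x88\x54\x37\x08"                        # mov [edi+esi+08],dl
            + b"\x8b\x0d" + struct.pack("<I", imm32)   # mov ecx,[imm32]
            + b"\x8b\x79\x18"                          # mov edi,[ecx+18]
            + b"\x3b\x77\x04"                          # cmp esi,[edi+04]
            + b"\x73\x40")                             # jae +40
    return b"\xcc" * pad + code + b"\xcc" * 64


def resolve_run(base: int, imm32: int, newmem: int) -> dict:
    """One game launch: scan, refuse a non-unique pattern, decode the operand,
    and build the hook from the bytes actually present this run."""
    mem = make_image(imm32)
    hits = aob_scan_all(mem, PATTERN, base)
    if len(hits) != 1:
        raise RuntimeError(f"pattern matched {len(hits)} times; it must be unique")
    items = hits[0]
    patch, cave = build_hook(mem, base, items, newmem)
    return {
        "items": items,
        "operand": mov_ecx_operand(readmem(mem, base, items + 4, 6)),
        "byte8": readmem(mem, base, items + 8, 1),  # the "9th byte" of the pattern: zero-based +8
        "patch": patch,
        "cave": cave,
    }


if __name__ == "__main__":
    # Two launches: image base and absolute operand both differ (hypothetical values).
    for base, imm32 in ((0x07BAE000, 0x033C385C), (0x08C1F000, 0x0361385C)):
        r = resolve_run(base, imm32, newmem=0x0A000000)
        print(f"items={r['items']:08X} operand={r['operand']:08X} "
              f"byte8={r['byte8'].hex()} cave={r['cave'].hex()}")
```

The cave ends up with whatever address the game used on this launch because the bytes are copied rather than assembled from a literal; the same copy, kept at `backup`, is what lets the disable side restore the original without knowing the address either.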
ubiByte
Advanced Cheater
Reputation: 1

Joined: 08 Mar 2013
Posts: 57

Posted: Sat May 02, 2015 9:03 pm

Code:
readmem(items+4,6)


backup:
readmem(items+4,6)


Can you explain what you did there please?
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5627

Posted: Sat May 02, 2015 9:11 pm

In this case, you could make a code injection to include

07BAE285 - 73 52 - jae 07BAE2D9
07BAE287 - 88 54 37 08 - mov [edi+esi+08],dl

instead.
But you have to change that relative jump so that it is not the static jump CE compiles it to. I have described everything for it in this tutorial:

http://www.szemelyesintegracio.hu/cheats/41-game-hacking-articles/507-aobscan-instruction

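What "change that relative jump" amounts to, as an added Python example (not code from the thread or from Geri's tutorial): `73 52` is a 2-byte jae whose target is encoded relative to its own address, so once the injection point starts at the jae, a copy placed in a cave at a different address needs the target recomputed and, because the cave is far away, the 6-byte `0F 83 rel32` form. Expressed relative to the scanned symbol the target is items+54, and that offset is the same on every launch, whereas the absolute 07BAE2D9 that CE shows in the disassembler is only right for the run it was read in. The second injection address 08C1F285 and the cave address 0A000000 are hypothetical values.

```python
import struct

# Bytes and addresses from the thread: `73 52  jae 07BAE2D9` at 07BAE285, followed by
# `88 54 37 08  mov [edi+esi+08],dl` at 07BAE287.
JAE_BYTES = b"\x73\x52"
MOV_BYTES = b"\x88\x54\x37\x08"


def decode_short_jcc(code: bytes, addr: int) -> tuple:
    """Decode a 2-byte `7x rel8` conditional jump located at `addr`.
    Returns (condition code 0..15, absolute target)."""
    if len(code) < 2 or code[0] & 0xF0 != 0x70:
        raise ValueError("not a short jcc")
    rel8 = struct.unpack("<b", code[1:2])[0]
    return code[0] & 0x0F, addr + 2 + rel8


def target_offset_from_symbol(code: bytes, items: int) -> int:
    """Offset of the jump target from the injection point: the number a script
    uses relative to its scanned symbol (items+54 here) instead of the absolute
    address the disassembler prints."""
    _, target = decode_short_jcc(code, items)
    return target - items


def encode_near_jcc(cc: int, src: int, target: int) -> bytes:
    """Emit `0F 8x rel32` (6 bytes) at `src` so that it lands on `target`.
    The rel8 form cannot be reused: from the cave the target is out of range."""
    return b"\x0f" + bytes([0x80 | cc]) + struct.pack("<i", target - (src + 6))


def patch_for_run(items: int, newmem: int) -> bytes:
    """The 6 bytes written over jae + mov: a 5-byte jmp to the cave plus one NOP."""
    return b"\xe9" + struct.pack("<i", newmem - (items + 5)) + b"\x90"


def cave_for_run(items: int, newmem: int) -> tuple:
    """Cave body when the injection point is moved up to start at the jae:
    relocated jae, the 4-byte write (kept here; the thread NOPs it), and a
    jmp back to items+6. Returns (body, absolute jae target for this run)."""
    cc, target = decode_short_jcc(JAE_BYTES, items)
    body = encode_near_jcc(cc, newmem, target) + MOV_BYTES
    body += b"\xe9" + struct.pack("<i", (items + 6) - (newmem + len(body) + 5))
    return body, target


def stale_static_target(items_first_run: int, items_this_run: int) -> bool:
    """True when a jump hard-coded to the first run's absolute target would
    now point somewhere other than this run's items+54."""
    _, static_target = decode_short_jcc(JAE_BYTES, items_first_run)
    _, real_target = decode_short_jcc(JAE_BYTES, items_this_run)
    return static_target != real_target


if __name__ == "__main__":
    for items in (0x07BAE285, 0x08C1F285):  # second location is hypothetical
        body, target = cave_for_run(items, newmem=0x0A000000)
        print(f"items={items:08X} jae -> {target:08X} (items+{target - items:X}) "
              f"patch={patch_for_run(items, 0x0A000000).hex()} cave={body.hex()} "
              f"static target stale={stale_static_target(0x07BAE285, items)}")
```

In a CE script the same thing is written as an offset from the symbol the scan defined (for this layout, jae items+54); the assembler then recomputes the displacement from wherever the pattern was found, which is exactly what a literal `jae 07BAE2D9` does not do.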
ubiByte
Advanced Cheater
Reputation: 1

Joined: 08 Mar 2013
Posts: 57

Posted: Sun May 03, 2015 11:40 am

I've actually noticed something very interesting here, look at this:

aobscan(items, 88 54 37 08 8B 0D 5C 38 3C 03 8B 79 18 3B 77 04)

mov ecx,[033C385C]

I restarted the game several times just to make sure, and it is the case every single time. The 9th byte shown in the aobscan is always the one that gets replaced, right after mov ecx,[03__385C]. Now my question is, can I somehow copy the 9th byte and put it in that location in my script? If so, how can I do something like this?
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

Posted: Sun May 03, 2015 1:56 pm

readmem(items+8, 1)
Reads [1] byte at the address [items+8] into your code, wherever it is placed.
ubiByte
Advanced Cheater
Reputation: 1

Joined: 08 Mar 2013
Posts: 57

Posted: Sun May 03, 2015 2:32 pm

Zanzer wrote:
readmem(items+8, 1)
Reads the [1] byte at the address [items+8] into your code wherever it is placed.


Just a few questions.
Shouldn't it be items+9? Or does it start counting from zero? Also, how would I implement that into my code?

I can use readmem(items+8, 1) to grab 3C in this case, if I am not mistaken. But how do I use that? Is it possible to create a variable to hold that value like you can in Java or VB or something like that?

mov ecx, [03[items+8]385C] --> you can't actually do anything like this right?

Code:
[ENABLE]
// ?? in the pattern is the byte that changes per run (the 8th byte, zero-based offset 7).
aobscan(combo, FF 40 64 8B 15 5C 38 ?? 03 D9 45 0C DD 9D 10 FF FF FF)
alloc(newmem, $1000)
label(return)

newmem:
add [eax+64], #3
// Still hard-coded: this is the operand the question is about.
mov edx,[0332385C]
jmp return

combo:
// 5-byte jmp + 4 nops = the 9 bytes (3 + 6) that are overwritten.
jmp newmem
nop
nop
nop
nop
return:
registersymbol(combo)

[DISABLE]
combo:
db FF 40 64 8B 15 5C 38 61 03
unregistersymbol(combo)
dealloc(newmem)


How would I use readmem(items+7,1) here, for example, to insert the value into mov edx,[03__385C] at that spot?

I have this figured out in my head, if only I could code it. I basically want to use readmem(items+7,1) to grab that value, which in the example I just gave would be whatever the ?? turns out to be. Once I grab that, put it into mov edx,[03__385C] at that spot somehow.
All times are GMT - 6 Hours