Cheat Engine The Official Site of Cheat Engine
Erik9631 Newbie cheater Reputation: 0
Joined: 24 Aug 2014 Posts: 10
Posted: Fri Jun 26, 2015 3:54 am Post subject: How to replace certain bytes in a byte array?
Hello guys.
As the title says, in one game I am searching for a byte array based on a signature... basically a bunch of values which are always the same, but between them the values change.
I look it up with Cheat Engine by using this array:
72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 25 26 32 ?? 22 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 02 7B ?? ?? ?? ?? 2D ?? 17 80 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22
and replace the value with this edited array:
72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 25 26 32 00
which gives you a speed boost, for example.
I found an auto-assembly code:
Code:
[ENABLE]
aobscan(nodamage, 2B C8 66 89 0D CC E6 49 00 8B 15 50 E6 49 00 81 E2 80 00 00 00 74 1C)
label(_nodamage)
registersymbol(_nodamage)
nodamage:
_nodamage:
db 90 90
[DISABLE]
_nodamage:
db 2B C8
unregistersymbol(_nodamage)
which I would like to use to speed up the process, but the issue is that I cannot replace the values while keeping the ?? ones.
Using
db 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 25 26 32 00
simply gives me errors.
To clear things up: I only want to change the values that are not ??, for instance 32 to 00 and so on, without changing the values in between them.
My Cheat Engine coding skills totally suck, so I would appreciate it if someone simply sent me a code sample which I would replace with my edited array.
Thank you.
STN I post too much Reputation: 42
Joined: 09 Nov 2005 Posts: 2672
Posted: Fri Jun 26, 2015 6:51 am
Only change the bytes that are different? In your example both the sig and the replace array are similar, so I can't give an example. Or do it like this (your example):
mem+0:
db 72
mem+5: (notice the offset)
db 28
and so on.
Or write the instruction instead of the byte code.
Erik9631 Newbie cheater Reputation: 0
Joined: 24 Aug 2014 Posts: 10
Posted: Fri Jun 26, 2015 8:46 am
So as far as I understand, if I wanted to change 28 to 20 in this array:
72 ?? ?? ?? ?? 28
I would have to do:
mem+5:
db 20
right?
EDIT:
It does not work. I used this code. The injection was successful, but it made no changes. The hack did not work...
Code:
[ENABLE]
aobscan(speedboost, 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 25 26 32 ?? 22 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 02 7B ?? ?? ?? ?? 2D ?? 17 80 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22)
label(_speedboost)
registersymbol(_speedboost)
speedboost+20:
_speedboost:
db 00
[DISABLE]
Zanzer I post too much Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Fri Jun 26, 2015 10:13 am
It is hex notation. +20 went over 32 bytes.
Code:
[ENABLE]
aobscan(speedboost,72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 25 26 32 ?? 22 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 02 7B ?? ?? ?? ?? 2D ?? 17 80 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22)
alloc(speedboost_save,1)
speedboost_save:
readmem(speedboost+14,1)   // keep the original byte so [DISABLE] can put it back
speedboost+14:             // offsets are hex: +14 is the 21st byte, the ?? after 32
db 00
registersymbol(speedboost)
registersymbol(speedboost_save)
[DISABLE]
speedboost+14:
readmem(speedboost_save,1)
unregistersymbol(speedboost)
unregistersymbol(speedboost_save)
dealloc(speedboost_save)
STN I post too much Reputation: 42
Joined: 09 Nov 2005 Posts: 2672
Posted: Fri Jun 26, 2015 11:04 am
Erik9631 wrote:
So as far as I understand, if I wanted to change 28 to 20 in this array:
72 ?? ?? ?? ?? 28
I would have to do:
mem+5:
db 20
right?
EDIT:
It does not work. I used this code. The injection was successful, but it made no changes. The hack did not work...
Code:
[ENABLE]
aobscan(speedboost, 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 25 26 32 ?? 22 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 02 7B ?? ?? ?? ?? 2D ?? 17 80 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22)
label(_speedboost)
registersymbol(_speedboost)
speedboost+20:
_speedboost:
db 00
[DISABLE]

I just gave an example, I didn't really calculate offsets. But yeah, it's like Zanzer said: you have to take hexadecimal and numeric into consideration.
20 decimal is 14 in hex, so use 14 as hex like in Z's example.
Erik9631 Newbie cheater Reputation: 0
Joined: 24 Aug 2014 Posts: 10
Posted: Sat Jun 27, 2015 3:11 am
Zanzer wrote:
It is hex notation. +20 went over 32 bytes.
Code:
[ENABLE]
aobscan(speedboost,72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 25 26 32 ?? 22 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 02 7B ?? ?? ?? ?? 2D ?? 17 80 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22)
alloc(speedboost_save,1)
speedboost_save:
readmem(speedboost+14,1)
speedboost+14:
db 00
registersymbol(speedboost)
registersymbol(speedboost_save)
[DISABLE]
speedboost+14:
readmem(speedboost_save,1)
unregistersymbol(speedboost)
unregistersymbol(speedboost_save)
dealloc(speedboost_save)

Tried it... I used exactly this code and it did not work.
Maybe I am missing something more?
panraven Grandmaster Cheater Reputation: 55
Joined: 01 Oct 2008 Posts: 942
Posted: Sat Jun 27, 2015 11:39 am
I think I got why it doesn't work, given your aob is right.
The aob is to modify Unity bytecode; in a browser environment there will be 2 copies of the aob bytecode of the dll assembly in memory.
When the aa is activated, it will find the 1st copy (in order) and make the change; however, usually it is the second copy that has the actual effect (i.e. the jit-compiler reads bytecode from the 2nd copy, not the 1st).
For this particular aa script, applying it a second time still won't work, because the modification doesn't change the 1st copy of the aob, so a second activation still finds the 1st copy and misses the 2nd one.
Try this:
Code:
[ENABLE]
aobscan(speedboost,72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 25 26 32 ?? 22 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 02 7B ?? ?? ?? ?? 2D ?? 17 80 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22)
speedboost+13:
db 33 00
[DISABLE]

32 ?? in bytecode is a CIL instruction for a short jump; the modification replaces this with another type of short jump with a zero offset, so the 1st copy of the aob will be changed, and activating the aa a 2nd time should now modify the second copy of the aob in memory.
(Check CIL bytecode/instructions here: https://en.wikipedia.org/wiki/List_of_CIL_instructions )
Btw, the [disable] part in most cases is not necessary for modifying bytecode that is to be jit-compiled (same for modern Flash bytecode), unless there is a special purpose (e.g. restoring assembly integrity in memory, for anti-anti-cheat).
- Retarded.
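As an added example (mine, not code from the thread or from Cheat Engine): the scan-and-patch the thread converges on, written in Python over a constructed byte image so it runs outside the game. It uses the thread's signature; the filler bytes, the three-copy layout and the helper names (compile_aob, aobscan, patch_all, restore, short_branch_target, build_image) are my assumptions. It covers Zanzer's hex-offset correction and his loop over every match, and panraven's point above about why a patch that only touches a ?? byte is invisible to the next scan, so a second activation hits the same copy again.

```python
"""Added example, not Cheat Engine's or any poster's code: a CE-style
wildcard AOB scan and batch patch run over a constructed byte image.
The signature is the one from the thread; every operand byte is made up."""
import re

# Thread signature. Offsets as CE counts them (hex): +13 = 0x32 (blt.s, a CIL
# short branch), +14 = its one-byte signed branch offset.
SIG = ("72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 25 26 32 ?? 22 ?? ?? ?? ?? "
       "28 ?? ?? ?? ?? 13 ?? 02 7B ?? ?? ?? ?? 2D ?? 17 80 ?? ?? ?? ?? 22 ?? ?? ?? ?? "
       "22 ?? ?? ?? ?? 22")

def compile_aob(pattern):
    """'72 ?? 28' -> bytes regex: '??' matches any one byte, fixed bytes are escaped."""
    parts = [b"." if t in ("??", "?", "*") else re.escape(bytes([int(t, 16)]))
             for t in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def aobscan(image, pattern):
    """Offsets of every match, lowest first (overlaps allowed), like CE's AOBScan list."""
    rx, hits, pos = compile_aob(pattern), [], 0
    while (m := rx.search(image, pos)) is not None:
        hits.append(m.start())
        pos = m.start() + 1
    return hits

def patch_all(image, pattern, patches, expect=None):
    """Apply each (rel_offset, bytes) patch to every match of `pattern`.
    rel_offset is a Python int, so write 0x14 for what AA spells sym+14.
    Returns [(abs_offset, original_bytes)] for restore(); refuses to touch the
    image if the match count is not `expect` (no half-applied patches)."""
    hits = aobscan(image, pattern)
    if expect is not None and len(hits) != expect:
        raise ValueError(f"expected {expect} matches, found {len(hits)}")
    saved = []
    for base in hits:
        for rel, data in patches:
            lo, hi = base + rel, base + rel + len(data)
            saved.append((lo, bytes(image[lo:hi])))
            image[lo:hi] = data
    return saved

def restore(image, saved):
    """Undo patch_all(): the [DISABLE] half of an AA script."""
    for off, data in reversed(saved):
        image[off:off + len(data)] = data

def short_branch_target(image, off):
    """Decode a CIL short branch (opcodes 0x2B..0x37): 1-byte signed offset
    relative to the instruction that follows. None if `off` is not one."""
    if not 0x2B <= image[off] <= 0x37:
        return None
    return off + 2 + int.from_bytes(image[off + 1:off + 2], "little", signed=True)

def build_image(copies=3, gap=16):
    """Constructed memory image: `copies` copies of SIG, wildcards filled with
    0x40..0x4F (none of which is a fixed byte of SIG), separated by zero padding,
    so the image contains exactly `copies` matches and nothing else."""
    out = bytearray()
    for n in range(copies):
        out += bytes(gap)
        for i, t in enumerate(SIG.split()):
            out.append(0x40 + ((i + n) & 0x0F) if t == "??" else int(t, 16))
    return out

def demo():
    """Reproduce the thread: batch-patch all copies (Zanzer's Lua loop), then show
    why a patch that only touches a ?? byte is invisible to the next scan."""
    img = build_image()
    hits = aobscan(img, SIG)                                    # [16, 90, 164]
    # Zero the branch offset at +0x14 (decimal 20). The first attempt wrote "+20",
    # which AA reads as hex: 32 bytes in, on an operand byte of no interest.
    saved = patch_all(img, SIG, [(0x14, b"\x00")], expect=3)
    falls_through = all(short_branch_target(img, h + 0x13) == h + 0x15 for h in hits)
    still_matches = aobscan(img, SIG) == hits                   # only ?? bytes changed
    restore(img, saved)
    pristine = img == build_image()
    # AA's aobscan patches the first hit only; re-scan after each kind of patch.
    img[hits[0] + 0x14] = 0x00                                  # wildcard byte only
    rescan_wild = aobscan(img, SIG)[0]                          # 16: copy 0 found again
    img[hits[0] + 0x13:hits[0] + 0x15] = b"\x33\x00"            # opcode too: bne.un.s +0
    rescan_fixed = aobscan(img, SIG)[0]                         # 90: copy 0 dropped out
    return dict(hits=hits, falls_through=falls_through, still_matches=still_matches,
                pristine=pristine, rescan_wild=rescan_wild, rescan_fixed=rescan_fixed)

if __name__ == "__main__":
    print(demo())
```

Both patches turn the branch into a fall-through (target = next instruction), but only the one that rewrites a fixed byte changes what the next scan finds; patch_all sidesteps the whole issue by touching every copy in one pass, and the expect check is the equivalent of the getCount()==3 guard at the end of the thread.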
Erik9631 Newbie cheater Reputation: 0
Joined: 24 Aug 2014 Posts: 10
Posted: Sat Jun 27, 2015 12:03 pm
You are right about the multiple addresses thing. There are 3 addresses that have to be changed in order for this to work, so unfortunately the code you posted does not work.
Is there a way to script it so that basically Cheat Engine changes ALL the addresses at once, without having to mess around with the instructions?
STN I post too much Reputation: 42
Joined: 09 Nov 2005 Posts: 2672
Posted: Sat Jun 27, 2015 1:04 pm
I don't get what the big issue is here. You can write 3 aobscans in the same script and then change each one of them.
The 3 addresses all have different byte codes, right? Or are those 3 all similar (copies) of each other? If it's the latter, I believe there was a code posted by someone here that outputs all the instances of the same aob/signature found.
I will post the code in a while if you can't find it; busy with something else atm.
Zanzer I post too much Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Sat Jun 27, 2015 1:13 pm
How about this?
Code:
[ENABLE]
{$lua}
local aob = AOBScan("72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 25 26 32 ?? 22 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 02 7B ?? ?? ?? ?? 2D ?? 17 80 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22 ?? ?? ?? ?? 22")
for i=0,aob.Count-1 do
  -- address is built as a string, so "+14" is parsed as hex, same as in AA
  writeBytes(aob[i] .. "+14", 0)
end
aob.Destroy()
aob = nil
[DISABLE]
panraven Grandmaster Cheater Reputation: 55
Joined: 01 Oct 2008 Posts: 942
Posted: Sat Jun 27, 2015 1:46 pm
The following may be considered an upgraded version of the AOBSWAP function used in DaSpamer's Easy Trainer, which patches multiple aob results in one scan.
It makes the AA entry behave like a normal AA entry that is 'crossed' only on success, and the modification is made in batch.
Code:
{$lua}
-- AOB(skip, aob, off1, mod1, off2, mod2, ...): expand every (offset, modification)
-- pair once per scan hit into AA text; '<@@>' stands for the hit address.
function AOB(skip,aob,...)
  if skip==true then return '' end
  local metatemp = [[<@@>+%X:
%s]]
  local offsetPairs = {...}
  local template = {}
  local script = {}
  assert(#offsetPairs % 2 == 0,'offset and modification should be paired')
  for i=1,#offsetPairs,2 do
    local s = string.format(metatemp,offsetPairs[i],offsetPairs[i+1])
    table.insert(template,s)
  end
  assert(#template > 0, 'nothing to modify')
  template = table.concat(template,"\n")
  local found = AOBScan(aob)
  if found~=nil then
    for i=0,found.Count - 1 do
      local s = template:gsub('<@@>',found[i])
      table.insert(script, s)
    end
    found.Destroy()
  end
  -- no hits: the assert fails, so the AA entry refuses to enable
  return assert(#script > 0) and table.concat(script,"\n")
end
{$asm}
[ENABLE]
{$lua}
return AOB(syntaxcheck,'11 22 55 88 99',
  0x7,
  "db ff",
  0xc,
  "readmem(<@@>-2,5)",
  0x10,[[
  mov eax,#100
  push edi
  pop edi
  jmp <@@>+6
  ]])
{$asm}
[DISABLE]
For Erik9631, with your aob I'd suggest you manually make the aob change first and make sure the aob works as you expected.
- Retarded.
Erik9631 Newbie cheater Reputation: 0
Joined: 24 Aug 2014 Posts: 10
Posted: Sun Jun 28, 2015 2:02 am
Thanks for the help, everyone.
I made a Lua script that does what I expected. I will post the code in case anyone has a similar issue.
Code:
AoB = AOBScan("72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 32 ?? 22 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 0A 02 7B ?? ?? ?? ?? 2D ?? 17 80 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 28")
if (AoB and AoB.getCount()==3) then
  print("Damage boost OK")
  -- the address is converted to a number first, so 18 here is decimal:
  -- the ?? byte right after the 32 opcode in this AOB
  writeBytes(tonumber(AoB[0],16)+18, 0x00)
  writeBytes(tonumber(AoB[1],16)+18, 0x00)
  writeBytes(tonumber(AoB[2],16)+18, 0x00)
  AoB.Destroy()
  AoB = nil
else
  print("Damage boost ERROR")
end