AOB Injection not the same every time

 
noyuw
Newbie cheater
Reputation: 0

Joined: 26 Oct 2015
Posts: 12

Posted: Tue Oct 27, 2015 6:27 pm    Post subject: AOB Injection not the same every time

Hi,

I have a little problem.
Here's what I do:

I find the right address, I do an AOB injection on it, everything works.
I close the game and CE, I relaunch both, search for the new address again, do an AOB injection again.. and then.. bim, I don't have the same code as before, and I'm sure I'm on the exact same pointer since my cheat works on the new address and there are no other addresses for this one.

This prevents me from adding the AOB injection to a standalone trainer, since the code will work only for the current "session".



Here is the first AOB:

Code:

[ENABLE]

aobscan(INJECT,D9 9F DC 00 00 00 83 7D E0 00 74 04 85 DB 74 15 83 EC 04 6A 00 6A 02 57 E8 18) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  //fstp dword ptr [edi+000000DC]
  mov dword ptr [edi+000000DC],(float)1.0
  jmp return

INJECT:
  jmp code
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db D9 9F DC 00 00 00

unregistersymbol(INJECT)
dealloc(newmem)


And here is the second


Code:
[ENABLE]

aobscan(INJECT,D9 9F DC 00 00 00 83 7D E0 00 74 04 85 DB 74 15 83 EC 04 6A 00 6A 02 57 E8 90) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  //fstp dword ptr [edi+000000DC]
  mov dword ptr [edi+000000DC],(float)1.0
  jmp return

INJECT:
  jmp code
  nop
return:
registersymbol(INJECT)


[DISABLE]

INJECT:
  db D9 9F DC 00 00 00

unregistersymbol(INJECT)
dealloc(newmem)



As you can see, the "aobscan" does not have the same values.
lolAnonymous
Expert Cheater
Reputation: 1

Joined: 19 Jul 2015
Posts: 154

Posted: Tue Oct 27, 2015 6:35 pm    Post subject: Vote Me :p

Try this, noyuw :)

Code:
[ENABLE]

aobscan(INJECT,D9 9F DC 00 00 00 83 7D E0 00 74 04 85 DB 74 15 83 EC 04 6A 00 6A 02 57 E8 ??) // The Last Byte Was Changing So We Will Replace It With ?? -- A Wild Card Character
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  //fstp dword ptr [edi+000000DC]
  mov dword ptr [edi+000000DC],(float)1.0
  jmp return

INJECT:
  jmp code
  nop
return:
registersymbol(INJECT)


[DISABLE]

INJECT:
  db D9 9F DC 00 00 00

unregistersymbol(INJECT)
dealloc(newmem)
noyuw
Newbie cheater
Reputation: 0

Joined: 26 Oct 2015
Posts: 12

Posted: Tue Oct 27, 2015 7:15 pm

Thanks for your answer, sadly it's not working :(

It's only working when I get the correct last byte.
lolAnonymous
Expert Cheater
Reputation: 1

Joined: 19 Jul 2015
Posts: 154

Posted: Tue Oct 27, 2015 7:30 pm

Hmmm... Find the value again, copy its AOB and find the difference between this D9 9F DC 00 00 00 83 7D E0 00 74 04 85 DB 74 15 83 EC 04 6A 00 6A 02 57 E8 ?? and the new AOBs, and put ?? there. Then try again...

Good luck :)
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4702

Posted: Tue Oct 27, 2015 8:16 pm

It's probably not working because that's not a unique AoB. To check if it's a unique AoB:
  1. Set the "Writable" checkbox to grey (don't care if it's writable memory or not)
  2. Search for your AoB
  3. Make sure CE only finds 1 result
  4. If it does, use that. If it doesn't, make a better AoB signature.

For finding out how to make a good AoB signature, see this topic and go to the section called "A Good Signature".

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

Posted: Tue Oct 27, 2015 8:45 pm

Those last couple of bytes are changing because it's calling a function located in memory.
When the game reloads, that function is in a new place within memory, so the bytes have changed.
You need to add several more bytes to the end of your AOB (or include some at the beginning).
Since E8 is the beginning of the call statement, you need to use E8 ?? ?? ?? ?? and follow up with more bytes.
STN
I post too much
Reputation: 43

Joined: 09 Nov 2005
Posts: 2676

Posted: Wed Oct 28, 2015 3:56 am

Do NOT use Calls, Long JMPs, hardcoded values as a signature ever! As you can see they will always change.

Wildcard (?? or xx) the bytes after E8 and your aob should be fine.

_________________
Cheat Requests/Tables- Fearless Cheat Engine
https://fearlessrevolution.com
noyuw
Newbie cheater
Reputation: 0

Joined: 26 Oct 2015
Posts: 12

Posted: Wed Oct 28, 2015 6:00 am

Thanks a lot for all your answers!

To be more clear, I took a screenshot of all the windows and added some explanations; you will understand it a lot better:


imgur[dot]com/yeiAFFg


What I noticed is that the last byte is very often 90, and if I leave 90 in my AOB when the last byte should be 90 it obviously works, but sometimes the last one is not 90. I'm going to try to find all the possible last bytes; maybe there are only a few?

Actually, for the last byte I have so far: 18, 90, 90, A4, 90, A4, 90

One thing is sure, replacing the last byte with ?? or xx doesn't work at all in my case.

Again, thanks for your support.


Last edited by noyuw on Wed Oct 28, 2015 6:30 am; edited 1 time in total
Rydian
Grandmaster Cheater Supreme
Reputation: 31

Joined: 17 Sep 2012
Posts: 1358

Posted: Wed Oct 28, 2015 6:30 am

Just remove the 90 and then see what you get when doing that signature as a scan in the main CE window?
noyuw
Newbie cheater
Reputation: 0

Joined: 26 Oct 2015
Posts: 12

Posted: Wed Oct 28, 2015 6:34 am

Rydian wrote:
Just remove the 90 and then see what you get when doing that signature as a scan in the main CE window?


Just tried this; if I remove the last byte (90 this time) the AOB will not work (the float will go down as I use my stamina).

I also tried to replace the last byte with: ?? or ?? ?? or ?? ?? ?? or ?? ?? ?? ?? or ?? ?? ?? ?? ?? or ?? ?? ?? ?? ?? ?? or ?? ?? ?? ?? ?? ?? ?? or ?? ?? ?? ?? ?? ?? ?? ?? but same result.


Last edited by noyuw on Wed Oct 28, 2015 6:40 am; edited 1 time in total
panraven
Grandmaster Cheater
Reputation: 62

Joined: 01 Oct 2008
Posts: 958

Posted: Wed Oct 28, 2015 6:39 am

From the pic, the AOB should probably include a few instructions before the hack point instruction, as they are more characteristic. The following uses an AOB pattern starting from 0x642e44f in the AA script of the pic, so its hack point needs an offset adjustment. You may try:

Code:

[ENABLE]
//             00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c<
aobscan(INJECT,d9 87 a0 00 00 00 dd 5d ?? e8 ?? ?? ?? ?? dd 45 ?? dd 45 ?? d9 c9 d9 ca de c9 de c1 d9 9f dc 00 00 00)
// a negative offset from ebp is usually a local variable; such bytes should be wildcarded for non-static code
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  fstp dword ptr [edi+000000DC]  // don't comment out original fpu code
  mov dword ptr [edi+000000DC],(float)1.0
  jmp return

INJECT+1c:
  jmp code
  nop
return:
registersymbol(INJECT)


[DISABLE]

INJECT+1c:
  db D9 9F DC 00 00 00

unregistersymbol(INJECT)
dealloc(newmem)

_________________
- Retarded.
noyuw
Newbie cheater
Reputation: 0

Joined: 26 Oct 2015
Posts: 12

Posted: Wed Oct 28, 2015 6:57 am

panraven wrote:
From the pic, the AOB should probably include a few instructions before the hack point instruction, as they are more characteristic. The following uses an AOB pattern starting from 0x642e44f in the AA script of the pic, so its hack point needs an offset adjustment. You may try:

Code:

[ENABLE]
//             00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c<
aobscan(INJECT,d9 87 a0 00 00 00 dd 5d ?? e8 ?? ?? ?? ?? dd 45 ?? dd 45 ?? d9 c9 d9 ca de c9 de c1 d9 9f dc 00 00 00)
// a negative offset from ebp is usually a local variable; such bytes should be wildcarded for non-static code
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  fstp dword ptr [edi+000000DC]  // don't comment out original fpu code
  mov dword ptr [edi+000000DC],(float)1.0
  jmp return

INJECT+1c:
  jmp code
  nop
return:
registersymbol(INJECT)


[DISABLE]

INJECT+1c:
  db D9 9F DC 00 00 00

unregistersymbol(INJECT)
dealloc(newmem)


It works perfectly! Tried when the last bit is 90 and when it is A4 and both times it worked!

Thanks a lot!
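
The advice given in this thread (wildcard the whole operand after E8, anchor on the instructions before the hook point, and confirm the signature matches exactly once) can be checked offline with a small scanner. The following Python code is an added example, not code from any poster; the two "session" buffers and their call displacement values are constructed, and `parse_aob`, `scan`, `locate` and `make_session` are hypothetical helper names.

```python
def parse_aob(sig):
    """'D9 9F ?? E8' -> [0xD9, 0x9F, None, 0xE8]; None marks a ??/xx wildcard."""
    return [None if t.lower() in ("??", "xx") else int(t, 16) for t in sig.split()]

def scan(buf, sig):
    """Return every offset in buf where the signature matches."""
    pat = parse_aob(sig)
    return [i for i in range(len(buf) - len(pat) + 1)
            if all(p is None or buf[i + j] == p for j, p in enumerate(pat))]

def locate(buf, sig, offset=0):
    """Resolve the hook address only when the signature is unique, else None."""
    hits = scan(buf, sig)
    return hits[0] + offset if len(hits) == 1 else None

def make_session(call1, call2):
    """Constructed image: identical code, per-run call displacements (hex)."""
    head = "d987a0000000 dd5df8 e8" + call1 + "dd45f8 dd45f0 d9c9 d9ca dec9 dec1"
    tail = "d99fdc000000 837de000 7404 85db 7415 83ec04 6a00 6a02 57 e8" + call2
    decoy = "d99fdc000000 c3"  # constructed: a second store to +DC elsewhere
    return bytes.fromhex("90" * 16 + decoy + "cc" * 9 + head + tail + "cc" * 8)

# Signatures taken from the thread.
ORIGINAL = ("D9 9F DC 00 00 00 83 7D E0 00 74 04 85 DB 74 15 "
            "83 EC 04 6A 00 6A 02 57 E8 18")
SHORT = "D9 9F DC 00 00 00"
ROBUST = ("d9 87 a0 00 00 00 dd 5d ?? e8 ?? ?? ?? ?? dd 45 ?? dd 45 ?? "
          "d9 c9 d9 ca de c9 de c1 d9 9f dc 00 00 00")

# Constructed displacement values standing in for two game launches.
SESSION_A = make_session("a4b3c2ff", "18f1ffff")
SESSION_B = make_session("10c4c2ff", "90f1ffff")

if __name__ == "__main__":
    for name, buf in (("A", SESSION_A), ("B", SESSION_B)):
        print(name, "original:", scan(buf, ORIGINAL),
              "short:", scan(buf, SHORT),
              "robust+1c:", locate(buf, ROBUST, 0x1C))
```

`locate` returning `None` for a signature with zero or several hits mirrors the "make sure CE only finds 1 result" check: a pattern is only usable when it resolves to a single address in every session.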