noyuw - Newbie cheater
Reputation: 0
Joined: 26 Oct 2015 Posts: 12
Posted: Tue Oct 27, 2015 6:27 pm Post subject: AOB Injection not the same every time
Hi,
I have a little problem.
Here's what I do:
I find the right address, I do an AOB injection on it, everything works.
I close the game and CE, relaunch both, research the new address, do an AOB injection again... and then, bam, I don't have the same code as before, and I'm sure I'm on the exact same pointer since my cheat works on the new address and there is no other address for this one.
This prevents me from adding the AOB injection into a standalone trainer, since the code will only work for the current "session".
Here is the first AOB:
Code:
[ENABLE]
aobscan(INJECT,D9 9F DC 00 00 00 83 7D E0 00 74 04 85 DB 74 15 83 EC 04 6A 00 6A 02 57 E8 18) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
//fstp dword ptr [edi+000000DC]
mov dword ptr [edi+000000DC],(float)1.0
jmp return
INJECT:
jmp code
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db D9 9F DC 00 00 00
unregistersymbol(INJECT)
dealloc(newmem)
And here is the second:
Code:
[ENABLE]
aobscan(INJECT,D9 9F DC 00 00 00 83 7D E0 00 74 04 85 DB 74 15 83 EC 04 6A 00 6A 02 57 E8 90) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
//fstp dword ptr [edi+000000DC]
mov dword ptr [edi+000000DC],(float)1.0
jmp return
INJECT:
jmp code
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db D9 9F DC 00 00 00
unregistersymbol(INJECT)
dealloc(newmem)
As you can see, the aobscan does not have the same values.
lolAnonymous - Expert Cheater
Reputation: 1
Joined: 19 Jul 2015 Posts: 154
Posted: Tue Oct 27, 2015 6:35 pm Post subject: Vote Me :p
Try this, noyuw:
Code:
[ENABLE]
aobscan(INJECT,D9 9F DC 00 00 00 83 7D E0 00 74 04 85 DB 74 15 83 EC 04 6A 00 6A 02 57 E8 ??) // The last byte was changing, so we replace it with ?? -- a wildcard character
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
//fstp dword ptr [edi+000000DC]
mov dword ptr [edi+000000DC],(float)1.0
jmp return
INJECT:
jmp code
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db D9 9F DC 00 00 00
unregistersymbol(INJECT)
dealloc(newmem)
noyuw - Newbie cheater
Reputation: 0
Joined: 26 Oct 2015 Posts: 12
Posted: Tue Oct 27, 2015 7:15 pm
Thanks for your answer; sadly, it's not working.
It only works when I get the correct last byte.
lolAnonymous - Expert Cheater
Reputation: 1
Joined: 19 Jul 2015 Posts: 154
Posted: Tue Oct 27, 2015 7:30 pm
Hmmm... Find the value again, copy its AOB, find the difference between this D9 9F DC 00 00 00 83 7D E0 00 74 04 85 DB 74 15 83 EC 04 6A 00 6A 02 57 E8 ?? and the new AOBs, put ?? there, then try again...
Good luck.
ParkourPenguin - I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4702
Posted: Tue Oct 27, 2015 8:16 pm
It's probably not working because that's not a unique AoB. To check if it's a unique AoB:
- Set the "Writable" checkbox to grey (don't care whether it's writable memory or not)
- Search for your AoB
- Make sure CE only finds 1 result
- If it does, use that. If it doesn't, make a better AoB signature.
To find out how to make a good AoB signature, see this topic and go to the section called "A Good Signature".
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Zanzer - I post too much
Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Tue Oct 27, 2015 8:45 pm
Those last couple of bytes are changing because it's calling a function located in memory.
When the game reloads, that function is in a new place within memory, so the bytes have changed.
You need to add several more bytes to the end of your AOB (or include some at the beginning).
Since E8 is the beginning of the call statement, you need to use E8 ?? ?? ?? ?? and follow up with more bytes.
STN - I post too much
Reputation: 43
Joined: 09 Nov 2005 Posts: 2676
Posted: Wed Oct 28, 2015 3:56 am
Do NOT use calls, long JMPs or hardcoded values as a signature, ever! As you can see, they will always change.
Wildcard (?? or xx) the bytes after E8 and your AOB should be fine.
noyuw - Newbie cheater
Reputation: 0
Joined: 26 Oct 2015 Posts: 12
Posted: Wed Oct 28, 2015 6:00 am
Thanks a lot for all your answers!
To be clearer, I took a screenshot of all the windows and added some explanations; you will understand it a lot better:
imgur[dot]com/yeiAFFg
What I noticed is that the last byte is very often 90, and if in my AOB I leave 90 when the last byte should be 90 it obviously works, but sometimes the last one is not 90. I'm going to try to find all the possible last bytes; maybe there are only a few?
Actually, for the last byte I got so far: 18, 90, 90, A4, 90, A4, 90
One thing is sure: replacing the last byte with ?? or xx doesn't work at all in my case.
Again, thanks for your support.
Last edited by noyuw on Wed Oct 28, 2015 6:30 am; edited 1 time in total
Rydian - Grandmaster Cheater Supreme
Reputation: 31
Joined: 17 Sep 2012 Posts: 1358
Posted: Wed Oct 28, 2015 6:30 am
Just remove the 90 and then see what you get when doing that signature as a scan in the main CE window?
noyuw - Newbie cheater
Reputation: 0
Joined: 26 Oct 2015 Posts: 12
Posted: Wed Oct 28, 2015 6:34 am
Rydian wrote:
    Just remove the 90 and then see what you get when doing that signature as a scan in the main CE window?
Just tried this; if I remove the last byte (90 this time) the AOB will not work (the float will go down as I use my stamina).
I also tried to replace the last byte with ?? or ?? ?? or ?? ?? ?? or ?? ?? ?? ?? or ?? ?? ?? ?? ?? or ?? ?? ?? ?? ?? ?? or ?? ?? ?? ?? ?? ?? ?? or ?? ?? ?? ?? ?? ?? ?? ??, but same result.
Last edited by noyuw on Wed Oct 28, 2015 6:40 am; edited 1 time in total
panraven - Grandmaster Cheater
Reputation: 62
Joined: 01 Oct 2008 Posts: 958
Posted: Wed Oct 28, 2015 6:39 am
From the pic, the AOB should probably include a few instructions before the hack point instruction, as they are more characteristic. The following uses an AOB pattern starting from 0x642e44f in the AA script of the pic, so its hack point needs an offset adjustment. You may try:
Code:
[ENABLE]
// 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c<
aobscan(INJECT,d9 87 a0 00 00 00 dd 5d ?? e8 ?? ?? ?? ?? dd 45 ?? dd 45 ?? d9 c9 d9 ca de c9 de c1 d9 9f dc 00 00 00)
// negative offsets from ebp are usually local variables; they should be wildcarded for non-static code
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
fstp dword ptr [edi+000000DC] // don't comment out the original FPU code
mov dword ptr [edi+000000DC],(float)1.0
jmp return
INJECT+1c:
jmp code
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT+1c:
db D9 9F DC 00 00 00
unregistersymbol(INJECT)
dealloc(newmem)
_________________
- Retarded.
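Added example, not code from this thread, from Cheat Engine or from any of the posters: a small Python byte-pattern (AOB) toolkit that illustrates the three points made above by ParkourPenguin (a usable signature must match exactly once in the scanned region), Zanzer and STN (the four bytes after an E8 call opcode are a relative target that moves when the game reloads, so they must be wildcarded) and panraven (when the scan starts before the hook site, the hook sits at INJECT plus an offset, 0x1c for his pattern). The two "sessions" and the scan region are constructed buffers built around the hook-site bytes quoted in the thread; the rel32 operands, the trailing bytes and the filler are assumptions made for the demo.

```python
"""Byte-pattern (AOB) helpers: parse wildcard patterns, scan a region,
derive a pattern from several captures, and locate the hook offset
inside a longer pattern. Every buffer below is constructed for the demo."""
import re
from typing import List, Optional

Pattern = List[Optional[int]]   # None = wildcard (?? or xx in CE syntax)


def parse_pattern(text: str) -> Pattern:
    """Parse 'D9 9F ?? E8 xx' style text into a list of int-or-None."""
    out: Pattern = []
    for tok in text.split():
        if tok.lower() in ("??", "xx"):
            out.append(None)
        elif re.fullmatch(r"[0-9a-fA-F]{2}", tok):
            out.append(int(tok, 16))
        else:
            raise ValueError(f"bad token in pattern: {tok!r}")
    return out


def format_pattern(pat: Pattern) -> str:
    return " ".join("??" if b is None else f"{b:02X}" for b in pat)


def find_all(buf: bytes, pat: Pattern) -> List[int]:
    """All offsets where pat matches buf; wildcard positions match any byte."""
    n = len(pat)
    return [i for i in range(len(buf) - n + 1)
            if all(p is None or buf[i + k] == p for k, p in enumerate(pat))]


def is_unique(buf: bytes, pat: Pattern) -> bool:
    """ParkourPenguin's check: a usable signature must hit exactly once."""
    return len(find_all(buf, pat)) == 1


def derive_pattern(captures: List[bytes]) -> Pattern:
    """Wildcard every position whose byte differs between captures of the
    same code taken in different sessions. A position that merely happens
    to agree in the captures at hand is kept, which is why this alone is
    not enough (see wildcard_rel32)."""
    length = min(len(c) for c in captures)
    return [captures[0][k] if len({c[k] for c in captures}) == 1 else None
            for k in range(length)]


def wildcard_rel32(pat: Pattern, opcode: int = 0xE8) -> Pattern:
    """Wildcard the four operand bytes after each E8 (call rel32) in pat.
    Heuristic: it assumes an E8 in the pattern starts an instruction, as the
    thread's disassembly shows for this hook site."""
    out = list(pat)
    i = 0
    while i < len(out):
        if out[i] == opcode:
            for k in range(i + 1, min(i + 5, len(out))):
                out[k] = None
            i += 5
        else:
            i += 1
    return out


def anchor_offset(pat: Pattern, anchor: Pattern) -> int:
    """Offset of the hook bytes inside a longer pattern, i.e. the N in the
    auto-assembler's INJECT+N when the scan starts before the hook site."""
    for i in range(len(pat) - len(anchor) + 1):
        if all(pat[i + k] == a for k, a in enumerate(anchor)):
            return i
    raise ValueError("anchor not found in pattern")


# Constructed: the hook-site bytes from the thread, then a call whose rel32
# operand differs per session because the callee was loaded elsewhere.
_PREFIX = bytes.fromhex("D99FDC000000837DE000740485DB741583EC046A006A0257E8")
_TAIL = bytes.fromhex("83C4048B45F8")          # assumed bytes after the call
SESSION_A = _PREFIX + bytes.fromhex("18A3FEFF") + _TAIL   # assumed rel32
SESSION_B = _PREFIX + bytes.fromhex("9005FDFF") + _TAIL   # assumed rel32


def build_region(session: bytes) -> bytes:
    """Constructed scan region: an unrelated fstp [edi+DC] at offset 16 so a
    too-short signature matches twice; the real hook site is at offset 31."""
    return (b"\x90" * 16 + bytes.fromhex("D99FDC000000C3") + b"\xCC" * 8
            + session + b"\x90" * 16)


if __name__ == "__main__":
    derived = derive_pattern([SESSION_A, SESSION_B])
    robust = wildcard_rel32(derived)
    print("derived:", format_pattern(derived))
    print("robust :", format_pattern(robust))
    for name, s in (("A", SESSION_A), ("B", SESSION_B)):
        print(name, "hits:", find_all(build_region(s), robust))
```

Running it shows the two-capture diff leaves the final FF of the rel32 in place because both constructed sessions happen to share it, while wildcard_rel32 blanks all four operand bytes as Zanzer and STN advise; the robust pattern then matches once in each session's region, and anchor_offset on panraven's pattern returns 0x1c, the offset used in his INJECT+1c lines.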
noyuw - Newbie cheater
Reputation: 0
Joined: 26 Oct 2015 Posts: 12
Posted: Wed Oct 28, 2015 6:57 am
panraven wrote:
    From the pic, the AOB should probably include a few instructions before the hack point instruction, as they are more characteristic. The following uses an AOB pattern starting from 0x642e44f in the AA script of the pic, so its hack point needs an offset adjustment. You may try:
    Code:
    [ENABLE]
    // 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c<
    aobscan(INJECT,d9 87 a0 00 00 00 dd 5d ?? e8 ?? ?? ?? ?? dd 45 ?? dd 45 ?? d9 c9 d9 ca de c9 de c1 d9 9f dc 00 00 00)
    // negative offsets from ebp are usually local variables; they should be wildcarded for non-static code
    alloc(newmem,$1000)
    label(code)
    label(return)
    newmem:
    code:
    fstp dword ptr [edi+000000DC] // don't comment out the original FPU code
    mov dword ptr [edi+000000DC],(float)1.0
    jmp return
    INJECT+1c:
    jmp code
    nop
    return:
    registersymbol(INJECT)
    [DISABLE]
    INJECT+1c:
    db D9 9F DC 00 00 00
    unregistersymbol(INJECT)
    dealloc(newmem)
It works perfectly! Tried when the last bit is 90 and when it is A4, and both times it worked!
Thanks a lot!