Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
My AOB Injection script crashes game (solved)

 
Cheat Engine Forum Index -> General Gamehacking
Nessin
Posted: Sat Oct 31, 2015 6:35 pm    Post subject: My AOB Injection script crashes game (solved)

Hello guys

I was wondering if someone could take a quick peek at my script and see why it could cause the game to instantly crash when activated.

The game I'm working in is using Lua. I am looking for the health address. I was planning to use the descriptor of this address, located at [x+8]+10 (where x is the address containing the health value) to make sure the address found is in fact ... the health address.
If the descriptor of the address is "current_amount", I am sure this is the right address and will store it inside [_HEALTH]

Code:
[ENABLE]

aobscanmodule(INJECT,speargame.exe,8B 56 FC 83 C2 04) // should be unique
alloc(newmem,$1000)

label(code)
label(return)
label(originalcode)

globalalloc(_HEALTH,4)

newmem:

code:
  pushfd
  pushad

  mov eax, [esi+4]   // <--- Game crashes in this block
  cmp dword ptr [eax+10],'curr'
  jne originalcode
  cmp dword ptr [eax+14],'ent_'
  jne originalcode
  cmp dword ptr [eax+18],'amou'
  jne originalcode  // <-----

  mov [_HEALTH],esi

  jmp originalcode

originalcode:
  popad
  popfd
  mov edx,[esi-04]
  add edx,04
  jmp return


INJECT:
  jmp code
  nop

return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 8B 56 FC 83 C2 04

unregistersymbol(INJECT)
dealloc(newmem)


Last edited by Nessin on Mon Nov 02, 2015 11:18 am; edited 1 time in total
Gniarf
Posted: Sat Oct 31, 2015 7:43 pm    Post subject: Re: My AOB Injection script crashes game

Nessin wrote:
where x is the address containing the health value
...
mov [_HEALTH],esi
So I assume x=esi.

Nessin wrote:
descriptor of this address, located at [x+8]+10
...
mov eax, [esi+4] // <--- Game crashes in this block
To +4 or to +8, that's the question.
If I'm wrong, is mov edx,[esi-04] accessing your health?

Side note, the jmp originalcode is useless since originalcode is located immediately after it.

Zanzer
Posted: Sat Oct 31, 2015 7:58 pm

Are you sure it's crashing on
Code:
mov eax, [esi+4]   // <--- Game crashes in this block

Try placing a NOP after it and see if that executes.
It's more likely crashing on
Code:
cmp dword ptr [eax+10],'curr'

Because [esi+4] doesn't contain what you think it does.
Nessin
Posted: Sun Nov 01, 2015 5:23 am

Thanks guys, however I don't understand why it crashes

The address for the health is esi-4 (Pretty sure of this one)
The pointer to the descriptor is esi+4
The descriptor (text) is located at [esi+4]+10
However, the part where I injected my code isn't only used to access health. So esi isn't always the health, sometimes it's ammo, mana, or something completely different. But I only care about the health. That's why I compare the descriptor with "current_amount".

The game does indeed crash on the compares, but I don't understand why.
If [esi+4] doesn't contain what I think it does, the cmp should just return 0, right?
Zanzer
Posted: Sun Nov 01, 2015 6:20 am

Add these two lines before the first CMP.
Code:
  mov eax, [esi+4]
  test eax,eax
  je originalcode
mgr.inz.Player
Posted: Sun Nov 01, 2015 7:49 am

better:
Code:
cmp [esi+4],00010000
jb originalcode
mov eax, [esi+4]

@Nessin
To be completely sure, do this:
find health address, add to the list, double click address (column 'address') and copy it to the clipboard.
open "structure dissect" (ctrl+m, then ctrl+d)
paste address into editbox and press ctrl+n, then click yes/ok few times.

try to find descriptor (or as I prefer to call it: "a key"), open some nodes. If you find it, do a screenshot and post it here.

Also, do a "find out what accesses..." on that address, there should be few opcodes, find the first one in the "memory browser", do a screenshot, post it here.

Nessin
Posted: Sun Nov 01, 2015 8:20 am

Thanks, guys

Adding that test fixed the crashing, not sure why it's needed tho

Also the pictures you requested



cheatenginepicturetest.PNG
 Description:
Picture of the structure dissect and "find out what accesses" the health address :)
 Filesize:  153.73 KB
 Viewed:  12565 Time(s)

cheatenginepicturetest.PNG


Back to top
View user's profile Send private message
mgr.inz.Player
I post too much
Reputation: 222

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

PostPosted: Sun Nov 01, 2015 8:31 am    Post subject: Reply with quote

Nessin wrote:
not sure why it's needed tho

Because that piece of code also accesses other things than {key,value} pairs.

About the top part of your picture, I asked for screenshot of "memory browser" (click "show disassembler"). Currently we only see few lines, with more lines (in memory browser) we can tell much more.

_________________
Back to top
View user's profile Send private message MSN Messenger
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4709

PostPosted: Sun Nov 01, 2015 10:16 am    Post subject: Reply with quote

Nessin wrote:
Adding that test fixed the crashing, not sure why it's needed tho

If you even try to access memory that doesn't exist, your program will crash.

Let's assume it's possible that [esi+4] could equal 0, and that the address 0x00000000 doesn't exist (has a bunch of question marks in the memory view). You move 0 into eax, then try to access the memory at that address with [eax+10], which doesn't exist. That's why your program crashes.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
Nessin
Advanced Cheater
Reputation: 1

Joined: 29 Oct 2015
Posts: 69

PostPosted: Mon Nov 02, 2015 11:15 am    Post subject: Reply with quote

Thanks, that cleared it up for me

I actually had to resort to isbadreadptr (forum.cheatengine.org/viewtopic.php?t=511049) to completely fix my issue.

Code:
mov eax, [esi+4]
  test eax,eax
  je originalcode

and
Code:
cmp [esi+4],00010000
jb originalcode
mov eax, [esi+4]

were not enough. Sometimes [esi+4] was still a bad pointer

This is what completely fixed it for me:

Code:
mov eax, [esi+4]
push 00000004
push eax
call isbadreadptr   //make sure [esi+4] points to valid memory
cmp eax,0
jne originalcode

Kudos to mgr.inz.Player's Don't Starve assembly script, teehee
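The layered guards discussed in this thread (test eax,eax; cmp [esi+4],00010000 / jb; IsBadReadPtr) as an added C model, not code from any post: it assumes the first post's layout (descriptor pointer at [esi+4], key text at descriptor+0x10), replaces real process memory with a constructed buffer plus an IsBadReadPtr stand-in, and shows which guard catches which kind of bad pointer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy model of a 32-bit process: only [MEM_BASE, MEM_BASE+MEM_SIZE)
 * is mapped. Reading anywhere else is the access violation the thread hit. */
#define MEM_BASE 0x00400000u
#define MEM_SIZE 0x2000u
static uint8_t mem[MEM_SIZE];

/* Stand-in for IsBadReadPtr(addr, len): true when reading len bytes would fault. */
static bool is_bad_read_ptr(uint32_t addr, uint32_t len) {
    return addr < MEM_BASE || addr - MEM_BASE > MEM_SIZE - len;
}
static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, mem + (a - MEM_BASE), 4); return v; }
static void wr32(uint32_t a, uint32_t v) { memcpy(mem + (a - MEM_BASE), &v, 4); }

enum result { HIT, MISS, SKIP_NULL, SKIP_LOW, SKIP_BADPTR, FAULT };
/* Emulates the injected block for one record at `esi` (first post's layout:
 * descriptor pointer at [esi+4], key text at [descriptor+0x10]). guard 0 = no
 * check (original script), 1 = test eax,eax / je, 2 = also cmp [esi+4],00010000
 * / jb, 3 = also IsBadReadPtr on the bytes the compares actually read. */
static enum result check_record(uint32_t esi, int guard) {
    if (is_bad_read_ptr(esi + 4, 4)) return FAULT;       /* mov eax,[esi+4] */
    uint32_t eax = rd32(esi + 4);
    if (guard >= 1 && eax == 0) return SKIP_NULL;
    if (guard >= 2 && eax < 0x10000) return SKIP_LOW;
    if (guard >= 3 && is_bad_read_ptr(eax + 0x10, 12)) return SKIP_BADPTR;
    /* cmp dword ptr [eax+10]/[eax+14]/[eax+18]: where the unguarded script dies. */
    if (is_bad_read_ptr(eax + 0x10, 12)) return FAULT;
    return memcmp(mem + (eax + 0x10 - MEM_BASE), "current_amou", 12) == 0 ? HIT : MISS;
}

/* Constructed records: each one reproduces a kind of [esi+4] the thread ran into. */
#define REC_HEALTH (MEM_BASE + 0x100) /* -> "current_amount"               */
#define REC_AMMO   (MEM_BASE + 0x200) /* -> "ammo": valid pointer, not health */
#define REC_NULL   (MEM_BASE + 0x300) /* [esi+4] == 0                        */
#define REC_LOW    (MEM_BASE + 0x400) /* [esi+4] == 8: non-null but unmapped */
#define REC_WILD   (MEM_BASE + 0x500) /* [esi+4] high, still unmapped        */
#define DESC_HEALTH (MEM_BASE + 0x1000)
#define DESC_AMMO   (MEM_BASE + 0x1100)

static void build_memory(void) {
    memset(mem, 0, sizeof mem);
    strcpy((char *)mem + (DESC_HEALTH + 0x10 - MEM_BASE), "current_amount");
    strcpy((char *)mem + (DESC_AMMO + 0x10 - MEM_BASE), "ammo");
    wr32(REC_HEALTH + 4, DESC_HEALTH);  wr32(REC_AMMO + 4, DESC_AMMO);
    wr32(REC_NULL + 4, 0);              wr32(REC_LOW + 4, 8);
    wr32(REC_WILD + 4, 0x7FFF0000u);
}
```

Note that the model validates the 12 bytes the compares read rather than only 4 bytes at eax as the posted script does; IsBadReadPtr only vouches for the range you pass it.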
mgr.inz.Player
Posted: Mon Nov 02, 2015 12:33 pm

ehh, I thought you would post a screenshot of memory browser (I asked two times...).
Nessin
Posted: Sun Nov 08, 2015 2:47 pm

Apologies, I didn't see the relevance of it anymore, until your reply on my other thread.

Also, now that I revisited these pictures, it appears the health address was actually esi-8, not esi-4. It's stored as a double (or 'number' as the Lua docs call it).

This is what I used to fix the crashing
Code:

//Health value is potentially at [esi-8]

mov eax, [esi]
add eax,C
push 00000004
push eax
call isbadreadptr   //make sure [esi]+C points to valid memory
cmp eax,0
jne originalcode



membrowser1.PNG
 Description:
 Filesize:  107.96 KB
 Viewed:  12332 Time(s)

membrowser1.PNG

