| View previous topic :: View next topic |
| Author |
Message |
erfg1
Cheater
 Reputation: 0
Joined: 14 Jul 2013
Posts: 49
|
 Posted: Fri Jan 01, 2016 12:44 pm Post subject: AoB Scan Newb |
 |
|
I'm new to this AoB scan thing and I've watched all of what youtube has to offer, and I've read several articles and I still can't get it right.
The game I'm using is Psychonauts, and I'm trying to find the arrowheads quantity float value.
1) I have 733 arrowheads, so I search for the float value 733. I purchase an item for 10 arrowheads, so I do a next scan of 723 and it narrows it to 1 result. If I modify this value to 750, my arrowheads immediately changes to 750. This is the result I want.
2) I right click on the address and select "Find out what writes to this address". I then purchase another item for 10 arrow heads and I get my opcode, so I press the "Show disassembler" button.
3) Press Tools > Auto Assemble. In the Auto assemble window I press Template > AOB Injection. I press OK on the next 2 prompts. I press File > Assign to current cheat table.
Now is the point where I get confused. The tutorials seem to drift off here to their own destinations of where they want the code to go. Personally, I just want to find where this integer is located and modify it to 999. In the game, when you go to a new scene or level the integer jumps somewhere else so I figure this is the best way of locating it.
Some things I tried was changing the sub opcodes to add and dec to inc but that just caused a crash.
| Description: |
|
| Filesize: |
77.29 KB |
| Viewed: |
11570 Time(s) |
|
| Description: |
|
| Filesize: |
33.54 KB |
| Viewed: |
11570 Time(s) |
|
| Description: |
|
| Filesize: |
58.64 KB |
| Viewed: |
11570 Time(s) |
|
_________________
|
|
| Back to top |
|
 |
Zanzer
I post too much
![]() Reputation: 126
Joined: 09 Jun 2013
Posts: 3278
|
| Posted: Fri Jan 01, 2016 1:12 pm Post subject: |
|
|
Replace mov [eax+04],edx
If it's a float, use
| Code: | | mov [eax+04],(float)999 |
If it's an integer, use
| Code: | | mov [eax+04],(int)999 |
Note that this instruction probably accesses all inventory items.
So prepare to have 999 of everything.
|
|
| Back to top |
|
|
erfg1
Cheater
Reputation: 0
Joined: 14 Jul 2013
Posts: 49
|
| Posted: Fri Jan 01, 2016 1:19 pm Post subject: |
|
|
Says this error message and then the game crashes.
| Description: |
|
| Filesize: |
7.91 KB |
| Viewed: |
11563 Time(s) |
|
_________________
|
|
| Back to top |
|
|
akumakuja28
Master Cheater
 Reputation: 16
Joined: 28 Jun 2015
Posts: 432
|
| Posted: Fri Jan 01, 2016 1:27 pm Post subject: |
|
|
Thats a shared opcode. Its crashing cause its writing 999 to evrry location thats accessed with that code.
Find out the arrows base address.
_________________
|
|
| Back to top |
|
|
Zanzer
I post too much
![]() Reputation: 126
Joined: 09 Jun 2013
Posts: 3278
|
| Posted: Fri Jan 01, 2016 1:31 pm Post subject: |
|
|
| No, no, no... Replace that instruction within your AOB Injection template!
|
|
| Back to top |
|
|
erfg1
Cheater
Reputation: 0
Joined: 14 Jul 2013
Posts: 49
|
| Posted: Fri Jan 01, 2016 1:39 pm Post subject: |
|
|
Like this? Still crashes.
| Description: |
|
| Filesize: |
69.14 KB |
| Viewed: |
11546 Time(s) |
|
_________________
|
|
| Back to top |
|
|
Zanzer
I post too much
![]() Reputation: 126
Joined: 09 Jun 2013
Posts: 3278
|
| Posted: Fri Jan 01, 2016 1:40 pm Post subject: |
|
|
| Code: | code:
mov [eax+04],(float)999
xor ecx,ecx
jmp return
INJET:
jmp code
return: |
|
|
| Back to top |
|
|
erfg1
Cheater
Reputation: 0
Joined: 14 Jul 2013
Posts: 49
|
| Posted: Fri Jan 01, 2016 1:45 pm Post subject: |
|
|
| akumakuja28 wrote: | | ... Find out the arrows base address. |
I tried, but the hex value returned gives 5000 results. I also tried with a pointer scan, but after I left the scene (level) and tried to match the re-scan to find the value again none of them matched.
---------------------------------
| Zanzer wrote: | | Code: | code:
mov [eax+04],(float)999
xor ecx,ecx
jmp return
INJET:
jmp code
return: |
|
That crashed as well.
_________________
|
|
| Back to top |
|
|
akumakuja28
Master Cheater
Reputation: 16
Joined: 28 Jun 2015
Posts: 432
|
| Posted: Fri Jan 01, 2016 1:50 pm Post subject: |
|
|
Instead of using what writes use what access's.
Post your screen cap on that.
_________________
|
|
| Back to top |
|
|
erfg1
Cheater
Reputation: 0
Joined: 14 Jul 2013
Posts: 49
|
| Posted: Fri Jan 01, 2016 1:55 pm Post subject: |
|
|
Basically the same thing.
When I leave the scene I get more data.
| Description: |
| leaving the scene (level) |
|
| Filesize: |
10.81 KB |
| Viewed: |
11519 Time(s) |
|
| Description: |
| selling an item (accessing) |
|
| Filesize: |
55.37 KB |
| Viewed: |
11523 Time(s) |
|
_________________
Last edited by erfg1 on Fri Jan 01, 2016 1:58 pm; edited 1 time in total |
|
| Back to top |
|
|
Zanzer
I post too much
![]() Reputation: 126
Joined: 09 Jun 2013
Posts: 3278
|
| Posted: Fri Jan 01, 2016 1:58 pm Post subject: |
|
|
| Code: | [ENABLE]
aobscanmodule(INJECT,Psychonauts.exe,89 50 04 33 C9 75 DA E9)
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
mov [eax+04],(float)999
xor ecx,ecx
jmp return
INJECT:
jmp code
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 89 50 04 33 C9
unregistersymbol(INJECT)
dealloc(newmem) |
|
|
| Back to top |
|
|
erfg1
Cheater
Reputation: 0
Joined: 14 Jul 2013
Posts: 49
|
| Posted: Fri Jan 01, 2016 2:02 pm Post subject: |
|
|
| Zanzer wrote: | | Code: | [ENABLE]
aobscanmodule(INJECT,Psychonauts.exe,89 50 04 33 C9 75 DA E9)
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
mov [eax+04],(float)999
xor ecx,ecx
jmp return
INJECT:
jmp code
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 89 50 04 33 C9
unregistersymbol(INJECT)
dealloc(newmem) |
|
crashes.
_________________
|
|
| Back to top |
|
|
akumakuja28
Master Cheater
Reputation: 16
Joined: 28 Jun 2015
Posts: 432
|
| Posted: Fri Jan 01, 2016 2:04 pm Post subject: |
|
|
Click the top code and click "show dissassbler"
Right click on that opcode and select "replace with code that does nothing".
Try shooting an arrow. If it doesnt decrement like its supposed to you found the injection point.
Check and make sure your other items count up and down accordingly
If so use that point as an injection pointer for your arrows.
_________________
|
|
| Back to top |
|
|
Zanzer
I post too much
![]() Reputation: 126
Joined: 09 Jun 2013
Posts: 3278
|
| Posted: Fri Jan 01, 2016 2:04 pm Post subject: |
|
|
Right-click on the instruction in memory viewer and select Find out what addresses this instruction accesses.
If thousands appear, this hack is going to be too complicated to walk you through.
|
|
| Back to top |
|
|
erfg1
Cheater
Reputation: 0
Joined: 14 Jul 2013
Posts: 49
|
| Posted: Fri Jan 01, 2016 2:09 pm Post subject: |
|
|
| akumakuja28 wrote: | Click the top code and click "show dissassbler"
Right click on that opcode and select "replace with code that does nothing".
|
Immediately crashed after doing that.
------------------------------
| Zanzer wrote: | Right-click on the instruction in memory viewer and select Find out what addresses this instruction accesses.
If thousands appear, this hack is going to be too complicated to walk you through. |
Pretty much thousands.
| Description: |
|
| Filesize: |
18.99 KB |
| Viewed: |
11496 Time(s) |
|
_________________
Last edited by erfg1 on Fri Jan 01, 2016 2:18 pm; edited 2 times in total |
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
