Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
Is this some kind of anti cheat?

 
PinPoint
Expert Cheater
Reputation: 10

Joined: 07 Apr 2016
Posts: 223
Location: Scotland

Posted: Fri Apr 15, 2016 9:23 am    Post subject: Is this some kind of anti cheat?

Hacking the old AVP2 game to practice AA and ran into this problem.

I find a value of something I want (the crosshair in this instance). I know the address changes on reload etc., so I find out what writes to it and get the pointer. However, the pointer base address is wow64cpu.dll+46D8. Shouldn't it be lithtech.exe or something?

Also, after I leave it for a while it points to nothing, but the original address still works as I haven't reloaded or anything.

Then, as soon as I attach the debugger to the game, the pointer I got works again.

All of the addresses in the disassembler also seem to be in cshell.dll, which I don't think can be right.
Cake-san
Grandmaster Cheater
Reputation: 8

Joined: 18 Dec 2014
Posts: 541
Location: Semenanjung

Posted: Fri Apr 15, 2016 9:30 am

Just some traps, desu.
PinPoint
Expert Cheater
Reputation: 10

Joined: 07 Apr 2016
Posts: 223
Location: Scotland

Posted: Fri Apr 15, 2016 9:37 am

Got the right one with the pointer scan anyway, but I usually go through the debugger.

How could you incorporate the pointer from the pointer scan into an AOB injection? As in, to find a base address and use globalalloc(blah,x) so activating the script gives the addresses [blah]+offset a value?
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4702

Posted: Fri Apr 15, 2016 10:31 am

PinPoint wrote:
How could you incorporate the pointer from the pointer scan into an AOB injection?

The same way you'd use any pointer in any code injection.
Code:
mov eax,[base.exe+1234]
mov eax,[eax+offset1]
mov eax,[eax+offset2]
// ...
// last offset:
lea edx,[eax+offsetN]   // edx is the final address
mov eax,[eax+offsetN]   // eax is the final value
// you usually don't need both; use whichever you want

PinPoint wrote:
As in, to find a base address and use globalalloc(blah,x) so activating the script gives the addresses [blah]+offset a value?

I'm not sure I understand this, but if you want to write a value to the address pointed at by a pointer:
Code:
// continuing from the previous code
mov [edx],3E8

_________________
I don't know where I'm going, but I'll figure it out when I get there.
itsoqrappy
Advanced Cheater
Reputation: 0

Joined: 24 Mar 2016
Posts: 67

Posted: Fri Apr 15, 2016 7:50 pm

ParkourPenguin wrote:
PinPoint wrote:
How could you incorporate the pointer from the pointer scan into an AOB injection?

The same way you'd use any pointer in any code injection.
Code:
mov eax,[base.exe+1234]
mov eax,[eax+offset1]
mov eax,[eax+offset2]
// ...
// last offset:
lea edx,[eax+offsetN]   // edx is the final address
mov eax,[eax+offsetN]   // eax is the final value
// you usually don't need both; use whichever you want

PinPoint wrote:
As in, to find a base address and use globalalloc(blah,x) so activating the script gives the addresses [blah]+offset a value?

I'm not sure I understand this, but if you want to write a value to the address pointed at by a pointer:
Code:
// continuing from the previous code
mov [edx],3E8


Damn, this interests me very much. I tried to combine your example with some checks I do while calculating the final address:
Code:
[ENABLE]
alloc(cave,256)
label(invalid)

cave:
Push EAX
Push ECX
Push EDX
Push EBX
Push ESP
Push EBP
Push ESI
Push EDI
mov eax,["solitaire.exe"+000F8E38]
or eax,eax
je short invalid
mov eax,[eax+cc]
or eax,eax
je short invalid
mov eax,[eax+40]
or eax,eax
je short invalid
mov eax,[eax+124]
or eax,eax
je short invalid
mov eax,[eax+8]
or eax,eax
je short invalid
mov [eax],#100 // <- I set the value to 100 here
invalid:
push #100
call sleep
Pop EAX
Pop ECX
Pop EDX
Pop EBX
Pop ESP
Pop EBP
Pop ESI
Pop EDI
jmp cave

createthread(cave)

[DISABLE]


Since pushad/popad don't exist on a 64-bit platform, I replaced them with push eax, push ecx, etc.
Yeah, the game crashes. But I would like to know why?
PinPoint
Expert Cheater
Reputation: 10

Joined: 07 Apr 2016
Posts: 223
Location: Scotland

Posted: Fri Apr 15, 2016 8:20 pm

ParkourPenguin wrote:

I'm not sure I understand this, but if you want to write a value to the address pointed at by a pointer:
Code:
// continuing from the previous code
mov [edx],3E8


As an example, in this script I use globalalloc(_base2,4) and mov [_base2],ebx so I can use [_base2]+494 in the cheat lists as a base address.
Code:
[ENABLE]

aobscanmodule(aob4,Tutorial-i386.exe,D9 9B 94 04 00 00) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

globalalloc(_base2,4)

newmem:

code:
  mov [_base2],ebx
  fstp dword ptr [ebx+00000494]
  jmp return

aob4:
  jmp code
  nop
return:
registersymbol(aob4)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
aob4:
  db D9 9B 94 04 00 00

unregistersymbol(aob4)
dealloc(newmem)


Am I right in thinking that this would work for putting _base2 in the cheat list as a pointer (assuming the pointer was correct)? Or is there no point in doing this? (My thoughts while I was doing the cave.)

Code:

[ENABLE]

aobscanmodule(aob4,Tutorial-i386.exe,D9 9B 94 04 00 00) // should be unique
alloc(newmem,$1000)

label(code)
label(return)
label(pointercave)

globalalloc(_base2,4)

newmem:

code:
  mov [_base2],ebx
  jmp return

pointercave:
 push eax
 mov eax,[program.exe+9999]
 mov eax,[eax+offset1]
 mov eax,[eax+offset2]
 lea ebx,[eax+offset3]
 pop eax

 jmp code
 nop


aob4:
  jmp pointercave
  nop
return:
registersymbol(aob4)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
aob4:
  db D9 9B 94 04 00 00

unregistersymbol(aob4)
dealloc(newmem)



I'm basically wanting the pointer to lead back to the opcodes so I can use _base2+offsets in the cheat lists OR so I can nop functions.
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4702

Posted: Fri Apr 15, 2016 9:01 pm

itsoqrappy wrote:
...

The last thing that's pushed onto the stack is the first thing that's popped off.

With that in mind, one of the reasons why it's messing up should be clear. You're effectively moving EDI into EAX, ESI into ECX, EBP into EDX, etc...

Another thing that's wrong is that you're not using the 64-bit version of the registers. If you're in a 64-bit process with a 64-bit address space, don't try to store an address that could be 64-bits long into a 32-bit register. It's not very well going to like that.

Why are you even pushing those registers? The only thing you're modifying is rax, and even then, that code is an infinite loop being run by a thread you created. There is absolutely no reason why you should back up any registers.

You checking for an invalid pointer with the or instruction is neither comprehensive nor optimized. If you're certain the only value in the pointer path that could result in a segfault is 0, then use the test instruction. If you're not certain, call Kernel32.isBadReadPtr, or use structured exception handling.
Checking for bad pointers usually isn't even needed, so don't do this unless you have to.


PinPoint wrote:
As an example, in this script I use globalalloc(_base2,4) and mov [_base2],ebx so I can use [_base2]+494 in the cheat lists as a base address.

Assuming the base address of the pointer is static, you can just add that to the address list and it'll work even when you restart the game. There's no need to store the end address and register it as a symbol. Check out the CE tutorial if you want to learn more.

PinPoint wrote:
I'm basically wanting the pointer to lead back to the opcodes so I can use _base2+offsets in the cheat lists OR so I can nop functions.

Again, this sentence makes no sense, but I'll try to comment on it regardless.

If you need to find out what accesses the address being pointed at by the pointer, right click on the pointer in the address list, select "Find out what accesses this address", and select "Find out what accesses the address pointed at by this pointer". If you need to find out what instructions access the pointer's address instead, select that option.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
PinPoint
Expert Cheater
Reputation: 10

Joined: 07 Apr 2016
Posts: 223
Location: Scotland

Posted: Fri Apr 15, 2016 10:10 pm

ParkourPenguin wrote:

Again, this sentence makes no sense, but I'll try to comment on it regardless.

If you need to find out what accesses the address being pointed at by the pointer, right click on the pointer in the address list, select "Find out what accesses this address", and select "Find out what accesses the address pointed at by this pointer". If you need to find out what instructions access the pointer's address instead, select that option.


Sorry if I'm not making sense. I've done the tutorial. Currently doing it again and want to do every step with scripts for practice with AA. I can do all of them fine except steps 6 and 8, when you need to use the pointer to change the value.

here is my pointer for step 6:
["Tutorial-i386.exe"+00245360]+0

This is a script I wrote to try and get it to work without manually typing in 5000 and freezing it. I linked the pointer with this so they toggle at the same time, but it doesn't work. I've not much experience using code caves etc.
Code:
[Enable]
alloc(newmem,1024)

newmem:

push eax
mov eax,["Tutorial-i386.exe"+00245360]
mov [eax+0],#5000


//mov ["Tutorial-i386.exe"+00245360]+0,#5000

[Disable]
dealloc(newmem)
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4702

Posted: Fri Apr 15, 2016 10:33 pm

Code:
[ENABLE]
alloc(newmem,1024)
label(shouldExit)
registersymbol(shouldExit)

createthread(newmem)

newmem:
  mov eax,["Tutorial-i386.exe"+00245360]
  mov [eax],#5000
  push #50
  call kernel32.Sleep
  mov cl,byte ptr[shouldExit]
  test cl,cl
  je newmem
// dealloc and kill thread
  pop eax
  push 8000
  push 0
  push newmem
  push eax
  jmp kernel32.VirtualFree
  db CC CC CC CC CC
shouldExit:
  db 0

[DISABLE]
unregistersymbol(shouldExit)
shouldExit:
  db 1

_________________
I don't know where I'm going, but I'll figure it out when I get there.
PinPoint
Expert Cheater
Reputation: 10

Joined: 07 Apr 2016
Posts: 223
Location: Scotland

Posted: Fri Apr 15, 2016 10:41 pm

ParkourPenguin wrote:
Code:
[ENABLE]
alloc(newmem,1024)
label(shouldExit)
registersymbol(shouldExit)

createthread(newmem)

newmem:
  mov eax,["Tutorial-i386.exe"+00245360]
  mov [eax],#5000
  push #50
  call kernel32.Sleep
  mov cl,byte ptr[shouldExit]
  test cl,cl
  je newmem
// dealloc and kill thread
  pop eax
  push 8000
  push 0
  push newmem
  push eax
  jmp kernel32.VirtualFree
  db CC CC CC CC CC
shouldExit:
  db 0

[DISABLE]
unregistersymbol(shouldExit)
shouldExit:
  db 1


That's brilliant. Thanks a lot for your help. I had a couple of lines right.
itsoqrappy
Advanced Cheater
Reputation: 0

Joined: 24 Mar 2016
Posts: 67

Posted: Sat Apr 16, 2016 5:59 am

(Sorry if I'm replying in this thread, just avoiding making another one.)
I'm trying to do the same with solitaire for testing purposes:
Code:
[ENABLE]
alloc(newmem,1024)
label(shouldExit)
registersymbol(shouldExit)

createthread(newmem)

newmem:
  push rax
  mov rax,["solitaire.exe"+000BB0E8]
  mov rax,[rax+10]
  mov rax,[rax+248]
  mov rax,[rax+20]
  mov rax,[rax+790]
  mov rax,[rax+7dc]
  mov [rax],#0
  push #50
  call kernel32.Sleep
  mov cl,byte ptr[shouldExit]
  test cl,cl
  je newmem
// dealloc and kill thread
  pop rax
  push 8000
  push 0
  push newmem
  push rax
  jmp kernel32.VirtualFree
  db CC CC CC CC CC
shouldExit:
  db 0

[DISABLE]
unregistersymbol(shouldExit)
shouldExit:
  db 1


Yeah, it crashes... Did I do something wrong?
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4702

Posted: Sat Apr 16, 2016 10:26 am

x64 is significantly different from x86. Don't think that they'll work the same. Here's an example script of freezing a value in a 64-bit process:
Code:
[ENABLE]
alloc(mythread,2048,kernel32.dll)
label(value)
label(mythreadKill)
registersymbol(mythreadKill)

createthread(mythread)

mythread:
  sub rsp,20
@@:
  mov dword ptr[value],#5000
  mov ecx,#500
  call kernel32.Sleep
  mov al,[mythreadKill]
  test al,al
  jz @b
// dealloc and kill thread
  add rsp,20
  mov rcx,mythread
  xor rdx,rdx
  mov r8d,8000
  jmp kernel32.VirtualFree
  db CC CC CC CC
value:
  dd 0
mythreadKill:
  db 0

[DISABLE]
mythreadKill:
  db 1
unregistersymbol(mythreadKill)

Feel free to ask any questions.

Your pointer path might also be wrong. If your code were to work, this is what your pointer path would be:
Code:
base:  "solitaire.exe"+000BB0E8
offs1: 10
offs2: 248
offs3: 20
offs4: 790
offs5: 7dc
offs6: 0

_________________
I don't know where I'm going, but I'll figure it out when I get there.
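As an added example that is not from this thread or from Cheat Engine: the pointer path listed above, together with the full-width, null-checked walk ParkourPenguin describes earlier (64-bit registers, a check of each link before it is dereferenced), written out in C over constructed sample memory. Only the offsets come from the thread; the objects, base_slot and the function names are made up here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Walk a pointer path as the script does: read the pointer at the base, then
 * for every offset but the last read [cur+offset]; the last offset is only
 * added (the "lea" step). Every link is checked for 0 before being read, the
 * check the forum script attempted with "or eax,eax / je". uintptr_t keeps
 * the full 64-bit address; memcpy is used because 7dc is not 8-byte aligned. */
static uint32_t *walk_path(const uintptr_t *base, const uintptr_t *offs, size_t n)
{
    uintptr_t cur = *base;                           /* mov rax,[base]      */
    for (size_t i = 0; i + 1 < n; i++) {
        if (cur == 0) return NULL;                   /* test rax,rax / jz   */
        memcpy(&cur, (const void *)(cur + offs[i]), sizeof cur); /* mov rax,[rax+o] */
    }
    if (cur == 0) return NULL;
    return (uint32_t *)(cur + offs[n - 1]);          /* lea rax,[rax+last]  */
}

/* Constructed sample memory (not from the thread): six objects linked by the
 * offsets the thread lists; base_slot stands in for "solitaire.exe"+000BB0E8. */
static const uintptr_t path[] = {0x10, 0x248, 0x20, 0x790, 0x7dc, 0x0};
static uint8_t objs[6][0x800];
static uintptr_t base_slot;

static void build_sample(void)
{
    memset(objs, 0, sizeof objs);
    base_slot = (uintptr_t)objs[0];
    for (size_t i = 0; i < 5; i++) {                 /* objs[i]+path[i] -> objs[i+1] */
        uintptr_t next = (uintptr_t)objs[i + 1];
        memcpy(objs[i] + path[i], &next, sizeof next);
    }
}

/* Resolve the path, store value at the final address (mov [rax],value) and
 * return what the last object now holds; 0xFFFFFFFF means the walk failed. */
static uint32_t resolve_and_write(uint32_t value)
{
    uint32_t back, *target;
    build_sample();
    if ((target = walk_path(&base_slot, path, 6)) == NULL) return 0xFFFFFFFFu;
    memcpy(target, &value, sizeof value);            /* mov [rax],value      */
    memcpy(&back, objs[5], sizeof back);             /* read it back from the object */
    return back;
}

/* Cut the second link: the walk must stop instead of reading from address
 * 0x20, the kind of access fault that crashes the game's thread. */
static int broken_chain_is_detected(void)
{
    build_sample();
    memset(objs[1] + path[1], 0, sizeof(uintptr_t));
    return walk_path(&base_slot, path, 6) == NULL;
}
```

The same dereferences, done from inside the process rather than through ReadProcessMemory/WriteProcessMemory, are what an injected DLL would execute; the crash described in the thread is the unchecked read at link two.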
itsoqrappy
Advanced Cheater
Reputation: 0

Joined: 24 Mar 2016
Posts: 67

Posted: Sat Apr 16, 2016 11:26 am

ParkourPenguin wrote:
x64 is significantly different from x86. Don't think that they'll work the same. Here's an example script of freezing a value in a 64-bit process:
Code:
[ENABLE]
alloc(mythread,2048,kernel32.dll)
label(value)
label(mythreadKill)
registersymbol(mythreadKill)

createthread(mythread)

mythread:
  sub rsp,20
@@:
  mov dword ptr[value],#5000
  mov ecx,#500
  call kernel32.Sleep
  mov al,[mythreadKill]
  test al,al
  jz @b
// dealloc and kill thread
  add rsp,20
  mov rcx,mythread
  xor rdx,rdx
  mov r8d,8000
  jmp kernel32.VirtualFree
  db CC CC CC CC
value:
  dd 0
mythreadKill:
  db 0

[DISABLE]
mythreadKill:
  db 1
unregistersymbol(mythreadKill)

Feel free to ask any questions.

Your pointer path might also be wrong. If your code were to work, this is what your pointer path would be:
Code:
base:  "solitaire.exe"+000BB0E8
offs1: 10
offs2: 248
offs3: 20
offs4: 790
offs5: 7dc
offs6: 0


OK, isn't there a way to integrate it in C++?
OT: watch out for when you want the topic about that Lua plugin we talked about, please.
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4702

Posted: Sat Apr 16, 2016 11:49 am

Yes, there is. I'm not going to comment on that since "how do I use pointers in [high-level language]" is one of the most frequently asked questions in the general programming forum. Using google can also get you tons of results on many different forums.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
itsoqrappy
Advanced Cheater
Reputation: 0

Joined: 24 Mar 2016
Posts: 67

Posted: Sat Apr 16, 2016 4:37 pm

ParkourPenguin wrote:
Yes, there is. I'm not going to comment on that since "how do I use pointers in [high-level language]" is one of the most frequently asked questions in the general programming forum. Using google can also get you tons of results on many different forums.

OK, but I was wondering if, as I have my own injected DLL, it was better to do manual pointer reading/writing without the ReadProcessMemory, WriteProcessMemory functions etc., or is it also better doing it this way?