Cheat Engine The Official Site of Cheat Engine
PinPoint Expert Cheater
Reputation: 10
Joined: 07 Apr 2016 Posts: 223 Location: Scotland
Posted: Fri Apr 15, 2016 9:23 am Post subject: Is this some kind of anti cheat?
Hacking the old AvP2 game to practice AA and came into this problem.
Find a value of something I want (crosshair in this instance). I know the address changes on reload etc., so find out what writes etc. and get the pointer. However, the pointer base address is wow64cpu.dll+46D8. Shouldn't it be lithtech.exe or something?
Also, after I leave it for a while it points to nothing, but the original address still works as I haven't reloaded or anything.
Then as soon as I attach the debugger to the game, the pointer I got works again.
All of the addresses in the disassembler seem to be cshell.dll also, which I don't think can be right.
Cake-san Grandmaster Cheater
Reputation: 8
Joined: 18 Dec 2014 Posts: 541 Location: Semenanjung
Posted: Fri Apr 15, 2016 9:30 am
Just some traps, desu.
PinPoint Expert Cheater
Reputation: 10
Joined: 07 Apr 2016 Posts: 223 Location: Scotland
Posted: Fri Apr 15, 2016 9:37 am
Got the right one with pointer scan anyway, but I usually go through the debugger.
How could you incorporate the pointer scan pointer into an AOB injection? As in, to find a base address and use globalalloc(blah,x) so activating the script will give addresses with [blah]+offset a value?
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4702
Posted: Fri Apr 15, 2016 10:31 am
PinPoint wrote: | how could you incorporate the pointer scan pointer into an aob injection? |
The same way you'd use any pointer in any code injection.
Code:
mov eax,[base.exe+1234]
mov eax,[eax+offset1]
mov eax,[eax+offset2]
// ...
// last offset:
lea edx,[eax+offsetN] // edx is the final address
mov eax,[eax+offsetN] // eax is the final value
// you usually don't need both; use whichever you want
PinPoint wrote: | as in to find a base address and use globalalloc(blah,x) so activating the script will give addresses with [blah]+offset a value? |
I'm not sure I understand this, but if you want to write a value to the address pointed at by a pointer:
Code:
// continuing from the previous code
mov [edx],3E8
_________________
I don't know where I'm going, but I'll figure it out when I get there.
itsoqrappy Advanced Cheater
Reputation: 0
Joined: 24 Mar 2016 Posts: 67
Posted: Fri Apr 15, 2016 7:50 pm
ParkourPenguin wrote: | PinPoint wrote: | how could you incorporate the pointer scan pointer into an aob injection? |
The same way you'd use any pointer in any code injection. [...] |
Damn, this interests me very much. I tried to combine your example with some checks I do while calculating the final address:
Code:
[ENABLE]
alloc(cave,256)
label(invalid)
cave:
Push EAX
Push ECX
Push EDX
Push EBX
Push ESP
Push EBP
Push ESI
Push EDI
mov eax,["solitaire.exe"+000F8E38]
or eax,eax
je short invalid
mov eax,[eax+cc]
or eax,eax
je short invalid
mov eax,[eax+40]
or eax,eax
je short invalid
mov eax,[eax+124]
or eax,eax
je short invalid
mov eax,[eax+8]
or eax,eax
je short invalid
mov [eax],#100 // <- i set here the value to 100
invalid:
push #100
call sleep
Pop EAX
Pop ECX
Pop EDX
Pop EBX
Pop ESP
Pop EBP
Pop ESI
Pop EDI
jmp cave
createthread(cave)
[DISABLE]
Since pushad/popad don't exist on a 64-bit platform, I replaced them with push eax, ecx etc.
Yeah, the game crashes, but I would like to know why?
PinPoint Expert Cheater
Reputation: 10
Joined: 07 Apr 2016 Posts: 223 Location: Scotland
Posted: Fri Apr 15, 2016 8:20 pm
ParkourPenguin wrote: | I'm not sure I understand this, but if you want to write a value to the address pointed at by a pointer:
Code:
// continuing from the previous code
mov [edx],3E8 |
As an example, in this script I use globalalloc(_base2,4) and mov [_base2],ebx so I can use [_base2]+494 in the cheat list as a base address.
Code:
[ENABLE]
aobscanmodule(aob4,Tutorial-i386.exe,D9 9B 94 04 00 00) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
globalalloc(_base2,4)
newmem:
code:
mov [_base2],ebx
fstp dword ptr [ebx+00000494]
jmp return
aob4:
jmp code
nop
return:
registersymbol(aob4)
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
aob4:
db D9 9B 94 04 00 00
unregistersymbol(aob4)
dealloc(newmem)
Am I right in thinking that this would work for putting _base2 in the cheat list as a pointer (assuming the pointer was correct), or is there no point in doing this? (My thoughts while I was doing the cave.)
Code:
[ENABLE]
aobscanmodule(aob4,Tutorial-i386.exe,D9 9B 94 04 00 00) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
label(pointercave)
globalalloc(_base2,4)
newmem:
code:
mov [_base2],ebx
fstp dword ptr [ebx+00000494] // original instruction; the jmp at aob4 overwrote it, so it has to run here
jmp return
pointercave:
push eax
mov eax,[program.exe+9999]
mov eax,[eax+offset1]
mov eax,[eax+offset2]
lea ebx,[eax+offset3]
pop eax
jmp code
aob4:
jmp pointercave
nop
return:
registersymbol(aob4)
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
aob4:
db D9 9B 94 04 00 00
unregistersymbol(aob4)
dealloc(newmem)
I'm basically wanting the pointer to lead back to the opcodes so I can use _base2 + offsets in the cheat lists, OR so I can nop functions.
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4702
Posted: Fri Apr 15, 2016 9:01 pm
The last thing that's pushed onto the stack is the first thing that's popped off.
With that in mind, one of the reasons why it's messing up should be clear. You're effectively moving EDI into EAX, ESI into ECX, EBP into EDX, etc.
Another thing that's wrong is that you're not using the 64-bit version of the registers. If you're in a 64-bit process with a 64-bit address space, don't try to store an address that could be 64 bits long into a 32-bit register. It's not very well going to like that.
Why are you even pushing those registers? The only thing you're modifying is rax, and even then, that code is an infinite loop being run by a thread you created. There is absolutely no reason why you should back up any registers.
Your checking for an invalid pointer with the or instruction is neither comprehensive nor optimized. If you're certain the only value in the pointer path that could result in a segfault is 0, then use the test instruction. If you're not certain, call Kernel32.IsBadReadPtr, or use structured exception handling.
Checking for bad pointers usually isn't even needed, so don't do this unless you have to.
PinPoint wrote: | as an example, in this script i use globalalloc(_base2,4) and mov [_base2],ebx so i can use [_base2]+494 in the cheat lists as a base address. |
Assuming the base address of the pointer is static, you can just add that to the address list and it'll work even when you restart the game. There's no need to store the end address and register it as a symbol. Check out the CE tutorial if you want to learn more.
PinPoint wrote: | I'm basically wanting the pointer to lead back to the opcodes so i can use _base2 +offsets in the cheatlists OR so I can nop functions. |
Again, this sentence makes no sense, but I'll try to comment on it regardless.
If you need to find out what accesses the address being pointed at by the pointer, right click on the pointer in the address list, select "Find out what accesses this address", and select "Find out what accesses the address pointed at by this pointer". If you need to find out what instructions access the pointer's address instead, select that option.
PinPoint Expert Cheater
Reputation: 10
Joined: 07 Apr 2016 Posts: 223 Location: Scotland
Posted: Fri Apr 15, 2016 10:10 pm
ParkourPenguin wrote: | Again, this sentence makes no sense, but I'll try to comment on it regardless.
If you need to find out what accesses the address being pointed at by the pointer, right click on the pointer in the address list, select "Find out what accesses this address", and select "Find out what accesses the address pointed at by this pointer". If you need to find out what instructions access the pointer's address instead, select that option. |
Sorry if I'm not making sense. I've done the tutorial. Currently doing it again and want to do every step with scripts for practice with AA. I can do it on all of them fine except steps 6 and 8, when you need to use the pointer to change the value.
Here is my pointer for step 6:
["Tutorial-i386.exe"+00245360]+0
This is a script I wrote to try and get it to work without manually typing in 5000 and freezing it. I linked the pointer with this so they toggle at the same time, but it doesn't work. I've not much experience using code caves etc.
Code:
[Enable]
alloc(newmem,1024)
newmem:
push eax
mov eax,["Tutorial-i386.exe"+00245360]
mov [eax+0],#5000
//mov ["Tutorial-i386.exe"+00245360]+0,#5000
[Disable]
dealloc(newmem)
 |
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4702
Posted: Fri Apr 15, 2016 10:33 pm
Code:
[ENABLE]
alloc(newmem,1024)
label(shouldExit)
registersymbol(shouldExit)
createthread(newmem)
newmem:
mov eax,["Tutorial-i386.exe"+00245360]
mov [eax],#5000
push #50
call kernel32.Sleep
mov cl,byte ptr[shouldExit]
test cl,cl
je newmem
// dealloc and kill thread
pop eax
push 8000
push 0
push newmem
push eax
jmp kernel32.VirtualFree
db CC CC CC CC CC
shouldExit:
db 0
[DISABLE]
unregistersymbol(shouldExit)
shouldExit:
db 1
PinPoint Expert Cheater
Reputation: 10
Joined: 07 Apr 2016 Posts: 223 Location: Scotland
Posted: Fri Apr 15, 2016 10:41 pm
ParkourPenguin wrote: | Code: [script quoted from the post above] |
That's brilliant. Thanks a lot for your help. I had a couple of lines right.
itsoqrappy Advanced Cheater
Reputation: 0
Joined: 24 Mar 2016 Posts: 67
Posted: Sat Apr 16, 2016 5:59 am
(Sorry if I'm replying in this thread, just avoiding making another.)
I'm trying to do the same with solitaire for testing purposes:
Code:
[ENABLE]
alloc(newmem,1024)
label(shouldExit)
registersymbol(shouldExit)
createthread(newmem)
newmem:
push rax
mov rax,["solitaire.exe"+000BB0E8]
mov rax,[rax+10]
mov rax,[rax+248]
mov rax,[rax+20]
mov rax,[rax+790]
mov rax,[rax+7dc]
mov [rax],#0
push #50
call kernel32.Sleep
mov cl,byte ptr[shouldExit]
test cl,cl
je newmem
// dealloc and kill thread
pop rax
push 8000
push 0
push newmem
push rax
jmp kernel32.VirtualFree
db CC CC CC CC CC
shouldExit:
db 0
[DISABLE]
unregistersymbol(shouldExit)
shouldExit:
db 1
Yeah, it crashes.... did I do something wrong?
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4702
Posted: Sat Apr 16, 2016 10:26 am
x64 is significantly different from x86. Don't think that they'll work the same. Here's an example script of freezing a value in a 64-bit process:
Code:
[ENABLE]
alloc(mythread,2048,kernel32.dll)
label(value)
label(mythreadKill)
registersymbol(mythreadKill)
createthread(mythread)
mythread:
sub rsp,20
@@:
mov dword ptr[value],#5000
mov ecx,#500
call kernel32.Sleep
mov al,[mythreadKill]
test al,al
jz @b
// dealloc and kill thread
add rsp,20
mov rcx,mythread
xor rdx,rdx
mov r8d,8000
jmp kernel32.VirtualFree
db CC CC CC CC
value:
dd 0
mythreadKill:
db 0
[DISABLE]
mythreadKill:
db 1
unregistersymbol(mythreadKill)
Feel free to ask any questions.
Your pointer path might also be wrong. If your code were to work, this is what your pointer path would be:
Code:
base: "solitaire.exe"+000BB0E8
offs1: 10
offs2: 248
offs3: 20
offs4: 790
offs5: 7dc
offs6: 0
itsoqrappy Advanced Cheater
Reputation: 0
Joined: 24 Mar 2016 Posts: 67
Posted: Sat Apr 16, 2016 11:26 am
ParkourPenguin wrote: | x64 is significantly different from x86. Don't think that they'll work the same. Here's an example script of freezing a value in a 64-bit process: [script and pointer path quoted from the post above] |
OK, isn't there a way to integrate it in C++?
OT: watch out for when you want the topic about that Lua plugin we talked about, please.
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4702
Posted: Sat Apr 16, 2016 11:49 am
Yes, there is. I'm not going to comment on that since "how do I use pointers in [high-level language]" is one of the most frequently asked questions in the general programming forum. Using Google can also get you tons of results on many different forums.
itsoqrappy Advanced Cheater
Reputation: 0
Joined: 24 Mar 2016 Posts: 67
Posted: Sat Apr 16, 2016 4:37 pm
ParkourPenguin wrote: | Yes, there is. I'm not going to comment on that since "how do I use pointers in [high-level language]" is one of the most frequently asked questions in the general programming forum. Using google can also get you tons of results on many different forums. |
OK, but I was wondering, as I have my own injected DLL, whether it is better to do manual pointer reading/writing without the ReadProcessMemory/WriteProcessMemory functions etc., or is doing it this way also better?