Cheat Engine - The Official Site of Cheat Engine
Kawaii desu ne (How do I cheat?) - Reputation: 0 - Joined: 13 Sep 2016 - Posts: 7
Posted: Thu Sep 15, 2016 8:52 am    Post subject: AOB Scan problem

So I have a problem. I want this script to work, but it's just crashing after disabling the script. Enabling works just perfectly and the script also does what it should do. The only bytes that change are the 53 and 01; the rest stay the same. What should I put into the disable so that it won't crash?
 
Code:
[ENABLE]
 
 aobscanmodule(INJECT,Game.exe,F3 0F 11 05 58 4B ?? ??)
 alloc(newmem,$1000)
 alloc(backup,16)
 registersymbol(backup)
 
 label(code)
 label(return)
 
 newmem:
 
 code:
 push eax
 mov eax,(float)26
 movd xmm0,eax
 pop eax
 movss [Game.exe+534B58],xmm0
 jmp return
 
 INJECT:
 jmp code
 nop
 nop
 nop
 return:
 registersymbol(INJECT)
 
 [DISABLE]
 
 INJECT:
 db F3 0F 11 05 58 4B 53 01
 
 unregistersymbol(INJECT)
 dealloc(newmem)
 
 {
 // ORIGINAL CODE - INJECTION POINT: "Game.exe"+14C17F
 
 "Game.exe"+14C15A: F3 0F 58 05 50 47 4B 01  -  addss xmm0,[Game.exe+4B4750]
 "Game.exe"+14C162: 5F                       -  pop edi
 "Game.exe"+14C163: 5E                       -  pop esi
 "Game.exe"+14C164: 5B                       -  pop ebx
 "Game.exe"+14C165: F3 0F 58 C8              -  addss xmm1,xmm0
 "Game.exe"+14C169: F3 0F 10 44 24 14        -  movss xmm0,[esp+14]
 "Game.exe"+14C16F: F3 0F 58 C1              -  addss xmm0,xmm1
 "Game.exe"+14C173: 66 0F 6E 48 2C           -  movd xmm1,[eax+2C]
 "Game.exe"+14C178: 0F 5B C9                 -  cvtdq2ps xmm1,xmm1
 "Game.exe"+14C17B: F3 0F 58 C1              -  addss xmm0,xmm1
 // ---------- INJECTING HERE ----------
 "Game.exe"+14C17F: F3 0F 11 05 58 4B 53 01  -  movss [Game.exe+534B58],xmm0
 // ---------- DONE INJECTING  ----------
 "Game.exe"+14C187: 8B E5                    -  mov esp,ebp
 "Game.exe"+14C189: 5D                       -  pop ebp
 "Game.exe"+14C18A: C2 08 00                 -  ret 0008
 "Game.exe"+14C18D: CC                       -  int 3
 "Game.exe"+14C18E: CC                       -  int 3
 "Game.exe"+14C18F: CC                       -  int 3
 "Game.exe"+14C190: 55                       -  push ebp
 "Game.exe"+14C191: 8B EC                    -  mov ebp,esp
 "Game.exe"+14C193: 83 EC 08                 -  sub esp,08
 "Game.exe"+14C196: FF 75 0C                 -  push [ebp+0C]
 }

hhhuut (Grandmaster Cheater) - Reputation: 6 - Joined: 08 Feb 2015 - Posts: 607
Posted: Thu Sep 15, 2016 9:09 am

Code:
[ENABLE]
 aobscanmodule(INJECT,Game.exe,F3 0F 11 05 58 4B ?? ??)
 alloc(originalBytes,20)
 alloc(newmem,$1000)
 alloc(backup,16)
 registersymbol(originalBytes)
 
 label(code)
 label(return)
 
 originalBytes:
 readMem("Game.exe"+14C17F, 8)
 
 newmem:
 
 code:
 push eax
 mov eax,(float)26
 movd xmm0,eax
 pop eax
 //movss [Game.exe+534B58],xmm0
 readMem(originalBytes, 8)
 jmp return
 
 INJECT:
 jmp code
 nop
 nop
 nop
 return:
 registersymbol(INJECT)
 
 [DISABLE]
 
 INJECT:
 //db F3 0F 11 05 58 4B 53 01
 readMem(originalBytes, 8)
 
 unregistersymbol(INJECT)
 unregistersymbol(originalBytes)
 dealloc(newmem)
 dealloc(originalBytes)
 
 {
 // ORIGINAL CODE - INJECTION POINT: "Game.exe"+14C17F
 
 "Game.exe"+14C15A: F3 0F 58 05 50 47 4B 01  -  addss xmm0,[Game.exe+4B4750]
 "Game.exe"+14C162: 5F                       -  pop edi
 "Game.exe"+14C163: 5E                       -  pop esi
 "Game.exe"+14C164: 5B                       -  pop ebx
 "Game.exe"+14C165: F3 0F 58 C8              -  addss xmm1,xmm0
 "Game.exe"+14C169: F3 0F 10 44 24 14        -  movss xmm0,[esp+14]
 "Game.exe"+14C16F: F3 0F 58 C1              -  addss xmm0,xmm1
 "Game.exe"+14C173: 66 0F 6E 48 2C           -  movd xmm1,[eax+2C]
 "Game.exe"+14C178: 0F 5B C9                 -  cvtdq2ps xmm1,xmm1
 "Game.exe"+14C17B: F3 0F 58 C1              -  addss xmm0,xmm1
 // ---------- INJECTING HERE ----------
 "Game.exe"+14C17F: F3 0F 11 05 58 4B 53 01  -  movss [Game.exe+534B58],xmm0
 // ---------- DONE INJECTING  ----------
 "Game.exe"+14C187: 8B E5                    -  mov esp,ebp
 "Game.exe"+14C189: 5D                       -  pop ebp
 "Game.exe"+14C18A: C2 08 00                 -  ret 0008
 "Game.exe"+14C18D: CC                       -  int 3
 "Game.exe"+14C18E: CC                       -  int 3
 "Game.exe"+14C18F: CC                       -  int 3
 "Game.exe"+14C190: 55                       -  push ebp
 "Game.exe"+14C191: 8B EC                    -  mov ebp,esp
 "Game.exe"+14C193: 83 EC 08                 -  sub esp,08
 "Game.exe"+14C196: FF 75 0C                 -  push [ebp+0C]
 }

Not tested, but should do what you want to achieve.

In general, don't try to inject your scripts on instructions with absolute addresses, because potentially the last four bytes could change (not only 53 and 01), which would also render your AOB pattern useless.

Kawaii desu ne (How do I cheat?)
Posted: Thu Sep 15, 2016 9:37 am

Well, the script does not activate at all now. Can you explain what you did with ReadMem and why you "removed" the movss and db?

Sadly, I didn't find another way to do the thing I want without injecting at the instruction with the absolute address.

The instruction is always changing the red part: movss [Game.exe+534B5B],xmn[41DC3051]

Also, is there not an easier solution?

++METHOS (I post too much) - Reputation: 92 - Joined: 29 Oct 2010 - Posts: 4197
Posted: Thu Sep 15, 2016 9:56 am

You can try injecting above/below the injection point. You should not use wildcard variables at the end of your AOB signature; otherwise, they are meaningless. You need to have something defined at the end, or you could literally have 1000 wildcard variables that do nothing.

Also, what are these for? (remove them):

Code:
alloc(backup,16)
registersymbol(backup)

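The two points made above (hhhuut's warning that the absolute-address bytes of the movss can change and break both the AOB pattern and a hardcoded restore, and ++METHOS's point that trailing wildcards add nothing) can be checked offline. What follows is an added example written for this page, not code from the thread or from Cheat Engine: a small Python AOB scanner plus a hook install/restore routine, run against a constructed module image. The instruction bytes are copied from the ORIGINAL CODE dump in the first post; the image layout, the offsets, the code cave location and the "rebuilt" store address 0x01524B58 are assumptions made for the demonstration and say nothing about the real Game.exe.

```python
"""Added example (not from the thread): AOB scanning with wildcards, plus the
enable/disable bytes round trip, over a constructed module image.

The instruction bytes come from the ORIGINAL CODE dump posted in the thread.
Everything else (padding, offsets, the rebuilt store address, the cave) is a
constructed assumption for the demonstration.
"""
import struct

# Opcode bytes from the dump, Game.exe+14C15A .. Game.exe+14C198.
DUMP_HEX = (
    "F30F580550474B01"  # addss xmm0,[Game.exe+4B4750]
    "5F5E5B"            # pop edi / pop esi / pop ebx
    "F30F58C8"          # addss xmm1,xmm0
    "F30F10442414"      # movss xmm0,[esp+14]
    "F30F58C1"          # addss xmm0,xmm1
    "660F6E482C"        # movd xmm1,[eax+2C]
    "0F5BC9"            # cvtdq2ps xmm1,xmm1
    "F30F58C1"          # addss xmm0,xmm1
    "F30F1105584B5301"  # movss [Game.exe+534B58],xmm0   (injection point)
    "8BE55DC20800"      # mov esp,ebp / pop ebp / ret 0008
    "CCCCCC558BEC83EC08FF750C"
)
DUMP_BASE = 0x100            # constructed: where the dump sits in the image
PAD = b"\x00" * 0x100        # constructed padding on both sides
MOVSS_IN_DUMP = 0x25         # offset of the movss store inside the dump
INJECT = DUMP_BASE + MOVSS_IN_DUMP
ORIGINAL_STORE = 0x01534B58  # 58 4B 53 01 little-endian, exactly as dumped
REBUILT_STORE = 0x01524B58   # constructed: same 58 4B, different upper bytes


def build_module(store_address: int) -> bytearray:
    """Image with the movss's absolute disp32 replaced by store_address."""
    dump = bytearray.fromhex(DUMP_HEX)
    disp = MOVSS_IN_DUMP + 4  # F3 0F 11 05 <disp32>
    dump[disp:disp + 4] = struct.pack("<I", store_address)
    return bytearray(PAD + dump + PAD)


def parse_aob(pattern: str) -> list:
    """'F3 0F ?? 05' -> [0xF3, 0x0F, None, 0x05]; None is a wildcard byte."""
    return [None if t in ("??", "?", "*") else int(t, 16) for t in pattern.split()]


def aob_scan(image: bytes, pattern: str) -> list:
    """Every offset where the pattern matches. aobscanmodule wants exactly one."""
    pat = parse_aob(pattern)
    return [off for off in range(len(image) - len(pat) + 1)
            if all(p is None or image[off + i] == p for i, p in enumerate(pat))]


def store_target(image: bytes, off: int) -> int:
    """Absolute address encoded in 'movss [abs32],xmm0' at off, or -1 if absent."""
    if bytes(image[off:off + 4]) != b"\xF3\x0F\x11\x05":
        return -1
    return struct.unpack("<I", bytes(image[off + 4:off + 8]))[0]


def install_hook(image: bytearray, inject: int, cave: int, length: int) -> bytes:
    """Write 'jmp rel32 cave' plus nop padding over `length` bytes at inject and
    return the bytes that were there (the copy a readmem-based [DISABLE] needs)."""
    if length < 5:
        raise ValueError("a rel32 jmp needs at least 5 bytes")
    saved = bytes(image[inject:inject + length])
    image[inject:inject + 5] = b"\xE9" + struct.pack("<i", cave - (inject + 5))
    image[inject + 5:inject + length] = b"\x90" * (length - 5)
    return saved


def restore(image: bytearray, inject: int, original: bytes) -> None:
    """[DISABLE]: put the original bytes back over the hook."""
    image[inject:inject + len(original)] = original


def disable_outcome(use_saved_bytes: bool) -> int:
    """Hook the rebuilt image, disable it either from the saved bytes or from
    the thread's hardcoded db line, and report where the movss now writes."""
    image = build_module(REBUILT_STORE)
    saved = install_hook(image, INJECT, cave=len(image) - 0x40, length=8)
    hardcoded_db = bytes.fromhex("F30F1105584B5301")  # db line from the first post
    restore(image, INJECT, saved if use_saved_bytes else hardcoded_db)
    return store_target(image, INJECT)


if __name__ == "__main__":
    rebuilt = build_module(REBUILT_STORE)
    print("full pattern hits:", aob_scan(rebuilt, "F3 0F 11 05 58 4B 53 01"))
    print("wildcard tail hits:", aob_scan(rebuilt, "F3 0F 11 05 58 4B ?? ??"))
    print("same without tail:", aob_scan(rebuilt, "F3 0F 11 05 58 4B"))
    print("restore from saved bytes -> %#x" % disable_outcome(True))
    print("restore from hardcoded db -> %#x" % disable_outcome(False))
```

On the rebuilt image the full eight-byte pattern no longer matches, the pattern with `?? ??` matches at the same single offset as the six-byte pattern without it (the trailing wildcards change nothing), `F3 0F 58 C1` on its own hits twice and so would be rejected as non-unique, and the pattern from the later post (`0F 5B C9 F3 0F 58 C1 F3 0F 11 05 58`) matches once on both images. Disabling from the saved bytes puts the rebuilt address back; disabling from the hardcoded `db` writes the old address 0x01534B58 into an instruction that should point at 0x01524B58, so the store now goes to the wrong place.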

Kawaii desu ne (How do I cheat?)
Posted: Thu Sep 15, 2016 10:17 am

Well, that works.

Code:
[ENABLE]
 aobscanmodule(INJECT,Game.exe,0F 5B C9 F3 0F 58 C1 F3 0F 11 05 58) // should be unique
 alloc(newmem,$1000)
 
 label(code)
 label(return)
 
 newmem:
 push eax
 mov eax,(float)26
 movd xmm0,eax
 movss [Game.exe+534B58],xmm0
 pop eax
 jmp return
 
 code:
 cvtdq2ps xmm1,xmm1
 addss xmm0,xmm1
 jmp newmem
 
 INJECT:
 jmp code
 nop
 nop
 return:
 registersymbol(INJECT)
 
 [DISABLE]
 
 INJECT:
 db 0F 5B C9 F3 0F 58 C1
 
 unregistersymbol(INJECT)
 dealloc(newmem)

But why does it work? If my understanding is right, shouldn't the value I just wrote to [Game.exe+534B58] be overwritten by the movss [Game.exe+534B58],xmm0 that comes after I jump to return?

And can I optimize the script in any way?

Edit: Didn't look at it too closely; now I understand why it works, because it's obvious.

Last edited by Kawaii desu ne on Thu Sep 15, 2016 10:41 am; edited 1 time in total

sbryzl (Master Cheater) - Reputation: 6 - Joined: 25 Jul 2016 - Posts: 252
Posted: Thu Sep 15, 2016 10:31 am

Code:
[ENABLE]
 aobscanmodule(INJECT,Game.exe,0F 5B C9 F3 0F 58 C1 F3 0F 11 05 58 4B)
 alloc(newmem,$1000,"Game.exe"+14C178)
 
 label(code)
 label(return)
 registersymbol(INJECT)
 
 newmem:
 code:
 cvtdq2ps xmm1,xmm1
 push eax
 mov eax,(float)26
 movd xmm0,eax
 pop eax
 jmp return
 
 INJECT:
 jmp code
 nop
 nop
 return:
 
 [DISABLE]
 
 INJECT:
 db 0F 5B C9 F3 0F 58 C1 F3 0F 11 05 58 4B
 
 unregistersymbol(INJECT)
 dealloc(newmem)
 

Some kind of forum error; the 3rd post was the last post that showed for me.

You don't need to include movss [Game.exe+534B58],xmm0; that will be the instruction you return to in the game.