Cheat Engine The Official Site of Cheat Engine
Betcha Expert Cheater Reputation: 4
Joined: 13 Aug 2015 Posts: 232 Location: Somewhere In Space
Posted: Tue Oct 25, 2016 5:54 am Post subject: After cmp
Hello.
Below is the same script, edited in different ways.
I'm wondering which is the correct way to edit this kind of injection.
1) Crashes the game
Code:
Separate:
cmp dword ptr [eax-4],(float)100.0
jne EverythingElse
RestoreEnergy:
fld dword ptr [eax]
push ecx
mov ecx, dword ptr [eax-4]
mov dword ptr [eax],ecx
pop ecx
jmp return
EverythingElse:
fld dword ptr [eax]
leave
ret
push 1A
jmp return
2) Works
Code:
Separate:
cmp dword ptr [eax-4],(float)100.0
jne EverythingElse
RestoreEnergy:
push ecx
mov ecx, dword ptr [eax-4]
mov dword ptr [eax],ecx
pop ecx
EverythingElse:
fld dword ptr [eax]
leave
ret
push 1A
jmp return
3) Works
Code:
Separate:
cmp dword ptr [eax-4],(float)100.0
jne EverythingElse
RestoreEnergy:
fld dword ptr [eax]
push ecx
mov ecx, dword ptr [eax-4]
mov dword ptr [eax],ecx
pop ecx
leave
ret
jmp return
EverythingElse:
fld dword ptr [eax]
leave
ret
push 1A
jmp return
4) Works
Code:
Separate:
cmp dword ptr [eax-4],(float)100.0
jne EverythingElse
RestoreEnergy:
fld dword ptr [eax]
push ecx
mov ecx, dword ptr [eax-4]
mov dword ptr [eax],ecx
pop ecx
leave
ret
push 1A
jmp return
EverythingElse:
fld dword ptr [eax]
leave
ret
push 1A
jmp return
Yes, I can do the injection one line up, and then there won't be lines like:
Code:
leave
ret
push 1A
jmp return
I left the injection here for learning purposes.
I use Nr. 3.
sbryzl Master Cheater Reputation: 6
Joined: 25 Jul 2016 Posts: 252
Posted: Tue Oct 25, 2016 12:32 pm
The one that works is best, and instructions after "ret" will not be used. "jmp return" is likely what leads to the crash, since the first example is the only one in which it is used under the RestoreEnergy pointer.
Betcha Expert Cheater Reputation: 4
Posted: Tue Oct 25, 2016 1:52 pm
sbryzl wrote: "The one that works is best and instructions after 'ret' will not be used."
There are 3 working ones. Ummm, I guess you are talking about Nr. 2.
So, if instructions after "ret" will not be used,
does that mean that in the 3rd and 4th scripts it kills/ignores the label "EverythingElse"?
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Tue Oct 25, 2016 2:37 pm Post subject: Re: After cmp
As said before, instructions after ret will not be used.
This crashes the game because after restoring energy you changed the code flow: you used "jmp return" instead of "leave and ret".
Code:
Separate:
cmp dword ptr [eax-4],(float)100.0
jne EverythingElse
RestoreEnergy:
fld dword ptr [eax]
push ecx
mov ecx, dword ptr [eax-4]
mov dword ptr [eax],ecx
pop ecx
jmp return
EverythingElse:
fld dword ptr [eax]
leave
ret
Proper 1, using "leave & ret":
Code:
Separate:
cmp dword ptr [eax-4],(float)100.0
jne EverythingElse
RestoreEnergy:
push ecx
mov ecx, dword ptr [eax-4]
mov dword ptr [eax],ecx
pop ecx
fld dword ptr [eax]
leave
ret
EverythingElse:
fld dword ptr [eax]
leave
ret
Proper 2:
Works because you didn't change the code flow: whether jne EverythingElse is taken or not, it will go to "ret".
Code:
Separate:
cmp dword ptr [eax-4],(float)100.0
jne EverythingElse
RestoreEnergy:
push ecx
mov ecx, dword ptr [eax-4]
mov dword ptr [eax],ecx
pop ecx
EverythingElse:
fld dword ptr [eax]
leave
ret
Betcha Expert Cheater Reputation: 4
Posted: Tue Oct 25, 2016 3:22 pm Post subject: Re: After cmp
Thank you guys for your time.
Now I see how this kind of injection must be done.
Zanzer I post too much Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Tue Oct 25, 2016 4:38 pm
I would also be concerned that your injection overwrote what appears to be the first instruction of a new method.
Or your injection is in the middle of an alternate return path for the current method.
The code push 1A is likely there for a reason and your injection prevents the game from getting there.
This is likely to cause a crash at some point.
mgr.inz.Player I post too much Reputation: 218
Posted: Tue Oct 25, 2016 4:49 pm
Yes, assuming "fld dword ptr [eax]" is the injection point and the original code looks like this:
Code:
...
D9 00 - fld dword ptr [eax]
C9 - leave
C3 - ret
6A 1A - push 1A
...
Using the AA template will generate something like this:
Code:
originalcode:
fld dword ptr [eax]
leave
ret
push 1A
exit:
jmp returnhere
modulename+moduleoffset:
jmp newmem
nop
returnhere:
So, better use "one line up" as the injection point.
Betcha Expert Cheater Reputation: 4
Posted: Wed Oct 26, 2016 12:57 am
Zanzer:
You are right about "push 1A".
It is an "injection in the middle of an alternate return path for the current method",
because above lea eax,[eax+ecx*4+10] there is a jbe 13DB9C16 and it jumps to push 1A.
(I guess it's the same method... or not... I don't know, I'm lost with this one.)
mgr.inz.Player:
Yes, the original injection point was this:
Code:
83 7D 0C 39 - cmp dword ptr [ebp+0C],39
7C 08 - jl 13DB9BFC
D9 05 60 1A ED 27 - fld dword ptr [27ED1A60]
EB 18 - jmp 13DB9C14
8B 45 08 - mov eax,[ebp+08]
8B 40 0C - mov eax,[eax+0C]
8B 4D 0C - mov ecx,[ebp+0C]
39 48 0C - cmp [eax+0C],ecx
0F 86 08 00 00 00 - jbe 13DB9C16
8D 44 88 10 - lea eax,[eax+ecx*4+10]
// ---------- INJECTING HERE ----------
D9 00 - fld dword ptr [eax]
C9 - leave
C3 - ret
6A 1A - push 1A
// ---------- DONE INJECTING ----------
68 43 01 00 00 - push 00000143
E8 16 73 2A F2 - call 06060F38
00 00 - add [eax],al
00 00 - add [eax],al
00 00 - add [eax],al
55 - push ebp
8B EC - mov ebp,esp
83 EC 08 - sub esp,08
8B 45 08 - mov eax,[ebp+08]
8B 40 10 - mov eax,[eax+10]
Edit:
After injecting one line up, the script looks like this:
Code:
Separate:
cmp [eax+3C],(float)100.0
jne EverythingElse
RestoreEnergy:
push ecx
mov ecx,[eax+3C]
mov [eax+40],ecx
pop ecx
lea eax,[eax+ecx*4+10]
fld dword ptr [eax]
jmp return
EverythingElse:
lea eax,[eax+ecx*4+10]
fld dword ptr [eax]
jmp return
mgr.inz.Player I post too much Reputation: 218
Posted: Wed Oct 26, 2016 4:50 am
Yes, there is a "jbe mem+28"; it jumps to "push 1A".
Code:
mem - 83 7D 0C 39 - cmp dword ptr [ebp+0C],39
mem+4- 7C 08 - jl mem+E
mem+6- D9 05 601AED27 - fld dword ptr [27ED1A60]
mem+C- EB 18 - jmp mem+26
mem+E- 8B 45 08 - mov eax,[ebp+08]
mem+11- 8B 40 0C - mov eax,[eax+0C]
mem+14- 8B 4D 0C - mov ecx,[ebp+0C]
mem+17- 39 48 0C - cmp [eax+0C],ecx
mem+1A- 0F86 08000000 - jbe mem+28
mem+20- 8D 44 88 10 - lea eax,[eax+ecx*4+10]
mem+24- D9 00 - fld dword ptr [eax]
mem+26- C9 - leave
mem+27- C3 - ret
mem+28- 6A 1A - push 1A
mem+2A- 68 43010000 - push 00000143
mem+2F- E8 16732AF2 - call F26A784A
So, you have to execute "lea eax,[eax+ecx*4+10]" first.
Code:
Separate:
lea eax,[eax+ecx*4+10]
cmp [eax+3C],(float)100.0
jne EverythingElse
RestoreEnergy:
push ecx
mov ecx,[eax+3C]
mov [eax+40],ecx
pop ecx
EverythingElse:
fld dword ptr [eax]
jmp return
Or without push and pop:
Code:
Separate:
lea eax,[eax+ecx*4+10]
cmp [eax+3C],(float)100.0
jne EverythingElse
RestoreEnergy:
fld dword ptr [eax+3C]
fstp dword ptr [eax+40]
EverythingElse:
fld dword ptr [eax]
jmp return
To simplify it even more (RestoreEnergy is taken only when [eax+3C] is 100):
Code:
Separate:
lea eax,[eax+ecx*4+10]
cmp [eax+3C],(float)100.0
jne EverythingElse
RestoreEnergy:
mov dword ptr [eax+40],(float)100.0
EverythingElse:
fld dword ptr [eax]
jmp return
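The hook-site problem discussed in this post (a 5-byte "jmp newmem" at mem+24 swallowing "push 1A", which "jbe mem+28" jumps to) and the leave/ret point made earlier in the thread can both be checked mechanically before an AA script is enabled. The following is an added example, not code from the thread or from Cheat Engine: a Python script that re-parses the disassembly listing quoted above (reproduced as constructed input), simulates placing a near jump at a candidate offset, and reports the displaced instructions, the nop padding, every listed branch target that would land inside the overwritten bytes, and whether a displaced ret makes anything after it in the trampoline (such as a trailing "jmp return") unreachable. Assumptions: the detour is an E9 rel32 jump of 5 bytes, and only branches visible in the listing are known, so a jump into mem+24 from code outside the listing would not be detected.

```python
import re

# Constructed input: the disassembly posted in the thread, offsets relative to "mem".
LISTING = """\
mem - 83 7D 0C 39 - cmp dword ptr [ebp+0C],39
mem+4- 7C 08 - jl mem+E
mem+6- D9 05 601AED27 - fld dword ptr [27ED1A60]
mem+C- EB 18 - jmp mem+26
mem+E- 8B 45 08 - mov eax,[ebp+08]
mem+11- 8B 40 0C - mov eax,[eax+0C]
mem+14- 8B 4D 0C - mov ecx,[ebp+0C]
mem+17- 39 48 0C - cmp [eax+0C],ecx
mem+1A- 0F86 08000000 - jbe mem+28
mem+20- 8D 44 88 10 - lea eax,[eax+ecx*4+10]
mem+24- D9 00 - fld dword ptr [eax]
mem+26- C9 - leave
mem+27- C3 - ret
mem+28- 6A 1A - push 1A
mem+2A- 68 43010000 - push 00000143
mem+2F- E8 16732AF2 - call F26A784A
"""

HOOK_LEN = 5  # assumed: "jmp newmem" is encoded as a near E9 rel32 jump (5 bytes)

# "mem[+off] - bytes - mnemonic"; the byte column gives each instruction's size.
LINE_RE = re.compile(r"^mem(?:\+([0-9A-Fa-f]+))?\s*-\s*([0-9A-Fa-f ]+?)\s*-\s*(.+)$")
BRANCH_RE = re.compile(r"^j\w*\s+mem\+([0-9A-Fa-f]+)$")  # jl/jmp/jbe to a listed offset


def parse_listing(text):
    """Return [(offset, size, mnemonic)] for every parsable line."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        off = int(m.group(1), 16) if m.group(1) else 0
        size = len(m.group(2).replace(" ", "")) // 2
        insns.append((off, size, m.group(3).strip()))
    return insns


def branch_targets(insns):
    """Map target offset -> [source offsets] for the jumps visible in the listing."""
    targets = {}
    for off, _, text in insns:
        m = BRANCH_RE.match(text)
        if m:
            targets.setdefault(int(m.group(1), 16), []).append(off)
    return targets


def check_hook(insns, inject_off, hook_len=HOOK_LEN):
    """Simulate placing a hook_len-byte jmp at inject_off and judge the site."""
    index = {off: i for i, (off, _, _) in enumerate(insns)}
    if inject_off not in index:
        raise ValueError(f"mem+{inject_off:X} is not an instruction boundary")
    displaced, end, i = [], inject_off, index[inject_off]
    # Whole instructions are displaced until at least hook_len bytes are covered;
    # the remainder is padded with nops, exactly as the AA template does.
    while end - inject_off < hook_len:
        if i >= len(insns):
            raise ValueError("listing too short to cover the hook")
        off, size, text = insns[i]
        displaced.append(text)
        end, i = off + size, i + 1
    problems, warnings = [], []
    for tgt, srcs in branch_targets(insns).items():
        if inject_off < tgt < end:  # execution would resume inside the jmp operand / nops
            srcs_s = ", ".join(f"mem+{s:X}" for s in srcs)
            problems.append(f"mem+{tgt:X} is a branch target (from {srcs_s}) "
                            "but now lies inside the jmp/nop bytes")
    if any(t.split()[0] in ("ret", "leave") for t in displaced):
        warnings.append("displaced code includes leave/ret: keep them as the last step "
                        "of that path; a 'jmp return' placed after ret is dead code")
    return {
        "overwritten": (inject_off, end),  # half-open byte range
        "nops": end - inject_off - hook_len,
        "displaced": displaced,
        "return_to": end,
        "problems": problems,
        "warnings": warnings,
        "safe": not problems,
    }


def report(insns, inject_off):
    r = check_hook(insns, inject_off)
    lo, hi = r["overwritten"]
    print(f"inject at mem+{inject_off:X}: overwrites mem+{lo:X}..mem+{hi - 1:X}, "
          f"{r['nops']} nop(s), return label at mem+{r['return_to']:X}")
    for t in r["displaced"]:
        print("  replicate in newmem:", t)
    for p in r["problems"]:
        print("  PROBLEM:", p)
    for w in r["warnings"]:
        print("  warning:", w)
    print("  ->", "safe" if r["safe"] else "UNSAFE")


if __name__ == "__main__":
    insns = parse_listing(LISTING)
    report(insns, 0x24)  # the original injection point from the thread
    report(insns, 0x20)  # "one line up", as recommended in the thread
```

Run as-is, the original site mem+24 is reported unsafe twice over: the jump occupies mem+24..mem+28 plus one nop at mem+29, so both "jmp mem+26" and "jbe mem+28" would land inside it, and the displaced leave/ret triggers the dead-code warning. The site mem+20 displaces only lea and fld, pads one nop, and returns to mem+26, which is exactly where the original "jmp mem+26" also lands, so that path is preserved.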
Betcha Expert Cheater Reputation: 4
Posted: Wed Oct 26, 2016 6:05 am
Sad to say, but none of the examples work.
The energy keeps decreasing.
All examples work only when I:
remove "lea eax,[eax+ecx*4+10]" from "Separate"
and place it back in "EverythingElse".
Code:
ecx*4+10 = 3C
eax+3C = Max Energy
eax+40 = Exact Energy
Just to be sure, here is the full script with one of the examples.
If I place "lea eax,[eax+ecx*4+10]" in "Separate", the energy keeps decreasing.
If "lea eax,[eax+ecx*4+10]" stays by default in the label "EverythingElse", the script works.
Code:
aobscan(InfinityEnergy,8D 44 88 10 D9 00 C9)
alloc(Separate,$100)
label(RestoreEnergy)
label(EverythingElse)
label(return)
Separate:
cmp [eax+3C],(float)100.0
jne EverythingElse
RestoreEnergy:
fld dword ptr [eax+3C]
fstp dword ptr [eax+40]
EverythingElse:
lea eax,[eax+ecx*4+10] // lea eax,[eax+3C]
fld dword ptr [eax]
jmp return
InfinityEnergy:
jmp Separate
nop
return:
registersymbol(InfinityEnergy)
[DISABLE]
InfinityEnergy:
db 8D 44 88 10 D9 00
unregistersymbol(InfinityEnergy)
dealloc(Separate)
Zanzer I post too much Reputation: 126
Posted: Wed Oct 26, 2016 4:19 pm
Code:
aobscan(InfinityEnergy,8D 44 88 10 D9 00 C9)
alloc(Separate,$100)
label(RestoreEnergy)
label(EverythingElse)
label(return)
Separate:
lea eax,[eax+ecx*4+10]
cmp ecx,B
jne EverythingElse
RestoreEnergy:
fld dword ptr [eax]
fst dword ptr [eax+4]
jmp return
EverythingElse:
fld dword ptr [eax]
jmp return
InfinityEnergy:
jmp Separate
nop
return:
registersymbol(InfinityEnergy)
[DISABLE]
InfinityEnergy:
db 8D 44 88 10 D9 00
unregistersymbol(InfinityEnergy)
dealloc(Separate)
mgr.inz.Player I post too much Reputation: 218
Posted: Wed Oct 26, 2016 4:35 pm
Code:
mem - 83 7D 0C 39 - cmp dword ptr [ebp+0C],39
mem+4- 7C 08 - jl mem+E
mem+6- D9 05 601AED27 - fld dword ptr [27ED1A60]
mem+C- EB 18 - jmp mem+26
mem+E- 8B 45 08 - mov eax,[ebp+08]
mem+11- 8B 40 0C - mov eax,[eax+0C]
mem+14- 8B 4D 0C - mov ecx,[ebp+0C]
mem+17- 39 48 0C - cmp [eax+0C],ecx
mem+1A- 0F86 08000000 - jbe mem+28
mem+20- 8D 44 88 10 - lea eax,[eax+ecx*4+10]
mem+24- D9 00 - fld dword ptr [eax]
mem+26- C9 - leave
mem+27- C3 - ret
mem+28- 6A 1A - push 1A
mem+2A- 68 43010000 - push 00000143
mem+2F- E8 16732AF2 - call F26A784A
We see those jumps:
Code:
jl mem+E
jmp mem+26
jbe mem+28
But maybe there is a jump to mem+24 somewhere above, you know.
Your initial injection was at mem+24; at this point you have EAX set by:
- the instruction at mem+20
- or much earlier, and then there is a jump to mem+24.
Do "code dissection" and post a screenshot.
Betcha Expert Cheater Reputation: 4
Posted: Thu Oct 27, 2016 3:48 pm
I was wondering where you got the "B" in the cmp from, Zanzer,
until I found a mistake in my last post.
I wrote that "ecx" is B*4+10 = 3C.
Actually "ecx" is C*4+10 = 40.
...
I tried your method, Zanzer.
It basically kills the energy, because it doesn't increase/decrease.
It works like infinite energy, but crashes the game after some time.
I bet I messed something up.
Well...
This was supposed to be only about "leave and ret", for learning purposes.
It turned into something more than I thought... *complete mess in my mind*
I changed the injection location and came up with this:
Code:
[ENABLE]
aobscan(INJECT,D9 18 8B 46 08 8B)
alloc(newmem,$100)
label(RestoreEnergy)
label(code)
label(return)
newmem:
cmp [eax-AC],(float)100.0
jne code
RestoreEnergy:
mov [eax-A8],(float)100.0
fstp dword ptr [eax]
mov eax,[esi+08]
jmp return
code:
fstp dword ptr [eax]
mov eax,[esi+08]
jmp return
INJECT:
jmp newmem
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db D9 18 8B 46 08
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 28D95FD5
""+28D95FB1: 83 EC 04 - sub esp,04
""+28D95FB4: D9 1C 24 - fstp dword ptr [esp]
""+28D95FB7: E8 EC 99 5C DD - call 0635F9A8
""+28D95FBC: 83 C4 10 - add esp,10
""+28D95FBF: D9 5D F4 - fstp dword ptr [ebp-0C]
""+28D95FC2: 8B 46 0C - mov eax,[esi+0C]
""+28D95FC5: D9 45 F4 - fld dword ptr [ebp-0C]
""+28D95FC8: 39 78 0C - cmp [eax+0C],edi
""+28D95FCB: 0F 86 46 00 00 00 - jbe 28D96017
""+28D95FD1: 8D 44 B8 10 - lea eax,[eax+edi*4+10]
// ---------- INJECTING HERE ----------
""+28D95FD5: D9 18 - fstp dword ptr [eax]
""+28D95FD7: 8B 46 08 - mov eax,[esi+08]
// ---------- DONE INJECTING ----------
""+28D95FDA: 8B C8 - mov ecx,eax
""+28D95FDC: 39 09 - cmp [ecx],ecx
""+28D95FDE: 8B 40 20 - mov eax,[eax+20]
""+28D95FE1: 89 45 F0 - mov [ebp-10],eax
""+28D95FE4: 83 EC 0C - sub esp,0C
""+28D95FE7: 68 BC E2 26 11 - push 1126E2BC
""+28D95FEC: E8 27 B6 57 DD - call 06311618
""+28D95FF1: 83 C4 10 - add esp,10
""+28D95FF4: 8B C8 - mov ecx,eax
""+28D95FF6: 8B 45 F0 - mov eax,[ebp-10]
}
If you ask about "lea eax,[eax+edi*4+10]":
edi is "C".
The script works.
No crashes, no leave & ret, the cmp works smoothly, but...
The only thing is, if I want to modify some values that are shared in eax,
I must go with negative offsets... well... to be exact, I don't know another way,
because if I dissect the data structure with any of the shared values, it appears at 0000.
So...
I left dissect data alone.
I added a globalalloc and found what is at 0000 by default,
and from that found that:
Max Energy is "-AC"
Exact Energy is "-A8"
lol
I bet everything is easy, I'm just missing knowledge.
Zanzer I post too much Reputation: 126
Posted: Thu Oct 27, 2016 4:48 pm
C*4+10==40 (what you claim is current energy)
B*4+10==3C (what you claim is maximum energy)
Code:
[ENABLE]
aobscan(INJECT,D9 18 8B 46 08 8B)
alloc(newmem,$100)
label(code)
label(return)
newmem:
cmp edi,C
jne code
// from here, we should assume eax points to current energy because C*4+10==40
fstp st(0) // toss out whatever was on the stack
fld dword ptr [eax-4] // offset -4==3C
// let the original code execute to pop the now maximum energy
code:
fstp dword ptr [eax]
mov eax,[esi+08]
jmp return
INJECT:
jmp newmem
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db D9 18 8B 46 08
unregistersymbol(INJECT)
dealloc(newmem)
Betcha Expert Cheater Reputation: 4
Posted: Fri Oct 28, 2016 2:05 am
Thank you.