Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
Help with injecting a code *2
Cheat Engine Forum Index -> General Gamehacking
Flux.
Advanced Cheater
Reputation: 0

Joined: 10 Nov 2016
Posts: 88
Location: Another World - N5X2 106311411+2123518

Posted: Tue Dec 06, 2016 2:15 pm    Post subject: Help with injecting a code *2

Having fun with Hitman Absolution, and I have found the AOB for focus. Can anyone help me with the code injection please?

User jungletek made a table which works, but when playing on later levels and harder difficulties you start with zero focus, and if you use that table it freezes at zero, so I would like to make a table that first adds focus and then freezes the added value, if possible.

jungletek table -
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscan(aobfocus,89 01 EB ?? DD D8 D9 ?? ?? DA E9)
registersymbol(focus)
label(focus)

"aobfocus":
focus:
db 90 90
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
focus:
mov [ecx],eax
//Alt: db 89 01
unregistersymbol(focus)


My table "unedited"
Code:
[ENABLE]

aobscanmodule(focus,HMA.exe,89 01 EB 02 DD D8) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  //mov [ecx],eax
  //jmp HMA.NMP::Vector<float>::median+3394
  //fstp st(0)
  jmp return

focus:
  jmp newmem
  nop
return:
registersymbol(focus)

[DISABLE]

focus:
  db 89 01 EB 02 DD D8

unregistersymbol(focus)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "HMA.exe"+60013E

"HMA.exe"+600127: DE D9              -  fcompp
"HMA.exe"+600129: DF E0              -  fnstsw ax
"HMA.exe"+60012B: F6 C4 05           -  test ah,05
"HMA.exe"+60012E: 7A 09              -  jp HMA.exe+600139
"HMA.exe"+600130: 8B 4E 0C           -  mov ecx,[esi+0C]
"HMA.exe"+600133: 33 C0              -  xor eax,eax
"HMA.exe"+600135: 89 01              -  mov [ecx],eax
"HMA.exe"+600137: EB 0B              -  jmp HMA.exe+600144
"HMA.exe"+600139: 8B C1              -  mov eax,ecx
"HMA.exe"+60013B: 8B 4E 0C           -  mov ecx,[esi+0C]
// ---------- INJECTING HERE ----------
"HMA.exe"+60013E: 89 01              -  mov [ecx],eax
"HMA.exe"+600140: EB 02              -  jmp HMA.exe+600144
"HMA.exe"+600142: DD D8              -  fstp st(0)
// ---------- DONE INJECTING  ----------
"HMA.exe"+600144: D9 46 14           -  fld dword ptr [esi+14]
"HMA.exe"+600147: DA E9              -  fucompp
"HMA.exe"+600149: DF E0              -  fnstsw ax
"HMA.exe"+60014B: F6 C4 44           -  test ah,44
"HMA.exe"+60014E: 7B 19              -  jnp HMA.exe+600169
"HMA.exe"+600150: 8B 4E 0C           -  mov ecx,[esi+0C]
"HMA.exe"+600153: D9 46 14           -  fld dword ptr [esi+14]
"HMA.exe"+600156: D9 01              -  fld dword ptr [ecx]
"HMA.exe"+600158: DE D9              -  fcompp
"HMA.exe"+60015A: DF E0              -  fnstsw ax
}

Any help would be appreciated, thanks.
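An added consistency check for hooks like the one above (example code written for this page, not from the thread, from jungletek's table or from Cheat Engine): it parses the ORIGINAL CODE dump that CE pastes into a script, works out which instructions a 5-byte `jmp newmem` at the injection point overwrites, compares them with the `db` bytes the [DISABLE] block must restore, and flags any relative jmp/jcc/call among the stolen instructions, since a copied `EB 02` would jump to the wrong place from inside the cave. The dump lines are the ones from this post; the +60013B hook is the one proposed later in the thread.

```python
import re

# One dump line: "HMA.exe"+60013E: 89 01              -  mov [ecx],eax
DUMP_LINE = re.compile(r'^"[^"]+"\+(?P<off>[0-9A-Fa-f]+):\s+'
                       r'(?P<bytes>(?:[0-9A-Fa-f]{2}\s+)+)-\s+(?P<asm>.+?)\s*$')
# jmp/jcc/call to a "module+offset" target are encoded as IP-relative
# displacements, so their bytes cannot simply be copied into the code cave.
RELATIVE_BRANCH = re.compile(r'^(?:jmp|call|j[a-z]{1,3})\s+\S*\+[0-9A-Fa-f]+$', re.I)
JMP_REL32_LEN = 5  # size of the 'jmp newmem' CE assembles at the hook

# Constructed sample: dump lines copied from the first post, around the hook.
ORIGINAL_CODE = '''
"HMA.exe"+600139: 8B C1              -  mov eax,ecx
"HMA.exe"+60013B: 8B 4E 0C           -  mov ecx,[esi+0C]
// ---------- INJECTING HERE ----------
"HMA.exe"+60013E: 89 01              -  mov [ecx],eax
"HMA.exe"+600140: EB 02              -  jmp HMA.exe+600144
"HMA.exe"+600142: DD D8              -  fstp st(0)
// ---------- DONE INJECTING  ----------
"HMA.exe"+600144: D9 46 14           -  fld dword ptr [esi+14]
'''

def parse_dump(text):
    """Return (offset, bytes, asm) for each dump line; other lines are skipped."""
    insns = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:
            insns.append((int(m["off"], 16), bytes.fromhex(m["bytes"]), m["asm"]))
    return insns

def stolen_instructions(insns, inject_at):
    """Instructions overwritten by a 5-byte jmp at inject_at, extended to the
    next instruction boundary (the surplus bytes must become nops)."""
    stolen, total = [], 0
    for off, code, asm in insns:
        if off < inject_at:
            continue
        stolen.append((off, code, asm))
        total += len(code)
        if total >= JMP_REL32_LEN:
            return stolen
    raise ValueError("dump ends before the 5-byte jmp is covered")

def check_hook(dump, inject_at, disable_db):
    """Check a hook at inject_at against the 'db ...' bytes of its [DISABLE] block."""
    stolen = stolen_instructions(parse_dump(dump), inject_at)
    original = b"".join(code for _, code, _ in stolen)
    return {
        "stolen_asm": [asm for _, _, asm in stolen],
        "nop_padding": len(original) - JMP_REL32_LEN,
        "expected_db": original.hex(" ").upper(),
        "restore_ok": bytes.fromhex(disable_db) == original,
        "relative_branches": [asm for _, _, asm in stolen if RELATIVE_BRANCH.match(asm)],
    }

if __name__ == "__main__":
    # The hook from the first post (+60013E) and the one proposed at +60013B.
    print(check_hook(ORIGINAL_CODE, 0x60013E, "89 01 EB 02 DD D8"))
    print(check_hook(ORIGINAL_CODE, 0x60013B, "8B 4E 0C 89 01"))
```

For the +60013E hook the check reports one nop of padding, a matching restore string, and the relative `jmp HMA.exe+600144` among the stolen instructions; for the +60013B hook the five overwritten bytes end exactly on a boundary and contain no branch.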
mgr.inz.Player
I post too much
Reputation: 222

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Tue Dec 06, 2016 3:57 pm

Code:
[ENABLE]
alloc(newmem_focus,64)
label(return_focus)

newmem_focus:
  mov ecx,[esi+0C]
  mov [ecx],(float)1000
  jmp return_focus

"HMA.exe"+60013B:
  jmp newmem_focus
return_focus:

[DISABLE]
"HMA.exe"+60013B:
  db 8B 4E 0C 89 01

dealloc(newmem_focus)



Maybe 1000 would be too much. Try also 100, 10 or 1.

++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Tue Dec 06, 2016 4:00 pm

I would first recommend checking to see if there is a better injection location (e.g. read vs. write). It may not matter - I do not know about this game.
Kavvman
Master Cheater
Reputation: 2

Joined: 17 Apr 2004
Posts: 316

Posted: Tue Dec 06, 2016 5:00 pm

Code:
[ENABLE]
aobscanmodule(Instinct,HMA.exe,8B C1 8B 4E 0C) // should be unique
label(isntny)
registersymbol(isntny)

Instinct:
isntny:
nop
nop


[DISABLE]
//code from here till the end of the code will be used to disable the cheat
isntny:
db 8B C1

unregistersymbol(isntny)

Flux.
Advanced Cheater
Reputation: 0

Joined: 10 Nov 2016
Posts: 88
Location: Another World - N5X2 106311411+2123518

Posted: Tue Dec 06, 2016 5:50 pm

@mgr.inz.Player Hi again, thanks for the reply. I have just tested the code you posted and it says -
error in line 19 "HMA.exe"+60013B: the address specifier is not valid.
Also, should I have left this line in -
Code:
aobscanmodule(focus,HMA.exe,89 01 EB 02 DD D8) // should be unique

Here is what i tried -
Code:
[ENABLE]

alloc(newmem_focus,64)
label(return_focus)

newmem_focus:
  mov ecx,[esi+0C]
  mov [ecx],(float)100
  jmp return_focus

"HMA.exe"+60013B:
  jmp newmem_focus
return_focus:

[DISABLE]
"HMA.exe"+60013B:
  db 8B 4E 0C 89 01

dealloc(newmem_focus)




@ ++METHOS Thanks, any help is welcome. As far as I know this game is a bit more difficult than just finding pointers and static addresses, but I just wanted to have a go at it, although I don't know assembly, so I have to get some help at the last.

On an old thread - http://forum.cheatengine.org/viewtopic.php?t=559632&postdays=0&postorder=asc&start=0 - people have found some hacks, and Dark Byte did some things I don't fully understand to find a health cheat. But it seems the way to go with this game is to use AOB search.



@ViZZion Thank you for the table, I didn't see your post initially. Your code does work, but it doesn't add any focus when the script is activated; when you gain some focus the bar fills and stays full (I only did a quick test). So could your script be changed to add focus when it's activated and then freeze it?
Code:
[ENABLE]
aobscanmodule(Instinct,HMA.exe,8B C1 8B 4E 0C) // should be unique

label(isntny)
registersymbol(isntny)

Instinct:
isntny:
nop
nop


[DISABLE]
//code from here till the end of the code will be used to disable the cheat
isntny:
 db 8B C1

unregistersymbol(isntny)


Thanks for the help guys, off to bed now.
Kavvman
Master Cheater
Reputation: 2

Joined: 17 Apr 2004
Posts: 316

Posted: Tue Dec 06, 2016 6:56 pm

Sure, all it does is nop this:

// ---------- INJECTING HERE ----------
"HMA.exe"+600139: 8B C1 - mov eax,ecx
"HMA.exe"+60013B: 8B 4E 0C - mov ecx,[esi+0C]
// ---------- DONE INJECTING ----------
"HMA.exe"+60013E: 89 01 - mov [ecx],eax

So just write your desired value to [ecx] which is the address of focus.


Code:
[ENABLE]
aobscanmodule(Instinct,HMA.exe,8B C1 8B 4E 0C) // should be unique
alloc(newmem_focus,64)
label(return_focus)

label(isntny)
registersymbol(isntny)

newmem_focus:
mov eax,ecx
mov ecx,[esi+0C]
mov [ecx],(float)100
jmp return_focus

Instinct:
isntny:
jmp newmem_focus
return_focus:


[DISABLE]
//code from here till the end of the code will be used to disable the cheat
isntny:
db 8B C1 8B 4E 0C
unregistersymbol(isntny)

Flux.
Advanced Cheater
Reputation: 0

Joined: 10 Nov 2016
Posts: 88
Location: Another World - N5X2 106311411+2123518

Posted: Wed Dec 07, 2016 10:08 am

@ViZZion Hi, I just tried the updated code, and it has no effect. Strangely, focus seems to work as normal; it adds and decreases as if the code wasn't active.
So I tried this again
Code:
[ENABLE]
aobscanmodule(Instinct,HMA.exe,8B C1 8B 4E 0C) // should be unique

label(isntny)
registersymbol(isntny)

Instinct:
isntny:
nop
nop


[DISABLE]
//code from here till the end of the code will be used to disable the cheat
isntny:
 db 8B C1

unregistersymbol(isntny)

And it's fine: when you gain some focus the bar fills and stays full.

Is it possible that I need to find a different injection location like ++METHOS said earlier, or maybe use two scripts, say one to add focus and the script above to freeze it?
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Wed Dec 07, 2016 10:23 am

Flux. wrote:
Is it possible that I need to find a different injection location like ++METHOS said earlier, or maybe use two scripts, say one to add focus and the script above to freeze it?
-Yes. The original injection point was probably the instruction that writes to the focus value. That means nop'ing it will prohibit that value from changing at all. It also means that the focus value will not change according to your script until the focus value changes in game (it is either increased or decreased due to in-game events).

By using a different injection location that reads the value constantly, you can set the value instantly to whatever you want, without having to wait for any changes in the game.

If you prefer, you can make two injections - one at the write instruction (NOP it to keep it from changing at all due to in-game events), and one at a read instruction (to allow you to set the value to whatever you want, instantly).
mgr.inz.Player
I post too much
Reputation: 222

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Wed Dec 07, 2016 11:08 am

Flux. wrote:
@mgr.inz.Player Hi again, thanks for the reply. I have just tested the code you posted and it says -
error in line 19 "HMA.exe"+60013B: the address specifier is not valid.

Did you add this script while CE was attached to the game process?

Flux.
Advanced Cheater
Reputation: 0

Joined: 10 Nov 2016
Posts: 88
Location: Another World - N5X2 106311411+2123518

Posted: Wed Dec 07, 2016 11:53 am

@++METHOS Thank you for the reply, just looking to find an alternate code now (will post results soon).

@mgr.inz.Player My apologies, sorry, yeah, I meant to say last night but I was too tired: once I attached the process (no error) the code injected, but it didn't add any focus when starting a level.
Kavvman
Master Cheater
Reputation: 2

Joined: 17 Apr 2004
Posts: 316

Posted: Wed Dec 07, 2016 12:07 pm

Oh okay then, I just pasted my old code for the trainer I made ages ago... not really sure what registers contain what.

But yeah do like METHOS suggested, maybe this place is only accessed when you decrease instinct or not a lot.

Flux.
Advanced Cheater
Reputation: 0

Joined: 10 Nov 2016
Posts: 88
Location: Another World - N5X2 106311411+2123518

Posted: Wed Dec 07, 2016 12:22 pm

@ViZZion Thanks for your help, the first code you gave works great, so thank you for that.


A possible fix (maybe, hopefully): after doing another search on the focus from scratch, one of the results was the actual value in hex that went up and down when the focus bar did. I think 48 was full, and it went down to 3f and then all the way to zero after use (changing this value had no effect in game). So, using the debugger, here's what is writing to this address -

First result popped up after a decrease -
Code:
[ENABLE]

aobscanmodule(focus,HMA.exe,89 BE C4 00 00 00 E8 11) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  mov [esi+000000C4],edi
  jmp return

focus:
  jmp newmem
  nop
return:
registersymbol(focus)

[DISABLE]

focus:
  db 89 BE C4 00 00 00

unregistersymbol(focus)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "HMA.exe"+8B5B84

"HMA.exe"+8B5B63: 50                             -  push eax
"HMA.exe"+8B5B64: 8B CE                          -  mov ecx,esi
"HMA.exe"+8B5B66: C7 45 D4 32 00 00 00           -  mov [ebp-2C],00000032
"HMA.exe"+8B5B6D: 89 75 F8                       -  mov [ebp-08],esi
"HMA.exe"+8B5B70: C7 45 FC 01 00 00 00           -  mov [ebp-04],00000001
"HMA.exe"+8B5B77: E8 C4 40 FF FF                 -  call HMA.exe+8A9C40
"HMA.exe"+8B5B7C: 6A 04                          -  push 04
"HMA.exe"+8B5B7E: 8D 4D CC                       -  lea ecx,[ebp-34]
"HMA.exe"+8B5B81: 51                             -  push ecx
"HMA.exe"+8B5B82: 8B CE                          -  mov ecx,esi
// ---------- INJECTING HERE ----------
"HMA.exe"+8B5B84: 89 BE C4 00 00 00              -  mov [esi+000000C4],edi
// ---------- DONE INJECTING  ----------
"HMA.exe"+8B5B8A: E8 11 F0 FF FF                 -  call HMA.exe+8B4BA0
"HMA.exe"+8B5B8F: 8D 4D CC                       -  lea ecx,[ebp-34]
"HMA.exe"+8B5B92: E8 79 91 FF FF                 -  call HMA.exe+8AED10
"HMA.exe"+8B5B97: EB 06                          -  jmp HMA.exe+8B5B9F
"HMA.exe"+8B5B99: 89 BE C4 00 00 00              -  mov [esi+000000C4],edi
"HMA.exe"+8B5B9F: 57                             -  push edi
"HMA.exe"+8B5BA0: 8B CE                          -  mov ecx,esi
"HMA.exe"+8B5BA2: E8 79 58 FF FF                 -  call HMA.exe+8AB420
"HMA.exe"+8B5BA7: 8D 8E B0 00 00 00              -  lea ecx,[esi+000000B0]
"HMA.exe"+8B5BAD: E8 4E EE FC FF                 -  call HMA.exe+884A00
}

Then these next 2 after an increase -
Code:
[ENABLE]

aobscanmodule(focus2,HMA.exe,89 BE C4 00 00 00 E8 6D) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  //mov [esi+000000C4],edi
  jmp return

focus2:
  jmp newmem
  nop
return:
registersymbol(focus2)

[DISABLE]

focus2:
  db 89 BE C4 00 00 00

unregistersymbol(focus2)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "HMA.exe"+8B5C28

"HMA.exe"+8B5C13: 53                             -  push ebx
"HMA.exe"+8B5C14: 8B CE                          -  mov ecx,esi
"HMA.exe"+8B5C16: E8 95 40 FF FF                 -  call HMA.exe+8A9CB0
"HMA.exe"+8B5C1B: 43                             -  inc ebx
"HMA.exe"+8B5C1C: 3B DF                          -  cmp ebx,edi
"HMA.exe"+8B5C1E: 72 F3                          -  jb HMA.exe+8B5C13
"HMA.exe"+8B5C20: 6A 04                          -  push 04
"HMA.exe"+8B5C22: 8D 4D CC                       -  lea ecx,[ebp-34]
"HMA.exe"+8B5C25: 51                             -  push ecx
"HMA.exe"+8B5C26: 8B CE                          -  mov ecx,esi
// ---------- INJECTING HERE ----------
"HMA.exe"+8B5C28: 89 BE C4 00 00 00              -  mov [esi+000000C4],edi
// ---------- DONE INJECTING  ----------
"HMA.exe"+8B5C2E: E8 6D EF FF FF                 -  call HMA.exe+8B4BA0
"HMA.exe"+8B5C33: 8D 4D CC                       -  lea ecx,[ebp-34]
"HMA.exe"+8B5C36: E8 D5 90 FF FF                 -  call HMA.exe+8AED10
"HMA.exe"+8B5C3B: EB 06                          -  jmp HMA.exe+8B5C43
"HMA.exe"+8B5C3D: 89 BE C4 00 00 00              -  mov [esi+000000C4],edi
"HMA.exe"+8B5C43: 57                             -  push edi
"HMA.exe"+8B5C44: 8B CE                          -  mov ecx,esi
"HMA.exe"+8B5C46: E8 D5 57 FF FF                 -  call HMA.exe+8AB420
"HMA.exe"+8B5C4B: 5F                             -  pop edi
"HMA.exe"+8B5C4C: C7 86 C0 00 00 00 01 00 00 00  -  mov [esi+000000C0],00000001
}

And -
Code:
[ENABLE]

aobscanmodule(focus3,HMA.exe,89 BE C4 00 00 00 57 8B CE E8 D5) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  //mov [esi+000000C4],edi
  jmp return

focus3:
  jmp newmem
  nop
return:
registersymbol(focus3)

[DISABLE]

focus3:
  db 89 BE C4 00 00 00

unregistersymbol(focus3)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "HMA.exe"+8B5C3D

"HMA.exe"+8B5C1E: 72 F3                          -  jb HMA.exe+8B5C13
"HMA.exe"+8B5C20: 6A 04                          -  push 04
"HMA.exe"+8B5C22: 8D 4D CC                       -  lea ecx,[ebp-34]
"HMA.exe"+8B5C25: 51                             -  push ecx
"HMA.exe"+8B5C26: 8B CE                          -  mov ecx,esi
"HMA.exe"+8B5C28: 89 BE C4 00 00 00              -  mov [esi+000000C4],edi
"HMA.exe"+8B5C2E: E8 6D EF FF FF                 -  call HMA.exe+8B4BA0
"HMA.exe"+8B5C33: 8D 4D CC                       -  lea ecx,[ebp-34]
"HMA.exe"+8B5C36: E8 D5 90 FF FF                 -  call HMA.exe+8AED10
"HMA.exe"+8B5C3B: EB 06                          -  jmp HMA.exe+8B5C43
// ---------- INJECTING HERE ----------
"HMA.exe"+8B5C3D: 89 BE C4 00 00 00              -  mov [esi+000000C4],edi
// ---------- DONE INJECTING  ----------
"HMA.exe"+8B5C43: 57                             -  push edi
"HMA.exe"+8B5C44: 8B CE                          -  mov ecx,esi
"HMA.exe"+8B5C46: E8 D5 57 FF FF                 -  call HMA.exe+8AB420
"HMA.exe"+8B5C4B: 5F                             -  pop edi
"HMA.exe"+8B5C4C: C7 86 C0 00 00 00 01 00 00 00  -  mov [esi+000000C0],00000001
"HMA.exe"+8B5C56: 5B                             -  pop ebx
"HMA.exe"+8B5C57: 5E                             -  pop esi
"HMA.exe"+8B5C58: 8B E5                          -  mov esp,ebp
"HMA.exe"+8B5C5A: 5D                             -  pop ebp
"HMA.exe"+8B5C5B: C2 04 00                       -  ret 0004
}

Changing these may have no effect, but the code is all identical, only the AOB has changed. Could someone help me with a code to try, to see if one of these is viable please?
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Wed Dec 07, 2016 1:00 pm

Have you completed the CE tutorial? If not, I would recommend doing that first.

There is no use in writing any scripts until you are certain that you have the correct value. Test the value by changing it and/or freezing it, then play the game for a while to see if it sticks. Once you have confirmed that you are working with the correct value, you have two choices-

1. Right-click the value to see what is 'writing' to it.
2. Right-click the value to see what is 'accessing' it.

Try the second option to get a 'read' instruction - preferably one that is accessing the address constantly (every second). When the debugger window pops up to show you the instruction(s) that are accessing the address, right-click inside the window somewhere, and click on the option that checks to see if found opcodes access other addresses. Doing so will show you if the instructions that populate the list are exclusive to your focus value, or if they also access other addresses in addition to your focus value. If possible, return to game-play for a moment to see if anything changes, then return to the debugger window. If any of the instructions still show a (1) next to them, then you are probably good to proceed with using that for your injection point. Once chosen, write a script that will constantly set the focus value to full. From here, you can repeat your steps by choosing 'what writes' to the focus value, and nop'ing that instruction to avoid any possible fluctuations.
Flux.
Advanced Cheater
Reputation: 0

Joined: 10 Nov 2016
Posts: 88
Location: Another World - N5X2 106311411+2123518

Posted: Wed Dec 07, 2016 4:06 pm

@ ++METHOS Thanks for your help,

I thought I did find the correct value; it's a 4-byte value that, when you add it to your code list and check the box to activate it, freezes the focus and works fine.
After a restart of the game the address no longer worked, so I then did a pointer search, and after the second round of searching within pointer results the search gave me nothing, so the address is dynamic. One more time I found the 4-byte focus value, then found what was writing to the address and created an AOB script, which started this thread.

As to finding out what accesses the address, I followed your instructions and checked to see if found opcodes access other addresses, by changing the focus (increase and decrease) a couple of times. The results I received are below -
7 results, all with 1 next to them. Could you please help with which to choose as the correct value?



[Attachment: ce.jpg, screenshot of the 7 results (80.78 KB)]

++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Wed Dec 07, 2016 4:41 pm

Any one of them.
All times are GMT - 6 Hours
Page 1 of 2

 