FreeER (Grandmaster Cheater Supreme, Reputation: 53, Joined: 09 Aug 2013, Posts: 1091)
Posted: Wed Jan 10, 2018 10:26 am
You can always constrain the address with an if statement, e.g.
Code:
for i=0,results.Count-1 do
  local numberAddress = getAddress(results[i]) -- translates the hex string to a number
  if numberAddress > 0x17000000 and numberAddress < 0x1BFFFFFF then
    print(results[i]) -- only print hits inside the chosen address range
  end
end
It's code, so there are various ways you can narrow down the one(s) you want; it's just up to the programmer to figure out what they can use to do so.
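Since the thread later asks how an AOB scan works in detail, here is an added example (not code from the thread, Cheat Engine or either poster) that implements the same idea in Python over a constructed byte buffer: a pattern with `??` wildcards is compiled to a byte regex, every match address is collected, and an address-range filter like FreeER's Lua if-statement narrows the hits. It goes slightly beyond the Lua loop by returning all hits, including overlapping ones, and by showing a decoy that only the wildcard form of the pattern matches. `BASE`, the instruction bytes and the three placements are constructed for illustration, not taken from any real process.

```python
import re

# Hypothetical base address of the scanned region: index 0 of the buffer lives here.
BASE = 0x17000000

def pattern_to_regex(pattern: str):
    """Compile an AOB pattern such as '8B 45 ?? 83' into a bytes regex.
    '??' (or '?') is a wildcard matching any single byte; every other token is a
    two-digit hex byte. The lookahead wrapper makes overlapping hits visible."""
    parts = []
    for tok in pattern.split():
        if tok in ("??", "?"):
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)

def aob_scan(memory: bytes, pattern: str, base: int = BASE) -> list:
    """Return the address of every position where `pattern` matches `memory`."""
    regex = pattern_to_regex(pattern)
    return [base + m.start() for m in regex.finditer(memory)]

def filter_range(addresses, lo: int, hi: int) -> list:
    """Keep only hits inside [lo, hi], the same check as the Lua if-statement."""
    return [a for a in addresses if lo <= a <= hi]

def build_sample_memory() -> bytes:
    """Constructed memory image (not a real game): a 9-byte instruction sequence
    placed three times. Two copies are identical; the third differs only in the
    two bytes that a wildcard pattern ignores."""
    exact = bytes.fromhex("8B45F083C0048945F0")    # constructed instruction bytes
    variant = bytes.fromhex("8B45F883C0088945F0")  # same shape, different immediates
    mem = bytearray(b"\x90" * 0x6000)              # NOP filler
    mem[0x0100:0x0100 + 9] = exact    # pretend this copy is in a static code region
    mem[0x2000:0x2000 + 9] = variant  # decoy that only the wildcard pattern matches
    mem[0x4200:0x4200 + 9] = exact    # pretend this copy lives in a heap region
    return bytes(mem)

def demo():
    """Scan the constructed image with an exact and a wildcard pattern, then
    narrow the wildcard hits to the 'heap' range only."""
    mem = build_sample_memory()
    exact_hits = aob_scan(mem, "8B 45 F0 83 C0 04 89 45 F0")
    wild_hits = aob_scan(mem, "8B 45 ?? 83 C0 ?? 89 45 F0")
    narrowed = filter_range(wild_hits, 0x17004000, 0x17005FFF)
    return exact_hits, wild_hits, narrowed

if __name__ == "__main__":
    for label, hits in zip(("exact", "wildcard", "narrowed"), demo()):
        print(label, [hex(a) for a in hits])
```

The static copy at the low address is the situation described further down in the thread: a pattern that also occurs in a region that never moves will report that same address on every run, and only a range filter (or a more specific pattern) separates it from the copy that actually changes.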
muGaen (Newbie cheater, Reputation: 0, Joined: 10 Jan 2018, Posts: 17)
Posted: Thu Jan 11, 2018 2:46 am
So I've made a tiny Lua script that stores multiple results; however, there is just this one result in this case.
And whenever I find the right pattern, I'm getting that wrong address.
I just don't understand what is actually happening in the background. What exactly could be a possible reason for that AOBScan to return me a wrong address, although the pattern totally seems to be unique?
Does anyone have some other idea?
Thanks for helping me into Lua nevertheless. It's good that I finally could get a reason to crawl myself through the syntax.
Summary:
Lua AOBScan for multiple results -> gives one result
--> (pattern is apparently unique)
still returning the wrong address
--> is there something like a complex function description to look into that describes how the AOB scan works in detail?
EDIT: I found out that I'm always getting the same address from that scan, which is 05656C6D, no matter how often I try to start the game under different circumstances.
It seems to be some kind of static, which I will try to analyze in order to understand what's happening.
muGaen (Newbie cheater, Reputation: 0, Joined: 10 Jan 2018, Posts: 17)
Posted: Thu Jan 11, 2018 2:58 pm
If I add that address as a pointer, it's pointing at 05656C6D.
Is there a way to initialize some variable with the address, not the value it's pointing at, using auto assembler? I'm totally new to auto assembler, to tell the truth.
FreeER (Grandmaster Cheater Supreme, Reputation: 53, Joined: 09 Aug 2013, Posts: 1091)
Posted: Thu Jan 11, 2018 6:53 pm
You should be able to do something like
Code:
alloc(copy,$1000)     // reserve a block to hold the copied address
registerSymbol(copy)  // make "copy" usable from the address list / Lua
aobscan(base,....)    // "base" becomes the address the scan found
copy:
readmem(base,8)       // copy 8 bytes from the found address into "copy"
you'd only need to copy 4 for an x86 game. Or if you were using actual code (hook/createThread) then you could use mov or lea.
muGaen (Newbie cheater, Reputation: 0, Joined: 10 Jan 2018, Posts: 17)
Posted: Fri Jan 12, 2018 12:25 am
It's pointing at that value again.
I just don't understand this.
FreeER (Grandmaster Cheater Supreme, Reputation: 53, Joined: 09 Aug 2013, Posts: 1091)
Posted: Fri Jan 12, 2018 7:51 am
Honestly, I don't either. The only thing I can vaguely think of is some anti-cheat thing working like stealthedit but I really don't have any experience with that kind of thing...
muGaen (Newbie cheater, Reputation: 0, Joined: 10 Jan 2018, Posts: 17)
Posted: Sat Jan 13, 2018 6:15 pm
I think that the address I'm getting is where the calculations take place in order to create that specific block or AOB. That AOB is unique because it has something to do with gained experience. So as soon as I get my skill experience, I'd have to find a new pattern.
I was actually trying to do this because I felt like the time for auto assembly and Lua had come.
Now I understand how assembly works. It's not that hard; I'd have to understand more of the syntax though.
I've taken another way to solve that problem: the normal way.
AOB injection, and copying the address from the right register.
I've also understood what push and pop do, and that's a good step for me. So thank you for all your help. I've learned a lot while monitoring this thread, in order to try it out. Now I'm trying to learn a bit more about the best solutions to approach fstp, using those jne/jn/je if-statements.
Again I want to say thank you to everybody who tried to help me on this one.
Thank you FreeER for all your hints.
___________________________________________________
EDIT: so many hours, and it's still counting as a double post?
I mean.. come on. I've even got a new question..
___________________________________________________
Is there a possibility to check whether a register is pointing at certain bytes?
For example:
I'm using edi to initialize a label I want to use outside assembly later.
Now let's say this edi at that very spot accesses more than one address.
So I would like to have code that compares the bytes of the address it's pointing to with something static I've defined before.
Something like the first 3 bytes of a certain position.
Let's say that esi is accessing 25430123, and at a different player behavior it's accessing 34234312. Let's say we take the first 3 bytes as hexadecimal from 25430123, and compare it to a predefined 3-byte label.
So I'd want to check if the place edi is pointing at has the bytes I defined before, or not.
muGaen (Newbie cheater, Reputation: 0, Joined: 10 Jan 2018, Posts: 17)
Posted: Sun Jan 14, 2018 4:08 am
Okay, I've done it this way:
Code:
condition:
cmp [myLabel]-2cc,'s'
je code
cmp [myLabel]-2cb,'k'
je code
cmp [myLabel]-2ca,'l'
je code
mov [myLabel],eax
jmp code
code:
//original code here
jmp return
I don't know why, but although I can monitor all the values, [myLabel] is still changing to something where the condition isn't met.
However, [myLabel] became much more stable as a pointer (less switching to other addresses).
FreeER (Grandmaster Cheater Supreme, Reputation: 53, Joined: 09 Aug 2013, Posts: 1091)
Posted: Sun Jan 14, 2018 1:04 pm
Quote: "Let's say, we take the first 3 bytes as hexadecimal from 25430123, and compare it to a predefined 3-byte label"
Sounds like a good use case for 'and':
Code:
mov eax, [myLabel]    // load saved pointer
sub eax, 2CA          // subtract offset
and eax, 0xFFFFFF00   // ignore last byte by making it zero
cmp eax, 0x25430100   // check value
je code
...
The reason behind doing the load in two steps is because [myLabel]-2CA isn't actually valid assembly code, CE will quietly assemble it when the script is enabled by figuring out what [myLabel] is and then subtracting 2CA and using that constant value in the code, but separating it into two valid assembly instructions means it'll load the value every time the code runs rather than just when it's first assembled.
at least... I thought it would lol apparently CE just assembles it as [myLabel]
I thought it would because I know it'll assemble something like [[myLabel]+4] that way
You could use lea to get that effect
but... if the address stored in [myLabel] can change during the game then that's not really what you want anyways otherwise the code would only use the original address from when it was enabled.
muGaen (Newbie cheater, Reputation: 0, Joined: 10 Jan 2018, Posts: 17)
Posted: Mon Jan 15, 2018 3:10 pm
Thank you very much, FreeER. I'd like to give you reputation, if I knew how.
I found out that my comparisons didn't work, because I compared dword to byte.
This is how it works:
Code:
code:
cmp byte ptr [edx+04],61 //compare the byte at edx+04
je initPointer           //if yes, initialize the pointer
jmp oCode                //if no, just go on with the original code
initPointer:
mov [myLabeledPointer],edx
jmp oCode
oCode:
... //original code here
So, edx is switching between 4 different addresses.
This code initializes myLabeledPointer only if the right address is found, which has an 'a' at the position.
The actual thing I was missing was the "byte ptr", which was necessary to do a comparison of the same types.
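The two comparison ideas in the thread, the masked pointer check from FreeER's 'and' snippet and the operand-size point behind muGaen's "byte ptr" fix, are illustrated below in Python as an added example (not the posters' code and not something Cheat Engine ships). It emulates `cmp <size> ptr [off], imm` for byte, word and dword operands over a constructed buffer, so the reader can see why a dword compare against 0x61 never sets the zero flag where a byte compare does, and it applies the 0xFFFFFF00 mask directly to the pointer value (the thread's example addresses 25430123 and 34234312 are used as the constructed inputs; the `sub` step from the original snippet is left out because those values are the pointers themselves).

```python
import struct

# Operand sizes x86 `cmp` can use with a memory operand, as little-endian
# struct formats: byte, word (2 bytes) and dword (4 bytes).
SIZES = {"byte": "<B", "word": "<H", "dword": "<I"}

def read_sized(mem: bytes, off: int, size: str) -> int:
    """Read `size` bytes at `off` as an unsigned little-endian integer."""
    return struct.unpack_from(SIZES[size], mem, off)[0]

def cmp_mem_imm(mem: bytes, off: int, imm: int, size: str) -> bool:
    """Emulate `cmp <size> ptr [off], imm` and return whether ZF would be set,
    i.e. whether a following `je` would be taken."""
    return read_sized(mem, off, size) == imm

# Constructed memory: four zero bytes followed by the text "abcd", so 'a' (0x61)
# sits at offset 4, the position the thread's `cmp byte ptr [edx+04],61` reads.
SAMPLE = b"\x00\x00\x00\x00" + b"abcd"

def compare_all_sizes(mem: bytes = SAMPLE, off: int = 4, imm: int = 0x61) -> dict:
    """Run the same comparison with each operand size. Only the byte compare
    sees 0x61; the word compare reads 0x6261 ('ab') and the dword compare
    reads 0x64636261 ('abcd'), neither of which equals the immediate."""
    return {size: cmp_mem_imm(mem, off, imm, size) for size in SIZES}

def masked_pointer_match(pointer: int, expected: int = 0x25430100,
                         mask: int = 0xFFFFFF00) -> bool:
    """The `and eax,0xFFFFFF00` / `cmp eax,0x25430100` idea: keep only the high
    three bytes of the pointer and compare those. The default `expected` value
    is the constructed 3-byte prefix from the thread's example address."""
    return (pointer & mask) == (expected & mask)

if __name__ == "__main__":
    print(compare_all_sizes())
    print(masked_pointer_match(0x25430123), masked_pointer_match(0x34234312))
```

A dword compare against 0x61 can only succeed when the three bytes after the 'a' are all zero, which is the case for a one-character NUL-terminated string but not for longer text; that is exactly why the earlier `cmp [myLabel]-2cc,'s'` form never matched and the `byte ptr` form does.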
FreeER (Grandmaster Cheater Supreme, Reputation: 53, Joined: 09 Aug 2013, Posts: 1091)
Posted: Mon Jan 15, 2018 3:17 pm
Ah yeah, that byte ptr makes sense in context with the string/char.
As far as reputation, um, you click the thumbs up icon next to "reputation".
muGaen (Newbie cheater, Reputation: 0, Joined: 10 Jan 2018, Posts: 17)
Posted: Mon Jan 15, 2018 4:34 pm
I see. Thank you again. I guess I'm too new to this forum to be able to thumb someone up yet.
Thank you very much for all your help. I appreciate it.
I think the next thing I'm going to write is something that analyzes an AOB and searches it for a specific string. If I'm able to do that, I think I'll be able to create my own pointers for almost every game I ever played, even if you have a dynamic subclass allocation.
But I think I'm going to use Lua for that next step.