Cheat Engine Forum -> General Gamehacking

AoB Injection Help
CursedToast (Cheater) posted Mon Sep 24, 2018 9:15 pm, subject: AoB Injection Help

Hello,
I have been emulating a game with Citra, and have been unable to find a pointer. So I decided to attempt injection.

I first found the value I needed a pointer for and found what wrote to the address:




Then I ran the disassembler and made sure that was the only address writing to it.

Then I created an AOB template and added in the code to do the injection:

Code:
[ENABLE]

aobscan(INJECT,46 88 04 10 EB 05 E8 AC 90) // should be unique
alloc(newmem,$1000,1C9EF6CD4E9)

label(code)
label(return)
globalalloc(_egg,4)

newmem:

code:
  mov [_egg],rax
  mov [rax+r10],r8l
  jmp 1C9EF6CD4F4
  jmp return

INJECT:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 46 88 04 10 EB 05

unregistersymbol(INJECT)
dealloc(newmem)


Then I'll add manual address:
Code:
[_egg] + 1E8


And after the value updates in game, it eventually shows up.

Unfortunately, between game launches, this script doesn't work, even once the value has updated.

It was my understanding that an injection like this is good when finding a pointer isn't working out. Am I doing anything blatantly wrong?


Something I did notice is that, when viewing what writes to the address (every time I restart the game and lose the value and have to re-find it), it's always mov rax+r10, and r10 always equals 1E8. I'm not sure if this can be explored further. I know just the basics of using CE.

[Attachment: 1.PNG]
TheyCallMeTim13 (Wiki Contributor) posted Mon Sep 24, 2018 9:59 pm:

Don't use hardcoded addresses in your scripts; it defeats the purpose of using an AOB. The addresses are most likely changing. And you can use the AOB symbol for the "nearAddress" of the "alloc" call (i.e. "alloc(mem, 0x100, INJECT)"). And make sure you're using unique AOB symbols; you can just number them like "INJECT01" and so on.

Move the injection to a better spot (like up one line), or use "reassemble".
https://wiki.cheatengine.org/index.php?title=Auto_Assembler:reassemble

CursedToast (Cheater) posted Mon Sep 24, 2018 10:05 pm:

TheyCallMeTim13 wrote:
Don't use hardcoded addresses in your scripts; it defeats the purpose of using an AOB. The addresses are most likely changing. And you can use the AOB symbol for the "nearAddress" of the "alloc" call (i.e. "alloc(mem, 0x100, INJECT)"). And make sure you're using unique AOB symbols; you can just number them like "INJECT01" and so on.

Move the injection to a better spot (like up one line), or use "reassemble".
https://wiki.cheatengine.org/index.php?title=Auto_Assembler:reassemble


Thanks. Still very new to this, and I was just following along with a Youtube video/a post on these forums for the most part.

Do you have any examples I could look at that does the things you're doing so I get a better idea? I'm dead new at this. Sorry to be a hassle. I greatly appreciate your help
Betcha (Expert Cheater) posted Mon Sep 24, 2018 10:27 pm, subject: Re: AoB Injection Help

CursedToast wrote:
Unfortunately, between game launches, this script doesn't work, even once the value has updated.


1. Replace that address with the exact name you gave your injection. In this case your script name is INJECT, so it should look like this:
Code:
aobscan(INJECT,46 88 04 10 EB 05 E8 AC 90)
alloc(newmem,$1000,INJECT)

The reason is that the address changes each time the game is restarted.
When you activate the script it tries to allocate memory near that address,
but that address may not exist anymore, which prevents the script from working.

2. For a 64-bit game, use 8 instead of 4 with globalalloc.
Code:
globalalloc(_egg,8)

Because when you try to move an address of this size, for example 00000000000,
into a place that was specified to hold only a 32-bit address, 00000000,
you can clearly see it wouldn't fit, and that can cause globalalloc not to work.

3. Try to inject your code one line up, just to avoid jmp 1C9EF6CD4F4,
because each time you restart the game that jmp address will change.
It can cause a crash or some other weird things when the script is active.


Last edited by Betcha on Mon Sep 24, 2018 10:45 pm; edited 1 time in total
CursedToast (Cheater) posted Mon Sep 24, 2018 10:32 pm:

Thank you! I'll give it a shot the next time I'm at my PC. I appreciate it.
CursedToast (Cheater) posted Tue Sep 25, 2018 8:07 am:

Okay, what do you mean by "Try to inject your code one line up"?

I tried the following, and this crashed the game as soon as the value would have changed:

Code:
[ENABLE]

aobscan(INJECT,46 88 04 10 EB 05 E8 7C B9 B7) // should be unique
alloc(newmem,$1000,INJECT)

label(code)
label(return)
globalalloc(_egg,4)

newmem:

code:
  mov [_egg],rax
  mov [rax+r10],r8l
  jmp 2527378EC24
INJECT:
  jmp newmem
  nop
  jmp return


return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 46 88 04 10 EB 05

unregistersymbol(INJECT)
dealloc(newmem)


I'm assuming I'm doing something blatantly wrong.
Betcha (Expert Cheater) posted Tue Sep 25, 2018 8:15 am:

CursedToast wrote:
Okay, what do you mean by "Try to inject your code one line up"?

CursedToast (Cheater) posted Tue Sep 25, 2018 8:45 am:

Okay, so just take the same code I would normally write and create it one line up instead?

Edit:

Okay, so I created the script one line up and added information from prior, this is what the template + my code looked like:

Code:
[ENABLE]

aobscan(INJECT,41 81 E2 FF 0F 00 00 46 88 04 10 EB 05 E8 EC 09 B9) // should be unique
alloc(newmem,$1000,INJECT)

label(code)
label(return)
globalalloc(_egg,4)

newmem:

code:
  and r10d,00000FFF
  mov [_egg],rax
  mov [rax+r10],r8l
  jmp return

INJECT:
  jmp newmem
  nop
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 41 81 E2 FF 0F 00 00

unregistersymbol(INJECT)
dealloc(newmem)


This worked until I restarted the game. Now I can't enable the script. I'm assuming I misinterpreted something.


After re-finding the value manually and going to create a new script at the new location, I noticed something.

Old script (before restart) that worked:

Code:
aobscan(INJECT,41 81 E2 FF 0F 00 00 46 88 04 10 EB 05 E8 EC 09 B9)


New location templated script (after restart):

Code:
aobscan(INJECT,41 81 E2 FF 0F 00 00 46 88 04 10 EB 05 E8 8C 71)


So most of the information is the same.
Betcha (Expert Cheater) posted Tue Sep 25, 2018 10:48 am:

Replace the changing bytes with ?? and it should look like this:
Code:
aobscan(INJECT,41 81 E2 FF 0F 00 00 46 88 04 10 EB 05 E8 ?? ?? ??)

Before activating the script, scan your Array of Bytes to see how many results you get.
If you get one result, then your script is done and should run smoothly from now on.



If you get multiple results, then you have to update your Array of Bytes until it's unique.
To do that, open your script and scroll down until you see the blue snippet of your injection.
From there you have to add bytes to your original AoB until scanning gives you only one result.
If you're not sure how to use that blue snippet to update your AoB, paste that blue snippet here.
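The scanning step this reply describes, as an added example that is not part of the thread: a small Python AoB scanner where ?? matches any byte, run over two constructed memory images built from the instruction bytes quoted later in the thread (the same prologue, with a different displacement after the E8 call opcode in each launch). It uses four wildcards after E8 because a call rel32 carries a four-byte displacement; the buffers, the filler and the decoy copy are constructed for the example.

```python
# Added example (not from the thread): AoB matching with ?? wildcards.
def parse_aob(pattern: str) -> list:
    """'EB 05 E8 ?? ??' -> [0xEB, 0x05, 0xE8, None, None]; None matches any byte."""
    return [None if tok in ("?", "??") else int(tok, 16) for tok in pattern.split()]

def aob_scan(buf: bytes, pattern: str) -> list:
    """Return every offset in buf at which the pattern matches."""
    pat = parse_aob(pattern)
    n = len(pat)
    return [i for i in range(len(buf) - n + 1)
            if all(p is None or buf[i + k] == p for k, p in enumerate(pat))]

# Constructed memory images for two launches. The instruction bytes are the
# ones quoted in the thread; only the four displacement bytes of the E8 call
# differ, because the distance to the call target changes when the game restarts.
FILLER = bytes(range(64))                                      # constructed padding
PROLOGUE = bytes.fromhex("4181E2FF0F0000" "46880410" "EB05")   # and r10d,0FFF / mov [rax+r10],r8l / jmp +5
EPILOGUE = bytes.fromhex("418B4738")                           # mov eax,[r15+38]
LAUNCH_A = FILLER + PROLOGUE + bytes.fromhex("E84CE599FF") + EPILOGUE + FILLER
LAUNCH_B = FILLER + PROLOGUE + bytes.fromhex("E8CC1DB1FE") + EPILOGUE + FILLER

EXACT    = "41 81 E2 FF 0F 00 00 46 88 04 10 EB 05 E8 4C E5 99 FF"
WILDCARD = "41 81 E2 FF 0F 00 00 46 88 04 10 EB 05 E8 ?? ?? ?? ??"

def hits_per_launch(pattern: str) -> tuple:
    """(matches in launch A, matches in launch B) for one pattern."""
    return (len(aob_scan(LAUNCH_A, pattern)), len(aob_scan(LAUNCH_B, pattern)))

# Uniqueness check: a second, constructed copy of the same prologue elsewhere
# makes the short pattern ambiguous; appending the bytes that follow the call
# (the "add bytes until one result" step) makes it unique again.
DECOY = PROLOGUE + bytes.fromhex("E800000000") + bytes.fromhex("90909090")
LAUNCH_B_WITH_DECOY = LAUNCH_B + DECOY
LONGER = WILDCARD + " 41 8B 47 38"

def result_counts(buf: bytes, *patterns: str) -> list:
    """How many hits each pattern has in buf; the goal is exactly one."""
    return [len(aob_scan(buf, p)) for p in patterns]

if __name__ == "__main__":
    print("exact   :", hits_per_launch(EXACT))      # (1, 0): breaks after a restart
    print("wildcard:", hits_per_launch(WILDCARD))   # (1, 1): survives the restart
    print("decoy   :", result_counts(LAUNCH_B_WITH_DECOY, WILDCARD, LONGER))  # [2, 1]
```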
CursedToast (Cheater) posted Tue Sep 25, 2018 10:56 am:

I get thousands of results, searching for that. Here is the blue snippet:

Code:
{
// ORIGINAL CODE - INJECTION POINT: 1C1131B7042

1C1131B7014: 41 89 87 58 01 00 00           -  mov [r15+00000158],eax
1C1131B701B: 44 89 F2                       -  mov edx,r14d
1C1131B701E: 45 8B 87 58 01 00 00           -  mov r8d,[r15+00000158]
1C1131B7025: 48 B8 20 E1 D4 11 C1 01 00 00  -  mov rax,000001C111D4E120
1C1131B702F: 41 89 D3                       -  mov r11d,edx
1C1131B7032: 41 C1 EB 0C                    -  shr r11d,0C
1C1131B7036: 4A 8B 04 D8                    -  mov rax,[rax+r11*8]
1C1131B703A: 48 85 C0                       -  test rax,rax
1C1131B703D: 74 10                          -  je 1C1131B704F
1C1131B703F: 41 89 D2                       -  mov r10d,edx
// ---------- INJECTING HERE ----------
1C1131B7042: 41 81 E2 FF 0F 00 00           -  and r10d,00000FFF
// ---------- DONE INJECTING  ----------
1C1131B7049: 46 88 04 10                    -  mov [rax+r10],r8l
1C1131B704D: EB 05                          -  jmp 1C1131B7054
1C1131B704F: E8 4C E5 99 FF                 -  call 1C112B555A0
1C1131B7054: 41 8B 47 38                    -  mov eax,[r15+38]
1C1131B7058: 41 89 C6                       -  mov r14d,eax
1C1131B705B: 41 83 E6 01                    -  and r14d,01
1C1131B705F: 45 89 77 40                    -  mov [r15+40],r14d
1C1131B7063: 47 8D 74 36 FC                 -  lea r14d,[r14+r14-04]
1C1131B7068: 44 21 F0                       -  and eax,r14d
1C1131B706B: 41 89 47 3C                    -  mov [r15+3C],eax
}


I appreciate your help, I'm learning a lot.
Betcha (Expert Cheater) posted Tue Sep 25, 2018 11:10 am:

Scan for this:
Code:
41 81 E2 FF 0F 00 00 46 88 04 10 EB ?? E8 ?? ?? ?? ?? 41 8B 47 38

// ---------- INJECTING HERE ----------
1C1131B7042: 41 81 E2 FF 0F 00 00 - and r10d,00000FFF
// ---------- DONE INJECTING ----------
1C1131B7049: 46 88 04 10 - mov [rax+r10],r8l
1C1131B704D: EB ?? - jmp 1C1131B7054
1C1131B704F: E8 ?? ?? ?? ?? - call 1C112B555A0
1C1131B7054: 41 8B 47 38 - mov eax,[r15+38]
1C1131B7058: 41 89 C6 - mov r14d,eax
1C1131B705B: 41 83 E6 01 - and r14d,01
1C1131B705F: 45 89 77 40 - mov [r15+40],r14d
1C1131B7063: 47 8D 74 36 FC - lea r14d,[r14+r14-04]
1C1131B7068: 44 21 F0 - and eax,r14d
1C1131B706B: 41 89 47 3C - mov [r15+3C],eax

If you still get multiple results when you scan, then keep adding new bytes down the list.
If you get 0 results, remove bytes until you get results, and replace the bytes that gave you 0 results with ??.
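The "blank the changing bytes" step this reply does by hand, as an added example that is not part of the thread: a Python helper that takes a Cheat Engine original-code listing (the blue snippet quoted above) and wildcards the bytes that encode addresses, namely rel8/rel32 branch displacements and the 8-byte immediate of mov r64,imm64, using the standard x86-64 opcode encodings. On the quoted lines it produces exactly the pattern this reply gives; the mask rules are the example's own, not a Cheat Engine feature.

```python
# Added example (not from the thread): build a restart-proof AoB from a
# Cheat Engine "original code" listing by wildcarding address-bearing bytes.
# The listing below is a subset of the one quoted earlier in the thread.
SNIPPET = """\
// ---------- INJECTING HERE ----------
1C1131B7042: 41 81 E2 FF 0F 00 00           -  and r10d,00000FFF
// ---------- DONE INJECTING  ----------
1C1131B7049: 46 88 04 10                    -  mov [rax+r10],r8l
1C1131B704D: EB 05                          -  jmp 1C1131B7054
1C1131B704F: E8 4C E5 99 FF                 -  call 1C112B555A0
1C1131B7054: 41 8B 47 38                    -  mov eax,[r15+38]
"""

def mask_relocatable(code: bytes) -> list:
    """AoB tokens for one instruction; bytes holding a displacement or an
    absolute pointer become '??'. Short rel8 jumps inside one block are usually
    stable across restarts, but they are wildcarded here as in the reply."""
    toks = [f"{b:02X}" for b in code]
    i = 1 if 0x40 <= code[0] <= 0x4F else 0      # skip a REX prefix
    op = code[i]
    if op == 0xEB or 0x70 <= op <= 0x7F:         # jmp rel8 / jcc rel8
        toks[i + 1] = "??"
    elif op in (0xE8, 0xE9):                     # call rel32 / jmp rel32
        toks[i + 1:i + 5] = ["??"] * 4
    elif op == 0x0F and 0x80 <= code[i + 1] <= 0x8F:        # jcc rel32
        toks[i + 2:i + 6] = ["??"] * 4
    elif i == 1 and code[0] & 0x08 and 0xB8 <= op <= 0xBF:  # mov r64, imm64 (REX.W)
        toks[i + 1:i + 9] = ["??"] * 8
    return toks

def snippet_to_aob(snippet: str) -> str:
    """Parse 'ADDR: BYTES - MNEMONIC' lines, skip CE's comment lines, join tokens."""
    tokens = []
    for line in snippet.splitlines():
        if not line or line.startswith(("//", "{", "}")):
            continue
        hexpart = line.split(":", 1)[1].split("-", 1)[0]
        tokens += mask_relocatable(bytes.fromhex(hexpart.replace(" ", "")))
    return " ".join(tokens)

if __name__ == "__main__":
    print(snippet_to_aob(SNIPPET))
    # 41 81 E2 FF 0F 00 00 46 88 04 10 EB ?? E8 ?? ?? ?? ?? 41 8B 47 38
```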
CursedToast (Cheater) posted Tue Sep 25, 2018 11:23 am:

I ended up getting it down to 580 results.

This is my latest search:

Code:
41 81 E2 FF 0F 00 00 46 88 04 10 EB ?? E8 ?? ?? ?? ?? 41 8B 47 38 41 89 C6 41 83 E6 01 45 89 77 40 47 8D 74 36 FC 44 21 F0 41 89 47 3C


Hope I did it right?


Then I started over:

Code:
aobscan(INJECT,41 81 E2 FF 0F 00 00 46 88 04 10 EB 05 E8 CC 1D)


Code:
// ---------- INJECTING HERE ----------
225CD08E7C2: 41 81 E2 FF 0F 00 00           -  and r10d,00000FFF
// ---------- DONE INJECTING  ----------
225CD08E7C9: 46 88 04 10                    -  mov [rax+r10],r8l
225CD08E7CD: EB 05                          -  jmp 225CD08E7D4
225CD08E7CF: E8 CC 1D B1 FE                 -  call 225CBBA05A0
225CD08E7D4: 41 8B 47 38                    -  mov eax,[r15+38]
225CD08E7D8: 41 89 C6                       -  mov r14d,eax
225CD08E7DB: 41 83 E6 01                    -  and r14d,01
225CD08E7DF: 45 89 77 40                    -  mov [r15+40],r14d
225CD08E7E3: 47 8D 74 36 FC                 -  lea r14d,[r14+r14-04]
225CD08E7E8: 44 21 F0                       -  and eax,r14d
225CD08E7EB: 41 89 47 3C                    -  mov [r15+3C],eax


And then I got down to 169 results adding one at a time; eventually my final search, which led to 169, was:

Code:
41 81 E2 FF 0F 00 00 46 88 04 10 EB 05 E8 ?? ?? ?? ?? 41 8B 47 38 41 89 C6 41 83 E6 01 45 89 77 40 47 8D 74 36 FC 44 21 F0 41 89 47 3C


Last edited by CursedToast on Tue Sep 25, 2018 11:41 am; edited 1 time in total
Betcha (Expert Cheater) posted Tue Sep 25, 2018 11:39 am:

So the latest scan gives 580 results...
You should consider creating a new script in a different location,
by checking what accesses / writes to your value address.
If other values access that instruction, then this video will help out.
CursedToast (Cheater) posted Tue Sep 25, 2018 11:48 am:

Thanks for your help, I'll dig further into this. Though at this point, I'm thinking the effort put into this is taking up more time than just finding the value each time I start my bot program haha.

Thank you for everything, it's greatly appreciated.