 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
guy960915
Expert Cheater
 Reputation: 2
Joined: 17 Sep 2007
Posts: 168
|
 Posted: Sun Apr 21, 2019 7:45 am Post subject: Problem with AA AOB Injection |
 |
|
Hello,
noticed this whenever i AA a 64bit Game, when i do not use near address or range address
Ex, only use this alloc(newmem,1000), but sometimes even with near range, jmp will take 18 bytes, alloc mem is FAR i guess.
it's destroying the ORIGINAL code after the AA is enabled,
Ex.
AA insert here 7FFBB4C94147
| Code: | -->7FFBB4C94147 - C4E17A1081 38 010000 - vmovss xmm0,[rcx+00000138]
7FFBB4C94150 - C4E17A5905 1F 000000 - vmulss xmm0,xmm0,[7FFBB4C94178]
7FFBB4C94159 - C4E17A5905 1A 000000 - vmulss xmm0,xmm0,[7FFBB4C9417C]
7FFBB4C94162 - C4E17A5AC0 - cvtss2sd xmm0,xmm0,xmm0
7FFBB4C94167 - E8 14AD915E - call clr.dll+1BEE80
|
after AA AOB Injection it took 18 bytes
| Code: | 7FFBB4C94147 - FF25 00000000 000084CBA3010000 - jmp 1A3CB840000
7FFBB4C94155 - 90 - nop
7FFBB4C94156 - 90 - nop
7FFBB4C94157 - 90 - nop
7FFBB4C94158 - 90 - nop
7FFBB4C94159 - C4E17A5905 1A 000000 - vmulss xmm0,xmm0,[7FFBB4C9417C]
7FFBB4C94162 - C4E17A5AC0 - cvtss2sd xmm0,xmm0,xmm0
7FFBB4C94167 - E8 14AD915E - call clr.dll+1BEE80
|
On the AA: Only the "vmovss xmm0,[rcx+00000138]" was added to the AA.
| Code: | 1A3CB840000 - C7 81 38010000 CDCC4C3D - mov [rcx+00000138],3D4CCCCD //set time
-->1A3CB84000A - C5FA1081 38 010000 - vmovss xmm0,[rcx+00000138]
1A3CB840012 - FF25 00000000 5941C9B4FB7F0000 - jmp 7FFBB4C94159
|
on the DISABLE part only the bytes of the injected code is present, "db C5 FA 10 81 38 01 00 00"
So, when AA is enabled, the Original Opcodes will be overwritten, will result in crash.
also, when AA is disabled it will only return the AA Opcode, the overwritten Opcodes are not, this will result in crash.
I guess i just want the AOB injection to compensate when game is 64bit.
|
|
| Back to top |
|
 |
Dark Byte
Site Admin
 Reputation: 472
Joined: 09 May 2003
Posts: 25880
Location: The netherlands
|
| Posted: Sun Apr 21, 2019 12:58 pm Post subject: |
|
|
Just assume the jmp is 14 bytes and take that into account
so have
| Code: |
originalcode:
vmovss xmm0,[rcx+00000138]
vmulss xmm0,xmm0
jmp aobaddress+12
aobaddress:
jmp newmem
|
or, change your alloc(newmem,xxx) to alloc(newmem,xxx,aobscanresult)
(the aob script generator does that for you, I don't know why your script doesn't)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
guy960915
Expert Cheater
Reputation: 2
Joined: 17 Sep 2007
Posts: 168
|
| Posted: Sun Apr 21, 2019 9:59 pm Post subject: |
|
|
Game target is "They are Billions"
v 0.9.2 and 10.16.18
i was making AA AOB to work with different version,
then, i was puzzled when sometimes the game crashed on both version. so i took a closer look,
Address keep changing,
in 0.9.2
7FFCA2D01B98
7FFE9CC36D0A
7FFE9CBFE73C
in 10.16.18
7FFBBxxxxxxxx
7FFExxxxxxxxx
when alloc is close its fine, but when the alloc is far, my AA will crash the game,
i guess for the meantime i will always take account the 14bytes when dealing with 64bit games.
thank you very much,
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
