Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
AOB Injection.. Could not find unique AOB

 
xUnknownHostX
Newbie cheater
Reputation: 0

Joined: 22 May 2019
Posts: 10

Posted: Thu May 23, 2019 9:32 pm    Post subject: AOB Injection.. Could not find unique AOB

Hi there dear CE Forum.

Today I've encountered a problem I cannot solve. Usually I do not ask for help unless I've tried every single possibility and read forum threads and so on; I even read the forum created by TwistedFate, but with no use. I've tried several methods and I still cannot make this work.

What I'm trying to do is scan for a certain AOB and then inject assembly code I wrote at it; however, it's not finding a unique AOB. I tried setting several other bytes to make it unique, and that works (the script activates), but no changes were made, so I'm afraid the changes are being made elsewhere and not where I actually want them.

So here's the script:

Code:
http://prntscr dot com/nsmp5k




And here it is in assembly, with bytes around that I could use to make it unique:

Code:
http://prntscr dot com/nsmpjc



Sorry for the "dot com", but for some reason it won't let me post a URL or an IMG. Just kindly add http and the rest. Sorry.

The red arrow indicates the opcode I want to inject.


Could anyone here please rewrite what I have and make it possible to work? Or even give me some instructions on how to? Thank you in advance.

Here's the code:

Code:

[ENABLE]

aobscanmodule(INJECT,Flagon-Win64-Shipping.exe,ERROR: Could not find unique AOB, tried code "89 41 1C 8B 42 20") // should be unique
alloc(newmem,$100,"Flagon-Win64-Shipping.exe"+5904A1)

label(code)
label(return)

newmem:
cmp [rcx+1BC],01
jne code
mov [rcx+1C],(float)1

code:
  mov [rcx+1C],eax
  mov eax,[rdx+20]
  jmp return

INJECT+BE7268:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT+BE7268:
  db 89 41 1C 8B 42 20

unregistersymbol(INJECT)
dealloc(newmem)


Here are the bytes I've marked that should make it unique (I guess):

Code:
8B 42 08 89 41 08 8B 42 0C 89 41 0C 8B 42 10 89 41 10 8B 42 14 89 41 14 8B 42 18 89 41 18 8B 42 1C [b]89 41 1C[/b]


The bold bytes are the ones I want to inject.

If additional information is needed please let me know!
TheyCallMeTim13
Wiki Contributor
Reputation: 50

Joined: 24 Feb 2017
Posts: 976
Location: Pluto

Posted: Thu May 23, 2019 10:41 pm

Why are you using an offset for the AOB that large? The module offset for the code is less than the offset you have for the AOB, so it's not even inside the same module.
Code:

Address +5904A1
AOB     +BE7268

This means the start of your AOB would need to be 0x656DC7 bytes before the module even begins.

xUnknownHostX
Newbie cheater
Reputation: 0

Joined: 22 May 2019
Posts: 10

Posted: Fri May 24, 2019 1:49 am

Hi there TheyCallMeTim13,
Thank you for answering.

No, let me clarify my problem: I didn't use any offset or anything whatsoever. I just assembled the address I highlighted in the screenshot, and Cheat Engine did that by itself.

That's why I'm asking what I do with this code to add the bytes I want to be searched for and the start address of the opcode I want to inject (just like shown in the pictures in the main post).

Thanks in advance.

Also, for more info, how did you figure out what the address should be before my module even begins? What kind of calculation method or format did you use? Thanks in advance (learning purposes, so I don't encounter the same problem). EDIT: Never mind, I figured that question out: AOB minus address, in hex, gotcha. But yeah, what do I do then?
TheyCallMeTim13
Wiki Contributor
Reputation: 50

Joined: 24 Feb 2017
Posts: 976
Location: Pluto

Posted: Fri May 24, 2019 5:03 am

This might help.
https://youtu.be/IAo6pcMVUeA?list=PLMomQxQh6AdWw6L84t35Ms6-ylZmceC5U&t=430

But basically you want to get rid of the offset for the injection symbol (i.e. "INJECT+BE7268"). Just select the line in the memory view form, hold Shift and select another line a ways down, and hit Ctrl+Alt+C to copy just the bytes; then do an AOB scan in the main CE form until you get a unique string of bytes.

But looking at that code, are you sure this isn't a shared instruction? It looks like a large amount of memory is being copied in the game's code. If you can, you might even want to find a different injection spot.

xUnknownHostX
Newbie cheater
Reputation: 0

Joined: 22 May 2019
Posts: 10

Posted: Fri May 24, 2019 5:17 am

Thanks. I've done some digging myself and figured out why the offset was messing up, so this is what I've done for now:

Code:


[ENABLE]

aobscanmodule(INJECT,Flagon-Win64-Shipping.exe,8B 82 B0 00 00 00 89 81 B0 00 00 00 8B 82 B4 00 00 00 89 81 B4 00 00 00 8B 82 B8 00 00 00 89 81 B8 00 00 00) // should be unique
alloc(newmem,$100,"Flagon-Win64-Shipping.exe"+5905D0)

label(code)
label(return)

newmem:
cmp [rcx+12C],4
jne code
mov [rcx+000000B8],(float)1

code:
  mov [rcx+000000B8],(float)2
  jmp return

INJECT+1E:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT+1E:
  db 89 81 B8 00 00 00

unregistersymbol(INJECT)
dealloc(newmem)


However, what I am having a problem with is my Dissect Data Structure. You are correct, this is a shared opcode with many addresses accessing it, hence why I am using CMP; however, all the addresses in the DDE (Dissect Data Structure, for future reference) are either Green (Equal) or Red (Different) from the other groups that I've randomly selected.



The thing is, enemy resistances go through this code, as do my resistances, weapon, etc., so it's a huge code, and the resistances change places all the time, so there is no other place where I can inject really; this is, like, the last resort.



Code:
http://prntscr dot com/nss8rp



Above in the DDE I managed to find 012C, which is 4 bytes (however, for some reason it's green? but none of the groups are equal to it?), and to fail-test my code I've added float 1 if the code works and float 2 if it doesn't. The value keeps changing to float 2 ingame, so the CMP is definitely not kicking in and jumping to not-equal as the code says. Am I using CMP wrong? If not, what do I do in this case when the DDE is filled with Red (Different) and Green addresses, along with purple and blue of course, which I do not touch since they keep changing?


There is also one problem with the Dissect Data Structure: the resistance I change has 4 different codes that access this opcode address; however, only one changes the result (the one I'm comparing out), so it's hard to find non-equal ones since they're almost all identical except a few (the one I showed you above).

The code works correctly in essence of changing the resistances, but right now it's affecting my enemies and me. The CMP I added is supposed to rule me out from the others.
TheyCallMeTim13
Wiki Contributor
Reputation: 50

Joined: 24 Feb 2017
Posts: 976
Location: Pluto

Posted: Fri May 24, 2019 7:35 am

You're setting the float to 1 then immediately setting back to 2. You need a jump to return after the float is set to 1.

Code:
[ENABLE]

aobscanmodule(INJECT,Flagon-Win64-Shipping.exe,8B 82 B0 00 00 00 89 81 B0 00 00 00 8B 82 B4 00 00 00 89 81 B4 00 00 00 8B 82 B8 00 00 00 89 81 B8 00 00 00) // should be unique
alloc(newmem,$100,"Flagon-Win64-Shipping.exe"+5905D0)

label(code)
label(return)

newmem:
cmp [rcx+12C],4
jne code
mov [rcx+000000B8],(float)1
jmp return

code:
  mov [rcx+000000B8],(float)2
  jmp return

INJECT+1E:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT+1E:
  db 89 81 B8 00 00 00

unregistersymbol(INJECT)
dealloc(newmem)

xUnknownHostX
Newbie cheater
Reputation: 0

Joined: 22 May 2019
Posts: 10

Posted: Fri May 24, 2019 8:41 am

TheyCallMeTim13 wrote:
You're setting the float to 1 then immediately setting back to 2. You need a jump to return after the float is set to 1.

Code:
[ENABLE]

aobscanmodule(INJECT,Flagon-Win64-Shipping.exe,8B 82 B0 00 00 00 89 81 B0 00 00 00 8B 82 B4 00 00 00 89 81 B4 00 00 00 8B 82 B8 00 00 00 89 81 B8 00 00 00) // should be unique
alloc(newmem,$100,"Flagon-Win64-Shipping.exe"+5905D0)

label(code)
label(return)

newmem:
cmp [rcx+12C],4
jne code
mov [rcx+000000B8],(float)1
jmp return

code:
  mov [rcx+000000B8],(float)2
  jmp return

INJECT+1E:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT+1E:
  db 89 81 B8 00 00 00

unregistersymbol(INJECT)
dealloc(newmem)



Yeah, thanks, I know. I realized that and had already put that in before you replied. Thanks for your reply, however; it still didn't do anything, it still goes to float 2.
TheyCallMeTim13
Wiki Contributor
Reputation: 50

Joined: 24 Feb 2017
Posts: 976
Location: Pluto

Posted: Fri May 24, 2019 1:34 pm

You'll just have to set a breakpoint and debug your code to see what's actually going on. It might be that the value you're comparing gets changed before your code. Or that the float value is reset right after. You're not saving and restoring the flags register, so that might be an issue.
xUnknownHostX
Newbie cheater
Reputation: 0

Joined: 22 May 2019
Posts: 10

Posted: Fri May 24, 2019 3:47 pm

TheyCallMeTim13 wrote:
You'll just have to set a breakpoint and debug your code to see what's actually going on. It might be that the value you're comparing gets changed before your code. Or that the float value is reset right after. You're not saving and restoring the flags register, so that might be an issue.



Yeah, with some more digging in the code and trying many different offsets, this is currently working 100%:


Code:
[ENABLE]

aobscanmodule(INJECT,Flagon-Win64-Shipping.exe,8B 82 AC 00 00 00 89 81 AC 00 00 00 8B 82 B0 00 00 00 89 81 B0 00 00 00 8B 82 B4 00 00 00 89 81 B4 00 00 00) // should be unique
alloc(newmem,$100,"Flagon-Win64-Shipping.exe"+5905C4)

label(code)
label(return)

newmem:
cmp [rcx+194],00000013
jne code
mov eax,(float)1
mov [rcx+000000B4],eax
jmp return

code:
  mov [rcx+000000B4],eax
  jmp return

INJECT+1E:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT+1E:
  db 89 81 B4 00 00 00

unregistersymbol(INJECT)
dealloc(newmem)


However, what is annoying me is that it's capping at 0.75 float and not changing its value to 1.0 when added. If I do this:

Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048,"Flagon-Win64-Shipping.exe"+5905C4)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
cmp [rcx+194],00000013
jne originalcode
mov eax,(float)1
mov [rcx+000000B4],eax
jmp returnhere

originalcode:
mov [rcx+000000B4],eax

exit:
jmp returnhere

"Flagon-Win64-Shipping.exe"+5905C4:
jmp newmem
nop
returnhere:


 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"Flagon-Win64-Shipping.exe"+5905C4:
mov [rcx+000000B4],eax


It works perfectly fine and goes up to 100%, which is 25% overcapped resistance ingame (75% is the max), which I think is somewhat of a reason why the first one is not working as I want. However, my question is: why would code injection work okay and AOB not?

Also, there is something that code injection does make a mistake with, however:

those extra 25% get added to me and to the enemy. Looks like overcapped resistances are handled by another code?
TheyCallMeTim13
Wiki Contributor
Reputation: 50

Joined: 24 Feb 2017
Posts: 976
Location: Pluto

Posted: Fri May 24, 2019 5:13 pm

Did you try the changes with the AOB? It really shouldn't matter which you use so long as the AOB string actually gets only one result.

But what you can also do is enable your script and see what writes to the address to see where it's being checked and overwritten, then just NOP that code.

And you'll have to find a better way to filter it out.

xUnknownHostX
Newbie cheater
Reputation: 0

Joined: 22 May 2019
Posts: 10

Posted: Fri May 24, 2019 6:31 pm

TheyCallMeTim13 wrote:
Did you try the changes with the AOB? It really shouldn't matter which you use so long as the AOB string actually gets only one result.

But what you can also do is enable your script and see what writes to the address to see where it's being checked and overwritten, then just NOP that code.

And you'll have to find a better way to filter it out.



The problem is that the AOB always gets two results, no matter how long I make the AOB. One is identical to the other; however, one does not change anything in the game whatsoever, and the other one does. The one that does change stuff ingame I can manually change to whatever I want, and it works (by changing the AOB manually). However, when I inject it, it does not change to the value I want unless I use CODE INJECTION as explained above, and that for some reason bugs out and gives different results than intended, even though they're running the same code: one caps at 75% (ingame resistance) and the other one can go above 100+++, but anything above 75% starts giving enemies resistances too. The AOB I inject I rule out from the other by using CMP, so it only changes one of the AOBs (the correct one).

Hmm, okay so I enable my script, and then check the AOB that I changed to see what writes to the address on top of my script, correct?
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Sat May 25, 2019 10:07 am

limit the scan region to a specific boundary by using aobscanregion.
xUnknownHostX
Newbie cheater
Reputation: 0

Joined: 22 May 2019
Posts: 10

Posted: Sat May 25, 2019 6:31 pm

OldCheatEngineUser wrote:
limit the scan region to a specific boundary by using aobscanregion.


Thank you for answering and chipping in, OldCheatEngineUser. Would you please show an example with the information I've given, so I can take that and learn from there? Thank you.
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Sun May 26, 2019 9:46 pm

if you can't find a unique pattern, then code injection is an option.

Code:
aobscanregion(symbol, start address, end address, bytes to search)

aobscanregion(inject,module.exe+1234,module.exe+5678, 9a bc de f0)


in your case:

Code:
[ENABLE]
// injection address "Flagon-Win64-Shipping.exe"+5905C4

aobscanregion(INJECT,"Flagon-Win64-Shipping.exe"+590000,"Flagon-Win64-Shipping.exe"+590FFF,8B 82 B4 00 00 00 89 81 B4 00 00 00) // should be unique; aobscanregion takes a start and end address, aobscanmodule only takes a module name
alloc(newmem,$100,INJECT)

label(code)
label(return)

newmem:
cmp [rcx+194],00000013
jne code
mov eax,(float)1
mov [rcx+000000B4],eax
jmp return

code:
  mov [rcx+000000B4],eax
  jmp return

INJECT+06:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT+06:
  db 89 81 B4 00 00 00

unregistersymbol(INJECT)
dealloc(newmem)

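A toy scanner, added here and not part of the thread or of Cheat Engine, that shows the two points the replies turn on: TheyCallMeTim13's offset arithmetic (a pattern label that would have to start before the instruction it targets) and OldCheatEngineUser's region scan turning a pattern with two hits into a unique one. The module image, its offsets, and the helper names are constructed for the example.

```python
"""Toy AOB scanner with the semantics the thread relies on: aobscanmodule
walks a whole module, aobscanregion a window of it, and either fails unless
exactly one hit remains. Added example, not Cheat Engine's own code."""
import re

def aob_to_regex(aob: str) -> re.Pattern:
    """Compile '8B 82 ?? 00' into a bytes regex; '??' or '*' is a wildcard byte."""
    parts = []
    for tok in aob.split():
        parts.append(b"." if tok in ("??", "*") else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def aob_scan(image, aob, start=0, end=None):
    """Offsets of every match inside image[start:end+1] (end inclusive, like
    aobscanregion's end address). start=0, end=None scans the whole module."""
    end = len(image) if end is None else min(end + 1, len(image))
    rx = aob_to_regex(aob)
    hits, pos = [], start
    while (m := rx.search(image, pos, end)) is not None:
        hits.append(m.start())
        pos = m.start() + 1  # keep looking; overlapping hits still count
    return hits

def unique_hit(image, aob, start=0, end=None):
    """Mimic the auto assembler: raise unless the scan yields exactly one result."""
    hits = aob_scan(image, aob, start, end)
    if len(hits) != 1:
        raise ValueError(f"Could not find unique AOB ({len(hits)} results)")
    return hits[0]

def inject_offset(pattern_rva, inject_rva):
    """Value to write after 'INJECT+' so the jmp overwrites the instruction at
    inject_rva. Negative means the pattern would have to start before the
    target (the thread's +BE7268 label against a +5904A1 instruction)."""
    return inject_rva - pattern_rva

# Constructed 8 KiB "module" image, not game memory: the copy loop
# mov eax,[rdx+B4] / mov [rcx+B4],eax occurs twice, as the poster saw,
# and the neighbouring +B8 pair occurs once.
COPY_B4 = bytes.fromhex("8B82B4000000" "8981B4000000")
COPY_B8 = bytes.fromhex("8B82B8000000" "8981B8000000")
MODULE = bytearray(0x2000)
MODULE[0x0400:0x0400 + len(COPY_B4)] = COPY_B4
MODULE[0x1200:0x1200 + len(COPY_B4)] = COPY_B4
MODULE[0x1800:0x1800 + len(COPY_B8)] = COPY_B8

if __name__ == "__main__":
    aob = "8B 82 B4 00 00 00 89 81 B4 00 00 00"
    print("module-wide:", [hex(h) for h in aob_scan(MODULE, aob)])  # two hits
    hit = unique_hit(MODULE, aob, start=0x1000, end=0x1FFF)        # region scan
    print("region hit %#x, write to INJECT+%02X" % (hit, inject_offset(hit, hit + 6)))
```

The INJECT+06 value the region scan yields matches the script above because the second instruction of the pair starts 6 bytes into the pattern.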