The Official Site of Cheat Engine
Help understanding AOB Injection

Cheat Engine Forum Index -> General Discussions
TDWL
Newbie cheater
Reputation: 0

Joined: 28 Jan 2020
Posts: 10

Posted: Tue Jan 28, 2020 11:26 pm    Post subject: Help understanding AOB Injection

Hi, I'm new to this and I've been watching some CE tutorials. However, a problem came up while trying to do an AOB injection and I can't seem to find the solution.

So I have this code:
Code:

[ENABLE]

aobscan(INJECT,03 45 0C 89 45 F8 89 42 34 8B 0D 3C 8F D8 07) // should be unique
alloc(newmem,$1000)

//label(code)
label(return)

newmem:
  mov [edx+34],(int)999999
  mov ecx,[07D88F3C]
  jmp return
{code:
  mov [edx+34],eax
  mov ecx,[07D88F3C]
  jmp return}

INJECT+06:
  jmp newmem
  nop 4
return:
registersymbol(INJECT)

[DISABLE]

INJECT+06:
  db 89 42 34 8B 0D 3C 8F D8 07

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 0D544121

0D544103: 89 55 EC           -  mov [ebp-14],edx
0D544106: 85 D2              -  test edx,edx
0D544108: 75 0B              -  jne 0D544115
0D54410A: B8 E0 30 E0 0C     -  mov eax,0CE030E0
0D54410F: FF D0              -  call eax
0D544111: 89 6C 24 FC        -  mov [esp-04],ebp
0D544115: 8B 42 34           -  mov eax,[edx+34]
0D544118: 89 45 F8           -  mov [ebp-08],eax
0D54411B: 03 45 0C           -  add eax,[ebp+0C]
0D54411E: 89 45 F8           -  mov [ebp-08],eax
// ---------- INJECTING HERE ----------
0D544121: 89 42 34           -  mov [edx+34],eax
0D544124: 8B 0D 3C 8F D8 07  -  mov ecx,[07D88F3C]
// ---------- DONE INJECTING  ----------
0D54412A: 89 4D D8           -  mov [ebp-28],ecx
0D54412D: 8B 51 18           -  mov edx,[ecx+18]
0D544130: 89 55 DC           -  mov [ebp-24],edx
0D544133: 85 D2              -  test edx,edx
0D544135: 75 0B              -  jne 0D544142
0D544137: B8 E0 30 E0 0C     -  mov eax,0CE030E0
0D54413C: FF D0              -  call eax
0D54413E: 89 6C 24 FC        -  mov [esp-04],ebp
0D544142: 8B 82 D0 00 00 00  -  mov eax,[edx+000000D0]
0D544148: 89 45 E0           -  mov [ebp-20],eax
}


The AOB that was added by default is unique and works fine for the current session. But the last four bytes change when I restart the game, so I thought that replacing them with ?? would solve the issue (it was still unique that way). So I restarted the game and tried my script, and the game crashed.
I then realised those bytes corresponded to the memory address being accessed in this instruction, mov ecx,[07D88F3C], which was left unchanged after I restarted the game.
So my question is: is there a way to tell the script that instead of 07D88F3C it should put whatever the last four bytes of my AOB are? Or how is something like this dealt with normally?
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4697

Posted: Wed Jan 29, 2020 12:29 am

You can use reassemble() to do that:
Code:
newmem:
  mov [edx+34],(int)999999
  reassemble(INJECT+9)
  jmp return
It basically disassembles the instruction at the specified address and reassembles it at the call to reassemble.

Are you sure that AoB pattern is still unique?
Maybe injecting one or two instructions earlier could solve your issues as well.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
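Putting the two replies together, this is the OP's script rewritten with the last four pattern bytes wildcarded and the hard-coded mov replaced by reassemble(). It is an added example, not code from the thread; the readmem() copy of the original bytes and its use in [DISABLE] are my addition, because the original script's db line would write the previous session's stale address back when the cheat is disabled after a restart.

```asm
[ENABLE]

// Last four bytes wildcarded: they are the absolute address inside
// mov ecx,[xxxxxxxx], which changes from one game session to the next.
aobscan(INJECT,03 45 0C 89 45 F8 89 42 34 8B 0D ?? ?? ?? ??) // should still be unique
alloc(newmem,$1000)
label(return)
label(originalbytes)
registersymbol(INJECT)
registersymbol(originalbytes)

newmem:
  mov [edx+34],(int)999999
  reassemble(INJECT+9)  // re-encodes mov ecx,[....] using this session's address
  jmp return

// 9 original bytes (mov [edx+34],eax + mov ecx,[....]) copied at assembly
// time, before the jmp below overwrites them, so [DISABLE] can restore them
// without knowing the address in advance.
originalbytes:
  readmem(INJECT+06,9)

INJECT+06:
  jmp newmem
  nop 4
return:

[DISABLE]

// Restore from the saved copy instead of a hard-coded db line.
INJECT+06:
  readmem(originalbytes,9)

unregistersymbol(INJECT)
unregistersymbol(originalbytes)
dealloc(newmem)
```

As in the thread, INJECT+06 is the start of mov [edx+34],eax and INJECT+9 the start of the mov ecx instruction; check the disassembler view after assigning the script to confirm the 5-byte jmp plus nop 4 still end exactly on the return label.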
TDWL
Newbie cheater
Reputation: 0

Joined: 28 Jan 2020
Posts: 10

Posted: Wed Jan 29, 2020 1:59 pm

Quote:

Are you sure that AoB pattern is still unique?

Yeah, it was still unique.
Quote:

Maybe injecting one or two instructions earlier could solve your issues as well.

That's right, I actually ended up figuring this out right after posting and it worked. But I still thought it would be useful to know what I asked here, as there may be times when I can't inject earlier (or can you always solve it that way?)
Quote:

You can use reassemble() to do that:
Code:
newmem:
mov [edx+34],(int)999999
reassemble(INJECT+9)
jmp return
It basically disassembles the instruction at the specified address and reassembles it at the call to reassemble.

And this seems like what I was looking for, thanks.
Does reassemble only affect one instruction though? Or everything after the specified address until the end of the AOB?
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4697

Posted: Wed Jan 29, 2020 3:44 pm

TDWL wrote:
But I still thought it would be useful to know what I asked here as there may be times where I can't inject it earlier (or can you always solve it that way?)
Injecting nearby or elsewhere is usually a practical solution that may or may not be as easy as reassemble. Lua can also be used as a more general solution.

TDWL wrote:
Does reassemble only affect one instruction though? Or everything after the specified address until the end of the AOB?
It's just one instruction.
_________________
I don't know where I'm going, but I'll figure it out when I get there.