Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
Varying offsets
Cheat Engine Forum Index -> General Gamehacking
aaax10 (Newbie cheater, Reputation: 0, Joined: 25 Feb 2020, Posts: 13)
Posted: Mon Mar 02, 2020 4:28 pm    Post subject: Varying offsets

I found a base address, but I don't know how to find the offset that's in EDI; when scanning for it I only get a couple of unreliable addresses... I want to know how the game gets to this offset. I have "xor ebx,[ebp+edi*4+00]", so it seems it's a variable offset. How do I determine EDI? It changes without restarting the game. Any attempt to inject code crashes the game as well. Thank you
DanyDollaro (Master Cheater, Reputation: 3, Joined: 01 Aug 2019, Posts: 334)
Posted: Tue Mar 03, 2020 7:24 am

I think you are confusing some terms, but if you want to know what the value in the EDI register is, you can use the VEH debugger. If instead you want to create an anti-anti-code-injection, you can use a stealth edit (it consists of setting a breakpoint that changes the value of the EIP register so as to redirect the thread without changing the code), or you could look at which code reads the code you are inspecting; but on that code you will probably find yet another code that verifies the integrity of the latter, and so on.

The following link shows a very useful tutorial on how to use stealth edit: https://www.youtube.com/watch?v=ajIIlNQ5nSU
aaax10
Posted: Tue Mar 03, 2020 9:53 am

I need to predict the next offset it's going to use because it changes offsets when I change rooms in the game. I would like to find a pointer if possible, since the game must know where the value always is. The idea of changing the code was only to log the current offset, I'm still going to try stealth edit. Send me a PM if you would like to play with me. Thanks for the help
DanyDollaro
Posted: Tue Mar 03, 2020 11:50 am

I don't understand what you want to do. Are you giving me a single line of assembly code and asking to predict the value of EDI? It's certainly not something I can help you with if you don't give more information. And then, you want to get a pointer to what? What value do you want to get?
aaax10
Posted: Tue Mar 03, 2020 12:10 pm

Okay, sorry, the player's angle is encrypted but that's not the issue. It's stored at 0255E2D0. Nothing writes to it. I want to read it from a C# program. If I scan for that in hex I get a couple of results, none of which gets updated later.
When I change rooms it gets stored in a different location, so when the room's created by my second account, it's stored at 0255E4F4. If I create the room myself again, it comes back to 0255E2D0. If I go to someone else's room, that address changes. When creating the room again, this is what has accessed 0255E2D0:
It gets updated as soon as the game starts. What's the next information you need? Thanks


DanyDollaro
Posted: Tue Mar 03, 2020 12:39 pm

So if I understand correctly, you want to get the address holding an "angle" value, but you can't use a code injection because the game is protected?
aaax10
Posted: Tue Mar 03, 2020 12:43 pm

Yes.
DanyDollaro
Posted: Wed Mar 04, 2020 8:19 am

If, from your C# program, you don't know how to set breakpoints and read the registers, and consequently you want to do it through a code injection, you must first disable the integrity check of the code. As I said before, just take any byte of the code on which you want to make the injection and attach a debugger (in read mode) to it, because there will be code that verifies that that code has not been changed.
aaax10
Posted: Wed Mar 04, 2020 12:02 pm

I think it might be a shared instruction: the EDI register keeps changing, although sometimes it appears to have the desired value. How can I overcome this? I'm manually bypassing the integrity checks. The biggest problem is that it's still crashing the game when attaching the debugger to write to the EIP register (setting a breakpoint), even after disabling "override existing breakpoints when setting breakpoints". Is it not possible to find a pointer to the address? Also, is stealth edit not supported anymore? Thank you
i.ibb.co/nkVnSMP/Screenshot-81.png
DanyDollaro
Posted: Wed Mar 04, 2020 4:21 pm

aaax10 wrote:
How can I overcome this?

If you are referring to the fact that it is a shared instruction, you can find the solution to your problem in step 9 of the Cheat Engine tutorial.

aaax10 wrote:
still crashing the game when attaching the debugger

The program may have anti-debugging protections; make sure you have selected "VEH debugger" in the settings and that you are using hardware breakpoints (if that doesn't work, then it has more complex anti-debugging techniques to bypass).

aaax10 wrote:
Is it not possible to find a pointer to the address?

You're referring to the value of a register, not to a memory location, so no.

aaax10 wrote:
Also is stealth edit not being supported anymore?

I have never used plugins to perform a stealth edit; I have always done it manually. The video I linked above explains how to do it.
aaax10
Posted: Thu Mar 05, 2020 1:55 am

But even with only "myoffset=EDI" myoffset stays at 0. Tried "myoffset=readBytes(EDI,4)" as well.

DanyDollaro
Posted: Thu Mar 05, 2020 6:37 am

Oh, I'm sorry, but I don't know Lua; I don't know how to help you.
aaax10
Posted: Thu Mar 05, 2020 6:45 am

Isn't there a way to reproduce this with assembly? I want to mov [myoffset],edi only if ebp == 0x26b0048

DanyDollaro
Posted: Thu Mar 05, 2020 6:58 am

Code:
alloc(code,1024)
alloc(myoffset,4)         // Allocate the 4-byte variable that will hold EDI
registersymbol(myoffset)  // Lets "myoffset" be used as an address in the address list
label(Assign_Off)
label(exit)

code:
cmp ebp,26B0048    // Check the value in EBP (auto-assembler numbers are hex)
je Assign_Off      // If it is equal to 26B0048 run the code in "Assign_Off"
jmp exit           // In any other case run the code in "exit"

Assign_Off:
mov [myoffset],edi // Save EDI so the current offset can be read at "myoffset"

exit:
{original instruction(s) overwritten by the injection jmp go here, then jmp return}


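An added example, not code from either poster, that does the same conditional capture of EDI as the auto-assembler script above but from Cheat Engine's Lua engine with a hardware breakpoint, so no code bytes of the game are written. It also bears on the earlier "myoffset=EDI stays at 0" question: as I understand CE's Lua API, the registers exist as globals (EBP, EDI, EIP, ...) only while debugger_onBreakpoint is running. HOOK_ADDR is a placeholder for the address of the "xor ebx,[ebp+edi*4+00]" instruction, and the debugProcess interface number 2 (VEH debugger) and the bptExecute/bpmDebugRegister constants are assumed to match the CE version in use.

```lua
-- Added example (not from the original thread): log EDI with a hardware
-- breakpoint instead of a code injection. Assumed CE Lua API as described
-- in celua.txt; HOOK_ADDR is a placeholder to be filled in from the disassembler.
local HOOK_ADDR  = 0x00000000   -- placeholder: address of the xor instruction
local WANTED_EBP = 0x026B0048   -- the EBP value quoted in the thread

local lastOffset    = nil       -- last EDI seen together with the wanted EBP
local lastValueAddr = nil       -- ebp+edi*4, the address the xor actually reads

-- Called by CE whenever a breaking breakpoint hits. Only here are the thread
-- registers exposed as globals; outside this function EDI is not defined.
function debugger_onBreakpoint()
  if EIP == HOOK_ADDR and EBP == WANTED_EBP then
    lastOffset    = EDI
    lastValueAddr = EBP + EDI * 4
    print(string.format("EDI=%08X  reads %08X  dword=%08X",
          EDI, lastValueAddr, readInteger(lastValueAddr) or 0))
  end
  return 1  -- resume the thread without opening the CE debugger window
end

-- Attach the VEH debugger and place an execute hardware breakpoint
-- (debug register) on the instruction; nothing in the game's code changes.
debugProcess(2)
debug_setBreakpoint(HOOK_ADDR, 1, bptExecute, bpmDebugRegister)

-- Call from the Lua console when done: removes the breakpoint and returns
-- the last captured offset and the address it pointed at (nil if never hit).
function stopCapture()
  debug_removeBreakpoint(HOOK_ADDR)
  return lastOffset, lastValueAddr
end
```

Because the breakpoint fires for every execution of a shared instruction, the EBP check is what filters out the other objects that pass through the same code.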
aaax10
Posted: Thu Mar 05, 2020 8:38 am

It's always giving me a wrong value that however gets updated properly... I believe what we've done is the same

All times are GMT - 6 Hours
Page 1 of 2