Cheat Engine The Official Site of Cheat Engine
Menoetius (Cheater)
Reputation: 0
Joined: 01 Jul 2018, Posts: 29
Posted: Tue Aug 18, 2020 3:51 pm
Post subject: Breaking Bytes - Game Crash on Jump (Unity Engine - ROR2)
Preface: I've coded a small amount of hacks/trainers in the past for sp and even mp games, so I'm not too much of a rookie.
I am attempting to create the classic invulnerability cheat in the Unity/Mono game Risk of Rain 2. I have found the usual bytes, but modification is causing crashes upon run.
I complete an AOBscan and replace the initial bytes/opcode found with a jmp InjectionPoint, but of course the game is continually crashing despite me making sure the opcode addresses stay aligned with 3 nops after the jmp.
Original Code:
Code:
15487ADE3D2 - F3 0F11 2F - movss [rdi],xmm5 //replaced; the jmp is 5 bytes and extends into the next instruction
15487ADE3D6 - 48 8B 75 E0 - mov rsi,[rbp-20] //replaced with 3 nops
15487ADE3DA - 48 8B 7D E8 - mov rdi,[rbp-18] //untouched
My Code Injection:
Code:
I__HEALTH - E9 291C1E00 - jmp M__HEALTH
15487ADE3D7- 90 - nop
15487ADE3D8- 90 - nop
15487ADE3D9- 90 - nop
15487ADE3DA- 48 8B 7D E8 - mov rdi,[rbp-18] //untouched
My Code Replacement: (Note: as of now I have not replaced the functionality, I have only attempted to relocate where this statement in memory is evaluated. I do not know enough in depth to understand if this modifies the stack in any way or pointer base addresses.)
Code:
M__HEALTH - F3 0F11 2F - movss [rdi],xmm5 //same as original
15487CC0004- 48 8B 75 E0 - mov rsi,[rbp-20] //same as original
15487CC0008- C3 - ret //I've tried with and without ret; I am actually unsure if this is necessary because by default CE does not include it - either way it crashes
And here is my full file:
Code:
{ Game : Risk of Rain 2.exe
Version:
Date : 2020-08-18
Author : U53R
This script attempts to evaluate the given expression elsewhere in memory
}
[ENABLE]
//scan for byte address (0)
// _0 _1 _2 _3|_4 _5 _6 _7|_0 _1 _2 _3
aobscan(I__HEALTH,F3 0F 11 2F 48 8B 75 E0 48 8B 7D E8 4C 8B 75 F0 4C 8B 7D F8 48 8D 65 00 5D C3 00 00 00 00 01 04 02 05 04 03 01 50 00 00 00 00 E8 ** ** ** ** 08 ** ** ** ** ** ** 00 00 00 00 00 00 00 00 48 83 EC 28 48 89 34 24 48 89 7C 24 08) // should be unique
//register address for outside use
registersymbol(I__HEALTH)
//alloc space to write new code
alloc(M__HEALTH,$1000)
//register memory for outside use
registersymbol(M__HEALTH)
//injection point
I__HEALTH:
jmp M__HEALTH
nop
nop
nop
//memory to work with
M__HEALTH:
movss [rdi],xmm5
mov rsi,[rbp-20]
ret
[DISABLE]
I__HEALTH:
//restore the overwritten bytes
db F3 0F 11 2F 48 8B 75 E0
//unregister the injection point
unregistersymbol(I__HEALTH)
//release the code cave and its symbol so the script can be re-enabled cleanly
unregistersymbol(M__HEALTH)
dealloc(M__HEALTH)
{
// ORIGINAL CODE - INJECTION POINT: 15D373BE258
15D373BE244: B1 49 - mov cl,49
15D373BE246: 5D - pop rbp
15D373BE247: 01 00 - add [rax],eax
15D373BE249: 00 00 - add [rax],al
15D373BE24B: 00 00 - add [rax],al
15D373BE24D: 00 00 - add [rax],al
15D373BE24F: 00 48 83 - add [rax-7D],cl
15D373BE252: EC - in al,dx
15D373BE253: 28 48 89 - sub [rax-77],cl
15D373BE256: 34 24 - xor al,24
// ---------- INJECTING HERE ----------
15D373BE258: 48 89 7C 24 08 - mov [rsp+08],rdi
// ---------- DONE INJECTING ----------
15D373BE25D: 4C 89 7C 24 10 - mov [rsp+10],r15
15D373BE262: 48 8B F9 - mov rdi,rcx
15D373BE265: 48 8B F2 - mov rsi,rdx
15D373BE268: 4C 8B FE - mov r15,rsi
15D373BE26B: 48 85 F6 - test rsi,rsi
15D373BE26E: 74 18 - je 15D373BE288
15D373BE270: 48 8B 06 - mov rax,[rsi]
15D373BE273: 48 8B 00 - mov rax,[rax]
15D373BE276: 48 B9 B0 1C E5 3E 5D 01 00 00 - mov rcx,0000015D3EE51CB0
15D373BE280: 48 3B C1 - cmp rax,rcx
}
So again, the game crashes upon memory relocation despite the same evaluation statements. Likely there are some concepts I misunderstand or something I'm missing you folks could enlighten me with.
If you can, am I using the correct method to attempt this cheat? Are there any others I should try with games like these - non-static addresses with an opcode that handles everyone's health and even timers?
Thank you preemptively for your time and help.
P.S. That electric blue code is hard to look at, can I change the color of it?
_________________
Big Gun
#1
Shoot the Hell Outta You
Menoetius (Cheater)
Reputation: 0
Joined: 01 Jul 2018, Posts: 29
Posted: Thu Aug 20, 2020 12:17 am
So doing a bit of research, I can perhaps say with my uneducated opinion that it is unlikely to be crashing due to security measures or preexisting uses of debug hooks.
My best guess is that perhaps it is to do with the x64 basis? I'm occasionally getting jumps greater than 12? bytes worth. Still can't tell for sure and I've spent about the last week on it. Search results don't turn up much for Unity either, or reasons why.
Any suggestions would be appreciated, and if anyone suggests DLL modification and/or how to, please link me or point me in the right direction to continue.
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003, Posts: 25840, Location: The Netherlands
Posted: Thu Aug 20, 2020 1:11 am
Code:
alloc(M__HEALTH,$1000)
is wrong
it should be
Code:
alloc(M__HEALTH,$1000,I__HEALTH)
and your injection point in the comments does not match the code or bytes in your script
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
panraven (Grandmaster Cheater)
Reputation: 62
Joined: 01 Oct 2008, Posts: 959
Posted: Thu Aug 20, 2020 1:24 am
See the 'ret'
Code:
...
M__HEALTH:
movss [rdi],xmm5
mov rsi,[rbp-20]
ret ///////////// THIS is an assembler instruction; without a corresponding call, the stack will be corrupted and may cause a crash.
this is a part of the 'AOB Injection template'
Code:
code:
lea rsp,[rsp-28] //// original code
jmp return //// this is a jump instruction with target address 'return', which restores execution to where it jumped into the cave here
INJECT:
jmp newmem
return: ///// this 'return' is not an instruction, but an address label, telling where the code should resume after the above code cave.
...
You probably have changed 'jmp return' to 'ret' for some unknown reason.
Try replacing 'ret' with 'jmp I__HEALTH+8' to see if it can be fixed.
btw, to prevent the jump from the inject point to the code cave from using the long form of jump, the allocation of the code cave has to be made NEAR (+/- 2G) the inject point.
Using the 3rd parameter for 'alloc' may help; the 3rd parameter should be the injection point, i.e.
Code:
alloc(M__HEALTH,$1000,I__HEALTH)
_________________
- Retarded.
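An added worked example (not code from this thread or from Cheat Engine) that checks the arithmetic behind the advice above: it decodes the E9 rel32 jmp the script writes at I__HEALTH, derives the address the cave must jump back to (the first instruction that was not overwritten, I__HEALTH+8 here), verifies the NOP padding, and shows why a cave allocated outside the +/-2 GiB reach of a near jmp cannot be the target of a 5-byte jump. The addresses and bytes are the ones posted in the thread; the function names are assumptions of this example.

```python
import struct

JMP_REL32 = 0xE9  # opcode of the 5-byte near jump
NOP = 0x90

def jmp_rel32(src, dst):
    """Encode `jmp dst` placed at src as E9 rel32. Returns None when dst is
    outside the +/-2 GiB reach of a near jump, which is why the code cave
    has to be allocated near the injection point (alloc's 3rd parameter)."""
    disp = dst - (src + 5)            # rel32 is relative to the next instruction
    if not -2**31 <= disp < 2**31:
        return None
    return bytes([JMP_REL32]) + struct.pack("<i", disp)

def jmp_target(addr, code):
    """Decode an E9 rel32 jump located at addr and return its target."""
    if len(code) < 5 or code[0] != JMP_REL32:
        raise ValueError("no E9 rel32 jmp at this address")
    (disp,) = struct.unpack("<i", code[1:5])
    return addr + 5 + disp

def check_patch(inject, patched, orig_lengths):
    """Check a jmp-to-cave patch against the lengths of the instructions it
    overwrote. Returns (cave_address, resume_address, padding_ok): the cave
    must jump back to resume_address, and every byte of a partly overwritten
    instruction must have been replaced with a NOP."""
    cave = jmp_target(inject, patched)
    span = 0
    for length in orig_lengths:       # walk instruction boundaries past the 5-byte jmp
        span += length
        if span >= 5:
            break
    resume = inject + span
    padding_ok = len(patched) == span and all(b == NOP for b in patched[5:])
    return cave, resume, padding_ok

# Values from the thread: the jmp written at I__HEALTH (0x15487ADE3D2) over
# movss [rdi],xmm5 (4 bytes) and mov rsi,[rbp-20] (4 bytes), padded with 3 NOPs.
I_HEALTH = 0x15487ADE3D2
PATCH = bytes.fromhex("E9291C1E00909090")
ORIG_LENGTHS = [4, 4, 4]              # movss, mov rsi, mov rdi (untouched)

if __name__ == "__main__":
    cave, resume, ok = check_patch(I_HEALTH, PATCH, ORIG_LENGTHS)
    print(f"cave={cave:#x} resume={resume:#x} (I__HEALTH+{resume - I_HEALTH}) padding_ok={ok}")
    # The cave's way back is a jmp to resume, not a ret: nothing pushed a return address.
    print(jmp_rel32(cave + 8, resume).hex())
    # A cave 4 GiB away is out of reach for a single E9 jmp.
    print(jmp_rel32(I_HEALTH, I_HEALTH + 0x1_0000_0000))
```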
Menoetius (Cheater)
Reputation: 0
Joined: 01 Jul 2018, Posts: 29
Posted: Thu Aug 20, 2020 7:27 am
Hey you guys are great for replying.
I actually used the autogenerated script first and it was continually crashing presumably for the same reason, because it lacks a return. Good catch on the alloc near, I was able to notice that could have been a possible cause of crash after posting.
Alright, so after the application of your insight, we got this beauty right here:
Code:
//memory to work with
M__HEALTH:
movss [rdi],xmm5
mov rsi,[rbp-20]
jmp F__HEALTH+8
//injection point
//F__HEALTH is I__HEALTH, I moved the aobscan to another script because that never fails, and there's no reason to rescan once found as long as the bytes are in proper order...
F__HEALTH:
jmp M__HEALTH
nop
nop
nop
This actually got us to stop crashing! Nice. HOWEVER, while this simple jump is active, the entire game begins to slow down increasingly, and I believe NEW entities freeze in place with effectively infinite hp.
EDIT: Now that I think of it, perhaps a section of code is jumping to where the nop statements are because it was essential to the initialization of a creature's health, and now it does nothing. CE usually shows jumps in its disassembler, but if the length is too long perhaps it may not render it. How would I go about rectifying this problem?
What could be the root of that? Unknown looping? The stack being modified without consent?
Also, CE defaults to putting the memory address BEFORE the injection address. Does this matter? Can I have F__HEALTH above M__HEALTH? Did I jump to the correct addresses?
Again, thanks for your killer info, this is basically the only place I can consistently find answers to my questions. Tutorials and walkthroughs are great, but I'm quite ALWAYS encountering problems I never can find elsewhere, or duckduckgo/bing/google don't search this site well enough to find answers to previous questions.