Cheat Engine Forum (The Official Site of Cheat Engine)
AOB injection script crashing game

floppa
How do I cheat?
Reputation: 0

Joined: 27 Oct 2020
Posts: 4

Posted: Tue Oct 27, 2020 4:28 pm    Post subject: AOB injection script crashing game

I'm trying to make a simple AOB injection script for the game Yet Another Zombie Defense that gives the player infinite health. However, every time I take damage while the script is running, the game crashes shortly after. Here is my code for the script:
Code:
{ Game   : YetAnotherZombieDefense.exe
  Version:
  Date   : 2020-10-27
  Author : num3rical

  This script does blah blah blah
}

[ENABLE]

aobscan(infinitehealth,D9 9E A4 00 00 00 8B 15) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  cmp byte [esi+0000014C],01
  je return

  fstp dword ptr [esi+000000A4]
  mov [esi+000000A4],(float)1
  jmp return

infinitehealth:
  jmp newmem
  nop
return:
registersymbol(infinitehealth)

[DISABLE]

infinitehealth:
  db D9 9E A4 00 00 00

unregistersymbol(infinitehealth)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 215381AB

21538183: 81 3A EC 0E AB 03     -  cmp [edx],03AB0EEC
21538189: 75 02                 -  jne 2153818D
2153818B: EB 0C                 -  jmp 21538199
2153818D: B9 EC 0E AB 03        -  mov ecx,03AB0EEC
21538192: E8 09 17 D3 4F        -  call clr.dll+198A0
21538197: 8B D0                 -  mov edx,eax
21538199: 83 BA 3C 01 00 00 02  -  cmp dword ptr [edx+0000013C],02
215381A0: 74 0F                 -  je 215381B1
215381A2: D9 45 20              -  fld dword ptr [ebp+20]
215381A5: D8 AE A4 00 00 00     -  fsubr dword ptr [esi+000000A4]
// ---------- INJECTING HERE ----------
215381AB: D9 9E A4 00 00 00     -  fstp dword ptr [esi+000000A4]
// ---------- DONE INJECTING  ----------
215381B1: 8B 15 D4 38 BD 04     -  mov edx,[04BD38D4]
215381B7: 85 D2                 -  test edx,edx
215381B9: 74 16                 -  je 215381D1
215381BB: 81 3A EC 0E AB 03     -  cmp [edx],03AB0EEC
215381C1: 75 02                 -  jne 215381C5
215381C3: EB 0C                 -  jmp 215381D1
215381C5: B9 EC 0E AB 03        -  mov ecx,03AB0EEC
215381CA: E8 D1 16 D3 4F        -  call clr.dll+198A0
215381CF: 8B D0                 -  mov edx,eax
215381D1: 38 82 08 01 00 00     -  cmp [edx+00000108],al
}


Since the code is accessed by multiple addresses depending on who is taking damage, I compare the 14C offset to 1 which is "isLocalPlayer" in order to distinguish between the player and the zombies. What seemed strange to me was that this part is what is making the game crash, as when I remove it I become invincible without crashing (the zombies do too though, which is why I need the compare). Anyone know what I'm doing wrong here?
Csimbi
I post too much
Reputation: 97

Joined: 14 Jul 2007
Posts: 3326

Posted: Tue Oct 27, 2020 4:41 pm

Not spotting anything particularly wrong here.
Is [esi+0000014C] always valid?

I'd add 'ptr' in this: cmp byte [esi+0000014C],01
And I'd move this below the labels: registersymbol(infinitehealth)
floppa
How do I cheat?
Reputation: 0

Joined: 27 Oct 2020
Posts: 4

Posted: Tue Oct 27, 2020 5:07 pm

Csimbi wrote:
Not spotting anything particularly wrong here.
Is [esi+0000014C] always valid?

I'd add 'ptr' in this: cmp byte [esi+0000014C],01
And I'd move this below the labels: registersymbol(infinitehealth)


Yes, [esi+0000014C] is always valid. I tried using cmp byte ptr like you suggested but the game still crashes when the compare statement is used.
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4709

Posted: Tue Oct 27, 2020 8:07 pm

Does freezing the value at 1 crash the game?

Try:
  1. Pause the game (advanced options window)
  2. Select the instruction at the injection point (fstp ...)
  3. Right click and "Find out what addresses this instruction accesses"
  4. Open the breakpoint window (memory viewer -> View -> Breakpointlist)
  5. Right click on the newly created breakpoint and "Set/change condition"
  6. Use the easy condition "readBytes(ESI+0x14C,1,false) == 1" (no quotes)
  7. Set the condition, unpause the game, and see if your comparison is actually good

esi+14c might be accessing unreadable memory. Use "try":
https://forum.cheatengine.org/viewtopic.php?p=5761822#5761822

_________________
I don't know where I'm going, but I'll figure it out when I get there.
floppa
How do I cheat?
Reputation: 0

Joined: 27 Oct 2020
Posts: 4

Posted: Wed Oct 28, 2020 2:17 pm

ParkourPenguin wrote:
Does freezing the value at 1 crash the game?

Try:
  1. Pause the game (advanced options window)
  2. Select the instruction at the injection point (fstp ...)
  3. Right click and "Find out what addresses this instruction accesses"
  4. Open the breakpoint window (memory viewer -> View -> Breakpointlist)
  5. Right click on the newly created breakpoint and "Set/change condition"
  6. Use the easy condition "readBytes(ESI+0x14C,1,false) == 1" (no quotes)
  7. Set the condition, unpause the game, and see if your comparison is actually good

esi+14c might be accessing unreadable memory. Use "try":


I followed your instructions, and freezing the value at one did not crash the game. I attempted to use the try/except labels as well, but the game still crashed; that could just be because I have the wrong syntax, since I'm still a little new to all this.
Code:

code:
  {$try}
  cmp byte [esi+0000014C],01
  je return
  {$except}
  jmp return

  fstp dword ptr [esi+000000A4]
  mov [esi+000000A4],(float)1
  jmp return
Csimbi
I post too much
Reputation: 97

Joined: 14 Jul 2007
Posts: 3326

Posted: Wed Oct 28, 2020 5:02 pm

Does it crash immediately (when this code runs) or only later?
You used the words "shortly after".
That suggests it does not crash immediately, which means the problem may not be your code.
It's either the value (you are changing something you are not supposed to) or there is some sort of integrity check/cheat protection maybe?
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4709

Posted: Wed Oct 28, 2020 6:37 pm

Looking at the script again, are you sure that's the logic you want? If that byte is 1, do nothing (not even the original code); else, write 1.0f to that address. I'd imagine if that instruction accesses other addresses you'd want to maintain the original behaviour for them:
Code:
code:
  fstp dword ptr [esi+000000A4]
  cmp byte [esi+0000014C],01
  je return
  mov [esi+000000A4],(float)1
  jmp return

If it still doesn't work, try executing only the original code in the code injection:
Code:
code:
  fstp dword ptr [esi+000000A4]
  jmp return
This should work unless there's some sort of integrity protection.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
floppa
How do I cheat?
Reputation: 0

Joined: 27 Oct 2020
Posts: 4

Posted: Wed Oct 28, 2020 7:20 pm

ParkourPenguin wrote:
Looking at the script again, are you sure that's the logic you want? If that byte is 1, do nothing (not even the original code); else, write 1.0f to that address. I'd imagine if that instruction accesses other addresses you'd want to maintain the original behaviour for them:
Code:
code:
  fstp dword ptr [esi+000000A4]
  cmp byte [esi+0000014C],01
  je return
  mov [esi+000000A4],(float)1
  jmp return



I used this code and changed "je return" to "jne return" and the script worked how I wanted it to. Honestly, all my logic was kind of screwed up before as I was mostly trying to follow the guides rather than actually thinking about what the code was doing. Thanks for the help!
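As an added illustration, not code from the thread or from Cheat Engine, this Python model of the x87 register stack shows why the first script's player path, which took `je return` before the game's own `fstp`, could crash "shortly after" rather than on the first hit: each hit leaves one value on the eight-deep stack, and once the stack is full every later float computation on that thread yields NaN, while the reordered `fstp`-first version stays balanced. The class and function names, the health/damage values and the trailing "unrelated float code" are constructed; nothing is claimed about what the game does once it reads NaN.

```python
import math

X87_DEPTH = 8  # the x87 FPU has eight physical registers, ST(0)..ST(7)

class X87Stack:
    """Minimal model of the x87 register stack: only pushed values are tracked."""
    def __init__(self):
        self.regs = []           # regs[-1] is ST(0)
        self.overflowed = False  # a stack fault (#IS) occurred; modelled as masked

    def fld(self, value):
        """fld m32: push. On a full stack TOP wraps onto a live register and
        the new ST(0) receives the floating-point indefinite QNaN."""
        if len(self.regs) == X87_DEPTH:
            self.overflowed = True
            self.regs = self.regs[1:] + [math.nan]
            return
        self.regs.append(value)

    def fsubr(self, mem):
        """fsubr m32: ST(0) = mem - ST(0)."""
        self.regs[-1] = mem - self.regs[-1]

    def fstp(self):
        """fstp m32: store ST(0) to memory and pop it."""
        return self.regs.pop()

def damage_event(fpu, health, damage, patch):
    """One pass through the injected block for a hit on the local player.
    patch: "none"  - the game's own fld / fsubr / fstp sequence
           "first" - the first script: player path takes `je return` before fstp
           "fixed" - ParkourPenguin's order plus floppa's jne: fstp, then write 1.0f
    """
    fpu.fld(damage)      # fld dword ptr [ebp+20]
    fpu.fsubr(health)    # fsubr dword ptr [esi+000000A4]
    if patch == "first":
        return health    # fstp skipped: the result is left on the FPU stack
    health = fpu.fstp()  # fstp dword ptr [esi+000000A4]
    if patch == "fixed":
        health = 1.0     # mov [esi+000000A4],(float)1
    return health

def simulate(patch, hits, health=100.0, damage=5.0):
    """Return (health, stack depth after the hits, overflow seen, later result is NaN)."""
    fpu = X87Stack()
    for _ in range(hits):
        health = damage_event(fpu, health, damage, patch)
    depth = len(fpu.regs)
    fpu.fld(2.0)         # constructed stand-in for unrelated, balanced float code
    return health, depth, fpu.overflowed, math.isnan(fpu.fstp())
```

With the "first" patch the stack is full after eight player hits, and the next push anywhere in the thread (the ninth hit, or any other FPU code) returns NaN from then on; the "none" and "fixed" paths leave the stack empty after every hit.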
All times are GMT - 6 Hours