Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
How to auto-find instruction on dynamic address?

Xenocritus (Cheater; Reputation: 0; Joined: 27 Dec 2020; Posts: 25)
Posted: Sat Jan 30, 2021 11:58 am    Post subject: How to auto-find instruction on dynamic address?

So, most instructions are for example:

Code:
 game.exe + 1111  mov [edx], 0


However, I need to inject code on an instruction like this:

Code:
 543333  mov [edx], 0


So I cannot inject there, as the instruction position changes every time I restart the game.
Also, it is quite a common instruction.

Any tip? Thanks!
ParkourPenguin (I post too much; Reputation: 152; Joined: 06 Jul 2014; Posts: 4702)
Posted: Sat Jan 30, 2021 12:31 pm

Use the "aob injection" template.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Xenocritus (Cheater; Reputation: 0; Joined: 27 Dec 2020; Posts: 25)
Posted: Sat Jan 30, 2021 3:06 pm

It didn't work. I couldn't activate the script after re-entering the game. So it worked just for the first time, without closing the game.
Next time I entered the game, the direction changed:

Code:
 743252  mov [edx], 0


Also, this specific instruction exists in more places over the code. But I need a specific one which I can easily identify, but cannot point to correctly.
I mean, mov [edx], 0 with the same edx exists in other game locations.


BTW, the real instruction also contains a dynamic value inside, like this:
Code:
 743252  mov [6F3234], 0

So both values change. And mov [6F3234], 0 also happens in other game places.

Here is the real example:
Code:
056737C5 - 04 89 - add al,-77 { 137 }
056737C7 - 05 084E8E00 - add eax,pcsxr-pgxp.exe+174E08 { (17) }
056737CC - FF 0D 084E8E00 - dec [pcsxr-pgxp.exe+174E08] { (1) }
056737D2 - 8B 05 084E8E00 - mov eax,[pcsxr-pgxp.exe+174E08] { (26841) }

//This one, with value 129 is the one. All I know is it is executed while walking. As it is "steps to battle".
056737D8 - 89 05 9422EC04 - mov [04EC2294],eax { (129) }

056737DE - 68 01000000 - push 00000001 { 1 }
056737E3 - 68 94220B80 - push 800B2294 { -2146753900 }
056737E8 - E8 432813FB - call pcsxr-pgxp.exe+36030


Any other idea? Thanks!!
ParkourPenguin (I post too much; Reputation: 152; Joined: 06 Jul 2014; Posts: 4702)
Posted: Sat Jan 30, 2021 4:57 pm

Replace the bytes that change in the instruction with wildcards and find a unique AoB pattern manually.
Code:
mov [0x6F3234],0
c7 05 34 32 6f 00 00 00 00 00
c7 05 ?? ?? ?? ?? 00 00 00 00
Edit: typo - second line had 0f in place of 05
Scan through all memory (not just writable) and keep adding bytes of further instructions until you get something unique.

You'll also need to use reassemble in your code injection if you want to execute the original code and readmem to restore the original injection point.
Code:
// pattern from the first block (the 0f typo noted above is corrected here: the ModRM byte is 05)
aobscan(INJECT,c7 05 ?? ?? ?? ?? 00 00 00 00...)
alloc(newmem,2048)
alloc(originalbytes,256)
registersymbol(INJECT)
registersymbol(originalbytes)
...

newmem:
  // your code injection
originalcode:
  // re-emit the original (address-dependent) instruction wherever it was found
  reassemble(INJECT)
  jmp return

originalbytes:
  // copy of the 10 original bytes, kept for the disable section
  readmem(INJECT, 10)

INJECT:
  // 5-byte jmp + 5 nops = 10 bytes, the length of the overwritten instruction
  jmp newmem
  nop
  nop
  nop
  nop
  nop
return:
[DISABLE]
INJECT:
  readmem(originalbytes,10)
...
Use more unique names for registered symbols than this example.

If you need the address in the instruction in your code, use Lua to get it.

_________________
I don't know where I'm going, but I'll figure it out when I get there.


Last edited by ParkourPenguin on Sun Jan 31, 2021 11:31 am; edited 2 times in total
Xenocritus (Cheater; Reputation: 0; Joined: 27 Dec 2020; Posts: 25)
Posted: Sun Jan 31, 2021 4:31 am

So, is there any tutorial for that?

I mean, I already learned how to make AOB long searches, and point to a specific address.

But, as I understood, in order to inject or change the code, I need to reassemble the original code plus my injection, isn't it?

So, the problem again is that I cannot re-enter the code, as the instruction addresses are constants calculated when the game starts, so you talked about doing it with Lua.... I tried to find some tutorial but wasn't able to.

Any clue or tutorial?
Thanks again
sbryzl (Master Cheater; Reputation: 6; Joined: 25 Jul 2016; Posts: 252)
Posted: Sun Jan 31, 2021 10:42 am

Parkour gave the basic layout of the table to use reassemble and readmem. If you want more information on them you can look in the wiki.

reassemble
https://wiki.cheatengine.org/index.php?title=Auto_Assembler:reassemble

readmem
https://wiki.cheatengine.org/index.php?title=Auto_Assembler:readMem
Xenocritus (Cheater; Reputation: 0; Joined: 27 Dec 2020; Posts: 25)
Posted: Sun Jan 31, 2021 10:59 am

Thanks! So I will go deeper with this and come back with the solution or with more questions lol