Cheat Engine The Official Site of Cheat Engine
neofsn Newbie cheater
Reputation: 0
Joined: 19 Mar 2022 Posts: 10
Posted: Sat Mar 19, 2022 2:17 pm Post subject: Find out what addresses this code accesses |
Hello there,
I've been trying to get the values that I can get from using the debugger to display the values being accessed by the instruction code of an address.
So far with no luck, this code I based on ParkourPenguin's post.
ParkourPenguin wrote: |
Code: |
alloc(newmem,1024)
alloc(enemyAddresses,1024)
label(addEnemyAddress)
label(exitAdd)
label(exit)
newmem:
//game's code, example:
mov esi,[rax]
//rax is a pointer, [rax] is the enemy's address
//then:
push rcx
push edi
mov rcx,enemyAddresses
call addEnemyAddress
pop edi
pop rcx
//continue game's code here
addEnemyAddress:
mov edi,[rcx]
cmp esi,edi
je exit
test edi,edi
jz exitAdd
add rcx,4
jmp addEnemyAddress
exitAdd:
mov [rcx],esi
exit:
ret
Of course, if it's possible for an enemy to be destroyed, then you'd need a way of removing that enemy's address from this list. That would be a bit more challenging to do, but it's still easily possible. Just loop through the list, and once you find it, move every address after it back one until you reach a null address (a value of 0).
And this is what I came up with; it crashes the game. I can't figure out what I did wrong, so I'm seeking your advice on this.
Updated the code as of ParkourPenguin's corrections. Thanks man!
Not crashing now, though I am not getting any values.
Code: |
define(address,polexe.exe+3004BD)
define(bytes,89 81 EE 00 00 00)
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000)
alloc(enemyAddresses,$1024)
label(return)
label(addEnemyAddress)
label(exitAdd)
label(exit)
registersymbol(newmem)
registersymbol(enemyAddresses)
newmem:
//original game code
mov [rcx+000000EE],rax
//add to address
push ebx
push edi
mov ebx,enemyAddresses
call addEnemyAddress
pop edi
pop ebx
jmp return
addEnemyAddress:
mov edi,[ebx]
cmp rcx,edi
je exit
test edi,edi
jz exitAdd
add ebx,4
jmp addEnemyAddress
exitAdd:
mov [ebx],rcx
exit:
ret
address:
jmp newmem
nop
return:
[DISABLE]
address:
db bytes
// mov [rcx+000000EE],rax
dealloc(newmem)
dealloc(enemyAddresses)
unregistersymbol(newmem)
unregistersymbol(enemyAddresses)
Last edited by neofsn on Sat Mar 19, 2022 8:46 pm; edited 6 times in total |
TheyCallMeTim13 Wiki Contributor
Reputation: 51
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Sat Mar 19, 2022 2:33 pm Post subject: |
It looks like you're injecting into instruction padding (i.e. 0xCC), you likely need to shift it down one so the game doesn't jump in the middle of your injection point.
Code: |
0: cc int3
1: 45 inc ebp
2: ec in al,dx
3: 00 00 add BYTE PTR [eax],al
neofsn Newbie cheater
Reputation: 0
Joined: 19 Mar 2022 Posts: 10
Posted: Sat Mar 19, 2022 2:39 pm Post subject: |
TheyCallMeTim13 wrote: | It looks like you're injecting into instruction padding (i.e. 0xCC), you likely need to shift it down one so the game doesn't jump in the middle of your injection point.
Code: |
0: cc int3
1: 45 inc ebp
2: ec in al,dx
3: 00 00 add BYTE PTR [eax],al
Hello Tim, thanks for the reply. I had accidentally copied my template's instruction padding and have changed it to the proper one, which is:
Code: | db 89 81 AC 00 00 00 |
Still crashes though, any idea?
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4702
Posted: Sat Mar 19, 2022 3:32 pm Post subject: |
I see pairs of square brackets in my code that aren't in your code.
Code: |
mov edi,ebx -- should be [ebx]
...
mov ebx,ecx -- ^
Anyway, that code I wrote is vulnerable to a buffer overflow. You might want to do something different.
{$luacode} is a thing that exists now.
https://forum.cheatengine.org/viewtopic.php?t=618134
`mov [ecx+00000115],eax` assembles to `89 81 15 01 00 00`, not `89 81 AC 00 00 00`. Maybe you did something wrong there?
INJECT isn't defined in the disable section. `define(INJECT,game.exe+3024D8)` should be above enable, there should be an assert in the enable section, and you should leave the comment at the end showing code around the injection point. See the full injection template.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
neofsn Newbie cheater
Reputation: 0
Joined: 19 Mar 2022 Posts: 10
Posted: Sat Mar 19, 2022 4:09 pm Post subject: |
Hello ParkourPenguin,
I have updated the code above, thanks for correcting me.
It runs now, though I think it's not working? Because I don't see as many pointers as the "find out what addresses code.." is finding. Any idea or possible reasons why?
Edit: all good now.
Thanks! I made a mistake on my side.
I think now what I need to do is to check if addresses are still valid.
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4702
Posted: Sat Mar 19, 2022 4:56 pm Post subject: |
In my previous post, the caret ^ in a comment means "see the comment in this position above this one".
i.e.:
neofsn wrote: |
Code: |
...
exitAdd:
mov ebx,ecx -- should be [ebx]
...
Also, it won't write the exact address being accessed (ecx+AC); it will only write the value of the base register (ecx).
And again, this will eventually crash due to a buffer overflow. I'd guess after 3072 times.
neofsn Newbie cheater
Reputation: 0
Joined: 19 Mar 2022 Posts: 10
Posted: Sat Mar 19, 2022 5:07 pm Post subject: |
Can I incorporate something like this to prevent buffer overflow?
ParkourPenguin wrote: | You can also compare against something in the stack and/or another memory location accessed through a value in a register.
If you need all the addresses an instruction accesses, this code logs up to 128 addresses to a buffer with no repeats:
Code: |
alloc(my_code, 2048)
alloc(addresses, 512)
alloc(end, 4)
label(loop)
label(loopEnter)
label(quickExit)
label(append)
registersymbol(addresses)
my_code:
// edx - end of buffer
mov edx, [end]
// check to avoid buffer overflow
cmp edx, addresses+200
je short quickExit
// if it's empty, no check necessary- append it
cmp edx, addresses
je short append
// [eax] - value presently stored in buffer
mov eax, addresses
jmp short loopEnter
loop:
add eax, 4
// if it reaches the end, append it
cmp edx,eax
je short append
loopEnter:
// edi - address to log
cmp [eax], edi
jne short loop
// if it's already in the buffer, return
quickExit:
ret
append:
// push back end & write new value
lea eax, [edx+4]
mov [end], eax
mov [edx], edi
ret
addresses:
end:
dq addresses
I haven't tested this, and you'll need to adapt it (e.g. rename edi -> eax, eax -> something else; backup registers as necessary; maybe change ret instructions depending on how you inject this; etc.).
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4702
Posted: Sat Mar 19, 2022 5:20 pm Post subject: |
Sure. That explicitly stores the end of the buffer and checks to make sure it doesn't overflow.
If you're going to use Lua to process the buffer's contents anyway, why not just use Lua to get the addresses to begin with? i.e. {$luacode} or breakpoints
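The bounded, de-duplicating address log that the script quoted in the question above implements (and that the reply confirms stores the buffer's end and checks it), together with the remove-by-shifting step from the first quoted post, as an added C example that is not code from the thread; the struct, the function names, the capacity of 128 and the sample addresses are my own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 512 bytes of 4-byte slots in the script = 128 entries. uintptr_t is used here
 * because a 64-bit target (rcx/rax in the first script) needs 8-byte slots. */
#define LOG_CAPACITY 128

typedef struct {
    uintptr_t entries[LOG_CAPACITY]; /* the "addresses" buffer */
    size_t end;                      /* the "end" pointer, kept as an index */
} addr_log;
enum { LOG_FULL = -1, LOG_DUPLICATE = 0, LOG_APPENDED = 1 };

/* Same control flow as my_code: bounds check first, then scan for a repeat. */
int log_address(addr_log *log, uintptr_t addr)
{
    if (log->end == LOG_CAPACITY)          /* cmp edx,addresses+200 ; je quickExit */
        return LOG_FULL;                   /* full: refuse instead of overflowing */
    for (size_t i = 0; i < log->end; i++)  /* loop / loopEnter */
        if (log->entries[i] == addr)
            return LOG_DUPLICATE;
    log->entries[log->end++] = addr;       /* append: write value, push back end */
    return LOG_APPENDED;
}

/* Removal as described in the first quoted post: shift later entries back one. */
int remove_address(addr_log *log, uintptr_t addr)
{
    for (size_t i = 0; i < log->end; i++) {
        if (log->entries[i] != addr)
            continue;
        for (size_t j = i + 1; j < log->end; j++)
            log->entries[j - 1] = log->entries[j];
        log->entries[--log->end] = 0;      /* clear the vacated tail slot */
        return 1;
    }
    return 0;
}

int main(void)
{
    addr_log log = {0};
    uintptr_t sample[] = { 0x1000, 0x1000, 0x2000 }; /* constructed: one repeat */
    for (size_t i = 0; i < 3; i++)
        printf("log %#lx -> %d\n", (unsigned long)sample[i], log_address(&log, sample[i]));
    remove_address(&log, 0x1000);
    printf("after removal: end=%zu first=%#lx\n", log.end, (unsigned long)log.entries[0]);
    return 0;
}
```

Because the bounds check runs before the duplicate scan, a full log refuses even an address it already holds, exactly as the quoted script's quickExit does.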
neofsn Newbie cheater
Reputation: 0
Joined: 19 Mar 2022 Posts: 10
Posted: Sat Mar 19, 2022 5:25 pm Post subject: |
Honestly, I don't know where to start. This is the first time I've coded in Lua, let alone asm86. I usually code cheats in C++ with just plain memory references like entities; I'm actually stoked at how powerful this kind of scripting is.