 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
gir489
Grandmaster Cheater
![]() Reputation: 14
Joined: 03 Jan 2012
Posts: 841
Location: Maryland, United States
|
 Posted: Wed Apr 26, 2023 10:08 am Post subject: Resolve CALL address from AoBScan |
 |
|
Some functions in games are simply not resolvable directly with an AoBScan, or the AoBScan includes static data like the CALL mask itself. This can result in basically just making a static offset by using an unnecessary AoBScan, or the function simply is just too tiny/enormous to resolve directly.
However, I have found that by using IDASigmaker 7.0, it tends to like generating signatures that are inside another function that calls the function you're looking for if it can't find a signature that is within a reasonable size. It also marks the call mask as a wildcard, because call masks always change between recompilations.
It would be easy to do the math to resolve the callmask's true address in C, but since we're limited to the functions exposed to us by Cheat Engine, the most we can do is read the mask into a variable and then do nothing with it, unless we create a thread and conduct the arithmetic inside of it. Even then, we can't tell Cheat Engine to mark the value inside of a variable we just calculated as where we want to inject code.
Here is how I used to grab MD5PsuedoRandom from TF2.
| Code: | gOffsets.dwMD5PseudoRandom = gMiscFuncs.dwGetCallFunctionLocation(gBaseAPI.GetClientSignature("E8 ? ? ? ? 83 C4 04 25"));
DWORD CBaseAPI::GetClientSignature(const char* chPattern )
{
static HMODULE hmModule = GetModuleHandleSafe("client.dll");
static PIMAGE_DOS_HEADER pDOSHeader = (PIMAGE_DOS_HEADER)hmModule;
static PIMAGE_NT_HEADERS pNTHeaders = (PIMAGE_NT_HEADERS)(((DWORD)hmModule) + pDOSHeader->e_lfanew);
return dwFindPattern(((DWORD)hmModule) + pNTHeaders->OptionalHeader.BaseOfCode, ((DWORD)hmModule) + pNTHeaders->OptionalHeader.SizeOfCode, chPattern);
}
DWORD CMiscFuncs::dwGetCallFunctionLocation(DWORD instructionPointer )
{
DWORD jumpMask = instructionPointer + 1;
return ((*(PDWORD)(jumpMask)) + jumpMask+4);
} |
|
|
| Back to top |
|
 |
Dark Byte
Site Admin
 Reputation: 470
Joined: 09 May 2003
Posts: 25788
Location: The netherlands
|
| Posted: Wed Apr 26, 2023 12:33 pm Post subject: |
|
|
use the disassembler and read out the ldd data
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
gir489
Grandmaster Cheater
![]() Reputation: 14
Joined: 03 Jan 2012
Posts: 841
Location: Maryland, United States
|
| Posted: Wed Apr 26, 2023 5:19 pm Post subject: |
|
|
| Dark Byte wrote: | | use the disassembler and read out the ldd data |
I'm confused. How would that be used in a script?
The only option I can see for that is this: https://wiki.cheatengine.org/index.php?title=Help_File:Disassembler
This looks to be used as some type of Cheat Engine plugin? If I were to write a plugin, I'd just extract the address manually with C.
I want to do this while within a Cheat Engine script.
|
|
| Back to top |
|
|
panraven
Grandmaster Cheater
![]() Reputation: 62
Joined: 01 Oct 2008
Posts: 958
|
| Posted: Thu Apr 27, 2023 2:08 am Post subject: |
|
|
Hopefully it is relevant:
| Code: |
-- test in a 64bit process
local code = [[
globalalloc(__X,$1000)
__X:
call @f
mov rax,__X
@@:
ret
aobscanRegion(pRIP,__X,__X+100,e8 ? ? ? ?)
/// cf. aobscanModule(pRIP, client.dll, E8 ? ? ? ? 83 C4 04 25)
unregisterSymbol(pCallee)
label(pCallee)
pRIP+5+(LONG)[pRIP+1]: /// pointer type cast, (LONG)[*addr*] means read the 4 byte SIGNED at *addr*
pCallee:
registerSymbol(pCallee)
]]
print('check:',autoAssembleCheck(code)) -- syntaxcheck will fail as no actuall scan run on check, so symbol not right
print('exec: ',tostring(autoAssemble(code))) -- in actuall run, symbol is right and so the pointer type cast
print('addrs:',getAddressSafe'pCallee', getAddressSafe'pCallee' - getAddressSafe'__X' )
|
_________________
- Retarded. |
|
| Back to top |
|
|
gir489
Grandmaster Cheater
![]() Reputation: 14
Joined: 03 Jan 2012
Posts: 841
Location: Maryland, United States
|
| Posted: Thu Apr 27, 2023 8:16 am Post subject: |
|
|
| panraven wrote: | Hopefully it is relevant:
| Code: |
-- test in a 64bit process
local code = [[
globalalloc(__X,$1000)
__X:
call @f
mov rax,__X
@@:
ret
aobscanRegion(pRIP,__X,__X+100,e8 ? ? ? ?)
/// cf. aobscanModule(pRIP, client.dll, E8 ? ? ? ? 83 C4 04 25)
unregisterSymbol(pCallee)
label(pCallee)
pRIP+5+(LONG)[pRIP+1]: /// pointer type cast, (LONG)[*addr*] means read the 4 byte SIGNED at *addr*
pCallee:
registerSymbol(pCallee)
]]
print('check:',autoAssembleCheck(code)) -- syntaxcheck will fail as no actuall scan run on check, so symbol not right
print('exec: ',tostring(autoAssemble(code))) -- in actuall run, symbol is right and so the pointer type cast
print('addrs:',getAddressSafe'pCallee', getAddressSafe'pCallee' - getAddressSafe'__X' )
|
|
I get an error "Failure to determine what __X means."
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 470
Joined: 09 May 2003
Posts: 25788
Location: The netherlands
|
| Posted: Thu Apr 27, 2023 8:46 am Post subject: |
|
|
use lua and createDisassembler and then disassemble the result of aobscan and then register the parameter as a symbol
anyhow, I think your code can be written in full AA as well:
| Code: |
label(functionaddress)
registersymbol(functionaddress)
aobscanmodule(bla,client.exe,E8 ? ? ? ? 83 C4 04 25)
bla+5+(LONG)[bla+1]:
functionaddress:
|
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping
Last edited by Dark Byte on Thu Apr 27, 2023 9:48 am; edited 3 times in total |
|
| Back to top |
|
|
panraven
Grandmaster Cheater
![]() Reputation: 62
Joined: 01 Oct 2008
Posts: 958
|
| Posted: Thu Apr 27, 2023 9:14 am Post subject: |
|
|
| gir489 wrote: | | panraven wrote: | Hopefully it is relevant:
| Code: |
-- test in a 64bit process
...
print('check:',autoAssembleCheck(code)) -- syntaxcheck will fail as no actuall scan run on check, so symbol not right
print('exec: ',tostring(autoAssemble(code))) -- in actuall run, symbol is right and so the pointer type cast
...
|
|
I get an error "Failure to determine what __X means." |
Read the comment, it explain why error in syntaxcheck phase, but work in actuall execute.
A ${RunScanOnCheck} option that allow AA Aobscan* do actual scan while syntaxcheck to get 'right' symbol may avoid this annoyance.
Allow scan on syntaxcheck may be best for AOBScanRegion and AOBScanModule as their scan range is limited.
@Pointer type cast
May follow this link https://forum.cheatengine.org/viewtopic.php?t=617995#5772328
_________________
- Retarded. |
|
| Back to top |
|
|
gir489
Grandmaster Cheater
![]() Reputation: 14
Joined: 03 Jan 2012
Posts: 841
Location: Maryland, United States
|
| Posted: Thu Apr 27, 2023 2:21 pm Post subject: |
|
|
| Dark Byte wrote: | use lua and createDisassembler and then disassemble the result of aobscan and then register the parameter as a symbol
anyhow, I think your code can be written in full AA as well:
| Code: |
label(functionaddress)
registersymbol(functionaddress)
aobscanmodule(bla,client.exe,E8 ? ? ? ? 83 C4 04 25)
bla+5+(LONG)[bla+1]:
functionaddress:
|
|
Thanks, that works. It whines and complains about the bla+5+(LONG)[bla+1] using invalid addresses, but the script is able to assemble at runtime.
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
