Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
Getting a fatal error when trying to change value

 
Pixelated Abyss
How do I cheat?
Reputation: 0

Joined: 16 Jun 2024
Posts: 3

Posted: Sun Jun 16, 2024 6:45 am    Post subject: Getting a fatal error when trying to change value

I'm trying to change a value using a script for the game Vertical Kingdom. I can change the value manually, but when I follow the tutorial to change the value with a script, the game gives me a fatal error as soon as the value changes.

I'm not quite sure what I'm doing, so I could use some help.

Code:
{
  Game   : Vertical Kingdom
  Version:
  Date   : 2024-06-16
  Author : Pixelated Abyss

  This script does blah blah blah
}

define(address,"VerticalKingdom-Win64-Shipping.exe"+DE66CD)
define(bytes,01 B9 EC 02 00 00)

[ENABLE]
assert(address,bytes)
alloc(newmem,$1000,"VerticalKingdom-Win64-Shipping.exe"+DE66CD)

label(code)
label(return)

label(Brick)
registerSymbol(Brick)

newmem:
code:
  push rax // push/save the register.
  mov eax,[Brick] // EAX is the low 32 bits of RAX
  add [r11+14],eax // the operand size is determined by the size of the register.
  pop rax // pop/restore the register.
  jmp return

  align 10 CC // align the memory to be assembled.

Brick:
  dd (int)200

address:
  jmp newmem

return:

[DISABLE]
address:
  db bytes

dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: VerticalKingdom-Win64-Shipping.exe+DE66CD

VerticalKingdom-Win64-Shipping.exe+DE66A2: 01 83 D4 02 00 00     - add [rbx+000002D4],eax
VerticalKingdom-Win64-Shipping.exe+DE66A8: 33 F6                 - xor esi,esi
VerticalKingdom-Win64-Shipping.exe+DE66AA: 48 8B CB              - mov rcx,rbx
VerticalKingdom-Win64-Shipping.exe+DE66AD: C6 83 3C 05 00 00 01  - mov byte ptr [rbx+0000053C],01
VerticalKingdom-Win64-Shipping.exe+DE66B4: 89 B3 E4 02 00 00     - mov [rbx+000002E4],esi
VerticalKingdom-Win64-Shipping.exe+DE66BA: 8D 56 01              - lea edx,[rsi+01]
VerticalKingdom-Win64-Shipping.exe+DE66BD: E8 1E 8D 00 00        - call VerticalKingdom-Win64-Shipping.exe+DEF3E0
VerticalKingdom-Win64-Shipping.exe+DE66C2: E9 B6 03 00 00        - jmp VerticalKingdom-Win64-Shipping.exe+DE6A7D
VerticalKingdom-Win64-Shipping.exe+DE66C7: 41 83 F8 04           - cmp r8d,04
VerticalKingdom-Win64-Shipping.exe+DE66CB: 75 56                 - jne VerticalKingdom-Win64-Shipping.exe+DE6723
// ---------- INJECTING HERE ----------
VerticalKingdom-Win64-Shipping.exe+DE66CD: 01 B9 EC 02 00 00     - add [rcx+000002EC],edi
// ---------- DONE INJECTING  ----------
VerticalKingdom-Win64-Shipping.exe+DE66D3: 8B 81 EC 02 00 00     - mov eax,[rcx+000002EC]
VerticalKingdom-Win64-Shipping.exe+DE66D9: 8B 89 B4 06 00 00     - mov ecx,[rcx+000006B4]
VerticalKingdom-Win64-Shipping.exe+DE66DF: 3B C1                 - cmp eax,ecx
VerticalKingdom-Win64-Shipping.exe+DE66E1: 7E 08                 - jle VerticalKingdom-Win64-Shipping.exe+DE66EB
VerticalKingdom-Win64-Shipping.exe+DE66E3: 89 8B EC 02 00 00     - mov [rbx+000002EC],ecx
VerticalKingdom-Win64-Shipping.exe+DE66E9: 8B C1                 - mov eax,ecx
VerticalKingdom-Win64-Shipping.exe+DE66EB: 80 7C 24 50 00        - cmp byte ptr [rsp+50],00
VerticalKingdom-Win64-Shipping.exe+DE66F0: 0F 84 87 03 00 00     - je VerticalKingdom-Win64-Shipping.exe+DE6A7D
VerticalKingdom-Win64-Shipping.exe+DE66F6: 85 C0                 - test eax,eax
VerticalKingdom-Win64-Shipping.exe+DE66F8: 0F 89 7F 03 00 00     - jns VerticalKingdom-Win64-Shipping.exe+DE6A7D
}


Last edited by Pixelated Abyss on Mon Jun 17, 2024 5:10 am; edited 2 times in total
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4709

Posted: Sun Jun 16, 2024 11:04 am

The `return` label isn't aligned. The original code is 6 bytes, and the jump is 5 bytes. You need a single `nop` to align it properly. Don't delete stuff randomly from the code the "Full Injection" template generates. If you didn't use the template, start doing so. There are several small details like this you'll miss.

You didn't execute the original code. I'm not sure if that's intentional or not, but it's usually important.

Are you sure r11 is a valid pointer at this injection point? If r11+0x14 isn't a valid address, that's going to crash.

Maybe the original code and/or your new code is writing to more addresses than you think. Right click the instructions in the disassembler -> "Find out what addresses this instruction accesses"

You shouldn't delete the comment at the bottom that gets generated with the "Full injection" and "AOB injection" templates. The code around the injection point is useful for others to help you and for anyone to update the script in the future should it ever break.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Pixelated Abyss
How do I cheat?
Reputation: 0

Joined: 16 Jun 2024
Posts: 3

Posted: Mon Jun 17, 2024 5:00 am

Hmm, okay. Where can I find information about return label alignment? I deleted the 'nop' because it wasn't present in the screenshot examples.

I'm unsure what you mean by this; how do I execute the original code?

I have no clue whether r11 is a valid pointer at this injection point; I just used what the template generated. Some more information on this would be appreciated.

No, I know that for sure, I checked and there's only 1 address this code is writing to.

I only deleted that while I was trying to work out how the auto assembler works, but I'll keep that in mind in future, thank you.

Edit:
I just added the 'nop' now, and now instead of an error message popping up saying 'Fatal Error!' it just freezes then crashes.

I'm trying to change a resource value here, and when I use the code I've written it doesn't change, but when I do an action that uses that resource, that's when it crashes.

Maybe I should be doing something differently?

I've also added the generated injection code information back into the original post.
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4709

Posted: Mon Jun 17, 2024 12:51 pm

Pixelated Abyss wrote:
Where can I find information about return label alignment? I deleted the 'nop' because it wasn't present in the screenshot examples.
The original code is a single 6-byte instruction. The `jmp newmem` instruction takes up 5 bytes. In order for `jmp return` to jump to the instruction after the original code, i.e. `game.exe+DE66D3 - mov eax,[rcx+000002EC]`, the `return` label can't be placed immediately after the `jmp newmem` instruction. There has to be a single byte of padding so that the `return` label is located at the correct address, i.e. the address of the instruction after the code at the injection point.
If you don't know what something does, it's usually not a good idea to delete it.

Pixelated Abyss wrote:
I'm unsure what you mean by this, how do I execute the original code?
Take the original code at the injection point and put it in your injected code. This code is the instruction(s) that `jmp newmem` overwrites, i.e. `add [rcx+000002EC],edi`. The template automatically puts it there.

Pixelated Abyss wrote:
I have no clue whether r11 is a valid pointer at this injection point, I just used what the template generated.
The template could not have generated that.
The original instruction, `01 B9 EC 02 00 00 - add [rcx+000002EC],edi`, would've been put there. I don't know where `add [r11+14],eax` comes from. Maybe it was whatever guide you were copying from?

_________________
I don't know where I'm going, but I'll figure it out when I get there.
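The two mechanical points ParkourPenguin raises in the replies above (the `return` label must land on the first instruction after the bytes the 5-byte `jmp newmem` overwrites, and every overwritten instruction has to be re-executed inside `newmem`) can be checked from the disassembly listing the auto assembler template leaves in the script. The Python below is an added example, not code from the thread or from Cheat Engine: it parses a constructed slice of the listing quoted in the first post, mirrors the `assert(address,bytes)` check, and computes the stolen instructions, the number of `nop` pad bytes and the return offset for a hook at a given address. It generalizes beyond the thread's case to an injection point whose instruction is shorter than the jump, where several instructions get stolen and any relative branch among them must be reassembled with its symbolic target rather than copied as raw bytes. `JMP_REL32_LEN` assumes the 5-byte jump form the replies describe.

```python
import re

# Constructed sample: a slice of the disassembly listing quoted earlier in this
# thread, in Cheat Engine's "module+offset: bytes - mnemonic" format. The
# "// ---------- INJECTING HERE ----------" marker lines are skipped by the parser.
LISTING = """
VerticalKingdom-Win64-Shipping.exe+DE66CB: 75 56                 - jne VerticalKingdom-Win64-Shipping.exe+DE6723
// ---------- INJECTING HERE ----------
VerticalKingdom-Win64-Shipping.exe+DE66CD: 01 B9 EC 02 00 00     - add [rcx+000002EC],edi
// ---------- DONE INJECTING  ----------
VerticalKingdom-Win64-Shipping.exe+DE66D3: 8B 81 EC 02 00 00     - mov eax,[rcx+000002EC]
VerticalKingdom-Win64-Shipping.exe+DE66D9: 8B 89 B4 06 00 00     - mov ecx,[rcx+000006B4]
VerticalKingdom-Win64-Shipping.exe+DE66DF: 3B C1                 - cmp eax,ecx
"""

LINE_RE = re.compile(
    r"^(?P<module>[^+\s]+)\+(?P<off>[0-9A-Fa-f]+):\s+"
    r"(?P<bytes>(?:[0-9A-Fa-f]{2}\s+)+)-\s+(?P<asm>.+)$"
)

# Assumption: the auto assembler places an E9 rel32 jump (5 bytes) at `address`,
# which is the form the replies in this thread discuss.
JMP_REL32_LEN = 5


def parse_listing(text):
    """Parse listing lines into dicts holding offset, raw bytes and mnemonic text."""
    insns = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # injection markers and other comment lines
        insns.append({
            "offset": int(m["off"], 16),
            "bytes": bytes.fromhex(m["bytes"]),  # fromhex ignores the spaces
            "asm": m["asm"].strip(),
        })
    return insns


def original_bytes_match(insns, inject_offset, expected_hex):
    """What `assert(address,bytes)` checks: are the expected bytes still at the injection point?"""
    for ins in insns:
        if ins["offset"] == inject_offset:
            return ins["bytes"] == bytes.fromhex(expected_hex)
    return False


def plan_hook(insns, inject_offset, jmp_len=JMP_REL32_LEN):
    """Return (stolen instructions, nop padding, return offset) for a jmp_len-byte hook.

    The jump overwrites whole instructions, so it steals instructions until at least
    jmp_len bytes are covered; the surplus is the padding that puts `return` on the
    first untouched instruction.
    """
    idx = next(i for i, ins in enumerate(insns) if ins["offset"] == inject_offset)
    stolen, consumed = [], 0
    for ins in insns[idx:]:
        if consumed >= jmp_len:
            break
        stolen.append(ins)  # these must be re-executed inside newmem
        consumed += len(ins["bytes"])
    if consumed < jmp_len:
        raise ValueError("listing too short to cover the jump")
    padding = consumed - jmp_len  # number of `nop` bytes after `jmp newmem`
    return stolen, padding, inject_offset + consumed


def position_dependent(stolen):
    """Stolen relative branches/calls: copying their raw bytes into newmem would
    retarget them, so they need reassembling with their symbolic destination."""
    flagged = []
    for ins in stolen:
        mnemonic = ins["asm"].split()[0]
        if mnemonic == "call" or mnemonic.startswith("j"):
            flagged.append(ins["asm"])
    return flagged


if __name__ == "__main__":
    insns = parse_listing(LISTING)
    print("bytes intact:", original_bytes_match(insns, 0xDE66CD, "01 B9 EC 02 00 00"))
    stolen, padding, ret = plan_hook(insns, 0xDE66CD)
    for ins in stolen:
        print("re-execute in newmem:", ins["asm"])
    print(f"padding: {padding} nop(s); return label -> +{ret:X}")
    print("needs symbolic reassembly:", position_dependent(stolen))
```

Run against the thread's injection point the script reports one stolen instruction (`add [rcx+000002EC],edi`), one `nop` of padding and a return offset of `+DE66D3`, which is exactly the layout the template generates and the first post had removed. Planning the same hook one instruction earlier, at the 2-byte `jne`, shows the general case: two instructions are stolen, three `nop`s are needed, and the relative `jne` is flagged because it cannot be relocated byte-for-byte.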
Pixelated Abyss
How do I cheat?
Reputation: 0

Joined: 16 Jun 2024
Posts: 3

Posted: Mon Jun 17, 2024 5:42 pm

Quote:
The original code is a single 6-byte instruction. The `jmp newmem` instruction takes up 5 bytes. In order for `jmp return` to jump to the instruction after the original code, i.e. `game.exe+DE66D3 - mov eax,[rcx+000002EC]`, the `return` label can't be placed immediately after the `jmp newmem` instruction. There has to be a single byte of padding so that the `return` label is located at the correct address, i.e. the address of the instruction after the code at the injection point.
If you don't know what something does, it's usually not a good idea to delete it.

Thanks so much! That clears it up a lot.

Quote:
Take the original code at the injection point and put it in your injected code. This code is the instruction(s) that `jmp newmem` overwrites, i.e. `add [rcx+000002EC],edi`. The template automatically puts it there.

Ahhh, I see now; the guide doesn't explain some bits well.

Quote:
The template could not have generated that.
The original instruction, `01 B9 EC 02 00 00 - add [rcx+000002EC],edi`, would've been put there. I don't know where `add [r11+14],eax` comes from. Maybe it was whatever guide you were copying from?

Ah yes, I mistakenly copied it over from the guide. It's actually working perfectly now, thanks so much! I appreciate the patience and help.