Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
.:[Beginner]:. Insight on CE Scripts
Cheat Engine Forum Index -> Cheat Engine Tutorials -> Auto Assembler tutorials
Labyrnth
Moderator
Reputation: 9

Joined: 28 Nov 2006
Posts: 6285

Posted: Sun Jul 01, 2007 1:27 pm    Post subject: .:[Beginner]:. Insight on CE Scripts

There have been numerous questions about how to write scripts using CE.
But people don't realize that you can write them several ways, and do not know where to start to get one written.
1. Allocated Toggleable Scripts = Toggleable scripts used within CE.
2. Allocated Code Injection = Normal permanent injection during game play.
3. Manual/Non-Allocated Code cave injected toggleable script *used for trainer options.
4. Also another script used to write bytes, just like you would with TMK or VB trainers.
5. All of the above can be rewritten just a bit to handle code shifting, and I will show this also.

I'm going to show each one and explain a few things about each so you can get a basic grasp on when and why I would use them.
Needed:
Cheat Engine 5.3
MineSweeper.exe
--------------------------------------------------------------------------------------
Allocated Toggleable Script:
Here we have a basic code injection from CE that uses allocated caves.
You assign it to the cheat list and just toggle it from CE.
This script will not work on a trainer generated by CE.
These are good for making a release of a CT to pass out for people to use.
What it does:
This is the flags for Minesweeper; you start with 10. The script makes you have 99.
This script moves hexadecimal 63 into EAX. The value of EAX is 99 in decimal. Use your Windows calculator to find out that 63 is 99 in decimal.
When untoggled, the end of this script writes the original instructions back to the game so it will be normal again.
Code:
[ENABLE]
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)

0100346E:
jmp newmem
nop
returnhere:

newmem:
mov eax,63

originalcode:
add [01005194],eax

exit:
jmp returnhere

[DISABLE]
dealloc(newmem)
0100346E:
add [01005194],eax


Next we have a regular code injection:
This one is permanent while the game is up. It does the same thing as the above script, but this one does not have a toggle to undo the changes.
Code:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

0100346E:
jmp newmem
nop
returnhere:

newmem:
mov eax,63

originalcode:
add [01005194],eax

exit:
jmp returnhere


Next is a script you can use for trainers or a CT. It can be toggled just the same as the first script. But the difference is, this one has a manually found code cave and we are not using alloc/allocated memory for it. This script will work in trainers generated by CE.
*I will show how to look for caves later in this thread. It does the same as the above scripts.
Code:
[ENABLE]
label(back)

010002EC:
mov eax,63
add [01005194],eax
jmp back

0100346E:
jmp 010002EC
nop
back:

[DISABLE]
0100346E:
add [01005194],eax


Now for the DB script. This script will also work for trainers, but you need a good understanding of hexadecimal and decimal to use this one.
It is basically just like TMK's "Poke" or writing to an address in VB.
DB does the same. E.g.:
TMK
Code:
Poke 0100346E 01 05 94 51 00 01 63 90 90 90 90

VB
Code:
Private Sub Command1_Click()
Call LAB(&H0100346E, &H01)
Call LAB(&H0100346F, &H05)
Call LAB(&H01003470, &H94)
Call LAB(&H01003471, &H51)
Call LAB(&H01003472, &H00)
Call LAB(&H01003473, &H01)
Call LAB(&H01003474, &H63)
Call LAB(&H01003475, &H90)
Call LAB(&H01003476, &H90)
Call LAB(&H01003477, &H90)
Call LAB(&H01003478, &H90)
End Sub

These alter the bytes of memory representing the assembly instructions. Opcodes is another word for what they change.
*This script will crash Minesweeper, but it is just an example to show how it is used anyway. Also see the animated image to see what it does.
Code:

[ENABLE]
0100346E:
db 01 05 94 51 00 01 63 90 90 90 90

[DISABLE]
0100346E:
db 01 05 94 51 00 01 E8 88 F3 FF FF


Here are a couple of images showing on and off for the above script (ON/ENABLED and Off/DISABLED).

Now we have examples of all these scripts shown and basic usage kind of explained. Now I will do some brief explaining about looking for a cave, and doing a script for code shifting. Also, for you TMK users, you can use memory view to look at the OpCodes and addresses so you can use them in TMK, writing down the address and the OpCodes for the cave, jumps, and injected code.
--------------------------------------------------------------------------------------
How to look for a code cave and use it.:
In the script here we have a non-allocated injection.
The reason for this is so we can use it to make a trainer with Cheat Engine. It is a simple workaround because we can't use alloc in a trainer made by CE.
Code:
[ENABLE]
label(back)

010002EC:             // This is the code cave
mov eax,63            // This is our code we wrote to the cave
add [01005194],eax    // Written to the cave as well
jmp back              // Jump back to the original game code from the cave

0100346E:             // original address found from "Find what writes to it"
jmp 010002EC          // jump to the cave when the game code hits this address
nop                   // Cleaning up left over bytes
back:                 // return location, so we have somewhere to jump back to after the cave has done its work

[DISABLE]
0100346E:             // original address
add [01005194],eax    // restores the removed original code


So we need the address we found in both views of memory.
This way we can see the base address and the module we are in.

To look for a cave you can use any code caver, but CE has one built in so we will use that.

Now we know what the base address is by looking in memory view.
So we start our scan at that address; 256 in size should be plenty large enough.

Once it is finished we can choose one it found.
As you can see, the cave is nothing but 0's. This is empty space within the module we are scanning in. We can use this to inject any code we want.


Now, we want the flags to be 99.
1. So we write our first part of the script.
Code:
[ENABLE]

2. We need a label for the jumps.
Code:
 
[ENABLE]
label(back)


3. Now we put the cave address we found.
Code:
 
[ENABLE]
label(back)

010002EC:


4. Next we put the code we want; this is written to our cave.
* If you use your Windows calculator you can see that 63 is hexadecimal for 99 in decimal. This will give us 99 flags in Minesweeper.
Also we include the original instruction we had, and we use the label to jump back to the game code with "jmp back".
Code:
 
[ENABLE]
label(back)

010002EC:
mov eax,63
add [01005194],eax
jmp back


5. Next we add our original address. This will make the script jump to our code cave when it hits jmp 010002EC. Then it will execute mov eax,63 and then add [01005194],eax, then jmp back to the game code so the game doesn't crash. The trailing nop needs to be there to clean up any left over bytes that would cause problems. And back: is how it knows where to jump back to so the game code can continue.
Code:
 
[ENABLE]
label(back)

010002EC:
mov eax,63
add [01005194],eax
jmp back

0100346E:
jmp 010002EC
nop
back:


6. Last we add [DISABLE] and the original instruction so it can undo the changes we made and turn off the cheat.
Code:
 
[ENABLE]
label(back)

010002EC:
mov eax,63
add [01005194],eax
jmp back

0100346E:
jmp 010002EC
nop
back:

[DISABLE]
0100346E:
add [01005194],eax


That's all there is to it, to manually use a code cave and to complete a script to use in the Cheat Engine Trainer Builder.
--------------------------------------------------------------------------------------

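As an added example (not from Labyrnth's post or from Cheat Engine itself), this Python script works out, for the tutorial's Minesweeper addresses, the bytes that the manual code-cave script above ends up writing: the 5-byte jmp to the cave padded with a nop to the 6-byte length of `add [01005194],eax`, the cave body ending in `jmp back`, and the zero-run scan CE does when it finds the cave. `hook_target` is the reverse check, reading a rel32 jmp back to its destination, which is what you do when inspecting a patched instruction; the module image in the test is constructed.

```python
import struct
from typing import Optional, Tuple

# Addresses and bytes taken from the tutorial's Minesweeper scripts.
HOOK_ADDR = 0x0100346E                    # site of "add [01005194],eax"
CAVE_ADDR = 0x010002EC                    # code cave the CE scan found
ORIGINAL = bytes.fromhex("010594510001")  # 01 05 + little-endian 01005194

def mov_eax_imm32(value: int) -> bytes:
    """Encode 'mov eax,imm32' (B8 + 4-byte little-endian immediate)."""
    return b"\xB8" + struct.pack("<I", value)

def jmp_rel32(src: int, dst: int) -> bytes:
    """Encode 'jmp dst' assembled at src: E9 + signed displacement
    measured from the end of the 5-byte instruction."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))

def build_hook(hook_addr: int, cave_addr: int, original: bytes,
               payload: bytes) -> Tuple[bytes, bytes]:
    """Return (bytes for the hook site, bytes for the cave).
    The jmp is NOP-padded to exactly the length of the instruction it
    replaces (the tutorial's trailing 'nop'); the cave runs the payload,
    re-executes the displaced instruction and jumps to 'back:'."""
    site = jmp_rel32(hook_addr, cave_addr)
    if len(site) > len(original):
        raise ValueError("replaced instruction is shorter than a 5-byte jmp")
    site += b"\x90" * (len(original) - len(site))
    back = hook_addr + len(original)                 # the 'back:' label
    body = payload + original
    cave = body + jmp_rel32(cave_addr + len(body), back)
    return site, cave

def find_cave(image: bytes, base: int, size: int) -> Optional[int]:
    """Lowest address of a run of `size` zero bytes in a module image
    loaded at `base`: the manual equivalent of CE's code-cave scan."""
    idx = image.find(b"\x00" * size)
    return None if idx < 0 else base + idx

def hook_target(site: bytes, addr: int) -> Optional[int]:
    """If the bytes at addr start with a rel32 jmp, return where it lands.
    This is the check applied when inspecting a possibly patched instruction."""
    if len(site) < 5 or site[0] != 0xE9:
        return None
    return addr + 5 + struct.unpack("<i", site[1:5])[0]

if __name__ == "__main__":
    site, cave = build_hook(HOOK_ADDR, CAVE_ADDR, ORIGINAL, mov_eax_imm32(99))
    print("0100346E:", site.hex(" "))  # E9 79 CE FF FF 90
    print("010002EC:", cave.hex(" "))  # B8 63 00 00 00 01 05 94 51 00 01 E9 78 31 00 00
```

The cave bytes show why the script's `mov eax,63` is `B8 63 00 00 00` (CE reads 63 as hex, i.e. 99), and the disable section simply writes `ORIGINAL` back over the six patched bytes.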
BRONiUS
Expert Cheater
Reputation: 0

Joined: 26 Jun 2006
Posts: 154
Location: Vilnius, Lithuania

Posted: Mon Jul 02, 2007 12:48 am

And noone has replied... Nice.
samuri25404
Grandmaster Cheater
Reputation: 7

Joined: 04 May 2007
Posts: 955
Location: Why do you care?

Posted: Mon Jul 02, 2007 7:07 pm

Awesome job, I wish you would have put this out when I was learning how to write scripts.

+Rep for you.
raban
Newbie cheater
Reputation: 0

Joined: 25 Jun 2007
Posts: 12

Posted: Tue Jul 10, 2007 2:12 pm

I tried to make one and it said: "Not all the instructions could be injected"
How to get rid of that, or can't we do anything? (I tried to inject my code into a game)
Labyrnth
Moderator
Reputation: 9

Joined: 28 Nov 2006
Posts: 6285

Posted: Tue Jul 10, 2007 5:39 pm

raban wrote:
I tried to make one and it said: "Not all the instructions could be injected"
How to get rid of that, or can't we do anything? (I tried to inject my code into a game)


You don't hit the button to inject it...

You click "file" and then select "assign to current cheat table" after you write it.

spedchyyz
Master Cheater
Reputation: 0

Joined: 16 Jun 2007
Posts: 268
Location: what ?

Posted: Wed Jul 11, 2007 1:29 am    Post subject: tyvm

tyvm very helpful +Rep
aww sorry... I have to wait 963387850 seconds to give a + rep but when I can...
FreeFry
Cheater
Reputation: 0

Joined: 12 Jan 2005
Posts: 44

Posted: Mon Jul 16, 2007 4:44 pm    Post subject: Re: .:[Beginner]:. Insight on CE Scripts

Labyrnth wrote:

Code:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

0100346E:
jmp newmem
nop
returnhere:

newmem:
mov eax,63

originalcode:
add [01005194],eax

exit:
jmp returnhere


Next is a script you can use for trainers or a CT. It can be toggled just the same as the first script. But the difference is, this one has a manually found code cave and we are not using alloc/allocated memory for it. This script will work in trainers generated by CE.


So will the ones above that example, as automatic allocation of memory is supported also by the trainers created by CE.

Just wanted to clarify that.

Otherwise, superb tutorial!

spedchyyz wrote:
tyvm very helpful +Rep
aww sorry... I have to wait 963387850 seconds to give a + rep but when I can...


omfg, in 30 years?
Shikakapoop
Expert Cheater
Reputation: 2

Joined: 29 Nov 2006
Posts: 128

Posted: Mon Jul 16, 2007 7:00 pm

Awesome tutorial.


EDIT: WOW, this helped a shitload after playing around with db and codecaves!! <333333333 +REP.... in 11 hours anyway.

slsl0
Newbie cheater
Reputation: 0

Joined: 12 Jul 2007
Posts: 18

Posted: Tue Jul 17, 2007 9:08 pm

Thanks, I'm pretty good at finding and changing addresses but never really got into the scripts in CE.
Labyrnth
Moderator
Reputation: 9

Joined: 28 Nov 2006
Posts: 6285

Posted: Thu Jul 19, 2007 12:56 pm

FreeFry wrote:

as automatic allocation of memory is supported also by the trainers created by CE.
Just wanted to clarify that.
Otherwise, superb tutorial!


Clarify when you know what you speak of.
NO. CE 5.3 does not let you use ALLOC in trainers.
You have to find your own cave.

Last edited by Labyrnth on Fri Nov 02, 2007 1:40 am; edited 1 time in total
bach12345
Cheater
Reputation: 0

Joined: 25 Aug 2007
Posts: 33
Location: right behind you!

Posted: Sun Nov 04, 2007 9:43 pm

Is the address different for each person?
NINTENDO
Grandmaster Cheater Supreme
Reputation: 0

Joined: 02 Nov 2007
Posts: 1371

Posted: Mon Nov 05, 2007 6:51 am    Post subject: YEAH! go for it man :)

Man, this is awesome!
I didn't even know you could code usin' CE

Gonna try this one at my place usin' my comp. I better not do this usin' a school comp

But where is the limits? I mean can i code a trainer using this?
Norice4u
Expert Cheater
Reputation: 0

Joined: 03 May 2007
Posts: 172

Posted: Mon Nov 05, 2007 6:54 am

Thanks, this is very helpful. Now I can try to write some.
52mxd2006
How do I cheat?
Reputation: 0

Joined: 02 Nov 2007
Posts: 2

Posted: Wed Nov 07, 2007 1:54 am

Good job, really helpful for me, thanks a lot.
Mechaaa
Cheater
Reputation: 0

Joined: 24 Oct 2007
Posts: 37

Posted: Mon Dec 03, 2007 11:33 am

+Rep (Y)
Great Tut