Labyrnth Moderator Reputation: 9
Joined: 28 Nov 2006 Posts: 6285
Posted: Sun Jul 01, 2007 1:27 pm Post subject: .:[Beginner]:. Insight on CE Scripts
There have been numerous questions about how to write scripts using CE.
But people don't realize that you can write them several ways, and don't know where to start to get one written.
1. Allocated Toggleable Scripts = Toggleable scripts used within CE.
2. Allocated Code Injection = Normal permanent injection during game play.
3. Manual/Non Allocated Code cave injected toggleable script *used for trainer options.
4. Also another script used to write bytes. Just like you would with TMK or VB trainers.
5. All of the above can be rewritten just a bit to handle code shifting and I will show this also.
I'm going to show each one and explain a few things about each so you can get a basic grasp on when and why I would use them.
Needed:
Cheat Engine 5.3
MineSweeper.exe
--------------------------------------------------------------------------------------
Allocated Toggleable Script:
Here we have a basic code injection from CE that uses allocated caves.
You assign it to the cheat list and just toggle it from CE.
This script will not work on a trainer generated by CE.
These are good for making a release of a CT to pass out for people to use.
What it does:
This is the flags for Minesweeper; you start with 10. The script makes you have 99.
This script moves hexadecimal 63 into EAX. The value of EAX is 99 in decimal. Use your windows calculator to find out 63 is 99 in decimal.
The end of this script when untoggled will write the original instructions back to the game so it will be normal again.
Code:
[ENABLE]
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)

0100346E:
jmp newmem
nop
returnhere:

newmem:
mov eax,63

originalcode:
add [01005194],eax

exit:
jmp returnhere

[DISABLE]
dealloc(newmem)
0100346E:
add [01005194],eax
Next we have a regular code injection:
This one is permanent while the game is up. It does the same thing as the above script, but this one does not have a toggle to undo the changes.
Code:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

0100346E:
jmp newmem
nop
returnhere:

newmem:
mov eax,63

originalcode:
add [01005194],eax

exit:
jmp returnhere
Next is a script you can use for trainers or a CT. It can be toggled just the same as the first script, but the difference is that this one uses a manually found code cave instead of alloc/allocated memory. This script will work in trainers generated by CE.
*I will show how to look for caves later in this thread. It does the same as the above scripts.
Code:
[ENABLE]
label(back)

010002EC:
mov eax,63
add [01005194],eax
jmp back

0100346E:
jmp 010002EC
nop
back:

[DISABLE]
0100346E:
add [01005194],eax
Now for the DB script. This script will also work for trainers, but you need a good understanding of hexadecimal and decimal to use this one.
It is basically just like TMK's "Poke" or writing to an address in VB.
DB does the same. Eg:
TMK Code:
Poke 0100346E 01 05 94 51 00 01 63 90 90 90 90
VB Code:
' LAB is assumed to be the trainer's own write-byte routine (address, value); it is not shown in this thread
Private Sub Command1_Click()
Call LAB(&H0100346E, &H01)
Call LAB(&H0100346F, &H05)
Call LAB(&H01003470, &H94)
Call LAB(&H01003471, &H51)
Call LAB(&H01003472, &H00)
Call LAB(&H01003473, &H01)
Call LAB(&H01003474, &H63)
Call LAB(&H01003475, &H90)
Call LAB(&H01003476, &H90)
Call LAB(&H01003477, &H90)
Call LAB(&H01003478, &H90)
End Sub
These alter the bytes of memory representing the assembly instructions; opcodes is another word for what they change.
*This script will crash Minesweeper, but it is just an example to show how it is used anyway. Also see the animated image to see what it does.
Code:
[ENABLE]
0100346E:
db 01 05 94 51 00 01 63 90 90 90 90

[DISABLE]
0100346E:
db 01 05 94 51 00 01 E8 88 F3 FF FF
Here are a couple of images showing on and off for the above script.
[Image: ON/ENABLED]
[Image: OFF/DISABLED]
Now we have examples of all these scripts shown and basic usage kind of explained. Next I will do some brief explaining about looking for a cave, and doing a script for code shifting. Also, for you TMK users, you can use memory view to look at the opcodes and addresses so you can use them in TMK, writing down the address and the opcodes for the cave, jumps, and injected code.
--------------------------------------------------------------------------------------
How to look for a code cave and use it:
In the script here we have a non-allocated injection.
The reason for this is so we can use it to make a trainer with Cheat Engine. It is a simple workaround because we can't use alloc in a trainer made by CE.
Code:
[ENABLE]
label(back)

010002EC:            // this is the code cave
mov eax,63           // this is our code, written to the cave
add [01005194],eax   // written to the cave as well (the original instruction)
jmp back             // jump back to the original game code from the cave

0100346E:            // original address found from "Find what writes to it"
jmp 010002EC         // jump to the cave when the game code hits this address
nop                  // cleaning up the leftover byte
back:                // the return location, so we have somewhere to jump back to after the cave has done its work

[DISABLE]
0100346E:            // original address
add [01005194],eax   // restores the removed code to the original
So we need the address we found in both views of memory.
This way we can see the base address and the module we are in.
To look for a cave you can use any code caver, but CE has one built in so we will use that.
Now we know what the base address is by looking in memory view.
So we start our scan at that address; 256 in size should be plenty large enough.
Once it is finished we can choose one it found.
As you can see, the cave is nothing but 0's. This is empty space within the module we are scanning in. We can use this to inject any code we want.
Now, we want the flags to be 99.
1. So we write our first part of the script.
2. We need a label for the jumps.
Code:
[ENABLE]
label(back)
3. Now we put the cave address we found.
Code:
[ENABLE]
label(back)
010002EC:
4. Next we put the code we want; this is written to our cave.
* If you use your Windows calculator you can see that 63 is hexadecimal for 99 in decimal. This will give us 99 flags in Minesweeper.
We also include the original instruction we had, and we use the label to jump back to the game code: "jmp back".
Code:
[ENABLE]
label(back)
010002EC:
mov eax,63
add [01005194],eax
jmp back
5. Next we add our original address. This will make the script jump to our code cave when it hits jmp 010002EC. Then it will execute mov eax,63 and then add [01005194],eax, then jmp back to the game code so the game doesn't crash. The trailing nop needs to be there to clean up any leftover bytes that would cause problems. And back: is how it knows where to jump back to so the game code can continue.
Code:
[ENABLE]
label(back)
010002EC:
mov eax,63
add [01005194],eax
jmp back
0100346E:
jmp 010002EC
nop
back:
6. Last we will add [DISABLE] and the original instruction so it can undo the changes we made and turn off the cheat.
Code:
[ENABLE]
label(back)
010002EC:
mov eax,63
add [01005194],eax
jmp back
0100346E:
jmp 010002EC
nop
back:
[DISABLE]
0100346E:
add [01005194],eax
That's all there is to it: how to manually use a code cave and complete a script to use in the Cheat Engine Trainer Builder.
--------------------------------------------------------------------------------------
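A worked example added to this thread (not the original poster's code): it encodes the same detour the label(back) script builds, using the thread's addresses (hook site 0100346E, cave 010002EC) and the opcodes from the db script, and then runs the check a memory-integrity tool would run on the hook site: compare against the known-good bytes and, if they differ, resolve where the E9 jump leads. A 32-bit process is assumed; the function names are this example's own.

```python
import struct

# Addresses and opcodes below are the ones the thread uses for Minesweeper;
# the function names and the check logic are constructed for this example.
HOOK_ADDR = 0x0100346E                          # site of add [01005194],eax
CAVE_ADDR = 0x010002EC                          # empty cave found with CE's scanner
ORIGINAL = bytes.fromhex("01 05 94 51 00 01")   # add [01005194],eax, 6 bytes


def rel32(src, dst):
    """Signed displacement for a 5-byte E8 call / E9 jmp at src, relative to the next instruction."""
    return struct.pack("<i", dst - (src + 5))


def jmp(src, dst):
    return b"\xE9" + rel32(src, dst)


def build_detour(hook=HOOK_ADDR, cave=CAVE_ADDR, original=ORIGINAL, value=0x63):
    """Bytes equivalent to the thread's label(back) script: (hook site bytes, cave bytes)."""
    if len(original) < 5:
        raise ValueError("displaced instruction is shorter than a 5-byte jmp")
    cave_code = b"\xB8" + struct.pack("<I", value)              # mov eax,63
    cave_code += original                                       # displaced add [01005194],eax
    back = hook + len(original)                                 # the back: label
    cave_code += jmp(cave + len(cave_code), back)               # jmp back
    hook_code = jmp(hook, cave)                                 # jmp 010002EC (5 bytes)
    hook_code += b"\x90" * (len(original) - len(hook_code))     # trailing nop fills byte 6
    return hook_code, cave_code


def resolve_rel32(addr, code):
    """Target of an E8 call or E9 jmp located at addr, or None if code starts with neither."""
    if len(code) < 5 or code[0] not in (0xE8, 0xE9):
        return None
    return (addr + 5 + struct.unpack("<i", code[1:5])[0]) & 0xFFFFFFFF


def check_site(addr, observed, expected):
    """Defender-side check: do the bytes read at addr still match the known-good opcodes?"""
    if observed[: len(expected)] == expected:
        return "clean"
    target = resolve_rel32(addr, observed)
    if target is not None:
        return "detour to %08X" % target
    return "bytes changed in place"


if __name__ == "__main__":
    hook, cave = build_detour()
    print("hook site:", hook.hex(" "))   # e9 79 ce ff ff 90
    print("cave     :", cave.hex(" "))
    print(check_site(HOOK_ADDR, hook, ORIGINAL))
```

The cave bytes come out as mov eax,63 / add [01005194],eax / jmp back, and the hook site as the 5-byte jmp plus the nop the thread's step 5 insists on, which is why the patch has to be exactly as long as the instruction it displaces.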
BRONiUS Expert Cheater Reputation: 0
Joined: 26 Jun 2006 Posts: 154 Location: Vilnius, Lithuania
Posted: Mon Jul 02, 2007 12:48 am Post subject:
And no one has replied... Nice.
_________________
Rhapsody in Blue is Epic.
samuri25404 Grandmaster Cheater Reputation: 7
Joined: 04 May 2007 Posts: 955 Location: Why do you care?
Posted: Mon Jul 02, 2007 7:07 pm Post subject:
Awesome job, I wish you would have put this out when I was learning how to write scripts.
+Rep for you.
raban Newbie cheater Reputation: 0
Joined: 25 Jun 2007 Posts: 12
Posted: Tue Jul 10, 2007 2:12 pm Post subject:
I tried to make one and it said: "Not all the instructions could be injected"
How to get rid of that or we can't do none? (I tried to inject my code into a game)
Labyrnth Moderator Reputation: 9
Joined: 28 Nov 2006 Posts: 6285
Posted: Tue Jul 10, 2007 5:39 pm Post subject:
raban wrote:
I tried to make one and it said: "Not all the instructions could be injected"
How to get rid of that or we can't do none? (I tried to inject my code into a game)
You don't hit the button to inject it...
You click "File" and then select "Assign to current cheat table" after you write it.
spedchyyz Master Cheater Reputation: 0
Joined: 16 Jun 2007 Posts: 268 Location: what ?
Posted: Wed Jul 11, 2007 1:29 am Post subject: tyvm
tyvm very helpful +Rep
aww srry... i have to wait 963387850 seconds to give a + rep but when i can...
FreeFry Cheater Reputation: 0
Joined: 12 Jan 2005 Posts: 44
Posted: Mon Jul 16, 2007 4:44 pm Post subject: Re: .:[Beginner]:. Insight on CE Scripts
Labyrnth wrote:
Code:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
0100346E:
jmp newmem
nop
returnhere:
newmem:
mov eax,63
originalcode:
add [01005194],eax
exit:
jmp returnhere
Next is a script you can use for trainers or a CT. It can be toggled just the same as the first script. But the difference is, this one has a manually found codecave and we are not using alloc/allocated memory for it. This script will work in trainers generated by CE.
So will the ones above that example, as automatic allocation of memory is supported also by the trainers created by CE.
Just wanted to clarify that.
Otherwise, superb tutorial!
spedchyyz wrote:
tyvm very helpful +Rep
aww srry... i have to wait 963387850 seconds to give a + rep but when i can...
omfg, in 30 years?
Shikakapoop Expert Cheater Reputation: 2
Joined: 29 Nov 2006 Posts: 128
Posted: Mon Jul 16, 2007 7:00 pm Post subject:
Awesome tutorial.
EDIT: WOW, this helped a shitload after playing around with db and codecaves!! <333333333 +REP.... in 11 hours anyway.
slsl0 Newbie cheater Reputation: 0
Joined: 12 Jul 2007 Posts: 18
Posted: Tue Jul 17, 2007 9:08 pm Post subject:
Thanks, I'm pretty good at finding and changing addresses but never really got into the scripts in CE
Labyrnth Moderator Reputation: 9
Joined: 28 Nov 2006 Posts: 6285
Posted: Thu Jul 19, 2007 12:56 pm Post subject:
FreeFry wrote:
as automatic allocation of memory is supported also by the trainers created by CE.
Just wanted to clarify that.
Otherwise, superb tutorial!
Clarify, when you know what you speak of.
NO. CE 5.3 does not let you use ALLOC in trainers.
You have to find your own cave.
Last edited by Labyrnth on Fri Nov 02, 2007 1:40 am; edited 1 time in total
bach12345 Cheater Reputation: 0
Joined: 25 Aug 2007 Posts: 33 Location: right behind you!
Posted: Sun Nov 04, 2007 9:43 pm Post subject:
is the address different for each person?
_________________
advanced cheater(i really am......really.)
NINTENDO Grandmaster Cheater Supreme Reputation: 0
Joined: 02 Nov 2007 Posts: 1371
Posted: Mon Nov 05, 2007 6:51 am Post subject: YEAH! go for it man :)
Man this is awesome?
I didn't even know u could code usin' CE
Gonna Try this one at my place usin' my comp. I better not do this usin' a school comp
But where is the limits? I mean can i code a trainer using this?
Norice4u Expert Cheater Reputation: 0
Joined: 03 May 2007 Posts: 172
Posted: Mon Nov 05, 2007 6:54 am Post subject:
thanks this is very helpful now i can try to write some
52mxd2006 How do I cheat? Reputation: 0
Joined: 02 Nov 2007 Posts: 2
Posted: Wed Nov 07, 2007 1:54 am Post subject:
good job, really helpful for me, thanks a lot.
Mechaaa Cheater Reputation: 0
Joined: 24 Oct 2007 Posts: 37
Posted: Mon Dec 03, 2007 11:33 am Post subject:
+Rep (Y)
Great Tut