Cheat Engine

[sylvanus]

[enable]
alloc(FindCharacterAddress, 1024) -|
alloc(ListOffset, 4) |
alloc(ESIList, 1024) |
alloc(DupeXVac, 1024) |----> 1) are CODECAVES in c++?
alloc(EDIValue, 4) |
alloc(dupex,64) |but, edivalue , ListOffset = 4 bytes = DWORD variable?
alloc(address,4) -|
registersymbol(address)
registersymbol(FindCharacterAddress) ---> 2) are variables DWORD = address memory??
registersymbol(ListOffset)
label(disablez) ---|
label(on) |
label(vac) |
label(EndSearch) |----> labels in c++ sure?
label(CompareOffset) |
label(StoreESI) |
label(DoNormal) ---| OR UNIQUE CODE CAVE IS "all script complete" ??

FindCharacterAddress: //codecave
mov [esi+114],edi

push eax
push ebx
push ecx
push edx

mov eax,0
mov ebx,ListOffset
mov ecx,ESIList
mov edx,EDIValue

CompareOffset: ------------> (label)
cmp eax,[ebx]
je StoreESI
cmp esi,[ecx+eax*4]
je EndSearch
inc eax
jmp CompareOffset

StoreESI: (label)
mov [ecx+eax*4],esi
inc eax
mov [ebx],eax
mov [edx],edi

EndSearch: -----------------> (label)
pop edx
pop ecx
pop ebx
pop eax
jmp 00741E72


DupeXVac: // CODECAVE
push eax
push ebx
push ecx

mov ebx,[ListOffset]
dec ebx
mov ecx,ESIList
mov eax,[ecx+ebx*4]

cmp esi,eax
je DoNormal
mov edi,[EDIValue]

DoNormal: -----------------> (label)
mov [esi+114],edi
pop eax
pop ebx
pop ecx
jmp 00741E72 //DupeX Addy +6

address:
db 00 00 00 00

00741E6C://Dupex Addy : 89 BE 14 01 00 00 EB ?? 83 7D ?? ?? 74 ?? 8B
jmp dupex --------------> OR START HERE SURE??
nop

dupex:
cmp [address],0
je disablez
cmp [address],1
je on
cmp [address],2
je vac

disablez: -----------------> (label)
mov [esi+00000114],edi
jmp 00741E72 //1 addy under dupex

on: (label)
jmp FindCharacterAddress

vac: ----------------------> (label)
jmp DupeXVac


[disable]
00741E6C:
mov [esi+00000114],edi
dealloc(FindCharacterAddress, 1024)
dealloc(ListOffset)
dealloc(ESIList)
dealloc(DupeXVac)
dealloc(EDIValue)

unregistersymbol(FindCharacterAddress)
unregistersymbol(ListOffset)

Example : is this correct?


DWORD ReturnMe = 0; // ADDRESS OF RETURN

//this are registersymbol ?

DWORD EdiValue = 0
DWORD ListOffset = 0

#define JMP(frm, to) (int)(((int)to - (int)frm) - 5);

static const FARPROC Vprotect = (FARPROC)((DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "VirtualProtectEx")+5);
_declspec(naked) BOOL WINAPI FixMem(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect)
{
_asm
{
mov edi,edi
push ebp
mov ebp,esp
jmp Vprotect
}
}

__declspec(naked) void FindCharacterAddress()
{
__asm
{
pop [ReturnMe]
FindCharacterAddress:
mov [esi+114],edi

push eax
push ebx
push ecx
push edx

mov eax,0
mov ebx,ListOffset
mov ecx,ESIList
mov edx,EDIValue

CompareOffset:
cmp eax,[ebx]
je StoreESI
cmp esi,[ecx+eax*4]
je EndSearch
inc eax
jmp CompareOffset

StoreESI: (label)
mov [ecx+eax*4],esi
inc eax
mov [ebx],eax
mov [edx],edi

EndSearch:
pop edx
pop ecx
pop ebx
pop eax
jmp 00741E72
}
}

__declspec(naked) void DupeXVac()
{
__asm
{
DupeXVac:
push eax
push ebx
push ecx

mov ebx,[ListOffset]
dec ebx
mov ecx,ESIList
mov eax,[ecx+ebx*4]

cmp esi,eax
je DoNormal
mov edi,[EDIValue] // edivalue = dword variable?, or other codecave?

DoNormal:
mov [esi+114],edi
pop eax
pop ebx
pop ecx
jmp 00741E72 //DupeX Addy +6

}
}

__declspec(naked) void address()
{
__asm
{
address:
db 00 00 00 00
}
}


// this is call dupex in c++
//00741E6C://Dupex Addy : 89 BE 14 01 00 00 EB ?? 83 7D ?? ?? 74 ?? 8B
//jmp dupex
//nop



__declspec(naked) void dupex()
{
__asm
{

dupex:
cmp [address],0
je disablez
cmp [address],1
je on
cmp [address],2
je vac

disablez:
mov [esi+00000114],edi
jmp 00741E72 //1 addy under dupex

on: (label)
jmp FindCharacterAddress

vac: (label)
jmp DupeXVac

}
}
//call dupex ?
FixMem(GetCurrentProcess(), (void*)DUPEXADDY, 5, PAGE_EXECUTE_READWRITE, (DWORD*)oldprot);
*(BYTE*)DUPEXADDY = 0xE8; // call
*(DWORD*)(DUPEXADDY + 1) = JMP(DUPEXADDY, dupex); // address of my dupexvac

[GMZorita]

Just the codecave didn't tryed but it is supose to work if what you posted is right.

[sylvanus]

thanks zorita, but don't work

original code autoassembler is

[Stylo]

i'm not that pro with inline asm but for the codecave dont u need to allocate memory with VirtualAllocEx ? (just wondering) o_o

[dnsi0]

Lol you cant use asm to do that u need to use rpm or the (*Byte)* thingy where u write to bytes.

So... You need to:
Convert eh entire script into bytes
(How I do it is put the crap into ce and copy the bytes from there)

Step 2 move all the bytes into memory
In delphi u use:
$pbytearray1=pointer($startaddr);
$pbytearray1[0]=:$firstbyye;
... etc

C++ idk cause I suck horribly at C++.

Step 3 create a jump into your cc by using a long jump calculation.

[GMZorita]