Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71, Joined: 24 Jan 2007, Posts: 1857
Posted: Mon May 05, 2008 3:31 pm
Post subject: AutoAssemble and Pointers?
So with AA and a static address you can do this to change the bytes at that address:
Code:
[enable]
12345:
db 00
[disable]
12345:
db 90
Or whatever. I was wondering whether it's possible to do the same with a pointer. I know I can make it codecave my own procedure to change the value of a pointer.
e.g. Base address = 8f1234, offset = 8c, codecave at 8ec1234, constantly executed address at 123456:
Code:
[enable]
123456:
jmp 8ec1234
8ec1234:
push eax
push ebx
mov eax,8f1234
mov ebx,[eax]
mov dword ptr [ebx+8c],9999 //operand size must be explicit when storing an immediate
pop ebx
pop eax
jmp 123456+5 //return past the 5-byte jmp; the instruction(s) it overwrote must be re-executed before this
[disable]
123456:
original_memory
I know that's pretty simple already (I've probably done it wrong) but was wondering whether there's a simpler method where I can write directly without codecaving anything. Reason I don't want to codecave is that I'm unable to find an address that's constantly accessed in this game I'm trying to hack. If AA has no simple solution, I can code something for it but just wanted to check for future reference anyway.

Dark Byte (Site Admin)
Reputation: 472, Joined: 09 May 2003, Posts: 25870, Location: The Netherlands
Posted: Mon May 05, 2008 6:36 pm
Code:
[8f1234]+8c:
dd 9999
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping

Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71, Joined: 24 Jan 2007, Posts: 1857
Posted: Tue May 06, 2008 9:32 am
Very cool, thank you!
//edit: Is it possible to freeze an address with AA also?
//edit: I just tried it but I get an error saying it's not a valid address specifier. Never mind, it must be because the function was only added in CE 5.4 and the UCE I'm using is based off of CE 5.3 source.
Still, is it possible to freeze an address with AA?

Psy (Grandmaster Cheater Supreme)
Reputation: 1, Joined: 27 Mar 2008, Posts: 1366
Posted: Tue May 06, 2008 12:25 pm
Personally, I would do a code injection on an opcode that always accesses that address frequently, and get it to pump in the value you want all the time. You'll know what I mean. Other methods such as the syntax above... unsure. DB?

Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71, Joined: 24 Jan 2007, Posts: 1857
Posted: Tue May 06, 2008 1:03 pm
I want to avoid code injection for 2 reasons:
1) It is possible in the near future a GGCRC or game CRC will be implemented for the game I'm talking about.
2) The game catches any debugger attaching and crashes itself. Therefore I am unable to find any address that's constantly accessed.
This is really more out of my own curiosity than to do anything useful. I can easily code a tool to do exactly what I am describing here (and have done), but I like to use AA since it's a convenient and fast option, and if I know more about it, more options are open for the future.

Symbol (I'm a spammer)
Reputation: 0, Joined: 18 Apr 2007, Posts: 5094, Location: Israel
Posted: Tue May 06, 2008 1:06 pm
Slugsnack wrote:
    Very cool, thank you!
    //edit: Is it possible to freeze an address with AA also?
    //edit: I just tried it but I get an error saying it's not a valid address specifier. Never mind, it must be because the function was only added in CE 5.4 and the UCE I'm using is based off of CE 5.3 source.
    Still, is it possible to freeze an address with AA?
Find out what writes to that address and replace it with a nop; then you will get the same effect as freezing (even better).
About the pointer, don't do it this way: the pointer might change during runtime, and Cheat Engine only writes the bytes when you enable/disable the script.
Find out what writes to this pointer (for example, mov [50+3],eax), make a code cave, then call memcpy. Here's an example:
Let's say 123456 writes to 50+3.
Code:
Alloc(Bytes, 128)
Alloc(CodeCave, 128)
123456:
call CodeCave
//nop if needed
Bytes:
db 90 90 90 90 90 90 //6 NOPs, just an example
CodeCave:
push 6 //Size
push Bytes //Source
mov eax,50
lea eax,[eax+3]
push eax //Destination
call memcpy
add esp,c //memcpy is cdecl: the caller removes the three pushed arguments
ret
Edit: just saw your other post.
What about the message loop?
I'm sure APIs like PeekMessage/GetMessage, TranslateMessage, DispatchMessage, Sleep... are constantly accessed.
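An added Python model of the two points above (it is not Cheat Engine's code and was not posted by anyone in this thread): a resolver for CE-style address specifiers run against a constructed FakeProcess, generalised beyond Dark Byte's `[8f1234]+8c` to nested dereferences, negative offsets and module+offset, followed by the difference between a one-time [enable] write and a loop that re-resolves the pointer on every tick. The module table, all addresses and the value 9999 are constructed for the example.

```python
import re
# Constructed stand-in for a target process: a module table and a sparse,
# dword-addressable memory. Example code only, not Cheat Engine's own code.
class FakeProcess:
    def __init__(self, modules, memory):
        self.modules = modules      # e.g. {"game.exe": 0x400000}
        self.mem = dict(memory)     # {address: dword value}

    def read(self, addr):
        return self.mem.get(addr, 0)

    def write(self, addr, value):
        self.mem[addr] = value & 0xFFFFFFFF

def resolve(proc, spec):
    """Resolve a CE-style address specifier to a numeric address.
    Handles plain hex (12345), module+offset (game.exe+027f), one or more
    pointer dereferences ([8f1234]+8c, [[8f1234]+8c]+10) and negative offsets."""
    spec = spec.strip()
    m = re.fullmatch(r"(.+?)([+-][0-9A-Fa-f]+)", spec)
    base_spec, offset = (m.group(1), int(m.group(2), 16)) if m else (spec, 0)
    if base_spec.startswith("[") and base_spec.endswith("]"):
        base = proc.read(resolve(proc, base_spec[1:-1]))   # follow the pointer
    elif base_spec in proc.modules:
        base = proc.modules[base_spec]                     # module base + offset
    else:
        base = int(base_spec, 16)                          # hex literal
    return base + offset

def enable_once(proc, spec, value):
    """What an [enable] section does: resolve at script-enable time, write once."""
    proc.write(resolve(proc, spec), value)

def freezer(proc, spec, value, ticks):
    """A freezer loop in miniature; it re-resolves the specifier on every tick."""
    for _ in range(ticks):
        proc.write(resolve(proc, spec), value)

def demo():
    # Constructed layout: 8f1234 holds a pointer to an object whose +8c field is 5.
    proc = FakeProcess({"game.exe": 0x400000}, {0x8F1234: 0xA00000, 0xA0008C: 5})
    enable_once(proc, "[8f1234]+8c", 9999)
    landed = proc.read(0xA0008C)            # the one-time write reached the object
    proc.write(0x8F1234, 0xB00000)          # the game reallocates the object ...
    proc.write(0xB0008C, 5)                 # ... and the new copy has its own value
    stale = proc.read(0xB0008C)             # the [enable] write did not follow it
    freezer(proc, "[8f1234]+8c", 9999, ticks=3)
    frozen = proc.read(0xB0008C)            # re-resolving on each tick does
    return landed, stale, frozen
```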

Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71, Joined: 24 Jan 2007, Posts: 1857
Posted: Tue May 06, 2008 1:44 pm
That's actually a very good idea! I could redirect at the jump thunk table, so redirect every single API call to my procedure haha, otherwise search for the import address table when the game unpacks itself in memory. Then after I'm done, pass control back to the JMP thunk table or whatever.
However, I am still interested to know whether AA scripts can freeze (dynamic address or not) without codecaving :p Maybe not for any particular purpose, but I'm just curious since I'll probably find a use for it in the future where it will save me a lot of time.

Labyrnth (Moderator)
Reputation: 10, Joined: 28 Nov 2006, Posts: 6301
Posted: Wed May 07, 2008 7:41 pm
You can freeze a dynamic address, Slug, but on the next restart the address will have changed, so really you need to find a pointer or use an injection.
Or symbol/module name + offset, kinda like what DarkByte showed on using a pointer in an AA script, but more like the example below. Basically it uses the base address of the module + offset to calculate the address.
Code:
game.exe+027f:
db 90 90 90
-------------------------------
mov [game.exe+027F],eax

Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71, Joined: 24 Jan 2007, Posts: 1857
Posted: Thu May 08, 2008 9:27 am
Code:
game.exe+027f:
db 90 90 90
That just writes to it once if I'm correct? I actually already found the pointer btw.
How would I go about finding the module name? I think the base address is a pointer to something called a gamebase. The gamebase sounded an awful lot like the first object on a heap, which is one of the reasons I was thinking of hooking HeapAlloc to find gamebase dynamically.
Last edited by Slugsnack on Thu May 08, 2008 9:30 am; edited 1 time in total

Psy (Grandmaster Cheater Supreme)
Reputation: 1, Joined: 27 Mar 2008, Posts: 1366
Posted: Thu May 08, 2008 9:29 am
Yeah, it will write once when you inject it.
Then the code will have been NOPed in memory permanently, till you undo it.
Is that what you meant?

Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71, Joined: 24 Jan 2007, Posts: 1857
Posted: Thu May 08, 2008 9:33 am
Well, I'm freezing a memory value rather than the bytes at a virtual address, so the value will constantly be changing. For example, if a game has a bullet count and the instruction:
Code:
mov ax,word ptr ds:[31f832]
dec ax
mov word ptr ds:[31f832],ax
What you guys are telling me to do would work fine if, say, I wanted to NOP out the instruction "dec ax", but what I want to do is in fact freeze the value at 31f832, because changing the instruction is not an option.

Labyrnth (Moderator)
Reputation: 10, Joined: 28 Nov 2006, Posts: 6301
Posted: Thu May 08, 2008 5:44 pm
I know it was a NOP, Slug; I was just showing you how to use a module name as an address.
Once you find what writes to, reads or accesses the address you scanned,
you can view it in memory and go to the same address in the lower memory window.
You will see the module name and base address across the top of the lower memory view in CE.

Psy (Grandmaster Cheater Supreme)
Reputation: 1, Joined: 27 Mar 2008, Posts: 1366
Posted: Fri May 09, 2008 8:21 am
Slugsnack wrote:
    Well, I'm freezing a memory value rather than the bytes at a virtual address, so the value will constantly be changing. For example, if a game has a bullet count and the instruction:
    Code:
    mov ax,word ptr ds:[31f832]
    dec ax
    mov word ptr ds:[31f832],ax
    What you guys are telling me to do would work fine if, say, I wanted to NOP out the instruction "dec ax", but what I want to do is in fact freeze the value at 31f832, because changing the instruction is not an option.
Darkbyte posted somewhere around here about how his 'freeze' works
when you click to freeze an address that's in a cheat table.
If I can find the method I'll post it...

Labyrnth (Moderator)
Reputation: 10, Joined: 28 Nov 2006, Posts: 6301
Posted: Fri May 09, 2008 8:26 am
Yeah, I remember seeing that somewhere... It may be buried deep now.

Dark Byte (Site Admin)
Reputation: 472, Joined: 09 May 2003, Posts: 25870, Location: The Netherlands
Posted: Fri May 09, 2008 8:30 am
Freezing works by constantly writing the old value to the selected address.
An auto assembler equivalent that doesn't edit the code would be:
Code:
createthread(myfreezer)
alloc(myfreezer,100)
myfreezer:
mov word ptr [31f832], #100
push #100
call Sleep
jmp myfreezer //or a cmp to see if it's still needed and if not then a ret
Last edited by Dark Byte on Fri May 09, 2008 1:07 pm; edited 1 time in total