Cheat Engine The Official Site of Cheat Engine
mrjunior Newbie cheater Reputation: 1
Joined: 07 Jul 2018 Posts: 12
Posted: Tue Nov 14, 2023 5:29 pm Post subject: AOB Injection crash
I've got a game that has a minigame in it, which I AOB-injected at the point where it reads the health of the player and NPCs, so I could tinker with the player's and enemies' structures. Luckily the code injection was within the main .exe, and it works all fine while inside the minigame, but having the injection active while outside the minigame causes the whole game to crash pretty quickly, spitting out some memory access errors. I did put a breakpoint at the injection point and found out it never runs outside the minigame. I could enable the AOB script only for the minigame and turn it off as it ends, but it's annoying and I can't wrap my head around what could be causing this.
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4300
Posted: Tue Nov 14, 2023 9:01 pm Post subject:
Something's wrong with your script. Hard to say what if you don't provide it.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Wed Nov 15, 2023 5:21 am Post subject: Re: AOB Injection crash
mrjunior wrote: "I could enable AOB script only for minigame and turn it off as it ends but it's annoying"
-Assuming that nothing is wrong with your script, then you may have no choice. That being said, you could try to find some flag within the game that gets triggered only when the mini-game is active, then use that trigger to automatically enable/disable your script. It may not solve your problem, however, unless the trigger occurs early enough to avoid issues.
mrjunior Newbie cheater Reputation: 1
Joined: 07 Jul 2018 Posts: 12
Posted: Wed Nov 15, 2023 6:12 am Post subject:
ParkourPenguin wrote: "Something's wrong with your script. Hard to say what if you don't provide it."
Here's the script:
Code:
[ENABLE]
aobscanmodule(hyper,game.exe,FF510C8B45FC83B8B0)
alloc(newmem,1000,hyper)
alloc(hyperSettings,4,hyper)
hyperSettings:
db 01 01 01 00 // three 1-byte toggles, tested at +00, +01 and +02 below
alloc(temp,4,hyper)
label(code,return,handlePlayer,godmodeCheckEnd,end)
newmem:
code:
call dword ptr [ecx+0C] // original
mov eax,[ebp-04] // original
mov [temp],ebx // save ebx in the allocated scratch dword
cmp [eax+4],0
je handlePlayer // [eax+4] == 0: treat the structure as the player
cmp byte ptr[hyperSettings+02],0 // toggle 2: non-player branch
je end
mov [eax+110],0
mov [eax+140],0
mov [eax+170],0
mov [eax+1A0],0
mov [eax+1D0],0
mov [eax+21C],#240
jmp end
handlePlayer:
cmp byte ptr[hyperSettings],0 // toggle 0
je godmodeCheckEnd
mov ebx,[eax+B4]
mov [eax+B0],ebx
jmp godmodeCheckEnd
godmodeCheckEnd:
cmp byte ptr[hyperSettings+01],0 // toggle 1
je end
mov ebx,[eax+110+4]
mov [eax+110],ebx
mov [eax+110+10],0
mov ebx,[eax+140+4]
mov [eax+140],ebx
mov [eax+140+10],0
mov ebx,[eax+170+4]
mov [eax+170],ebx
mov [eax+170+10],0
mov ebx,[eax+1A0+4]
mov [eax+1A0],ebx
mov [eax+1A0+10],0
mov ebx,[eax+1D0+4]
mov [eax+1D0],ebx
mov [eax+1D0+10],0
jmp end
end:
mov ebx,[temp] // restore ebx
mov [temp],0
jmp return
hyper:
jmp newmem
nop
return:
registersymbol(hyper,hyperSettings)
[DISABLE]
hyper:
db FF 51 0C 8B 45 FC
unregistersymbol(hyper,hyperSettings)
dealloc(newmem,hyperSettings,temp)
++METHOS wrote: "Assuming that nothing is wrong with your script, then you may have no choice. That being said, you could try to find some flag within the game that gets triggered only when the mini-game is active, then use that trigger to automatically enable/disable your script. It may not solve your problem, however, unless the trigger occurs early enough to avoid issues."
I'd like to at least know why it happens, as it shouldn't interfere with the main game at all, and the game doesn't seem to have any protection either, unless I'm wrong.
UPDATE:
I tried simplifying the script: removed every allocation except the one for the code (made all conditional code run by default), put the $1000 back on the code alloc just in case, removed allocateNearby (yes, I did restart the game so it allocates memory elsewhere). The crash happens in ntdll, and to be fair the code there is really weird:
Code:
ntdll.RtlSizeHeap+8B - 66 85 D2 - test dx,dx
ntdll.RtlSizeHeap+8E - 74 7B - je ntdll.RtlSizeHeap+10B
ntdll.RtlSizeHeap+90 - 33 C0 - xor eax,eax
ntdll.RtlSizeHeap+92 - 66 8B 40 14 - mov ax,[eax+14] -- crash is here
ntdll.RtlSizeHeap+96 - 8A 51 07 - mov dl,[ecx+07]
Knowing what xor eax,eax does, the crash is quite reasonable, but still, this never happens when the script isn't running. And this is already the second script I've made that causes the crash, as I tried to inject at a different point in the game this time (thinking the first time was a bad place). Just in case you doubt it: the script does enable/disable properly, opcodes don't get messed up and such, so I'm quite confused, as I don't see anything wrong with the script itself. Should I just avoid any injections for this game?
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4300
Posted: Wed Nov 15, 2023 12:01 pm Post subject:
TLDR: It's probably one of the `mov` instructions causing a crash indirectly. You're modifying something you shouldn't be.
Other stuff, mostly minor notes:
Don't remove the comment at the end of the AOB injection template. It shows the original code at and around the injection point, which is very important for everyone else and your future self should the script ever stop working.
Keep spaces between bytes in the AoB pattern.
There's no reason to use the third parameter to alloc in a 32-bit process as all addresses are within a signed 32-bit displacement of each other.
`alloc` takes a decimal integer number of bytes to allocate. It needs to allocate at least 4096 bytes (1 page of memory), so there's no reason to do anything less than that. Allocate 2048 bytes for newmem (more than enough for most code injections) and whatever other values you need (they should be aligned).
If anything jumps to the instruction `mov eax,[ebp-04]` in the original code when the script is active, it will execute garbage and probably crash the game. But it's very unlikely such garbage would lead to ntdll.
`mov [temp],ebx` / `mov ebx,[temp]` - that's what `push` / `pop` are for. `mov [temp],0` does nothing too.
Any of those mov instructions could crash the game, either immediately when they're executed or when they cause undefined behaviour to occur in the future (e.g. double free, null pointers, etc.)
`eax+110+4` - why not `eax+114`?
superfluous `jmp`
_________________
I don't know where I'm going, but I'll figure it out when I get there.
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Wed Nov 15, 2023 12:07 pm Post subject:
mrjunior wrote: "I'd like to at least know why it happens, as it shouldn't interfere with the main game at all, and the game doesn't seem to have any protection either, unless I'm wrong.../...script does enable/disable properly, opcodes don't get messed up and such, so I'm quite confused as I don't see anything wrong with the script itself, should I just avoid any injections for this game?"
-Try injecting a CE-generated script without any alterations, and just let the code execute as-is. Do this and see if it crashes during the transitional phases.
mrjunior Newbie cheater Reputation: 1
Joined: 07 Jul 2018 Posts: 12
Posted: Wed Nov 15, 2023 12:56 pm Post subject:
ParkourPenguin, thanks for the notes, I'll keep those in mind.
ParkourPenguin wrote: "If anything jumps to the instruction `mov eax,[ebp-04]` in the original code when the script is active, it will execute garbage and probably crash the game. But it's very unlikely such garbage would lead to ntdll."
I did put a breakpoint on the jmp injected by CE; it never triggered even though the game did crash, so I don't think that's the issue. I'm pretty sure that none of the offsets are wrong there, as I know the structure well enough. 110+4 because it's easier to ctrl+c ctrl+v and change 110 to 140, as I do the same thing to 5 offsets.
++METHOS wrote: "-Try injecting a CE-generated script without any alterations, and just let the code execute as-is. Do this and see if it crashes during the transitional phases."
I first misunderstood and removed the injection itself (commented out the hyper: stuff to check if the memory itself is the issue; it didn't crash). Then I removed all my code and injected just the original 2 operations and the jump back: it did crash. Then I read what you said again, generated a new AOB script at the same spot and executed it as-is: it did crash. So here's the automatically generated script that still crashes the game anyway, in case the original code section gives any more context:
Code:
{ Game : game.exe
Version:
Date : 2023-11-15
Author : user
This script does blah blah blah
}
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscanmodule(INJECT,game.exe,FF 51 0C 8B 45 FC 83 B8 B0) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
call dword ptr [ecx+0C]
mov eax,[ebp-04]
jmp return
INJECT:
jmp newmem
nop
return:
registersymbol(INJECT)
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT:
db FF 51 0C 8B 45 FC
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: game.exe+FAA27
game.exe+FAA07: DD 45 D0 - fld qword ptr [ebp-30]
game.exe+FAA0A: 83 C4 FC - add esp,-04
game.exe+FAA0D: D9 1C 24 - fstp dword ptr [esp]
game.exe+FAA10: 9B - wait
game.exe+FAA11: 8D 45 98 - lea eax,[ebp-68]
game.exe+FAA14: E8 3B B2 F5 FF - call game.exe+55C54
game.exe+FAA19: 8D 55 98 - lea edx,[ebp-68]
game.exe+FAA1C: 8B 45 FC - mov eax,[ebp-04]
game.exe+FAA1F: 8B 80 D0 00 00 00 - mov eax,[eax+000000D0]
game.exe+FAA25: 8B 08 - mov ecx,[eax]
// ---------- INJECTING HERE ----------
game.exe+FAA27: FF 51 0C - call dword ptr [ecx+0C]
// ---------- DONE INJECTING ----------
game.exe+FAA2A: 8B 45 FC - mov eax,[ebp-04]
game.exe+FAA2D: 83 B8 B0 00 00 00 00 - cmp dword ptr [eax+000000B0],00
game.exe+FAA34: 0F 8E BE 01 00 00 - jng game.exe+FABF8
game.exe+FAA3A: 8B 45 FC - mov eax,[ebp-04]
game.exe+FAA3D: 83 B8 2C 02 00 00 00 - cmp dword ptr [eax+0000022C],00
game.exe+FAA44: 7E 2F - jle game.exe+FAA75
game.exe+FAA46: 8B 45 FC - mov eax,[ebp-04]
game.exe+FAA49: 83 B8 30 02 00 00 00 - cmp dword ptr [eax+00000230],00
game.exe+FAA50: 7F 23 - jg game.exe+FAA75
game.exe+FAA52: 8B 45 FC - mov eax,[ebp-04]
}
Should I assume this is some kind of protection I've missed, or did I pick a bad injection spot?
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4300
Posted: Wed Nov 15, 2023 1:18 pm Post subject:
mrjunior wrote: "I did put a breakpoint on the injected by CE jmp, never triggered even though the game did crash, so I don't think that's the issue."
That's not what I'm talking about.
Injection point (script not active):
Code:
game.exe+FAA27: FF 51 0C - call dword ptr [ecx+0C]
game.exe+FAA2A: 8B 45 FC - mov eax,[ebp-04]
Injection point (script active):
Code:
game.exe+FAA27: E9 ?? ?? ?? ?? - jmp newmem
game.exe+FAA2C: 90 - nop
If something jumps to `game.exe+FAA2A` somewhere else while the script is active, it jumps to garbage. `game.exe+FAA2A` would be "?? ?? 90".
(a breakpoint at `game.exe+FAA27` won't trigger if something jumps to `game.exe+FAA2A`)
Maybe the call is dependent on the location it was called from, but that would be weird.
Try the instruction `game.exe+FAA2D - cmp dword ptr [eax+000000B0],00`. It takes up more than 5 bytes so there's no reason anything should jump into the middle of it, and it doesn't execute any other code that you don't know about like the `call` does.
If the simple generated AoB injection script still crashes the game at that injection point, the game is using some kind of protection.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
mrjunior Newbie cheater Reputation: 1
Joined: 07 Jul 2018 Posts: 12
Posted: Wed Nov 15, 2023 1:27 pm Post subject:
Can't quite try it right now, but I did inject right there earlier; iirc I encountered the same crash, and I thought that since it's a cmp it's not a very good spot to inject into, especially since I add a couple of conditions as well. I'm not quite proficient with assembly and figured that could be an easy way to shoot yourself in the foot later. You're saying I can inject into it, so I just put the original cmp right before the jmp return then?
Basically, I can try injecting anywhere in the .exe to test if there's some kind of protection, right? And if there is, what do I do? Is that something to discuss here?
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Wed Nov 15, 2023 1:37 pm Post subject:
mrjunior wrote: "Basically I can try injecting anywhere in the .exe to test if there's some kind of protection, right?"
-Not necessarily. Some targets may only protect certain areas in lieu of a blanket approach; it really depends.
You can try using the cloak feature to test. If you have stealthedit plugin, you could also try that, but the cloaking feature may be doing the same thing. DB would need to confirm.
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4300
Posted: Wed Nov 15, 2023 1:44 pm Post subject:
`cmp` just sets the EFLAGS register. Execute it immediately before you return and it's fine.
Code:
...
newmem:
// your code here
code:
// original code
cmp dword ptr [eax+000000B0],00
jmp return
...
Discussing that is technically against the rules:
https://forum.cheatengine.org/faq.php#1
You might have better luck elsewhere. If it's an offline single player game and this "protection" is something simple, you can request someone else try this on a third party site:
https://forum.cheatengine.org/thirdparty.php
Otherwise, there's probably some sites with relevant information, but you'll have to find those yourself.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
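The two points ParkourPenguin makes in his last two replies (a branch that lands on game.exe+FAA2A inside the patched bytes executes "?? ?? 90", and hooking the cmp is safe only because the original cmp can run directly before jmp return) can be checked mechanically before a script is enabled. The Python below is an added example written for this page, not code from the thread or from Cheat Engine. It parses the listing format that the generated script's ORIGINAL CODE comment uses, plans the 5-byte jmp (which instructions it overwrites and how many nops pad the last one), encodes the patch bytes, lists every direct branch in the listing that targets the middle of the patch, and reports whether the instruction right after the patch reads EFLAGS. It goes slightly beyond the thread in that it works for any injection point in the listing, not just the two discussed. Assumptions: the listing lines from +FAA1C to +FAA44 are copied from the thread, the jne at +FAB00 and the newmem address are constructed for the demonstration, the set of flag-reading mnemonics is a simplification, and only direct branches present in the listing are seen (an indirect call or jump table into +FAA2A would not be caught).

```python
"""Added example: pre-flight checks for a 5-byte jmp hook, driven by the
Cheat Engine listing format ("module+offset: bytes - instruction")."""
import re
import struct
from dataclasses import dataclass

# Constructed input. The game.exe+FAA1C..FAA44 lines are copied from the
# generated script's ORIGINAL CODE comment in the thread; the final jne is
# made up to show what a branch into the middle of the patch looks like
# (its rel32, 0xFFFFFF24, really does point from +FAB06 back to +FAA2A).
LISTING = """
game.exe+FAA1C: 8B 45 FC - mov eax,[ebp-04]
game.exe+FAA1F: 8B 80 D0 00 00 00 - mov eax,[eax+000000D0]
game.exe+FAA25: 8B 08 - mov ecx,[eax]
game.exe+FAA27: FF 51 0C - call dword ptr [ecx+0C]
game.exe+FAA2A: 8B 45 FC - mov eax,[ebp-04]
game.exe+FAA2D: 83 B8 B0 00 00 00 00 - cmp dword ptr [eax+000000B0],00
game.exe+FAA34: 0F 8E BE 01 00 00 - jng game.exe+FABF8
game.exe+FAA3A: 8B 45 FC - mov eax,[ebp-04]
game.exe+FAA3D: 83 B8 2C 02 00 00 00 - cmp dword ptr [eax+0000022C],00
game.exe+FAA44: 7E 2F - jle game.exe+FAA75
game.exe+FAB00: 0F 85 24 FF FF FF - jne game.exe+FAA2A
"""

LINE_RE = re.compile(r'^(?P<mod>\S+?)\+(?P<off>[0-9A-Fa-f]+):\s+'
                     r'(?P<hex>(?:[0-9A-Fa-f]{2}\s+)+)-\s+(?P<text>.+?)\s*$')
TARGET_RE = re.compile(r'\S+\+([0-9A-Fa-f]+)$')   # e.g. "jle game.exe+FAA75"
JMP_LEN = 5                                         # E9 rel32


@dataclass
class Insn:
    addr: int      # offset within the module
    raw: bytes
    text: str

    @property
    def size(self):
        return len(self.raw)

    @property
    def mnemonic(self):
        return self.text.split()[0].lower()


def parse_listing(listing):
    """Parse CE listing lines; anything that is not a listing line is skipped."""
    insns = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append(Insn(int(m['off'], 16),
                              bytes.fromhex(m['hex'].replace(' ', '')),
                              m['text']))
    return insns


def plan_hook(insns, hook):
    """Return (instructions the jmp overwrites, nops needed to pad the last one)."""
    idx = next((i for i, x in enumerate(insns) if x.addr == hook), None)
    if idx is None:
        raise ValueError(f'no instruction starts at +{hook:X}')
    covered, total = [], 0
    while total < JMP_LEN:
        if idx == len(insns):
            raise ValueError('listing ends before a 5-byte jmp fits')
        covered.append(insns[idx])
        total += insns[idx].size
        idx += 1
    return covered, total - JMP_LEN


def encode_jmp(hook, target, nops):
    """Bytes written at the injection point: E9 rel32 (relative to the jmp's end) + nops."""
    return b'\xe9' + struct.pack('<i', target - (hook + JMP_LEN)) + b'\x90' * nops


def direct_branches(insns):
    """(source, target) for every jmp/jcc/call with a static module+offset target."""
    out = []
    for x in insns:
        if x.mnemonic == 'call' or x.mnemonic.startswith('j'):
            m = TARGET_RE.search(x.text)
            if m:                       # `call dword ptr [ecx+0C]` has none
                out.append((x.addr, int(m.group(1), 16)))
    return out


def reads_flags(mnemonic):
    """Conservative set of EFLAGS consumers (assumption: enough for a listing like this)."""
    m = mnemonic.lower()
    return (m in {'adc', 'sbb', 'rcl', 'rcr'} or m.startswith(('set', 'cmov'))
            or (m.startswith('j') and m not in {'jmp', 'jcxz', 'jecxz', 'jrcxz'}))


def check_hook(insns, hook, newmem):
    covered, nops = plan_hook(insns, hook)
    end = hook + sum(x.size for x in covered)
    nxt = next((x for x in insns if x.addr == end), None)
    return {
        'original': [x.text for x in covered],   # goes after your code, before `jmp return`
        'patch': encode_jmp(hook, newmem, nops).hex(' '),
        'nops': nops,
        # a branch landing strictly inside [hook, end) executes the rel32 tail + nops
        'jumps_into_patch': [(s, t) for s, t in direct_branches(insns) if hook < t < end],
        # if True, the original cmp/test must be the last thing before `jmp return`
        'flags_live_after_patch': nxt is not None and reads_flags(nxt.mnemonic),
    }


if __name__ == '__main__':
    insns = parse_listing(LISTING)
    for hook in (0xFAA27, 0xFAA2D):           # the thread's two injection points
        print(f'+{hook:X}:', check_hook(insns, hook, newmem=0x10000000))  # newmem made up
```

For the +FAA27 hook the report lists the constructed jne landing on +FAA2A, which is exactly the "?? ?? 90" case, and flags_live_after_patch is False because the next instruction is a cmp. For the +FAA2D hook no branch lands inside the 7 patched bytes, but flags_live_after_patch is True because the jng at +FAA34 consumes the cmp's result, so the original cmp has to be emitted directly before jmp return. A real check needs the whole module's disassembly, not the ten lines around the hook; with only that window, a clean report says nothing about branches elsewhere in game.exe.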
mrjunior Newbie cheater Reputation: 1
Joined: 07 Jul 2018 Posts: 12
Posted: Wed Nov 15, 2023 4:21 pm Post subject:
Yep, injecting at the cmp: still a crash. Now it makes a bit more sense why, if a table related to this game has a script, it's just an AOB to data.
Still kinda funny that the protection doesn't ever trigger inside the minigame itself, so technically the script is perfectly fine at its job.
It's also crazy that a 20+ year old, fully single-player game with no online stuff at all has cheat protection.
Thank you both anyway.