Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
AOB Injection crash

mrjunior
Newbie cheater
Reputation: 1

Joined: 07 Jul 2018
Posts: 12

Posted: Tue Nov 14, 2023 5:29 pm    Post subject: AOB Injection crash

I've got a game that has a minigame in it, which I AOB injected at the point of reading the health of the player and NPCs, so I could tinker with the player's and enemies' structures. Luckily the code injection was within the main .exe, and it works all fine while inside the minigame, but having the injection active while outside the minigame causes the whole game to crash pretty quickly, spitting out some memory access errors. I did put a breakpoint at the injection point and found out it never runs outside the minigame. I could enable the AOB script only for the minigame and turn it off as it ends, but it's annoying and I can't wrap my head around what could be causing this.
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Tue Nov 14, 2023 9:01 pm

Something's wrong with your script. Hard to say what if you don't provide it.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Wed Nov 15, 2023 5:21 am    Post subject: Re: AOB Injection crash

mrjunior wrote:
I could enable AOB script only for minigame and turn it off as it ends but it's annoying
-Assuming that nothing is wrong with your script, then you may have no choice. That being said, you could try to find some flag within the game that gets triggered only when the mini-game is active, then use that trigger to automatically enable/disable your script. It may not solve your problem, however, unless the trigger occurs early enough to avoid issues.
mrjunior
Newbie cheater
Reputation: 1

Joined: 07 Jul 2018
Posts: 12

Posted: Wed Nov 15, 2023 6:12 am

ParkourPenguin wrote:
Something's wrong with your script. Hard to say what if you don't provide it.

Here's the script
Code:
[ENABLE]
aobscanmodule(hyper,game.exe,FF510C8B45FC83B8B0)
alloc(newmem,1000,hyper)
alloc(hyperSettings,4,hyper)
hyperSettings:
  db 01 01 01 00
alloc(temp,4,hyper)
label(code,return,handlePlayer,godmodeCheckEnd,end)

newmem:
  code:
    call dword ptr [ecx+0C]
    mov eax,[ebp-04] // original
    mov [temp],ebx
    cmp [eax+4],0
    je handlePlayer
    cmp byte ptr[hyperSettings+02],0
    je end
    mov [eax+110],0
    mov [eax+140],0
    mov [eax+170],0
    mov [eax+1A0],0
    mov [eax+1D0],0
    mov [eax+21C],#240
    jmp end

  handlePlayer:
    cmp byte ptr[hyperSettings],0
    je godmodeCheckEnd
    mov ebx,[eax+B4]
    mov [eax+B0],ebx
    jmp godmodeCheckEnd

  godmodeCheckEnd:
    cmp byte ptr[hyperSettings+01],0
    je end
    mov ebx,[eax+110+4]
    mov [eax+110],ebx
    mov [eax+110+10],0
    mov ebx,[eax+140+4]
    mov [eax+140],ebx
    mov [eax+140+10],0
    mov ebx,[eax+170+4]
    mov [eax+170],ebx
    mov [eax+170+10],0
    mov ebx,[eax+1A0+4]
    mov [eax+1A0],ebx
    mov [eax+1A0+10],0
    mov ebx,[eax+1D0+4]
    mov [eax+1D0],ebx
    mov [eax+1D0+10],0
    jmp end

  end:
    mov ebx,[temp]
    mov [temp],0
    jmp return

hyper:
  jmp newmem
  nop
  return:

registersymbol(hyper,hyperSettings)
[DISABLE]
hyper:
  db FF 51 0C 8B 45 FC
unregistersymbol(hyper,hyperSettings)
dealloc(newmem,hyperSettings,temp)


++METHOS wrote:
Assuming that nothing is wrong with your script, then you may have no choice. That being said, you could try to find some flag within the game that gets triggered only when the mini-game is active, then use that trigger to automatically enable/disable your script. It may not solve your problem, however, unless the trigger occurs early enough to avoid issues.

I'd like to at least know why it happens, as it shouldn't interfere with the main game at all, and the game doesn't seem to have any protection either, unless I'm wrong

UPDATE:
I tried simplifying the script: removed every allocation except for the code (made all conditional code run by default), put the $1000 back on the code alloc just in case, and removed allocateNearby (yes, I did restart the game so it allocates memory elsewhere). The crash happens in ntdll, and to be fair the code there is really weird:
Code:
ntdll.RtlSizeHeap+8B - 66 85 D2              - test dx,dx
ntdll.RtlSizeHeap+8E - 74 7B                 - je ntdll.RtlSizeHeap+10B
ntdll.RtlSizeHeap+90 - 33 C0                 - xor eax,eax
ntdll.RtlSizeHeap+92 - 66 8B 40 14           - mov ax,[eax+14] -- crash is here
ntdll.RtlSizeHeap+96 - 8A 51 07              - mov dl,[ecx+07]

Knowing what xor eax,eax does, the crash is quite reasonable, but still this never happens when the script isn't running. And this is already the second script I made that causes the crash, as I tried to inject at a different point in the game this time (thinking the first time was a bad place). Just in case you doubt it: the script does enable/disable properly, opcodes don't get messed up and such, so I'm quite confused as I don't see anything wrong with the script itself. Should I just avoid any injections for this game?
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Wed Nov 15, 2023 12:01 pm

TLDR: It's probably one of the `mov` instructions causing a crash indirectly. You're modifying something you shouldn't be.

Other stuff, mostly minor notes:

Don't remove the comment at the end of the AOB injection template. It shows the original code at and around the injection point- very important for everyone else and your future self should the script ever stop working.

Keep spaces between bytes in the AoB pattern.

There's no reason to use the third parameter to alloc in a 32-bit process as all addresses are within a signed 32-bit displacement of each other.

`alloc` takes a decimal integer number of bytes to allocate. It needs to allocate at least 4096 bytes (1 page of memory), so there's no reason to do anything less than that. Allocate 2048 bytes for newmem (more than enough for most code injections) and whatever other values you need (they should be aligned).

If anything jumps to the instruction `mov eax,[ebp-04]` in the original code when the script is active, it will execute garbage and probably crash the game. But it's very unlikely such garbage would lead to ntdll.

`mov [temp],ebx` / `mov ebx,[temp]` - that's what `push` / `pop` are for. `mov [temp],0` does nothing too.

Any of those mov instructions could crash the game- either immediately when they're executed or when they cause undefined behaviour to occur in the future (e.g. double free, null pointers, etc.)

`eax+110+4` - why not `eax+114`?

Code:
    jmp end

  end:
superfluous `jmp`
_________________
I don't know where I'm going, but I'll figure it out when I get there.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Wed Nov 15, 2023 12:07 pm

mrjunior wrote:
I'd like to at least know why it happens, as it shouldn't interfere with the main game at all, and the game doesn't seem to have any protection either, unless I'm wrong.../...script does enable/disable properly, opcodes don't get messed up and such, so I'm quite confused as I don't see anything wrong with the script itself, should I just avoid any injections for this game?
-Try injecting a CE-generated script without any alterations, and just let the code execute as-is. Do this and see if it crashes during the transitional phases.
mrjunior
Newbie cheater
Reputation: 1

Joined: 07 Jul 2018
Posts: 12

Posted: Wed Nov 15, 2023 12:56 pm

ParkourPenguin, thanks for the notes, I'll keep those in mind.

ParkourPenguin wrote:
If anything jumps to the instruction `mov eax,[ebp-04]` in the original code when the script is active, it will execute garbage and probably crash the game. But it's very unlikely such garbage would lead to ntdll.

I did put a breakpoint on the jmp injected by CE; it never triggered even though the game did crash, so I don't think that's the issue. I'm pretty sure that none of the offsets are wrong there, as I know the structure well enough. 110+4 because it's easier to ctrl+c ctrl+v and change 110 to 140, as I do the same thing to 5 offsets.

++METHOS wrote:
-Try injecting a CE-generated script without any alterations, and just let the code execute as-is. Do this and see if it crashes during the transitional phases.

I first misunderstood and removed the injection itself (commented out hyper: stuff to check if the memory itself is the issue - it didn't crash). Then removed all my code to inject original 2 operations and jump back - it did crash. Then I read what you said again, generated a new AOB at the same spot and executed it as is - it did crash. So here's the automatically generated script that still crashes the game anyway, if the original code section gives any more context:
Code:
{ Game   : game.exe
  Version:
  Date   : 2023-11-15
  Author : user

  This script does blah blah blah
}

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

 
 
aobscanmodule(INJECT,game.exe,FF 51 0C 8B 45 FC 83 B8 B0) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  call dword ptr [ecx+0C]
  mov eax,[ebp-04]
  jmp return

INJECT:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT:
  db FF 51 0C 8B 45 FC

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: game.exe+FAA27

game.exe+FAA07: DD 45 D0              - fld qword ptr [ebp-30]
game.exe+FAA0A: 83 C4 FC              - add esp,-04
game.exe+FAA0D: D9 1C 24              - fstp dword ptr [esp]
game.exe+FAA10: 9B                    - wait
game.exe+FAA11: 8D 45 98              - lea eax,[ebp-68]
game.exe+FAA14: E8 3B B2 F5 FF        - call game.exe+55C54
game.exe+FAA19: 8D 55 98              - lea edx,[ebp-68]
game.exe+FAA1C: 8B 45 FC              - mov eax,[ebp-04]
game.exe+FAA1F: 8B 80 D0 00 00 00     - mov eax,[eax+000000D0]
game.exe+FAA25: 8B 08                 - mov ecx,[eax]
// ---------- INJECTING HERE ----------
game.exe+FAA27: FF 51 0C              - call dword ptr [ecx+0C]
// ---------- DONE INJECTING  ----------
game.exe+FAA2A: 8B 45 FC              - mov eax,[ebp-04]
game.exe+FAA2D: 83 B8 B0 00 00 00 00  - cmp dword ptr [eax+000000B0],00
game.exe+FAA34: 0F 8E BE 01 00 00     - jng game.exe+FABF8
game.exe+FAA3A: 8B 45 FC              - mov eax,[ebp-04]
game.exe+FAA3D: 83 B8 2C 02 00 00 00  - cmp dword ptr [eax+0000022C],00
game.exe+FAA44: 7E 2F                 - jle game.exe+FAA75
game.exe+FAA46: 8B 45 FC              - mov eax,[ebp-04]
game.exe+FAA49: 83 B8 30 02 00 00 00  - cmp dword ptr [eax+00000230],00
game.exe+FAA50: 7F 23                 - jg game.exe+FAA75
game.exe+FAA52: 8B 45 FC              - mov eax,[ebp-04]
}

Should I assume this is some kind of protection I've missed, or did I pick a bad injection spot?
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Wed Nov 15, 2023 1:18 pm

mrjunior wrote:
I did put a breakpoint on the injected by CE jmp, never triggered even though the game did crash, so I don't think that's the issue.
That's not what I'm talking about.

Injection point (script not active):
Code:
game.exe+FAA27: FF 51 0C              - call dword ptr [ecx+0C]
game.exe+FAA2A: 8B 45 FC              - mov eax,[ebp-04]

Injection point (script active):
Code:
game.exe+FAA27: E9 ?? ?? ?? ??        - jmp newmem
game.exe+FAA2C: 90                    - nop

If something jumps to `game.exe+FAA2A` somewhere else while the script is active, it jumps to garbage. `game.exe+FAA2A` would be "?? ?? 90"
(a breakpoint at `game.exe+FAA27` won't trigger if something jumps to `game.exe+FAA2A`)

Maybe the call is dependent on the location it was called from, but that would be weird.

Try the instruction `game.exe+FAA2D - cmp dword ptr [eax+000000B0],00`. It takes up more than 5 bytes so there's no reason anything should jump into the middle of it, and it doesn't execute any other code that you don't know about like the `call` does.
If the simple generated AoB injection script still crashes the game at that injection point, the game is using some kind of protection.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
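The boundary problem ParkourPenguin describes above, as an added example (this is not code from the thread or from Cheat Engine): a small Python checker that takes the instruction listing quoted from the generated script, works out what a 5-byte jmp patch at a given address overwrites, flags former instruction boundaries that end up inside the patch, lists any jump targets from the listing that would land inside it, and shows what a branch arriving at game.exe+FAA2A would try to decode once the patch is in place. It also returns the bytes the [DISABLE] section has to write back. The newmem offset (0x200000, relative to game.exe) is a constructed value; everything else comes from the listing in the thread.

```python
"""Hook-site checker for the 5-byte jmp that an AOB injection writes.

Added example: not code from this thread or from Cheat Engine. The instruction
listing is transcribed from the CE-generated script quoted above; the newmem
offset used in __main__ is a constructed, game.exe-relative value.
"""
import re
from typing import Dict, List, Set, Tuple

JMP_REL32_LEN = 5  # E9 rel32
NOP = 0x90

# (game.exe-relative address, raw bytes, disassembly) transcribed from the thread's listing.
LISTING: List[Tuple[int, bytes, str]] = [
    (0xFAA07, bytes.fromhex("DD45D0"), "fld qword ptr [ebp-30]"),
    (0xFAA0A, bytes.fromhex("83C4FC"), "add esp,-04"),
    (0xFAA0D, bytes.fromhex("D91C24"), "fstp dword ptr [esp]"),
    (0xFAA10, bytes.fromhex("9B"), "wait"),
    (0xFAA11, bytes.fromhex("8D4598"), "lea eax,[ebp-68]"),
    (0xFAA14, bytes.fromhex("E83BB2F5FF"), "call game.exe+55C54"),
    (0xFAA19, bytes.fromhex("8D5598"), "lea edx,[ebp-68]"),
    (0xFAA1C, bytes.fromhex("8B45FC"), "mov eax,[ebp-04]"),
    (0xFAA1F, bytes.fromhex("8B80D0000000"), "mov eax,[eax+000000D0]"),
    (0xFAA25, bytes.fromhex("8B08"), "mov ecx,[eax]"),
    (0xFAA27, bytes.fromhex("FF510C"), "call dword ptr [ecx+0C]"),
    (0xFAA2A, bytes.fromhex("8B45FC"), "mov eax,[ebp-04]"),
    (0xFAA2D, bytes.fromhex("83B8B000000000"), "cmp dword ptr [eax+000000B0],00"),
    (0xFAA34, bytes.fromhex("0F8EBE010000"), "jng game.exe+FABF8"),
    (0xFAA3A, bytes.fromhex("8B45FC"), "mov eax,[ebp-04]"),
    (0xFAA3D, bytes.fromhex("83B82C02000000"), "cmp dword ptr [eax+0000022C],00"),
    (0xFAA44, bytes.fromhex("7E2F"), "jle game.exe+FAA75"),
    (0xFAA46, bytes.fromhex("8B45FC"), "mov eax,[ebp-04]"),
    (0xFAA49, bytes.fromhex("83B83002000000"), "cmp dword ptr [eax+00000230],00"),
    (0xFAA50, bytes.fromhex("7F23"), "jg game.exe+FAA75"),
    (0xFAA52, bytes.fromhex("8B45FC"), "mov eax,[ebp-04]"),
]

_BRANCH = re.compile(r"^j[a-z]+ game\.exe\+([0-9A-F]+)$")


def listing_is_contiguous(listing=LISTING) -> bool:
    """Sanity check on the transcription: each instruction ends where the next begins."""
    return all(a + len(raw) == listing[i + 1][0] for i, (a, raw, _) in enumerate(listing[:-1]))


def instruction_index(listing, addr: int) -> int:
    """Index of the instruction starting at addr; a patch must start on a boundary."""
    for i, (a, _, _) in enumerate(listing):
        if a == addr:
            return i
    raise ValueError(f"{addr:#x} is not an instruction boundary in the listing")


def patch_site(listing, addr: int, patch_len: int = JMP_REL32_LEN) -> Dict:
    """Describe what a patch_len-byte overwrite at addr destroys."""
    stolen, total = [], 0
    for a, raw, asm in listing[instruction_index(listing, addr):]:
        stolen.append((a, raw, asm))
        total += len(raw)
        if total >= patch_len:
            break
    if total < patch_len:
        raise ValueError("listing ends before the patch is fully covered")
    return {
        "stolen": stolen,                    # instructions that must be re-executed in newmem
        "span": total,                       # bytes overwritten: jmp plus nop padding
        "padding": total - patch_len,        # nops CE appends after the jmp
        "interior_boundaries": [a for a, _, _ in stolen[1:]],  # boundaries now mid-patch
    }


def branch_targets_in(listing=LISTING) -> Set[int]:
    """Targets of the j* instructions visible in the listing (calls are not branches into here)."""
    return {int(m.group(1), 16) for _, _, asm in listing for m in [_BRANCH.match(asm)] if m}


def branch_hazards(listing, addr: int, known_targets: Set[int]) -> List[int]:
    """Known branch targets that would land strictly inside the patched span."""
    span = patch_site(listing, addr)["span"]
    return sorted(t for t in known_targets if addr < t < addr + span)


def original_bytes(listing, addr: int) -> bytes:
    """The bytes the [DISABLE] section has to restore: every instruction the patch touched."""
    return b"".join(raw for _, raw, _ in patch_site(listing, addr)["stolen"])


def patched_bytes(listing, addr: int, newmem: int) -> bytes:
    """Bytes left at the injection point: E9 rel32 followed by nop padding."""
    rel32 = (newmem - (addr + JMP_REL32_LEN)) & 0xFFFFFFFF
    return bytes([0xE9]) + rel32.to_bytes(4, "little") + bytes([NOP]) * patch_site(listing, addr)["padding"]


def bytes_seen_from(listing, addr: int, newmem: int, entry: int) -> bytes:
    """What a branch that lands at `entry`, inside the patch, would try to decode."""
    img = patched_bytes(listing, addr, newmem)
    off = entry - addr
    if not 0 < off < len(img):
        raise ValueError("entry is not strictly inside the patch")
    return img[off:]


if __name__ == "__main__":
    assert listing_is_contiguous()
    HYPOTHETICAL_NEWMEM = 0x200000  # constructed game.exe-relative offset for newmem
    for site in (0xFAA27, 0xFAA2D):
        info = patch_site(LISTING, site)
        print(f"game.exe+{site:X}: overwrites {len(info['stolen'])} instruction(s), "
              f"{info['span']} bytes, mid-patch boundaries "
              f"{[f'{a:X}' for a in info['interior_boundaries']]}, "
              f"known jumps landing inside: {branch_hazards(LISTING, site, branch_targets_in())}")
    print("a branch into game.exe+FAA2A would decode:",
          bytes_seen_from(LISTING, 0xFAA27, HYPOTHETICAL_NEWMEM, 0xFAA2A).hex(" "))
    print("[DISABLE] must write back:", original_bytes(LISTING, 0xFAA27).hex(" "))
```

Run stand-alone it reports that the patch at game.exe+FAA27 swallows two instructions (6 bytes, one nop of padding) and leaves game.exe+FAA2A as a dangling boundary in the middle of the rel32, whereas the 7-byte cmp at game.exe+FAA2D is covered by a single instruction with no interior boundary, which is exactly why the cmp is the safer site. The listing only shows a window around the injection point, so an empty hazard list means no jump *in this window* lands mid-patch, not that none exists anywhere in the module.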
mrjunior
Newbie cheater
Reputation: 1

Joined: 07 Jul 2018
Posts: 12

Posted: Wed Nov 15, 2023 1:27 pm

Can't quite try it right now, but I did inject right there earlier; iirc I encountered the same crash. I thought that since it's a cmp, that's not a very good spot to inject into, especially since I add a couple of conditions as well. I'm not quite proficient with assembly and figured that could be an easy way to shoot yourself in the foot later. You're saying I can inject in it, so I just put the original cmp just before the jmp return then?

Basically I can try injecting anywhere in the .exe to test if there's some kind of protection, right? And if there is what do I do, is that something to discuss here?
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Wed Nov 15, 2023 1:37 pm

mrjunior wrote:
Basically I can try injecting anywhere in the .exe to test if there's some kind of protection, right?
-Not necessarily. Some targets may only protect certain areas in lieu of a blanket approach; it really depends.

You can try using the cloak feature to test. If you have stealthedit plugin, you could also try that, but the cloaking feature may be doing the same thing. DB would need to confirm.
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Wed Nov 15, 2023 1:44 pm

`cmp` just sets the EFLAGS register. Execute it immediately before you return and it's fine.
Code:
...
newmem:
  // your code here

code:
  // original code
  cmp dword ptr [eax+000000B0],00
  jmp return
...


Discussing that is technically against the rules:
https://forum.cheatengine.org/faq.php#1

You might have better luck elsewhere. If it's an offline single player game and this "protection" is something simple, you can request someone else try this on a third party site:
https://forum.cheatengine.org/thirdparty.php

Otherwise, there's probably some sites with relevant information, but you'll have to find those yourself.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
mrjunior
Newbie cheater
Reputation: 1

Joined: 07 Jul 2018
Posts: 12

Posted: Wed Nov 15, 2023 4:21 pm

Yep, injecting at cmp - still a crash. Now it makes a bit more sense why if a table related to this game has a script - it's just AOB to data.

Still kinda funny that the protection doesn't ever trigger inside the minigame itself, so technically the script is perfectly fine at its job :)

It's also crazy that a 20+yo fully singleplayer game with no online stuff at all has cheat protection

Thank you both anyway
All times are GMT - 6 Hours