Codeinjection and the Autoassembler tutorial
Leonidas
Advanced Cheater
Reputation: 0

Joined: 07 Mar 2005
Posts: 98

Posted: Thu Sep 01, 2005 3:51 am    Post subject: Codeinjection and the Autoassembler tutorial

Let's say you've found the code that decreases your health.
Problem is that it seems to also affect the health of your opponents, and somehow you can't seem to find the base pointer.
In those cases doing some code injection using CE's auto assembler is the easiest solution.

There are several ways code injection can help solve this problem.
One method is finding another code that accesses your health, but does it only for your own health (e.g. the code that is used to display your current health).
There, inject some code that stores the address of your health to an address you can find back again (more on that later).
Then, in the code that decreases your health, inject some code that checks if the address being changed is the address stored by the other routine; if it is, skip the code, otherwise just decrease the health, or even create an instant kill cheat by decreasing the health of opponents by a really big value.

Now for the auto assembler script part:
let's say that at 00405000 is the code that reads your health: mov eax,[esi+ecx*4]
and at 00421000 is the code that decreases the health of enemies: mov [esi+ecx*4],edx

First allocate some memory to place your code in, and to allocate space for variables; use alloc(name,size) for that.
Alloc allocates a region of memory with read, write and execute access. (Be aware, this won't work in Windows ME, 98 or 95, so please upgrade if you are using those ancient OS's.)
So:
Code:

alloc(injectHealthReader,1024) //creates an identifier called injectHealthReader that points to a block of 1024 bytes
alloc(injectHealthWriter,1024) //2nd code cave to handle the code of the decrease health code, for easy management
alloc(playerhealthaddress,4) //this will hold the address of health, a 4 byte value (pointer, in 64 bit this'll have to be 8 bytes)



Now, write your injectHealthReader routine to store the address, and place a jump to your original code as well. Don't forget, when placing a jump to your code cave, that if the instruction was larger than a jump you have to nop the remaining bytes, and in case the jump is bigger than the instruction you also have to save the other instruction AND nop the incomplete bytes. Jumps are 5 bytes.
So in the case of "mov eax,[esi+ecx*4]" the bytecode is 8b 04 8e (3 bytes), so you'll also need to save the instruction after it. Let's say it's followed by a "mov ecx,[esi+edx*4+4]", bytecode 8b 4c 8e 04 (4 bytes), so now we have 7 bytes to place our jump, that's more than enough. So we'll have to place 2 nops after the jump (7-5=2).


Code:

00405000:
jmp injectHealthReader  //jump to the code cave allocated above
nop  //nops for the lost space
nop
returnHealthReader:  //this is the label that is used to return to the address (so you don't have to write down 00405007 when jumping back, just to make it easy....)


injectHealthReader:
push eax //save eax, not really needed here since eax gets changed anyhow, but it's a good habit to save and restore registers
lea eax,[esi+ecx*4] //this instruction places the result of esi+ecx*4 into eax
mov [playerhealthaddress],eax //store the address of the player's health
pop eax //restore the register, again, not needed here, but good habit to do

originalhealthreadercode: //label defining the original code, can be used to jump into or just skip, not needed here
mov eax,[esi+ecx*4]  //read health
mov ecx,[esi+edx*4+4] //read something else, my guess, armor

jmp returnHealthReader //jump back to the original game code, when done successfully, it won't crash...


As you see, to specify an exact address just type it in ended with a ':'. Everything you type in after that will get assembled on and after that address (the jump and nops in this case, and the definition of returnHealthReader:, which is in its own turn also an address specifier, but doesn't change the current address).

This code introduces labels; they are basically identifiers specifying an address where they have been placed.
You can't just use a label though, you'll first have to declare it using the label(labelname) function. I usually declare labels right after the part where I alloc memory.

So, right after the alloc I have this code to get the code above working:
Code:

label(returnHealthReader) //tell the assembler that returnHealthReader is a valid identifier, so it doesn't bug out
label(originalhealthreadercode) //same as above


Now when you run the game the address of your health will get stored into the location of playerhealthaddress.
You can already use this with Cheat Engine, because the auto assembler will tell you the address, but the allocation will change each time, so making a table for other people won't work; they'd have to fill in the address each time themselves. (I don't find that a problem but somehow some people do....)



So, let's automate it a little further and use the knowledge of your health address to make yourself invulnerable, but not your opponents.
Just like the injection for the code that reads your health, you can do the same for the code that decreases health.
And you can put it in the same script as the injection for the reader, as you saw in the alloc part where I already allocated space for the injection for the health decreaser (so you don't have to edit the address the other script allocated).

So, write script code that places a jump over the code that decreases your health, in this case "mov [esi+ecx*4],edx" which has bytecode 89 14 8e (3 bytes), too small, so find an instruction before or after that's also suitable. In this case there's a sub edx,eax just before this instruction, its bytecode is 29 c2 (2 bytes), so a perfect fit (5 bytes, so no need to nop), and even easier to make a code injection for (else I'd have to use a label between the 2 instructions to just skip the original line, but this sub edx,eax line is used to decrease as well, doesn't change any of the locator addresses, and is useless for the rest, so it doesn't hurt to skip it as well).

So to inject your routine that checks if this is your health or not, and if so, doesn't decrease it, do:
Code:

00421000:
jmp injectHealthWriter //overwrite sub edx,eax + mov [esi+ecx*4],edx (exactly 5 bytes) with the jump
returnHealthWriter: //just declare it here, it'll get address 00421005, so a jmp returnHealthWriter will get converted to jmp 00421005


injectHealthWriter:
//do a check if esi+ecx*4 matches the address stored in playerhealthaddress
//if it matches, skip the original code, if it doesn't just execute it

//save the registers we use, and before I forget, do not touch esp between saving and restoring the registers unless
//it's to read something (like parameters), in which case you'll have to adjust the offset
//also, don't change the registers that you use to find the address
push eax
push ebx
mov eax,[playerhealthaddress]
lea ebx,[esi+ecx*4]
cmp eax,ebx

je itstheplayer

//not the player
pop ebx //I think I could have done this before the je, but better safe than sorry
pop eax
jmp originaldecreasehealthcode


itstheplayer:
pop ebx //restore the registers, keep in mind to restore the registers in reverse order
pop eax
jmp returnHealthWriter //don't execute the original code, return immediately

originaldecreasehealthcode:
sub edx,eax
mov [esi+ecx*4],edx
jmp returnHealthWriter


Again, I used a few labels to make it easier for me,
but that also means I'd have to declare them, else the assembler will complain it doesn't recognize them.
So:
Code:

label(returnHealthWriter)
label(itstheplayer)
label(originaldecreasehealthcode)


and I prefer adding declarations at the top.
So, the complete auto assembler script would look like:
Code:

alloc(injectHealthReader,1024) //creates an identifier called injectHealthReader that points to a block of 1024 bytes
alloc(injectHealthWriter,1024) //2nd code cave to handle the code of the decrease health code, for easy management
alloc(playerhealthaddress,4) //this will hold the address of health, a 4 byte value (pointer, in 64 bit this'll have to be 8 bytes)
label(returnHealthReader) //tell the assembler that returnHealthReader is a valid identifier, so it doesn't bug out
label(originalhealthreadercode) //same as above
label(returnHealthWriter)
label(itstheplayer)
label(originaldecreasehealthcode)


//----------------------------------------
//              Healthreader
//----------------------------------------
00405000:
jmp injectHealthReader  //jump to the code cave allocated above
nop  //nops for the lost space
nop
returnHealthReader:  //this is the label that is used to return to the address (so you don't have to write down 00405007 when jumping back, just to make it easy....)


injectHealthReader:
push eax //save eax, not really needed here since eax gets changed anyhow, but it's a good habit to save and restore registers
lea eax,[esi+ecx*4] //this instruction places the result of esi+ecx*4 into eax
mov [playerhealthaddress],eax //store the address of the player's health
pop eax //restore the register, again, not needed here, but good habit to do

originalhealthreadercode: //label defining the original code, can be used to jump into or just skip, not needed here
mov eax,[esi+ecx*4]  //read health
mov ecx,[esi+edx*4+4] //read something else, my guess, armor

jmp returnHealthReader //jump back to the original game code, when done successfully, it won't crash...



//----------------------------------------
//           Health decreaser
//----------------------------------------



00421000:
jmp injectHealthWriter  //overwrite the original code (sub edx,eax + mov [esi+ecx*4],edx, 5 bytes) with a jump.
returnHealthWriter: //just declare it here, it'll get address 00421005, so a jmp returnHealthWriter will get converted to jmp 00421005


injectHealthWriter:
//do a check if esi+ecx*4 matches the address stored in playerhealthaddress
//if it matches, skip the original code, if it doesn't just execute it

//save the registers we use, and before I forget, do not touch esp between saving and restoring the registers unless
//it's to read something (like parameters), in which case you'll have to adjust the offset
//also, don't change the registers that you use to find the address
push eax
push ebx
mov eax,[playerhealthaddress]
lea ebx,[esi+ecx*4]
cmp eax,ebx

je itstheplayer

//not the player
pop ebx //I think I could have done this before the je, but better safe than sorry
pop eax
jmp originaldecreasehealthcode


itstheplayer:
pop ebx //restore the registers, keep in mind to restore the registers in reverse order
pop eax
jmp returnHealthWriter //don't execute the original code, return immediately

originaldecreasehealthcode:
sub edx,eax
mov [esi+ecx*4],edx
jmp returnHealthWriter




Please be aware that I haven't tested this in CE yet; I've been writing this in Notepad on a PC that doesn't have CE installed, so there may be a few syntax errors, and some of the code I've written can surely be optimised, but I hope you get the general idea.

Also, there's a bug in CE 5.0 where you can't use small identifiers that can appear in the name of another identifier. (E.g. weirdmemlocxxx and memloc can't be used at the same time, because memloc fits in weirdmemlocxxx.)
But if you use normal names for identifiers this won't cause a problem, and I recommend identifiers of more than 4 characters, else it may happen you get the name of an assembler instruction and accidentally overwrite that when used.

This will be fixed in CE 5.1.
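The "how many bytes does the jump eat, how many nops" bookkeeping from the post above, as an added example (not the poster's code and not Cheat Engine's own): a small Python helper that, given the instruction lengths quoted in the post, works out how many original instructions the 5-byte jmp overwrites, how many nops pad the rest, where the return label lands, and what the E9 rel32 bytes look like. The cave address 0x00C00000 is an assumed placeholder; in CE the alloc() picks the real one at runtime.

```python
"""Hook-layout helper mirroring what CE's auto assembler does for 'jmp label'
at a fixed address. Added example; instruction lengths are the ones quoted in
the tutorial, the cave address is an assumed placeholder."""
import struct

JMP_REL32_LEN = 5   # E9 xx xx xx xx, 32-bit relative jump
NOP = 0x90


def plan_hook(hook_addr, instr_lens):
    """Return (stolen_count, nop_count, return_addr) for a jmp at hook_addr.

    instr_lens: byte lengths of the original instructions starting at
    hook_addr, in order. Enough of them are 'stolen' (relocated into the
    cave) to cover the 5-byte jmp; leftover bytes become nops so the jump
    back lands on an instruction boundary.
    """
    covered = 0
    stolen = 0
    for length in instr_lens:
        if covered >= JMP_REL32_LEN:
            break
        covered += length
        stolen += 1
    if covered < JMP_REL32_LEN:
        raise ValueError("not enough instructions to cover a 5-byte jmp")
    return stolen, covered - JMP_REL32_LEN, hook_addr + covered


def encode_jmp(from_addr, to_addr):
    """Encode 'jmp to_addr' as it sits at from_addr: E9 + signed rel32,
    where rel32 is measured from the end of the 5-byte instruction."""
    rel = to_addr - (from_addr + JMP_REL32_LEN)
    return b"\xe9" + struct.pack("<i", rel)


def patch_bytes(hook_addr, cave_addr, instr_lens):
    """Bytes actually written at hook_addr: the jmp plus padding nops."""
    _, nops, _ = plan_hook(hook_addr, instr_lens)
    return encode_jmp(hook_addr, cave_addr) + bytes([NOP]) * nops


if __name__ == "__main__":
    CAVE = 0x00C00000  # assumed placeholder for what alloc() returned
    # Health reader: mov eax,[esi+ecx*4] (3) + mov ecx,[esi+edx*4+4] (4)
    print(plan_hook(0x00405000, [3, 4]))              # (2, 2, 0x405007)
    print(patch_bytes(0x00405000, CAVE, [3, 4]).hex())
    # Health decreaser: sub edx,eax (2) + mov [esi+ecx*4],edx (3)
    print(plan_hook(0x00421000, [2, 3]))              # (2, 0, 0x421005)
    # The 'jmp returnHealthReader' at the end of the cave, jumping backwards
    print(encode_jmp(CAVE + 0x20, 0x00405007).hex())
```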
Leonidas
Advanced Cheater
Reputation: 0

Joined: 07 Mar 2005
Posts: 98

Posted: Thu Sep 01, 2005 4:13 am

The other method of using code injection is finding if there are differences between the player data and opponent data.
Let's say that if it's the player, [esi+ecx*4+14] contains a 1, otherwise a 0. You can then do a check if that is set or not; if so, skip, otherwise decrease health.

Code:

alloc(injectHealthWriter,1024) //2nd code cave to handle the code of the decrease health code, for easy management
label(returnHealthWriter)
label(itstheplayer)
label(originaldecreasehealthcode)


//----------------------------------------
//           Health decreaser
//----------------------------------------



00421000:
jmp injectHealthWriter  //overwrite the original code with a jump.
returnHealthWriter: //just declare it here, it'll get address 00421005, so a jmp returnHealthWriter will get converted to jmp 00421005


injectHealthWriter:
push eax //save eax, we use it for the flag check
mov eax,[esi+ecx*4+14] //offset 14 is hex: the player/opponent flag
cmp eax,1
je itstheplayer

//not the player
pop eax
jmp originaldecreasehealthcode


itstheplayer:
pop eax //restore the register
jmp returnHealthWriter //don't execute the original code, return immediately

originaldecreasehealthcode:
sub edx,eax
mov [esi+ecx*4],edx
jmp returnHealthWriter

U
Cheater
Reputation: 0

Joined: 04 Jul 2005
Posts: 48
Location: Comet Temple 1

Posted: Thu Sep 01, 2005 2:57 pm

This tutorial will make a nice template to use with auto assemble,

thanks for that **** **** er I mean scribly, very nice work, a tool to use and a lesson at the same time....

_________________
hey ho a mincing we will go
Davethewave
Expert Cheater
Reputation: 0

Joined: 06 Mar 2005
Posts: 210

Posted: Thu Sep 01, 2005 5:23 pm

Thanks for that Scribly! I was hoping someone would write an auto assemble tut.
Leonidas
Advanced Cheater
Reputation: 0

Joined: 07 Mar 2005
Posts: 98

Posted: Mon Sep 05, 2005 1:10 am

As an addition to the first method:
Check if the address that gets filled with your health is filled before using it in the writer.
Usually it is, but if you enable it just at the moment you get hit, even before your health is displayed on the screen, it may be that the address of health is still NULL and it'll crash.

So, add something like:
Code:

//put this at the very start of injectHealthWriter, before the push instructions:
//it jumps straight to the original code, so nothing may be left on the stack
cmp dword ptr [playerhealthaddress],0 //check if it's 0 (dword ptr: the operand size is ambiguous otherwise)
je originaldecreasehealthcode //if it is, immediately go to the original code and exit

//otherwise the normal code/checks
BillyTheKid
How do I cheat?
Reputation: 0

Joined: 05 Aug 2005
Posts: 6

Posted: Tue Sep 20, 2005 2:47 pm

I've tried following that, but I can't make heads nor tails out of it.
Zhoul
Master Cheater
Reputation: 1

Joined: 19 Sep 2005
Posts: 394

Posted: Fri Nov 25, 2005 1:19 am

BillyTheKid wrote:
> I've tried following that, but I can't make heads nor tails out of it.


In most games, there is a far simpler solution to issues like this... (however, the above is indeed an excellent example of code injection).

First, you *MUST* read my first post in the thread-link below, or else the rest of this reply probably won't make any sense.

http://forum.cheatengine.org/viewtopic.php?t=4606

Ok, you read it, right?

No.. really... read it.

Ok, now that you've read it...

In the case that only 1 code writes to a lot of values, usually there is 1 or more codes that ONLY read from your own health/whatever.

- Find the value that determines *your* health/whatever.
- Right-click it and choose "Find out what accesses this address" (you can do 'reads from this address' but that usually gives me issues).
- What you're looking for is any code that reads from the address, so anything with brackets around the 2nd operand of the code is good.
i.e.
mov esi, [edx+0000001c]
and not...
mov [esi+0000001c], edx

- Add every single code that reads from the value to your list.
- Go to your code list, right-click the first one you added and "Find out what addresses this code reads from".
- Hopefully, at least one of the codes you added will only read from 1 address, which should be your address.

At this point, you can either try to find a pointer path, or simply use the ghetto method to write your own pointer, as described in the thread I linked at the top.

- Zhoul
lukechin
Grandmaster Cheater
Reputation: 0

Joined: 24 Jun 2006
Posts: 536
Location: in willy wonkas factory

Posted: Wed Sep 20, 2006 3:15 pm

rofl, I've been looking for this
_________________
hmm back once again....
Kenji2007
Cheater
Reputation: 0

Joined: 26 Sep 2006
Posts: 33

Posted: Sun Oct 08, 2006 8:44 pm

Real nice and a great lesson. Thanks (any more such work?)
yodaman
Master Cheater
Reputation: 0

Joined: 15 Oct 2006
Posts: 454
Location: United States

Posted: Tue Oct 24, 2006 7:35 am

Freakin' awesome! Man, once I moved out from the Maple Story forum I'm finding all this stuff to absorb. I'm actually starting to feel like I can do this stuff someday lol. Thanks so much for your contribution to the gaming community Dark and for your continued help. You're the bomb diggity man - donation coming soon your way.
_________________
hacker4maple wrote:
> ...hold on is GM ppl or program?
DemonHorn
Newbie cheater
Reputation: 0

Joined: 17 Aug 2006
Posts: 10

Posted: Wed Nov 08, 2006 1:43 am

Umm, I can't think of a game for which you need to use code injection. Can anyone give me an example?
Matthias
Newbie cheater
Reputation: 0

Joined: 13 Nov 2006
Posts: 12

Posted: Mon Nov 13, 2006 11:53 pm

Though there are easier solutions, I think this guide is great. My knowledge of the AA is pretty weak, so I'm reading up on tutorials to learn more. Thanks for the great tutorial.
Glest
Master Cheater
Reputation: 0

Joined: 12 Jul 2006
Posts: 334
Location: The Netherlands

Posted: Tue Nov 14, 2006 1:09 am

Yeah, great tut, but somehow I get the feeling you copy-pasted it from the help file. Especially since it says there's a bug in CE 5.0 which will be fixed in 5.1.
_________________
Keyboard Piano
www.keyboard-piano.com

Reprograming in C++
Computer Piano
*Not done yet*
onvoloper
Master Cheater
Reputation: 0

Joined: 05 Jul 2006
Posts: 294

Posted: Fri Jul 20, 2007 8:53 pm

Nice tut, I wanna learn how to do this stuff but it's going right over my head...
Drezer
Grandmaster Cheater Supreme
Reputation: 0

Joined: 23 Jan 2008
Posts: 1111
Location: Bonechewer(WoW)

Posted: Wed Feb 06, 2008 9:49 pm

onvoloper wrote:
> Nice tut, I wanna learn how to do this stuff but it's going right over my head...


Same here, I don't know where to start.

I'm 13, 4 months till 14, I have no basic scripting background other than SCAR scripting, which I didn't get too far with because it got boring; I wanted to learn hacks, not making a bot.

Would it be too hard for me to learn this?