injecting AA scripts usage
Cheat Engine Forum Index -> Cheat Engine Source -> Plugin development

xentar
Grandmaster Cheater
Reputation: 0

Joined: 08 Jul 2006
Posts: 708
Location: USA, Mass

PostPosted: Sun Nov 12, 2006 7:34 am    Post subject: injecting AA scripts usage

Hi,

Can anyone help me with injecting AA scripts in the plugin?

I am trying to write a plugin in C; the problem is after I inject the scripts using:

Exported.AutoAssemble(buffer);

I don't know what to do with this? How do I access the address of the registersymbol?

How can I free up the memory in the [DISABLE] section?

Thanks,

_________________
People encountered at CEF.

* I don't care if he wrote the code, I say it is open source then it is open source.
* I don't care if it is his trainer, if I say he can't have that hack in there, then he can't.
* Appalsap, your trainer is L337
momocha
Master Cheater
Reputation: 0

Joined: 23 Jul 2006
Posts: 258

PostPosted: Mon Nov 13, 2006 3:25 pm    Post subject: Re: injecting AA scripts usage

xentar wrote:
Hi,

Can anyone help me with injecting AA scripts in the plugin?

I am trying to write a plugin in C; the problem is after I inject the scripts using:

Exported.AutoAssemble(buffer);

I don't know what to do with this? How do I access the address of the registersymbol?

How can I free up the memory in the [DISABLE] section?

Thanks,


To access the address, add the address manually by inputting the name you use in registersymbol as the address.

To free up memory, just use dealloc(xxxx), xxxx = whatever name you use.
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

PostPosted: Tue Nov 14, 2006 2:23 am    Post subject:

hmm, that's 2 things I'll have to fix for next version:

1: Allow the symbolhandler to be used. (so export getaddressfromstring)
2: Add an enable and disable parameter for the auto assembler (default goes to enable)
There is currently no linking between memory of the scripts, so dealloc won't work, and since registersymbol can't be retrieved from the exported dll it's also impossible to free the memory yourself with virtualfree(address...)

What you could do is write the address of the allocated memory to a known location in memory in your script, and use that to free it with virtualfree

e.g:
Code:

alloc(mycode,4096)

mycode:
blaaa
blaaa
blaaa

00400500:
dd mycode


then when executed 00400500 will contain the address of mycode


edit:
oh yes, one way of using registersymbol is letting it all go through autoassembler scripts, since those do use the named address functions

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
xentar

PostPosted: Tue Nov 14, 2006 7:07 am    Post subject:

Thanks DB,

It would be great if you can include those 2 features in the next release. I have been looking at a few macro programs to bot, but the amount of information the macro program can feed off the game itself is very limited. But if I make a plugin for CE, I have all the information I need directly from the game memory itself, so with this I can make CE into a very smart bot program.

For now I will follow your suggestion and try this out. I guess I have to be careful that the known memory area where I save the AA code address is not used?

Dark Byte

PostPosted: Tue Nov 14, 2006 7:40 am    Post subject:

you can call virtualalloc yourself and manage that memory location yourself.

(e.g. allocate a 4kb region, and then adjust your script to use that allocated memory region to store stuff in)

heh, one thing you could do after allocating some memory yourself:
Code:

registersymbol(myallocatedmemoryspot)
label(myallocatedmemoryspot)

20000000: //20000000 is the address you got from virtualallocex
myallocatedmemoryspot:

xentar

PostPosted: Tue Nov 14, 2006 7:55 am    Post subject:

Dark Byte wrote:
you can call virtualalloc yourself and manage that memory location yourself.

(e.g. allocate a 4kb region, and then adjust your script to use that allocated memory region to store stuff in)

heh, one thing you could do after allocating some memory yourself:
Code:

registersymbol(myallocatedmemoryspot)
label(myallocatedmemoryspot)

20000000: //20000000 is the address you got from virtualallocex
myallocatedmemoryspot:


Just trying to recap and see if I understand you correctly.

Your suggestion is: in the plugin, use VirtualAllocEx() to allocate a chunk of memory at the requested location (20000000), then in the AA script directly write the AA code address into the memory location 20000000. This way it is guaranteed that no one has set up camp there, so it is safe for the AA script to use this memory blindly.

Thanks,

Dark Byte

PostPosted: Tue Nov 14, 2006 8:22 am    Post subject:

yes, if you allocate the memory yourself you're sure it's not used by anything else and you can mess with it as much as you like.

also, you don't even have to specify 20000000; giving 0 and getting a random address is good enough. (as long as you adjust the script to use the allocated address, but a sprintf with a %p to generate the script is easy enough)

xentar

PostPosted: Thu Nov 16, 2006 8:30 am    Post subject:

Hi DB,

Hope you can give me a hand here.

Following your suggestions, I allocate memory and sprintf() its address into the AA scripts.
And at that location I put the address of my code + anything there.

I check this address location and it looks like everything is there for me to use in the plugin.

The problem is I ran into access violation at the address I allocated.

Here is what I used in the code.

ptrCEInterface = VirtualAllocEx(*Exported.OpenedProcessHandle, NULL, 128,MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

if I dereference (*ptrCEInterface) I get an access violation.

and yes, ptrCEInterface is not null; it points to the memory region where the address of the code used in AA is.

<edit>
I did a bit googling and it seems ptrCEInterface is the virtual memory of the target application so I can't use it in CE as is.

So I attempt to do ReadProcessMemory to read the data into the CE process.
This gets rid of the access violation exception, but somehow my data are all zeroed.

ptrCEInterface = VirtualAllocEx(*Exported.OpenedProcessHandle, NULL, ptrCEInterface_size, MEM_COMMIT, PAGE_READWRITE);
ptrLocalCEInterface = malloc(ptrCEInterface_size);

/* ReadProcessMemory returns FALSE (see GetLastError) if the copy did not happen;
   in that case ptrLocalCEInterface still holds whatever malloc left in it */
if (!ReadProcessMemory(*Exported.OpenedProcessHandle, ptrCEInterface, ptrLocalCEInterface, ptrCEInterface_size, NULL))
    /* handle the failure here */ ;

within CE I am using ptrLocalCEInterface instead, but still no real data as I was expecting.

<edit>
my bad, the ReadProcessMemory method works; it's just that I read it before I injected the AA scripts, so the memory is still zeroed.

Problem solved.

<edit>
Another concern.

After I use ChangeRegistersAtAddress() to set a break point, from CE I can see a break point is set, but the CE UI somehow doesn't reflect the value or the flag this break point is about. I assume this is ok, maybe because ChangeRegistersAtAddress doesn't let the CE UI know anything about what it did, but I can't find out for sure if this still works until I can test it.

Thanks,

Dark Byte

PostPosted: Fri Nov 17, 2006 8:19 am    Post subject:

also, replace PAGE_READWRITE with PAGE_EXECUTE_READWRITE, else you'll get an access violation on SP2 when executing it
xentar
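An added example in plain C, not code from this thread or from Cheat Engine itself, tying the last few replies together: it generates the script text that stores the address of the allocated code block in a slot the plugin allocated beforehand (Dark Byte's "dd mycode" trick), and decodes the 4-byte value the plugin later reads back from that slot. The slot address 0x20000000, the symbol name mycode and the script body are assumed placeholders. It formats the address with PRIxPTR instead of the %p Dark Byte mentions, because %p output is implementation-defined (glibc adds a 0x prefix that the auto assembler would not accept, MSVC does not), and the decoder returning 0 is exactly the "read it before injecting" case xentar hit. The VirtualAllocEx, ReadProcessMemory and AutoAssemble calls are left out so the block compiles and runs anywhere.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Build the auto-assembler script text. 'slot' is the address the plugin
   got back from VirtualAllocEx (placeholder 0x20000000 in this example);
   the script writes the address of its own code block there with 'dd'.
   Returns the script length, or -1 if 'out' is too small (a truncated
   script must never be handed to the auto assembler). */
int build_script(char *out, size_t outlen, uintptr_t slot)
{
    int n = snprintf(out, outlen,
        "alloc(mycode,4096)\n"
        "registersymbol(mycode)\n"
        "\n"
        "mycode:\n"
        "nop\n"                       /* hypothetical body; real code goes here */
        "ret\n"
        "\n"
        "%08" PRIxPTR ":\n"          /* bare hex address, no 0x prefix */
        "dd mycode\n",
        slot);
    return (n > 0 && (size_t)n < outlen) ? n : -1;
}

/* Decode the 32-bit little-endian pointer that 'dd mycode' stored, from the
   bytes the plugin copied out of the target with ReadProcessMemory.
   A result of 0 means the slot has not been written yet, i.e. the script
   was not injected before the read. */
uint32_t decode_slot(const unsigned char *buf)
{
    return (uint32_t)buf[0] | ((uint32_t)buf[1] << 8)
         | ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
}

int main(void)
{
    char script[512];
    /* constructed sample: the slot address from the thread */
    if (build_script(script, sizeof script, (uintptr_t)0x20000000u) > 0)
        fputs(script, stdout);

    /* constructed sample of what a read-back slot might hold */
    unsigned char readback[4] = {0x00, 0x10, 0x40, 0x00};
    printf("stored code address: %08" PRIx32 "\n", decode_slot(readback));
    return 0;
}
```

Only the slot itself is touched by this snippet, and it holds a pointer rather than code, so PAGE_READWRITE is enough for it; Dark Byte's PAGE_EXECUTE_READWRITE remark applies to a region that is meant to be executed.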

PostPosted: Fri Nov 17, 2006 8:57 am    Post subject:

Is my concern about ChangeRegistersAtAddress valid? I tried this last night and it seems the debug set doesn't have any effect.

Thanks,

Dark Byte

PostPosted: Sun Nov 19, 2006 4:20 am    Post subject:

It doesn't even change the register?
Did you fill in the changereg structure properly? (So setting BOTH the changereg boolean and the new state of the register or flag, AND the address to change)

xentar

PostPosted: Sun Nov 19, 2006 5:25 am    Post subject:

Dark Byte wrote:
It doesn't even change the register?
Did you fill in the changereg structure properly? (So setting BOTH the changereg boolean and the new state of the register or flag, AND the address to change)


I think I changed everything properly; here is the code snippet.

Code:

struct REGISTERMODIFICATIONINFO regs;

memset(&regs, 0, sizeof(regs));        /* leave every other change_* flag clear */
regs.change_eip = TRUE;                /* the changereg boolean for EIP */
regs.new_eip = godModeCodeAddress;     /* new state of the register */
regs.address = godModeEIP;             /* the address to change at */

getCEExportedFunctions().ChangeRegistersAtAddress(regs.address, (REGISTERMODIFICATIONINFO *)&regs);


I saw the break point being set, but viewing with CE's change register doesn't show it has anything set, and it doesn't look like the code is being executed either.

thanks,

Hi DB,

hope you don't forget my problem :)
just kidding, I guess I have to debug into the CE code.
