[HELP] Assassin's Creed 4:Black Flags active code is crash

 
Amami De Kaito
Expert Cheater
Reputation: 5

Joined: 06 Feb 2013
Posts: 110
Location: 3/44

Posted: Thu Dec 05, 2013 3:46 am    Post subject: [HELP] Assassin's Creed 4:Black Flags active code is crash

Code:
[ENABLE]
aobscan(Money,0F 57 C0 0F 29 00 5D C2 04 00 8B 41 0C C3 CC)
registersymbol(Money)
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

label(pMoney)
registersymbol(pMoney)

newmem:
mov [pMoney],ecx

mov eax,(int)999999
mov [ecx+0C],eax

originalcode:
mov eax,[ecx+0C]
ret
int 3

exit:
jmp returnhere

pMoney:
dd 0

Money+A:
jmp newmem
returnhere:

[DISABLE]
dealloc(newmem)
unregistersymbol(Money)
unregistersymbol(pMoney)
Money+A:
db 8B 41 0C C3 CC


I activated the Inf. Money code, but enabling the code crashes. Please help.
SteveAndrew
Master Cheater
Reputation: 30

Joined: 02 Sep 2012
Posts: 323

Posted: Thu Dec 05, 2013 6:40 am    Post subject: Re: [HELP] Assassin's Creed 4:Black Flags active code is cra

Shinratensei_Darkness wrote:

I activated the Inf. Money code, but enabling the code crashes. Please help.


The problem is the instruction you are using to write the 999999 value:
Code:

mov eax,(int)999999
mov [ecx+0C],eax // << -- this one


It is writing to more than just your money address! Depending on how the code was designed, a single instruction can access many addresses (as many as it wants, basically: as many objects / data types as there are relating to the code that's manipulating them).

You could have easily checked this by doing the following:
Well, see the original code, more specifically this instruction: 'mov eax,[ecx+0C]'. If you right-click on it in the disassembler view and click 'Find out what addresses these instructions access', it will show you whether it just accesses your one address and that's it, or accesses (reads/writes) many addresses all coming through the one instruction!

Basically, if you aren't filtering your addresses down in these multiple-address instruction situations, then you are writing a single value to EVERY address, and in your case 999999 is not a very good value either to write to a various number of random addresses! (Well, any value is not really good to write to any number of addresses, because then you're kind of corrupting the memory, and it may, and usually always does, have something vital in there that, as you've seen, makes it crash!)

To fix it, use what's called a filter or a unique data identifier compare instruction, so that you can determine in real time in the code whether or not the address that's being accessed via the instruction in question (in this case 'mov eax,[ecx+0c]', or even if it was the other way, 'mov [ecx+0c],eax') is actually the value you want to change! Although, you don't want to write to it unless you're sure you've gotten it down to just your one address, which you'll know will be 100% safe. In trickier games I have ended up, even after filtering, with a few other stagnant addresses sometimes, but usually it's filtered down enough that even overwriting a few random addresses filtered down plus your 1 good address is better than overwriting ALL of the addresses that 'pass through', which can be quite a bit! (At least more than you'd expect)

Though here's a tip besides the above-mentioned method (which Cheat Engine has as a feature): you could have also done a script like this. Have you thought of trying it like this?

Code:

[ENABLE]
aobscan(Money,0F 57 C0 0F 29 00 5D C2 04 00 8B 41 0C C3 CC)
registersymbol(Money)
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

label(pMoney)
registersymbol(pMoney)

newmem:
mov [pMoney],ecx 

//oh where did your write to '[ecx+0c]' code go, well...

originalcode:
mov eax,[ecx+0C]
ret
int 3

exit:
jmp returnhere

pMoney:
dd 0

Money+A:
jmp newmem
returnhere:

[DISABLE]
dealloc(newmem)
unregistersymbol(Money)
unregistersymbol(pMoney)
Money+A:
db 8B 41 0C C3 CC


Well, the answer to that is: instead of writing a value to that [ecx+0c], wherever it may actually point to, you can instead just copy the pointer, as you've already had in your code! I mean 'mov [pMoney],ecx'.

If you had done this, you would have seen that your 'pMoney' pointer +0c won't actually be a pointer to your money 100% of the time. When other (non-money) addresses are accessed via that data-accessing instruction, pMoney will point to them instead. So freezing this pointer would likely result in complications as well.

And here's your script using your new AOB, I presume, and the old way from the old script to filter down to money (there are others, but perhaps it's safer to just stick with money, as we're trying to not only make it not crash but not have undesired effects either!).

This should most likely work!
Code:

[ENABLE]
aobscan(Money,0F 57 C0 0F 29 00 5D C2 04 00 8B 41 0C C3 CC)
registersymbol(Money)
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

label(pMoney)
registersymbol(pMoney)

newmem:
cmp esi,1 //here is the filter in this case
jne originalcode //if esi == 1 address is money address

//this will never be reached unless its only the money address coming through
mov [pMoney],ecx

mov eax,#999999
mov [ecx+0C],eax

originalcode: //most of the time it'll go through here directly from that conditional jump at the start!
mov eax,[ecx+0C]  //this means all other addresses are written to normally besides our
ret               //affected money address
int 3

exit:
jmp returnhere

pMoney:
dd 0

Money+A:
jmp newmem
returnhere:

[DISABLE]
dealloc(newmem)
unregistersymbol(Money)
unregistersymbol(pMoney)
Money+A:
db 8B 41 0C C3 CC

Amami De Kaito
Expert Cheater
Reputation: 5

Joined: 06 Feb 2013
Posts: 110
Location: 3/44

Posted: Thu Dec 05, 2013 8:50 am

Code:
AC4BFSP.exe+ED1500 - 55                    - push ebp
AC4BFSP.exe+ED1501 - 8B EC                 - mov ebp,esp
AC4BFSP.exe+ED1503 - 8B 45 08              - mov eax,[ebp+08]
AC4BFSP.exe+ED1506 - 0F57 C0               - xorps xmm0,xmm0
AC4BFSP.exe+ED1509 - 0F29 00               - movaps [eax],xmm0
AC4BFSP.exe+ED150C - 5D                    - pop ebp
AC4BFSP.exe+ED150D - C2 0400               - ret 0004
AC4BFSP.exe+ED1510 - 8B 41 0C              - mov eax,[ecx+0C] << Here
AC4BFSP.exe+ED1513 - C3                    - ret
AC4BFSP.exe+ED1514 - CC                    - int 3


This is the source of the money and smoke bombs. The two codes are the same; will it work?

then

cmp esi,1 <<<< this value, you can do it, but I do not understand: is this value money?
SteveAndrew
Master Cheater
Reputation: 30

Joined: 02 Sep 2012
Posts: 323

Posted: Thu Dec 05, 2013 8:29 pm

Shinratensei_Darkness wrote:
Code:
AC4BFSP.exe+ED1500 - 55                    - push ebp
AC4BFSP.exe+ED1501 - 8B EC                 - mov ebp,esp
AC4BFSP.exe+ED1503 - 8B 45 08              - mov eax,[ebp+08]
AC4BFSP.exe+ED1506 - 0F57 C0               - xorps xmm0,xmm0
AC4BFSP.exe+ED1509 - 0F29 00               - movaps [eax],xmm0
AC4BFSP.exe+ED150C - 5D                    - pop ebp
AC4BFSP.exe+ED150D - C2 0400               - ret 0004
AC4BFSP.exe+ED1510 - 8B 41 0C              - mov eax,[ecx+0C] << Here
AC4BFSP.exe+ED1513 - C3                    - ret
AC4BFSP.exe+ED1514 - CC                    - int 3


This is the source of the money and smoke bombs. The two codes are the same; will it work?

then

cmp esi,1 <<<< this value, you can do it, but I do not understand: is this value money?


You can't hook the same address twice, no, if that's what you mean... However, you can deal with writing to multiple addresses with the same hook (basically the game is dealing with multiple addresses running through the same code in its own way too).

NO, esi equaling 1 is not the value of money... It's a way that we can determine that [ecx+0c] is, at the present moment and for sure 100%, your money address!

The point is that [ecx+0c] at this memory location isn't always your money address! However, by using different determining variables we can get a feel for whether [ecx+0c] is currently the address we want to write to or not!

We use identifying variables in registers or in the stack in order to determine whether, at this very moment the code is executing, the right address we want to write to is here or not!

When ESI == 1, [ecx+0c] is a pointer to your money address.

When ESI == 5, [ecx+0c] is a pointer to your smoke bombs address, etc...

Something like this: (note: for some reason I decided not to hard-code the '0c' offset, so I pushed and popped ebx, and copied the '0c' offset, or whatever it is, into ebx.)

Code:

//Assassin's Creed 4: Black Flag
//Infinite Money, wood, metal, cloth, rum, sugar, etc...
//Steve Andrew
[enable]
alloc(InfiniteMoneyEtc,1024)
aobscan(MoneyEtcAddress,0f 57 c0 0f 29 00 5d c2 04 00 8b 41)
label(SetMoney)
label(SetBombs)
registersymbol(InfiniteMoneyEtc)
registersymbol(MoneyEtcAddress)

InfiniteMoneyEtc+200:
readmem(MoneyEtcAddress+0a,5)

InfiniteMoneyEtc:
push ebx
mov ebx,InfiniteMoneyEtc
movzx ebx,byte [ebx+202]
cmp esi,1 //money
je SetMoney
cmp esi,5 //smoke bombs
je SetBombs

mov eax,[ecx+ebx]
pop ebx
ret

SetMoney:
mov eax,#999999999
mov [ecx+ebx],eax
pop ebx
ret

SetBombs:
mov eax,5
mov [ecx+ebx],eax
pop ebx
ret

MoneyEtcAddress+0a:
jmp InfiniteMoneyEtc

[disable]

MoneyEtcAddress+0a:
readmem(InfiniteMoneyEtc+200,5)
//db 8b 41 0c c3 cc
//mov eax,[ecx+0c]
//ret
//int 3

dealloc(InfiniteMoneyEtc)
unregistersymbol(InfiniteMoneyEtc)
unregistersymbol(MoneyEtcAddress)

Amami De Kaito
Expert Cheater
Reputation: 5

Joined: 06 Feb 2013
Posts: 110
Location: 3/44

Posted: Fri Dec 06, 2013 1:00 am

InfiniteMoneyEtc+200: is this the 200 byte size or an offset?
readmem(MoneyEtcAddress+0a,5): what is readmem?

movzx ebx,byte [ebx+202]: what is movzx? And is [ebx+202] an offset into InfiniteMoneyEtc or not?

PS. I should say that I have no knowledge of assembly; what I wrote came from watching YouTube and looking at the cheat table scripts of Geri, Recifense, Cielos, and your writing all along.
SteveAndrew
Master Cheater
Reputation: 30

Joined: 02 Sep 2012
Posts: 323

Posted: Sat Dec 07, 2013 9:37 am

It's an offset. +200 is an offset... I allocated 1024 bytes for 'InfiniteMoneyEtc'; 1024 == 0x400. I suppose it could be considered a size too. Half the size of our memory allocation is 0x200 bytes == 512 decimal bytes...

I only did it to separate things a little bit, and to not require another label + registered symbol...

Also, very perceptive that [ebx+202] is an offset into 'InfiniteMoneyEtc', seeing as I just moved the address of 'InfiniteMoneyEtc' into ebx in the previous instruction! The reason for the movzx instead of just doing a mov is for the same reason I just moved the address of InfiniteMoneyEtc into ebx. So if I just did mov, yes, 'bl' (lower half of 'bx', which is the lower half of 'ebx') will contain that byte, probably '0c', but the rest of ebx will also contain those other now-unneeded bytes stuck in ebx! So to easily remedy that I used 'movzx ebx,byte [ebx+202]' (Zero eXtend).

InfiniteMoneyEtc+200:
 8b  41  0c  c3  cc
 +0  +1  +2
200 201 202

ebx contains: 0x0000000c after the movzx instruction

I could have also perhaps done (in its place):
mov ebx,[ebx+202]
and ebx,000000FF

ebx contains: 0x0000000c after those two instructions...

Or I could've just used another register completely that had been zeroed first! (Didn't see the point in pushing and popping two registers, though, since it wasn't necessary.)

If you look later when money or smoke bombs cheat is actually applied:
Code:

mov [ecx+ebx],eax


if the offset of interest is still 0x0C (which we moved into ebx from InfiniteMoneyEtc+202)

that's equivalent to:
Code:

mov [ecx+0c],eax



readmem is something new in CE 6.3! It enables you to do something that you were always able to do when coding your own trainer, for example, but couldn't quite do in AutoAssembler until now!

If, upon enabling, the aobscan successfully finds 'MoneyEtcAddress' (+0a from the found address is where we are actually hooking, keep in mind), the readmem will copy 5 bytes from MoneyEtcAddress+0a to 'InfiniteMoneyEtc+200'.

The reason for doing that is: 1. to easily disable the cheat without having to know exactly what the bytes were beforehand (since you copied those bytes somewhere before overwriting them), and 2. to 'grab' offsets or pointers in the code that can be / probably will be different between versions and updates of the game! In this case the only offset we could grab is the '0c' offset, which, since it's kinda low, doesn't seem like it will change anyway, so this is not the best example to use. Regardless, though, the '0c' isn't hard-coded, so if it did happen to be different but the AOB was still found, it would still work!

So say, for example, InfiniteMoneyEtc is at address 0x1000 (not a real address, just pretend); it'll look something like this after enabling...


0x1000:
[script code here]

0x1200:
8b 41 0c c3 cc

MoneyEtcAddress+0a:
jmp 1000


Now when you disable, it does the reverse, copying those bytes from 0x1200 (or InfiniteMoneyEtc+0x200) back to 'MoneyEtcAddress+0a', which restores those original 5 bytes we overwrote, reversing the cheat.


[0x1000: deallocated]

MoneyEtcAddress+0a:
8b 41 0c c3 cc


One last thing: this hook is a little different than usual. Since we overwrite a 'ret', we don't jump back after our code; we instead just 'ret' as well. (So any instruction after the ret you can safely omit from your code [in this case 'int 3'].)

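An added illustration, not part of this thread or of any of the scripts posted in it: a small C model of the two points SteveAndrew makes above. First, one accessor instruction serves many objects, so an unfiltered write clobbers every object that passes through it, while a filter on the id the game happens to leave in esi touches only the intended ones. Second, saving the five original bytes before patching (what readmem does here) lets the hook both restore them on disable and read the displacement byte out of them, with movzx-style zero extension compared against a 32-bit load plus an and mask. The object layout, the access trace, the counter values and the placeholder jmp bytes are constructed for the example; the type ids 1 and 5 and the bytes 8b 41 0c c3 cc come from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed object layout (assumption, not the game's real structure):
 * 12 bytes of other state, then a counter at +0x0C, like [ecx+0C] above. */
typedef struct {
    uint32_t header[3];
    uint32_t value;
} Resource;

/* Original bytes at the hook site: mov eax,[ecx+0C] ; ret ; int 3 */
static const uint8_t original_site[5] = {0x8B, 0x41, 0x0C, 0xC3, 0xCC};

/* Writable stand-in for the code the game executes, so it can be patched. */
static uint8_t site[5];
/* Stand-in for InfiniteMoneyEtc+200, where readmem parks the saved bytes. */
static uint8_t saved[16];

/* enable: save the 5 bytes (readmem), then overwrite the site with a jmp. */
static void enable_hook(void) {
    memcpy(site, original_site, sizeof original_site);
    memcpy(saved, site, 5);        /* copy before overwriting */
    site[0] = 0xE9;                /* jmp rel32 */
    memset(site + 1, 0, 4);        /* placeholder displacement */
}

/* disable: copy the saved bytes back; returns 1 if the site is original again. */
static int disable_hook(void) {
    memcpy(site, saved, 5);
    return memcmp(site, original_site, 5) == 0;
}

/* movzx ebx,byte [ebx+202]: one byte, zero-extended to 32 bits. */
static uint32_t disp_movzx(void) { return (uint32_t)saved[2]; }

/* The alternative in the thread: a 32-bit load followed by and ebx,000000FF. */
static uint32_t disp_masked(void) {
    uint32_t dword;
    memcpy(&dword, saved + 2, sizeof dword);   /* little-endian, like x86 */
    return dword & 0xFF;
}

/* First-post behaviour: write 999999 into whatever object ecx points at. */
static uint32_t hook_unfiltered(Resource *obj, uint32_t esi) {
    (void)esi;
    obj->value = 999999;
    return obj->value;             /* what mov eax,[ecx+0C] would then load */
}

/* Accepted answer: write only when esi says the object is money or bombs. */
static uint32_t hook_filtered(Resource *obj, uint32_t esi, uint32_t disp) {
    uint32_t *field = (uint32_t *)((uint8_t *)obj + disp);
    if (esi == 1) *field = 999999999;     /* SetMoney */
    else if (esi == 5) *field = 5;        /* SetBombs */
    return *field;                        /* plain read for everything else */
}

/* Constructed access trace: (esi, object index). Object 2 stands for an
 * unrelated structure whose +0C holds something the game relies on. */
typedef struct { uint32_t esi; int obj; } Access;
static const Access trace[] = {{1, 0}, {5, 1}, {7, 2}, {1, 0}, {9, 2}};

/* Replay the trace through one hook; return how many objects changed value. */
static int run_trace(int filtered) {
    Resource objs[3] = {{{0}, 1200}, {{0}, 3}, {{0}, 0x00400000}};
    const uint32_t before[3] = {1200, 3, 0x00400000};
    int changed = 0;
    enable_hook();
    uint32_t disp = disp_movzx();
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        Resource *o = &objs[trace[i].obj];
        if (filtered) hook_filtered(o, trace[i].esi, disp);
        else hook_unfiltered(o, trace[i].esi);
    }
    for (int k = 0; k < 3; k++) changed += objs[k].value != before[k];
    disable_hook();
    return changed;
}

int main(void) {
    enable_hook();
    printf("displacement via movzx: 0x%02X, via mov+and: 0x%02X\n",
           disp_movzx(), disp_masked());
    printf("site restored on disable: %d\n", disable_hook());
    printf("objects clobbered, unfiltered: %d\n", run_trace(0));
    printf("objects clobbered, filtered:   %d\n", run_trace(1));
    return 0;
}
```

The unfiltered replay changes all three objects, including the one that was never money or bombs; the filtered replay changes only the two whose esi id matched, which is exactly the difference between the crashing first script and the working one. The two displacement readers agree on 0x0C because the masked version discards the 0xC3 and 0xCC that would otherwise sit in the upper bytes of the register.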
strideram
Newbie cheater
Reputation: 0

Joined: 03 Dec 2013
Posts: 13

Posted: Sat Dec 07, 2013 10:10 pm

Nice. At first the "better" version was really complicated. Your latest reply, though, greatly helped in understanding the script. I really appreciate you showing the advanced way to write an AA script.

I have an open thread in this forum (/viewtopic.php?p=5510239#5510239), and I realized I had the same issue as the OP. The hack I had enabled was working for all addresses, not just the one I wanted. You mentioned applying some filtering to reduce/limit the number of addresses to only the ones we care about.

In this thread's specific scenario, the filters you applied were:

Code:
cmp esi,1 //money
je SetMoney
cmp esi,5 //smoke bombs
je SetBombs


Why these? Articles online describe ESI as:

Quote:
Source index register - Used for string and memory array copying


Ok. That must mean something. Anyway, I thought those EDI/ESI registers were supposed to contain addresses. .... What is the significance of the numbers 1 and 5? How did you realize they represent money and smoke bombs?
Amami De Kaito
Expert Cheater
Reputation: 5

Joined: 06 Feb 2013
Posts: 110
Location: 3/44

Posted: Sun Dec 08, 2013 1:33 am

I cannot understand whether it is all a game or not. But thank you very much, SteveAndrew.
strideram
Newbie cheater
Reputation: 0

Joined: 03 Dec 2013
Posts: 13

Posted: Mon Dec 09, 2013 10:15 am

@SteveAndrew, I found your AC4 cheat table thread. I think it's wonderful that you and the others who post there are not just posting the final tables but also explaining how they went about finding some of the things they did. To a beginner like me, they demonstrate there is no easy magical way to find the right addresses/opcodes/filters. It's a lot of hard work and a process of eliminating false positives.

Reading the posts in your AC4 and the Borderlands 2 (can't remember the author's name) threads (and from my own limited experience), I get the feeling that a lot of the time it's trial and error. In the sense that even if the hack works now, at a later point in the game (even if the game hasn't been updated) you might encounter a seemingly unconnected scenario where activating the hack will crash the game. This lack of surety (the chance that I won't get it right the first few times) is kind of disappointing. Or maybe that's how things are at a very early stage. As more people use the table, bugs will be found and things will get resolved.

Will keep reading the posts in those two threads. Quite informative.