 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
Kolkina
Newbie cheater
![]() Reputation: 0
Joined: 13 Oct 2012
Posts: 17
|
 Posted: Thu May 01, 2014 5:53 pm Post subject: What is happening when doing code injection/pointer scanning |
 |
|
The title pretty much says it all.
I've read some tutorials, such as: Apparently, I cannot post URL's yet, so you'll have to trust that I've read at least a little. The problem is that most of the tutorials I find explain the how to find something, but not how it works, which leads me to some of these questions.
What are the different types of pointers (I thought a pointer was something like in C++, where it points to the adress of a value)?
What are the pointers found during pointer scan and how do they work?
How does code injection work (why does the program run the injected assembler code, and how does it get injected)?
Where can I go to learn more about all of these concepts that are involved in making cheat engine work? (Not coding tutorials.)
Any answers are greatly appreciated, and sorry if this is the wrong section, but I can't find the "Cheat Engine Help" section, since the tutorial section doesn't seem to allow questions.
|
|
| Back to top |
|
 |
Rydian
Grandmaster Cheater Supreme
 Reputation: 31
Joined: 17 Sep 2012
Posts: 1358
|
| Posted: Thu May 01, 2014 9:12 pm Post subject: |
|
|
1 - All pointers follow the same basic layout, which is base+offset(+offset+offset etc). A description of pointers on a technical level can be found in most places, but traditional pointer-finding methods aren't used as often for varying reasons nowadays, but basically they take a base address, then an offset from the value of that, then optionally another offset from there, etc.
2 - They follow the same basic format. From what I know CE's pointer scanner almost brute-forces things, just checking all the possible paths it can, which is why the pointer scanner can take a while if the game uses a lot of RAM and the depth is high. Pointer scans for me last anywhere from a minute to an hour depending on things.
3 - Code injection sets up your custom code somewhere new in RAM, and then overwrites some existing code with the instruction to jump to your custom code, and your custom code jumps back to where the normal code left off at the end.
4 - I wrote a tutorial on how to quickly do code injection things with CE here.
http://forum.cheatengine.org/viewtopic.php?p=5510987
As far as pointers somebody else is likely to give better stuff.
_________________
|
|
| Back to top |
|
|
Kolkina
Newbie cheater
![]() Reputation: 0
Joined: 13 Oct 2012
Posts: 17
|
| Posted: Fri May 02, 2014 5:46 am Post subject: |
|
|
| Rydian wrote: | | 2 - They follow the same basic format. From what I know CE's pointer scanner almost brute-forces things, just checking all the possible paths it can, which is why the pointer scanner can take a while if the game uses a lot of RAM and the depth is high. Pointer scans for me last anywhere from a minute to an hour depending on things. |
What are these paths you're talking about? Why does this type of pointer last between shutdown and startup, while finding the address of the pointer by the way of Tutorial 6 seem to not always find the same value?
| Rydian wrote: | | 3 - Code injection sets up your custom code somewhere new in RAM, and then overwrites some existing code with the instruction to jump to your custom code, and your custom code jumps back to where the normal code left off at the end. |
How does it do that exactly? I know how to do some assembly programming, but what I'm wondering is how does cheat engine overwrite the code so that it jumps to this code cave?
|
|
| Back to top |
|
|
zm0d
Master Cheater
 Reputation: 7
Joined: 06 Nov 2013
Posts: 423
|
| Posted: Fri May 02, 2014 6:57 am Post subject: |
|
|
| Kolkina wrote: | | How does it do that exactly? I know how to do some assembly programming, but what I'm wondering is how does cheat engine overwrite the code so that it jumps to this code cave? |
http://www.codeproject.com/KB/cpp/codecave/codecave2.PNG
You JMP from a start address to your code cave. In your code cave you've some few lines of unmodified original code and also place your own code there =) It's a very powerful way to hack a game.
When you're done with your code cave, you JMP back to your start address + 5 bytes (5 bytes are usually taken when you use a simple JMP (0xE9 + 4 bytes address)) and the application/game will run as nothing was happend.
| Kolkina wrote: | | What are these paths you're talking about? Why does this type of pointer last between shutdown and startup, while finding the address of the pointer by the way of Tutorial 6 seem to not always find the same value? |
Pointers can hold pointers can hold pointers [...]
You often have something called a pointer-chain. So a pointer holds a pointer and so on. This can be a very long chain (pointer-level) and the longer the chain, the longer you'll need to search for a valid base pointer. CE pointer-scanner checks all variables within a process if they store the address of the just found pointer. It's a "simple" recursively process.
|
|
| Back to top |
|
|
Kolkina
Newbie cheater
![]() Reputation: 0
Joined: 13 Oct 2012
Posts: 17
|
| Posted: Fri May 02, 2014 7:19 am Post subject: |
|
|
| zm0d wrote: |
You JMP from a start address to your code cave. In your code cave you've some few lines of unmodified original code and also place your own code there =) It's a very powerful way to hack a game.
When you're done with your code cave, you JMP back to your start address + 5 bytes (5 bytes are usually taken when you use a simple JMP (0xE9 + 4 bytes address)) and the application/game will run as nothing was happend. |
I figured something like this was happening, but my question was, how exactly do you change the course of program execution like that? How do you make it do the jump to the code cave, instead of the next line originally to be executed? Doesn't this require modifying the program somehow during runtime? If so, how does the program become modified during runtime?
| zm0d wrote: |
Pointers can hold pointers can hold pointers [...]
You often have something called a pointer-chain. So a pointer holds a pointer and so on. This can be a very long chain (pointer-level) and the longer the chain, the longer you'll need to search for a valid base pointer. CE pointer-scanner checks all variables within a process if they store the address of the just found pointer. It's a "simple" recursively process. |
So what are these base pointers? How come they always point towards the "same" values? Not the same address, but the same values in terms of function.
|
|
| Back to top |
|
|
zm0d
Master Cheater
Reputation: 7
Joined: 06 Nov 2013
Posts: 423
|
| Posted: Fri May 02, 2014 7:53 am Post subject: |
|
|
| Kolkina wrote: | | If so, how does the program become modified during runtime? |
That's simple. You can easily use the CE disassembler to modify the running game, since you know how to deal with ASM. Just attach CE to the process of the game and open up the "Memory View" function, or find interesting opcodes with the functions "What writes/accesses t othis address?". Do the buil-tin CE tutorial to learn it.
| Kolkina wrote: | | So what are these base pointers? |
Static base pointers are pointers always lcoated at the same address within a processes virtual memory (only if the application doesn't use ASLR (google it)). If the application uses ASLR you still can call it a base pointer (note that there isn't a static in this sentence). Then you just get the module base address and calculate a offset to it (e.g. "Game.exe"+00001337 => here Game.exe is a place holder for the dynamically base address of the module "Game.exe").
An application always needs this base pointers, since the CPU loads values from the RAM to its registers. This wouldn't be possible if you don't have some base addresses, from where you start.
|
|
| Back to top |
|
|
Rydian
Grandmaster Cheater Supreme
Reputation: 31
Joined: 17 Sep 2012
Posts: 1358
|
| Posted: Fri May 02, 2014 8:57 am Post subject: |
|
|
The link I posted shows you how to set up some quick code injection from within CE. When you use it you can see, live, what happens to the targeted ASM when the script is enabled and when it's disabled.
_________________
|
|
| Back to top |
|
|
Kolkina
Newbie cheater
![]() Reputation: 0
Joined: 13 Oct 2012
Posts: 17
|
| Posted: Fri May 02, 2014 8:58 am Post subject: |
|
|
| zm0d wrote: | | That's simple. You can easily use the CE disassembler to modify the running game, since you know how to deal with ASM. Just attach CE to the process of the game and open up the "Memory View" function, or find interesting opcodes with the functions "What writes/accesses t othis address?". Do the buil-tin CE tutorial to learn it. |
What I meant was, how does cheat engine do it? I already completed the tutorial, but it only explains how to do it, not really how it works. (Unless I missed that part)
| zm0d wrote: |
Static base pointers are pointers always lcoated at the same address within a processes virtual memory (only if the application doesn't use ASLR (google it)). If the application uses ASLR you still can call it a base pointer (note that there isn't a static in this sentence). Then you just get the module base address and calculate a offset to it (e.g. "Game.exe"+00001337 => here Game.exe is a place holder for the dynamically base address of the module "Game.exe").
An application always needs this base pointers, since the CPU loads values from the RAM to its registers. This wouldn't be possible if you don't have some base addresses, from where you start. |
Alright, I didn't know what virtual memory was (bet I still actually don't), but I found a few links explaining what virtual memory, paging and static base pointers are.
From what I understood, these base pointers are found at some "static offset" from the relative address of "Game.exe" and from these we can find the address to the next pointer we need, until we find a final pointer that will point to our object, and in that object our value at some offset.
Why then, does the pointer scanner in cheat engine return so many different pointers? Shouldn't there only be at most a few different pointers that will point to the object, where the value is stored, not the 25k it returns when doing it on something as 'simple' as the CE tutorial?
EDIT:
| Rydian wrote: | | The link I posted shows you how to set up some quick code injection from within CE. When you use it you can see, live, what happens to the targeted ASM when the script is enabled and when it's disabled. |
I did read your link, and your tutorials are really good, but it didn't answer my question on how exactly cheat engine itself does the trick. (Again, unless I missed it.)
EDIT2:
Actually, I might as well ask some things regarding script writing that are somewhat unclear to me.
| Code: |
//This is not a cave story script, this is from another game.
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
aobscan(infair, 80 7B 28 00 D9 18 74 09 D9 18 EB 07 90 8D 74 26 00 DD D8 8D 65 F4)
label(_infair)
registersymbol(_infair)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
originalcode:
cmp byte ptr [ebx+28],00
fstp dword ptr [eax]
exit:
jmp returnhere
infair:
_infair:
jmp newmem
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
_infair:
cmp byte ptr [ebx+28],00
fstp dword ptr [eax]
//Alt: db 80 7B 28 00 D9 18 |
What exactly is happening when you do:
| Code: | aobscan(infair, 80 7B 28 00 D9 18 74 09 D9 18 EB 07 90 8D 74 26 00 DD D8 8D 65 F4)
label(_infair)
registersymbol(_infair) |
From what I understand, the address found from the aobscan is saved in infair and then assigned to _infair. infair is the location of the code and labels are, from what I understand, address points in the script that you can jump to. What does it change that _infair was registered as a symbol?
Here, how is this an assignment of the value stored in infair to _infair? Aren't these just two jump points located after each other?
|
|
| Back to top |
|
|
zm0d
Master Cheater
Reputation: 7
Joined: 06 Nov 2013
Posts: 423
|
| Posted: Fri May 02, 2014 9:34 am Post subject: |
|
|
| Kolkina wrote: | | Why then, does the pointer scanner in cheat engine return so many different pointers? Shouldn't there only be at most a few different pointers that will point to the object, where the value is stored, not the 25k it returns when doing it on something as 'simple' as the CE tutorial? |
This comes from what a compiler does with the higher level code. Also you often have multiple copies of your original value (range of validity, multi-threading...). There may sometimes be false hits, that just randomly have the same value like an address. (e.g. address 1337 stores another address 1338 (1337 is a pointer), 1339 stores 1338, but this time 1338 is a real value, not an address! So 1339 is not definied as a pointer.)
| Kolkina wrote: | | What I meant was, how does cheat engine do it? |
Seems like I don't understand you really. You've the opportunity to make use of integrated CE scripting language to easily inject code.
If you want to know how this will look like without CE, then take a look at my post before with the JMP...
|
|
| Back to top |
|
|
Kolkina
Newbie cheater
![]() Reputation: 0
Joined: 13 Oct 2012
Posts: 17
|
| Posted: Fri May 02, 2014 10:06 am Post subject: |
|
|
| zm0d wrote: | Seems like I don't understand you really. You've the opportunity to make use of integrated CE scripting language to easily inject code.
If you want to know how this will look like without CE, then take a look at my post before with the JMP... |
What I wanted to know was "How do you manually inject code into a process?", but since I by now understand what I'm asking, google is a great place for help.
|
|
| Back to top |
|
|
zm0d
Master Cheater
Reputation: 7
Joined: 06 Nov 2013
Posts: 423
|
| Posted: Fri May 02, 2014 10:25 am Post subject: |
|
|
Yes you find tons of code example on how to do that 
|
|
| Back to top |
|
|
Rydian
Grandmaster Cheater Supreme
Reputation: 31
Joined: 17 Sep 2012
Posts: 1358
|
| Posted: Fri May 02, 2014 9:15 pm Post subject: |
|
|
Well, the ASM is hex in RAM.
CE overwrites that just like other stuff in RAM.
_________________
|
|
| Back to top |
|
|
justa_dude
Grandmaster Cheater
 Reputation: 23
Joined: 29 Jun 2010
Posts: 891
|
| Posted: Fri May 02, 2014 11:39 pm Post subject: |
|
|
| Kolkina wrote: | | So what are these base pointers? How come they always point towards the "same" values? Not the same address, but the same values in terms of function. |
Because programs need some way to access their own data, there is always going to be at least one pointer through which something on the heap can be reached.
_________________
A nagy kapu mellett, mindig van egy kis kapu.
----------------------
Come on... |
|
| Back to top |
|
|
Kolkina
Newbie cheater
![]() Reputation: 0
Joined: 13 Oct 2012
Posts: 17
|
| Posted: Sat May 03, 2014 3:17 pm Post subject: |
|
|
| Rydian wrote: | Well, the ASM is hex in RAM.
CE overwrites that just like other stuff in RAM. |
I just assumed it was write-protected, because when you want to search for an AOB you have to uncheck "write".
|
|
| Back to top |
|
|
Rydian
Grandmaster Cheater Supreme
Reputation: 31
Joined: 17 Sep 2012
Posts: 1358
|
| Posted: Sat May 03, 2014 7:19 pm Post subject: |
|
|
| Kolkina wrote: | | Rydian wrote: | Well, the ASM is hex in RAM.
CE overwrites that just like other stuff in RAM. |
I just assumed it was write-protected, because when you want to search for an AOB you have to uncheck "write". |
1 - Depends on the game, most games I've messed with do not bother to mark their executable code as non-writable. Starbound is one of the few that does (surprising for a game in alpha like that).
2 - From what I understand, the read/write things are just the program voluntarily limiting itself for safety reasons (so a messed-up pointer won't lead it into overwriting it's own code for example), CE and outside tools have no problem editing the stuff anyways.
_________________
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
