Cheat Engine The Official Site of Cheat Engine
Chris12 Expert Cheater
Reputation: 1
Joined: 27 Apr 2012 Posts: 103
Posted: Sat Nov 08, 2014 10:54 am Post subject: AOB with changing codes
Hello dark byte (or anyone else who feels up to the question)
The game I'm hacking sometimes gets some small patches.
But it seems the compiler used to compile the game is optimizing everything in a new way every time.
This means:
Functions stay the same in what they do, but the assembler codes are new every time.
Registers are changed (ebx instead of eax).
Or sometimes mov and push are swapped (while not changing anything at all in the logic).
Or sometimes stuff like add esp,8 is not folded and will read: add esp,4; add esp,4.
These are only examples. Field offsets stay the same but relative jumps also often change because the code is a little bigger or smaller.
I need an AOB scan that is a bit more abstract and does not rely on the bytes that are used.
I strongly believe that those changes are not made to prevent hacking. They seem to be completely automated and there is no obfuscation at all.
Does CE provide something to counter that?
Is there a tool to decompile a region into code that is a bit more abstract?
Is it possible to write this myself?
What should I do?
Every AOB I make is obsolete with every patch.
IDA can decompile it just fine and output the C code which always (almost always) looks exactly the same.
Any hints or tips? Maybe some library that can decompile it for me?
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Sat Nov 08, 2014 9:49 pm
The C code generated by IDA is just a best-guess visual of the flow of the code. It is not something you should ever take at face value or assume is 100% correct. HexRays (the plugin that does this) has plenty of bugs, although it is a great plugin, so be wary of assuming what you see is proper / correct.
The most you can do to counteract something like this is making more generic AOBs to scan with. Mark more things as wildcards. Such as the registers being used in the various movs. The values / offsets being used in the movs and pushes, etc. It may land up making your AOBs a lot longer, but they may survive the random patches better then.
If the issue is simply optimization, there is not much to be done since it's how the compiler is compiling down the raw code. If it is a compression method or obfuscation of some sort you could take other methods to handle things but from how you are explaining it, it doesn't sound like that is the case.
_________________
- Retired.
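The kind of generic signature described in the reply above, as an added example that is not part of the original thread: a masked byte-pattern matcher run over two constructed x86 byte strings that differ only in the register used and the call displacement. The function names, the `?`-per-nibble pattern syntax and both sample buffers are assumptions made for this illustration.

```python
# Added illustration: wildcard (masked) byte-signature matching.
# Both "builds" below are constructed x86 byte strings, not from any real program.

def compile_aob(pattern):
    """Turn 'AA ?? 5?' into (value, mask) pairs; '?' wildcards one nibble."""
    sig = []
    for tok in pattern.split():
        if len(tok) != 2:
            raise ValueError(f"bad token {tok!r}")
        value = mask = 0
        for ch in tok:
            value, mask = value << 4, mask << 4
            if ch != "?":
                value |= int(ch, 16)
                mask |= 0xF
        sig.append((value, mask))
    return sig

def scan(buf, pattern):
    """Return every offset in buf where the masked pattern matches."""
    sig = compile_aob(pattern)
    return [off for off in range(len(buf) - len(sig) + 1)
            if all((buf[off + i] & m) == v for i, (v, m) in enumerate(sig))]

# mov eax,[ecx+10]; push eax; call rel32; add esp,4; ret
BUILD_A = bytes.fromhex("90 90 8B 41 10 50 E8 12 34 00 00 83 C4 04 C3")
# Same logic after a rebuild: ebx instead of eax, different call displacement
BUILD_B = bytes.fromhex("90 8B 59 10 53 E8 0A 35 00 00 83 C4 04 C3")

# Byte-exact signature taken from build A
EXACT = "8B 41 10 50 E8 12 34 00 00 83 C4 04"
# ModRM byte and rel32 fully wildcarded, push register nibble wildcarded;
# the field offset 0x10 and the stack cleanup stay fixed
GENERIC = "8B ?? 10 5? E8 ?? ?? ?? ?? 83 C4 04"

if __name__ == "__main__":
    for name, build in (("A", BUILD_A), ("B", BUILD_B)):
        print(name, "exact:", scan(build, EXACT), "generic:", scan(build, GENERIC))
```

A pattern that is too loose matches in several places, so check that the hit list has exactly one entry. Per-byte wildcards do not cover reordered instructions or an `add esp` split into two instructions.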