Cheat Engine The Official Site of Cheat Engine
kimpet, Newbie cheater (Reputation: 0, Joined: 09 Nov 2015, Posts: 22)
Posted: Tue Nov 10, 2015 4:34 am    Post subject: Code Injection crashes my game when enabled and try to shoot
Hello, I'm making a trainer for Mad Max that makes Thunderpoons unlimited, but my problem is that it crashes my game when I try to shoot. Sometimes it works for a while and then crashes. I think something is wrong in my code; I hope someone can help. Here is the script I made, I don't know if this is correct coding:
Code:
[ENABLE]
alloc(newmem,2048,141FC22C7)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:
mov [rax],dx // This is the instruction that writes the Thunderpoons ammo address; when mov is changed to add it adds ammo for Thunderpoons
jmp 141D4CCEB

exit:
jmp returnhere

141FC22C7:
jmp newmem
nop
nop
nop
returnhere:

[DISABLE]
dealloc(newmem)
141FC22C7:
mov [rax],dx
jmp 141D4CCEB
STN, I post too much (Reputation: 43, Joined: 09 Nov 2005, Posts: 2676)
Posted: Tue Nov 10, 2015 9:10 am
In Mad Max, the same instruction is used to access different functions of the game. You have to use a compare to only modify the thunderpoon value.
Just look in the tables section; I am sure there are already tables out for this game where you can see what compares are used.
Cake-san, Grandmaster Cheater (Reputation: 8, Joined: 18 Dec 2014, Posts: 541, Location: Semenanjung)
Posted: Tue Nov 10, 2015 10:47 am
Also, move the injection point up a little, because jmp 141D4CCEB might cause some issues.
kimpet, Newbie cheater (Reputation: 0, Joined: 09 Nov 2015, Posts: 22)
Posted: Tue Nov 10, 2015 7:17 pm
Cake-san wrote:
    Also, move the injection point up a little, because jmp 141D4CCEB might cause some issues.

I'm new to this stuff and don't know what the issue is. I want to learn more. Here is part of the injection point:
Code:
{
// ORIGINAL CODE - INJECTION POINT: "MadMax.exe"+1FC22C7
"MadMax.exe"+1FC2299: E9 A0 B9 73 00 - jmp MadMax.exe+26FDC3E
"MadMax.exe"+1FC229E: 51 - push rcx
"MadMax.exe"+1FC229F: E9 12 CC D6 FF - jmp MadMax.exe+1D2EEB6
"MadMax.exe"+1FC22A4: E9 DE A0 C5 FF - jmp MadMax.exe+1C1C387
"MadMax.exe"+1FC22A9: 51 - push rcx
"MadMax.exe"+1FC22AA: 48 8D 0D 33 10 BB FF - lea rcx,[MadMax.exe+1B732E4]
"MadMax.exe"+1FC22B1: E9 9A EB F0 01 - jmp MadMax.exe+3ED0E50
"MadMax.exe"+1FC22B6: 48 8B 45 00 - mov rax,[rbp+00]
"MadMax.exe"+1FC22BA: 48 8D 14 85 0F 37 55 E8 - lea rdx,[rax*4-17AAC8F1]
"MadMax.exe"+1FC22C2: E9 67 58 EC FF - jmp MadMax.exe+1E87B2E
// ---------- INJECTING HERE ----------
"MadMax.exe"+1FC22C7: 66 89 10 - mov [rax],dx
"MadMax.exe"+1FC22CA: E9 1C AA D8 FF - jmp MadMax.exe+1D4CCEB
// ---------- DONE INJECTING ----------
"MadMax.exe"+1FC22CF: 90 - nop
"MadMax.exe"+1FC22D0: 90 - nop
"MadMax.exe"+1FC22D1: 90 - nop
"MadMax.exe"+1FC22D2: 90 - nop
"MadMax.exe"+1FC22D3: 90 - nop
"MadMax.exe"+1FC22D4: 90 - nop
"MadMax.exe"+1FC22D5: 84 C6 - test dh,al
"MadMax.exe"+1FC22D7: 00 85 CE 90 7D C8 - add [rbp-37826F32],al
"MadMax.exe"+1FC22DD: D7 - xlatb
"MadMax.exe"+1FC22DE: 48 89 F8 - mov rax,rdi
}
ParkourPenguin, I post too much (Reputation: 152, Joined: 06 Jul 2014, Posts: 4709)
Posted: Tue Nov 10, 2015 10:19 pm
The main issue is what STN said. That instruction is accessing more than one address, so you're modifying more than you think by injecting code there. See this topic for information on how to deal with that.
Another thing I noticed was that there were a lot of NOPs after your injection point. I'd be surprised if they were there by default, and it looks like it's messing up the code after it quite a bit. Restarting the game should help.
Finally, you should reference your addresses in more of a static manner with module names. For example, instead of "141D4CCEB", have "MadMax.exe+1D4CCEB", and instead of "141FC22C7", have "MadMax.exe+1FC22C7". That way your script will still work even if the module gets moved.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
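An added example, not from any post in this thread: the first script in the thread rewritten the way STN and ParkourPenguin describe, with a compare so that only the thunderpoon record is changed, and with "MadMax.exe"+offset addresses instead of 141FC22C7 so the script survives the module being relocated. The injection address, the jmp target and the restore bytes are the ones in the disassembly posted above. THUNDERPOON_ID_OFFSET, THUNDERPOON_ID and the forced count of 99 are hypothetical placeholders, because nothing in the thread says which field tells a thunderpoon record apart from a shotgun record; find the real ones by running "Find out what addresses this instruction accesses" on MadMax.exe+1FC22C7 while firing each weapon, then comparing the records those addresses point into for a field that differs.

```asm
{ Added example, not from the original posts.
  Hook: "MadMax.exe"+1FC22C7   66 89 10          mov [rax],dx
        "MadMax.exe"+1FC22CA   E9 1C AA D8 FF    jmp MadMax.exe+1D4CCEB
  The store is shared by every weapon, so the hook gates on a field of the
  record rax points into. The offset and the id value below are HYPOTHETICAL
  and must be replaced with what your own session shows. }
define(THUNDERPOON_ID_OFFSET,30)   // hypothetical: offset of the weapon id, relative to rax (CE numbers are hex)
define(THUNDERPOON_ID,7)           // hypothetical: id value stored there for thunderpoons
define(FORCED_AMMO,#99)            // count pinned into the thunderpoon record (# = decimal)

[ENABLE]
alloc(newmem,$1000,"MadMax.exe"+1FC22C7)   // allocate near the hook so jmp newmem is a 5-byte rel32
label(setter_orig)

newmem:
  pushf                                    // cmp clobbers the flags; code at the jmp target may still need them
  cmp dword ptr [rax+THUNDERPOON_ID_OFFSET],THUNDERPOON_ID
  jne setter_orig
  popf
  mov word ptr [rax],FORCED_AMMO           // thunderpoon record: pin the count instead of storing dx
  jmp "MadMax.exe"+1D4CCEB                 // the jmp the hook overwrote; absolute target, so it resolves from newmem too
setter_orig:
  popf
  mov [rax],dx                             // every other weapon (shotgun included): the original store
  jmp "MadMax.exe"+1D4CCEB

"MadMax.exe"+1FC22C7:
  jmp newmem                               // 5 bytes, replacing mov [rax],dx (3) + jmp (5) = 8 bytes
  nop
  nop
  nop

[DISABLE]
"MadMax.exe"+1FC22C7:
  db 66 89 10 E9 1C AA D8 FF               // the original 8 bytes from the listing, written back verbatim
dealloc(newmem)
```

Two points worth checking when adapting this: the DISABLE section restores the original bytes with db rather than reassembling the jmp, so the relative displacement comes back exactly as the game had it; and because the overwritten jmp never returned to the byte after the hook, newmem must jump to MadMax.exe+1D4CCEB itself instead of to a "returnhere" label. If the wrong weapon is still affected after filling in the offset and id, the field you picked is not unique to the thunderpoon record; pick another one from the comparison of the records.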
kimpet, Newbie cheater (Reputation: 0, Joined: 09 Nov 2015, Posts: 22)
Posted: Tue Nov 10, 2015 10:45 pm
ParkourPenguin wrote:
    The main issue is what STN said. That instruction is accessing more than one address, so you're modifying more than you think by injecting code there.
    Another thing I noticed was that there were a lot of NOPs after your injection point. I'd be surprised if they were there by default, and it looks like it's messing up the code after it quite a bit. Restarting the game should help.
    Finally, you should reference your addresses in more of a static manner with module names. For example, instead of "141D4CCEB", have "MadMax.exe+1D4CCEB", and instead of "141FC22C7", have "MadMax.exe+1FC22C7". That way your script will still work even if the module gets moved.

Those NOPs are there by default.
 |
kimpet Newbie cheater
Reputation: 0
Joined: 09 Nov 2015 Posts: 22
|
Posted: Tue Nov 10, 2015 11:38 pm Post subject: |
|
|
Okay, found these codes:

Code:
141FBF118 - 0FB7 40 04 - movzx eax,word ptr [rax+04]
141FC067F - 0FB7 40 04 - movzx eax,word ptr [rax+04]
141D1DF33 - 66 8B 00 - mov ax,[rax]
141FC22C7 - 66 89 10 - mov [rax],dx

I selected the first one, which is movzx eax,word ptr [rax+04], and then I made an AOB injection:
Code:
{ Game : MadMax.exe
Version:
Date : 2015-11-11
Author : KiM
This script does blah blah blah
}
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscanmodule(INJECT,MadMax.exe,0F B7 40 04 C3 CC) // should be unique
alloc(newmem,$1000,"MadMax.exe"+1FBF118)
label(code)
label(return)

newmem:

code:
//movzx eax,word ptr [rax+04]
ret // returns to the caller without doing the movzx, so eax still holds the low 32 bits of rax (the record pointer) rather than the ammo word
jmp return // never reached: the ret above has already left newmem

INJECT:
jmp code
return:
registersymbol(INJECT)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT:
db 0F B7 40 04 C3 // original bytes: movzx eax,word ptr [rax+04] ; ret

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "MadMax.exe"+1FBF118
"MadMax.exe"+1FBF100: 39 08 - cmp [rax],ecx
"MadMax.exe"+1FBF102: 75 06 - jne MadMax.exe+1FBF10A
"MadMax.exe"+1FBF104: 80 78 06 00 - cmp byte ptr [rax+06],00
"MadMax.exe"+1FBF108: 75 0E - jne MadMax.exe+1FBF118
"MadMax.exe"+1FBF10A: 48 83 C0 08 - add rax,08
"MadMax.exe"+1FBF10E: 4C 39 C0 - cmp rax,r8
"MadMax.exe"+1FBF111: 75 ED - jne MadMax.exe+1FBF100
"MadMax.exe"+1FBF113: 31 C0 - xor eax,eax
"MadMax.exe"+1FBF115: C3 - ret
"MadMax.exe"+1FBF116: 35 70 0F - db 35 70 0F // SHORTENED TO HIT INJECTION FROM: xor eax,40B70F70
// ---------- INJECTING HERE ----------
"MadMax.exe"+1FBF119: B7 40 - mov bh,40
"MadMax.exe"+1FBF11B: 04 C3 - add al,-3D
// ---------- DONE INJECTING ----------
"MadMax.exe"+1FBF11D: CC - int 3
"MadMax.exe"+1FBF11E: CC - int 3
"MadMax.exe"+1FBF11F: CC - int 3
"MadMax.exe"+1FBF120: CC - int 3
"MadMax.exe"+1FBF121: CC - int 3
"MadMax.exe"+1FBF122: 66 66 66 66 66 2E 0F 1F 84 00 00 00 00 00 - nop cs:[rax+rax+00000000]
"MadMax.exe"+1FBF130: 48 8B 01 - mov rax,[rcx]
"MadMax.exe"+1FBF133: 4C 8B 41 08 - mov r8,[rcx+08]
"MadMax.exe"+1FBF137: 4C 39 C0 - cmp rax,r8
"MadMax.exe"+1FBF13A: 74 18 - je MadMax.exe+1FBF154
}
It works; it freezes the thunderpoons ammo, but I notice it also freezes the shotgun ammo, and the ammo counts are different from the default values.