Cheat Engine The Official Site of Cheat Engine
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Sun Mar 06, 2016 12:44 pm
The only thing that I do not like about CE's generator is that it is limited, so it will fail if no unique signature can be found within a certain number of bytes.
GH*master's generator for his AAMaker is clever in that it uses wildcards for every byte after the first or second byte on every line, so that you're only defining the jumps/moves etc., allowing you to mitigate potential pattern breaks if/when the target is patched. The downside, of course, is that the signatures need to be much larger in order for a unique signature to be found, therefore increasing the possibility that your signature may break if a major change is seen from any future patches.
Personally, I welcome any improvements. I think, if you really wanted to improve the signature generator, you would have it generate multiple signatures, such as the following:
1. Simple signature with no wildcards that begins above the point of injection.
2. Simple signature with no wildcards that begins at the point of injection.
3. Simple signature with no wildcards that begins below the point of injection.
4. Advanced signature with wildcards that begins above the point of injection.
5. Advanced signature with wildcards that begins at the point of injection.
6. Advanced signature with wildcards that begins below the point of injection.
Then, have all of these signatures 'bundled' into a large, multi-signature that CE could scan until something was found, thus giving us a greater chance that our injection will succeed. In other words, instead of having 1 signature to rely on, we now have 6 different signatures for the same injection point - all automatically generated, of course.
Code:
AOBSuperScanModule(aob_ammo,game.exe,00000000000, 00000000000, 00000000000, 00xxxxxx0xxxxxxx0xxxxxxx, 00xxxxxx0xxxxxxx0xxxxxxx, 00xxxxxx0xxxxxxx0xxxxxxx)
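Added example (Python, written for this page; not code from Cheat Engine, AAMaker or the Lua extension the thread is about) of the six-signature bundle proposed above: exact and AAMaker-style wildcarded signatures, each started one instruction above, at, and just below the injection point, grown instruction by instruction until unique, then scanned in order until one hits. The listing is the one CE printed later in this thread, glued back into a byte buffer; the wildcard rule (keep the opcode byte, two bytes for a 0F prefix), the MIN_LEN/MAX_LEN limits and the three patched displacement bytes are assumptions constructed for the demo.

```python
import re

# Constructed sample: the "ORIGINAL CODE" listing CE printed further down this thread.
LISTING = """\
04659B82: 8D 4F 01 - lea ecx,[edi+01]
04659B85: 39 70 0C - cmp [eax+0C],esi
04659B88: 0F 86 36 00 00 00 - jbe 04659BC4
04659B8E: 8D 44 B0 10 - lea eax,[eax+esi*4+10]
04659B92: 89 08 - mov [eax],ecx
04659B94: 8B 43 14 - mov eax,[ebx+14]
04659B97: 39 78 0C - cmp [eax+0C],edi
04659B9A: 0F 86 18 00 00 00 - jbe 04659BB8
04659BA0: 8D 44 B8 10 - lea eax,[eax+edi*4+10]
04659BA4: 8B 4D 10 - mov ecx,[ebp+10]
04659BA7: 89 08 - mov [eax],ecx
04659BA9: 8B 43 30 - mov eax,[ebx+30]
04659BAC: 40 - inc eax
04659BAD: 89 43 30 - mov [ebx+30],eax
04659BB0: 8D 65 F4 - lea esp,[ebp-0C]
04659BB3: 5E - pop esi
04659BB4: 5F - pop edi
04659BB5: 5B - pop ebx
04659BB6: C9 - leave
04659BB7: C3 - ret
04659BB8: 6A 2A - push 2A
04659BBA: 68 78 06 00 00 - push 00000678
"""
INJECT_AT = 0x04659BA7
JMP_SIZE = 5    # the injection overwrites a 5-byte jmp
MIN_LEN = 8     # assumption: never emit a signature shorter than this
MAX_LEN = 32    # assumption: give up, as CE's generator does, beyond this

LINE_RE = re.compile(r'^\s*([0-9A-Fa-f]{8}):\s+((?:[0-9A-Fa-f]{2}\s+)+)-\s+(.*)$')

def parse_listing(text):
    """Return [(address, bytes, asm)] for every 'ADDR: XX XX - asm' line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3).strip()))
    return out

def image_of(insns):
    """Glue the instruction bytes back into one buffer; returns (image, base address)."""
    return b''.join(b for _, b, _ in insns), insns[0][0]

def insn_pattern(b, wildcard):
    """Exact: every byte. AAMaker-style: keep the opcode byte(s), wildcard the operands.
    Assumption: a 0F-prefixed two-byte opcode keeps two bytes, everything else keeps one."""
    if not wildcard:
        return list(b)
    keep = 2 if b[0] == 0x0F else 1
    return list(b[:keep]) + [None] * (len(b) - keep)

def find_all(image, pat):
    """Offsets at which pat matches image; None in pat matches any byte."""
    return [o for o in range(len(image) - len(pat) + 1)
            if all(p is None or image[o + i] == p for i, p in enumerate(pat))]

def generate(insns, image, start, wildcard):
    """Grow a signature from insns[start] one instruction at a time until it is unique in
    image and at least MIN_LEN bytes; None if MAX_LEN is exceeded (the limit the post dislikes)."""
    if start < 0 or start >= len(insns):
        return None
    pat = []
    for _, b, _ in insns[start:]:
        pat += insn_pattern(b, wildcard)
        if len(pat) > MAX_LEN:
            return None
        if len(pat) >= MIN_LEN and len(find_all(image, pat)) == 1:
            return pat
    return None

def replaced_count(insns, idx):
    """Number of instructions from idx that the JMP_SIZE-byte jmp overwrites."""
    n = total = 0
    while total < JMP_SIZE:
        total += len(insns[idx + n][1])
        n += 1
    return n

def build_bundle(insns, image, inject_addr):
    """The six signatures from the post, in the post's order: exact above/at/below, then
    wildcarded above/at/below. Each entry is (pattern, delta): injection = hit + delta."""
    idx = next(i for i, (a, _, _) in enumerate(insns) if a == inject_addr)
    starts = [idx - 1, idx, idx + replaced_count(insns, idx)]
    bundle = []
    for wildcard in (False, True):
        for s in starts:
            pat = generate(insns, image, s, wildcard)
            bundle.append((pat, inject_addr - insns[s][0]) if pat else None)
    return bundle

def scan_bundle(image, bundle):
    """Try each signature in turn (skipping ones the generator could not build); return
    (injection offset, index of the signature that hit), or None if all six fail."""
    for i, entry in enumerate(bundle):
        if entry is None:
            continue
        pat, delta = entry
        hits = find_all(image, pat)
        if len(hits) == 1:
            return hits[0] + delta, i
    return None

def fmt(pat):
    return ' '.join('??' if p is None else f'{p:02X}' for p in pat)

def demo():
    insns = parse_listing(LISTING)
    image, _ = image_of(insns)
    bundle = build_bundle(insns, image, INJECT_AT)
    # Constructed "patch": three displacement bytes change (ebp+10 -> +14, ebx+30 -> +34 twice),
    # which breaks all three exact signatures but none of the wildcarded ones.
    patched = bytearray(image)
    for off, val in ((36, 0x14), (41, 0x34), (45, 0x34)):
        patched[off] = val
    return scan_bundle(image, bundle), scan_bundle(bytes(patched), bundle), bundle

if __name__ == '__main__':
    before, after, bundle = demo()
    for i, e in enumerate(bundle):
        print(i, 'unavailable' if e is None else f'{fmt(e[0])}  (delta {e[1]:+d})')
    print('original image:', before, ' patched image:', after)
```

On the unpatched buffer the first (exact, above) signature hits; on the patched buffer the scan falls through to the fourth (wildcarded, above) one and still resolves the same injection offset, which is the whole point of bundling. Note that a 61-byte buffer makes every signature unique far sooner than a real process image would; MIN_LEN stands in for that.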
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Sun Mar 06, 2016 1:13 pm
Quote: GH*master's generator for his AAMaker is clever
Yes, something similar to pattern generator from AAMaker.
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Thu Apr 14, 2016 1:57 pm
While helping someone with a script today, I encountered this error:
Code:
Error:...Cheat Engine 6.5\autorun\customAOBInjectionTemplates.lua:723: bad argument #2 to 'gsub' (string/function/table expected)
I had to resort to CE's Injection template. Here is what CE generated:
Code:
{ Game : HuniePop.exe
Version:
Date : 2016-04-14
Author : METHOS
This script does blah blah blah
}
[ENABLE]
aobscan(traits,89 08 8B 43 30 40 89 43 30 8D 65 F4 5E 5F 5B C9 C3 6A) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
mov [eax],ecx
mov eax,[ebx+30]
jmp return
traits:
jmp code
return:
registersymbol(traits)
[DISABLE]
traits:
db 89 08 8B 43 30
unregistersymbol(traits)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 04659BA7
04659B82: 8D 4F 01 - lea ecx,[edi+01]
04659B85: 39 70 0C - cmp [eax+0C],esi
04659B88: 0F 86 36 00 00 00 - jbe 04659BC4
04659B8E: 8D 44 B0 10 - lea eax,[eax+esi*4+10]
04659B92: 89 08 - mov [eax],ecx
04659B94: 8B 43 14 - mov eax,[ebx+14]
04659B97: 39 78 0C - cmp [eax+0C],edi
04659B9A: 0F 86 18 00 00 00 - jbe 04659BB8
04659BA0: 8D 44 B8 10 - lea eax,[eax+edi*4+10]
04659BA4: 8B 4D 10 - mov ecx,[ebp+10]
// ---------- INJECTING HERE ----------
04659BA7: 89 08 - mov [eax],ecx
04659BA9: 8B 43 30 - mov eax,[ebx+30]
// ---------- DONE INJECTING ----------
04659BAC: 40 - inc eax
04659BAD: 89 43 30 - mov [ebx+30],eax
04659BB0: 8D 65 F4 - lea esp,[ebp-0C]
04659BB3: 5E - pop esi
04659BB4: 5F - pop edi
04659BB5: 5B - pop ebx
04659BB6: C9 - leave
04659BB7: C3 - ret
04659BB8: 6A 2A - push 2A
04659BBA: 68 78 06 00 00 - push 00000678
}
Any idea what could be causing the problem? I did notice that the script generation wasn't instant, but took a second or two to process...not sure if that matters. Perhaps a wait timer needs to be implemented or adjusted?
Thanks!
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Fri Apr 15, 2016 4:42 am
++METHOS wrote:
Code:
Error:...Cheat Engine 6.5\autorun\customAOBInjectionTemplates.lua:723: bad argument #2 to 'gsub' (string/function/table expected)
That line number, 723, doesn't tell me anything. I have the vanilla script.
Could you copy paste that line here. Even better, post 5 lines: 2 before, one at 723, 2 after.
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Fri Apr 15, 2016 1:21 pm
Sorry...I didn't think about that.
Code:
template = template:gsub('%%authorName%%', authorName)
template = template:gsub('%%processName%%', processName)
template = template:gsub('%%isModuleScan%%', isModuleScan) --723
template = template:gsub('%%searchPattern%%', searchPattern)
template = template:gsub('%%CmoduleName%%', comma_moduleName)
This particular process did not display module addressing, as you can see above.
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Fri Apr 15, 2016 3:43 pm
Test it again. Should be fixed.
Added:
%replacedInstructionsSize% - byte count of all original instructions that are overwritten, e.g. if there are three nops, it will be "8"
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Fri Apr 15, 2016 5:56 pm
Thanks. I will report back later. I need to grab the game again and figure out what changes you've made so that I can incorporate everything into my current script.
EDIT:
It's working now. Good work! Thank you.
STN I post too much Reputation: 42
Joined: 09 Nov 2005 Posts: 2672
Posted: Sun May 15, 2016 1:19 pm
Thank you! This is really awesome and a time-saver
predprey Master Cheater Reputation: 24
Joined: 08 Oct 2015 Posts: 486
Posted: Thu Aug 18, 2016 7:21 pm
Added support for mono method addresses.
New "Mono Inject" template for JIT-ting and injecting into mono methods.
New Keyword:
%monoAddress% - If mono data collector is active, and address is part of a method, it returns the method name+offset. Else it is empty.
Update 1: Fixed rare bug if target process crashes which causes monoAddress to be nil.
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Wed Sep 14, 2016 6:02 am
@predprey, thank you. I will also add a fix for CE6.6Alpha/Beta/RC/Final (don't know).
Edit:
Added.
Csimbi I post too much Reputation: 94
Joined: 14 Jul 2007 Posts: 3108
Posted: Wed Sep 14, 2016 1:40 pm
Hi guys,
Any chance of creating a template to generate exactly this?
Cheat name should be entered via popup.
Some bits and pieces are missing template-wise...
You can call it Csimbi's weird AOB
Thank you!
Code:
[ENABLE]
aobscanmodule(aobCheatName,Game.exe,F3 41 0F 10 9C 24 ?? ?? 00 00 41 0F 28 D0 48 8D 95 ?? ?? 00 00)
alloc(newmem,4096,aobCheatName)
label(aobCheatName_r)
label(aobCheatName_i)
registersymbol(aobCheatName_r)
registersymbol(aobCheatName_i)
label(lblCheatName)
label(lblCheatNameSkip)
label(lblCheatNameRet)
label(bEnableCheatName)
registersymbol(bEnableCheatName)
newmem:
bEnableCheatName:
dd 1
lblCheatName:
//Alt: movss xmm3,[r12+0000034C]
//db F3 41 0F 10 9C 24 4C 03 00 00
readmem(aobCheatName,10)
cmp dword ptr [bEnableCheatName],1
jne short lblCheatNameSkip
// Place your code here
lblCheatNameSkip:
jmp lblCheatNameRet
aobCheatName_i:
readmem(aobCheatName,10)
//"Game.exe"+7D4FC3:
aobCheatName:
aobCheatName_r:
jmp lblCheatName
nop
nop
nop
nop
nop
lblCheatNameRet:
[DISABLE]
aobCheatName_r:
//"Game.exe"+7D4FC3:
//Alt: movss xmm3,[r12+0000034C]
//db F3 41 0F 10 9C 24 4C 03 00 00
readmem(aobCheatName_i,10)
unregistersymbol(aobCheatName_r)
unregistersymbol(aobCheatName_i)
unregistersymbol(bEnableCheatName)
dealloc(newmem)
predprey Master Cheater Reputation: 24
Joined: 08 Oct 2015 Posts: 486
Posted: Wed Sep 14, 2016 2:01 pm
Try adding this under myAOBInjectionTemplate.Templates. Don't forget to trim trailing spaces after copying (I use Notepad++ to do it); CEF adds blank spaces after each line.
EDIT: readmem() does not work for EIP/RIP relative addressing. Use mgr.inz's updated extension on the first page instead.
Last edited by predprey on Sat Sep 17, 2016 1:30 am; edited 7 times in total |
Csimbi I post too much Reputation: 94
Joined: 14 Jul 2007 Posts: 3108
Posted: Wed Sep 14, 2016 2:16 pm
That was quick, thanks!
But it'll miss the comments and the code will crash - it was really just a quick replace and keeping fingers crossed.
mgr.inz.Player will need to add new fields before it can be done correctly:
- original code in ASM, commented (may be multiple lines): //Alt: movss xmm3,[r12+0000034C]
- original code in byte code, comments: // db F3 41 0F 10 9C 24 4C 03 00 00
- number of bytes replaced during injection: readmem(aobCheatName,10)
- original hook, commented: //"Game.exe"+7D4FC3:
predprey Master Cheater Reputation: 24
Joined: 08 Oct 2015 Posts: 486
Posted: Wed Sep 14, 2016 2:40 pm
- Added support for referencing hooking point by module name+offset.
- Fixed error if <<INFO>> section is omitted.
- Merged mgr.inz's "jmp newmem/code" fix for beta CE 6.6.
- Added support for commented original code.
- To change comment prefix, search for this line:
Code:
local commentPrefix = '//Alt: '
New Keyword:
%injectAddress% - Hooking point copied from comments in the line below "INJECTING HERE".
%CoriginalCodeLines% - Commented original code.
EDIT: Outdated, download removed. Use mgr.inz's update from first post which has a new keyword, %reassembleReplacedInstructions% - adds 1 or more reassemble() lines for original code.
Last edited by predprey on Wed Jan 25, 2017 2:30 pm; edited 5 times in total |
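Added example (Python, written for this page rather than the extension's Lua) pulling together the keywords discussed across this thread: %replacedInstructionsSize% and the nop count behind it, %injectAddress% in both plain and "Module"+offset form, %CoriginalCodeLines% with the commentPrefix setting, %reassembleReplacedInstructions%, and a substitution step that reports a missing value instead of failing the way gsub(..., nil) did on the isModuleScan line above. The instruction tuples are copied from the CE listing earlier in the thread; the cut-down template, the %symbol% and %nops% names, the module base 0x03E80000 and the assumption that reassemble() takes the original address are constructed for the demo.

```python
import re

# Constructed sample, copied from the CE listing earlier in this thread: (address, bytes, asm).
INSNS = [
    (0x04659BA4, bytes.fromhex('8B4D10'), 'mov ecx,[ebp+10]'),
    (0x04659BA7, bytes.fromhex('8908'),   'mov [eax],ecx'),
    (0x04659BA9, bytes.fromhex('8B4330'), 'mov eax,[ebx+30]'),
    (0x04659BAC, bytes.fromhex('40'),     'inc eax'),
    (0x04659BAD, bytes.fromhex('894330'), 'mov [ebx+30],eax'),
    (0x04659BB0, bytes.fromhex('8D65F4'), 'lea esp,[ebp-0C]'),
]
JMP_SIZE = 5                 # the jmp written at the injection point
COMMENT_PREFIX = '//Alt: '   # the commentPrefix setting quoted in the thread

# Cut-down template in the extension's %keyword% style (constructed; %symbol% and %nops% are
# names assumed for this example, the rest are the keywords named in the thread).
TEMPLATE = """\
[ENABLE]
aobscan%isModuleScan%(%symbol%%CmoduleName%,%searchPattern%)
alloc(newmem,$1000)
label(return)
newmem:
%CoriginalCodeLines%
  jmp return
%symbol%:
  jmp newmem
%nops%
return:
registersymbol(%symbol%)

[DISABLE]
%symbol%:
%reassembleReplacedInstructions%
unregistersymbol(%symbol%)
dealloc(newmem)
// injection point %injectAddress%, %replacedInstructionsSize% bytes replaced
"""

def replaced(insns, inject_at):
    """Instructions the JMP_SIZE-byte jmp at inject_at overwrites (the rule behind
    %replacedInstructionsSize%: keep taking whole instructions until >= 5 bytes)."""
    idx = next(i for i, (a, _, _) in enumerate(insns) if a == inject_at)
    out, total = [], 0
    while total < JMP_SIZE:
        out.append(insns[idx + len(out)])
        total += len(out[-1][1])
    return out

def keywords(insns, inject_at, symbol, module=None):
    """Keyword values for one injection point. module is (name, base) or None, which is the
    no-module-addressing case that left isModuleScan nil in the original script."""
    idx = next(i for i, (a, _, _) in enumerate(insns) if a == inject_at)
    rep = replaced(insns, inject_at)
    size = sum(len(b) for _, b, _ in rep)
    name, base = module if module else (None, None)
    return {
        'symbol': symbol,
        'isModuleScan': 'module' if module else '',
        'CmoduleName': f',{name}' if module else '',
        'searchPattern': ' '.join(f'{x:02X}' for _, b, _ in insns[idx:] for x in b),
        'injectAddress': f'"{name}"+{inject_at - base:X}' if module else f'{inject_at:08X}',
        'replacedInstructionsSize': str(size),
        'CoriginalCodeLines': '\n'.join(COMMENT_PREFIX + asm for _, _, asm in rep),
        # assumption: reassemble() is given the original address of each overwritten instruction
        'reassembleReplacedInstructions': '\n'.join(f'  reassemble({a:08X})' for a, _, _ in rep),
        'nops': '\n'.join(['  nop'] * (size - JMP_SIZE)),
    }

KEYWORD_RE = re.compile(r'%(\w+)%')

def render(template, values):
    """Substitute %name% keywords. A missing value renders as '' and is reported back,
    instead of aborting; a line that holds only an empty keyword is dropped."""
    missing = set()
    def sub(m):
        v = values.get(m.group(1))
        if v is None:
            missing.add(m.group(1))
            return ''
        return v
    lines = []
    for line in template.splitlines():
        m = KEYWORD_RE.fullmatch(line.strip())
        if m and not values.get(m.group(1)):
            if m.group(1) not in values:
                missing.add(m.group(1))
            continue
        lines.append(KEYWORD_RE.sub(sub, line))
    return '\n'.join(lines) + '\n', missing

def render_like_gsub(template, values):
    """The original behaviour: str.replace() refuses a None value just as Lua's gsub
    refused nil ('bad argument #2'), so one absent keyword kills the whole template."""
    for k, v in values.items():
        template = template.replace(f'%{k}%', v)
    return template

def crashes_on_nil(values):
    try:
        render_like_gsub(TEMPLATE, values)
        return False
    except TypeError:
        return True

if __name__ == '__main__':
    text, missing = render(TEMPLATE, keywords(INSNS, 0x04659BA7, 'traits'))
    print(text, 'missing:', missing)
```

keywords() for the thread's own injection point yields 5 replaced bytes (89 08 8B 43 30), so no nops and a plain 04659BA7 hook; moving the hook to 04659BAC takes 7 bytes (40, 89 43 30, 8D 65 F4) and two nops. The crash-prone variant is kept only to show the failure mode; render() is the one to use.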
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Wed Sep 14, 2016 5:57 pm
Added %injectAddress% and Csimbi template (slightly modified).