Cheat Engine The Official Site of Cheat Engine
JohannesJoestar Advanced Cheater
Reputation: 0
Joined: 01 Nov 2015 Posts: 79
Posted: Sun Apr 24, 2016 6:14 am Post subject: Script crashing game
Hey.
So in this game all players heal 1 hitpoint every second. A shared opcode manages this healing function. This is the best option for me to get the player base and populate some addresses on the cheat table. So I wrote a script:
Code:
{ Game : lf2.exe
Version:
Date : 2016-04-24
Author : Vincent
This script does blah blah blah
}
[ENABLE]
aobscanmodule(LOUIS,lf2.exe,83 80 FC 02 00 00 01) // should be unique
alloc(newmem,$1000)
globalalloc(player1,4)
globalalloc(player2,4)
globalalloc(player3,4)
globalalloc(player4,4)
globalalloc(player5,4)
globalalloc(player6,4)
globalalloc(player7,4)
globalalloc(player8,4)
label(code)
label(return)
label(player1)
label(player2)
label(player3)
label(player4)
label(player5)
label(player6)
label(player7)
label(player8)
newmem:
cmp dword ptr [eax+354],10
je player1
cmp dword ptr [eax+354],11
je player2
cmp dword ptr [eax+354],2
je player3
cmp dword ptr [eax+354],13
je player4
cmp dword ptr [eax+354],14
je player5
cmp dword ptr [eax+354],15
je player6
cmp dword ptr [eax+354],16
je player7
cmp dword ptr [eax+354],17
je player8
jmp code
player1:
push edx
mov edx,eax
mov [player1],edx
pop edx
jmp code
player2:
push edx
mov edx,eax
mov [player2],edx
pop edx
jmp code
player3:
push edx
mov edx,eax
mov [player3],edx
pop edx
jmp code
player4:
push edx
mov edx,eax
mov [player4],edx
pop edx
jmp code
player5:
push edx
mov edx,eax
mov [player5],edx
pop edx
jmp code
player6:
push edx
mov edx,eax
mov [player6],edx
pop edx
jmp code
player7:
push edx
mov edx,eax
mov [player7],edx
pop edx
jmp code
player8:
push edx
mov edx,eax
mov [player8],edx
pop edx
code:
add dword ptr [eax+000002FC],01
jmp return
LOUIS:
jmp newmem
nop
nop
return:
registersymbol(LOUIS)
[DISABLE]
LOUIS:
db 83 80 FC 02 00 00 01
unregistersymbol(LOUIS)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "lf2.exe"+1FA79
"lf2.exe"+1FA4B: 8B 88 68 03 00 00 - mov ecx,[eax+00000368]
"lf2.exe"+1FA51: 83 B9 F8 06 00 00 00 - cmp dword ptr [ecx+000006F8],00
"lf2.exe"+1FA58: 0F 85 4A 01 00 00 - jne lf2.exe+1FBA8
"lf2.exe"+1FA5E: 8B 88 FC 02 00 00 - mov ecx,[eax+000002FC]
"lf2.exe"+1FA64: 85 C9 - test ecx,ecx
"lf2.exe"+1FA66: 7E 18 - jle lf2.exe+1FA80
"lf2.exe"+1FA68: 3B 88 00 03 00 00 - cmp ecx,[eax+00000300]
"lf2.exe"+1FA6E: 7D 10 - jnl lf2.exe+1FA80
"lf2.exe"+1FA70: 83 3D D0 0B 45 00 00 - cmp dword ptr [lf2.exe+50BD0],00
"lf2.exe"+1FA77: 75 07 - jne lf2.exe+1FA80
// ---------- INJECTING HERE ----------
"lf2.exe"+1FA79: 83 80 FC 02 00 00 01 - add dword ptr [eax+000002FC],01
// ---------- DONE INJECTING ----------
"lf2.exe"+1FA80: 8B B4 BB 94 01 00 00 - mov esi,[ebx+edi*4+00000194]
"lf2.exe"+1FA87: 83 BE 20 03 00 00 00 - cmp dword ptr [esi+00000320],00
"lf2.exe"+1FA8E: 0F 8D 90 00 00 00 - jnl lf2.exe+1FB24
"lf2.exe"+1FA94: 83 3D D0 0B 45 00 00 - cmp dword ptr [lf2.exe+50BD0],00
"lf2.exe"+1FA9B: 0F 85 83 00 00 00 - jne lf2.exe+1FB24
"lf2.exe"+1FAA1: 83 BE 40 03 00 00 00 - cmp dword ptr [esi+00000340],00
"lf2.exe"+1FAA8: B9 09 00 00 00 - mov ecx,00000009
"lf2.exe"+1FAAD: 7E 0E - jle lf2.exe+1FABD
"lf2.exe"+1FAAF: B8 84 03 00 00 - mov eax,00000384
"lf2.exe"+1FAB4: 99 - cdq
}
It was working fine with just 1 player, but this one with 8 players is not working. It crashes the game.
Any ideas or suggestions?
Cake-san Grandmaster Cheater
Reputation: 8
Joined: 18 Dec 2014 Posts: 541 Location: Semenanjung
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4711
Posted: Sun Apr 24, 2016 9:03 am Post subject:
Use a breakpoint to figure out when exactly it crashes.
Pause the process using the Advanced Options window (bottom left of main window), enable the script, go to the registered symbol LOUIS, set a breakpoint at that jump, run the game, and step into that asm when the breakpoint triggers. If nothing crashes in that iteration, then let it run and check the next. When it does crash, figure out why. Look at the instruction it was trying to execute, the registers, the stack... whatever.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
JohannesJoestar Advanced Cheater
Reputation: 0
Joined: 01 Nov 2015 Posts: 79
Posted: Sun Apr 24, 2016 9:32 am Post subject:
Cake-san wrote:
You can try shortening your script by eliminating that push edx, copying eax to edx and pop edx, e.g.:
mov [player1],eax
jmp code
If that doesn't change anything, you can revamp the script by making the injection at 2 points, or just make 2 scripts. The first point is the base script, for which you have to go a little deeper. The base needs to be connected to all player-related variables. Then the other point is the instruction that accesses every player's health, so you can do anything you want with it, which is what you are doing right now.
Yeah, I just realised that I don't need to use the stack, thanks!
ParkourPenguin wrote:
Use a breakpoint to figure out when exactly it crashes.
Pause the process using the Advanced Options window (bottom left of main window), enable the script, go to the registered symbol LOUIS, set a breakpoint at that jump, run the game, and step into that asm when the breakpoint triggers. If nothing crashes in that iteration, then let it run and check the next. When it does crash, figure out why. Look at the instruction it was trying to execute, the registers, the stack... whatever.
Oookaay... so I did what you told me to try and I found what's causing the crash... Please examine the following images.
Thanks again for your time!
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4711
Posted: Sun Apr 24, 2016 9:42 am Post subject:
Oh. Right. How did I not notice that...
Assume your code jumped to this small block:
Code:
player4:
push edx
mov edx,eax
mov [player4],edx
pop edx
jmp code
Now just look at what this does. Specifically the line mov [player4],edx. player4 is defined to be the address where that code starts. If you store edx into the address of player4, then your code will modify itself, resulting in the garbage you see in the disassembler.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
JohannesJoestar Advanced Cheater
Reputation: 0
Joined: 01 Nov 2015 Posts: 79
Posted: Sun Apr 24, 2016 9:46 am Post subject:
ParkourPenguin wrote:
Oh. Right. How did I not notice that...
Assume your code jumped to this small block:
Code:
player4:
push edx
mov edx,eax
mov [player4],edx
pop edx
jmp code
Now just look at what this does. Specifically the line mov [player4],edx. player4 is defined to be the address where that code starts. If you store edx into the address of player4, then your code will modify itself, resulting in the garbage you see in the disassembler.
So since I saw that I could remove the push/pop, the script is now this:
Code:
{ Game : lf2.exe
Version:
Date : 2016-04-24
Author : Vincent
This script does blah blah blah
}
[ENABLE]
aobscanmodule(LOUIS,lf2.exe,83 80 FC 02 00 00 01) // should be unique
alloc(newmem,$1000)
globalalloc(player1,4)
globalalloc(player2,4)
globalalloc(player3,4)
globalalloc(player4,4)
globalalloc(player5,4)
globalalloc(player6,4)
globalalloc(player7,4)
globalalloc(player8,4)
label(code)
label(return)
label(player1)
label(player2)
label(player3)
label(player4)
label(player5)
label(player6)
label(player7)
label(player8)
newmem:
cmp dword ptr [eax+354],A
je player1
cmp dword ptr [eax+354],B
je player2
cmp dword ptr [eax+354],2
je player3
cmp dword ptr [eax+354],D
je player4
cmp dword ptr [eax+354],E
je player5
cmp dword ptr [eax+354],F
je player6
cmp dword ptr [eax+354],10
je player7
cmp dword ptr [eax+354],11
je player8
jmp code
player1:
mov [player1],eax
jmp code
player2:
mov [player2],eax
jmp code
player3:
mov [player3],eax
jmp code
player4:
mov [player4],eax
jmp code
player5:
mov [player5],eax
jmp code
player6:
mov [player6],eax
jmp code
player7:
mov [player7],eax
jmp code
player8:
mov [player8],eax
code:
add dword ptr [eax+000002FC],01
jmp return
LOUIS:
jmp newmem
nop
nop
return:
registersymbol(LOUIS)
[DISABLE]
LOUIS:
db 83 80 FC 02 00 00 01
unregistersymbol(LOUIS)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "lf2.exe"+1FA79
"lf2.exe"+1FA4B: 8B 88 68 03 00 00 - mov ecx,[eax+00000368]
"lf2.exe"+1FA51: 83 B9 F8 06 00 00 00 - cmp dword ptr [ecx+000006F8],00
"lf2.exe"+1FA58: 0F 85 4A 01 00 00 - jne lf2.exe+1FBA8
"lf2.exe"+1FA5E: 8B 88 FC 02 00 00 - mov ecx,[eax+000002FC]
"lf2.exe"+1FA64: 85 C9 - test ecx,ecx
"lf2.exe"+1FA66: 7E 18 - jle lf2.exe+1FA80
"lf2.exe"+1FA68: 3B 88 00 03 00 00 - cmp ecx,[eax+00000300]
"lf2.exe"+1FA6E: 7D 10 - jnl lf2.exe+1FA80
"lf2.exe"+1FA70: 83 3D D0 0B 45 00 00 - cmp dword ptr [lf2.exe+50BD0],00
"lf2.exe"+1FA77: 75 07 - jne lf2.exe+1FA80
// ---------- INJECTING HERE ----------
"lf2.exe"+1FA79: 83 80 FC 02 00 00 01 - add dword ptr [eax+000002FC],01
// ---------- DONE INJECTING ----------
"lf2.exe"+1FA80: 8B B4 BB 94 01 00 00 - mov esi,[ebx+edi*4+00000194]
"lf2.exe"+1FA87: 83 BE 20 03 00 00 00 - cmp dword ptr [esi+00000320],00
"lf2.exe"+1FA8E: 0F 8D 90 00 00 00 - jnl lf2.exe+1FB24
"lf2.exe"+1FA94: 83 3D D0 0B 45 00 00 - cmp dword ptr [lf2.exe+50BD0],00
"lf2.exe"+1FA9B: 0F 85 83 00 00 00 - jne lf2.exe+1FB24
"lf2.exe"+1FAA1: 83 BE 40 03 00 00 00 - cmp dword ptr [esi+00000340],00
"lf2.exe"+1FAA8: B9 09 00 00 00 - mov ecx,00000009
"lf2.exe"+1FAAD: 7E 0E - jle lf2.exe+1FABD
"lf2.exe"+1FAAF: B8 84 03 00 00 - mov eax,00000384
"lf2.exe"+1FAB4: 99 - cdq
}
The images are from this script running.
Just letting you know, in case that changes anything. If not, how do I fix what you mentioned?
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4711
Posted: Sun Apr 24, 2016 9:53 am Post subject:
...don't use self-modifying code. Store the values somewhere else in that memory block. For example, after the jump out of your code.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
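Editor's note: the following is a corrected version of the script, added to this thread as an example; it is not the poster's script and not code from the Cheat Engine project. It applies the advice above. The `je` targets get their own names (`store1` to `store8`, chosen here), and the eight pointers are kept in a `players` table (also a name chosen here) placed after the `jmp return`, so that part of `newmem` holds data and is never executed. In the posted script, `label(player4)` redefined the symbol that `globalalloc(player4,4)` had created, so `mov [player4],eax` wrote 4 bytes over the instructions at `player4:`. The comparison values are copied from the posted script (hexadecimal, as Cheat Engine's auto assembler reads numbers by default), including the `2` for player3 exactly as posted.

```asm
{ Game : lf2.exe
  Added example for this thread: jump labels and pointer storage have different names,
  so the stores can no longer land on the code itself.
}
[ENABLE]
aobscanmodule(LOUIS,lf2.exe,83 80 FC 02 00 00 01) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
// jump targets (names chosen for this example)
label(store1)
label(store2)
label(store3)
label(store4)
label(store5)
label(store6)
label(store7)
label(store8)
// pointer table (name chosen for this example); one 4-byte cell per player
label(players)
registersymbol(players)

newmem:
// player id read from [eax+354]; values copied from the posted script
cmp dword ptr [eax+354],A
je store1
cmp dword ptr [eax+354],B
je store2
cmp dword ptr [eax+354],2
je store3
cmp dword ptr [eax+354],D
je store4
cmp dword ptr [eax+354],E
je store5
cmp dword ptr [eax+354],F
je store6
cmp dword ptr [eax+354],10
je store7
cmp dword ptr [eax+354],11
je store8
jmp code

store1:
mov [players+00],eax   // writes into the data table below, not into this code
jmp code
store2:
mov [players+04],eax
jmp code
store3:
mov [players+08],eax
jmp code
store4:
mov [players+0C],eax
jmp code
store5:
mov [players+10],eax
jmp code
store6:
mov [players+14],eax
jmp code
store7:
mov [players+18],eax
jmp code
store8:
mov [players+1C],eax

code:
add dword ptr [eax+000002FC],01   // the original instruction
jmp return

// data area: placed after the jump out of newmem, so it is never executed
players:
dd 0 0 0 0 0 0 0 0

LOUIS:
jmp newmem
nop
nop
return:
registersymbol(LOUIS)

[DISABLE]
LOUIS:
db 83 80 FC 02 00 00 01
unregistersymbol(LOUIS)
unregistersymbol(players)
dealloc(newmem)
```

In the cheat table the pointers are then addressed as `players`, `players+4`, ... `players+1C` (4-byte pointers, since lf2.exe is a 32-bit process, as the eax/ecx registers in the posted disassembly show). Keeping the original `globalalloc(player1,4)` cells would work just as well, provided the `label()` names differ from the allocation names. The [DISABLE] section unregisters the table before `dealloc(newmem)` so the cheat table does not keep a symbol that points into freed memory.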
 |
JohannesJoestar Advanced Cheater
Reputation: 0
Joined: 01 Nov 2015 Posts: 79
Posted: Sun Apr 24, 2016 10:03 am Post subject:
ParkourPenguin wrote:
...don't use self-modifying code. Store the values somewhere else in that memory block. For example, after the jump out of your code.
oh wow.
Yeah okay I got what you mean by self-modifying code. Can't believe I gave allocations and labels the same name. Script is working great now.
Thanks everyone for your time!