The Official Site of Cheat Engine
[CE] Trying to Execute an Assembly / Making a Code Injection

 
Cheat Engine Forum Index -> General Gamehacking
WTa
How do I cheat?
Reputation: 0

Joined: 20 Jan 2018
Posts: 6

PostPosted: Sat Jan 20, 2018 7:09 pm    Post subject: [CE] Trying to Execute an Assembly / Making a Code Injection

I'll try to explain what I'm trying to do actually. Hope you understand and find a great solution to my problem.

I'm currently using Terraria's Singleplayer mode for testing. It's for testing purposes only, to learn how to call game functions. I want to call a function that increases a Dirt Block by 1. Later on I'm gonna try to change these values with a different item without "recording" all of this again for each different item.

1. I have 116 Dirt Blocks.
2. I scan for 116 as a "4 Bytes" value.
3. I take one out of the stack so I have 115 Dirt Blocks.
4. I scan again, but now for 115 as a "4 Bytes" value.
5. I find the address which is correct for Dirt Block. It's not a pointer address, but I don't care about that for now.
6. I right click the address and choose to see what accesses this address.
7. I see that there are some things accessing this address and the count is increasing quickly. I guess it's the "tickrate" of the game that is running.
8. I mine one Dirt Block to see which part runs when I mine it. I get FOUR instructions with a count of (1). So basically these will be the functions that access it.

Line 1: 295A3444 - 8B B9 80000000 - mov edi,[ecx+00000080]
Line 2: 295A34F7 - 8B B9 80000000 - mov edi,[ecx+00000080]
Line 3: 295A3512 - 01 81 80000000 - add [ecx+00000080],eax
Line 4: 295A2F32 - 83 BE 80000000 64 - cmp dword ptr [esi+00000080],64

Line 1:
Code:
295A343A - 83 79 6C 00 - cmp dword ptr [ecx+6C],00
295A343E - 0F8E CC010000 - jng Terraria.Player::GetItem+2F8
295A3444 - 8B B9 80000000  - mov edi,[ecx+00000080] <<
295A344A - 8B 91 84000000  - mov edx,[ecx+00000084]
295A3450 - 3B FA  - cmp edi,edx


Line 2:
Code:
295A34ED - 0F83 78040000 - jae Terraria.Player::GetItem+653
295A34F3 - 8B 4C 91 08  - mov ecx,[ecx+edx*4+08]
295A34F7 - 8B B9 80000000  - mov edi,[ecx+00000080] <<
295A34FD - 03 C7  - add eax,edi
295A34FF - 8B 91 84000000  - mov edx,[ecx+00000084]


Line 3:
Code:
295A3509 - 8B 45 DC  - mov eax,[ebp-24]
295A350C - 8B 80 80000000  - mov eax,[eax+00000080]
295A3512 - 01 81 80000000  - add [ecx+00000080],eax <<
295A3518 - 0FB6 45 08  - movzx eax,byte ptr [ebp+08]
295A351C - 85 C0  - test eax,eax


Line 4:
Code:
295A2F28 - 0F83 E7000000 - jae Terraria.Player::DoCoins+105
295A2F2E - 8B 74 86 08  - mov esi,[esi+eax*4+08]
295A2F32 - 83 BE 80000000 64 - cmp dword ptr [esi+00000080],64 <<
295A2F39 - 0F85 D0000000 - jne Terraria.Player::DoCoins+FF
295A2F3F - 8B 56 6C  - mov edx,[esi+6C]


If I select "Line 3", which "adds" one to the count, and click "Show disassembler", it brings up the disassembler at that address.

I see line:
Code:
Terraria.Player::GetItem+1FA - 01 81 80000000        - add [ecx+00000080],eax


I open the auto-assembler with CTRL-A and choose "Template -> Code Injection", and then I see:
Code:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:
add [ecx+00000080],eax

exit:
jmp returnhere

Terraria.Player::GetItem+1FA:
jmp newmem
nop
returnhere:


I edit the code (I copy the original into newmem):
Code:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
add [ecx+00000080],eax

originalcode:
add [ecx+00000080],eax

exit:
jmp returnhere

Terraria.Player::GetItem+1FA:
jmp newmem
nop
returnhere:


I execute it and go to the location of the new "code cave" I created. I select the starting address and create a thread from that address.

After that the game crashes. What should I actually take notice of when I try to execute this assembly?
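Steps 1-5 of the post above as a worked example (added here; this is not Cheat Engine's code): a first "4 Bytes" scan over a constructed memory image for 116, then a next scan that keeps only those candidates which now hold 115. The base address, the memory contents and the positions of the "tick counter" and the dirt count are all made up for the demo.

```python
"""Toy model of the value-scan narrowing in steps 1-5 of the post above.  This is
an added example, not Cheat Engine's code; the memory image, its base address and
the positions of the "tick counter" and "dirt count" are all constructed."""
import struct

BASE = 0x00400000   # constructed base address of the scanned region


def snapshot(values):
    """Pack a list of 32-bit ints as a little-endian memory image (a stand-in
    for a region read out of the target process)."""
    return b"".join(struct.pack("<i", v) for v in values)


def first_scan(image, value, base=BASE):
    """Initial '4 Bytes' scan: every 4-byte-aligned address whose dword == value.
    Expect many hits, since any counter that happens to equal `value` matches."""
    return [base + off for off in range(0, len(image) - 3, 4)
            if struct.unpack_from("<i", image, off)[0] == value]


def next_scan(image, candidates, value, base=BASE):
    """'Next scan': keep only earlier candidates that now hold `value`.
    Addresses that were never candidates are not reconsidered, which is what
    lets the second value discard coincidental first-scan hits."""
    return [a for a in candidates
            if struct.unpack_from("<i", image, a - base)[0] == value]


# Constructed memory: index 1 is a per-tick counter that happened to read 116,
# index 3 an unrelated constant 116, index 5 an unrelated value that was
# already 115, and index 6 the dirt-block count we are after.
BEFORE = snapshot([0, 116, 42, 116, 7, 115, 116, 999])   # holding 116 dirt
AFTER = snapshot([0, 117, 42, 116, 7, 115, 115, 999])    # after dropping one block


def find_dirt_count():
    """Run the two-step scan from the post and return the surviving addresses."""
    candidates = first_scan(BEFORE, 116)       # 3 hits: indices 1, 3, 6
    return next_scan(AFTER, candidates, 115)   # only index 6 survives


if __name__ == "__main__":
    print("first scan hits:", [f"{a:#010x}" for a in first_scan(BEFORE, 116)])
    for addr in find_dirt_count():
        print(f"dirt block count lives at {addr:#010x}")
```

The point of the second function is that it filters the earlier candidate list rather than rescanning all of memory: the value at index 5 was already 115 before the block was mined, so it would pollute a fresh scan for 115, but it never entered the candidate list and so cannot survive the next scan.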
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1587

PostPosted: Sat Jan 20, 2018 7:18 pm

this is not the right way to use the createthread function, that's why it's gonna crash.

WTa wrote:
I want to call a function that increases a Dirt Block by 1.

Code:
newmem:
inc eax

originalcode:
add [ecx+00000080],eax

; ...

beware that if this instruction is used to add and subtract by simply adding positive / negative values, then this is not a perfect solution.

_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
i am a sweetheart.
WTa
How do I cheat?
Reputation: 0

Joined: 20 Jan 2018
Posts: 6

PostPosted: Sat Jan 20, 2018 7:32 pm

OldCheatEngineUser wrote:
this is not the right way to use the createthread function, that's why it's gonna crash.

WTa wrote:
I want to call a function that increases a Dirt Block by 1.

Code:
newmem:
inc eax

originalcode:
add [ecx+00000080],eax

; ...

beware that if this instruction is used to add and subtract by simply adding positive / negative values, then this is not a perfect solution.


Does it replace the current original code with this in the place where it currently is, or can I simply run this kind of thread to increase its value by spamming it?

My end/final goal is to execute assembly such that it adds the item to my inventory (whether it was there or not) by pressing one button in my external application, but at this stage of learning I'm trying to do simple things.
TheyCallMeTim13
Wiki Contributor
Reputation: 50

Joined: 24 Feb 2017
Posts: 976
Location: Pluto

PostPosted: Sat Jan 20, 2018 7:41 pm    This post has 1 review(s)

When you use code injections, you are using the game's threads, not your own. By calling a thread on it, it runs your code with empty registers and crashes (or would run until it hits a RET (return)).

The code injection you made only runs when you increase the value, and what OldCheatEngineUser gave you just INCs (increases) the value by 1.

To call a game function you are going to have to do a little to a lot of reversing to figure out what parameters it needs to run. Plus you have to find the start of the function, not some random spot in the middle of the code.

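A toy emulation, added here as an example (it is not Cheat Engine's, Terraria's or any poster's code), of why the hook behaves the way TheyCallMeTim13 and OldCheatEngineUser describe: the instructions in newmem run only when the game's own thread reaches GetItem+1FA with ecx pointing at the item stack and eax holding the delta; a thread created at the code cave starts with zeroed registers, so [ecx+00000080] is address 0x80 and the access faults; and `inc eax` turns a delta of -1 into 0, which is the caveat about one instruction doing both add and subtract. NEWMEM, OBJECT_BASE, the fake item-stack object and the five-opcode instruction set are assumptions; the instruction lengths follow the byte encodings listed in the post (the 6-byte add, the 5-byte jmp plus nop, the 1-byte inc).

```python
"""Toy emulation of the auto-assembler hook discussed in this thread.  This is an
added example, not Cheat Engine's, Terraria's or any poster's code.  The
instruction set is a five-opcode stand-in for x86; NEWMEM, OBJECT_BASE and the
fake item-stack object are constructed.  Instruction lengths match the real
encodings: add [ecx+80],eax is 6 bytes, jmp rel32 is 5, inc eax and nop are 1."""

MASK = 0xFFFFFFFF
ITEM_COUNT_OFFSET = 0x80        # field touched by `add [ecx+00000080],eax` in the thread
INJECT_SITE = 0x295A3512        # Terraria.Player::GetItem+1FA as listed in the post
NEWMEM = 0x10000000             # assumed address returned by alloc(newmem,2048)
OBJECT_BASE = 0x02000000        # assumed address of the item-stack object ecx points at
LENGTH = {"inc": 1, "add_mem": 6, "nop": 1, "jmp": 5, "ret": 1}


class Fault(Exception):
    """Access to memory that was never mapped (what becomes the crash)."""


class Machine:
    def __init__(self, data):
        self.mem = dict(data)                        # sparse: address -> 32-bit value
        self.regs = {"eax": 0, "ecx": 0, "eip": 0}   # fresh thread: everything zero

    def load(self, addr):
        if addr not in self.mem:
            raise Fault(f"read from unmapped address {addr:#010x}")
        return self.mem[addr]

    def store(self, addr, value):
        if addr not in self.mem:
            raise Fault(f"write to unmapped address {addr:#010x}")
        self.mem[addr] = value & MASK


def to_signed(v):
    return v - (1 << 32) if v & 0x80000000 else v


def build_code(hooked):
    """The injection site, before and after the auto-assembler script is applied."""
    code = {INJECT_SITE: ("add_mem", "ecx", ITEM_COUNT_OFFSET, "eax"),
            INJECT_SITE + 6: ("ret",)}   # stands in for the rest of GetItem (returnhere)
    if hooked:
        # `jmp newmem` (5 bytes) plus `nop` overwrite the 6-byte add, as in the template
        code[INJECT_SITE] = ("jmp", NEWMEM)
        code[INJECT_SITE + 5] = ("nop",)           # never reached; pads the patched site
        # newmem: OldCheatEngineUser's `inc eax`, then originalcode, then `jmp returnhere`
        code[NEWMEM] = ("inc", "eax")
        code[NEWMEM + 1] = ("add_mem", "ecx", ITEM_COUNT_OFFSET, "eax")
        code[NEWMEM + 7] = ("jmp", INJECT_SITE + 6)
    return code


def run(machine, code, start, max_steps=50):
    """Execute from `start` until RET; faults on any unmapped fetch or access."""
    r = machine.regs
    r["eip"] = start
    for _ in range(max_steps):
        if r["eip"] not in code:
            raise Fault(f"fetch from unmapped address {r['eip']:#010x}")
        op, *args = code[r["eip"]]
        if op == "inc":
            r[args[0]] = (r[args[0]] + 1) & MASK
        elif op == "add_mem":                      # add [base+offset], src
            base, offset, src = args
            addr = (r[base] + offset) & MASK
            machine.store(addr, machine.load(addr) + r[src])
        elif op == "jmp":
            r["eip"] = args[0]
            continue
        elif op == "ret":
            return r
        r["eip"] += LENGTH[op]                     # inc, add_mem, nop fall through
    raise Fault("step limit reached")


def game_thread_reaches_site(count, delta, hooked):
    """The game's own thread arriving at GetItem+1FA with ecx -> item stack and
    eax = delta (the only time injected code runs).  Returns the new count."""
    m = Machine({OBJECT_BASE + ITEM_COUNT_OFFSET: count & MASK})
    m.regs.update(ecx=OBJECT_BASE, eax=delta & MASK)
    run(m, build_code(hooked), INJECT_SITE)
    return to_signed(m.load(OBJECT_BASE + ITEM_COUNT_OFFSET))


def create_thread_at(start):
    """What 'create thread' on the code cave does: a new thread with zeroed
    registers, so ecx+0x80 is address 0x80.  Returns the fault text."""
    m = Machine({OBJECT_BASE + ITEM_COUNT_OFFSET: 116})
    try:
        run(m, build_code(hooked=True), start)
    except Fault as e:
        return str(e)
    return "no fault"


if __name__ == "__main__":
    print("unhooked, +1:", game_thread_reaches_site(116, 1, hooked=False))
    print("hooked,   +1:", game_thread_reaches_site(116, 1, hooked=True))
    print("unhooked, -1:", game_thread_reaches_site(116, -1, hooked=False))
    print("hooked,   -1:", game_thread_reaches_site(116, -1, hooked=True))
    print("thread at newmem:", create_thread_at(NEWMEM))
```

Running it shows the three behaviours in one place: the hooked path turns a +1 into +2 (118), a -1 becomes 0 and the stack stays at 116, and starting a fresh thread at newmem faults on the first memory access because nothing loaded ecx.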
WTa
How do I cheat?
Reputation: 0

Joined: 20 Jan 2018
Posts: 6

PostPosted: Sun Jan 21, 2018 6:38 am

TheyCallMeTim13 wrote:
When you use code injections, you are using the game's threads, not your own. By calling a thread on it, it runs your code with empty registers and crashes (or would run until it hits a RET (return)).

The code injection you made only runs when you increase the value, and what OldCheatEngineUser gave you just INCs (increases) the value by 1.

To call a game function you are going to have to do a little to a lot of reversing to figure out what parameters it needs to run. Plus you have to find the start of the function, not some random spot in the middle of the code.


Thank you for explaining. Now I got it.