Cheat Engine The Official Site of Cheat Engine
Jsk2003 (How do I cheat?)
Reputation: 0
Joined: 21 Aug 2018  Posts: 2
Posted: Tue Aug 28, 2018 12:40 pm  Post subject: Help in auto-copying/restoring base address with aobscan
Hello, I've spent the past three days googling so much that it's been calling me a bot.
I've got normal AOB injection working, but I'm having trouble making it into a script that never needs to be updated again for all future game versions of Kenshi.
I have a signature that in all versions always points to
mov rcx,[kenshi_x64.exe+????????]
488B0D********E8********48******E8********89842424070000
I'm trying to mark down the player base address + offset as seen in the first line here. It's always found here, but it changes depending on the version.
Quote:
kenshi_x64.exe+931A0A - 48 8B 0D 9FA2B601 - mov rcx,[kenshi_x64.exe+249BCB0]
kenshi_x64.exe+931A11 - E8 E5116FFF
kenshi_x64.exe+931A16 - 48 8B 48 78
kenshi_x64.exe+931A1A - E8 2F0C72FF
kenshi_x64.exe+931A1F - 89 84 24 24070000

Another version, "same" spot:
Quote:
kenshi_x64.exe+933BBA - 48 8B 0D FFC1B601 - mov rcx,[kenshi_x64.exe+249FDC0]
kenshi_x64.exe+933BC1 - E8 9BEE6EFF - call kenshi_x64.exe+22A61
kenshi_x64.exe+933BC6 - 48 8B 48 78 - mov rcx,[rax+78]
kenshi_x64.exe+933BCA - E8 30E971FF - call kenshi_x64.exe+524FF
kenshi_x64.exe+933BCF - 89 84 24 24070000 - mov [rsp+00000724],eax
Here is my auto-generated AOB injection script, which only works for a single version of the game. It injects just fine, and my addresses that are based off playerBase work fine.
Quote:
[ENABLE]
aobscanmodule(playerAOB,kenshi_x64.exe,488B0D********E8********48******E8********89842424070000)
registersymbol(playerAOB)
alloc(newmem,$1000,playerAOB)
globalalloc(playerBase,4)
label(code)
label(return)
newmem:
code:
mov rcx,[kenshi_x64.exe+249FDC0]
mov [playerBase],rcx
jmp return
playerAOB:
jmp newmem
nop
nop
return:
[DISABLE]
playerAOB:
db 48 8B 0D FF C1 B6 01
unregistersymbol(playerAOB)
dealloc(newmem)
I've tried many ways of readmem and reassemble, but nothing I do seems to accomplish my objective of copying the first line down for injection/restoration.
Here's some of my trash code that injects and assigns the symbol to playerAOB at least, but then crashes the game one second later. It's probably the 20th revision of trash upon trash, so really don't pay any attention to it.
Quote:
[ENABLE]
aobscanmodule(playerAOB,kenshi_x64.exe,488B0D********E8********48******E8********89842424070000)
registersymbol(playerAOB)
alloc(newmem,$1000,playerAOB)
globalalloc(_playerBase,4)
alloc(origbytes,7)
label(code)
label(return)
newmem:
origbytes:
readmem(playerAOB,7)
code:
reassemble(playerAOB)
mov [_playerBase],rcx
jmp return
playerAOB:
jmp newmem
nop
nop
return:
[DISABLE]
playerAOB:
readmem(origbytes,7)
unregistersymbol(playerAOB)
dealloc(origbytes)
dealloc(newmem)
So how can I make it so the script never needs to be updated again when the game patches and the base address that is [game.exe+offset] changes?
ParkourPenguin (I post too much)
Reputation: 152
Joined: 06 Jul 2014  Posts: 4719
Posted: Tue Aug 28, 2018 1:31 pm
That instruction is using RIP-relative addressing to specify the memory location. Copying the bytes won't help; that would give you the offset from the instruction pointer and not the actual address.
You could probably do this in pure AA if you wanted to, but you can also use Lua.
Code:
if targetIs64Bit() then
  local aobres = assert(AOBScan('48 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 48 78 E8 ?? ?? ?? ?? 89 84 24 24 07 00 00','+X-C'),
                        'aob not found')
  assert(aobres.Count == 1,'multiple aob results found')
  local addr = getAddress(aobres[0])
  aobres.destroy()
  if getAddressSafe'playerBase' then unregisterSymbol'playerBase' end
  registerSymbol('playerBase',('%08X'):format(addr+7+readInteger(addr+3, true)))
else
  -- handle 32-bit targets
end
_________________
I don't know where I'm going, but I'll figure it out when I get there.
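The arithmetic behind `addr+7+readInteger(addr+3, true)` in the answer above, as an added worked example that is not code from the thread or from Cheat Engine: it decodes the signed 32-bit displacement of a `mov rcx,[rip+disp32]` instruction against the address of the following instruction, runs the two listings quoted in the thread through it (both sample byte strings are constructed from those listings), and shows why copying the seven bytes verbatim into a code cave at a different address silently changes where the instruction reads from. The cave address `0xA00000` is a hypothetical value chosen for illustration; `encode_rip_relative` is the inverse operation for reference.

```python
import struct

# Opcode prefix of `mov rcx,[rip+disp32]`: REX.W (48), MOV r64,r/m64 (8B),
# ModRM 0D = reg field rcx, mod 00 with r/m 101 = RIP-relative disp32.
MOV_RCX_RIP_REL = bytes.fromhex("488B0D")
INSN_LEN = 7  # 3 opcode/ModRM bytes + 4-byte displacement

# Constructed sample input: the first instruction of each listing quoted in the
# thread, keyed by its module-relative address (kenshi_x64.exe+...).
SAMPLES = {
    0x931A0A: bytes.fromhex("488B0D9FA2B601"),
    0x933BBA: bytes.fromhex("488B0DFFC1B601"),
}


def decode_rip_relative(insn_addr: int, insn: bytes) -> int:
    """Resolve the memory operand of a `mov rcx,[rip+disp32]` located at insn_addr.

    The CPU adds the signed disp32 to the address of the *next* instruction,
    which is exactly what `addr + 7 + readInteger(addr+3, true)` does in Lua.
    """
    if len(insn) < INSN_LEN or insn[:3] != MOV_RCX_RIP_REL:
        raise ValueError("not a mov rcx,[rip+disp32] instruction")
    (disp,) = struct.unpack_from("<i", insn, 3)  # little-endian, signed
    return insn_addr + INSN_LEN + disp


def encode_rip_relative(insn_addr: int, target: int) -> bytes:
    """Inverse operation: the instruction bytes that reach `target` from insn_addr."""
    disp = target - (insn_addr + INSN_LEN)
    if not -2**31 <= disp < 2**31:
        raise ValueError("target not reachable with a 32-bit displacement")
    return MOV_RCX_RIP_REL + struct.pack("<i", disp)


def relocated_target(insn: bytes, new_addr: int) -> int:
    """Where the same bytes would read from if copied verbatim to new_addr.

    This is what a readmem/reassemble copy into a cave does implicitly: the
    displacement is unchanged, so the operand slides by (new_addr - original).
    """
    return decode_rip_relative(new_addr, insn)


def resolve_all(samples=SAMPLES) -> dict:
    """Map each sample instruction address to the module-relative base it references."""
    return {addr: decode_rip_relative(addr, insn) for addr, insn in samples.items()}


if __name__ == "__main__":
    for addr, base in resolve_all().items():
        print(f"kenshi_x64.exe+{addr:X} -> mov rcx,[kenshi_x64.exe+{base:X}]")
    cave = 0xA00000  # hypothetical code-cave address, constructed for illustration
    moved = relocated_target(SAMPLES[0x931A0A], cave)
    print(f"same bytes copied to +{cave:X} would read from +{moved:X} instead")
```

Both listings resolve to the `[kenshi_x64.exe+...]` operand shown in their own disassembly (`+249BCB0` and `+249FDC0`), which is what makes the Lua approach version-independent: the scan finds the instruction, the decode step recovers the absolute operand, and nothing depends on a hard-coded offset.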
Jsk2003 (How do I cheat?)
Reputation: 0
Joined: 21 Aug 2018  Posts: 2
Posted: Tue Aug 28, 2018 3:35 pm
Thank you, it works like a charm!
I've just added it to an auto asm script between the enable/disable (with the obvious {$lua} and {$asm} ) and repeated that "if symbol of base already exists then unregister symbol" for the disable.
It does its job and works across both versions I have of Kenshi... so thank you!
For those curious:
Code:
[ENABLE]
{$lua}
if targetIs64Bit() then
  local aobres = assert(AOBScan('48 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 48 78 E8 ?? ?? ?? ?? 89 84 24 24 07 00 00','+X-C'),
                        'aob not found')
  assert(aobres.Count == 1,'multiple aob results found')
  local addr = getAddress(aobres[0])
  aobres.destroy()
  if getAddressSafe'playerBase' then unregisterSymbol'playerBase' end
  registerSymbol('playerBase',('%08X'):format(addr+7+readInteger(addr+3, true)))
else
  -- handle 32-bit targets
end
{$asm}
[DISABLE]
{$lua}
if getAddressSafe'playerBase' then unregisterSymbol'playerBase' end
{$asm}