Cheat Engine The Official Site of Cheat Engine
Hugo_the_Dwarf Newbie cheater Reputation: 0
Joined: 17 Apr 2019 Posts: 13
Posted: Wed Apr 17, 2019 9:44 pm Post subject: Auto Assembly Code Hard Crashing Game When Injected Code Run |
Hey, so I'm just trying my hand at some code injection with some minor logic. I've already had fun with the whole "replace code with code that does nothing", but for this game, "Dead Effect 2", something like No Reload also means that if the gun has nothing loaded in the chamber it reloads until my spare ammo is also gone.
NOTE: I'm not an expert with assembler, but I am looking things up as I go.
So I tried to inject this code:
Code:
code:
cmp eax,[esi+00000080]   // eax = value the game is about to store; [esi+80] = the field picked as max loadable ammo
jnl DoNothing            // already at or above that value: store eax unchanged
mov eax,[esi+00000080]   // otherwise top it back up to [esi+80]
mov [esi+000000C0],eax   // the original instruction at the injection point
jmp return
DoNothing:
mov [esi+000000C0],eax   // original instruction, unchanged value
jmp return
I think it's crashing because I'm trying to access [esi+80]. Here is a screenshot of why I picked esi+80, as these data structures are what is loaded into esi:
imgur(dot)com /hk6ICs8.png
What the memory view of the code (before injection) looks like:
i.imgur(dot)com /PRpG4WQ.png
EDIT to include fix:
sbryzl noticed a bad memory jump in the "return" portion of the code I was injecting (see below): jmp NeverUseAmmo, which was going to the wrong place. It should have been jmp NeverUseAmmoMem (my new code location).
ParkourPenguin gave some valuable AOB search suggestions, and "homework" that I should have done.
EDIT2: I had to make some changes to the code, as it stopped loading into a map, so I had to find a value that was shared between equipment addresses (grenades, guns) and check it before checking whether the current ammo is less than the max loadable ammo.
Code:
[ENABLE]
aobscan(NeverUseAmmo,?? 8B ?? ?? 83 ?? ?? 8B ?? ?? 8B ?? ?? 89 86 C0 ?? ?? ?? 8B ?? ??) // should be unique; the C0 displacement is pinned so the store must target [esi+C0]
registersymbol(NeverUseAmmo)
alloc(NeverUseAmmoMem,$1000)
alloc(OldBytes,6)
registersymbol(OldBytes)
label(code)
label(return)
OldBytes:
readmem(NeverUseAmmo+0D,6) // save the 6 original bytes (89 86 C0 00 00 00) so [DISABLE] can restore them
NeverUseAmmoMem:
code:
cmp [esi+0000002c],0x0     // value shared between the gun and grenade structures; skip the clamp unless it is 0
jne DoNothing
cmp eax,[esi+00000080]     // current ammo against max loadable ammo
jnl DoNothing              // at or above max: store as-is
mov eax,[esi+00000080]     // below max: top it back up
DoNothing:
mov [esi+000000C0],eax     // the original instruction
jmp return
NeverUseAmmo+0D:
jmp NeverUseAmmoMem        // 5-byte jmp + 1 nop = exactly the 6 bytes replaced
nop
return:
[DISABLE]
NeverUseAmmo+0D:
readmem(OldBytes,6)        // put the original 6 bytes back
unregistersymbol(NeverUseAmmo)
dealloc(NeverUseAmmoMem)
dealloc(OldBytes)
unregistersymbol(OldBytes)
Last edited by Hugo_the_Dwarf on Thu Apr 18, 2019 1:21 pm; edited 2 times in total |
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4289
Posted: Wed Apr 17, 2019 10:08 pm Post subject: |
Don't worry about esi+80 - accessing it there won't cause a fault that wouldn't have been caused by the original code.
Does that code access other addresses? (right click on mov [esi+C0],eax and select "find out what addresses this instruction accesses")
You can use the debugger to figure out where (and perhaps why) it's crashing.
Posting the entire script may help us help you.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
Hugo_the_Dwarf Newbie cheater Reputation: 0
Joined: 17 Apr 2019 Posts: 13
Posted: Wed Apr 17, 2019 10:10 pm Post subject: |
Here is the full script; it may very well be that I mucked up something.
EDIT: Thinking of it, I think this code also affects grenades, so you are right, I should debug more and dissect more addresses and see if it's just something janky.
Code:
[ENABLE]
aobscan(NeverUseAmmo,?? 8B ?? ?? 83 ?? ?? 8B ?? ?? 8B ?? ?? 89 86 ?? ?? ?? ?? 8B ?? ??) // should be unique (the C0 displacement is wildcarded here)
alloc(NeverUseAmmoMem,$1000)
alloc(OldBytes,6)
label(code)
label(return)
OldBytes:
readmem(NeverUseAmmo+0D,6)   // saves 6 bytes: the original mov [esi+C0],eax
NeverUseAmmoMem:
code:
cmp eax,[esi+00000080]
jnl DoNothing
mov eax,[esi+00000080]
mov [esi+000000C0],eax
jmp return
DoNothing:
mov [esi+000000C0],eax
jmp return
NeverUseAmmo+0D:
jmp NeverUseAmmo             // jumps to the first byte of the scanned pattern (push ebp at 19ABFEB8), not to NeverUseAmmoMem
nop                          // 5-byte jmp + 4 nops = 9 bytes written, but only 6 were saved in OldBytes
nop
nop
nop
return:
registersymbol(NeverUseAmmo)
[DISABLE]
NeverUseAmmo+0D:
readmem(OldBytes,6)
unregistersymbol(NeverUseAmmo)
dealloc(NeverUseAmmoMem)
dealloc(OldBytes)
{
// ORIGINAL CODE - INJECTION POINT: 19ABFEC5
19ABFEB1: EB 03 - jmp 19ABFEB6
19ABFEB3: 8B 45 E8 - mov eax,[ebp-18]
19ABFEB6: C9 - leave
19ABFEB7: C3 - ret
19ABFEB8: 55 - push ebp
19ABFEB9: 8B EC - mov ebp,esp
19ABFEBB: 56 - push esi
19ABFEBC: 83 EC 04 - sub esp,04
19ABFEBF: 8B 75 08 - mov esi,[ebp+08]
19ABFEC2: 8B 45 0C - mov eax,[ebp+0C]
// ---------- INJECTING HERE ----------
19ABFEC5: 89 86 C0 00 00 00 - mov [esi+000000C0],eax
// ---------- DONE INJECTING ----------
19ABFECB: 8B 46 50 - mov eax,[esi+50]
19ABFECE: 85 C0 - test eax,eax
19ABFED0: 74 17 - je 19ABFEE9
19ABFED2: 8B 46 50 - mov eax,[esi+50]
19ABFED5: 8B 8E C0 00 00 00 - mov ecx,[esi+000000C0]
19ABFEDB: 83 EC 08 - sub esp,08
19ABFEDE: 51 - push ecx
19ABFEDF: 50 - push eax
19ABFEE0: 90 - nop
19ABFEE1: 90 - nop
}
sbryzl Master Cheater Reputation: 6
Joined: 25 Jul 2016 Posts: 252
Posted: Thu Apr 18, 2019 8:24 am Post subject: |
Code:
NeverUseAmmo+0D:
jmp NeverUseAmmoMem
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4289
Posted: Thu Apr 18, 2019 8:43 am Post subject: |
Yep - bad jump target.
Also, you shouldn't be using that many wildcards. In your code, you're assuming the offset in the original instruction was C0. If that ever changes (which is more or less the point of using wildcards), your code injection may still run and overwrite the wrong memory. Avoid this by including that offset in the AoB signature.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
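The two points above, as an added example in Python that is not part of the thread and is not Cheat Engine's own code: a small AoB scanner with `??` wildcards run over the bytes from the disassembly posted earlier (19ABFEB8 onward). The filler around those bytes, a second "build" whose store targets [esi+D0] instead of [esi+C0], and the cave address range are all constructed for the demo. It shows that the first script's signature, which wildcards the displacement, still matches the constructed variant, so the cave's hard-coded `mov [esi+C0],eax` would write a different field there, while the signature that pins `89 86 C0` rejects it. It also resolves the hook's `E9 rel32` to show that `jmp NeverUseAmmo` at NeverUseAmmo+0D lands on the scanned function's first byte (the `push ebp` at 19ABFEB8), re-entering the prologue and the hook on every pass, whereas `jmp NeverUseAmmoMem` lands inside the allocated cave.

```python
# Added example (not from the thread or Cheat Engine): AoB scan with wildcards,
# plus the two checks a careful injector would do before patching:
#   1. does the instruction at the injection offset really store to the field
#      the cave hard-codes ([esi+C0])?
#   2. does the installed 'jmp' land in the cave, not back in the function?

# Bytes copied from the disassembly posted in the thread (19ABFEB8..19ABFED0).
ORIGINAL = bytes.fromhex(
    "55 8B EC 56 83 EC 04 8B 75 08 8B 45 0C"   # push ebp .. mov eax,[ebp+0C]
    "89 86 C0 00 00 00"                       # +0D: mov [esi+C0],eax (hook site)
    "8B 46 50 85 C0 74 17"                    # mov eax,[esi+50]; test; je
)
# Constructed variant build: identical shape, but the store targets [esi+D0].
VARIANT = ORIGINAL.replace(b"\x89\x86\xC0", b"\x89\x86\xD0")

LOOSE = "?? 8B ?? ?? 83 ?? ?? 8B ?? ?? 8B ?? ?? 89 86 ?? ?? ?? ?? 8B ?? ??"  # first script
TIGHT = "?? 8B ?? ?? 83 ?? ?? 8B ?? ?? 8B ?? ?? 89 86 C0 ?? ?? ?? 8B ?? ??"  # fixed script
INJECT_OFFSET = 0x0D       # NeverUseAmmo+0D
EXPECTED_DISP = 0xC0       # displacement the cave assumes in mov [esi+C0],eax
FUNC_START = 0x20          # assumption: where ORIGINAL sits in the constructed image
CAVE = (0x1000, 0x2000)    # assumption: stand-in for alloc(NeverUseAmmoMem,$1000)


def make_image(code):
    """Constructed memory image: nop filler, the function bytes, int3 filler."""
    return bytearray(b"\x90" * FUNC_START + code + b"\xCC" * 0x20)


def parse_pattern(pattern):
    """'89 86 ??' -> [0x89, 0x86, None]; None is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def aob_scan(mem, pattern):
    """Offsets of every match, like aobscan() but returning all hits."""
    pat = parse_pattern(pattern)
    return [i for i in range(len(mem) - len(pat) + 1)
            if all(p is None or mem[i + j] == p for j, p in enumerate(pat))]


def store_disp32(mem, off):
    """Displacement of 'mov [esi+disp32],eax' (89 86 dd dd dd dd) at off, else None."""
    if len(mem) < off + 6 or mem[off:off + 2] != b"\x89\x86":
        return None
    return int.from_bytes(mem[off + 2:off + 6], "little")


def find_hook_site(mem, pattern):
    """Return (site, reason). Refuse a non-unique match, and refuse a match whose
    instruction at +0D does not write the field the cave assumes."""
    hits = aob_scan(mem, pattern)
    if len(hits) != 1:
        return None, f"pattern not unique: {len(hits)} hit(s)"
    site = hits[0] + INJECT_OFFSET
    disp = store_disp32(mem, site)
    if disp != EXPECTED_DISP:
        shown = "?" if disp is None else f"{disp:X}"
        return None, f"+{INJECT_OFFSET:02X} writes [esi+{shown}], cave assumes [esi+{EXPECTED_DISP:X}]"
    return site, "ok"


def install_jmp(mem, site, target):
    """Overwrite the 6-byte store with 'jmp target' (E9 rel32) + nop, as the script does."""
    rel = target - (site + 5)
    mem[site:site + 6] = b"\xE9" + rel.to_bytes(4, "little", signed=True) + b"\x90"


def jmp_target(mem, off):
    """Resolve the E9 rel32 at off to an absolute offset in the image."""
    rel = int.from_bytes(mem[off + 1:off + 5], "little", signed=True)
    return off + 5 + rel


def jmp_lands_in_cave(mem, site, cave=CAVE):
    """True only if the installed hook jumps into the allocated cave."""
    return cave[0] <= jmp_target(mem, site) < cave[1]


if __name__ == "__main__":
    mem = make_image(ORIGINAL)
    site, why = find_hook_site(mem, TIGHT)
    print(f"hook site = NeverUseAmmo+{site - FUNC_START:02X} ({why})")
    install_jmp(mem, site, FUNC_START)          # first script: jmp NeverUseAmmo
    print("jmp NeverUseAmmo lands in cave:   ", jmp_lands_in_cave(mem, site))
    install_jmp(mem, site, CAVE[0])             # the fix: jmp NeverUseAmmoMem
    print("jmp NeverUseAmmoMem lands in cave:", jmp_lands_in_cave(mem, site))
    print("loose pattern, variant build:", find_hook_site(make_image(VARIANT), LOOSE))
    print("tight pattern, variant build:", find_hook_site(make_image(VARIANT), TIGHT))
```

The loose pattern matches the variant build at the same offset and only the displacement check stops the cave from clobbering [esi+D0]; the tight pattern simply finds nothing there, which is the safe failure. Resolving the rel32 is the same arithmetic CE does for you when it assembles `jmp label`, so the only thing the check adds is asking whether the target is where you meant it to be.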
Hugo_the_Dwarf Newbie cheater Reputation: 0
Joined: 17 Apr 2019 Posts: 13
Posted: Thu Apr 18, 2019 9:30 am Post subject: |
Had a look. Grenades do use the logic too, but they are the same structure (also, it crashes when I shoot a gun, which wouldn't be accessing the grenade addresses anyway).
As much as I'd like to ask for someone to show me the correct way to do it (do the homework for me), I just don't have the understanding of why it's failing, so I'll resort to just having a hotkey toggle for the "replace code with nothing" because that seems to work.
So I'll leave it at that; probably not the best game to start experimenting with custom code injection (I have gone through the Cheat Engine Tutorial and had no issues there with that test).
EDIT
Ninja'd when I posted my "I give up" message. Yeah, I fixed that jump that sbryzl pointed out (as he corrected it for me)
and added C0 to the AOB scan.
Thanks ParkourPenguin and sbryzl. Rookie mistake on my part. I tested it and it works like a charm now, or at least isn't crashing. I need to make a quick test case, but it's gotten me a bit further.
Thank you so much.
EDIT2:
Did a test case: with a half-loaded gun I was able to reload, and when I shoot I don't use ammo (and it fully loads the gun).