Cheat Engine The Official Site of Cheat Engine
xUnknownHostX Newbie cheater Reputation: 0
Joined: 22 May 2019 Posts: 10
Posted: Thu May 23, 2019 9:32 pm Post subject: AOB Injection.. Could not find unique AOB |
Hi there, dear CE Forum.
Today I've encountered a problem I cannot solve. Usually I do not ask for help unless I've tried every single possibility and read forum threads and so on; I even read the forum created by TwistedFate, but with no use. I've tried several methods and I still cannot make this work.
What I'm trying to do is scan for a certain AOB and then inject assembly code I wrote at it; however, it's not finding a unique AOB. I tried setting several other bytes to make it unique, and that works (the script activates), but no changes were made; I'm afraid the changes are being made elsewhere and not where I actually want them.
So here's the script:
Code: http://prntscr dot com/nsmp5k
And here it is in assembly, with bytes around that I could use to make it unique:
Code: http://prntscr dot com/nsmpjc
Sorry for the "dot com", but for some reason it won't let me post a URL or an IMG; just kindly add http and the rest. Sorry.
The red arrow indicates the opcode I want to inject.
Could anyone here please rewrite what I have and make it work? Or even give me some instructions on how to; thank you in advance.
Here's the code:
Code:
[ENABLE]
aobscanmodule(INJECT,Flagon-Win64-Shipping.exe,ERROR: Could not find unique AOB, tried code "89 41 1C 8B 42 20") // should be unique
alloc(newmem,$100,"Flagon-Win64-Shipping.exe"+5904A1)
label(code)
label(return)
newmem:
cmp [rcx+1BC],01
jne code
mov [rcx+1C],(float)1
code:
mov [rcx+1C],eax
mov eax,[rdx+20]
jmp return
INJECT+BE7268:
jmp newmem
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT+BE7268:
db 89 41 1C 8B 42 20
unregistersymbol(INJECT)
dealloc(newmem)
Here are the bytes I've marked that should make it unique (I guess):
Code:
8B 42 08 89 41 08 8B 42 0C 89 41 0C 8B 42 10 89 41 10 8B 42 14 89 41 14 8B 42 18 89 41 18 8B 42 1C 89 41 1C
The bold bytes (the final 89 41 1C) are the ones I want to inject.
If additional information is needed, please let me know.
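The script above overwrites a 6-byte instruction pair with a 5-byte `jmp newmem` and one `nop`, and its [DISABLE] section writes the original bytes back. As an added example (not code from this thread or from Cheat Engine), the Python below performs that patch arithmetic on a byte buffer and pairs it with the check a defender or anti-tamper routine would run over a known hook site: compare the live bytes with the expected originals and, if they differ, decode where the detour goes. The module base 0x140000000 and the code-cave address are assumptions; the six instruction bytes and the +5904A1 offset are the ones in the script.

```python
import struct

JMP_REL32 = 0xE9   # opcode of the 5-byte near jump that "jmp newmem" assembles to
NOP = 0x90

def build_detour(site, target, original_len):
    """Bytes that 'jmp newmem' plus padding 'nop's write over the original instruction(s).

    site         - address of the first instruction being replaced
    target       - address of the allocated code cave (newmem)
    original_len - combined length of the instructions overwritten (must be >= 5)
    """
    if original_len < 5:
        raise ValueError("a rel32 jmp needs 5 bytes; the hook site is too short")
    rel = target - (site + 5)                  # rel32 is measured from the end of the jmp
    if not -2**31 <= rel < 2**31:
        raise ValueError("target out of rel32 range; allocate newmem near the module")
    return bytes([JMP_REL32]) + struct.pack("<i", rel) + bytes([NOP]) * (original_len - 5)

def decode_detour(site, live):
    """If the bytes at `site` begin with E9 rel32, return the jump target, else None."""
    if len(live) < 5 or live[0] != JMP_REL32:
        return None
    return site + 5 + struct.unpack("<i", bytes(live[1:5]))[0]

def audit_site(site, expected, live):
    """Integrity check over a known hook-prone site: 'intact' when the live bytes
    equal the expected originals, 'detoured' (with the decoded target) when a jmp
    has been written there, 'modified' for any other change."""
    live = bytes(live[:len(expected)])
    if live == expected:
        return {"state": "intact", "target": None}
    target = decode_detour(site, live)
    return {"state": "detoured" if target is not None else "modified", "target": target}

# ---- constructed scenario matching the script above (base address is an assumption) ----
MODULE_BASE = 0x140000000
SITE = MODULE_BASE + 0x5904A1                       # "Flagon-Win64-Shipping.exe"+5904A1
NEWMEM = MODULE_BASE + 0x58F000                     # hypothetical code cave, within rel32 reach
ORIGINAL = bytes.fromhex("89 41 1C 8B 42 20")       # mov [rcx+1C],eax ; mov eax,[rdx+20]

def simulate():
    """Apply the [ENABLE] patch to a buffer standing in for the hook site, audit it,
    then write the original bytes back as the [DISABLE] section does."""
    mem = bytearray(ORIGINAL + b"\x90" * 4)         # a few bytes of context after the site
    before = audit_site(SITE, ORIGINAL, mem)
    patch = build_detour(SITE, NEWMEM, len(ORIGINAL))
    mem[:len(patch)] = patch                        # jmp newmem / nop
    during = audit_site(SITE, ORIGINAL, mem)
    mem[:len(ORIGINAL)] = ORIGINAL                  # db 89 41 1C 8B 42 20
    after = audit_site(SITE, ORIGINAL, mem)
    return before, during, after, patch

if __name__ == "__main__":
    before, during, after, patch = simulate()
    print("patch bytes:", patch.hex())
    print("before:", before)
    print("during:", during)
    print("after: ", after)
```

The audit only recognises the plain E9 detour that the auto assembler emits here; a real integrity check would also flag any other change at the site (the "modified" state) and would compare against bytes captured from the on-disk image, not from a possibly already patched process.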
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Thu May 23, 2019 10:41 pm Post subject: |
Why are you using an offset for the AOB that large? The module offset for the code is less than the offset you have for the AOB, so it's not even inside the same module.
Code:
Address +5904A1
AOB +BE7268
This means the start of your AOB would need to be 0x656DC7 bytes before the module even begins.
xUnknownHostX Newbie cheater Reputation: 0
Joined: 22 May 2019 Posts: 10
Posted: Fri May 24, 2019 1:49 am Post subject: |
Hi there TheyCallmeTim13,
Thank you for answering.
No, let me clarify my problem: I didn't use any offset or anything whatsoever. I just assembled the address I highlighted in the screenshot and Cheat Engine did that by itself.
That's why I'm asking what I do with this code to add the bytes I want searched and the start address of the opcode I want to inject (just like shown in the pictures in the main post).
Thanks in advance.
Also, for more info, how did you figure out what the address should be before my module even begins? What kind of calculation method or format did you use? Thanks in advance (for learning purposes, so I don't encounter the same problem). EDIT: Never mind, I figured that question out: AOB minus address in hex, gotcha. But yeah, what do I do then?
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Fri May 24, 2019 5:03 am Post subject: |
This might help.
https://youtu.be/IAo6pcMVUeA?list=PLMomQxQh6AdWw6L84t35Ms6-ylZmceC5U&t=430
But basically you want to get rid of the offset for the injection symbol (i.e. "INJECT+BE7268"). Just select the line in the memory view form, hold Shift and select another line a ways down, hit Ctrl+Alt+C to copy just the bytes, and then do an AOB scan in the main CE form until you get a unique string of bytes.
But looking at that code, are you sure this isn't a shared instruction? It looks like a large amount of memory is being copied in the game's code. If you can, you might even want to find a different injection spot.
xUnknownHostX Newbie cheater Reputation: 0
Joined: 22 May 2019 Posts: 10
Posted: Fri May 24, 2019 5:17 am Post subject: |
Thanks. I've done some digging myself and figured out why the offset was messing up, so this is what I've done for now:
Code:
[ENABLE]
aobscanmodule(INJECT,Flagon-Win64-Shipping.exe,8B 82 B0 00 00 00 89 81 B0 00 00 00 8B 82 B4 00 00 00 89 81 B4 00 00 00 8B 82 B8 00 00 00 89 81 B8 00 00 00) // should be unique
alloc(newmem,$100,"Flagon-Win64-Shipping.exe"+5905D0)
label(code)
label(return)
newmem:
cmp [rcx+12C],4
jne code
mov [rcx+000000B8],(float)1
code:
mov [rcx+000000B8],(float)2
jmp return
INJECT+1E:
jmp newmem
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT+1E:
db 89 81 B8 00 00 00
unregistersymbol(INJECT)
dealloc(newmem)
However, what I am having a problem with is my Dissect Data Structure. You are correct, this is a shared opcode with many addresses accessing it, hence why I am using CMP; however, all the addresses in the DDE (Dissect Data Structure, for future reference) are either green (equal) or red (different) from the other groups that I've randomly selected.
The thing is, enemy resistances go within this code, my resistances, weapon, etc., so it's a huge code, and the resistances change places all the time, so there is no other place where I can inject really; this is, like, the last resort.
Code: http://prntscr dot com/nss8rp
Above in DDE I managed to find one which is 4 bytes (however, for some reason it's green? but none of the groups are equal to it?), and to fail-test my code I've added float 1 if the code works and float 2 if it doesn't. The value keeps changing to float 2 ingame, so the cmp is definitely not kicking in and jumping to not-equal as the code says. Am I using it wrong? If not, what do I do in this case when the DDE is filled with red (different) and green addresses, along with purple and blue of course, which I do not touch since they keep changing?
There is also one problem with the dissect data structure: the resistance I change has 4 different codes that access this opcode address, however only one changes the result (the one I'm comparing out), so it's hard to find non-equal since they're almost all identical except a few (the one I showed you above).
The code works correctly in the sense of changing the resistances, but right now it's affecting my enemies and me. The cmp I added is supposed to rule me out from the others.
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Fri May 24, 2019 7:35 am Post subject: |
You're setting the float to 1 then immediately setting back to 2. You need a jump to return after the float is set to 1.
Code:
[ENABLE]
aobscanmodule(INJECT,Flagon-Win64-Shipping.exe,8B 82 B0 00 00 00 89 81 B0 00 00 00 8B 82 B4 00 00 00 89 81 B4 00 00 00 8B 82 B8 00 00 00 89 81 B8 00 00 00) // should be unique
alloc(newmem,$100,"Flagon-Win64-Shipping.exe"+5905D0)
label(code)
label(return)
newmem:
cmp [rcx+12C],4
jne code
mov [rcx+000000B8],(float)1
jmp return
code:
mov [rcx+000000B8],(float)2
jmp return
INJECT+1E:
jmp newmem
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT+1E:
db 89 81 B8 00 00 00
unregistersymbol(INJECT)
dealloc(newmem)
xUnknownHostX Newbie cheater Reputation: 0
Joined: 22 May 2019 Posts: 10
Posted: Fri May 24, 2019 8:41 am Post subject: |
TheyCallMeTim13 wrote:
You're setting the float to 1 then immediately setting back to 2. You need a jump to return after the float is set to 1.
Code:
[ENABLE]
aobscanmodule(INJECT,Flagon-Win64-Shipping.exe,8B 82 B0 00 00 00 89 81 B0 00 00 00 8B 82 B4 00 00 00 89 81 B4 00 00 00 8B 82 B8 00 00 00 89 81 B8 00 00 00) // should be unique
alloc(newmem,$100,"Flagon-Win64-Shipping.exe"+5905D0)
label(code)
label(return)
newmem:
cmp [rcx+12C],4
jne code
mov [rcx+000000B8],(float)1
jmp return
code:
mov [rcx+000000B8],(float)2
jmp return
INJECT+1E:
jmp newmem
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT+1E:
db 89 81 B8 00 00 00
unregistersymbol(INJECT)
dealloc(newmem)
Yeah, thanks, I know; I realized that and had already put that in before you replied. Thanks for your reply; however, it still didn't do anything, it still goes to the value float 2.
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Fri May 24, 2019 1:34 pm Post subject: |
You'll just have to set a breakpoint and debug your code to see what's actually going on. It might be that the value you're comparing gets changed before your code. Or that the float value is reset right after. You're not saving and restoring the flags registry so that might be an issue.
xUnknownHostX Newbie cheater Reputation: 0
Joined: 22 May 2019 Posts: 10
Posted: Fri May 24, 2019 3:47 pm Post subject: |
TheyCallMeTim13 wrote: You'll just have to set a breakpoint and debug your code to see what's actually going on. It might be that the value you're comparing gets changed before your code. Or that the float value is reset right after. You're not saving and restoring the flags registry so that might be an issue.
Yeah, with some more digging in the code and trying many different offsets, this is currently working 100%:
Code:
[ENABLE]
aobscanmodule(INJECT,Flagon-Win64-Shipping.exe,8B 82 AC 00 00 00 89 81 AC 00 00 00 8B 82 B0 00 00 00 89 81 B0 00 00 00 8B 82 B4 00 00 00 89 81 B4 00 00 00) // should be unique
alloc(newmem,$100,"Flagon-Win64-Shipping.exe"+5905C4)
label(code)
label(return)
newmem:
cmp [rcx+194],00000013
jne code
mov eax,(float)1
mov [rcx+000000B4],eax
jmp return
code:
mov [rcx+000000B4],eax
jmp return
INJECT+1E:
jmp newmem
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT+1E:
db 89 81 B4 00 00 00
unregistersymbol(INJECT)
dealloc(newmem)
However, what is annoying me is that it's capping at float 0.75 and not changing its value to 1.0 when added. If I do this:
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048,"Flagon-Win64-Shipping.exe"+5905C4)
label(returnhere)
label(originalcode)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
cmp [rcx+194],00000013
jne originalcode
mov eax,(float)1
mov [rcx+000000B4],eax
jmp returnhere
originalcode:
mov [rcx+000000B4],eax
exit:
jmp returnhere
"Flagon-Win64-Shipping.exe"+5905C4:
jmp newmem
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"Flagon-Win64-Shipping.exe"+5905C4:
mov [rcx+000000B4],eax
It works perfectly fine and goes up to 100%, which is 25% overcapped resistance ingame (75% is the max), which I think is somewhat the reason why the first one is not working as I want. However, my question is: why would code injection work okay and AOB not?
Also, there is something that code injection does make a mistake with, however:
those extra 25% get added to me and to the enemy. Looks like overcapped resistances are handled by another code?
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Fri May 24, 2019 5:13 pm Post subject: |
Did you try the changes with the AOB? It really shouldn't matter which you use, so long as the AOB string actually gets only one result.
But what you can also do is enable your script and see what writes to the address, to see where it's being checked and overwritten, then just NOP that code.
And you'll have to find a better way to filter it out.
xUnknownHostX Newbie cheater Reputation: 0
Joined: 22 May 2019 Posts: 10
Posted: Fri May 24, 2019 6:31 pm Post subject: |
TheyCallMeTim13 wrote:
Did you try the changes with the AOB? It really shouldn't matter which you use, so long as the AOB string actually gets only one result.
But what you can also do is enable your script and see what writes to the address, to see where it's being checked and overwritten, then just NOP that code.
And you'll have to find a better way to filter it out.
The problem is the AOB always gets two results, no matter how long I make the AOB; one is identical to the other. However, one does not change anything in the game whatsoever, and the other one does. The one that does change stuff ingame I can manually change to whatever I want and it works (by changing the AOB manually). However, when I inject it, it does not change to the value I want, unless I use CODE INJECTION as explained above; that, for some reason, bugs out and gives different results than intended, even though they're running the same code: one caps at 75% (ingame resistance) and the other one can go above 100+++, but anything above 75% starts giving enemies resistances too. The AOB I inject I rule out from the other by using cmp, so it only changes one of the AOBs (the correct one).
Hmm, okay, so I enable my script and then check the AOB that I changed to see what writes to the address on top of my script, correct?
OldCheatEngineUser Whateven rank Reputation: 20
Joined: 01 Feb 2016 Posts: 1587
Posted: Sat May 25, 2019 10:07 am Post subject: |
Limit the scan region to a specific boundary by using aobscanregion.
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote: i am a sweetheart.
xUnknownHostX Newbie cheater Reputation: 0
Joined: 22 May 2019 Posts: 10
Posted: Sat May 25, 2019 6:31 pm Post subject: |
OldCheatEngineUser wrote: limit the scan region to specific boundary by using aobscanregion.
Thank you for answering and chipping in, OldCheatEngineUser. Would you please show an example with the information I've given, so I can take that and learn from there? Thank you.
OldCheatEngineUser Whateven rank Reputation: 20
Joined: 01 Feb 2016 Posts: 1587
Posted: Sun May 26, 2019 9:46 pm Post subject: |
If you can't find a unique pattern, then code injection is an option.
Code:
aobscanregion(symbol, start address, end address, bytes to search)
aobscanregion(inject,module.exe+1234,module.exe+5678, 9a bc de f0)
In your case:
Code:
[ENABLE]
// injection address "Flagon-Win64-Shipping.exe"+5905C4
// scan only module+590000..+590FFF so the identical copy elsewhere in the module is excluded
aobscanregion(INJECT,"Flagon-Win64-Shipping.exe"+590000,"Flagon-Win64-Shipping.exe"+590FFF,8B 82 B4 00 00 00 89 81 B4 00 00 00) // should be unique
alloc(newmem,$100,INJECT)
label(code)
label(return)
newmem:
cmp [rcx+194],00000013
jne code
mov eax,(float)1
mov [rcx+000000B4],eax
jmp return
code:
mov [rcx+000000B4],eax
jmp return
INJECT+06:
jmp newmem
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT+06:
db 89 81 B4 00 00 00
unregistersymbol(INJECT)
dealloc(newmem)
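As an added example (not code from this thread or from Cheat Engine), the Python below models what aobscanmodule and aobscanregion do: it parses a CE-style byte string with `??` wildcards, reports every hit rather than only the first, and shows why a module-wide scan in this thread kept returning two results while a region limited to +590000..+590FFF returns one, from which the injection address follows as hit + 6 (the script's INJECT+06). The module base 0x140000000, the buffer contents and the second copy of the sequence are constructed; the byte sequence itself is the one from the scripts above.

```python
import re

def parse_aob(pattern):
    """Parse a CE-style AOB string such as "8B 82 ?? 00 00 00" into a list of
    byte values; None marks a wildcard ("??", "?" or "*")."""
    pat = [None if tok in ("??", "?", "*") else int(tok, 16) for tok in pattern.split()]
    if not pat:
        raise ValueError("empty AOB pattern")
    return pat

def _compile(pat):
    # A lookahead reports overlapping hits too; DOTALL lets '.' match byte 0x0A.
    body = b"".join(b"." if b is None else re.escape(bytes([b])) for b in pat)
    return re.compile(b"(?=" + body + b")", re.DOTALL)

def aob_scan(memory, base, pattern, start=None, end=None):
    """Return every absolute address at which `pattern` occurs in `memory`,
    a buffer standing in for module bytes loaded at `base`.
    start/end (both inclusive, mirroring aobscanregion's arguments) limit the
    scan; leaving them out scans the whole buffer, like aobscanmodule."""
    pat = parse_aob(pattern)
    lo = 0 if start is None else max(0, start - base)
    hi = len(memory) if end is None else min(len(memory), end - base + 1)
    if hi - lo < len(pat):
        return []
    window = bytes(memory[lo:hi])
    return [base + lo + m.start() for m in _compile(pat).finditer(window)]

def unique_aob(memory, base, pattern, start=None, end=None):
    """The check behind CE's 'Could not find unique AOB': exactly one hit or fail."""
    hits = aob_scan(memory, base, pattern, start, end)
    if len(hits) != 1:
        raise LookupError(f"Could not find unique AOB: {len(hits)} hits for {pattern!r}")
    return hits[0]

# ---- constructed stand-in for a 72 KiB slice of the module (not real game data) ----
MODULE_BASE = 0x140000000                     # assumption: typical x64 image base
WINDOW_BASE = MODULE_BASE + 0x580000          # the buffer models module+580000..+591FFF
COPY_SEQ = bytes.fromhex(
    "8B 82 AC 00 00 00 89 81 AC 00 00 00 "    # mov eax,[rdx+AC] / mov [rcx+AC],eax
    "8B 82 B0 00 00 00 89 81 B0 00 00 00 "
    "8B 82 B4 00 00 00 89 81 B4 00 00 00 "
    "8B 82 B8 00 00 00 89 81 B8 00 00 00")
MEMORY = bytearray(b"\xCC" * 0x12000)         # int3 filler everywhere else
for off in (0x5A6, 0x105A6):                  # two identical copies; the second one puts
    MEMORY[off:off + len(COPY_SEQ)] = COPY_SEQ  # 'mov [rcx+B4],eax' at module+5905C4

PATTERN = "8B 82 B4 00 00 00 89 81 B4 00 00 00"
REGION_START = MODULE_BASE + 0x590000
REGION_END = MODULE_BASE + 0x590FFF

def module_scan():
    """Whole-buffer scan: finds both copies, so uniqueness fails."""
    return aob_scan(MEMORY, WINDOW_BASE, PATTERN)

def region_scan():
    """Scan limited to +590000..+590FFF: only the copy near the injection site."""
    return aob_scan(MEMORY, WINDOW_BASE, PATTERN, REGION_START, REGION_END)

def injection_address():
    """INJECT+06 from the script: the store instruction is 6 bytes after the hit."""
    return unique_aob(MEMORY, WINDOW_BASE, PATTERN, REGION_START, REGION_END) + 6

def wildcard_scan():
    """Wildcarding the displacement matches every load/store pair in both copies."""
    return aob_scan(MEMORY, WINDOW_BASE, "8B 82 ?? 00 00 00 89 81 ?? 00 00 00")

if __name__ == "__main__":
    print("module-wide hits :", [hex(a) for a in module_scan()])
    print("region hits      :", [hex(a) for a in region_scan()])
    print("injection address:", hex(injection_address()))
    print("wildcard hits    :", len(wildcard_scan()))
```

The wildcard scan is there to show the other direction of the trade-off: loosening the pattern makes it survive game updates but multiplies hits, so the region bound (or a longer literal prefix) is what actually delivers the single result a script needs.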