Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Assistance needed with script

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking
View previous topic :: View next topic  
Author Message
QuantumDialect
How do I cheat?
Reputation: 0

Joined: 16 Aug 2019
Posts: 6

PostPosted: Fri Aug 16, 2019 11:08 pm    Post subject: Assistance needed with script Reply with quote

CE,
I'm pretty new to the CE scripting world although I have plenty of experience in data snooping. I can find hard to find values, multi level pointers, and that's about it.
I am trying to write a script that allows me to change the name of an address from the standard to a personal choice.(Got that down)
And then have AA or LUA or whatever it is to automatically go to that newly named address and "find out what addresses this instruction accesses" because the address that does appear is the one that I can use as a base address and create automatic offsets from.
[code]
[ENABLE]
aobscan(CallHP, my unqiue array of bytes)
label(_CallHP)
registersymbol(_CallHP)

CallHP:
_CallHP:

[DISABLE]
unregistersymbol(_CallHP)[/code]

This labels the address as _CallHP.
How do I write the next part that allows me to find the address this instruction addresses at _CallHP?

I would ideally like a working example that I can edit. If you guys can point me into the right direction as to where I can learn to write it myself that'd be awesome!
I looked throughout google searches and yt but i only find old posts that aren't helping me any.
thank you for your time
Back to top
View user's profile Send private message
FreeER
Grandmaster Cheater Supreme
Reputation: 42

Joined: 09 Aug 2013
Posts: 1083

PostPosted: Sat Aug 17, 2019 7:43 am    Post subject: Reply with quote

typically you'd just write a hook and copy the register the instruction uses. Eg. for step 6 of the tutorial you could do this (copy pastable into CE or saveable as a CT file)

Code:
<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>1</ID>
      <Description>"Auto Assemble script"</Description>
      <LastState Activated="1"/>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>[ENABLE]
aobscanmodule(Step6CopyInjection,Tutorial-i386.exe,8B 45 F0 89 02 A1) // should be unique
alloc(newmem,$1000)

label(code)
label(return)
label(step6base)

newmem:
  mov [step6base], edx // edx is the address we care about, so copy it
code: // and do original code stuff
  mov eax,[ebp-10]
  mov [edx],eax
  jmp return
// make sure if it's after the return so that the cpu can't try to run it as code
step6base:
  dq 0 // initial value and size if more stuff comes after
  // only 4 (dd) needed for 32 bit but 64 bit needs 8 and it's not too much of a waste really

Step6CopyInjection:
  jmp newmem
return:
registersymbol(Step6CopyInjection)
registersymbol(step6base) // register symbol so it can be used outside of the script section

[DISABLE]
Step6CopyInjection: // undo jmp hook to newmem
  db 8B 45 F0 89 02
unregistersymbol(Step6CopyInjection)
unregistersymbol(step6base) // memory will not be valid so make sure symbol isn't either
dealloc(newmem) // let CE free the memory that isn't going to be jumped to anymore

{
// ORIGINAL CODE - INJECTION POINT: "Tutorial-i386.exe"+252AE

"Tutorial-i386.exe"+25288: BA 01 00 00 00        -  mov edx,00000001
"Tutorial-i386.exe"+2528D: E8 9E BE 01 00        -  call Tutorial-i386.exe+41130
"Tutorial-i386.exe"+25292: BA 7D 52 42 00        -  mov edx,Tutorial-i386.exe+2527D
"Tutorial-i386.exe"+25297: 89 E9                 -  mov ecx,ebp
"Tutorial-i386.exe"+25299: E8 E2 84 FE FF        -  call Tutorial-i386.exe+D780
"Tutorial-i386.exe"+2529E: 8B 45 F0              -  mov eax,[ebp-10]
"Tutorial-i386.exe"+252A1: 3B 45 F4              -  cmp eax,[ebp-0C]
"Tutorial-i386.exe"+252A4: 74 BE                 -  je Tutorial-i386.exe+25264
"Tutorial-i386.exe"+252A6: EB 00                 -  jmp Tutorial-i386.exe+252A8
"Tutorial-i386.exe"+252A8: 8B 15 30 16 60 00     -  mov edx,[Tutorial-i386.exe+201630]
// ---------- INJECTING HERE ----------
"Tutorial-i386.exe"+252AE: 8B 45 F0              -  mov eax,[ebp-10]
"Tutorial-i386.exe"+252B1: 89 02                 -  mov [edx],eax
// ---------- DONE INJECTING  ----------
"Tutorial-i386.exe"+252B3: A1 30 16 60 00        -  mov eax,[Tutorial-i386.exe+201630]
"Tutorial-i386.exe"+252B8: 8B 00                 -  mov eax,[eax]
"Tutorial-i386.exe"+252BA: 3B 45 F4              -  cmp eax,[ebp-0C]
"Tutorial-i386.exe"+252BD: 74 02                 -  je Tutorial-i386.exe+252C1
"Tutorial-i386.exe"+252BF: EB 1C                 -  jmp Tutorial-i386.exe+252DD
"Tutorial-i386.exe"+252C1: 8B 45 F8              -  mov eax,[ebp-08]
"Tutorial-i386.exe"+252C4: 8B 80 68 04 00 00     -  mov eax,[eax+00000468]
"Tutorial-i386.exe"+252CA: B2 01                 -  mov dl,01
"Tutorial-i386.exe"+252CC: 8B 4D F8              -  mov ecx,[ebp-08]
"Tutorial-i386.exe"+252CF: 8B 89 68 04 00 00     -  mov ecx,[ecx+00000468]
}
</AssemblerScript>
      <CheatEntries>
        <CheatEntry>
          <ID>2</ID>
          <Description>"step6base"</Description>
          <LastState Value="019F3B78" RealAddress="001A0010"/>
          <ShowAsHex>1</ShowAsHex>
          <VariableType>4 Bytes</VariableType>
          <Address>step6base</Address>
        </CheatEntry>
        <CheatEntry>
          <ID>3</ID>
          <Description>"[step6base]"</Description>
          <LastState Value="372" RealAddress="019F3B78"/>
          <VariableType>4 Bytes</VariableType>
          <Address>[step6base]</Address>
        </CheatEntry>
        <CheatEntry>
          <ID>4</ID>
          <Description>"[step6base] pointer style"</Description>
          <LastState Value="372" RealAddress="019F3B78"/>
          <VariableType>4 Bytes</VariableType>
          <Address>step6base</Address>
          <Offsets>
            <Offset>0</Offset>
          </Offsets>
        </CheatEntry>
      </CheatEntries>
    </CheatEntry>
  </CheatEntries>
</CheatTable>


Of course in this trivial case you can see right above the code that I hook where it's getting the address from mov edx,[Tutorial-i386.exe+201630] but that won't be the case most of the time lol. Also due to the fact that this code only runs when the "Change value" button is clicked it will only update when that button is clicked, but the same concept works for things the game calls on it's own as long as you can find them.

_________________
https://github.com/FreeER/ has a few CE related repos
Back to top
View user's profile Send private message
sbryzl
Expert Cheater
Reputation: 5

Joined: 25 Jul 2016
Posts: 164

PostPosted: Sat Aug 17, 2019 7:44 am    Post subject: Reply with quote

There are templates you can use to make a more easily editable table. Look under tools / auto assemble. The template you would want here is aob injection, ctrl shift A is the shortcut.
Back to top
View user's profile Send private message
QuantumDialect
How do I cheat?
Reputation: 0

Joined: 16 Aug 2019
Posts: 6

PostPosted: Sat Aug 17, 2019 3:05 pm    Post subject: .... Reply with quote

I appreciate the response but the issue with the provided solutions infers that my target address is uniquely identifiable. It is not.
The address I label callHP is always changing the address to my actual hp address and the array of bytes associated to it. During pointer scans the search is not deep enough and I don't see the point in wasting hours pointer scanning when I could, in theory, write a script that finds the address that calls the hp address and have CE automatically go to that address' memory, right click, find out what addresses accesses this instruction.
What you have provided is simply editing the code where the value is held and renaming it. Which I am already doing with the address that calls the hp address.

Perhaps I need to add insight.
The address that calls the HP address is NOT directly associated with the HP address. Somewhere in the deeper layers of its code is a pointer that generates the HP address. That address changes randomly. I haven't figured out if its based on a timer or how many levels i've gone through or if it's simply a random check that failed so it recreates it. BUT the address that calls the HP address is always the same in the instance but when closed it changes. However, I am able to instantly find it when I do a aobscan with the unique array of bytes. So the first part of my problem is solved.

I need insight as to how to code:
Take _CallHP and find the addresses that access this address.
Take it, and rename that found address to _AnythingIWant

So now I can go to my cheat table and add address manually and use _AnythingIWant+offset = new address of interest.

Literally, if someone could point to where I can find the ASM/LUA code guide to write a simply take address and find what access this instruction I can code the rest.
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 70

Joined: 06 Jul 2014
Posts: 2295

PostPosted: Sat Aug 17, 2019 4:25 pm    Post subject: Reply with quote

It would be helpful if you stated your problem more specifically.

e.g. if you have an instruction like this:
Code:
mov eax,[edx+12]

and you know edx+12 is the address of your health, then inject code to copy edx (look up "injection copy" / "injection copies").

Using a breakpoint to do the same thing is almost always unnecessary, but if you really want to, look into CE's Lua debugging interface in celua.txt.
Code:
debug_setBreakpoint(address, 1, bptExecute, function()
  -- do something with EDX
  debug_continueFromBreakpoint(co_run)
  return 1
end)

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
FreeER
Grandmaster Cheater Supreme
Reputation: 42

Joined: 09 Aug 2013
Posts: 1083

PostPosted: Sat Aug 17, 2019 4:54 pm    Post subject: Re: .... Reply with quote

QuantumDialect wrote:
Literally, if someone could point to where I can find the ASM/LUA code guide to write a simply take address and find what access this instruction I can code the rest.
Yeah, that's basically what the asm I gave does... but it only works if it's the only address that instruction uses because it overwrites the same memory address with what the register the instruction accesses the memory with is. So if it's used for more than 1 thing then it breaks.

There's no simple method with lua to use CE's find what accesses window to my knowledge, though you could recreate it by setting a breakpoint and adding every address to a table similar to how this works https://github.com/FreeER/CE-Extensions/blob/907d496113e07b16ba503e0fa9d273abf6c699da/get%20returnaddresses.lua except you wouldn't always have it read ESP at the start of a function.

_________________
https://github.com/FreeER/ has a few CE related repos
Back to top
View user's profile Send private message
QuantumDialect
How do I cheat?
Reputation: 0

Joined: 16 Aug 2019
Posts: 6

PostPosted: Sat Aug 17, 2019 6:00 pm    Post subject: Progress 8% Reply with quote

Injection copy does not work. Address I am accessing is a double.
ex: movsd mxx0,r2

injection copy says:
aobscan for target address, finds it.
globalalloc(Health)
registersymbol(Health)


code:
mov [Health],xmm0
movsd xmm0,[r3+20]
mov r3,r4

etc etc like all scripts using the template AOB INJ
try to save to cheat table > ERROR > Cannot compile on X line.
X line refers to Mov [Health],xxm0

-----------------

To the individual who shared CE-Extensions/get returnaddresses.lua
Thank you, but could you perhaps also link the CTG yt tut that uses it?
That script is pretty much what I am looking for but I need to mod it for my use. (obviously)
But without understanding the construct of that code it's a hard guess.
I have the general idea as to where I should be adding my target address. But I don't have a way to just AOB scan that adddres like a static address. I would need to append that script to AOB scan using an Array of Bytes.
Thanks for the bread, baker.

I'll keep digging
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 70

Joined: 06 Jul 2014
Posts: 2295

PostPosted: Sat Aug 17, 2019 7:05 pm    Post subject: Reply with quote

Code:
movsd xmm0,[r3+20]
I'm assuming this instruction accesses your health.

r3+20 is the address of your health. xmm0 is the value of your health (after that instruction is executed). You're trying to save the value of your health when you should be saving the address of your health. e.g.:
Code:
...
alloc(myHealthStruct,8)
registersymbol(myHealthStruct)

myHealthStruct:
  dq 0

newmem:
code:
  mov [myHealthStruct],r3
  movsd xmm0,[r3+20]
  ...

Then, click on "Add address manually" and enter "[myHealthStruct]+20" (no quotes) for the address. After you enable the script and the game eventually runs that code, it'll be the address of your health.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
QuantumDialect
How do I cheat?
Reputation: 0

Joined: 16 Aug 2019
Posts: 6

PostPosted: Sat Aug 17, 2019 9:05 pm    Post subject: eh Reply with quote

So I tried using:

globalalloc(Health,8/) // added a / to remove emoji

newmem:

code:
mov [Health],r3
movsd xmm0,[r3+20]
jmp return

and sure enough the aob scan works.
But the second i see the value under health+20 the game crashes...

I dealloc everything when disabled. But its crashing when active.
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 70

Joined: 06 Jul 2014
Posts: 2295

PostPosted: Sat Aug 17, 2019 9:37 pm    Post subject: Reply with quote

It probably doesn't allocate all the memory within 2GB of the injection point. This makes CE have to use a 14-byte jump instead of a 5-byte jump. Make sure you're including all the instructions CE overrides with the jump to your code injection and including the correct amount of nop instructions after the jump so the return address is aligned to the next relevant instruction.
(or just make sure all the allocs are within 2GB of the injection point - 5 bytes is much easier to deal with than 14 bytes)

If you use the AoB injection template as was previously suggested, CE should take care of all that for you. Just copy the newmem alloc, rename it, set the size to 8, and register the new name (if there's a third parameter, don't touch it: it's there for a reason).

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
QuantumDialect
How do I cheat?
Reputation: 0

Joined: 16 Aug 2019
Posts: 6

PostPosted: Sat Aug 17, 2019 9:40 pm    Post subject: Reply with quote

[quote="ParkourPenguin"]It probably doesn't allocate all the memory within 2GB of the injection point. This makes CE have to use a 14-byte jump instead of a 5-byte jump. Make sure you're including all the instructions CE overrides with the jump to your code injection and including the correct amount of nop instructions after the jump so the return address is aligned to the next relevant instruction.
(or just make sure all the allocs are within 2GB of the injection point - 5 bytes is much easier to deal with than 14 bytes)

If you use the AoB injection template as was previously suggested, CE should take care of all that for you. Just copy the newmem alloc, rename it, set the size to 8, and register the new name (if there's a third parameter, don't touch it: it's there for a reason).[/quote]

Could you send me a PM? I would like to post this list but for whatever reason i can't. I think if you see the area im working in you can get a better picture.
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 70

Joined: 06 Jul 2014
Posts: 2295

PostPosted: Sat Aug 17, 2019 10:14 pm    Post subject: Reply with quote

Code:
/aobscan taken out/
alloc(newmem,$1000,2B8A31B511F)

label(code)
label(return)

newmem:

code:
  mov [_HP],r9 // r9 has the address i need to lock HP value. R9 also changes
  movsd xmm0,[r9+00]
  jmp return

INJECT:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db F2 41 0F 10 41 00

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 2B8A31B511F

2B8A31B50FC: 44 3B D8                       -  cmp r11d,eax
2B8A31B50FF: 77 4C                          -  ja 2B8A31B514D
2B8A31B5101: 41 3B C3                       -  cmp eax,r11d
2B8A31B5104: 45 1B DB                       -  sbb r11d,r11d
2B8A31B5107: B8 04 00 00 00                 -  mov eax,00000004
2B8A31B510C: 41 F7 D3                       -  not r11d
2B8A31B510F: 41 81 C2 E8 01 00 00           -  add r10d,000001E8
2B8A31B5116: 45 23 D3                       -  and r10d,r11d
2B8A31B5119: 45 8B D2                       -  mov r10d,r10d
2B8A31B511C: 4D 03 CA                       -  add r9,r10
// ---------- INJECTING HERE ----------
2B8A31B511F: F2 41 0F 10 41 00              -  movsd xmm0,[r9+00]
// ---------- DONE INJECTING  ----------
2B8A31B5125: 4D 8B C8                       -  mov r9,r8
2B8A31B5128: 49 81 C1 D2 79 04 4F           -  add r9,4F0479D2
2B8A31B512F: 49 81 C1 56 47 FC B0           -  add r9,B0FC4756
2B8A31B5136: F2 41 0F 11 41 00              -  movsd [r9+00],xmm0
2B8A31B513C: 41 89 48 20                    -  mov [r8+20],ecx
2B8A31B5140: 48 8B 4D E8                    -  mov rcx,[rbp-18]
2B8A31B5144: 48 89 4A 58                    -  mov [rdx+58],rcx
2B8A31B5148: 48 8B E5                       -  mov rsp,rbp
2B8A31B514B: 5D                             -  pop rbp
2B8A31B514C: C3                             -  ret
}

It looks like CE isn't that helpful in assigning a good third parameter to alloc. I don't recall if aobscans are handled before allocations, but try it anyways by replacing 2B8A31B511F w/ INJECT. If it still crashes, set a breakpoint before the injection point, enable the script, and post the changes made by the script in that region.

You also didn't alloc _HP in this script. Since it's not giving an error, I guess it's fine, but if it ever does, use a register to access it:
Code:
push rax
mov rax,_HP
mov [rax],r9
pop rax


If, by "R9 also changes," you're saying that instruction can access more than just the address of your HP, you should probably look for a different injection point. (right click the instruction in the disassembler and select "find out what addresses this instruction accesses" to make sure)

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
QuantumDialect
How do I cheat?
Reputation: 0

Joined: 16 Aug 2019
Posts: 6

PostPosted: Sat Aug 17, 2019 10:23 pm    Post subject: ... Reply with quote

I will give that a go. I did globalalloc(_HP,32) sorry for leaving that out.
R9 only has 1 instruction. It gives the address for the HP value. I'm trying to copy R9's address because the address for HP changes every so often but that area you're looking at is constant.
Perhaps I am misusing the information.
The VALUE r9 holds is not an address. I need the address from r9.
My thought was that if I can copy r9, i can then give it a symbol(_HP), and add that to my cheat table to always have r9's address.


No luck: Tried the rax method. Game still crashes after a few seconds of activating the script. Wish i could say more as to what changes but everything goes ??? || stand corrected. Changed address to INJECT. No longer crashes.
But the addresses don't match the targeted address. RIP. Thanks for the help!
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites