Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


How to deal with repeatable instructions / saving values AA

 
MikeNoey
Advanced Cheater
Reputation: 0

Joined: 08 Jun 2018
Posts: 64

Posted: Sun Nov 03, 2019 2:45 pm    Post subject: How to deal with repeatable instructions / saving values AA

I have an instruction which accesses 15 addresses. The only difference in the registers is the actual address; the rest of the registers don't change. I am not sure how I go about saving each EAX value to 15 symbols. If someone could help me with this, that would be awesome sauce. Thank you in advance.
DanyDollaro
Master Cheater
Reputation: 3

Joined: 01 Aug 2019
Posts: 334

Posted: Sun Nov 03, 2019 3:51 pm

If you gave any more information it would be better, like the opcode of the instruction. I can only show you a script that I made a long time ago that saves 5 addresses in memory locations recorded with a symbol; you can simply readjust it.
Code:
[ENABLE]
// code cave placed near the injection point so the 5-byte jmp below can reach it
alloc(Structure_Script,2048,"GameAssembly.dll"+5AAB5C)
// one 8-byte slot per saved pointer; alloc memory starts zeroed, so 0 means "empty"
alloc(Addres_Structure,8)
alloc(Addres_Structure_2,8)
alloc(Addres_Structure_3,8)
alloc(Addres_Structure_4,8)
alloc(Addres_Structure_5,8)

// exported so the slots can be used as addresses in the cheat table
registersymbol(Addres_Structure)
registersymbol(Addres_Structure_2)
registersymbol(Addres_Structure_3)
registersymbol(Addres_Structure_4)
registersymbol(Addres_Structure_5)

label(exit)
label(returnhere)

label(Take_1st_Structure)
label(Take_2nd_Structure)
label(Take_3rd_Structure)
label(Take_4th_Structure)
label(Take_5th_Structure)

label(Check_1st_empty)
label(Check_2nd_empty)
label(Check_3rd_empty)
label(Check_4th_empty)
label(Check_5th_empty)

label(Not_OverWrite_2nd)
label(Not_OverWrite_3rd)
label(Not_OverWrite_4th)
label(Not_OverWrite_5th)


Structure_Script:
// rsi holds the structure pointer at the injection point (see the original code below).
// Only memory and the flags are written here; the cmp instructions change the flags,
// but the code after the injection point does not read them before the call at +5AAB6D.

//First Structure (1): slot empty -> take it
Check_1st_empty:
cmp qword ptr [Addres_Structure],0   // compare the whole 64-bit pointer, not just the low dword
jne Not_OverWrite_2nd

Take_1st_Structure:
mov [Addres_Structure],rsi
jmp exit


//Second Structure (2): slot 1 is taken; leave if it already holds this pointer
Not_OverWrite_2nd:
cmp [Addres_Structure],rsi
je exit

Check_2nd_empty:
cmp qword ptr [Addres_Structure_2],0
jne Not_OverWrite_3rd

Take_2nd_Structure:
mov [Addres_Structure_2],rsi
jmp exit


//Third Structure (3)
Not_OverWrite_3rd:
cmp [Addres_Structure_2],rsi
je exit

Check_3rd_empty:
cmp qword ptr [Addres_Structure_3],0
jne Not_OverWrite_4th

Take_3rd_Structure:
mov [Addres_Structure_3],rsi
jmp exit


//Fourth Structure (4)
Not_OverWrite_4th:
cmp [Addres_Structure_3],rsi
je exit

Check_4th_empty:
cmp qword ptr [Addres_Structure_4],0
jne Not_OverWrite_5th

Take_4th_Structure:
mov [Addres_Structure_4],rsi
jmp exit


//Fifth Structure (5)
Not_OverWrite_5th:
cmp [Addres_Structure_4],rsi
je exit

Check_5th_empty:
cmp qword ptr [Addres_Structure_5],0   // once all five slots are full, further pointers are dropped instead of overwriting slot 5
jne exit

Take_5th_Structure:
mov [Addres_Structure_5],rsi

exit:
mov r15d,[rsi+00000084]   // original instruction
jmp returnhere

"GameAssembly.dll"+5AAB5C:
jmp Structure_Script   // 5-byte jmp + 2 nops replace the 7-byte mov
nop
nop

returnhere:


[DISABLE]
dealloc(Structure_Script)
dealloc(Addres_Structure)
dealloc(Addres_Structure_2)
dealloc(Addres_Structure_3)
dealloc(Addres_Structure_4)
dealloc(Addres_Structure_5)

unregistersymbol(Addres_Structure)
unregistersymbol(Addres_Structure_2)
unregistersymbol(Addres_Structure_3)
unregistersymbol(Addres_Structure_4)
unregistersymbol(Addres_Structure_5)

// restore the original 7-byte instruction
"GameAssembly.dll"+5AAB5C:
mov r15d,[rsi+00000084]



{
// ORIGINAL CODE - INJECTION POINT: "GameAssembly.dll"+5AAB5C

"GameAssembly.dll"+5AAB37: 84 C0                    -  test al,al
"GameAssembly.dll"+5AAB39: 0F 84 55 03 00 00        -  je GameAssembly.dll+5AAE94
"GameAssembly.dll"+5AAB3F: FF C3                    -  inc ebx
"GameAssembly.dll"+5AAB41: 41 3B DE                 -  cmp ebx,r14d
"GameAssembly.dll"+5AAB44: 7C BE                    -  jl GameAssembly.dll+5AAB04
"GameAssembly.dll"+5AAB46: 48 8B 86 88 00 00 00     -  mov rax,[rsi+00000088]
"GameAssembly.dll"+5AAB4D: 48 85 C0                 -  test rax,rax
"GameAssembly.dll"+5AAB50: 0F 84 60 03 00 00        -  je GameAssembly.dll+5AAEB6
"GameAssembly.dll"+5AAB56: 0F B6 58 75              -  movzx ebx,byte ptr [rax+75]
"GameAssembly.dll"+5AAB5A: 33 D2                    -  xor edx,edx
// ---------- INJECTING HERE ----------
"GameAssembly.dll"+5AAB5C: 44 8B BE 84 00 00 00     -  mov r15d,[rsi+00000084]
// ---------- DONE INJECTING  ----------
"GameAssembly.dll"+5AAB63: 48 8B CE                 -  mov rcx,rsi
"GameAssembly.dll"+5AAB66: 44 8B A6 B8 00 00 00     -  mov r12d,[rsi+000000B8]
"GameAssembly.dll"+5AAB6D: E8 9E D2 CF FF           -  call GameAssembly.dll+2A7E10
"GameAssembly.dll"+5AAB72: 84 DB                    -  test bl,bl
"GameAssembly.dll"+5AAB74: 75 0F                    -  jne GameAssembly.dll+5AAB85
"GameAssembly.dll"+5AAB76: 48 85 C0                 -  test rax,rax
"GameAssembly.dll"+5AAB79: 0F 84 37 03 00 00        -  je GameAssembly.dll+5AAEB6
"GameAssembly.dll"+5AAB7F: 48 8B 48 30              -  mov rcx,[rax+30]
"GameAssembly.dll"+5AAB83: EB 0D                    -  jmp GameAssembly.dll+5AAB92
"GameAssembly.dll"+5AAB85: 48 85 C0                 -  test rax,rax
}


Last edited by DanyDollaro on Mon Nov 04, 2019 1:39 pm; edited 1 time in total
MikeNoey
Advanced Cheater
Reputation: 0

Joined: 08 Jun 2018
Posts: 64

Posted: Sun Nov 03, 2019 4:37 pm

Hey bro, thanks for posting your script. It looks really long. I'm just wondering if there are simpler ways to do it than that. I'll provide you the opcodes though, in case that'd help you help me better.

Code:
originalcode:
mov ecx,[eax]   // eax holds the address being accessed
push edi
push ecx
call game.exe+29712E

Also, I was doing some searching on the forums and I found this post by DarkByte, although I don't fully understand how to get it working, mainly the "storage" part. He says you can add 10 addresses to storage, I think.

DarkByte- "in the injection allocate a counter and storage for 10 entries

then each time write the address to the next available storage and increase the counter

e.g "

Code:
alloc(counter,4)
alloc(storage,40)   // 10 dword entries
registersymbol(storage)

...
cmp [counter],#10   // #10 is decimal ten; a bare number is read as hex
jae full
make it so eax contains the address (you didn't post the instruction so no idea.
...
push ebx
mov ebx,[counter]
mov [storage+ebx*4],eax
inc dword ptr [counter]   // advance to the next free entry
pop ebx

full:
originalcode
jmp back

...
code injection stuff
...
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4697

Posted: Sun Nov 03, 2019 4:54 pm

You can also compare against something in the stack and/or another memory location accessed through a value in a register.

If you need all the addresses an instruction accesses, this code logs up to 128 addresses to a buffer with no repeats:
Code:
alloc(my_code, 2048)
alloc(addresses, 512)   // 128 dword slots (0x200 bytes)
alloc(end, 4)           // pointer to the next free slot
label(loop)
label(loopEnter)
label(quickExit)
label(append)

registersymbol(addresses)

my_code:
// edx - end of buffer (next free slot)
  mov edx, [end]

// check to avoid buffer overflow (200 is hex here: addresses+0x200 is one past the last slot)
  cmp edx, addresses+200
  je short quickExit

// if it's empty, no check necessary- append it
  cmp edx, addresses
  je short append

// [eax] - value presently stored in buffer
  mov eax, addresses
  jmp short loopEnter

loop:
  add eax, 4
// if it reaches the end, append it
  cmp edx,eax
  je short append

loopEnter:
// edi - address to log
  cmp [eax], edi
  jne short loop
// if it's already in the buffer, return
quickExit:
  ret

append:
// push back end & write new value
  lea eax, [edx+4]
  mov [end], eax
  mov [edx], edi
  ret

addresses:

end:
  dd addresses   // 32-bit pointer; dq would write 8 bytes into the 4-byte alloc
I haven't tested this, and you'll need to adapt it (e.g. rename edi -> eax, eax -> something else; backup registers as necessary; maybe change ret instructions depending on how you inject this; etc.).

_________________
I don't know where I'm going, but I'll figure it out when I get there.
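The two logging strategies in this thread, the counter-based append from the quoted DarkByte sketch and the de-duplicating loop in the post above, modelled in C so the capacity check and the duplicate check can be exercised on a constructed hit sequence. This is an added example, not Cheat Engine script and not code from any poster; the function names, the `cap` parameter (so both the 10-entry and the 128-entry sizes can be tried) and the 15 made-up object addresses hit over three passes are assumptions chosen to match the original question.

```c
/* Added example (C model, not Cheat Engine script): the two address-logging
 * strategies from this thread, with the bound and duplicate checks kept
 * in the same places as the injected assembly. Names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LOG_CAP 128            /* alloc(addresses,512): 128 dword slots */

typedef struct {
    uint32_t slots[LOG_CAP];   /* the "storage" / "addresses" buffer */
    size_t   count;            /* [counter], or (end - addresses) / 4 */
} addr_log;

/* DarkByte's sketch: counter checked against the capacity, then store and
 * advance. "cmp [counter],#cap ; jae full" is the >= test below. */
int log_append(addr_log *log, size_t cap, uint32_t addr)
{
    if (cap > LOG_CAP) cap = LOG_CAP;
    if (log->count >= cap)               /* jae full: index cap is past the buffer */
        return 0;
    log->slots[log->count++] = addr;     /* mov [storage+ebx*4],eax ; inc [counter] */
    return 1;
}

/* ParkourPenguin's loop: refuse when full, scan for the value, append only
 * when it is absent. Returns 1 if a new entry was written. */
int log_append_unique(addr_log *log, size_t cap, uint32_t addr)
{
    if (cap > LOG_CAP) cap = LOG_CAP;
    if (log->count >= cap)               /* cmp edx,addresses+200 ; je quickExit */
        return 0;
    for (size_t i = 0; i < log->count; i++)   /* loop: cmp [eax],edi ; jne loop */
        if (log->slots[i] == addr)
            return 0;                    /* already logged -> quickExit */
    log->slots[log->count++] = addr;     /* append: mov [edx],edi ; end += 4 */
    return 1;
}

/* Constructed hit sequence (values made up): the hooked instruction runs
 * N_FRAMES times over the same N_OBJECTS object addresses. */
#define N_OBJECTS 15
#define N_FRAMES   3
#define N_HITS     (N_OBJECTS * N_FRAMES)

static uint32_t sample_hit(size_t n)
{
    return 0x0C3A1000u + (uint32_t)(n % N_OBJECTS) * 0x40u;
}

/* Replays the hits into a counter-based log of `cap` slots; returns the
 * number of entries stored (repeats included). */
size_t replay_counter(size_t cap)
{
    addr_log log = {{0}, 0};
    for (size_t n = 0; n < N_HITS; n++)
        log_append(&log, cap, sample_hit(n));
    return log.count;
}

/* Replays the hits into a de-duplicating log of `cap` slots; returns the
 * number of entries stored. */
size_t replay_unique(size_t cap)
{
    addr_log log = {{0}, 0};
    for (size_t n = 0; n < N_HITS; n++)
        log_append_unique(&log, cap, sample_hit(n));
    return log.count;
}

/* 1 if a full replay into the de-duplicating log holds each of the 15
 * addresses exactly once, in first-seen order. */
int unique_log_is_exact(void)
{
    addr_log log = {{0}, 0};
    for (size_t n = 0; n < N_HITS; n++)
        log_append_unique(&log, LOG_CAP, sample_hit(n));
    if (log.count != N_OBJECTS)
        return 0;
    for (size_t i = 0; i < N_OBJECTS; i++)
        if (log.slots[i] != sample_hit(i))
            return 0;
    return 1;
}

int main(void)
{
    printf("counter log, 10 slots : %zu entries\n", replay_counter(10));
    printf("counter log, 128 slots: %zu entries (every hit, repeats included)\n",
           replay_counter(LOG_CAP));
    printf("unique log, 128 slots : %zu entries\n", replay_unique(LOG_CAP));
    printf("unique log exact      : %s\n", unique_log_is_exact() ? "yes" : "no");
    return 0;
}
```

The counter variant fills its slots with whatever the instruction touches, so with a repeatable instruction it is full of repeats after the first pass; the scan in `log_append_unique` is what keeps one entry per address, at the cost of a linear search on every hit. Both `>=` tests correspond to the `jae` in the scripts. When translating back into the injected version, the registers the scan uses (eax and edx in the post above) have to be saved and restored around the call, since the game's code expects them unchanged.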
MikeNoey
Advanced Cheater
Reputation: 0

Joined: 08 Jun 2018
Posts: 64

Posted: Sun Nov 03, 2019 6:10 pm

@DanyDollaro I got your code working. I appreciate the assist. You're the man.

@Parkour Thank you man. I will definitely take a look at that and play around with it in the future. You've answered quite a few of my questions over the last few months. I can't stress enough how much I appreciate it, and I am sure everyone else you help appreciates it too.
DanyDollaro
Master Cheater
Reputation: 3

Joined: 01 Aug 2019
Posts: 334

Posted: Mon Nov 04, 2019 12:45 pm

Oh sure! When I did that code I was not so good at programming, and the idea of creating a loop like in the DarkByte code hadn't occurred to me.

Its operation is simple:
it has "Storage" as the base address, and after saving an address in "Storage" it increases the counter used by EBX; at the next iteration of the cycle it will save the next address in "Storage + 4", at the next iteration "Storage + 8", and so on up to "Storage + 36", after which, when "jae full" is reached, it will skip without saving to "Storage + 40" (it will actually save 9 addresses, not 10, unless you replace the "jae" with "ja").
Obviously the code is very generic and must be readjusted, but in this way it could also save 9 addresses that are all the same, since there is no comparison between the addresses already saved.
All times are GMT - 6 Hours