Cheat Engine The Official Site of Cheat Engine
AylinCE Grandmaster Cheater Supreme
Reputation: 37
Joined: 16 Feb 2017 Posts: 1533
Posted: Wed Mar 04, 2020 1:05 am Post subject: Is there any idea about code activation methods?
Possibly an online game.
And likely for "Flash" codes.
As a rule, the game name will not be shared.
-------------------------------------------------
Below are a few AOB exchange codes.
I also tried 3 scenarios in Trainer in the same game.
In the game, it did not react. It only reacts correctly while the game is loading.
But when I change the same codes with a "C++ Trainer" in the game, it responds correctly.
My question:
Do you have an idea for code that effectively modifies AOB codes (probably as the "C++ Trainer" does)?
Example scenario 1:
Code:
-- convert a decimal number to an upper-case hex string (no "0x" prefix)
function DEC_HEX(IN)
  local B,K,OUT,I,D=16,"0123456789ABCDEF","",0
  if IN<1 then
    OUT=0
    return OUT
  end
  while IN>0 do
    I=I+1
    -- math.mod does not exist in the Lua 5.3 that Cheat Engine ships; use the % operator
    IN,D=math.floor(IN/B),(IN%B)+1
    OUT=string.sub(K,D,D)..OUT
  end
  return OUT
end

-- scan for "search" and write every non-"??" byte of "change" at each match
function Aobswap(search, change)
  local aobs = AOBScan(search)
  if(aobs ~= nil) then
    local j = stringlist_getCount(aobs)
    --print("Found:",j);
    for i = 1, j do
      --print(stringlist_getString(aobs,i-1));
      --66 ?? ?? d1 a1 68 ?? ?? d0 d0
      local address=stringlist_getString(aobs,i-1)
      -- "change" is a string of "xx " triples; p steps over it three characters at a time
      for p = 1, string.len(change), 3 do
        local z = string.sub(change, p, p+2)
        local x, y = string.find(z, "%?+")
        if (x == nil) then
          -- write this single byte at address+index, leaving "??" positions untouched
          local script = address.."+"..DEC_HEX((p-1)/3)..":\ndb "..z
          autoAssemble(script)
          --print(z)
          --print(address.."+"..(DEC_HEX((p-1)/3)))
        end
      end
    end
    object_destroy(aobs);
    aobs=nil
  end
end

--Active
Aobswap("60 ?? ?? 66 ?? ?? 66 ?? ?? a2 a0","02 02 02 02 02 02 25 e8 07 a2 a0")
-- or
codescan1 = "60 ?? ?? 66 ?? ?? 66 ?? ?? a2 a0"
Aobswap(codescan1,("02 02 02 02 02 02 25 e8 07 a2 a0"))
Example scenario 2:
Code:
function Hack4()
  -- note: all three aobscan lines use the same pattern, so each resolves to the first match
  local script4 = ([[
[ENABLE]
Aobscan(_code4,63 05 ?? ?? 24 00 ?? 63 04 d0 46)
Aobscan(_code5,63 05 ?? ?? 24 00 ?? 63 04 d0 46)
Aobscan(_code6,63 05 ?? ?? 24 00 ?? 63 04 d0 46)
_code4:
db 25 90 4e ?? 25 90 4e
_code5:
db 25 90 4e ?? 25 90 4e
_code6:
db 25 90 4e ?? 25 90 4e
[DISABLE]
]]);
  autoAssemble(script4);
end
Example scenario 3: (Probably the closest coding to the "C++" language)
Code:
function GoldReplacer()
  local search = "60 ?? ?? 66 ?? ?? 66 ?? ?? a2 a0"
  ------------------02 02 02 02 02 02 25 e8 07 a2 a0
  local aobs = AOBScan(search)
  if(aobs ~= nil) then
    check = 2
    for i=0,stringlist_getCount(aobs)-1 do
      local address=stringlist_getString(aobs,i)
      -- read 50 bytes at the match, patch the first 9 in place, write them all back
      local changeTable = readBytes(address,50,true)
      for k=1,6 do
        changeTable[k] = 0x02
      end
      changeTable[7],changeTable[8],changeTable[9] = 0x25,0xe8,0x07
      writeBytes('0x'..address,changeTable)
    end
    object_destroy(aobs);
    aobs=nil
  end
  -- if check==2 then
  --   print("ON")
  -- else
  --   print("OFF")
  -- end
end
(Maybe I should trigger the activation with a Timer.)
The codes above are not effective when activated in the game.
Results can only be obtained while the game is loading.
But with the "C++ Trainer", if activated within the game, the result is successful.
Do you have an effective AOB exchange coding idea?
Thanks in advance for your different ideas.
Corroder Grandmaster Cheater Supreme
Reputation: 75
Joined: 10 Apr 2015 Posts: 1668
Posted: Wed Mar 04, 2020 1:42 am Post subject: Re: Is there any idea about code activation methods?
Aylin wrote:
  My question:
  Do you have an idea for code that effectively modifies AOB codes (probably as the "C++ Trainer" does)?
Then, what exactly does the C++ Trainer do?
By Zanzer: Scan And Replace Specific
The following script will scan for the provided array of bytes.
Once found, the script will overwrite the bytes with the ones provided.
You can use '??' as a wildcard within the search and replace it to ignore those bytes.
For the replacement, this means the original bytes in those locations will not change.
The script will replace the bytes at each address in which the pattern matched.
Simply give the cheat a unique name and provide it with the pattern and replacement bytes.
Code:
{$lua}
cheat_name = "MyCheat"
[ENABLE]
local pattern = "48 83 EC 28 E8 ?? ?? ?? ?? 48 83 C4 28"
local replace = "?? ?? ?? ?? 90 90 90 90 90 ?? ?? ?? ??"
-- edit the name of the cheat
-- edit the pattern to search
-- edit the replacement bytes
-- use ?? to ignore the bytes
-- do not edit the code below
local scans = AOBScan(pattern)
if scans == nil then
  showMessage("Unable to find pattern:\n"..pattern)
else
  local saved = {}
  local length = (#replace + 1) / 3   -- number of bytes in the replacement string
  for i = 0, scans.Count - 1 do
    local backup = readBytes(scans[i], length, true)
    local bytes = {}
    for hex in string.gmatch(replace, "%S+") do
      local size = #bytes + 1
      if hex == "??" then
        bytes[size] = backup[size]   -- keep the original byte under a wildcard
      else
        bytes[size] = tonumber(hex, 16)
      end
    end
    saved[i] = backup
    writeBytes(scans[i], bytes)
  end
  _G[cheat_name] = {
    ["scans"] = scans,
    ["saved"] = saved
  }
end
[DISABLE]
local vars = _G[cheat_name]
if vars ~= nil then
  local scans = vars.scans
  local saved = vars.saved
  for i = 0, scans.Count - 1 do
    writeBytes(scans[i], saved[i])   -- restore the bytes saved at enable time
  end
  scans.Destroy()
  vars.scans = nil
  vars.saved = nil
  vars = nil
  _G[cheat_name] = nil
end
By Panraven: AOB Manipulation
Code:
function byte2aob(b) return type(b)=='number' and b<256 and b>=0 and string.format('%02X',b) or '??' end
function aob2byte(a) a = tonumber(a,16) return type(a)=='number' and a <256 and a>=0 and a or -1 end
function imap(t,f) local s={} for i=1,#t do s[i]=f(t[i]) end return s end
function n2bt(n,t) t=type(t)=='string' and t or 'dword' return rawget(_G,t..'ToByteTable')(n) end
function t2aob(t,sep) return table.concat(imap(t,byte2aob),type(sep)=='string' and sep or ' ') end
function n2aob(n,t) return t2aob(n2bt(n,t)) end
function s1aob(s) return t2aob(n2bt(s,'string')) end
function s2aob(s) return t2aob(n2bt(s,'wideString')) end
function aob2bt(a)
local s = a:gsub('%S+',function(r) -- check parts
local t,l = {},string.len(r)
assert(string.len(r) % 2 == 0, 'some aob part has odds number of hex digits:'..l..'-'..r)
for i=1,l/2 do t[i] = byte2aob(aob2byte(string.sub(r,i*2-1,i*2))) end-- extract byte from each 2 hex digits
return table.concat(t)
end):gsub('%s+','') -- trim all spaces
local t,l = {},string.len(s)
assert(l % 2 == 0, 'the aob has odds number of hex digits:'..l..'-'..s)
for i=1,l/2 do t[i] = aob2byte(string.sub(s,i*2-1,i*2)) end-- extract byte from each 2 hex digits
return t
end
function normalize(a,sep) return t2aob(aob2bt(a),type(sep)=='string' and sep or '') end -- check even hex digits, default no space form
function replaceBytes(a,p,r,m)
assert(p>0,'replace position must be positive')
local t = aob2bt(a)
local isTable = type(r)=='table'
local l = isTable and #r or r
assert(type(l)=='number','replace table or length not valid')
l = math.min(l,type(m)=='number' and m or l)
for i=#t+1,p+l-1 do t[i]=0 end
for i=1,l do t[p+i-1] = isTable and r[i] or -1 end
return t2aob(t)
end
function join(sep,...) return table.concat(imap({...},tostring),type(sep)=='string' and sep or " ") end
function ajoin(...)
return join(" ",unpack(imap({...},function(a)
if type(a) == 'number' then a = byte2aob(a) end
if type(a) == 'table' then a = t2aob(a) end
return a
end)))
end
-- application
function unityString(s,wide)
local stoaob = wide == true and s2aob or s1aob
return ajoin(n2aob(string.len(s)),stoaob(s))
end
-- test
print(n2aob(999,'double'))
local u = unityString('Hello CheatEngine')
local w = unityString('Hello CheatEngine',true)
print(u)
print(normalize(w))
-- r = aobscan(u) --
local r = 0x451200 - 8 -- unity string struct address at -8 offset of pattern [str-len:4bytes][str-chars]
local c = ajoin(0x68,n2aob(r),'50 ?? ?? e8') -- push [string addr] ; push some-eax ; call some-where
print(c)
local d,e = replaceBytes(c,2,4),replaceBytes(c,10,n2bt(1000000),2)
print(d) -- replace with how many wildcard, here 4, at position 2
print(e) -- replace/insert 1st 2 bytes of aob(1000000):0f4240 after e8, give ... e8 40 42
--[[ output
00 00 00 00 00 38 8F 40
11 00 00 00 48 65 6C 6C 6F 20 43 68 65 61 74 45 6E 67 69 6E 65
11000000480065006C006C006F0020004300680065006100740045006E00670069006E006500
68 F8 11 45 00 50 ?? ?? e8
68 ?? ?? ?? ?? 50 ?? ?? E8
68 F8 11 45 00 50 ?? ?? E8 40 42
--]]
By DaSpammer: AOBSwap Complicate (If I am not wrong with who made this)
Code:
--=============== Complicated AOB Swap =======================---
-- Search(string) = The AoB we will look for
-- Replace(string) = the AoB we will replace with
-- Index(number/nil) = Change a specific index counting from 0+ or keep as nil (nil replaces all)
-- ActiveHack(true/false) = If false the AOBSwap function will not replace the bytes, useful if you enable ReturnTable, and then for each entry and entry do table[n].enable() or table[n].disable();
-- RegisterAsAddress(true/false) = Register address as a symbol
-- RegisteredAddressName(string) = how to call the address if RegisterAsAddress is true, if theres no specific index, each address and address will be registered as RegisteredAddressName+1.
-- For example RegisteredAddressName, RegisteredAddressName1, RegisteredAddressName2,RegisteredAddressName3 .. RegisteredAddressNameN
-- ReturnTable(true/false) = Parses up everything, adds an enable and disable function for each address and address that was found
function AOBSwap(Search, Replace, Index, ActiveHack, RegisterAsAddress, RegisteredAddressName, ReturnTable)
  local AoBLength;
  local Table;
  local AddressCount = '';
  if (ReturnTable) then
    Table = {};
    AoBLength = string.gsub(Search, ' ', ''):len();
  end
  if (not Index) then
    AddressCount = 1;
  end
  local ScanAoB = AOBScan(Search);
  if (ScanAoB) then
    local count = stringlist_getCount(ScanAoB);
    if (Index) then
      if (Index > count) then
        Index = count;
      end
    end
    if (count) then
      for i = 1, count do
        if (Index) then
          i = Index;
        end
        local address = stringlist_getString(ScanAoB,i-1);
        local symbol;
        if (RegisterAsAddress and RegisterAsAddress~= '') then
          unregisterSymbol(RegisteredAddressName .. AddressCount);
          registerSymbol(RegisteredAddressName .. (AddressCount or ''), address);
          symbol = RegisteredAddressName .. AddressCount;
          if (not Index) then
            AddressCount = AddressCount + 1;
          end
        end
        local original_AoB ;
        if (ReturnTable and AoBLength) then
          -- read the original bytes so disable() can write them back later
          original_AoB = '';
          local ReadBytes = readBytes(address, (AoBLength / 2),true);
          for _,String in pairs(ReadBytes) do
            local Hex = string.format("%x",String);
            if (Hex:len()==1) then
              Hex = '0' .. Hex;
            end
            original_AoB = original_AoB .. ' ' .. Hex;
          end
        end
        if (ActiveHack) then
          -- write each non-"??" byte of Replace on its own (a space is needed between "db" and the byte)
          for i = 1, string.len(Replace), 3 do
            local z = string.sub(Replace, i, i+2);
            local x, y = string.find(z, "%?+");
            if (x == nil) then
              autoAssemble(address .. "+" .. (string.format("%x",(i-1)/3)) .. ':\ndb ' .. z);
            end
          end
        end
        if (Table and ReturnTable and AoBLength) then
          Table[#Table+1] = {
            address = address;
            symbol = symbol;
            originalaob = original_AoB;
            enable = function ()
              for i = 1, string.len(Replace), 3 do
                local z = string.sub(Replace, i, i+2);
                local x, y = string.find(z, "%?+");
                if (x == nil) then
                  autoAssemble(address .. "+" .. (string.format("%x",(i-1)/3)) .. ':\ndb ' .. z);
                end
              end
            end;
            disable = function ()
              autoAssemble(address .. ':\ndb ' .. original_AoB);
            end;
          };
          local TableIndex = Table[#Table];
          TableIndex.remove = function ()
            TableIndex.disable();
            for k,v in pairs(TableIndex) do
              TableIndex[k] = nil;
            end
            TableIndex = nil;
          end;
          Table[symbol] = TableIndex;
        end
        if (Index and i == Index) then
          break;
        end
      end
    end
    object_destroy(ScanAoB);
  end
  if (Table and ReturnTable) then
    return Table;
  end
end

-- Example
function AOB_active()
  t = AOBSwap('9A 99 99 99 99 99 C9 3F','9A 99 99 99 99 99 B9 3F', nil, false, true, 'Address', true)
  -- 1st parameter : 00 01 03 68 00 21 03 69 = AoB we search for
  -- 2nd parameter : 00 02 03 = AoB we replace with
  -- 3rd parameter : nil = Index, specific index if you wish to activate a single hack
  -- 4th parameter : false = activate hack or not automatically, we didn't want to activate it so we set to false.
  -- 5th parameter : true = register each address and address with a specific symbol (it will unregister if the the specific symbol is taken already..)
  -- 6th parameter : how would we want to define our symbol.. Address1, Address2 .. AddressN
  -- 7th parameter : this is very useful:
  -- returns a table that contains all addresses, entry and entry contains the following:
  -- t[1].address = returns the address (for example 0028978F)
  -- t[1].symbol = returns the symbol of the address if any (for example Address1)
  -- t[1].originalaob = returns the original aob of the address (00 01 03 68 00 21 03 69), useful when using wildcards and wishing to disable (same about the disable and enable function).
  -- t[1].enable() = activates the hack
  -- t[1].disable() = deactivates the hacks (writes back the original bytes of THAT specific address, no wildcards and such..).
  -- t[1].remove() = removes the whole objects of that entry (address,symbol, originalaob,enable(),disable() and remove() will not take any affect anymore), it also disables the hacks.
  print(#t) -- prints how much entries in the t table (like how much aobs were found) in my case 1572.
  t[1].enable() -- will activate first hack of the very first address.
  print(t[1].symbol); --> 'Address1'
  print(t[2].symbol); --> 'Address2'
  -- You may also access the address this way. (as long as they're stored in that table).
  print(t['Address1'].address)
end
_________________
Stealing Code From Stolen Code...
And Admit It.. Hmmm....Typically LOL
AylinCE Grandmaster Cheater Supreme
Reputation: 37
Joined: 16 Feb 2017 Posts: 1533
Posted: Wed Mar 04, 2020 2:19 am
Thanks @Corroder. I'll experiment with them and write up the result.
I hope they interact in-game.
daspamer Grandmaster Cheater Supreme
Reputation: 54
Joined: 13 Sep 2011 Posts: 1588
Posted: Wed Mar 04, 2020 8:38 am
Flash games' bytecode cheats 'apply' only as long as the method you're modifying hasn't been executed (jitted); that explains why you are capable of applying cheats during loading (the data is present but has not been initialized).
If the method is being called as soon as the game is loaded, and not whenever the user is interacting with the game, then I would recommend trying to apply the very same cheat from a different method, or perhaps attempting to pause the process beforehand.
Your activation algorithms are valid and are not the cause of the issue.
_________________
I'm rusty and getting older, help me re-learn lua.
AylinCE Grandmaster Cheater Supreme
Reputation: 37
Joined: 16 Feb 2017 Posts: 1533
Posted: Wed Mar 04, 2020 2:48 pm
@Corroder: I tried your suggestions. The result is the same.
The codes are changing, but the interaction does not appear in the game.
@DaSpamer: You are probably right. I have to explain again.
When the code change is made with CE (all scenarios above have been tried):
While the game is loading, things go well and the codes change.
Sometimes the codes don't change if they are activated in the game.
With the C++ Trainer:
Codes are changing in the game, and the interaction is successful at every step.
The closest code to the method the C++ Trainer uses is the following code.
Code:
function GoldReplacer()
  local search = "60 ?? ?? 66 ?? ?? 66 ?? ?? a2 a0"
  ------------------02 02 02 02 02 02 25 e8 07 a2 a0
  local aobs = AOBScan(search)
  if(aobs ~= nil) then
    check = 2
    for i=0,stringlist_getCount(aobs)-1 do
      local address=stringlist_getString(aobs,i)
      -- read 50 bytes at the match, patch the first 9 in place, write them all back
      local changeTable = readBytes(address,50,true)
      for k=1,6 do
        changeTable[k] = 0x02
      end
      changeTable[7],changeTable[8],changeTable[9] = 0x25,0xe8,0x07
      writeBytes('0x'..address,changeTable)
    end
    object_destroy(aobs);
    aobs=nil
  end
  -- if check==2 then
  --   print("ON")
  -- else
  --   print("OFF")
  -- end
end
Is there a different idea of code change similar to that I can use in CE?
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4718
Posted: Wed Mar 04, 2020 3:04 pm
The other trainer is doing something else if it can toggle options after the code gets jitted. e.g. make the vm jit the code again, or change the assembly if it can be found.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
daspamer Grandmaster Cheater Supreme
Reputation: 54
Joined: 13 Sep 2011 Posts: 1588
Posted: Wed Mar 04, 2020 3:32 pm
Unless swf objects are being (re)loaded, it would work just fine with any of the algorithms above; it's not as complicated as you wish it was.
Assuming the C++ trainer uses the very same as3 bytecodes, then it is doing exactly what you are doing with the aobswap.
ParkourPenguin wrote: "The other trainer is doing something else if it can toggle options after the code gets jitted. e.g. make the vm jit the code again, or change the assembly if it can be found."
It's either that, or it modifies a different method; if it can be enabled and disabled during gameplay, then it's most likely some asm hook.
In order to find the assembly procedure of your as3 method I would recommend initializing some odd number into a variable (_loc_1 = 7399205;), afterward jit the modified method and attempt to locate the asm procedure (by searching for 7399205 with all flags); then you would likely be able to enable/disable and apply even more advanced hacks from this method, but only as long as it is jitted initially.
_________________
I'm rusty and getting older, help me re-learn lua.
AylinCE Grandmaster Cheater Supreme
Reputation: 37
Joined: 16 Feb 2017 Posts: 1533
Posted: Wed Mar 04, 2020 5:27 pm
What I'm trying to say is that with C++ the code exchange works as if it were inside the system.
Perhaps it is time for CE to level up in this regard.
@DaSpamer: You have complex but functional code samples.
@ParkourPenguin: You have unique skills in assembly and the Lua language.
@mgr.inz.Player: You have the intelligence to code CE fundamentally.
@Zanzer, @Panraven, @Csimbi, of course; @Corroder, @freeEr ..
The "CE AobSwap" classic should now be upgraded during the masters' era.
Maybe it should change code faster and deeper. "C++" or "C#" is faster,
but we want to use CE.
Please take note of this request and speed up the classic "AobSwap".
(Sorry for the exuberant article)
Corroder Grandmaster Cheater Supreme
Reputation: 75
Joined: 10 Apr 2015 Posts: 1668
Posted: Wed Mar 04, 2020 6:15 pm
Aylin wrote: "What I'm trying to say is that with C++ the code exchange works as if it were inside the system."
Like I said before: "Then, what exactly does the C++ Trainer do?". That means we can port the steps the C++ one does to CE Lua.
C++ Game Trainer General Rules (from somewhere on this planet):
1. First of all, there's a comment that needs to be added:
Code:
#pragma comment(linker,"/FILEALIGN:512 /MERGE:.rdata=.text /MERGE:.data=.text /SECTION:.text,EWR /IGNORE:4078")
2. Get a handle to the actual window of the game using the FindWindow function:
Code:
HWND FindWindow (LPCTSTR lpClassName, LPCTSTR lpWindowName);
3. Use the function GetWindowThreadProcessId to get the process ID:
Code:
DWORD GetWindowThreadProcessId (HWND hWnd, LPDWORD lpdwProcessId);
4. Pass that ID as an argument in the call to the OpenProcess function:
Code:
HANDLE OpenProcess (DWORD fdwAccess, BOOL fInherit, DWORD IDProcess);
5. Search for the game window. Since we want to be able to start the trainer before starting the game, we'll use a timer as well:
Code:
// assumes globals: HWND hwndWindow; DWORD pid; HANDLE handle; bool Run; and the window title GameWindow
void FindGame (HWND hwnd, WPARAM wParam, LPARAM lParam)
{
  hwndWindow = FindWindow(NULL,GameWindow);
  if(hwndWindow)
  {
    GetWindowThreadProcessId(hwndWindow, &pid);
    handle = OpenProcess(PROCESS_ALL_ACCESS,0,pid);
    Run = true; // we kill the timer by setting the bool to true
  }
}
6. Call this function from a timer and use a boolean. When it is set to true, the game window has been found, so kill the timer:
Code:
case WM_TIMER:
  if(!Run)
  {
    FindGame(hWnd, wParam, lParam);
  }
  else
  {
    KillTimer(hWnd, Timer2);
  }
  break;
7. Another timer for our hotkeys, calling the function that handles them. Example:
Code:
void HotKeys()
{
  if (GetAsyncKeyState(VK_NUMPAD1))
  {
    // poke memory here (see step 8)
  }
}
8. Poke memory addresses.
This is done after a certain hotkey is pressed, so it's only logical that this part lives under the actual hotkey check. Use the WriteProcessMemory function. This writes whatever you want to write, and hence activates the hack:
Code:
BOOL WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesWritten);
9. Declare the bytes and call WriteProcessMemory after the hotkey has been pressed. Example:
Code:
// Hand is the HANDLE returned by OpenProcess; bytes receives the number of bytes written
void HotKeys()
{
  if (GetAsyncKeyState(VK_NUMPAD1))
  {
    BYTE Name[3] = {0x90, 0x90, 0x90};
    WriteProcessMemory(Hand, (void*)0x1234FF, Name, 3, &bytes);
  }
}
Note: setting the timer to 200ms works best for the hotkeys.
Addition:
This covers VirtualProtect, and the use of a "dynamic" array as a function argument.
Have a look at VirtualProtect to change the protection attributes of a certain address when NOPing.
VirtualProtect
Code:
BOOL VirtualProtect(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);
Parameters:
lpAddress
  A pointer to the base address of the region of pages whose access protection attributes are to be changed.
dwSize
  The size of the region whose access protection attributes are to be changed, in bytes. The region of affected pages includes all pages containing one or more bytes in the range from the lpAddress parameter to (lpAddress+dwSize).
flNewProtect
  The memory protection option. This parameter can be one of the memory protection constants.
lpflOldProtect
  [out] A pointer to a variable that receives the previous access protection value of the first page in the specified region of pages. If this parameter is NULL or does not point to a valid variable, the function fails.
As opposed to OpenProcess, VirtualProtect only changes the attributes for a certain address, not an entire process.
To avoid a large amount of repeated code, one could write a function.
The only tricky part would be passing the byte array, which we use with WriteProcessMemory.
Because arrays can't be dynamic, one has to create an array on the heap in order for this to work.
Example:
Code:
VirtualProtect((LPVOID)0x123456, 4, PAGE_EXECUTE_READWRITE, &OldProtect);
First off, change the protection attributes of the address, which is 0x123456.
To do so, use PAGE_EXECUTE_READWRITE.
Most of the time, dwSize is simply 4, since most of the time we are NOPing 4-byte addresses.
OldProtect is a DWORD variable, which is used to store the old protection attributes.
Code:
WriteProcessMemory(hProc, (LPVOID)0x123456, ByteArray, NumberOfBytes, &Bytes);
VirtualProtect((LPVOID)0x123456, 4, OldProtect, &OldProtect);
Last but not least, restore the old protection attributes for the address.
Code:
void WriteMemory(HANDLE hProc, LPVOID MemAddress, BYTE* ByteArray, int NumberOfBytes)
{
  DWORD OldProt;
  DWORD Bytes;
  BYTE * TempArray = new BYTE [NumberOfBytes];
  for(int i = 0; i < NumberOfBytes; i++)
  {
    TempArray[i] = ByteArray[i];
  }
  // VirtualProtect acts on the calling process; for pages inside hProc the
  // matching call is VirtualProtectEx(hProc, ...) with the same remaining arguments
  VirtualProtect(MemAddress, 4, PAGE_EXECUTE_READWRITE, &OldProt);
  WriteProcessMemory(hProc, MemAddress, TempArray, NumberOfBytes, &Bytes);
  VirtualProtect(MemAddress, 4, OldProt, &OldProt);
  delete [] TempArray;
}
This function takes a pointer to a BYTE as an argument.
Because the identifier of an array is also a pointer to its first element, it can use this pointer to copy the data from one array to another.
Don't forget to delete the array on the heap at the end of the function; otherwise, it will create a memory leak.
MemAddress
The function expects a long pointer to void.
Simply create identifiers for each address, which can look like this:
Code:
void* MemoryAddress = (void*) 0x123456;
So, for your (@Aylin) question, the answer should be: "look at no. 5 and 6 above".
Notice this: I am not an expert in any programming language; at least I try to understand what is happening.
_________________
Stealing Code From Stolen Code...
And Admit It.. Hmmm....Typically LOL
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4718
Posted: Wed Mar 04, 2020 8:18 pm
DaSpamer wrote: "It's either that, or it modifies a different method; if it can be enabled and disabled during gameplay, then it's most likely some asm hook."
If the other trainer doesn't work before the code gets jitted, then that's almost certainly what's going on.
Aylin wrote: "What I'm trying to say is that with C++ the code exchange works as if it were inside the system."
Post or link the source code of the other trainer and someone can tell you what you're doing differently in CE. If you don't have the source code, then how do you know what it's doing?
Aylin wrote: "Perhaps it is time for CE to level up in this regard."
Don't blame your tools if you don't know how to use them.
If the other trainer is changing the machine code and not the byte code, then use the auto assembler.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
AylinCE Grandmaster Cheater Supreme
Reputation: 37
Joined: 16 Feb 2017 Posts: 1533
Posted: Thu Mar 05, 2020 1:04 am
You know the CE code exchange and "C++" code exchange scenarios.
You have more information in the "comparison" phase.
In addition, I will give an example:
The code below is a code from game.swf. A code built in 3 points.
Code:
63 05 ?? ?? 24 00 ?? 63 04 d0 46
This tells us that the unique code has 3.
CE ASM Script method: it changes the code in 24 seconds. ("??" wildcards may increase the time)
CE AobSwap method: it changes the code in 38 seconds.
C++ Trainer: it changes the code in 4 seconds.
The codes are 3 and the same. But the replacement reactions are different.
If I put 4x3 such codes in a "Function", the change will exceed minutes.
@Corroder's comment is an example of how "C++" works.
But for example, how much of this encoding can be reflected in CE AobSwap?
Has a faster "AobSwap" method been attempted?
I hope a faster change method will be created. (With CE Lua Script functionality)
Corroder Grandmaster Cheater Supreme
Reputation: 75
Joined: 10 Apr 2015 Posts: 1668
Posted: Thu Mar 05, 2020 3:46 am
I very rarely use AOBSwap(); my method is something like the code below (example code taken from a hack of a multiplayer online flash game):
Code:
function Btn_fun1Click(sender)
  s = AOBScan("a0 62 08 12 0b 00 00 60 bb 4e 66 96 30", "+W*X-C")
  if (s) then
    lngt = s.getCount()
    for x=0, lngt-1, 1 do
      writeBytes(s[x], 0xa0, 0x62, 0x08, 0x11, 0x0b, 0x00, 0x00, 0x60, 0xbb, 0x4e, 0x66, 0x96, 0x30)
    end
    success_msg()
    Btn_fun1.Caption = "Active"
    s.Destroy()
    s = nil
  else
    fail_msg()
    Btn_fun1.Caption = "Failed"
  end
end
_________________
Stealing Code From Stolen Code...
And Admit It.. Hmmm....Typically LOL
daspamer Grandmaster Cheater Supreme
Reputation: 54
Joined: 13 Sep 2011 Posts: 1588
Posted: Thu Mar 05, 2020 5:35 am
Aylin wrote:
  You know the CE code exchange and "C++" code exchange scenarios.
  You have more information in the "comparison" phase.
  In addition, I will give an example:
  The code below is a code from game.swf. A code built in 3 points.
  Code:
  63 05 ?? ?? 24 00 ?? 63 04 d0 46
  This tells us that the unique code has 3.
  CE ASM Script method: it changes the code in 24 seconds. ("??" wildcards may increase the time)
  CE AobSwap method: it changes the code in 38 seconds.
  C++ Trainer: it changes the code in 4 seconds.
  The codes are 3 and the same. But the replacement reactions are different.
  If I put 4x3 such codes in a "Function", the change will exceed minutes.
  @Corroder's comment is an example of how "C++" works.
  But for example, how much of this encoding can be reflected in CE AobSwap?
  Has a faster "AobSwap" method been attempted?
  I hope a faster change method will be created. (With CE Lua Script functionality)
Use aobscan with the writable memory flag, try to avoid wildcards at the beginning of the aob (as it will match more results and then narrow them down), and you can also use memscan to optimize it much more and supply the start and end addresses you would expect.
Or you could try hooking the as3 interpreter (via an asm hook), and while loading the swf read the bytes and apply cheats accordingly; I have a video somewhere on youtube with bubble mystery deluxe.
Anyway, we have given you some solutions and ideas; the very same result can be achieved through many different techniques. It isn't really related to CE functionality; if you don't like it then change it or the way you are working.
_________________
I'm rusty and getting older, help me re-learn lua.
AylinCE Grandmaster Cheater Supreme
Reputation: 37
Joined: 16 Feb 2017 Posts: 1533
Posted: Thu Mar 05, 2020 9:47 am
@DaSpamer, your comments are nice.
But if I could do what I said, I wouldn't have opened this topic.
I have ideas on dozens of topics, but my coding skills are limited or inadequate.
I gave the idea, the masters give the idea, no solution!
@Corroder, the function you provided doesn't want wildcards (in the exchange code).
But the same encoding below accepts wildcards.
Code:
function GoldReplacer()
  local search = "60 ?? ?? 66 ?? ?? ?? ?? ?? ?? 66 ?? ?? a2 a0"
  ------------------02 02 02 02 02 02 ?? ?? ?? ?? 25 e8 07 a2 a0
  local aobs = AOBScan(search)
  if(aobs ~= nil) then
    check = 2
    for i=0,stringlist_getCount(aobs)-1 do
      local address=stringlist_getString(aobs,i)
      -- read 50 bytes at the match; bytes 7-10 are left as they were (the "??" slots)
      local changeTable = readBytes(address,50,true)
      for k=1,6 do
        changeTable[k] = 0x02
      end
      changeTable[11],changeTable[12],changeTable[13] = 0x25,0xe8,0x07
      writeBytes('0x'..address,changeTable)
    end
    object_destroy(aobs);
    aobs=nil
  end
  if check==2 then
    print("Done !")
  else
    print("Could not activate!")
  end
end
------------------------------------
I think you should keep this in mind. This may be a need. People are wondering about the result.
daspamer Grandmaster Cheater Supreme
Reputation: 54
Joined: 13 Sep 2011 Posts: 1588
Posted: Fri Mar 06, 2020 5:15 am
Well, I think I understood what you meant.
Using aobscan can be a time-consuming operation, especially on much lower-end computers.
Running this example
Code:
local aob = "1F ?? ?? ?? 60 ?? 66 ?? ?? 66"
local ts = os.clock();
--aobs = AOBScan(aob,"+W-X")
aobs = AOBScan(aob)
if (aobs) then
  print('found aob');
  aobs.destroy();
end
print('it took',os.clock()-ts,'sec');
at 800 MHz on an i7-4790k took about 3.3 - 3.5 seconds to find the aob when using AOBScan without any flags.
When supplying the "+W-X" flags it took about 2.2-2.3 seconds to find the aob, which is quite significant.
When running at normal cpu speeds it translates to 0.55-0.6 sec for a normal aobscan versus 0.35-0.37 sec with flags.
So, as said earlier, also supply flags, and if that's not sufficient then you may try the memscan class.
Here's a simple aobswap function; hopefully it fits your needs:
Code:
function aobswap(search,replace)
  if (type(search) == 'string' and type(replace)=='string') then
    local aobs = AOBScan(search,"+W-X");
    if (aobs) then
      -- prepare replace table: offset -> byte, "??" offsets are simply absent
      local tn,rt,i = tonumber,{},0
      for byte,id in replace:gsub('[^%w%?]+',''):gmatch('..') do
        byte = tn(byte,16)
        if (byte) then
          rt[i] = byte;
        end
        i = i + 1;
      end
      for i=0,aobs.Count-1 do
        local addr = tn(aobs.getString(i),16);
        for k,v in pairs(rt) do
          writeBytes(addr+k,v)
        end
      end
      aobs.destroy();
      return true;
    end
  end
  return false;
end
local ts = os.clock();
print('changed bytes? - ',tostring(aobswap('1f ?? ?? ?? 60 ?? 66 ?? ?? 66 ?? ?? 66','1f FF FF FF 60 ?? 66 ?? ?? 66 ?? ?? 66')))
print('it took',os.clock()-ts,'sec');
_________________
I'm rusty and getting older, help me re-learn lua.
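The wildcard-aware scan-and-replace that Zanzer's script (quoted in Corroder's first reply) and daspamer's aobswap above both perform, written here as an added Python example so it runs over a constructed byte buffer without Cheat Engine. It is not code from the thread; the buffer, the function names and the helper demo() are constructed for illustration, and the SEARCH/REPLACE strings are the ones from the opening post.

```python
"""Wildcard-aware AOB scan-and-replace over an in-memory buffer.

Constructed example, not code from the thread. The buffer stands in for a
process memory region; '??' in the search matches any byte, and '??' in the
replacement leaves the byte at that position untouched. The original bytes
are saved so the patch can be reverted, which is the state an
[ENABLE]/[DISABLE] pair needs.
"""
from typing import List, Optional, Tuple

WILDCARD = None  # represents a '??' token in a parsed AOB string

# AOB strings from the opening post
SEARCH = "60 ?? ?? 66 ?? ?? 66 ?? ?? a2 a0"
REPLACE = "02 02 02 02 02 02 25 e8 07 a2 a0"

# Constructed sample "memory": two copies of the pattern, separated by filler,
# with different values in the wildcard slots (offsets 4 and 18).
SAMPLE_REGION = bytes.fromhex(
    "00000000"
    "60 11 22 66 33 44 66 55 77 a2 a0"
    "000000"
    "60 01 02 66 03 04 66 05 06 a2 a0"
    "0000"
)


def parse_aob(aob: str) -> List[Optional[int]]:
    """Turn '48 83 ?? E8' into [0x48, 0x83, None, 0xE8].

    Whitespace is ignored, so '4883??E8' parses the same way (the
    normalisation Panraven's aob2bt applies). Odd digit counts and tokens
    that are neither two hex digits nor '??' are rejected.
    """
    compact = "".join(aob.split())
    if len(compact) % 2:
        raise ValueError(f"odd number of hex digits in {aob!r}")
    out: List[Optional[int]] = []
    for i in range(0, len(compact), 2):
        tok = compact[i:i + 2]
        if tok == "??":
            out.append(WILDCARD)
        else:
            try:
                out.append(int(tok, 16))
            except ValueError:
                raise ValueError(f"bad byte token {tok!r} in {aob!r}") from None
    return out


def aob_scan(region: bytes, pattern: List[Optional[int]]) -> List[int]:
    """Return every offset in region where pattern matches (None = any byte)."""
    n = len(pattern)
    # Cheap pre-check on the first literal byte before the full compare; a
    # pattern that starts with wildcards has no such anchor, which is why the
    # thread advises against leading '??'.
    first = next((i for i, b in enumerate(pattern) if b is not None), None)
    hits = []
    for off in range(0, len(region) - n + 1):
        if first is not None and region[off + first] != pattern[first]:
            continue
        if all(p is None or region[off + k] == p for k, p in enumerate(pattern)):
            hits.append(off)
    return hits


def aob_swap(region: bytearray, search: str, replace: str) -> Tuple[List[int], List[bytes]]:
    """Patch every match of search with replace, keeping bytes under '??'.

    Returns the matched offsets and the original bytes at each match, which
    aob_restore() uses to undo the patch.
    """
    pat, rep = parse_aob(search), parse_aob(replace)
    offsets = aob_scan(bytes(region), pat)
    backups = []
    for off in offsets:
        if off + len(rep) > len(region):
            raise ValueError(f"replacement at offset {off} runs past the region")
        backups.append(bytes(region[off:off + len(rep)]))
        for k, b in enumerate(rep):
            if b is not WILDCARD:
                region[off + k] = b
    return offsets, backups


def aob_restore(region: bytearray, offsets: List[int], backups: List[bytes]) -> None:
    """Undo aob_swap: write the saved original bytes back at each offset."""
    for off, saved in zip(offsets, backups):
        region[off:off + len(saved)] = saved


def demo() -> Tuple[List[int], bytes, bool]:
    """Enable then disable the gold patch on the sample region."""
    region = bytearray(SAMPLE_REGION)
    offsets, backups = aob_swap(region, SEARCH, REPLACE)
    patched = bytes(region)
    aob_restore(region, offsets, backups)
    return offsets, patched, bytes(region) == SAMPLE_REGION
```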