Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
memory scanner info

marco0999
Cheater
Reputation: 0

Joined: 28 Jun 2020
Posts: 29
Location: Italy

Posted: Sun Jun 28, 2020 7:21 am    Post subject: memory scanner info

I like to add the force feedback on games that don't support it.

To do this I thought to intercept when the game opens some specific audio wav file (e.g. collision.wav, damage.wav, connon.wav, etc.).

I have tried with a memory scanner to see when the audio file is loaded. Here is a part of the code:

Code:

            // Size of MEMORY_BASIC_INFORMATION: 28 bytes in a 32-bit build, 48 in a 64-bit one,
            // so take it from the struct (needs using System.Runtime.InteropServices) instead of
            // hard-coding 28. Assumes the VirtualQueryEx P/Invoke declares dwLength as uint.
            uint mbiSize = (uint)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION));

            while (proc_min_address_l < proc_max_address_l)
            {
                // a return value of 0 means the query failed; stop instead of looping forever
                // on a RegionSize that was never filled in
                if (VirtualQueryEx(processHandle, proc_min_address, out mem_basic_info, mbiSize) == 0)
                    break;

                // if this memory chunk is committed, writable and not an image mapping
                if (mem_basic_info.Protect == PAGE_READWRITE && mem_basic_info.State == MEM_COMMIT && (mem_basic_info.lType == MEM_MAPPED || mem_basic_info.lType == MEM_PRIVATE))
                {
                    byte[] buffer = new byte[mem_basic_info.RegionSize];

                    // read the whole region into the buffer above
                    ReadProcessMemory((int)processHandle, mem_basic_info.BaseAddress, buffer, mem_basic_info.RegionSize, ref bytesRead);

                    // ASCII is enough for file names; non-text bytes simply decode to '?'
                    string result = System.Text.Encoding.ASCII.GetString(buffer);

                    // count every occurrence in the region, not one per region as Contains() would
                    int idx = TextToFind.Length == 0 ? -1 : result.IndexOf(TextToFind, StringComparison.Ordinal);
                    while (idx >= 0)
                    {
                        MatchCount++;
                        idx = result.IndexOf(TextToFind, idx + 1, StringComparison.Ordinal);
                    }

                    // then output this in the file
                    //for (int i = 0; i < mem_basic_info.RegionSize; i++)
                    //    sw.WriteLine("0x{0} : {1}", (mem_basic_info.BaseAddress + i).ToString("X"), (char)buffer[i]);
                }

                // move to the next memory chunk
                proc_min_address_l += mem_basic_info.RegionSize;
                proc_min_address = new IntPtr(proc_min_address_l);
            }


Unfortunately there is a problem: this code works only the first time, because as time passes there are multiple matches of 'TextToFind' in memory (MatchCount), so it is not easy to detect when the game plays a wav file again.

So I thought of a solution like this:

for each memory scan I load a temp structure array that contains information about every match (wav_name and base_address), e.g.:

Arr[0].FileName='Collision.wav';
Arr[0].BaseAddress= 54354646;

Arr[1].FileName='Collision.wav';
Arr[1].BaseAddress= 67576575;

Arr[2].FileName='Collision.wav';
Arr[2].BaseAddress= 354664;

after every scan I can do a check like this:

if (Updated_Array != Previous_Array_Copy)
// the wav file was load


Theoretically, does this work? Or is there another easy way to do this?

Thanks!!
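As an added example (not code from the thread), the scan-and-diff idea above in portable C++: constructed byte buffers stand in for regions read with ReadProcessMemory, and the Match, scan_region, new_matches and make_region names are hypothetical.

```cpp
#include <cstdint>
#include <cstring>
#include <set>
#include <string>
#include <tuple>
#include <vector>

// One recorded hit: the poster's (FileName, BaseAddress) pair.
struct Match {
    std::string file_name;
    uintptr_t address;
    bool operator<(const Match& o) const {
        return std::tie(file_name, address) < std::tie(o.file_name, o.address);
    }
};

// Find every occurrence of needle in one region read from the target process.
// Unlike result.Contains() in the C# snippet, which counts a region at most once,
// this records each hit with its absolute address.
std::set<Match> scan_region(const std::vector<uint8_t>& region, uintptr_t base,
                            const std::string& needle) {
    std::set<Match> found;
    if (needle.empty() || region.size() < needle.size()) return found;
    for (size_t i = 0; i + needle.size() <= region.size(); ++i) {
        if (std::memcmp(region.data() + i, needle.data(), needle.size()) == 0)
            found.insert({needle, base + i});
    }
    return found;
}

// The "Updated_Array != Previous_Array_Copy" check, but returning which entries are
// new, so one fresh load stands out from the stale copies still sitting in memory.
std::set<Match> new_matches(const std::set<Match>& previous,
                            const std::set<Match>& current) {
    std::set<Match> fresh;
    for (const Match& m : current)
        if (previous.count(m) == 0) fresh.insert(m);
    return fresh;
}

// Builds a constructed region from a string (stands in for a ReadProcessMemory result).
std::vector<uint8_t> make_region(const std::string& bytes) {
    return std::vector<uint8_t>(bytes.begin(), bytes.end());
}
```

The diff still misses a clip the game frees and reloads at the same address, and it cannot say which of several identical copies is the one being played; that is the gap the hooking approach suggested in the replies closes.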
atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8587
Location: 127.0.0.1

Posted: Sun Jun 28, 2020 6:11 pm    Post subject:

You'd be better off hooking the function (or creating a code cave within it) that loads the sounds and working from there than relying on scanning for memory allocations for the clips.
_________________
- Retired.
marco0999
Cheater
Reputation: 0

Joined: 28 Jun 2020
Posts: 29
Location: Italy

Posted: Mon Jun 29, 2020 1:50 am    Post subject:

Hi atom0s,

many thanks for your response

To be honest, at the moment I don't have the skill to do it. I suppose what you suggest can be done better in C++? Is that correct?

Do you know if there is sample code ready to use that does a similar thing? So I can modify it as well.

Thanks!
atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8587
Location: 127.0.0.1

Posted: Mon Jun 29, 2020 6:44 pm    Post subject:

The term 'better' is honestly subjective here and ultimately depends on what you are comfortable with handling. Doing this in C++ can be easy for some, impossible for others for example. You can accomplish this completely in CE's auto assembler as well.

In C++ it's generally a bit easier since you are able to write all the actual logic in normal code, vs. having to write out the assembly for it by hand.

There are various examples on this site in the coding section showing how to write code caves and function hooks/patches with various libraries that can help get you started if you decide to go the C++ route though. But, any language that can access the Win32 API and can create a standard DLL can handle this.

_________________
- Retired.
marco0999
Cheater
Reputation: 0

Joined: 28 Jun 2020
Posts: 29
Location: Italy

Posted: Wed Jul 01, 2020 2:17 am    Post subject:

Hi atom0s,

Your response is useful.

For now I have understood that what I would like to do is not easy, especially if there is no experience in game hacking in general.

Probably knowing what the best tools are can be a good starting point.

I ask you: what are the best debugger, exe patcher, and other tools that can be useful for this purpose?

In short I think (and for this I ask your suggestions) these are the steps:

1) Debug the game and find all assembly points (in my case there are a minimum of 7-10 points) where I must put the jump to my external DLL that executes the force feedback.
2) Patch the exe to force the calls to my external DLL for each point.
3) Create the DLL in C++ or C# with the code that I need (to begin, a message 'jump 1', 'jump 2', etc. is sufficient). If it works I can replace it with FFB code.
4) Because the force feedback needs to initialize and clear, I must add 2 other jumps to my DLL when the game starts and closes, and this value must be kept in a DLL variable until the game closes.

Are these steps correct in theory? Or is a different approach better?

Thanks!
atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8587
Location: 127.0.0.1

Posted: Wed Jul 01, 2020 7:51 pm    Post subject:

I'd suggest finding the function that is actually playing the wave files and not where they are being loaded/stored in memory. Hook onto the function that is playing them and you can do all the work needed from there to deal with the feedback and such instead of trying to specifically monitor for the chunks in memory.

So for your list of steps:

1. - I'd avoid doing it that way, unless absolutely required. This is just more work than needs to be done to get something like this accomplished.

2. - This would need to be done, yes. If you can narrow down things to the single function, you would only need 1 patch then.

3. - For basics to get started, yea that's generally a simple way to ensure things are working and your stuff is being called.

4. - Not really needed. You can use bool checks in your code to tell if the initialization has happened yet, if not, do it and set the flag to true. When the DLL is unloaded/game is unloaded you can handle the cleanup as needed. That'll allow things to work on the fly whenever you want.

_________________
- Retired.
marco0999
Cheater
Reputation: 0

Joined: 28 Jun 2020
Posts: 29
Location: Italy

Posted: Thu Jul 02, 2020 1:55 am    Post subject:

Hi atom0s,

Your suggestions opened my eyes to this world, which until some days ago seemed impossible but now all makes more sense.

About hooking directly the function that plays the wav, you are right that it is the best solution, but if I hook this function directly, is it possible to know which audio file plays?

Apart from this, if you were in my place, what tools would you use (patcher, debugger, etc.)?

Many thanks again!!
atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8587
Location: 127.0.0.1

Posted: Fri Jul 03, 2020 2:03 pm    Post subject:

It would depend on the function parameters that it expects. You would need to reverse the function and see how it's being called and what parameters it takes. In some cases, this may involve hooking more than one function though.

For example, in a simple case, the function may be defined as:

Code:

bool play_sound(const char* filepath, int32_t volume);


In this kind of case, you have the path passed directly to the play function which you can hook onto and know the path from the parameters.

In another case, they could be using a more generalized setup such as:

Code:

void* load_sound(const char* filepath);
bool play_sound(void* buffer, int32_t volume);


In this case, you would need to hook both of these functions. You would hook load_sound to monitor for file loads and store the returned buffer pointer and the file name somewhere for later use. You would also hook the play_sound function to monitor for what pointer is being passed through the buffer parameter. You would compare that pointer to the ones you stored in load_sound to match the names and such then.

(There would generally be a 3rd function to hook too which frees the buffers so you don't keep large maps of data laying around if they are constantly reloading sounds over and over from disk instead of reusing old buffers.)

Tool wise, ultimately depends on the target. I personally mostly use:
- Cheat Engine
- IDA
- OllyDbg
- x64Dbg

Hooking/patching wise, I code all my own stuff. But for doing the main hooking, I generally use Microsoft Detours if I have no concerns of being detected by an anti-cheat or similar. Otherwise, I'll do my own hooking manually.

_________________
- Retired.
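An added example, not atom0s's or any project's code, of the bookkeeping the two-function case above needs: a constructed stand-in for the game's load/play/free calls is hooked through plain function pointers, which is what a detour trampoline hands a hook anyway; every name here (game_load_sound, hook_play_sound, g_sounds and so on) is hypothetical.

```cpp
#include <cstdint>
#include <cstdlib>
#include <map>
#include <string>
#include <vector>

// Stand-in for the game's own sound API (constructed for this example, not a real game).
static void* game_load_sound(const char* filepath) { (void)filepath; return std::malloc(16); }
static bool  game_play_sound(void* buffer, int32_t volume) { return buffer != nullptr && volume >= 0; }
static void  game_free_sound(void* buffer) { std::free(buffer); }

// A detour hands each hook a pointer to the original function (the trampoline);
// plain function pointers play that role here.
using LoadFn = void* (*)(const char*);
using PlayFn = bool (*)(void*, int32_t);
using FreeFn = void (*)(void*);
static LoadFn orig_load = game_load_sound;
static PlayFn orig_play = game_play_sound;
static FreeFn orig_free = game_free_sound;

// buffer pointer -> file name: filled by the load hook, looked up by the play hook,
// erased by the free hook so a reused address is never attributed to a stale name.
static std::map<void*, std::string> g_sounds;
static std::vector<std::string> g_played;  // names seen by play_sound, for inspection

void* hook_load_sound(const char* filepath) {
    void* buf = orig_load(filepath);
    if (buf && filepath) g_sounds[buf] = filepath;
    return buf;
}

bool hook_play_sound(void* buffer, int32_t volume) {
    auto it = g_sounds.find(buffer);
    // unknown buffer: loaded before the hook went in, or already freed; do not guess
    g_played.push_back(it == g_sounds.end() ? std::string("<unknown>") : it->second);
    // the force-feedback trigger would go here, keyed on the resolved name
    return orig_play(buffer, volume);
}

void hook_free_sound(void* buffer) {
    g_sounds.erase(buffer);
    orig_free(buffer);
}

const std::vector<std::string>& played_names() { return g_played; }
size_t tracked_count() { return g_sounds.size(); }
```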
marco0999
Cheater
Reputation: 0

Joined: 28 Jun 2020
Posts: 29
Location: Italy

Posted: Sat Jul 04, 2020 9:44 am    Post subject:

Hi atom0s,

Thanks to your help I think we have made progress.

Here is the function that I suppose plays the wav file (or begins to do it):

Code:

sub_43AC70
int __cdecl sub_43AC70(char *a1, int a2)
{
  int i; // [esp+0h] [ebp-4h]

  // walk the linked list returned by sub_43BC50: the next pointer sits at offset 0,
  // the entry's name string at offset 4 and a numeric id at offset 88
  for ( i = sub_43BC50(); i; i = *(_DWORD *)i )
  {
    // match on the id, and on the name too when one was supplied (case-insensitive)
    if ( *(_DWORD *)(i + 88) == a2 && (!a1 || !stricmp((const char *)(i + 4), a1)) )
      return i;
  }
  return 0;
}


Attached there are some screenshots that contain the reasons why I think this is the right function. Is it correct? Or is it necessary to search again?

To confirm whether it is true or not I thought of one of these ways:

1) (simple way) add a jump to an easy command line utility, e.g.:
call FFback.exe "weapon.wav" (so I can create an empty project that writes a log file with the parameter, in this case 'weapon.wav').

2) (more complicated) a jump to a DLL FFback.dll that calls ExecFFB(string FileName) (so I can create an empty DLL project in C# with one function ExecFFB(string FileName) with a log file that writes the parameter).

To do one of these 2 options I need to write the "jump" code in assembler.

I'm not familiar with assembler, but I don't think it needs too much code.

Can you please suggest the assembly code for the jump to add to the game exe?

Thanks!