andrei1058 How do I cheat? Reputation: 0
Joined: 01 Jul 2020 Posts: 6
Posted: Wed Jul 01, 2020 5:40 am Post subject: Address showing up only after using another cheat table |
Recently got into game hacking, and I've made a lot of progress, working on even level 3-4 pointers. I've tried a new game today, and my problem is that, once I found the address and what writes to it, I see what address I should look for. I do a new scan, and nothing shows up. If I use a cheat table, let it run its scripts, and then go back to my original Cheat Engine window and do a new scan on the exact same address found earlier, I get the address for the pointer. Why is that happening? If there is an explanation, how can I find that address in the future, provided that I won't have another cheat table made by someone else? Thanks!
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4299
Posted: Wed Jul 01, 2020 10:20 am Post subject: |
Maybe a script in the other table is injecting code to copy the address (search "injection copy").
If you may post the relevant script(s) in that other table, I could say with more certainty.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
andrei1058 How do I cheat? Reputation: 0
Joined: 01 Jul 2020 Posts: 6
Posted: Wed Jul 01, 2020 10:24 am Post subject: |
ParkourPenguin wrote: | Maybe a script in the other table is injecting code to copy the address (search "injection copy").
If you may post the relevant script(s) in that other table, I could say with more certainty. |
Sweet. Thanks for answering, here's the script
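[ENABLE]
// Cheat Engine auto-assembler script, x86-64 target (wwzRetailEgs.exe).
// Hooks the 9-byte sequence found by the AOB scan below (mov eax,[rdx+08] /
// mov [rcx],00000001), dispatches on r14d to tell apart the field being read,
// and copies rdx into registered *Ptr symbols so the address list can use them.
// The *Flag symbols (initialised to 1) gate the value writes in each branch.
aobscanmodule(WWZ_AccountData,wwzRetailEgs.exe,8B 42 08 C7 01 01 00 00 00) // should be unique
alloc(newmem,512,WWZ_AccountData)
label(classXP)
alloc(classXPPtr,8)
registersymbol(classXPPtr)
label(currentClassXP)
alloc(currentClassXPPtr,8)
registersymbol(currentClassXPPtr)
label(supplies)
alloc(suppliesPtr,8)
registersymbol(suppliesPtr)
label(credits)
alloc(creditsPtr,8)
registersymbol(creditsPtr)
// Four separate allocations; every one of them must be released in [DISABLE].
alloc(weaponXPFlag,4)
alloc(classXPFlag,4)
alloc(supplyFlag,4)
alloc(creditFlag,4)
registersymbol(weaponXPFlag)
registersymbol(classXPFlag)
registersymbol(supplyFlag)
registersymbol(creditFlag)
weaponXPFlag:
dd 1
classXPFlag:
dd 1
supplyFlag:
dd 1
creditFlag:
dd 1
label(code)
label(return)
newmem:
// rax is preserved here and restored at code:, where the original
// mov eax,[rdx+08] overwrites it anyway.
push rax
cmp r14d,00800005
jne currentClassXP
cmp [rdx+20],0
jne classXP
cmp [rdx+28],#115
jne classXP
mov rax,rdx
cmp [rax+14],0
je code
mov rax,[rax+10]
test rax,rax
je code
cmp [rax],#203
jne code
cmp [rax+490],'XP c'
jne code
cmp [weaponXPFlag],1
jne code
mov [rdx+08],1 //weapon exp cost
jmp code
classXP:
//jmp code
cmp [rdx+20],1
jne code
cmp r12,B
jne code
cmp rax,1
jne code
cmp [rdx+68],#211
jne code
mov rax,rdx
cmp [rax+14],0
je code
mov rax,[rax+10]
test rax,rax
je code
cmp [rax+05F0],'XP t'
jne code
mov [classXPPtr],rdx
//cmp [rdx+08],1
jmp code
currentClassXP:
cmp r14d,00800012
jne supplies
cmp r12,1
jne code
test r11,r11
je code
cmp [r11+410],'expe'
jne code
mov [currentClassXPPtr],rdx
cmp [classXPFlag],1
jne code
//mov eax,[rdx+08]
mov [rdx+08],#99999
jmp code
supplies:
//jmp code
cmp r14d,00800014
jne credits
cmp [rdx+20],1
jne code
//cmp [rdx+28],0
//jne code
test r11,r11
je code
cmp [r11+1D10],'Curr'
jne code
//cmp [rdx+250],'resource'
//jne code
mov [suppliesPtr],rdx
cmp [supplyFlag],1
jne code
//mov eax,[rdx+08]
cmp [rdx+08],#30000
jge code
add [rdx+08],#99999
jmp code
credits:
//jmp supplies
cmp r14d,00800015
jne code
cmp [rdx+20],1
jne code
test r11,r11
je code
cmp [r11+1C70],'Curr'
jne code
//cmp [rdx+28],#25
//jne code
mov [creditsPtr],rdx
cmp [creditFlag],1
jne code
//mov eax,[rdx+08]
cmp [rdx+08],#30000
jge code
add [rdx+08],#99999
jmp code
code:
// Common exit: restore rax, then run the two overwritten original instructions.
pop rax
mov eax,[rdx+08]
mov [rcx],00000001
jmp return
WWZ_AccountData:
jmp newmem
nop 4   // jmp rel32 is 5 bytes; pad to the 9 bytes replaced
return:
registersymbol(WWZ_AccountData)
[DISABLE]
// Restore the original 9 bytes at the injection point.
WWZ_AccountData:
db 8B 42 08 C7 01 01 00 00 00
unregistersymbol(creditsPtr)
unregistersymbol(suppliesPtr)
unregistersymbol(currentClassXPPtr)
unregistersymbol(classXPPtr)
// weaponXPPtr was never allocated in [ENABLE]; the four *Flag allocations were,
// and they are the ones that must be unregistered and released here.
unregistersymbol(weaponXPFlag)
unregistersymbol(classXPFlag)
unregistersymbol(supplyFlag)
unregistersymbol(creditFlag)
unregistersymbol(WWZ_AccountData)
dealloc(creditsPtr)
dealloc(suppliesPtr)
dealloc(currentClassXPPtr)
dealloc(classXPPtr)
dealloc(weaponXPFlag)
dealloc(classXPFlag)
dealloc(supplyFlag)
dealloc(creditFlag)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "wwzRetailEgs.exe"+5CFC78
"wwzRetailEgs.exe"+5CFC4F: CC - int 3
"wwzRetailEgs.exe"+5CFC50: 48 63 02 - movsxd rax,dword ptr [rdx]
"wwzRetailEgs.exe"+5CFC53: 83 F8 07 - cmp eax,07
"wwzRetailEgs.exe"+5CFC56: 0F 87 89 00 00 00 - ja wwzRetailEgs.exe+5CFCE5
"wwzRetailEgs.exe"+5CFC5C: 4C 8D 0D 9D 03 A3 FF - lea r9,[wwzRetailEgs.exe]
"wwzRetailEgs.exe"+5CFC63: 45 8B 84 81 E8 FC 5C 00 - mov r8d,[r9+rax*4+005CFCE8]
"wwzRetailEgs.exe"+5CFC6B: 4D 03 C1 - add r8,r9
"wwzRetailEgs.exe"+5CFC6E: 41 FF E0 - jmp r8
"wwzRetailEgs.exe"+5CFC71: C7 01 00 00 00 00 - mov [rcx],00000000
"wwzRetailEgs.exe"+5CFC77: C3 - ret
// ---------- INJECTING HERE ----------
"wwzRetailEgs.exe"+5CFC78: 8B 42 08 - mov eax,[rdx+08]
"wwzRetailEgs.exe"+5CFC7B: C7 01 01 00 00 00 - mov [rcx],00000001
// ---------- DONE INJECTING ----------
"wwzRetailEgs.exe"+5CFC81: 89 41 08 - mov [rcx+08],eax
"wwzRetailEgs.exe"+5CFC84: C3 - ret
"wwzRetailEgs.exe"+5CFC85: 0F B6 42 08 - movzx eax,byte ptr [rdx+08]
"wwzRetailEgs.exe"+5CFC89: 88 41 08 - mov [rcx+08],al
"wwzRetailEgs.exe"+5CFC8C: C7 01 02 00 00 00 - mov [rcx],00000002
"wwzRetailEgs.exe"+5CFC92: C3 - ret
"wwzRetailEgs.exe"+5CFC93: F3 0F 10 42 08 - movss xmm0,[rdx+08]
"wwzRetailEgs.exe"+5CFC98: F3 0F 11 41 08 - movss [rcx+08],xmm0
"wwzRetailEgs.exe"+5CFC9D: C7 01 03 00 00 00 - mov [rcx],00000003
"wwzRetailEgs.exe"+5CFCA3: C3 - ret
}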
suppliesPtr is what I look for
EDIT: So, I've looked up what those instructions do. suppliesPtr takes the value of rdx. In my first table, when I tried to find what accessed that address, I had to search for the rdx and add an offset of 8. In this table, they add the same offset to suppliesPtr, because it is the same rdx, and everything seems logical. What I don't understand is why, when I search for that rdx, nothing shows up?
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4299
Posted: Wed Jul 01, 2020 11:03 am Post subject: |
Yeah, that's an injection copy (in so many lines). Search on youtube or something else and you'll get a few tutorials.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
andrei1058 How do I cheat? Reputation: 0
Joined: 01 Jul 2020 Posts: 6
Posted: Wed Jul 01, 2020 11:08 am Post subject: |
ParkourPenguin wrote: | Yeah, that's an injection copy (in so many lines). Search on youtube or something else and you'll get a few tutorials. |
Alright, I'll do some research. If you can, just point me to any source that explains why this happens. I don't quite understand how and why this works (not talking about injection copy, but about the thing with the address). Thanks a lot!
EDIT: Also, what impact does injection copy have on my process ?
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4299
Posted: Wed Jul 01, 2020 11:24 am Post subject: |
An injection copy is a type of code injection- a change to the game's code. What "impact" it has depends on what change you make.
Code: | mov [suppliesPtr],rdx | This is the instruction that copies the address. After the script is activated and the game executes this code, the address rdx gets written to [suppliesPtr]. It doesn't exist before; it will exist after. That's all there is to the "thing with the address". Nothing magical.
Perhaps you should try completing the CE tutorial.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
andrei1058 How do I cheat? Reputation: 0
Joined: 01 Jul 2020 Posts: 6
Posted: Thu Jul 02, 2020 2:26 am Post subject: |
ParkourPenguin wrote: | An injection copy is a type of code injection- a change to the game's code. What "impact" it has depends on what change you make.
Code: | mov [suppliesPtr],rdx | This is the instruction that copies the address. After the script is activated and the game executes this code, the address rdx gets written to [suppliesPtr]. It doesn't exist before; it will exist after. That's all there is to the "thing with the address". Nothing magical.
Perhaps you should try completing the CE tutorial. |
I actually did complete it, and already knew what "mov" does. I didn't phrase it well enough, I think: the "thing with the address" was supposed to mean why I can't see it before. Why, when I'm searching for that address, is it not there before doing the injection copy? I think I get why I can see it after: because I create it, it is present in the process.
EDIT: actually, what would be the difference between alloc and globalalloc, and why do I sometimes see registerSymbol?
EDIT2: figured out the first edit; the question of why I can't see them before still remains, but now I got stuck. When I try to do AOB injection, it just gives me a random base. I think it's because there are a lot of addresses that access it, and I've seen that only one should be there. Why is this working for the other cheat table? We are injecting at the same point.
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4299
Posted: Thu Jul 02, 2020 10:31 am Post subject: |
You can't see it before activating the script because the script is what creates it. It simply doesn't exist before then. If you try to scan for it, you won't find it because the script hasn't created it yet. The memory for the value hasn't even been allocated yet, let alone initialized.
registersymbol will make a symbol accessible outside of the script it's defined in. e.g. registersymbol(foo) will allow you to use "foo" in the address list.
alloc and globalalloc both allocate memory. globalalloc will only allocate memory for the same symbol once, and it will automatically register the symbol. alloc does neither- it just allocates memory.
That instruction accesses multiple addresses. See step 9 of the CE tutorial for more information, and various guides/tutorials of step 9 (or even that script you posted) for examples of how to deal with it.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |