Cheat Engine: The Official Site of Cheat Engine
sandsmaster (Newbie cheater)
Reputation: 1
Joined: 21 Jan 2021
Posts: 24

Posted: Fri Jan 22, 2021 12:51 pm    Post subject: Save values like registersymbol does, without injection

Hi everyone!
I'm trying to get the hunger pointer from a game called Cryofall.

In a nutshell, I found the value and ran most of the pointer scans that Cheat Engine offers,
but there are no stable pointers. I tried with pointers of level 9 and max offset 1024, and
found around a billion (10^9), but none is stable. I heard that Cryofall uses some kind of memory
randomization, so this removes static addresses (but I just heard about it).
So I went for "what writes to this address" and found an entry that modifies 4 values. So far so good,
but just that far, because then I tried an AOB script with just a registersymbol for the "hunger" register.
Unfortunately Cryofall has some anti-cheat there, so the game crashes on jumping to the script.

Here's the code if you're curious:
 
 
Code:
{ Game   : dotnet.exe Version:
 Date   : 2021-01-22
 Author : botcho
 
 This script does blah blah blah
 }
 
 [ENABLE]
 
 aobscan(GetHung,89 4A 04 C5 FB 11 B6 80 00 00 00) // should be unique
 alloc(newmem,$1000,7FFC6A52EC12)
 
 label(code)
 label(return)
 label(hunger)
 registersymbol(hunger)
 
 newmem:
 
 hunger:
 dd 0
 
 code:
 mov [rdx+04],ecx // ecx got the value
 mov [hunger],ecx
 vmovsd [rsi+00000080],xmm6
 jmp return
 
 GetHung:
 jmp newmem
 nop 6
 return:
 registersymbol(GetHung)
 
 [DISABLE]
 
 GetHung:
 db 89 4A 04 C5 FB 11 B6 80 00 00 00
 
 unregistersymbol(hunger)
 unregistersymbol(GetHung)
 dealloc(newmem)
 
 {
 // ORIGINAL CODE - INJECTION POINT: 7FFC6A52EC12
 
 7FFC6A52EBED: 0F B6 D2                       -  movzx edx,dl
 7FFC6A52EBF0: 85 C2                          -  test edx,eax
 7FFC6A52EBF2: 74 14                          -  je 7FFC6A52EC08
 7FFC6A52EBF4: C5 FB 10 86 80 00 00 00        -  vmovsd xmm0,[rsi+00000080]
 7FFC6A52EBFC: C5 F9 2E C6                    -  vucomisd xmm0,xmm6
 7FFC6A52EC00: 7A 06                          -  jp 7FFC6A52EC08
 7FFC6A52EC02: 0F 84 E2 00 00 00              -  je 7FFC6A52ECEA
 7FFC6A52EC08: B8 01 00 00 00                 -  mov eax,00000001
 7FFC6A52EC0D: 48 8B D7                       -  mov rdx,rdi
 7FFC6A52EC10: 88 02                          -  mov [rdx],al
 // ---------- INJECTING HERE ----------
 7FFC6A52EC12: 89 4A 04                       -  mov [rdx+04],ecx
 7FFC6A52EC15: C5 FB 11 B6 80 00 00 00        -  vmovsd [rsi+00000080],xmm6
 // ---------- DONE INJECTING  ----------
 7FFC6A52EC1D: 48 8B 5E 50                    -  mov rbx,[rsi+50]
 7FFC6A52EC21: 48 83 7E 48 00                 -  cmp qword ptr [rsi+48],00
 7FFC6A52EC26: 75 4A                          -  jne 7FFC6A52EC72
 7FFC6A52EC28: 48 8B 0F                       -  mov rcx,[rdi]
 7FFC6A52EC2B: 48 89 4D A0                    -  mov [rbp-60],rcx
 7FFC6A52EC2F: 48 8D 4D A0                    -  lea rcx,[rbp-60]
 7FFC6A52EC33: E8 38 BF 1D FD                 -  call 7FFC6770AB70
 7FFC6A52EC38: 48 8B F0                       -  mov rsi,rax
 7FFC6A52EC3B: C5 F8 28 C6                    -  vmovaps xmm0,xmm6
 7FFC6A52EC3F: 33 D2                          -  xor edx,edx
 }
 
 
I've cheated in a few dozen games, but never got that before. Curious whether there is an
anti-cheat that resets the pointers on start. Maybe not, but I haven't seen it before.
What makes me more suspicious is that the game is nearly 700 MB.

Any help would be of help.
_________________

I don't post too much. yet.
Last edited by sandsmaster on Tue Jan 26, 2021 5:44 pm; edited 1 time in total
ParkourPenguin (I post too much)
Reputation: 152
Joined: 06 Jul 2014
Posts: 4704

Posted: Fri Jan 22, 2021 1:48 pm
				| Higher max offset, multiple pointermaps, and ~3 max offsets per node would be better pointer scanner settings. Might be irrelevant since the engine uses .NET, and I've always had problems finding static pointers in games using interpreted/jitted code. (I'm pretty sure it was actually some .NET game where I eventually traced back a pointer path's base address to an immediate in an instruction) 
 It crashes because you don't know how to write AA scripts. (code tags also exist)
 
You're jumping to a bunch of 0 bytes before getting to the code. Put hunger far away from the code.

Code:
newmem:
 hunger:
 dd 0
 
 code:
 ...
 
 GetHung:
 jmp newmem
 ...
 
You could also put the label right after the end of your code, but it might not be aligned then (not a big issue, just annoying to me).

Code:
newmem+800:
hunger:
 dd 0
 
 The third parameter to alloc should be the symbol used in the aobscan (i.e. "GetHung"); otherwise, it might get allocated more than 2GB away from the injection point and crash next time you restart the game. (this is the template's fault IIRC)
 
Code:
aobscan(GetHung,89 4A 04 C5 FB 11 B6 80 00 00 00)
alloc(newmem,$1000,GetHung)
 
 You appear to be copying a value (i.e. ecx) and not the address of the value (i.e. rdx). If you only want to read from the value, I guess it's fine, but if you also want to write to it, this is wrong. (don't forget to change dd to dq under "hunger:" for storing 64-bit registers)
_________________

I don't know where I'm going, but I'll figure it out when I get there.
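The two encoding facts behind the advice above, the 5-byte jmp only reaching an allocation within a signed 32-bit displacement and the nop count having to cover exactly the bytes the jmp replaces, checked in an added Python example that is not from the thread; the "near" and "far" allocation addresses are hypothetical, the injection address and byte pattern are the ones from the posted script.

```python
# Added example, not code from the thread or from Cheat Engine.

def jmp_rel32(src, dst):
    """Return the 5-byte 'jmp rel32' (E9 + disp32) from src to dst, or None
    when dst is outside the signed 32-bit displacement range. This is the
    +/-2 GB limit that makes a far-away alloc crash on a later restart."""
    disp = dst - (src + 5)            # displacement is relative to the next instruction
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        return None
    return b"\xE9" + (disp & 0xFFFFFFFF).to_bytes(4, "little")


def nop_padding(original_bytes):
    """NOP bytes needed after the 5-byte jmp so that exactly the replaced
    instruction bytes are covered (the number used in 'nop N')."""
    n = len(original_bytes)
    if n < 5:
        raise ValueError("need at least 5 bytes to place a jmp rel32")
    return n - 5


INJECT = 0x7FFC6A52EC12                              # injection point from the posted script
ORIGINAL = bytes.fromhex("894A04C5FB11B680000000")   # the aobscan pattern (11 bytes)

if __name__ == "__main__":
    near = INJECT - 0x10000000    # hypothetical newmem well within 2 GB
    far = INJECT - 0x100000000    # hypothetical newmem 4 GB away
    print(jmp_rel32(INJECT, near).hex())   # reachable: E9 + little-endian disp32
    print(jmp_rel32(INJECT, far))          # None: a rel32 jmp cannot reach it
    print(nop_padding(ORIGINAL))           # 6, matching "nop 6" in the script
```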
sandsmaster (Newbie cheater)
Reputation: 1
Joined: 21 Jan 2021
Posts: 24

Posted: Thu Jan 28, 2021 11:21 am

Hello again.
Thanks for the help man. You really know what you're doing. I changed everything you suggested, but sadly couldn't
get the pointer out. Guess the .NET games don't like static addresses indeed. I even tried to backtrace the instruction
to a call above it, but for some reason I couldn't find a higher one. I tried with 4128 steps (maybe it's too little).

Anyways. After the script worked, I found that there aren't any static comparison values in the dissect data/structure
either. But I wrote a Python script to double check it and thought it might be useful to someone else too. It's nothing
complicated. It just gets the name of the file and removes the addresses in the saved values list, so you can put it inside
a diff checker. I'll upload it here for now, but you can post it anywhere on the site you want.

EDIT:
Forgot to see the allowed extensions section lol. Guess it won't be here. I can send it in private.
It's the .py file, not .exe.
_________________

I don't post too much. yet.