gid2525 (Expert Cheater) - Reputation: 2 - Joined: 21 Oct 2013 - Posts: 101
Posted: Sat Feb 25, 2023 11:50 pm
Post subject: Failure assembling error (reassemble command) CE 7.5
Hi, I am trying to use reassemble but I'm getting a "failure assembling" error. I'm trying to reassemble a jne address:
blah,blah - jne TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+2290
or
jne 1992BC5ADB0
However, this Unity game requires far/long jumps. The question is: can CE 7.5 calculate when the code cave is a far/long jump away? I can't seem to get it to work... Maybe something is wrong with my script?
Code:
[ENABLE]
// injection point: the "test eax,eax" (85 C0) at +224c, followed by the 6-byte jne
define(checkroyal_two,TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+224c)
alloc(newmem4,$100)
label(code4)
label(return4)
label(readjump)
registersymbol(readjump)

newmem4:
code4:
  cmp eax,ecx                    // replaces the original test eax,eax
  reassemble(checkroyal_two+2)   // re-encode the original "jne ...+2290" inside the cave (the failing line)
  jmp return4

readjump:
  reassemble(checkroyal_two+2)   // copy of the original jne, used by [DISABLE] to restore it

checkroyal_two:
  jmp!near newmem4; 00 00* 55    // panraven trampoline syntax (see below); 5 bytes
  nop 3                          // 5 + 3 = the 8 bytes of test + jne that were overwritten
return4:
registersymbol(checkroyal_two)

[DISABLE]
checkroyal_two:
  db 85 C0                       // original test eax,eax
  reassemble(readjump)           // put the saved jne back
unregistersymbol(*)
dealloc(*)
I have jmp!near newmem4; 00 00* 55 there because I'm using panraven's great trampoline script for Unity games. jmp newmem4 doesn't work either, though. If reassemble has not been fixed for far jumps, is there an alternative? With Unity the jump address will definitely change when loading savegames and whatnot, so I'm pretty sure readmem won't work. Thanks!
Dark Byte (Site Admin) - Reputation: 467 - Joined: 09 May 2003 - Posts: 25698 - Location: The Netherlands
Posted: Sun Feb 26, 2023 2:26 am
I can't quickly see, but readjump should be filled with readmem, not reassemble, as reassemble may return more than 1 instruction.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
gid2525 (Expert Cheater)
Posted: Sun Feb 26, 2023 3:12 am
Dark Byte wrote: "I can't quickly see, but readjump should be filled with readmem, not reassemble, as reassemble may return more than 1 instruction."
I thought reassemble only assembled one line of code? Here is the injection point:
Code:
{
// ORIGINAL CODE - INJECTION POINT: TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+224c
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+221d: 48 8B 85 18 FF FF FF - mov rax,[rbp-000000E8]
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+2224: 48 85 C0 - test rax,rax
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+2227: 74 12 - je TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+223b
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+2229: 48 8D 64 24 00 - lea rsp,[rsp+00]
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+222e: 49 BB 8B 5C 92 2D 99 01 00 00 - mov r11,000001992D925C8B
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+2238: 41 FF D3 - call r11
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+223b: E9 00 16 00 00 - jmp TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+3840
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+2240: 48 8B CE - mov rcx,rsi
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+2243: 48 8B 06 - mov rax,[rsi]
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+2246: FF 90 C8 09 00 00 - call qword ptr [rax+000009C8]
// ---------- INJECTING HERE ----------
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+224c: 85 C0 - test eax,eax
// ---------- DONE INJECTING ----------
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+224e: 0F 85 3C 00 00 00 - jne TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+2290
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+2254: 33 C0 - xor eax,eax
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+2256: 4C 0F B6 E8 - movzx r13,al
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+225a: 48 C7 85 18 FF FF FF 00 00 00 00 - mov qword ptr [rbp-000000E8],00000000
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+2265: 48 83 EC 08 - sub rsp,08
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+2269: E8 B7 15 00 00 - call TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+3825
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+226e: 48 83 C4 08 - add rsp,08
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+2272: 48 8B 85 18 FF FF FF - mov rax,[rbp-000000E8]
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+2279: 48 85 C0 - test rax,rax
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+227c: 74 0D - je TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+228b
}
I tried like this as well:
Code:
[ENABLE]
// [ENABLE] added for a well-formed script; the snippet as posted started directly with define()
define(checkroyal_two,TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+224c)
alloc(newmem4,$100)
label(code4)
label(return4)

newmem4:
code4:
  cmp eax,ecx
  reassemble(checkroyal_two+2)   // original "jne ...+2290", re-encoded for the cave
  jmp return4

checkroyal_two:
  jmp!near newmem4; 00 00* 55
  nop 3
return4:
registersymbol(checkroyal_two)

[DISABLE]
checkroyal_two:
  db 85 C0
  reassemble(checkroyal_two+2)   // caution: once [ENABLE] has run, +2 holds trampoline bytes, not the original jne;
                                 // the readjump copy in the first script avoids this
unregistersymbol(*)
dealloc(*)
Dark Byte (Site Admin)
Posted: Sun Feb 26, 2023 3:22 am
Have you tried doing a normal 14-byte or 1-byte large-distance code injection template script?
I don't think reassemble is even needed here with the new template.
gid2525 (Expert Cheater)
Posted: Sun Feb 26, 2023 3:46 am
Dark Byte wrote: "Have you tried doing a normal 14-byte or 1-byte large-distance code injection template script? I don't think reassemble is even needed here with the new template."
Ah, yes, in this particular instance the 14-byte jump should work fine, as there aren't any movs or anything with offsets (which can change from mov to lea with Unity) in the 14 bytes. I usually avoid the 14-byte jumps and opt for panraven's trampoline script for that reason. The smaller the injection bytes, the better. In this case, though, I don't need a readmem or anything, I guess? Given that reassemble won't work with far jumps, you are basically saying that reassemble isn't needed anymore for jumps due to the new templates in 7.5?
What about calls? Thanks!
Dark Byte (Site Admin)
Posted: Sun Feb 26, 2023 4:00 am
CE 7.5: j* and call instructions outside of their range will generate multiline code that does the same,
and the template will rewrite instructions like mov [addressbeyond2gb],reg into a suitable replacement.
As for reassemble, it does look like there is an issue (not new, also in 7.4 and earlier) when it is used with case-sensitive symbol names instead of addresses you get from AOBs. (Of course, that's another reason why I said that this script doesn't need reassemble: if you use the exact, unchangeable symbol name, then reassemble is not useful anymore.)
gid2525 (Expert Cheater)
Posted: Sun Feb 26, 2023 4:47 am
Dark Byte wrote: "CE 7.5: j* and call instructions outside of their range will generate multiline code that does the same, and the template will rewrite instructions like mov [addressbeyond2gb],reg into a suitable replacement. As for reassemble, it does look like there is an issue (not new, also in 7.4 and earlier) when it is used with case-sensitive symbol names instead of addresses you get from AOBs. (Of course, that's another reason why I said that this script doesn't need reassemble: if you use the exact, unchangeable symbol name, then reassemble is not useful anymore.)"
I decided to try to use a readmem because I wanted to use aobscanregion in case the offset for the jump changed with an update or on another person's PC when Unity does its JIT. readmem definitely will not reassemble the jne properly. And I can't use reassemble with the far jumps, but even then I could never get reassemble to work with an aobscanregion and Unity.
Hm, I guess I'll just backtrace and throw the code onto the end of the structure that was called. Much simpler. Thanks!
Dark Byte (Site Admin)
Posted: Sun Feb 26, 2023 5:20 am
In your original script your readjump didn't need reassemble, because it's a store of the original code and you do not want to modify that,
but in code4 you would need to use reassemble if you use an AOB scan to find it.
gid2525 (Expert Cheater)
Posted: Sun Feb 26, 2023 5:42 am
Dark Byte wrote: "In your original script your readjump didn't need reassemble, because it's a store of the original code and you do not want to modify that, but in code4 you would need to use reassemble if you use an AOB scan to find it."
Ah, but it appears reassemble won't work with 14-byte jumps in Unity. Also, since it's Unity, I would then need aobscanregion, NOT aobscan. Not sure if aobscanregion would even work with reassemble in Unity either. But it's a moot point, since reassemble doesn't work with far jumps. I was able to just change a value of the function that was called just before the compare and used that instead as an injection point. So it's all good. It would be nice if reassemble were fixed for 14-byte jumps and tested to work with aobscanregion in Unity at some point, though.
Thanks!
Dark Byte (Site Admin)
Posted: Sun Feb 26, 2023 6:04 am
reassemble works, but you cannot give it a string/symbol which is case-sensitive, like mono's; it has to be an address, like the result of an AOB.
E.g. it can reassemble
23fe8224c+2
but not
TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+224c+2
Of course, knowing the EXACT address means reassemble isn't needed. You can just use the j* <symbolname> notation and CE will assemble it correctly for you regardless of the destination distance.
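Editor's worked example (added here; it is not code from the thread, from panraven's trampoline, or from CE's own templates): the +224c injection written the way Dark Byte describes, i.e. with the 14-byte jump template, the original conditional branch written by symbol instead of reassemble(), and the overwritten bytes saved with readmem() so [DISABLE] restores whatever the JIT produced this run. It assumes the 14 bytes at +224c are exactly the four instructions in the dump above (85 C0 / 0F 85 3C 00 00 00 / 33 C0 / 4C 0F B6 E8), that the intended cheat is the cmp eax,ecx from gid2525's script, and that CE 7.5 expands an out-of-range jne as Dark Byte says. The names INJECT, newmem and savedbytes are this example's own choice.

```asm
// Added example (not from the original thread). CE 7.5 auto-assembler script.
// Assumed: the 14 bytes at +224c are test eax,eax / jne +2290 / xor eax,eax / movzx r13,al,
// and the desired change is "cmp eax,ecx" in place of "test eax,eax".
[ENABLE]
define(INJECT,TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+224c)
alloc(newmem,$1000)
alloc(savedbytes,14)
label(code)
label(return)
registersymbol(INJECT)
registersymbol(savedbytes)

// Snapshot of the 14 bytes we are about to overwrite. readmem() copies them verbatim,
// which is exactly what a backup needs. reassemble() is not used: it may emit more than
// one instruction and, per Dark Byte, it wants a numeric address, not a mono symbol.
savedbytes:
  readmem(INJECT,14)

newmem:
code:
  cmp eax,ecx                                                    // the cheat, replaces test eax,eax
  jne TenCrowns.GameCore.Player:isValidSubjectAnyCharacter+2290  // original branch, by symbol;
                                                                 // CE 7.5 expands it to a far-capable
                                                                 // sequence if the cave is >2GB away
  xor eax,eax                                                    // the other overwritten instructions
  movzx r13,al
  jmp return                                                     // back to +225a

INJECT:
  jmp far newmem   // FF 25 00 00 00 00 + 8-byte absolute address = 14 bytes, so no nop padding
return:

[DISABLE]
INJECT:
  readmem(savedbytes,14)   // restore the bytes captured at enable time, not a hard-coded db
unregistersymbol(INJECT)
unregistersymbol(savedbytes)
dealloc(newmem)
dealloc(savedbytes)
```

Two notes on the design. The disable section deliberately uses readmem(savedbytes,14) rather than the db 85 C0 0F 85 3C 00 00 00 ... you would get from the template, because a fixed rel32 in the jne is only correct for the JIT layout the script was written against; the snapshot is correct for whatever layout was present when the script was enabled. And on CE 7.4 or earlier, where an out-of-range j* is not expanded automatically, the branch line has to be written by hand as a short je over a jmp far to the +2290 symbol.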