Cheat Engine - The Official Site of Cheat Engine
Game Hacking Dojo
Master Cheater
Reputation: 1
Joined: 17 Sep 2023
Posts: 250

Posted: Sun Oct 15, 2023 10:22 am    Post subject: Script for random allocation

I don't know how to explain this correctly.

I'm dealing with a game that allocates memory as it goes and in many cases outside its modules. So there's no way to get a module base address and offset to make a script. Well, of course, using an AOB is always the best way to eliminate all that. But when there are no caves it becomes more challenging. There are no empty sections close by, so it requires a 14-byte jump to reach the cave. In this case, I have to rewrite more addresses than needed. Within those addresses, I may get calls like 7FF9D9CE1B90 and jumps like 7FF9D9F6EE78. After writing the script and jumping far to the cave, the bytes of those calls and jumps will have to change because they are no longer relevant.

Is there a way I could write the script where it gets the original code as opcodes and rewrites it as opcodes?
 
 
Example:

Code:
[ENABLE]

//aobscan(aob_CharacterSelect,89xxxxxxxxxx85xx7DxxE8xxxxxxxx48xxxxxx8BxxxxFFxx89xxxxxxxxxx48xxxxE8xxxxxxxx)       //89 96 30 02 00 00 85
aobscanregion(aob_CharacterSelect,7FF9D9F00000,7FF9D9FFFFFF,89xxxxxxxxxx85xx7DxxE8xxxxxxxx48xxxxxx8BxxxxFFxx89xxxxxxxxxx48xxxxE8xxxxxxxx)
alloc(newmem_CharacterSelect,256)
registersymbol(aob_CharacterSelect)
alloc(oldBytes_CharacterSelect,15)
registersymbol(oldBytes_CharacterSelect)
alloc(Character1V,8)
registersymbol(Character1V)

oldBytes_CharacterSelect:
  readmem(aob_CharacterSelect,15)   // copy of the 15 original bytes, restored by [DISABLE]
  //define(OB,oldBytes_CharacterSelect)

newmem_CharacterSelect:
  cmp rbx,A
  ja originalCode_CharacterSelect

  cmp rsi,[Player1BA]
  je Player1L

  jmp originalCode_CharacterSelect

Player1L:
  mov edx,[Character1V]
  jmp originalCode_CharacterSelect

originalCode_CharacterSelect:
  mov [rsi+00000230],edx
  test edx,edx
  //jnl Paris.Game.Menu.CharacterSelectionPanel::set_CurrentSelection+38
  //call Paris.Game.System.CharacterManager::get_Singleton
  jnl 7FF9D9F6EE78    // absolute targets taken from the original code; change on every run
  call 7FF9D9CE1B90
  jmp return_CharacterSelect

aob_CharacterSelect:
  jmp far newmem_CharacterSelect   // 14-byte jump, plus one nop to cover the 15 replaced bytes
  nop

return_CharacterSelect:

[DISABLE]

aob_CharacterSelect:
  readmem(oldBytes_CharacterSelect,15)
  //db 89 96 30 02 00 00

unregistersymbol(*)
dealloc(*)

//unregistersymbol(aob_CharacterSelect)
//dealloc(newmem_CharacterSelect)

{
// ORIGINAL CODE - INJECTION POINT: 7FF9D9F8E37A

7FF9D9F8E34D: F0 00 00                 - lock add [rax],al
7FF9D9F8E350: 40 00 00                 - add [rax],al
7FF9D9F8E353: 00 00                    - add [rax],al
7FF9D9F8E355: 00 00                    - add [rax],al
7FF9D9F8E357: 00 E0                    - add al,ah
7FF9D9F8E359: 9C                       - pushfq
7FF9D9F8E35A: 18 DA                    - sbb dl,bl
7FF9D9F8E35C: F9                       - stc
7FF9D9F8E35D: 7F 00                    - jg 7FF9D9F8E35F
7FF9D9F8E35F: 00 57 56                 - add [rdi+56],dl
7FF9D9F8E362: 48 83 EC 28              - sub rsp,28
7FF9D9F8E366: 48 8B F1                 - mov rsi,rcx
7FF9D9F8E369: 8B FA                    - mov edi,edx
7FF9D9F8E36B: E8 D0 37 D7 FF           - call 7FF9D9D01B40
7FF9D9F8E370: 48 8B 48 08              - mov rcx,[rax+08]
7FF9D9F8E374: 8B C7                    - mov eax,edi
7FF9D9F8E376: 99                       - cdq
7FF9D9F8E377: F7 79 18                 - idiv [rcx+18]
7FF9D9F8E37A: 89 96 30 02 00 00        - mov [rsi+00000230],edx
7FF9D9F8E380: 85 D2                    - test edx,edx
// ---------- INJECTING HERE ----------
7FF9D9F8E382: 7D 14                    - jnl 7FF9D9F8E398
// ---------- DONE INJECTING  ----------
7FF9D9F8E384: E8 B7 37 D7 FF           - call 7FF9D9D01B40
7FF9D9F8E389: 48 8B 48 08              - mov rcx,[rax+08]
7FF9D9F8E38D: 8B 49 18                 - mov ecx,[rcx+18]
7FF9D9F8E390: FF C9                    - dec ecx
7FF9D9F8E392: 89 8E 30 02 00 00        - mov [rsi+00000230],ecx
7FF9D9F8E398: 48 8B CE                 - mov rcx,rsi
7FF9D9F8E39B: E8 70 27 42 FF           - call 7FF9D93B0B10
7FF9D9F8E3A0: 48 83 BE D0 00 00 00 00  - cmp qword ptr [rsi+000000D0],00
7FF9D9F8E3A8: 74 33                    - je 7FF9D9F8E3DD
7FF9D9F8E3AA: 48 8B 8E D0 00 00 00     - mov rcx,[rsi+000000D0]
7FF9D9F8E3B1: 80 79 32 00              - cmp byte ptr [rcx+32],00
7FF9D9F8E3B5: 74 26                    - je 7FF9D9F8E3DD
7FF9D9F8E3B7: 48 8B 8E E8 01 00 00     - mov rcx,[rsi+000001E8]
7FF9D9F8E3BE: 48 85 C9                 - test rcx,rcx
7FF9D9F8E3C1: 74 1A                    - je 7FF9D9F8E3DD
7FF9D9F8E3C3: 48 89 4C 24 20           - mov [rsp+20],rcx
7FF9D9F8E3C8: 48 8D 51 08              - lea rdx,[rcx+08]
7FF9D9F8E3CC: 48 8B 0A                 - mov rcx,[rdx]
7FF9D9F8E3CF: 8B 96 5C 02 00 00        - mov edx,[rsi+0000025C]
7FF9D9F8E3D5: 48 8B 44 24 20           - mov rax,[rsp+20]
}

ParkourPenguin
I post too much
Reputation: 152
Joined: 06 Jul 2014
Posts: 4706

Posted: Sun Oct 15, 2023 12:24 pm

				Use `reassemble` if needed
 
 
Can't you just inject at 7FF9D9F8E374 instead?
_________________
I don't know where I'm going, but I'll figure it out when I get there.

Game Hacking Dojo
Master Cheater
Reputation: 1
Joined: 17 Sep 2023
Posts: 250

Posted: Sun Oct 15, 2023 1:21 pm

What is reassemble?

Yes, I could inject a bit further from the jumps. But this script is only for demonstration purposes. I want a way to solve this issue completely, without trying to solve it case by case.

Worst case, I could inject a 5-byte jump to another address-free piece of assembly code and put my 14-byte jump there. But this is so inconvenient. There are always ways, but I want something easy, secure and efficient.

Dark Byte
Site Admin
Reputation: 470
Joined: 09 May 2003
Posts: 25807
Location: The Netherlands

Posted: Sun Oct 15, 2023 2:13 pm

				use jmp1
 _________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping

ParkourPenguin
I post too much
Reputation: 152
Joined: 06 Jul 2014
Posts: 4706

Posted: Sun Oct 15, 2023 3:00 pm

`reassemble` disassembles an instruction at a given address and assembles it in place

e.g.

Code:
newmem:
  reassemble(INJECT+4)
_________________
I don't know where I'm going, but I'll figure it out when I get there.

Game Hacking Dojo
Master Cheater
Reputation: 1
Joined: 17 Sep 2023
Posts: 250

Posted: Sun Oct 15, 2023 4:37 pm

I tried the reassemble method (it's the best, in my opinion, for such a problem).

But it didn't work. The script didn't run: <<84:Failure assembling ?? at 1B41E63009F>>

What did I do wrong?

I searched for documentation on the function but only found the Cheat Engine Wiki.

This code is used in the script above. Without it, the script runs, but with it I get the error <<84:Failure assembling ?? at 1B41E63009F>>

Code:
originalCode_CharacterSelect:
  reassemble(oldBytes_CharacterSelect)
  jmp return_CharacterSelect

ParkourPenguin
I post too much
Reputation: 152
Joined: 06 Jul 2014
Posts: 4706

Posted: Sun Oct 15, 2023 4:52 pm

				Reassemble runs before instructions get written to memory
 
 
Read from the original injection point. In your first example, it would be `aob_CharacterSelect+8` and `aob_CharacterSelect+A` (pretty sure it uses hex)
_________________
I don't know where I'm going, but I'll figure it out when I get there.

Game Hacking Dojo
Master Cheater
Reputation: 1
Joined: 17 Sep 2023
Posts: 250

Posted: Sun Oct 15, 2023 5:18 pm

Yes, it worked this way. Thank you both.

And yes, it is in hex.

The moral of the story: the reassemble function copies a single line of assembly opcodes and writes the line back at the preferred location.
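What the thread turns on, as an added example that is not part of any post and is not Cheat Engine's own code: the `jnl` and `call` copied from the injection point carry IP-relative displacements, so their raw bytes moved into a far cave point at the wrong place, and `reassemble` exists to re-encode them against the address they were read from (which is why, as the replies say, it has to be pointed at the still-unmodified `aob_CharacterSelect+8` and `+A` rather than at the saved copy). The Python below does that fix-up for the branch forms involved: it decodes each branch at its original address, resolves the absolute target, and re-emits it at the new address, widening the 2-byte `7D rel8` form to the 6-byte `0F 8D rel32` form once the cave is more than 127 bytes away, and refusing when even rel32 cannot reach. The 15 bytes and their addresses are taken from the disassembly in the first post; `NEAR_CAVE` is a constructed address, and `FAR_CAVE` is the address from the poster's error message, assumed here to be where CE's alloc placed the cave. It is deliberately not a full x86 decoder (instruction lengths are supplied, as a disassembler would report them), and it does not touch rip-relative memory operands such as `[rip+disp32]`, which break the same way when copied.

```python
"""Relocate x86-64 code that contains IP-relative branches (added example;
not Cheat Engine's code and not the poster's script).

Handled branch forms:  E8 rel32 call, E9 rel32 jmp, EB rel8 jmp short,
7x rel8 jcc short, 0F 8x rel32 jcc near.  Everything else is copied as-is.
"""
import struct

MASK64 = (1 << 64) - 1


def decode_branch(code, off, address):
    """Decode the branch at code[off], whose virtual address is `address`.
    Returns (kind, cc, length, target) or None for a non-branch opcode.
    kind is 'call', 'jmp' or 'jcc'; cc is the 4-bit condition for jcc."""
    op = code[off]
    if op in (0xE8, 0xE9):                       # call / jmp rel32
        rel = struct.unpack_from("<i", code, off + 1)[0]
        return ("call" if op == 0xE8 else "jmp"), None, 5, (address + 5 + rel) & MASK64
    if op == 0xEB:                               # jmp short rel8
        rel = struct.unpack_from("<b", code, off + 1)[0]
        return "jmp", None, 2, (address + 2 + rel) & MASK64
    if 0x70 <= op <= 0x7F:                       # jcc short rel8
        rel = struct.unpack_from("<b", code, off + 1)[0]
        return "jcc", op & 0x0F, 2, (address + 2 + rel) & MASK64
    if op == 0x0F and off + 1 < len(code) and 0x80 <= code[off + 1] <= 0x8F:
        rel = struct.unpack_from("<i", code, off + 2)[0]  # jcc near rel32
        return "jcc", code[off + 1] & 0x0F, 6, (address + 6 + rel) & MASK64
    return None


def encode_branch(kind, cc, target, address):
    """Encode a branch placed at `address` that reaches `target`.
    Short rel8 form when it fits, else the rel32 form (the widening a
    relocated `jnl` needs once the cave is far away).  Raises ValueError
    when even rel32 cannot reach, i.e. target is more than 2 GiB away."""
    if kind != "call":
        rel8 = target - (address + 2)
        if -128 <= rel8 <= 127:
            return bytes([0xEB if kind == "jmp" else 0x70 | cc, rel8 & 0xFF])
    length = 6 if kind == "jcc" else 5
    rel32 = target - (address + length)
    if not -(1 << 31) <= rel32 < (1 << 31):
        raise ValueError(f"target {target:X} unreachable with rel32 from "
                         f"{address:X}; an absolute (14-byte jmp far) form is needed")
    opcode = {"call": b"\xE8", "jmp": b"\xE9"}.get(kind) or bytes([0x0F, 0x80 | cc])
    return opcode + struct.pack("<i", rel32)


def relocate(code, lengths, src, dst):
    """Relocate `code` from virtual address src to dst.  `lengths` holds the
    instruction lengths a disassembler reports for `code` (this script is
    not a full x86 decoder).  Branches are re-encoded against their original
    absolute target; other instructions are copied verbatim.  The result may
    be longer than the input because of rel8 -> rel32 widening."""
    out = bytearray()
    off = 0
    for ln in lengths:
        br = decode_branch(code, off, src + off)
        if br is None:
            out += code[off:off + ln]
        else:
            kind, cc, blen, target = br
            if blen != ln:
                raise ValueError(f"length mismatch at +{off:X}")
            out += encode_branch(kind, cc, target, dst + len(out))
        off += ln
    return bytes(out)


def can_relocate(code, lengths, src, dst):
    """True if every branch in `code` still reaches its target from dst."""
    try:
        relocate(code, lengths, src, dst)
        return True
    except ValueError:
        return False


# The 15 bytes the hook overwrites, from the first post's disassembly
# (starting at 7FF9D9F8E37A):
#   89 96 30 02 00 00   mov [rsi+00000230],edx
#   85 D2               test edx,edx
#   7D 14               jnl 7FF9D9F8E398
#   E8 B7 37 D7 FF      call 7FF9D9D01B40
ORIG_ADDR = 0x7FF9D9F8E37A
ORIG_CODE = bytes.fromhex("899630020000" "85D2" "7D14" "E8B737D7FF")
ORIG_LENGTHS = [6, 2, 2, 5]

# Cave addresses for the demonstration.  NEAR_CAVE is constructed (within
# rel32 reach of the game code); FAR_CAVE is the address from the poster's
# error message, assumed to be where CE's alloc placed newmem.
NEAR_CAVE = 0x7FF9D9FA0000
FAR_CAVE = 0x1B41E630000

if __name__ == "__main__":
    moved = relocate(ORIG_CODE, ORIG_LENGTHS, ORIG_ADDR, NEAR_CAVE)
    print("near cave:", moved.hex(" ").upper())
    print("far cave reachable with rel32:",
          can_relocate(ORIG_CODE, ORIG_LENGTHS, ORIG_ADDR, FAR_CAVE))
```

For the near cave the `jnl` comes out as `0F 8D 8A E3 FE FF` and the `call` as `E8 2D 1B D6 FF`, so the 15-byte block grows to 19 bytes; a `jmp return_...` placed after it is unaffected, but nothing may assume the relocated block keeps its original length. For the far cave `can_relocate` returns False: from 1B41E63xxxx the targets at 7FF9D9xxxxxx are beyond the 2 GiB reach of a rel32 displacement, which is the same reason the hook at the injection point needs the 14-byte `jmp far` in the first place.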
			 