 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
Flexi
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 05 Dec 2006
Posts: 1544
Location: Singapore
|
 Posted: Mon Mar 12, 2007 4:11 am Post subject: [Tutorial] Making your own AA script |
 |
|
This is a beginner's Assembly language tutorial. For those who have gotten past the stage of simple hacking and want to learn how to start writing their own assembly scripts; I'd be glad to help. Many of the guides on Google are daunting and confusing, so I've tried to make this as easy as possible. I’m no expert at this, but I try to help with what I know 
A few terms to know:
| Code: | Assembly – A basic programming language
Binary – A number system in base 2
Bit – Binary digIT |
What is assembly language? Assembly language is one of the most basic programming languages; only a few steps up from binary itself. When you program in assembly, you are basically moving bits and bytes around.
I’ll start off with the basics. The Commands
| Code: | Mov – Move
Cmp – Compare
Jmp – Jump to
Je – Jump to if equal
Jne – Jump to if not equal
Jg – Jump to if greater than
Jl – Jump to if less than
Jng – Jump to if not greater than
Jnl – Jump to if not less than
Jge – Jump to if greater than or equal to
Jle – Jump to if less than or equal to |
Note: (There are many more Jump To’s, but most aren’t worth mentioning; to see them all check out ShadowSan’s mini-tut)
Inc – Increment
| Code: | Dec – Decrement
Push – Put a variable/value onto the stack
Pop – Remove a variable/value from the stack
Alloc – Allocate |
Registersymbol – Registers the word as a symbol that can be added as an address manually; I’ll explain later.
| Code: | Dealloc – Deallocate
Unregistersymbol – Guess Rolling Eyes
Label - Labels
|
THE MOV COMMAND
The mov command is probably one of the most important in Assembly. Mov = Move.
This means to move b into a. Get it?
That’s just the basics. Now you have to get more specific. What do you want to move into a? Do you want to move the address of b into a? Or do you want to move the value of b into a?
That means move the address of b into the address of a.
Move the value of b into the address of a.
Move the address of b into the value of a.
Getting it? Surrounding it by brackets makes it the value instead of the address.
You can not move a value into a value. For example, this code WILL NOT WORK.
WILL NOT WORK!
There are more things you can do with mov. Let’s say you wanted to move the value of b + c into a.
(notice that there is no space between b and the + sign, or the + sign and c)
That’s it for the mov command for now.
THE CMP COMMAND
Ah, the cmp command. Another crucial element in any assembler’s composition. Cmp = Compare.
Compare the address of a to the address b.
Compare the address of a to the value of b.
Compare the value of a to the address of b.
However, if you put
you don’t need brackets around the 00. Assembly recognizes it as an integer, and it compares a to the value of 00.
That’s it for the cmp command for now.
THE JMP COMMAND, AND ALL VERSIONS OF IT
Yet another crucial part of assembly is the jmp command. There are many different ways of saying it, but all come down to the same thing. Jmp = To Jump
Note: For more on jmp commands, see ShadowSan/thescorcerer (P.S duno how to spell =X)’s minitut.
Jumps to the address 6558ad. Any code that follows will impact 6558ad. For example;
| Code: | Jmp 6558ad
Mov eax, [-99999]
|
Jumps to the address 6558ad
Moves the value -99999 into the eax (I’ll explain later) of 6558ad.
You can also jump to variables within the script, such as:
| Code: |
Alloc(Crash, 4)
Jmp Crash |
| Code: | Crash:
Jmp 6558ad
Mov eax, [-99999] |
Of course, there are all the versions of jmp, such as je, jne, jg, jl, jge, jle, jng, jnl, but those are pretty self explanatory (once you know what they mean, see definitions above). Those are used with cmp. For example,
| Code: | Alloc(Compare, 1024)
Alloc(EatA, 4)
Alloc(EatB, 4)
Alloc(EatC, 4)
Alloc(EatMe, 4)
Label(MyStomach) |
| Code: | Compare:
Cmp eax,ebx
Jg EatA
Jl EatB
Je EatC
Jmp EatMe
|
| Code: | EatA:
Mov MyStomach,eax
Jmp Compare |
| Code: | EatB:
Mov MyStomach,ebx
Jmp Compare |
| Code: | EatC:
Mov MyStomach,ecx
Jmp Compare |
| Code: | EatMe:
Jmp Compare
Dealloc(Compare)
Dealloc(EatA)
Dealloc(EatB)
Dealloc(EatC)
Dealloc(EatMe) |
Let’s look at this script one step at a time.
Ignore the allocating/labeling memory part for right now. Just think of those as the variable assignments for now.
| Code: | Compare:
Cmp eax, ebx
Jg EatA
Jl EatB
Je EatC
Jmp EatMe |
Under the label compare:
Compare eax to ebx.
If eax is greater than ebx, jump to EatA.
If eax is less than ebx, jump to EatB.
If eax is equal to ebx, jump to EatC.
If none of these are true (can’t happen under these circumstances, but is important), then jump to EatMe.
| Code: | EatA:
Mov MyStomach,eax
Jmp Compare
EatB:
Mov MyStomach,ebx
Jmp Compare
EatC:
Mov MyStomach,ecx
Jmp Compare
EatMe:
Jmp Compare
|
These are all the different possible places your script can make you jump, depending on what the values of eax and ebx are. If you jumped to EatA, you move the value of eax into the variable MyStomach, and jump back to compare. Then the cycle begins again. This is how a script would work (this particular script wouldn’t do anything for several reasons, but I’ll explain that later.)
Note: If you are confused about eax, ebx, etc.. Don’t worry. I will explain those later.
That’s it for the jump command for now.
THE PUSH/POP COMMANDS – THE STACK
If you don’t like something, you push it away from you. If you want it back, you pop it back to you. While it’s away from you, it is frozen in time from your perspective; it is in a different place, and no longer gets your attention. Therefore, to you, it is essentially frozen in time.
This is how pushing and popping – the stack – works.
This puts the variable eax onto the stack, away from your code. The stack is a separate place, where your variables/values are essentially frozen in time (from your codes perspective). On the stack, you can do whatever you want with that variable/value, and then put it back into the code. For example,
| Code: | push eax
mov eax,[curser pointer X]
mov [Item pointer X],eax
mov eax,[curser pointer y]
mov [Item pointer y],eax
pop eax
|
This is an attempt at mouse-item vac. It doesn’t work; I am merely using it as an example. If you look at the code, you will see that the value is pushed off the code, essentially frozen in time, away from all interferences. Then all the changes are done to it. When eax is finished with, it is taken off the stack and put back into the code.
Pushing/popping goes more in-depth, but that isn’t for this guide.
That is it for pushing/popping for now.
INC AND DEC COMMANDS
These are extremely simple.
Increment the value of eax by 1.
Decrement the value of eax by 1.
| Code: | Mov eax, 00
Inc eax |
Eax will now equal 1.
That’s it for increment and decrementing for now.
THE ALLOC, REGISTERSYMBOL, AND LABEL COMMANDS
A stuck-up person might say that every human has a certain number of brain cells assigned to them. With that number of brain cells assigned to them, they do the job in life that was meant for them. Those brain cells he has are under his command. That’s how alloc works. Alloc = allocate
| Code: | Alloc(Compare, 1024)
Alloc(Me, 4)
Alloc(You, 4)
Label(Compare)
Label(Me)
Label(You)
Compare:
Push eax
Push ebx
Mov eax,[00]
Mov ebx,[01]
Cmp eax, ebx
Pop eax
Pop ebx
Jg You
Jl Me
Me:
Xor eax, ebx
Jmp 614a0c
You:
Xor eax, ebx
Jmp 6abc0d
Mov eip, [00]
Dealloc(Compare)
Dealloc(Me)
Dealloc(You) |
| Code: | Alloc(Compare, 1024)
Alloc(Me, 4)
Alloc(You, 4)
|
This means that you are allocating, or assigning, a certain portion of memory to the variable to the left of the comma.
| Code: |
Label(Compare)
Label(Me)
Label(You) |
This is just labeling the variables so they can produce results.
General Note: When you inject scripts, you label variables. When you assign scripts to your Cheat Table, you register them as symbols.
| Code: | Compare:
Push eax
Push ebx
Mov eax,[00]
Mov ebx,[01]
Cmp eax, ebx
Pop eax
Pop ebx
Jg You
Jl Me |
Push eax and ebx onto the stack. Move the value of 00 into eax, and move the value of 01 into ebx. Compare them, then pop them back in the code. Note that even though you popped them back from the stack into the code, the compare results remain. If eax is greater than ebx, jump to You. If it’s less, jump to Me.
| Code: | Me:
Xor eax, ebx
Jmp 614a0c
You:
Xor eax, ebx
Jmp 6abc0d
Mov eip, [00] |
If the script jumped to Me, it follows the code under Me. Likewise if it jumped to You. Xor is a little complicated, but it basically kills the values. Don’t worry about it, it’s not very commonly used.
Under Me, the variables are killed, and then the allocated memory for Me jumps to the memory region defined by the address after jmp. This is the more exact definition of jumping. So the memory that is assigned to Me jumps to 614a0c.
Under You, the variables are killed, and then the assigned memory for You jumps to the memory region defined by 6abc0d. Then the script puts 0 into the eip of 6abc0d. (If you’re smart, you’ll know what that does  )
| Code: | Dealloc(Compare)
Dealloc(Me)
Dealloc(You) |
This is basically the opposite of the beginning; you’re taking back that memory that you assigned to each variable. They have served their purpose, and your UCE gets its memory back.
That would be a script you would inject. Here is an example of a script you would assign to a cheat table.
| Code: | Registersymbol(Bob)
Alloc(Bob, 1024)
Bob:
Mov eax,[00]
Mov ebx,[01]
Cmp eax, ebx
Jg 614a0c
Jl 6558ad
Je 6abc0d
Dealloc(Bob)
Unregistersymbol(Bob) |
Register symbol means that once you activate this script in your CT, you can add the word Bob as a manual address. The key part is what the actual address is of Bob. I’ll give an example later on of how this works.
Note: You must alloc and label OR alloc and registersymbol for a script to work. This is because allocating assigns a portion of memory to work for the script, and either label or registersymbol produces results.
That’s it for all the basic commands.
[b]Important: You can not just inject a script and expect it to start, or assign it and expect it to begin. You have to activate it somehow; so far I have just explained the basic commands to any AA script. Later I will explain how to make a script work.
REGISTERS/FLAGS: DIFFERENT TYPES AND THEIR USES
To learn more about registers and how they work, read my guide on the inside of a computer.
Here I will just explain the basic registers that we use in our UCEs, and how they apply to Assembly language.
There are 9 main registers we use.
EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP, EIP
EAX, EBX, ECX, and EDX are called general purpose registers. They can handle a wide variety of functions, such as adding, subtracting, multiplying, dividing... but in Assembly scripts they are usually used as variables, or storage places for values.
ESI and EDI can be used as pointers (a little complicated, don’t worry about it), but they are mostly used as general purpose registers as well.
EBP and ESP point to data on the stack (remember push/pop?). These aren’t as commonly used.
EIP is extremely important; it is an address register. It stores the information of where data/instructions are. In other words, it is a pointer register. If you put address A into the EIP of address B, address B will be re-directed to address A.
Now, let’s look back on some of those codes.
Code:
push eax
mov eax,[curser pointer X]
mov [Item pointer X],eax
mov eax,[curser pointer y]
mov [Item pointer y],eax
pop eax
Eax is being used as a storage space for the value of the curser pointer X, so the script can transfer curser pointer X into item pointer X. Same for Y.
There are 9 flags available to us as well, although we generally only use one of them. There are a few cases where we use other ones, but they are rare.
| Quote: | OF – Overflow Flag. Indicates an overflow
DF – Direction Flag. Used for strings to check direction
IF – Interrupt Flag. Enables interrupts
TF – Trap Flag. Allows CPU to work in single step mode.
SF – Sign Flag. Returns results as negative
ZF – Zero Flag. Returns results as zero
AF – Auxiliary Flag. A secondary carry flag
PF – Parity Flag. Indicates even or odd parity
CF – Carry Flag. Contains the left-most bit after calculations |
The one most commonly used is ZF, as you well know.
TO ACTIVATE A SCRIPT. SCRIPT EXAMPLES!
The best way to teach this is to give examples, and show how they work. This is an auto-dc/godmode script, written by me.
Note: The values in this script are for gMS/oMS.
| Code: | [ENABLE]
registersymbol(Godmode)
alloc(Godmode, 1024)
Godmode:
mov edi, [755a4c]
cmp [edi+18], 00
je 614ff7
jmp 6558ad
mov eax, [-99999]
[DISABLE]
unregistersymbol(Godmode)
dealloc(Godmode) |
When you assign a script to a CT, you have to put [ENABLE] and [DISABLE].
In the beginning, I register Godmode as a symbol and allocate 1024 bytes of memory to it.
Then I write the code for Godmode:
Move the value of 755a4c to edi.
Compare edi+18 to 0. 755a4c, offset 18 is the people scanner. Therefore I am essentially comparing the value of the people scanner (how many people are on the map) to zero. I have to use a register to hold the value of 755a4c because if I put
| Code: | | cmp [755a4c+18], 00 |
it would add them.
If the value of the people scanner is equal to zero, in other words there are no people on the map, then the script jumps to 614ff7. This activates godmode because it’s the same thing as ticking ZF. If you look at 614a0c (the address for 1-hit godmode), next to it you will see “jne 614ff7.” Ticking ZF returns the result as zero, causing it to always jump to 614ff7. In my script, I just say
So when there are no people on my map, Godmode is activated.
On the other hand, if the people scanner’s value is not equal to zero, it jumps to 6558ad (the SSEAX Y address), and puts the value of EAX as -99999, causing me to DC.
Now, here comes the important part.
Assigning this script to your cheat table and ticking it won’t automatically turn on Godmode. If you think about it, these instructions are under the variable Godmode. So for these instructions to be activated, that variable Godmode has to be activated somewhere. So what do you do to activate that script?
Godmode is registered as a symbol; it can be added manually as an address. Add Godmode as an address manually. That address now has the instructions of your script in it. Then take the address of Godmode, which you just added, and put it into the EIP of 614a0c, the godmode address. This re-directs your godmode address to your Godmode script, activating the script.
Why can’t you put it in the EIP of any ol’ address? The script needs the information inside the address of godmode. For more information, read the guide that I posted above.
Here is another example. This script doesn’t actually do anything, but it gives you an idea.
| Code: | alloc(Compare, 11)
alloc(Jumpin, 11)
alloc(BunnyBreed,1024)
Compare:
Mov eax,Brownbunny
cmp eax,[bunny]
jne [Jumpin]
je [BunnyBreed]
Jumpin:
mov ecx,[bunny]
mov ecx,[gun]
push ecx
xor ecx,ecx
BunnyBreed:
Move eax,[bunnyMale]
Move eax,[bunnyFemale]
inc eax
inc eax
inc eax |
This is an injection script, and you would use the results of the injection to activate it. This script has many problems in it.. if you can figure them out, you’re doing well. Another example would be Static DupeX, which has pre-defined ways of activating (inserting 400300, then 400350).
Hope you learned something 
Feel free to ask any questions or put forth any suggestions
_________________
|
|
| Back to top |
|
 |
Onen
How do I cheat?
![]() Reputation: 0
Joined: 11 Mar 2007
Posts: 6
|
| Posted: Mon Mar 12, 2007 6:25 am Post subject: |
|
|
First of all, great job ! Now for the question...
I wanted to ask about push / pop. You said by "pushing" eax or any other variable you freeze it. So that means when you pop it back it has the same value when you pushed it ? For example.
| Code: |
Compare:
Push eax
Push ebx
Mov eax,[00]
Mov ebx,[01]
Cmp eax, ebx
Pop eax
Pop ebx
Jg You
Jl Me |
So when you pop eax and ebx they would have the save values when you pushed them? And the code Mov eax,[00] Mov ebx,[01] would only change those values temporarly ?
|
|
| Back to top |
|
|
Flexi
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 05 Dec 2006
Posts: 1544
Location: Singapore
|
| Posted: Mon Mar 12, 2007 7:25 am Post subject: |
|
|
| Code: | | Mov eax,[00] Mov ebx,[01] |
Just an example
_________________
|
|
| Back to top |
|
|
omgms
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 13 Jul 2006
Posts: 1254
Location: Hacking Island
|
| Posted: Mon Mar 12, 2007 8:04 am Post subject: |
|
|
| how long you took to write this?? or u just copy paste?? are you from fajar sec?
|
|
| Back to top |
|
|
Onen
How do I cheat?
![]() Reputation: 0
Joined: 11 Mar 2007
Posts: 6
|
| Posted: Mon Mar 12, 2007 8:08 am Post subject: |
|
|
| You didn't answer my question
|
|
| Back to top |
|
|
Flexi
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 05 Dec 2006
Posts: 1544
Location: Singapore
|
| Posted: Mon Mar 12, 2007 11:25 am Post subject: |
|
|
| omgms wrote: | | how long you took to write this?? or u just copy paste?? are you from fajar sec? |
i got to know fajar when i was learning AA script.
Im not from fajarsec.
I took 3-4 hours and lifted some from thesocerer
_________________
|
|
| Back to top |
|
|
nog_lorp
Grandmaster Cheater
 Reputation: 0
Joined: 26 Feb 2006
Posts: 743
|
| Posted: Mon Mar 12, 2007 3:11 pm Post subject: Re: [Tutorial] Making your own AA script |
|
|
| DeadPool wrote: |
There are more things you can do with mov. Let’s say you wanted to move the value of b + c into a.
|
Incorrect! This would move the value at the ADDRESS b+c into a. It would NOT move the sum of the values at b and c. To do this correctly, you would use:
| Code: |
mov a,b // or mov a,[b] if b is a pointer or a variable name
add a,c
|
~nog_lorp
_________________
Mutilated lips give a kiss on the wrist of the worm-like tips of tentacles expanding in my mind
I'm fine accepting only fresh brine you can get another drop of this yeah you wish |
|
| Back to top |
|
|
Silentkill
Cheater
![]() Reputation: 0
Joined: 17 Nov 2006
Posts: 28
|
| Posted: Fri Mar 16, 2007 1:23 am Post subject: Re: [Tutorial] Making your own AA script |
|
|
| nog_lorp wrote: | | DeadPool wrote: |
There are more things you can do with mov. Let’s say you wanted to move the value of b + c into a.
|
Incorrect! This would move the value at the ADDRESS b+c into a. It would NOT move the sum of the values at b and c. To do this correctly, you would use:
| Code: |
mov a,b // or mov a,[b] if b is a pointer or a variable name
add a,c
|
~nog_lorp |
PWNED
|
|
| Back to top |
|
|
ipohboy
Expert Cheater
![]() Reputation: 0
Joined: 24 May 2006
Posts: 229
Location: Ipoh
|
| Posted: Fri Mar 16, 2007 3:08 am Post subject: |
|
|
This is a nice asm tutorial.
| Code: | alloc(Compare, 11)
alloc(Jumpin, 11)
alloc(BunnyBreed,1024)
Compare:
Mov eax,Brownbunny // Brownbunny is undefine, causing error
cmp eax,[bunny]
jne [Jumpin] // this will jump to the value of jumping label instead of jump to the jumping label
je [BunnyBreed] // same as above problem
Jumpin:
mov ecx,[bunny] // bunny is undefine, causing error
mov ecx,[gun] // gun is undefine, causing error
push ecx
xor ecx,ecx
BunnyBreed:
Move eax,[bunnyMale] // bunnyMale is undefine, causing error
Move eax,[bunnyFemale] // bunnyFemale isundefine, causing error
inc eax
inc eax
inc eax |
This is what i find out. i am not sure is it correct.
comment please[/code]
_________________
怡保 : 芽菜鸡
Spearman LV 4x |
|
| Back to top |
|
|
Flexi
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 05 Dec 2006
Posts: 1544
Location: Singapore
|
| Posted: Fri Mar 16, 2007 11:01 am Post subject: |
|
|
Stfu noob.
Don't know anything about ASM and come here whining.
_________________
|
|
| Back to top |
|
|
Gunblade
Cheater
![]() Reputation: 0
Joined: 12 Mar 2007
Posts: 31
|
| Posted: Mon Mar 19, 2007 11:35 am Post subject: |
|
|
| hahaha
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
