Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


cheat engine tutorial script

 
OldCheatEngineUser
Posted: Sun Jan 28, 2018 1:14 am    Post subject: cheat engine tutorial script

32-Bit
Code:
{
Author: OldCheatEngineUser
Website: forum.cheatengine.org
About: cheat engine tutorial version 3.3 script for all steps
Attention: requires "Tutorial-i386.exe" from "cheat engine 6.6" directory
ExtraInfo: script wont work on other versions
}

define(StepOneAddress,"Tutorial-i386.exe"+23B00)
define(StepOneBytes,89 83 80 04 00 00)
define(StepOneIp,"Tutorial-i386.exe"+23B06)
define(StepOneReq,66 B8 E8 03)

define(StepTwoAddress,"Tutorial-i386.exe"+23FE6)
define(StepTwoBytes,29 9E 84 04 00 00)
define(StepTwoIp,"Tutorial-i386.exe"+23FEC)
define(StepTwoReq,66 BB 88 13 89 9E 84 04 00 00)

define(StepThreeAddressF,"Tutorial-i386.exe"+2481F)
define(StepThreeBytesF,D9 9E 94 04 00 00)
define(StepThreeIpF,"Tutorial-i386.exe"+24825)
define(StepThreeReqF,fld dword ptr [StepThreeValueF])
define(StepThreeFloat,dd 459C4000)
define(StepThreeAddressD,"Tutorial-i386.exe"+24643)
define(StepThreeBytesD,DD 9B 98 04 00 00)
define(StepThreeIpD,"Tutorial-i386.exe"+24649)
define(StepThreeReqD,fld qword ptr [StepThreeValueD])
define(StepThreeDouble,dq 40B3880000000000)

define(StepFourAddress,"Tutorial-i386.exe"+24AE8)
define(StepFourBytes,89 10)
define(StepFourReq,90 90)

define(StepFiveAddress,"Tutorial-i386.exe"+2505A)
define(StepFiveBytes,8B 00 8D 55 C0)
define(StepFiveIp,"Tutorial-i386.exe"+2505F)
define(StepFiveReq,C7 02 88 13 00 00)

define(StepSixAddress,"Tutorial-i386.exe"+2553D)
define(StepSixBytes,83 AB 78 04 00 00 01)
define(StepSixReq,83 83 78 04 00 00 02)

define(StepSevenAddress,"Tutorial-i386.exe"+262C8)
define(StepSevenBytes,81 78 18 88 13 00 00)
define(StepSevenIp,"Tutorial-i386.exe"+262CF)
define(StepSevenReq,66 C7 40 18 88 13)

define(StepEightAddress,"Tutorial-i386.exe"+26534)
define(StepEightBytes,8B 45 FC 89 43 04)
define(StepEightIp,"Tutorial-i386.exe"+2653A)
define(StepEightReq,66 83 FE 01)

[enable]

assert(StepOneAddress,StepOneBytes)
assert(StepTwoAddress,StepTwoBytes)
assert(StepThreeAddressF,StepThreeBytesF)
assert(StepThreeAddressD,StepThreeBytesD)
assert(StepFourAddress,StepFourBytes)
assert(StepFiveAddress,StepFiveBytes)
assert(StepSixAddress,StepSixBytes)
assert(StepSevenAddress,StepSevenBytes)
assert(StepEightAddress,StepEightBytes)

globalalloc(script,$90)



StepOneAddress:
     jmp StepOne
     nop
StepTwoAddress:
     jmp StepTwo
     nop
StepThreeAddressF:
     jmp StepThreeF
     nop
StepThreeAddressD:
     jmp StepThreeD
     nop
StepFourAddress:
     db StepFourReq
StepFiveAddress:
     jmp StepFive
StepSixAddress:
     db StepSixReq
StepSevenAddress:
     jmp StepSeven
     nop
     nop
StepEightAddress:
     jmp StepEight
     nop

script:



StepOne:
     db StepOneReq
     db StepOneBytes
     jmp StepOneIp

StepTwo:
     db StepTwoReq
     jmp StepTwoIp

StepThreeF:
     db DD D8
      StepThreeReqF
     db StepThreeBytesF
     jmp StepThreeIpF

StepThreeD:
     db DD D8
      StepThreeReqD
     db StepThreeBytesD
     jmp StepThreeIpD

StepFive:
     db StepFiveReq
     db StepFiveBytes
     jmp StepFiveIp

StepSeven:
     db StepSevenReq
     db StepSevenBytes
     jmp StepSevenIp

StepEight:
    db StepEightReq
    jnz StepEightIp
    db StepEightBytes
    jmp StepEightIp

StepThreeValueF:
      StepThreeFloat
StepThreeValueD:
      StepThreeDouble

[disable]

StepOneAddress:
     db StepOneBytes

StepTwoAddress:
     db StepTwoBytes

StepThreeAddressF:
     db StepThreeBytesF
StepThreeAddressD:
     db StepThreeBytesD

StepFourAddress:
     db StepFourBytes

StepFiveAddress:
     db StepFiveBytes

StepSixAddress:
     db StepSixBytes

StepSevenAddress:
     db StepSevenBytes

StepEightAddress:
     db StepEightBytes


64-Bit
Code:
{
Author: OldCheatEngineUser
Website: forum.cheatengine.org
About: cheat engine tutorial version 3.3 script for all steps
Attention: requires "Tutorial-x86_64.exe" from "cheat engine 6.6" directory
ExtraInfo: script wont work on other versions
}

define(here,"Tutorial-x86_64.exe"+2F000)

define(StepOneAddress,"Tutorial-x86_64.exe"+2AD67)
define(StepOneBytes,29 93 90 07 00 00 8B 93 90 07 00 00 48 8D 4D F8)
define(StepOneIp,"Tutorial-x86_64.exe"+2AD77)
define(StepOneReq,BA E8 03 00 00 89 93 90 07 00 00)
define(StepOne...,8B 93 90 07 00 00 48 8D 4D F8)

define(StepTwoAddress,"Tutorial-x86_64.exe"+2B355)
define(StepTwoBytes,29 9E 98 07 00 00 8B 86 98 07 00 00 67 8D 90 30 F8 FF FF)
define(StepTwoIp,"Tutorial-x86_64.exe"+2B368)
define(StepTwoReq,BB 88 13 00 00 89 9E 98 07 00 00)
define(StepTwo...,8B 86 98 07 00 00 67 8D 90 30 F8 FF FF)

define(StepThreeAddressF,"Tutorial-x86_64.exe"+2BDB3)
define(StepThreeBytesF,F3 0F 11 8E B8 07 00 00 C7 44 24 20 04 00 00 00)
define(StepThreeIpF,"Tutorial-x86_64.exe"+2BDC3)
define(StepThreeReqF,B9 88 13 00 00 F3 0F 2A C9)

define(StepThreeAddressD,"Tutorial-x86_64.exe"+2BB8C)
define(StepThreeBytesD,F2 0F 11 83 C0 07 00 00 C7 44 24 20 04 00 00 00)
define(StepThreeIpD,"Tutorial-x86_64.exe"+2BB9C)
define(StepThreeReqD,B9 88 13 00 00 F2 0F 2A C1)

define(StepFourAddress,"Tutorial-x86_64.exe"+2C130)
define(StepFourBytes,89 10)
define(StepFourReq,90 90)

define(StepFiveAddress,"Tutorial-x86_64.exe"+2C62A)
define(StepFiveBytes,74 02)
define(StepFiveReq,EB 02)

define(StepSixAddress,"Tutorial-x86_64.exe"+2CDAB)
define(StepSixBytes,83 AE 80 07 00 00 01)
define(StepSixReq,83 86 80 07 00 00 02)

define(StepSevenAddress,"Tutorial-x86_64.exe"+2DDB2)
define(StepSevenBytes,74 02)
define(StepSevenReq,EB 02)

define(StepEightAddress,"Tutorial-x86_64.exe"+2E0B7)
define(StepEightBytes,F3 0F 11 43 08 F3 0F 10 43 08 0F 2F 05 A8 4E 1D 00)
define(StepEightIp,"Tutorial-x86_64.exe"+2E0C8)
define(StepEightReq,40 80 FE 01)

[enable]

assert(StepOneAddress,StepOneBytes)
assert(StepTwoAddress,StepTwoBytes)
assert(StepThreeAddressF,StepThreeBytesF)
assert(StepThreeAddressD,StepThreeBytesD)
assert(StepFourAddress,StepFourBytes)
assert(StepFiveAddress,StepFiveBytes)
assert(StepSixAddress,StepSixBytes)
assert(StepSevenAddress,StepSevenBytes)
assert(StepEightAddress,StepEightBytes)

globalalloc(script,$9A,here)



StepOneAddress:
     jmp StepOne
     nop
     nop
StepTwoAddress:
     jmp StepTwo
     nop
     nop
     nop
     nop
     nop
StepThreeAddressF:
     jmp StepThreeF
     nop
     nop
StepThreeAddressD:
     jmp StepThreeD
     nop
     nop
StepFourAddress:
     db StepFourReq
StepFiveAddress:
     db StepFiveReq
StepSixAddress:
     db StepSixReq
StepSevenAddress:
     db StepSevenReq
StepEightAddress:
     jmp StepEight
     nop
     nop
     nop

script:



StepOne:
     db StepOneReq
     db StepOne...
     jmp StepOneIp

StepTwo:
     db StepTwoReq
     db StepTwo...
     jmp StepTwoIp

StepThreeF:
     db StepThreeReqF
     db StepThreeBytesF
     jmp StepThreeIpF
StepThreeD:
     db StepThreeReqD
     db StepThreeBytesD
     jmp StepThreeIpD

StepEight:
     db StepEightReq
     jnz StepEightIp
     db StepEightBytes
     jmp StepEightIp

[disable]

StepOneAddress:
     db StepOneBytes

StepTwoAddress:
     db StepTwoBytes

StepThreeAddressF:
     db StepThreeBytesF
StepThreeAddressD:
     db StepThreeBytesD

StepFourAddress:
     db StepFourBytes

StepFiveAddress:
     db StepFiveBytes

StepSixAddress:
     db StepSixBytes

StepSevenAddress:
     db StepSevenBytes

StepEightAddress:
     db StepEightBytes

_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
i am a sweetheart.


Last edited by OldCheatEngineUser on Tue Jan 30, 2018 2:23 pm; edited 2 times in total
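The define/assert/jmp pattern used by both scripts above, worked through in Python as an added example (this is not code from the thread or from Cheat Engine; the function names, the 64-byte sample image and the offsets 0x10 and 0x30 are mine, only the StepOneBytes value is taken from the script). It shows what assert(address, bytes) guards against, how the jmp plus nop padding at a hook site is sized from the length of the displaced instruction, why the 64-bit script hands globalalloc a preferred address next to the module (a rel32 jmp only reaches a signed 32-bit displacement), and that the same expected-bytes comparison is what an integrity check uses to notice that a code site has been altered.

```python
"""Expected-bytes verification and jmp-trampoline sizing (added example, not from the thread)."""
from __future__ import annotations

JMP_REL32_LEN = 5   # E9 opcode + 4-byte signed displacement
NOP = 0x90


def parse_bytes(text: str) -> bytes:
    """Turn a Cheat Engine style hex list such as '89 83 80 04 00 00' into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def check_site(memory: bytes, offset: int, expected: bytes) -> bool:
    """What assert(address, bytes) does: True only if the bytes at offset are exactly the expected ones."""
    return bytes(memory[offset:offset + len(expected)]) == expected


def build_jmp_patch(site_rva: int, target_rva: int, original_len: int) -> bytes:
    """Encode 'jmp target' at site_rva, padded with nops to the length of the displaced instruction(s).

    The displacement is relative to the end of the jmp and must fit a signed 32-bit value; that is
    why the 64-bit script passes a preferred address near the module to globalalloc. An unreachable
    cave makes to_bytes raise OverflowError instead of silently encoding a wrong target.
    """
    if original_len < JMP_REL32_LEN:
        raise ValueError("a rel32 jmp needs at least 5 bytes at the hook site")
    rel = target_rva - (site_rva + JMP_REL32_LEN)
    disp = rel.to_bytes(4, "little", signed=True)
    return bytes([0xE9]) + disp + bytes([NOP]) * (original_len - JMP_REL32_LEN)


def apply_patch(memory: bytearray, offset: int, expected: bytes, patch: bytes) -> None:
    """Write patch over expected, but only after the assert-style check passes (so no double patching)."""
    if len(patch) != len(expected):
        raise ValueError("patch must cover exactly the displaced bytes")
    if not check_site(memory, offset, expected):
        raise RuntimeError("bytes at the site do not match the expected original; refusing to patch")
    memory[offset:offset + len(patch)] = patch


def modified_sites(memory: bytes, sites: dict[str, tuple[int, bytes]]) -> list[str]:
    """Integrity view of the same comparison: names of sites whose bytes no longer match the clean image."""
    return [name for name, (offset, expected) in sites.items() if not check_site(memory, offset, expected)]


def demo() -> tuple[list[str], list[str], list[str]]:
    """Run enable, integrity scan and disable against a constructed 64-byte image (not a real module)."""
    step_one = parse_bytes("89 83 80 04 00 00")          # the script's StepOneBytes: mov [ebx+480],eax
    image = bytearray(b"\xCC" * 0x40)                    # constructed sample image filled with int3
    image[0x10:0x10 + len(step_one)] = step_one          # assume the hook site sits at offset 0x10
    sites = {"StepOne": (0x10, step_one)}

    before = modified_sites(image, sites)                # clean image: nothing reported
    patch = build_jmp_patch(0x10, 0x30, len(step_one))   # jmp to a cave at 0x30 plus one nop
    apply_patch(image, 0x10, step_one, patch)            # [enable]
    during = modified_sites(image, sites)                # the hooked site is now reported
    image[0x10:0x10 + len(step_one)] = step_one          # [disable]: write the saved bytes back
    after = modified_sites(image, sites)
    return before, during, after


if __name__ == "__main__":
    print(demo())
```

Note that the padding rule here is the conservative one (pad to the full length of every instruction the jmp overlaps); the scripts above pad by hand, so the nop counts after each jmp are the values this function would compute for 6-, 7- and 8-byte displaced sequences.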
TheyCallMeTim13
Posted: Sun Jan 28, 2018 5:56 pm

This works for the x32 Tutorial versions 3.3 and 3.4:

Code:
{$STRICT}
define(step2Bytes, 89 83 80 04 00 00)
define(step3OldBytes, 83 C0 01 89 C3 29)
   // add eax,01
   // mov ebx,eax
   // sub // sub [esi+00000484],ebx
define(step3NewBytes, BB 88 13 00 00 89)
   // mov ebx,00001388 // mov ebx,(int)5000
   // mov // mov [esi+00000484],ebx
define(step4Bytes, D9 9E 94 04 00 00)
define(step5Bytes, 89 10)
define(step6Bytes, 89 02)
define(step7OldBytes, 83 AB 78 04 00 00 01)
   // sub dword ptr [ebx+00000478],01
define(step7NewBytes, 83 83 78 04 00 00 02)
   // add dword ptr [ebx+00000478],02
define(bytes, A1 60 C6 5F 00)
define(step8WrtBytes, 89 42 18 8B 45 DC)
define(step9Bytes, 8B 45 FC 89 43 04)
////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
aobScanModule(aobStep2Hook, Tutorial-i386.exe, 8Dxxxx8Bxxxxxxxxxx29xx89xxxxxxxxxx8DxxxxE8xxxxxxxx8Bxxxx8BxxxxxxxxxxE8xxxxxxxx83xxxxxxxxxxxx)
define(injStep2Hook, aobStep2Hook+B)
assert(injStep2Hook, step2Bytes)
registerSymbol(injStep2Hook)
alloc(memStep2Hook, 0x400, injStep2Hook)
label(ptrStep2Hook)
registerSymbol(ptrStep2Hook)
label(step2n_code)
label(step2o_code)
label(step2exit)
label(step2return)
memStep2Hook:
   ptrStep2Hook:
      dd 0
   align 10 CC
   step2n_code:
      mov [ptrStep2Hook],ebx
      mov eax,(int)1000
   step2o_code:
      mov [ebx+00000480],eax
   step2exit:
      jmp step2return
////
//// ---------- Injection Point ----------
injStep2Hook:
   jmp step2n_code
   nop
   step2return:


aobScanModule(aobStep3Hook, Tutorial-i386.exe, 83xxxx89xx29xxxxxxxxxx8Bxxxxxxxxxx8Dxxxxxxxxxx8BxxxxxxxxxxE8xxxxxxxx83xxxxxxxxxxxx)
define(injStep3Hook, aobStep3Hook)
assert(injStep3Hook, step3OldBytes)
registerSymbol(injStep3Hook)
////
//// ---------- Injection Point ----------
injStep3Hook:
   db step3NewBytes


aobScanModule(aobStep4Hook, Tutorial-i386.exe, DBxxxxDBxxxxxxxxD9xxxxD9xxxxD8xxxxxxxxxxD9xxxxxxxxxxFFxxxxxxxxxx8DxxxxxxB9xxxxxxxxBAxxxxxxxxB8xxxxxxxx)
define(injStep4Hook, aobStep4Hook+14)
assert(injStep4Hook, step4Bytes)
registerSymbol(injStep4Hook)
alloc(memStep4Hook, 0x400, injStep4Hook)
label(ptrStep4Hook)
registerSymbol(ptrStep4Hook)
label(step4n_code)
label(step4o_code)
label(step4exit)
label(step4return)
memStep4Hook:
   dq (double)5000
   align 10 CC
   ptrStep4Hook:
      dd 0
   align 10 CC
   step4n_code:
      mov [ptrStep4Hook],esi
      fstp st(0)
      mov [esi+494],(float)5000
      fld qword ptr [memStep4Hook]
      fstp qword ptr [esi+498]
   step4o_code:
      // fstp dword ptr [esi+00000494]
   step4exit:
      jmp step4return
////
//// ---------- Injection Point ----------
injStep4Hook:
   jmp step4n_code
   nop
   step4return:


aobScanModule(aobStep5Hook, Tutorial-i386.exe, 8Bxxxx8Bxxxxxxxxxx8Bxxxx89xx8Bxxxx8Bxxxxxxxxxx8Bxx3Bxxxx)
define(injStep5Hook, aobStep5Hook+C)
assert(injStep5Hook, step5Bytes)
registerSymbol(injStep5Hook)
////
//// ---------- Injection Point ----------
injStep5Hook:
   db 90 90


aobScanModule(aobStep6Hook, Tutorial-i386.exe, 8Bxxxx3Bxxxx74xxEBxx8Bxxxxxxxxxx8Bxxxx89xxA1xxxxxxxx8Bxx3Bxxxx)
define(injStep6Hook, aobStep6Hook+13)
assert(injStep6Hook, step6Bytes)
registerSymbol(injStep6Hook)
////
//// ---------- Injection Point ----------
injStep6Hook:
   db 90 90


aobScanModule(aobStep7Hook, Tutorial-i386.exe, 8Bxxxxxxxxxx83xxxxxxxxxxxx8Bxxxxxxxxxx8DxxxxE8xxxxxxxx8Bxxxx8BxxxxxxxxxxE8xxxxxxxx8Bxxxxxxxxxx)
define(injStep7Hook, aobStep7Hook+6)
assert(injStep7Hook, step7OldBytes)
registerSymbol(injStep7Hook)
////
//// ---------- Injection Point ----------
injStep7Hook:
   db step7NewBytes


aobScanModule(aobStep8Hook, Tutorial-i386.exe, A1xxxxxxxx89xxxx8Bxxxx8Bxxxx8Bxx3Bxxxx74xxEBxx8Bxxxx8Bxxxx8Bxxxx3Bxxxx)
define(ptrStep8Hook, aobStep8Hook+1)
registerSymbol(ptrStep8Hook)


aobScanModule(aobStep8WrtHook, Tutorial-i386.exe, 8Bxxxx89xxxx8Bxxxx8Bxxxx8DxxxxE8xxxxxxxx8Bxxxx8Bxxxx8Bxxxxxxxxxx)
define(injStep8WrtHook, aobStep8WrtHook+3)
assert(injStep8WrtHook, step8WrtBytes)
registerSymbol(injStep8WrtHook)
alloc(memStep8WrtHook, 0x400, injStep8WrtHook)
label(ptrStep8WrtHook)
registerSymbol(ptrStep8WrtHook)
label(step8wrtn_code)
label(step8wrto_code)
label(step8wrtexit)
label(step8wrtreturn)
memStep8WrtHook:
   ptrStep8WrtHook:
      dd 0
   align 10 CC
   step8wrtn_code:
      mov [ptrStep8WrtHook],edx
      mov eax,(int)5000
   step8wrto_code:
      mov [edx+18],eax
      mov eax,[ebp-24]
   step8wrtexit:
      jmp step8wrtreturn
////
//// ---------- Injection Point ----------
injStep8WrtHook:
   jmp step8wrtn_code
   nop
   step8wrtreturn:


aobScanModule(aobStep9Hook, Tutorial-i386.exe, 8Bxxxx89xxxx8Bxxxx89xxxxxxxxD9xxxxxxxxxxxxxx7Axx75xx8Bxxxx)
define(injStep9Hook, aobStep9Hook+6)
assert(injStep9Hook, step9Bytes)
registerSymbol(injStep9Hook)
alloc(memStep9Hook, 0x400, injStep9Hook)
label(ptrStep9Hook)
registerSymbol(ptrStep9Hook)
label(step9n_code)
label(step9o_code)
label(step9exit)
label(step9return)
memStep9Hook:
   ptrStep9Hook:
      dd 0
      dd 0
   align 10 CC
   step9n_code:
      pushfd
      cmp [ebx+10],1
      jne @f
         mov eax,(float)5000
         jmp step9o_code
      @@:
      mov eax,0
   step9o_code:
      // mov eax,[ebp-04]
      mov [ebx+04],eax
   step9exit:
      popfd
      jmp step9return
////
//// ---------- Injection Point ----------
injStep9Hook:
   jmp step9n_code
   nop
   step9return:



////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
////
//// ---------- Injection Point ----------
injStep2Hook:
   db step2Bytes
unregisterSymbol(injStep2Hook)
unregisterSymbol(ptrStep2Hook)
dealloc(memStep2Hook)


////
//// ---------- Injection Point ----------
injStep3Hook:
   db step3OldBytes
unregisterSymbol(injStep3Hook)


////
//// ---------- Injection Point ----------
injStep4Hook:
   db step4Bytes
unregisterSymbol(injStep4Hook)
unregisterSymbol(ptrStep4Hook)
dealloc(memStep4Hook)


////
//// ---------- Injection Point ----------
injStep5Hook:
   db step5Bytes
unregisterSymbol(injStep5Hook)


////
//// ---------- Injection Point ----------
injStep6Hook:
   db step6Bytes
unregisterSymbol(injStep6Hook)


////
//// ---------- Injection Point ----------
injStep7Hook:
   db step7OldBytes
unregisterSymbol(injStep7Hook)


unregisterSymbol(ptrStep8Hook)


////
//// ---------- Injection Point ----------
injStep8WrtHook:
   db step8WrtBytes
unregisterSymbol(injStep8WrtHook)
unregisterSymbol(ptrStep8WrtHook)
dealloc(memStep8WrtHook)


////
//// ---------- Injection Point ----------
injStep9Hook:
   db step9Bytes
unregisterSymbol(injStep9Hook)
unregisterSymbol(ptrStep9Hook)
dealloc(memStep9Hook)



This works for the x64 Tutorial versions 3.3 and 3.4:
Code:
{$STRICT}
define(step2Bytes, 29 93 90 07 00 00)
define(step3OldBytes, 67 8D 40 01 89 C3 29)
define(step3NewBytes, BB 88 13 00 00 90 89)
define(step4Bytes, F3 0F 11 8E B8 07 00 00)
define(step5Bytes, 89 10)
define(step6Bytes, 89 02)
define(step7OldBytes, 83 AE 80 07 00 00 01)
   // sub dword ptr [rsi+00000780],01
define(step7NewBytes, 83 86 80 07 00 00 02)
   // add dword ptr [rsi+00000780],02
define(step8Bytes, 48 8B 05)
define(step8wrtBytes, 89 42 18 48 8B 45 B8)
define(step9Bytes, F3 0F 11 43 08)
////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
aobScanModule(aobStep2Hook, Tutorial-x86_64.exe, 67xxxxxx29xxxxxxxxxx8Bxxxxxxxxxx48xxxxxxE8xxxxxxxx48xxxxxx48xxxxxxxxxxxx)
define(injStep2Hook, aobStep2Hook+4)
assert(injStep2Hook, step2Bytes)
registerSymbol(injStep2Hook)
alloc(memStep2Hook, 0x400, injStep2Hook)
label(ptrStep2Hook)
registerSymbol(ptrStep2Hook)
label(step2n_code)
label(step2o_code)
label(step2exit)
label(step2return)
memStep2Hook:
   ptrStep2Hook:
      dq 0
   align 10 CC
   step2n_code:
      mov [ptrStep2Hook],rbx
      mov edx,(int)1000
      mov [rbx+00000790],edx
   step2o_code:
      // sub [rbx+00000790],edx
   step2exit:
      jmp step2return
////
//// ---------- Injection Point ----------
injStep2Hook:
   jmp step2n_code
   nop
   step2return:


aobScanModule(aobStep3Hook, Tutorial-x86_64.exe, 67xxxxxx89xx29xxxxxxxxxx8Bxxxxxxxxxx67xxxxxxxxxxxx48xxxxxxxxxxxxE8xxxxxxxx83xxxxxxxxxxxx7Dxx48xxxxxxxxxxxxE8xxxxxxxxB9xxxxxxxxE8xxxxxxxx89xxxxxxxxxx)
define(injStep3Hook, aobStep3Hook)
assert(injStep3Hook, step3OldBytes)
registerSymbol(injStep3Hook)
////
//// ---------- Injection Point ----------
injStep3Hook:
   db step3NewBytes


aobScanModule(aobStep4Hook, Tutorial-x86_64.exe, F2xxxxxxF2xxxxxxF2xxxxxxF3xxxxxxxxxxxxxxF3xxxxxxF3xxxxxxxxxxxxxxC7xxxxxxxxxxxxxxF3xxxxxxxxxxxxxx48xxxxxx41xxxxxxxxxx41xxxxxxxxxx)
define(injStep4Hook, aobStep4Hook+18)
assert(injStep4Hook, step4Bytes)
registerSymbol(injStep4Hook)
alloc(memStep4Hook, 0x400, injStep4Hook)
label(ptrStep4Hook)
registerSymbol(ptrStep4Hook)
label(step4n_code)
label(step4o_code)
label(step4exit)
label(step4return)
memStep4Hook:
   dq (double)5000
   align 10 CC
   ptrStep4Hook:
      dq 0
   align 10 CC
   step4n_code:
      mov [ptrStep4Hook],rsi
      mov [rsi+7B8],(float)5000
      movsd xmm1,[memStep4Hook]
      movsd [rsi+7C0],xmm1
   step4o_code:
      // movss [rsi+000007B8],xmm1
   step4exit:
      jmp step4return
////
//// ---------- Injection Point ----------
injStep4Hook:
   jmp step4n_code
   nop
   nop
   nop
   step4return:


aobScanModule(aobStep5Hook, Tutorial-x86_64.exe, 48xxxxxx48xxxxxxxxxxxx8Bxxxx89xx48xxxxxx48xxxxxxxxxxxx8Bxx3Bxxxx)
define(injStep5Hook, aobStep5Hook+E)
assert(injStep5Hook, step5Bytes)
registerSymbol(injStep5Hook)
////
//// ---------- Injection Point ----------
injStep5Hook:
   db 90 90


aobScanModule(aobStep6Hook, Tutorial-x86_64.exe, 48xxxxxxxxxxxx8Bxxxx89xx48xxxxxxxxxxxx8Bxx3Bxxxx74xxEBxx48xxxxxx48xxxxxxxxxxxxBAxxxxxxxx48xxxxxx48xxxxxxxxxxxx48xxxx)
define(injStep6Hook, aobStep6Hook+A)
assert(injStep6Hook, step6Bytes)
registerSymbol(injStep6Hook)
////
//// ---------- Injection Point ----------
injStep6Hook:
   db 90 90


aobScanModule(aobStep7Hook, Tutorial-x86_64.exe, 8Bxxxxxxxxxx83xxxxxxxxxxxx8Bxxxxxxxxxx48xxxxxxE8xxxxxxxx48xxxxxx48xxxxxxxxxxxx)
define(injStep7Hook, aobStep7Hook+6)
assert(injStep7Hook, step7OldBytes)
registerSymbol(injStep7Hook)
////
//// ---------- Injection Point ----------
injStep7Hook:
   db step7NewBytes


aobScanModule(aobStep8Hook, Tutorial-x86_64.exe, 48xxxxxxxxxxxx48xxxxxx48xxxxxx48xxxxxx8Bxx3Bxxxx74xxEBxx48xxxxxx48xxxxxx8Bxxxx3Bxxxx74xxEBxx48xxxxxx48xxxxxx8Bxxxx3Bxxxx74xxEBxx48xxxxxx48xxxxxx8Bxxxx3Bxxxx74xxEBxx48xxxxxx48xxxxxx8Bxxxx3Bxxxx74xxEBxx48xxxxxxxxxxxxE8xxxxxxxxE9xxxxxxxx48xxxxxx48xxxxxxxx74xxEBxxE9xxxxxxxx48xxxxxx48xxxxxx48xxxxxx48xxxxxx48xxxxxx8Bxx3Bxxxx)
define(injStep8Hook, aobStep8Hook)
assert(injStep8Hook, step8Bytes)
registerSymbol(injStep8Hook)
alloc(memStep8Hook, 0x400, injStep8Hook)
label(ptrStep8Hook)
registerSymbol(ptrStep8Hook)
label(instStep8Hook)
registerSymbol(instStep8Hook)
label(step8n_code)
label(step8o_code)
label(step8exit)
label(step8return)
memStep8Hook:
   ptrStep8Hook:
      dq 0
   align 10 CC
   step8n_code:
      reassemble(injStep8Hook)
      mov [ptrStep8Hook],rax
   step8o_code:
      // mov rax,[1002CAA70]
   step8exit:
      jmp step8return
   instStep8Hook:
      reassemble(injStep8Hook)
////
//// ---------- Injection Point ----------
injStep8Hook:
   jmp step8n_code
   nop
   nop
   step8return:


aobScanModule(aobStep8WrtHook, Tutorial-x86_64.exe, B9xxxxxxxxE8xxxxxxxx48xxxxxx89xxxx48xxxxxx8Bxxxx48xxxxxxE8xxxxxxxx48xxxxxx48xxxxxx48xxxxxxxxxxxxE8xxxxxxxx48xxxxxx48xxxxxxxxxxxx48xxxxxx48xxxxxxxxxxxx48xxxxFFxxxxxxxxxxC7xxxxxxxxxxxx8Bxxxx48xxxxxxE8xxxxxxxx)
define(injStep8WrtHook, aobStep8WrtHook+E)
assert(injStep8WrtHook, step8wrtBytes)
registerSymbol(injStep8WrtHook)
alloc(memStep8WrtHook, 0x400, injStep8WrtHook)
label(ptrStep8WrtHook)
registerSymbol(ptrStep8WrtHook)
label(step8wrtn_code)
label(step8wrto_code)
label(step8wrtexit)
label(step8wrtreturn)
memStep8WrtHook:
   ptrStep8WrtHook:
      dq 0
   align 10 CC
   step8wrtn_code:
      mov [ptrStep8WrtHook],rdx
      mov eax,(int)5000
   step8wrto_code:
      mov [rdx+18],eax
      mov rax,[rbp-48]
   step8wrtexit:
      jmp step8wrtreturn
////
//// ---------- Injection Point ----------
injStep8WrtHook:
   jmp step8wrtn_code
   nop
   nop
   step8wrtreturn:


aobScanModule(aobStep9Hook, Tutorial-x86_64.exe, F3xxxxxxxxF3xxxxxxF3xxxxxxxxxxxxxx0F2Fxx7Axx72xx0F28xxF3xxxxxxxxF3xxxxxxxx0F2Fxxxxxxxxxx7Axx75xx48xxxxxx48xxxxxxxxxxxxE8xxxxxxxxEBxxF3xxxxxxxx48xxxxxxE8xxxxxxxx48xxxxxx48xxxxxx48xxxxxxxxxxxxxx)
define(injStep9Hook, aobStep9Hook+1B)
assert(injStep9Hook, step9Bytes)
registerSymbol(injStep9Hook)
alloc(memStep9Hook, 0x400, injStep9Hook)
label(ptrStep9Hook)
registerSymbol(ptrStep9Hook)
label(step9n_code)
label(step9o_code)
label(step9exit)
label(step9return)
memStep9Hook:
   ptrStep9Hook:
      dq 0
   align 10 CC
   step9n_code:
      pushfq
      mov [ptrStep9Hook],rbx
      cmp dword ptr [rbx+14],1
      jne @f
         mov dword ptr [rbx+08],(float)5000
         jmp step9o_code
      @@:
      mov dword ptr [rbx+08],0
   step9o_code:
      // movss [rbx+08],xmm0
   step9exit:
      popfq
      jmp step9return
////
//// ---------- Injection Point ----------
injStep9Hook:
   jmp step9n_code
   step9return:


////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
////
//// ---------- Injection Point ----------
injStep2Hook:
   db step2Bytes
unregisterSymbol(injStep2Hook)
unregisterSymbol(ptrStep2Hook)
dealloc(memStep2Hook)


////
//// ---------- Injection Point ----------
injStep3Hook:
   db step3OldBytes
unregisterSymbol(injStep3Hook)


////
//// ---------- Injection Point ----------
injStep4Hook:
   db step4Bytes
unregisterSymbol(injStep4Hook)
unregisterSymbol(ptrStep4Hook)
dealloc(memStep4Hook)


////
//// ---------- Injection Point ----------
injStep5Hook:
   db step5Bytes
unregisterSymbol(injStep5Hook)


////
//// ---------- Injection Point ----------
injStep6Hook:
   db step6Bytes
unregisterSymbol(injStep6Hook)


////
//// ---------- Injection Point ----------
injStep7Hook:
   db step7OldBytes
unregisterSymbol(injStep7Hook)


////
//// ---------- Injection Point ----------
injStep8Hook:
   reassemble(instStep8Hook)
unregisterSymbol(injStep8Hook)
unregisterSymbol(ptrStep8Hook)
unregisterSymbol(instStep8Hook)
dealloc(memStep8Hook)


////
//// ---------- Injection Point ----------
injStep8WrtHook:
   db step8wrtBytes
unregisterSymbol(injStep8WrtHook)
unregisterSymbol(ptrStep8WrtHook)
dealloc(memStep8WrtHook)


////
//// ---------- Injection Point ----------
injStep9Hook:
   db step9Bytes
unregisterSymbol(injStep9Hook)
unregisterSymbol(ptrStep9Hook)
dealloc(memStep9Hook)

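What the aobScanModule / define(+offset) / assert lines in the two scripts above do, as an added Python example (not code from the thread or from Cheat Engine; the function names and the 63-byte sample buffer are constructed by me, while the pattern, the +6 offset and the expected bytes are the ones the 32-bit step7 hook uses). Wildcards (xx or ??) match any byte, the scan has to produce exactly one hit because a second match would leave the injection address ambiguous, the offset selects the injection point inside the match, and the expected-bytes check guards the write. The same wildcard matching, run in the other direction over a memory dump, is how a signature-based scanner recognises a known code sequence whose operands vary between builds.

```python
"""Wildcard byte-pattern scan and injection-point resolution (added example, not from the thread)."""
from __future__ import annotations

# The step7 scan from the 32-bit script above, copied verbatim.
STEP7_PATTERN = "8Bxxxxxxxxxx83xxxxxxxxxxxx8Bxxxxxxxxxx8DxxxxE8xxxxxxxx8Bxxxx8BxxxxxxxxxxE8xxxxxxxx8Bxxxxxxxxxx"
STEP7_OFFSET = "6"                       # define(injStep7Hook, aobStep7Hook+6)
STEP7_EXPECTED = "83 AB 78 04 00 00 01"  # step7OldBytes: sub dword ptr [ebx+478],01

# Constructed sample buffer (not the tutorial binary): padding, one instruction run that satisfies
# the pattern, and padding again. Offsets are noted so the expected results are easy to follow.
SAMPLE = bytes.fromhex(
    "CCCCCCCCCCCCCCCC"    # offset 0: padding
    "8B8378040000"        # offset 8: mov eax,[ebx+478]           pattern start
    "83AB7804000001"      # offset 14: sub dword ptr [ebx+478],01  injection point (start + 6)
    "8B9378040000"        # mov edx,[ebx+478]
    "8D45F0"              # lea eax,[ebp-10]
    "E800000000"          # call rel32 (displacement left zero in this sample)
    "8B45F0"              # mov eax,[ebp-10]
    "8B8300050000"        # mov eax,[ebx+500]
    "E800000000"          # call rel32
    "8B8304050000"        # mov eax,[ebx+504]
    "CCCCCCCCCCCCCCCC"    # padding
)


def parse_aob(pattern: str) -> list[int | None]:
    """Parse a CE-style pattern into a list of byte values; None stands for a wildcard (xx or ??)."""
    text = pattern.replace(" ", "")
    if len(text) % 2:
        raise ValueError("pattern must contain whole bytes")
    out: list[int | None] = []
    for i in range(0, len(text), 2):
        tok = text[i:i + 2]
        out.append(None if tok.lower() in ("xx", "??") else int(tok, 16))
    return out


def aob_scan(buf: bytes, pattern: list[int | None]) -> list[int]:
    """Return every offset at which the pattern matches; wildcards match any byte."""
    n = len(pattern)
    return [
        i for i in range(len(buf) - n + 1)
        if all(p is None or buf[i + j] == p for j, p in enumerate(pattern))
    ]


def resolve_injection_point(buf: bytes, pattern_text: str, offset_hex: str, expected_hex: str) -> int:
    """aobScanModule + define(+offset) + assert in one step: the verified injection offset, or an error."""
    hits = aob_scan(buf, parse_aob(pattern_text))
    if len(hits) != 1:
        raise LookupError(f"pattern matched {len(hits)} times; exactly one match is required")
    inj = hits[0] + int(offset_hex, 16)
    expected = bytes.fromhex(expected_hex.replace(" ", ""))
    if buf[inj:inj + len(expected)] != expected:
        raise RuntimeError("bytes at the injection point are not the expected ones")
    return inj


if __name__ == "__main__":
    print(aob_scan(SAMPLE, parse_aob(STEP7_PATTERN)))
    print(resolve_injection_point(SAMPLE, STEP7_PATTERN, STEP7_OFFSET, STEP7_EXPECTED))
```

The scan is the plain quadratic one; it is enough for a module-sized buffer and keeps the wildcard semantics obvious. The two failure modes a practitioner cares about are both surfaced as exceptions: a pattern that is no longer unique (ambiguous address) and a match whose bytes at the chosen offset differ from what the patch expects (a different build, or a site someone else already modified).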
OldCheatEngineUser
Posted: Sun Jan 28, 2018 6:05 pm

Thanks for sharing, Tim, appreciate it.
I'll give it a try.

FreeER
Posted: Sun Jan 28, 2018 9:38 pm

Oh are we sharing a single script to do the entire tutorial?

Here's mine, works on everything.
Code:
[ENABLE]
{$lua}
-- CE does not clear the symbol list when attaching to a new process, so we do it
onOpenProcess = function(pid)
  autoAssemble[[
    unregisterSymbol(bypassThread)
    unregisterSymbol(info)
    unregisterSymbol(quit)
  ]]
end
{$asm}

globalalloc(bypassThread, $1000)
createThread(bypassThread)
bypassThread:
  cmp [quit], 0
  je @f
  ret // keeping it simple by just returning and leaking the memory
@@:
  push #100
  call mysleep
  call getForegroundWindow
  push nextCaption
  push 0
  push 0
  push rax
  call FindWindowEx
  mov [info], rax
  test rax,rax
  jz bypassThread
  push 1      // true
  push rax    // hwnd
  call myEnableWindow
  jmp bypassThread
nextCaption:
  db 'Next',0
mysleep:
{$lua}
  if targetIs64Bit() then
    return [[
      pop rax // return address
      pop rcx
      push rax
    ]]
  end
{$asm}
  jmp sleep
FindWindowEx:
{$lua}
  if targetIs64Bit() then return [[
    pop rax // return address
    pop rcx
    pop rdx
    pop r8
    pop r9
    push rax
  ]]
  end
{$asm}
  jmp FindWindowExA
myEnableWindow:
{$lua}
  if targetIs64Bit() then return [[
    pop rax // return address
    pop rcx
    pop rdx
    push rax
  ]]
  end
{$asm}
  jmp EnableWindow
quit:
  dd 0
info:
  resq 1

registerSymbol(info)
registerSymbol(quit)
[DISABLE]
{$lua}
-- if the process is still running then stop the thread by writing 1 to quit
if readInteger(process) ~= nil then return 'quit:\ndd 1' end
{$asm}
unregisterSymbol(info)
unregisterSymbol(quit)
unregisterSymbol(bypassThread)


Yeah, I'm kind of cheating on the x64 code without any shadowspace but... I didn't have any issues so presumably none of those functions actually need it lol
TheyCallMeTim13
Posted: Mon Jan 29, 2018 12:11 am

FreeER wrote:
...


So what is your code doing? All the "next" buttons were enabled but all the values were still affected. Is it just enabling the buttons, or is it bypassing the checks? I couldn't really figure it out, but it's very clean and short.

OldCheatEngineUser
Posted: Mon Jan 29, 2018 12:25 am

Tim, your code looks great and working.

About FreeER, he is enabling the button, just similar to assembly: mov dl, 01

TheyCallMeTim13
Posted: Mon Jan 29, 2018 12:51 am

Yeah, the caption label set to "Next", had me thinking that. But it's an interesting approach, never even thought about it. I think this punts the box I was in, right out the window. I say PROPs @FreeER, PROPs.
FreeER
Posted: Mon Jan 29, 2018 6:45 am

Yep, it just enables the "Next" button. Which is really the goal of the "game".
With the Windows API it should be the same for every OS version and architecture (x86/x64) as long as the Next button stays a child of the main window (with the same caption of course), though it may turn out that the shadowspace is required for some combination (unlikely but).

I managed to get that working in a C/CPP program after finding the dissect windows feature one day and wondering if I could use that to automatically enable the button. I did some work in C to try and automatically find the tutorial window but it'd only work if it had just been opened since it was based on the window caption which is different for each step. When I saw this and decided to make it a single AA script I decided to just check if the foreground window had a child window with the caption "Next" instead so that it could work at any point and without the need for a callback from windows like EnumWindows does.

Part of the reason I shared it is that it does indeed account for everything, but it also uses several features (createThread, lua, globalalloc, "Win API" which isn't a feature but also isn't something you see too often in hacks, etc.) and achieves the result in such a drastically different way from what people often expect (actually changing the value as intended or changing the checks to pass) which I enjoy.
TheyCallMeTim13
Posted: Mon Jan 29, 2018 8:45 am

FreeER wrote:
... achieves the result in such a drastically different way from what people often expect (actually changing the value as intended or changing the checks to pass) which I enjoy


I think this definitely shows there are many ways to reach a goal, which is one of the hardest things to teach about CE or anything in life really. And like you said, when using CE all that matters is you reach your goal and get the desired effect.

I have to admit a small part of me was like "no way he cheated". Then it's like how do you cheat at cheating, and in the end I don't think anyone can. I think I just wished I had come up with that, but such is life. And in the end I'm just fascinated by the approach more than anything.

FreeER
Posted: Mon Jan 29, 2018 9:03 am

Yeah it can be difficult to explain that there are multiple approaches, especially when the tutorial asks for very specific settings to pass.

And yeah, I can totally understand the "that's cheating" feeling, and in a way it could be in the sense that it doesn't solve each step any more than clicking the skip button. For the most part what each task is doesn't matter, what the values are don't matter, how many sub-tasks there are don't matter, changing addresses don't matter, etc. The code itself does not matter with this approach. Which could easily be considered cheating if you assumed that you were supposed to "beat" each challenge in some way that demonstrates something new (which is the point of the tutorial, introducing new concepts one step at a time).

Unfortunately games do not use Windows' windows so this is never directly usable with any of them (there may be very rare exceptions)
TheyCallMeTim13
Posted: Mon Jan 29, 2018 9:15 am

Yeah, I liked it, would have given +Rep but you were the last person I gave +Rep to. It just sucks when you figure out you were thinking in a box that got booted out the window, and you can't even figure out why you were in the box to begin with.
OldCheatEngineUser
Posted: Tue Jan 30, 2018 2:10 pm

update:
- 64 bit version added

All times are GMT - 6 Hours