 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
deviluc
Cheater
![]() Reputation: 1
Joined: 02 Jun 2010
Posts: 28
|
 Posted: Sat Jan 26, 2013 4:30 pm Post subject: [ASM] Unknown crash reason |
 |
|
I've got a problem, I'm trying to make a speedhack for Assault Cube (for testing purpose only) but everytime I try to inject the code, the game crashes with the following error message (which I don't understand):
666kb(dot)com/i/cb18oe19zdvyg31e4.jpg
Here is the sourcecode:
| Code: | [ENABLE]
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(speedx)
label(speedxl)
label(init)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
cmp [004FA0D4], 0 //first run?
je init
cmp edx,[005AFB4] //changed x value?
jg speedx //bigger?
jl speedxl //smaller?
mov [esi+34],edx //write x-pos
mov [005AFB4],edx //save current x-pos
jmp returnhere
speedx: //walk in + direction
mov [ebp],edx
sub ebp,[005AFB4] //walk distance
add edx,ebp //double "walked" distance
mov [esi+34],edx //write x-pos
mov [ebp],A //reset ebp
jmp returnhere
speedxl: //walk in - direction
mov [ebp],edx
sub [005AFB4],ebp //walk distance
sub edx,ebp //double "walked" distance
mov [esi+34],edx //write x-pos
mov [ebp],A //reset ebp
jmp returnhere
init: //first run
mov [esi+34],edx //write x-pos
mov [005AFB4],edx //save current x-pos
jmp returnhere
originalcode:
exit:
jmp returnhere
"ac_client.exe"+554E8:
jmp newmem
nop
returnhere:
[DISABLE]
dealloc(newmem)
"ac_client.exe"+554E8:
mov [esi+34],edx
mov [esi+38],eax |
I know this is only for the x-position, but I can't go on if it's not working.
The x-position is stored as float.
I would really appreciate if someone could help me...
Last edited by deviluc on Sun Feb 17, 2013 1:57 pm; edited 2 times in total |
|
| Back to top |
|
 |
Dark Byte
Site Admin
 Reputation: 471
Joined: 09 May 2003
Posts: 25824
Location: The netherlands
|
| Posted: Sun Jan 27, 2013 2:43 am Post subject: |
|
|
Is 005AFB4 writable ?
mov [esi+38],eax is never executed
Are you sure EBP is at ALL time A when that code executes?
You also never restore the ebp register
and the check for 004FA0D4 isn't doing much as 004FA0D4 is never written in init
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
deviluc
Cheater
![]() Reputation: 1
Joined: 02 Jun 2010
Posts: 28
|
| Posted: Sun Jan 27, 2013 5:57 am Post subject: |
|
|
Thank you for the quick response, as you supposed 005AFB4 is not writable all the time, so I changed it to esi+34 (which does the same I think).
I put mov [esi+38],eax in the code again and instead of using EBP, I'm using the RAX and RCX registers.
The init check was optimised aswell.
Here is the changed code:
| Code: | [ENABLE]
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(speedx)
label(speedxl)
label(init)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
cmp [004FA0D4], 0
je init
cmp edx,[esi+34]
jg speedx
jl speedxl
mov [esi+34],edx
mov [esi+38],eax
jmp returnhere
speedx:
mov [esi+34],edx
mov rax,edx
sub rax,[esi+34]
add edx,[rax]
mov [esi+34],edx
mov [esi+38],eax
jmp returnhere
speedxl:
mov [esi+34],edx
mov [rax],edx
mov rcx,[esi+34]
sub rax,rcx
sub edx,rax
mov [esi+34],edx
mov [esi+38],eax
jmp returnhere
init:
mov [esi+34],edx
mov [esi+38],eax
mov [004FA0D4], 1
jmp returnhere
originalcode:
exit:
jmp returnhere
"ac_client.exe"+554E8:
jmp newmem
nop
returnhere:
[DISABLE]
dealloc(newmem)
"ac_client.exe"+554E8:
mov [esi+34],edx
mov [esi+38],eax |
The problem is that the game is still crashing but this time only when i start moving in the game.
|
|
| Back to top |
|
|
deviluc
Cheater
![]() Reputation: 1
Joined: 02 Jun 2010
Posts: 28
|
| Posted: Mon Feb 11, 2013 2:28 pm Post subject: |
|
|
I optimized the code again, but I still get an crash-error-message.
Here is the code:
| Code: | [ENABLE]
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(xplus)
label(xminus)
label(exit)
newmem:
push ebx
push ecx
cvttss2si ebx,xmm0
cmp ebx, 0
jns xplus
js xminus
mov [esi+34],edx
mov [esi+38],eax
pop ecx
pop ebx
jmp returnhere
xplus:
add ebx, (int)2
cvtsi2ss xmm0,ebx
addss xmm0,[edx]
movss [edx],xmm0
mov [esi+34],edx
mov [esi+38],eax
pop ecx
pop ebx
jmp returnhere
xminus:
sub ebx, 2
cvtsi2ss xmm0,ebx
addss xmm0,[edx]
movss [edx],xmm0
mov [esi+34],edx
mov [esi+38],eax
pop ecx
pop ebx
jmp returnhere
exit:
jmp returnhere
"ac_client.exe"+554E8:
jmp newmem
nop
returnhere:
[DISABLE]
"ac_client.exe"+554E8:
mov [esi+34],edx
mov [esi+38],eax |
Isn't anyone out there being able to help me?
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 471
Joined: 09 May 2003
Posts: 25824
Location: The netherlands
|
| Posted: Mon Feb 11, 2013 3:17 pm Post subject: |
|
|
First post a code injection that doesn't do anything to the game state,but doesn't crash. Then we may be able to start helping. Right now there is no way to know if you messed up one of the original codes
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
deviluc
Cheater
![]() Reputation: 1
Joined: 02 Jun 2010
Posts: 28
|
| Posted: Sat Feb 16, 2013 6:43 am Post subject: |
|
|
Ok, I've launched a new attempt but this time I changed the code a bit to make it easier. The game is storing the speed in 2 addresses:
x-speed - esi+28
y-speed - esi+2C
So as you can see, the speed is divided in to components (x and y).
The coordinates are stored in these 2 addresses:
The problem is, that the speed is just stored in these addresses, so that modifying them is senseless. To counter that, I thought of multiplying them by 3(for eg) and add that amount to the x and y cords.
When I'm not moving, the speed is 0 so there will be no movement but when I move, the speed is between -1,0 and +1,0
I browsed to the memory region where the speed addresses are constantly beeing updated and found this code:
| Code: | "ac_client.exe"+554C0:
mov [esi+28],ecx
mov [esi+2C],edx |
So the new values for the speed is comming from ecx and edx. But as I just want to use the new values, this code-fragment is preserved in my changed code.
Here is the code:
| Code: | newmem:
mov [esi+28],ecx //original code
mov [esi+2C],edx
mov [004F3E30],(float)300 //store 300 (as float) in 004F3E30 (writeable, not used)
fld dword ptr [004F3E30] //push the 300 on the float stack
fld dword ptr [esi+28] //push the x-speed value on the float stack
fmul st(0), st(1) //multiply them
fstp dword ptr [004F3E34] //pop the result in 004F3E34 (writeable, not used)
fstp dword ptr [004F3E40] //pop the x-speed value remaing in 004F3E40 (writeable, not used)
//fld dword ptr [esi+2C]
//fadd st(0), st(1)
//fstp dword ptr [esi+2C]
//fstp dword ptr [004F3E34]
fld dword ptr [004F3E30] //push the 300 on the float stack
fld dword ptr [esi+2C] //push the y-speed on the float stack
fmul st(0), st(1) //multiply them
fstp dword ptr [004F3E38] //pop the result in 004F3E38 (writeable, not used)
fstp dword ptr [004F3E44] //pop the remaining value in 004F3E44 (writeable, not used)
//fadd st(0), st(1)
//fstp dword ptr [esi+28]
//fstp dword ptr [004F3E38]
jmp returnhere |
The code is working untill the out-commented part. The float value of 300 is successfully stored ind the given address, but when I'm standing and go to cheat engine and check the result address I can see this: 459.5538025 for the new "x-speed" and 242.2543945 for the new "x-speed".
I'm quite desperate because I really can't imagine how 3 x 0 is equal to 459.5538025
I hope this time, I gave you enough information to get qualified help.
Thanks in advance.
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
