Cheat Engine

[Chris12]

Greetings

Be warned this might be a complex question.

We are generally using AoBs to locate code in our targets.
When a game is patched the AoBs can change. Of course it's always possible that a patch modifies a function we're interested in so much that it's not recognizable anymore. It's also possible that a functions gets removed completely or replaced by code that looks completely different.

Anyway some time ago I ran into a major roadblock on a project of mine.
The game I'm trying to hack is updated very often since it's a beta. It gets patches everyday.

Many (not all) patterns break every time an update is published.
The changes are relatively small. The functions are still there but they are changed only slightly.

Is there a technique to make better aob patterns?
I tried to find patterns for the calling functions. So I find the calling function of the function I'm interested in and then I'm searching for the n-th function call.
But that still fails sometimes.

I also tried to make a custom search-function to loosely match the opcodes. So I could specify if no 100% match is found then up to one wrong byte is accepted, next up to 2 wrong bytes.

But that worked only sometimes, most of the time it yielded the wrong results.

I tried to identify a function by counting all mov's, all kinds of jumps and all calculation opcodes. But that didn't help much either.

Is there something more advanced?
Should I make larger patterns with more '?' in it or smaller patterns with less wildcards?
Is there some other way to identify functions.

The only thing I can imagine is a proximity match:
In the pre-patched binary: FunctionX is at 34.35246% between start of .text and end.
In the patched binary it should be near that one too.

That works sometimes, but sometimes when the patches are larger functions get shuffled around so that messes everything up much more than it helps.

Any ideas or tips?

[mgr.inz.Player]

We are talking about solution which involves Lua script?

If yes, I have an idea (never used, but may be working):

- you are interested in hacking target function
- if we move up we see other function before
- if we move down we see other function after
- between those functions there are many int3 instructions

For example in Lua library I often see functions in this order:
lua51.lua_gettop (before)
lua51.lua_settop (target)
lua5.1lua_remove (after)
(lua51.lua_settop many times is between gettop and remove)


If "function before" and "function after" doesn't change on update, and they are always is this order, we can use that. We do aobscan for "function before" and aobscan for "function after". (We can optimize aobscans, knowing that "function after" is after "function before")
That way we can find start address and end address of "target function".

We take functionBefore_StartAddress and we go forward, searching for "ret" instruction (you have to use disassembler Lua command and go line by line)

startAddress = functionBefore_RetAddress

We take functionAfter_StartAddress and we go backward, searching for "ret" instruction (you have to use disassembler Lua command and go line by line). That way we get endAddress


Of course you want exact hack point, we have to be more smart. Maybe we can count "special instruction".
Example:

[Chris12]

Nice idea thanks
Unfortunately my target game doesn't have int3 instructions. All functions are tightly packed. There is no space between them.

I tried to identify a function by the functions calling it and the function its calling itself.
That works well if the calling and called functions don't change.

The idea with counting special instructions is really nice!! I'll try that, thanks

[mgr.inz.Player]

"target game doesn't have int3 instructions"
Int3 aren't important.

Summarize it again, all we need is:
- stable functionBefore
- stable functionAfter

- we create AOB for functionBefore (AOB can point at the beginning, middle, or end of this function, it doesn't matter)

- we create AOB for functionAfter (AOB can point at the beginning, middle, or end of this function, it doesn't matter)


Ok we are inside functionBefore, we go forward line by line until we find ret address (opcode C3 or C2 XX XX). And then we go line by line until we find something, different than int3. Bang, we have functionTarget start address

Ok we are inside functionAfter, we go backward line by line until we find ret address (opcode C3 or C2 XX XX). Bang, we have functionTarget end address.


Smart trick:
We search for special (unusual) instruction - "special instruction"............. (example from my previous post)

Maybe there are other "smart" tricks.