Kyurino (How do I cheat?; Reputation: 0; Joined: 13 Mar 2015; Posts: 1)
Posted: Fri Mar 13, 2015 6:39 pm. Post subject: Need help with a script
Hey!
I'm having some issues with this script:
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
aobscan(nodamage, 29 83 ?? ?? ?? ?? C6 83 ?? ?? ?? ?? 01 DD 45 E8 D9 E8 DF F1)
label(_nodamage)
registersymbol(_nodamage)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
originalcode:
//sub [ebx+00000200],eax
exit:
jmp returnhere
nodamage:
_nodamage:
jmp newmem
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
_nodamage:
sub [ebx+00000200],eax
//Alt: db 80 7B 28 00 D9 18
It's a script that makes me not take any damage in Terraria.
When I activate the script it works as intended, but the issue is that when I disable the script I'm still taking no damage until I restart the game. Anyone who can help me with that?
Thanks.
hhhuut (Grandmaster Cheater; Reputation: 6; Joined: 08 Feb 2015; Posts: 607)
Posted: Fri Mar 13, 2015 6:52 pm
Hm, did you have a look in the disassembler? Did CE rewrite the memory correctly?
Btw: I'd recommend unregistering the symbols you previously registered:
Code:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
_nodamage:
sub [ebx+00000200],eax
unregistersymbol(_nodamage)
//Alt: db 80 7B 28 00 D9 18
justa_dude (Grandmaster Cheater; Reputation: 23; Joined: 29 Jun 2010; Posts: 891)
Posted: Sat Mar 14, 2015 12:49 am
hhhuut wrote:
    Btw: I'd recommend unregistering the symbols you previously registered
Why? If it's still registered, it is much easier to troubleshoot, among other things. He can just open up the memory window and ctrl-g (goto) his symbol name to see what's going on.
_________________
Beside the big gate, there is always a small gate.
----------------------
Come on...
panraven (Grandmaster Cheater; Reputation: 55; Joined: 01 Oct 2008; Posts: 943)
Posted: Sat Mar 14, 2015 2:56 am
Maybe your game was updated and the offset in the aobscan (after 29 83) is no longer +200.
Try checking and fixing the [DISABLE] section as hhhuut suggested.
Or try this; hope it works.
Code:
[ENABLE]
// 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12
alloc(mcode,1024)
aobscan(_dmg, 29 83 ?? ?? ?? ?? C6 83 ?? ?? ?? ?? DD 45 ?? D9 E8 DF F1) // make sure the aob pattern is unique
mcode+100:// <-jmp from here->
readmem(_dmg,6) // (*) run original code 1st
mcode+00:
dd 0 // this will be the VALUE of mcode, used in the Enabled flag Memory Record
mcode+04: // this is Enabled flag -> make a MemoryRecord, AddressType=pointer, base = mcode, offset = 04, ValueType = dword
dd 1 // default Enabled -> the memoryRecord can preset values as dropdown menu by 'Set/Change dropdown selection options'
mcode+106: // continue (*) code from here
// actual modification
cmp dword ptr[mcode+04],1
jne @f // do nothing if the Enabled flag is not 1
push ecx
mov ecx,[mcode+102] // mcode+102 point to the wildcarded offset
add [ebx+ecx],eax // undo the subtraction by original code
pop ecx
@@:
jmp _dmg+06 // return and continue original code
_dmg: // now hook the original code to our code cave
jmp mcode+100
nop // pad the sixth byte
registerSymbol(mcode) // save symbols for use in [DISABLE]
registerSymbol(_dmg)
// original code
//026C0080 - 29 83 ???????? - sub [ebx+offset1],eax
//026C0086 - C6 83 ???????? 01 - mov byte ptr [ebx+offset2],01
//026C008D - DD 45 ?? - fld qword ptr [ebp-18]
//026C0090 - D9E8 - fld1
//026C0092 - DFF1 - fcomip st(0),st(1)
mcode+180: // this part is to setup mcode+00, not necessary if the Enabled flag Memory Record is not needed.
push eax
mov eax,mcode
mov [eax],eax
pop eax
ret
createThread(mcode+180) // run it once and only once
[DISABLE]
_dmg:
readmem(mcode+100,6)
unregisterSymbol(_dmg)
dealloc(mcode)
unregisterSymbol(mcode)
Zanzer (I post too much; Reputation: 126; Joined: 09 Jun 2013; Posts: 3278)
Posted: Sat Mar 14, 2015 9:50 am
This may be simpler:
Code:
[ENABLE]
aobscanmodule(nodamage,29 83 ?? ?? ?? ?? C6 83 ?? ?? ?? ?? 01 DD 45 E8 D9 E8 DF F1)
alloc(nodamage_backup,6)
nodamage_backup:
readmem(nodamage,6)
nodamage:
db 90 90 90 90 90 90
registersymbol(nodamage)
registersymbol(nodamage_backup)
[DISABLE]
nodamage:
readmem(nodamage_backup,6)
unregistersymbol(nodamage)
unregistersymbol(nodamage_backup)
dealloc(nodamage_backup)
Rissorr (Master Cheater; Reputation: 3; Joined: 17 Sep 2013; Posts: 273; Location: Israel!)
Posted: Sat Mar 14, 2015 2:08 pm
I just checked it out, and yes! The code is rewritten on disable as:
sub [ebx-672352],eax (for me)
I never saw things like that!
hhhuut (Grandmaster Cheater; Reputation: 6; Joined: 08 Feb 2015; Posts: 607)
Posted: Sat Mar 14, 2015 3:56 pm
Strange ...
Perhaps it works if you comment out the "sub [ebx+200],eax" and use the "db" instruction instead:
Code:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
_nodamage:
//sub [ebx+00000200],eax
db 80 7B 28 00 D9 18
Rissorr (Master Cheater; Reputation: 3; Joined: 17 Sep 2013; Posts: 273; Location: Israel!)
Posted: Sat Mar 14, 2015 4:43 pm
@hhhuut
Nope, I've tried; it's the same as writing the instruction itself, and it's not working.
hhhuut (Grandmaster Cheater; Reputation: 6; Joined: 08 Feb 2015; Posts: 607)
Posted: Sat Mar 14, 2015 5:14 pm
Wow, that's weird ...
Any ideas @Dark Byte?
@Kyurino:
Can you do a code injection one (or two) instruction(s) above or isn't that possible?
Zanzer (I post too much; Reputation: 126; Joined: 09 Jun 2013; Posts: 3278)
Posted: Sat Mar 14, 2015 9:06 pm
Writing the same bytes back at the address location in my script causes the pointer offset to change?
vng21092 (Grandmaster Cheater; Reputation: 15; Joined: 05 Apr 2013; Posts: 644)
Posted: Sat Mar 14, 2015 9:24 pm
umm... I'm PRETTY sure this has something to do with it... But I might be wrong
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
aobscan(nodamage, 29 83 ?? ?? ?? ?? C6 83 ?? ?? ?? ?? 01 DD 45 E8 D9 E8 DF F1) <-- HERE'S THE AOBSCAN
label(_nodamage) <-- HERE'S SOMETHING HE CREATED
registersymbol(_nodamage)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
originalcode:
//sub [ebx+00000200],eax
exit:
jmp returnhere
nodamage: <-- THIS IS THE AOBSCAN
_nodamage: <-- THIS IS NOT THE AOBSCAN (Why is it acting like an injection point?)
jmp newmem
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
_nodamage: <-- THIS IS NOT THE AOBSCAN
sub [ebx+00000200],eax
//Alt: db 80 7B 28 00 D9 18
The aobscan is named "nodamage", yet in all the places where he's supposed to reference the aobscan he puts "_nodamage", which is just a symbol he created... thoughts? Which also means that when he disables the code, he's not returning the aobscan to its original state (explaining why you still don't take damage); he's leaving the symbol he created with the aobscan's original code.
Try this instead:
Code:
[ENABLE]
alloc(noDamage,32)
aobscan(noDamage_aob1, 29 83 ?? ?? ?? ?? C6 83 ?? ?? ?? ?? 01 DD 45 E8 D9 E8 DF F1)
registersymbol(noDamage_aob1)
label(returnhere_noDamage)
//--------------------------------------------------//
noDamage:
//sub [ebx+00000200],eax
jmp returnhere_noDamage
//--------------------------------------------------//
noDamage_aob1:
jmp noDamage
nop
returnhere_noDamage:
[DISABLE]
noDamage_aob1:
sub [ebx+00000200],eax
unregistersymbol(noDamage_aob1)
dealloc(noDamage)
//Alt: db 80 7B 28 00 D9 18
justa_dude (Grandmaster Cheater; Reputation: 23; Joined: 29 Jun 2010; Posts: 891)
Posted: Sat Mar 14, 2015 10:30 pm
vng21092 wrote:
    umm... I'm PRETTY sure this has something to do with it... But I might be wrong...
    The aobscan is named "nodamage", yet in all the places where he's supposed to reference the aobscan he puts "_nodamage", which is just a symbol he created... thoughts? :roll: Which also means that when he disables the code, he's not returning the aobscan to its original state (explaining why you still don't take damage); he's leaving the symbol he created with the aobscan's original code.
Because he's altering the memory at the aobscan, it's not going to be the same when he goes to disable. That's why he's creating a label and assigning it to the appropriate memory address. It's the way DB taught us to do it.
I own Terraria, but the aobscan doesn't find anything on my machine. So it's hard to suggest what might be going on. If I were personally troubleshooting this issue, I would begin by searching for the array of bytes in the memory scanner... then activate my cheat and note what changes. After disabling the cheat, I would check to see if the code had been properly replaced with whatever was originally there. I am seeing some folks report seeing weird instructions, but without proper context it is difficult to know if bad code has been rewritten or if we're just failing to re-assemble correctly because we're not aligned on an instruction boundary.
edit: derp, I really should know by now that I have to take damage to generate the code that the aob seeks! After taking some damage, the aobscan works. The aobscan finds code that modifies ebx+258, as correctly alluded to by panraven, above. Changing the disable section to
Code:
[DISABLE]
_nodamage:
sub [ebx+00000258],eax
dealloc(newmem)
seems to fix the problem.
_________________
Beside the big gate, there is always a small gate.
----------------------
Come on...
Last edited by justa_dude on Sat Mar 14, 2015 10:56 pm; edited 1 time in total
vng21092 (Grandmaster Cheater; Reputation: 15; Joined: 05 Apr 2013; Posts: 644)
Posted: Sat Mar 14, 2015 10:50 pm
Well, I was intrigued so I gave it a shot; here is what I whipped up, tested, and it works fine. Made this in Terraria 1.2.4.1
Code:
[Enable]
//Infinite Health
aobscan(ih_aob1,F2 0F 2C C0 29 83 58 02 00 00)
registersymbol(ih_aob1)
ih_aob1+4:
db 90 90 90 90 90 90
[Disable]
ih_aob1+4:
db 29 83 58 02 00 00
unregistersymbol(ih_aob1)
Zanzer (I post too much; Reputation: 126; Joined: 09 Jun 2013; Posts: 3278)
Posted: Sat Mar 14, 2015 11:11 pm
The AOB scan uses wildcards to account for the health offset changing.
My script (and panraven's?) should restore whatever the original code happened to be.
Trying to make the script future proof, in case the offset ever changes again.
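Worked example, added here and not taken from any post in this thread: a small Python model of the scan/patch/restore cycle these scripts perform, so the failure the OP hit can be reproduced offline. It builds a byte buffer modelled on the instruction bytes quoted above (vng21092's F2 0F 2C C0 29 83 58 02 00 00 followed by panraven's listing; the padding bytes are made up), runs the wildcarded aobscan over it, decodes the disp32 the wildcards cover, writes the six NOPs from Zanzer's script, then contrasts the OP's [DISABLE] (re-assembling sub [ebx+00000200],eax from a literal) with restoring the saved bytes the way the readmem/backup scripts do. It also assembles the jmp newmem / nop bytes CE emits for a 6-byte hook. Every name in it (aobscan, health_offset, assemble_jmp, Patch, demo) is this example's own, not Cheat Engine API, and nothing here touches a live process.

```python
# Added example (not from the thread): byte-level model of a CE aobscan,
# a 6-byte patch, and the two kinds of [DISABLE] discussed above.
from typing import List, Optional, Tuple

# Constructed stand-in for the game's code, modelled on the bytes quoted in
# the thread.  Only the instruction bytes come from the posts; padding is made up.
CODE = bytes.fromhex(
    "90 90 90 90"            # padding (constructed)
    "F2 0F 2C C0"            # cvttsd2si eax,xmm0
    "29 83 58 02 00 00"      # sub [ebx+0x258],eax   <- the damage subtraction
    "C6 83 5C 02 00 00 01"   # mov byte ptr [ebx+0x25C],1
    "DD 45 E8"               # fld qword ptr [ebp-0x18]
    "D9 E8"                  # fld1
    "DF F1"                  # fcomip st(0),st(1)
    "C3"                     # ret (constructed)
)
PATTERN = "29 83 ?? ?? ?? ?? C6 83 ?? ?? ?? ?? 01 DD 45 E8 D9 E8 DF F1"


def parse_pattern(text: str) -> List[Optional[int]]:
    """'29 83 ?? ..' -> [0x29, 0x83, None, ..]; None is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def aobscan(buf: bytes, pattern: str) -> List[int]:
    """Every offset where `pattern` matches; a wildcard matches any byte.
    CE's aobscan wants exactly one hit, so callers check len() == 1."""
    pat = parse_pattern(pattern)
    return [i for i in range(len(buf) - len(pat) + 1)
            if all(p is None or buf[i + k] == p for k, p in enumerate(pat))]


def health_offset(buf: bytes, hit: int) -> int:
    """Decode disp32 of `sub [ebx+disp32],eax`: opcode 29 = SUB r/m32,r32,
    ModRM 83 = mod 10 (disp32) / reg eax / rm ebx, so bytes 2..5 hold it."""
    if buf[hit:hit + 2] != b"\x29\x83":
        raise ValueError("not a sub [ebx+disp32],eax at that address")
    return int.from_bytes(buf[hit + 2:hit + 6], "little", signed=True)


def assemble_jmp(hook_addr: int, cave_addr: int) -> bytes:
    """`jmp cave` + `nop` over a 6-byte instruction: E9 rel32 90, with rel32
    measured from the end of the 5-byte jmp."""
    rel = cave_addr - (hook_addr + 5)
    return b"\xE9" + rel.to_bytes(4, "little", signed=True) + b"\x90"


class Patch:
    """Mirrors the [ENABLE]/[DISABLE] pairing: back up, overwrite, restore."""

    def __init__(self, buf: bytearray, pattern: str) -> None:
        hits = aobscan(buf, pattern)
        if len(hits) != 1:
            raise ValueError(f"pattern must be unique, got {len(hits)} hits")
        self.buf, self.addr = buf, hits[0]
        self.backup: Optional[bytes] = None

    def enable(self) -> None:
        # readmem(nodamage,6) into a backup, then `db 90 90 90 90 90 90`
        self.backup = bytes(self.buf[self.addr:self.addr + 6])
        self.buf[self.addr:self.addr + 6] = b"\x90" * 6

    def disable(self) -> None:
        # readmem(nodamage_backup,6): the exact bytes that were there before
        if self.backup is None:
            raise RuntimeError("disable before enable")
        self.buf[self.addr:self.addr + 6] = self.backup

    def disable_hardcoded(self, disp32: int) -> None:
        # The OP's [DISABLE]: re-assemble `sub [ebx+disp32],eax` from a literal.
        # Correct only while disp32 still equals the game's real offset.
        self.buf[self.addr:self.addr + 6] = (
            b"\x29\x83" + disp32.to_bytes(4, "little", signed=True))


def demo() -> Tuple[int, bool, int, bool]:
    """(offset the scan decodes, did the +200 literal restore the original
    bytes, offset decoded after that wrong restore, did the backup restore)."""
    buf = bytearray(CODE)
    p = Patch(buf, PATTERN)
    found = health_offset(buf, p.addr)      # 0x258 in the constructed buffer
    p.enable()
    p.disable_hardcoded(0x200)              # what `sub [ebx+00000200],eax` writes
    literal_ok = bytes(buf) == CODE         # False: game now subtracts from +0x200
    # The wildcarded pattern still matches the mis-restored bytes, so a second
    # enable would snapshot the wrong instruction as the "original".
    stale = health_offset(buf, aobscan(buf, PATTERN)[0])
    p.disable()                             # restore from the backup instead
    exact_ok = bytes(buf) == CODE           # True
    return found, literal_ok, stale, exact_ok


if __name__ == "__main__":
    print(demo())
```

Running it prints (600, False, 512, True): the scan decoded +0x258, the hardcoded +200 literal left a different instruction in place, that instruction still matches the wildcarded pattern (so the next enable would back up the wrong bytes), and the saved-bytes restore put the original back. That last point is why, once the pattern carries wildcards over the offset, the [DISABLE] section should write back what was read from memory rather than an assembled literal.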
Rissorr (Master Cheater; Reputation: 3; Joined: 17 Sep 2013; Posts: 273; Location: Israel!)
Posted: Sun Mar 15, 2015 3:58 pm
@vng21092 Thanks bro
I'll try to combine your code with some wildcards to ensure future efficiency (just like Zanzer said)