Cheat Engine The Official Site of Cheat Engine
Leon Neveral (How do I cheat?)
Reputation: 0
Joined: 13 May 2015 Posts: 4
Posted: Wed May 13, 2015 2:31 am Post subject: AOB / Register Help
I am having some difficulty with AOB scans/registers.
What I am looking to do is an AOB scan for, say, HP.
So I find the HP, then I find what writes to that address, then I show that in the disassembler, which gives me the info I need for the AOB scan. Then I go into the auto assembler and add the template AOB injection. In there I can // out the code that makes me take damage, and when I enable the script I no longer take damage. But what I would like to do is leave the script as is, so I still take damage, but be able to manually add an address that points to the HP so I can view/change the HP in the address list.
I am very new to anything over just a normal scan..
Please let me know if you need more info.
Thanks
+edit
Here is a test I have been trying to do.
Using this and enabling it, I can use INJECT as an address in the address list, but it does not point to the correct address.
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscanmodule(INJECT,Tutorial-x86_64.exe,89 02 48 8B 05 2B BA 2C 00) // should be unique
alloc(newmem,$1000,"Tutorial-x86_64.exe"+2C01C)
label(code)
label(return)
newmem:
code:
mov [rdx],1388
mov rax,[Tutorial-x86_64.exe+2F7A50]
jmp return
INJECT:
jmp code
nop
nop
nop
nop
return:
registersymbol(INJECT)
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT:
db 89 02 48 8B 05 2B BA 2C 00
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "Tutorial-x86_64.exe"+2C01C
"Tutorial-x86_64.exe"+2BFF6: 48 89 C1 - mov rcx,rax
"Tutorial-x86_64.exe"+2BFF9: 48 8D 15 D9 FF FF FF - lea rdx,[Tutorial-x86_64.exe+2BFD9]
"Tutorial-x86_64.exe"+2C000: 49 89 E8 - mov r8,rbp
"Tutorial-x86_64.exe"+2C003: E8 C8 9D FE FF - call Tutorial-x86_64.exe+15DD0
"Tutorial-x86_64.exe"+2C008: 8B 45 E0 - mov eax,[rbp-20]
"Tutorial-x86_64.exe"+2C00B: 3B 45 E8 - cmp eax,[rbp-18]
"Tutorial-x86_64.exe"+2C00E: 74 B0 - je Tutorial-x86_64.exe+2BFC0
"Tutorial-x86_64.exe"+2C010: EB 00 - jmp Tutorial-x86_64.exe+2C012
"Tutorial-x86_64.exe"+2C012: 48 8B 15 37 BA 2C 00 - mov rdx,[Tutorial-x86_64.exe+2F7A50]
"Tutorial-x86_64.exe"+2C019: 8B 45 E0 - mov eax,[rbp-20]
// ---------- INJECTING HERE ----------
"Tutorial-x86_64.exe"+2C01C: 89 02 - mov [rdx],eax
"Tutorial-x86_64.exe"+2C01E: 48 8B 05 2B BA 2C 00 - mov rax,[Tutorial-x86_64.exe+2F7A50]
// ---------- DONE INJECTING ----------
"Tutorial-x86_64.exe"+2C025: 8B 00 - mov eax,[rax]
"Tutorial-x86_64.exe"+2C027: 3B 45 E8 - cmp eax,[rbp-18]
"Tutorial-x86_64.exe"+2C02A: 74 02 - je Tutorial-x86_64.exe+2C02E
"Tutorial-x86_64.exe"+2C02C: EB 24 - jmp Tutorial-x86_64.exe+2C052
"Tutorial-x86_64.exe"+2C02E: 48 8B 45 F0 - mov rax,[rbp-10]
"Tutorial-x86_64.exe"+2C032: 48 8B 88 60 07 00 00 - mov rcx,[rax+00000760]
"Tutorial-x86_64.exe"+2C039: BA 01 00 00 00 - mov edx,00000001
"Tutorial-x86_64.exe"+2C03E: 48 8B 45 F0 - mov rax,[rbp-10]
"Tutorial-x86_64.exe"+2C042: 48 8B 80 60 07 00 00 - mov rax,[rax+00000760]
"Tutorial-x86_64.exe"+2C049: 48 8B 00 - mov rax,[rax]
}
Gniarf (Grandmaster Cheater Supreme)
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Wed May 13, 2015 11:56 am Post subject:
Leon Neveral wrote:
    I am very new to anything over just a normal scan..
Ah, yes, you seem to be mixing up quite a few things there.
First, an aobscan is exactly like when you click on "first scan" on the main window, except that:
- you can't do a "next scan" on the result of an aobscan.
- aobscan only keeps the first result.
So "doing an aobscan for HP" is like trying to get HP's address in your search results in one scan and without any other result. Believe it or not, there are (few) games where it actually works...
Anyway, what we usually do is an aobscan for the code that modifies or reads the HP, and this is exactly what your script does. INJECT is placed at the address of the code that writes your HP.
I modified your script (attached below) so that it stores the address of your HP at the address HealthPointer. Since HealthPointer is the address of the address of the HP, you'll have to manually add an address, tick pointer and type HealthPointer in the pointer base box instead of just putting HealthPointer in the topmost box.
I put some explanations in the code below; don't hesitate to ask if you have questions.
Code:
[ENABLE]
aobscanmodule(INJECT,Tutorial-x86_64.exe,89 02 48 8B 05 2B BA 2C 00) // should be unique
alloc(newmem,$1000,Tutorial-x86_64.exe)
label(code)
label(return)
label(HealthPointer) //declares a new variable (HealthPointer), but does not tell CE where it is
registersymbol(HealthPointer) //make HealthPointer usable outside this [enable] section.
//////////////////////// this part is in a new block of memory
newmem:
code:
mov [rdx],eax //keep original code. Here rdx contains the address of our health...
//mov qword ptr [HealthPointer],rdx //...so save it.
//it turns out CE has a bug that prevents it from correctly generating the command above.
//(this crashed when code=0xFFFA0000). So as a work around we use:
push rax //save rax
mov rax,HealthPointer //Put the location of our new health pointer into rax
mov qword [rax],rdx //store the address of our health at the address contained in rax (=HealthPointer).
pop rax //restore rax
//original code
mov rax,[Tutorial-x86_64.exe+2F7A50] //hmm... actually saving and restoring rax wasn't needed after all.
jmp return
//Tells CE where the HealthPointer is.
//this variable MUST be placed in the new block of memory.
HealthPointer:
dq 0 //reserve ourself 8 bytes (dq) to save rdx.
//////////////////////// this part is IN the original game's code
INJECT:
jmp code
nop
nop
nop
nop
return:
registersymbol(INJECT)
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT:
db 89 02 48 8B 05 2B BA 2C 00
unregistersymbol(INJECT)
unregistersymbol(HealthPointer)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "Tutorial-x86_64.exe"+2C01C
"Tutorial-x86_64.exe"+2BFF6: 48 89 C1 - mov rcx,rax
"Tutorial-x86_64.exe"+2BFF9: 48 8D 15 D9 FF FF FF - lea rdx,[Tutorial-x86_64.exe+2BFD9]
"Tutorial-x86_64.exe"+2C000: 49 89 E8 - mov r8,rbp
"Tutorial-x86_64.exe"+2C003: E8 C8 9D FE FF - call Tutorial-x86_64.exe+15DD0
"Tutorial-x86_64.exe"+2C008: 8B 45 E0 - mov eax,[rbp-20]
"Tutorial-x86_64.exe"+2C00B: 3B 45 E8 - cmp eax,[rbp-18]
"Tutorial-x86_64.exe"+2C00E: 74 B0 - je Tutorial-x86_64.exe+2BFC0
"Tutorial-x86_64.exe"+2C010: EB 00 - jmp Tutorial-x86_64.exe+2C012
"Tutorial-x86_64.exe"+2C012: 48 8B 15 37 BA 2C 00 - mov rdx,[Tutorial-x86_64.exe+2F7A50]
"Tutorial-x86_64.exe"+2C019: 8B 45 E0 - mov eax,[rbp-20]
// ---------- INJECTING HERE ----------
"Tutorial-x86_64.exe"+2C01C: 89 02 - mov [rdx],eax
"Tutorial-x86_64.exe"+2C01E: 48 8B 05 2B BA 2C 00 - mov rax,[Tutorial-x86_64.exe+2F7A50]
// ---------- DONE INJECTING ----------
"Tutorial-x86_64.exe"+2C025: 8B 00 - mov eax,[rax]
"Tutorial-x86_64.exe"+2C027: 3B 45 E8 - cmp eax,[rbp-18]
"Tutorial-x86_64.exe"+2C02A: 74 02 - je Tutorial-x86_64.exe+2C02E
"Tutorial-x86_64.exe"+2C02C: EB 24 - jmp Tutorial-x86_64.exe+2C052
"Tutorial-x86_64.exe"+2C02E: 48 8B 45 F0 - mov rax,[rbp-10]
"Tutorial-x86_64.exe"+2C032: 48 8B 88 60 07 00 00 - mov rcx,[rax+00000760]
"Tutorial-x86_64.exe"+2C039: BA 01 00 00 00 - mov edx,00000001
"Tutorial-x86_64.exe"+2C03E: 48 8B 45 F0 - mov rax,[rbp-10]
"Tutorial-x86_64.exe"+2C042: 48 8B 80 60 07 00 00 - mov rax,[rax+00000760]
"Tutorial-x86_64.exe"+2C049: 48 8B 00 - mov rax,[rax]
}
_________________
DO NOT PM me if you want help on making/fixing/using a hack.
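To make the first point of this reply concrete (an aobscan is a "first scan" that keeps only the first hit, and the "// should be unique" comment in the script is a promise nothing ever checks), here is an added example in C. It is not Cheat Engine's code and not part of the thread: a small array-of-bytes scanner with "??" and "*" wildcards, run over a constructed byte buffer. Only the nine signature bytes and the surrounding instruction bytes come from the disassembly quoted above; the filler, the offsets and the second, look-alike occurrence at the end of the buffer are made up to show how a wildcarded pattern stops being unique.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Cheat Engine's code. An AOB (array-of-bytes) scan with
 * "??" / "*" wildcards over a byte buffer. aob_scan keeps only the first hit,
 * like CE's aobscan; aob_count is the uniqueness check that the "should be
 * unique" comment in the script asks for but never verifies. */

#define MAX_PATTERN 64

typedef struct {
    uint8_t value[MAX_PATTERN];
    uint8_t wildcard[MAX_PATTERN]; /* 1 = this position matches any byte */
    size_t len;
} aob_pattern_t;

/* Parses "89 02 ?? 8B" into bytes plus a wildcard mask. Returns 1 on success, 0 on bad input. */
int aob_parse(const char *text, aob_pattern_t *p) {
    const char *s = text;
    p->len = 0;
    while (*s) {
        while (*s == ' ') s++;
        if (!*s) break;
        if (p->len >= MAX_PATTERN) return 0;
        if (s[0] == '*' || (s[0] == '?' && s[1] == '?')) {
            p->wildcard[p->len] = 1;
            p->value[p->len] = 0;
            s += (s[0] == '*') ? 1 : 2;
        } else if (isxdigit((unsigned char)s[0]) && isxdigit((unsigned char)s[1])) {
            char hex[3] = { s[0], s[1], '\0' };
            p->wildcard[p->len] = 0;
            p->value[p->len] = (uint8_t)strtoul(hex, NULL, 16);
            s += 2;
        } else {
            return 0; /* neither a hex pair nor a wildcard */
        }
        if (*s != '\0' && *s != ' ') return 0; /* tokens must be space separated */
        p->len++;
    }
    return p->len > 0;
}

static int matches_at(const uint8_t *buf, const aob_pattern_t *p, size_t off) {
    for (size_t i = 0; i < p->len; i++)
        if (!p->wildcard[i] && buf[off + i] != p->value[i]) return 0;
    return 1;
}

/* First-scan semantics: offset of the first match, or -1 if none / bad pattern. */
long aob_scan(const uint8_t *buf, size_t buflen, const char *pattern) {
    aob_pattern_t p;
    if (!aob_parse(pattern, &p) || p.len > buflen) return -1;
    for (size_t off = 0; off + p.len <= buflen; off++)
        if (matches_at(buf, &p, off)) return (long)off;
    return -1;
}

/* Number of matches; anything other than 1 means the AOB is not a safe injection signature. */
size_t aob_count(const uint8_t *buf, size_t buflen, const char *pattern) {
    aob_pattern_t p;
    size_t n = 0;
    if (!aob_parse(pattern, &p) || p.len > buflen) return 0;
    for (size_t off = 0; off + p.len <= buflen; off++)
        if (matches_at(buf, &p, off)) n++;
    return n;
}

/* Constructed sample: the instruction bytes around the thread's injection point
 * (offsets 4..20), plus filler and a made-up second "mov [rdx],eax / mov rax,[rip+x]"
 * pair at offset 21 to show how a wildcarded pattern stops being unique. */
static const uint8_t sample_code[] = {
    0x90, 0x90, 0x90, 0x90,                               /* filler */
    0x8B, 0x45, 0xE0,                                     /* mov eax,[rbp-20] */
    0x89, 0x02,                                           /* mov [rdx],eax  (injection point, offset 7) */
    0x48, 0x8B, 0x05, 0x2B, 0xBA, 0x2C, 0x00,             /* mov rax,[rip+2CBA2B] */
    0x8B, 0x00,                                           /* mov eax,[rax] */
    0x3B, 0x45, 0xE8,                                     /* cmp eax,[rbp-18] */
    0x89, 0x02, 0x48, 0x8B, 0x05, 0x11, 0x22, 0x33, 0x44  /* constructed look-alike */
};

long scan_sample(const char *pattern) { return aob_scan(sample_code, sizeof sample_code, pattern); }
size_t count_sample(const char *pattern) { return aob_count(sample_code, sizeof sample_code, pattern); }

int main(void) {
    const char *exact = "89 02 48 8B 05 2B BA 2C 00"; /* the thread's signature */
    const char *loose = "89 02 48 8B 05 ?? ?? ?? ??"; /* RIP-relative displacement wildcarded */
    printf("%-28s first=%ld hits=%zu\n", exact, scan_sample(exact), count_sample(exact));
    printf("%-28s first=%ld hits=%zu\n", loose, scan_sample(loose), count_sample(loose));
    return 0;
}
```

The exact signature hits once at offset 7; wildcarding the four displacement bytes makes it hit twice, and aobscan would silently return the first one. Running aob_count before trusting a signature is the check that the "should be unique" comment leaves to the reader.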
Leon Neveral (How do I cheat?)
Reputation: 0
Joined: 13 May 2015 Posts: 4
Posted: Wed May 13, 2015 11:24 pm Post subject: Resolved AOB/Register Help
Awesome, thanks for the help. This worked perfectly, and I believe I know a bit more about the scans and how they work now.
Leon Neveral (How do I cheat?)
Reputation: 0
Joined: 13 May 2015 Posts: 4
Posted: Wed May 20, 2015 12:14 am Post subject:
After playing with this a bit I had some questions..
From what you posted:
Quote:
Code:
1. push rax //save rax
2. mov rax,HealthPointer //Put the location of our new health pointer into rax
3. mov qword [rax],rdx //store the address of our health at the address contained in rax (=HealthPointer).
4. pop rax //restore rax
1. Where do you get rax from?
2. I understand that this will take a copy of HealthPointer (as an address, or what?) that was created with label and put it in rax.
3. Not sure about this one. From looking at the others it would look like it moves rdx to rax as a qword, but your description makes it sound like it is going the other way.
4. I think I am good with this.. just restores rax.
Also, when using mov and pop and push, what is it actually storing / moving? A value or an address? I would presume a value, and the qword somehow converts it to an address?
Also, does it matter where in the code: section you place the modification code?
Code:
HERE?
mov [rdx],eax
mov rax,[Tutorial-x86_64.exe+2F7A50]
jmp return

Code:
mov [rdx],eax
Somewhere in the middle?
mov rax,[Tutorial-x86_64.exe+2F7A50]
jmp return

Code:
mov [rdx],eax
mov rax,[Tutorial-x86_64.exe+2F7A50]
jmp return
at the end?
Gniarf (Grandmaster Cheater Supreme)
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Wed May 20, 2015 4:10 am Post subject:
Leon Neveral wrote:
    Code:
    1. push rax //save rax
    1. Where do you get rax from
From the CPU. CPUs have extra fast built-in memory emplacements called registers; specifically, they have 8 registers in 32 bit mode (eax, ebx, ecx, edx, esi, edi, esp, ebp) and 16 registers in 64 bit mode: rax, rbx, rcx, rdx, rbp, rsp, rsi, rdi, r8, r9, r10, r11, r12, r13, r14, r15.
Leon Neveral wrote:
    when using mov and pop and push what is it actually storing / moving? A value or an address? I would presume a value and the qword somehow converts it to an address?
From the CPU's point of view, an address and a value are the same thing. An address is a number: a 4 byte integer for a 32 bit program or an 8 byte integer for a 64 bit program. Specifically, the address is the total number of bytes before the beginning of your variable. You can very well use an address as a value. For example, some games use the address of a variable as the encryption key for this variable.
Leon Neveral wrote:
    Code:
    2. mov rax,HealthPointer //Put the location of our new health pointer into rax
    2. I understand that this will take a copy of HealthPointer as an address or what? that was created with Label and put it in rax
When you write
Code:
label(HealthPointer)
HealthPointer:
dq 123456
for Cheat Engine HealthPointer is the address where you write 123456. So if 123456 is written at address 0xABCDEF, CE will simply do a search and replace of HealthPointer by 0xABCDEF in your script, and the instruction you quoted will become mov rax,ABCDEF (set rax to ABCDEF).
A programmer will however tell you that he has declared a variable called HealthPointer and initialized it to 123456, and thus HealthPointer=123456, which is valid in other programming languages, but nothing more than a confusing shortcut in assembly. To be accurate, this programmer should say that he has declared a variable at HealthPointer and initialized it to 123456, and thus {the variable at HealthPointer}=123456.
I often take this shortcut.
Leon Neveral wrote:
    Code:
    3. mov qword [rax],rdx //store the address of our health at the address contained in rax (=HealthPointer).
    3. not sure about this one. From looking at the others it would look like it moves rdx to rax as a qword but your description makes it sound like it is going the other way.
Haha, something you really MUST know is the difference between
Code:
mov rax,rdx
and
Code:
mov [rax],rdx
The first one simply copies rdx into rax, so after this instruction rax=rdx, that's all.
The second one interprets the content of rax as an address and stores rdx at this address, so if rax=ABCDEF and rdx=333, then this instruction will write 333 at address ABCDEF. rax and rdx remain unchanged.
And the difference between
Code:
mov [rax],rdx
and
Code:
mov qword [rax],rdx
? None! Qword is just implied in the first form. Qword means "8 bytes", and rdx is 8 bytes long, so if you're storing rdx somewhere you're storing 8 bytes, that is a qword. I just took the habit of always putting the size specifier (byte/word/dword/qword) before the [] because sometimes it matters (i.e. fstp dword [***] will write a 32 bit float, fstp qword [***] will write a 64 bit float aka double).
Leon Neveral wrote:
    Also does it matter where in the code: section you place the modification code?
    Code:
    HERE?
    mov [rdx],eax
    mov rax,[Tutorial-x86_64.exe+2F7A50]
    jmp return
Will work.
Leon Neveral wrote:
    Code:
    mov [rdx],eax
    Somewhere in the middle?
    mov rax,[Tutorial-x86_64.exe+2F7A50]
    jmp return
Will work.
Leon Neveral wrote:
    Code:
    mov [rdx],eax
    mov rax,[Tutorial-x86_64.exe+2F7A50]
    jmp return
    at the end?
Won't work. jmp means jump, so the next instruction that will be executed is the one at address "return", not whatever you write instead of "at the end?".
Leon Neveral wrote:
    Code:
    4. pop rax //restore rax
    4. i think i am good with this.. just restores rax
Mind blown! My disciple has surpassed me!
_________________
DO NOT PM me if you want help on making/fixing/using a hack.
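The three distinctions this reply makes (a register copy versus a store through a register, an address being just a number, and HealthPointer being the address of the address of the HP) are easy to check with a model in C. The block below is an added example, not code from the thread or from Cheat Engine: "memory" is a constructed byte array in which addresses are simply offsets, the registers are plain integers, and the layout (health at 0x100, the HealthPointer slot at 0x200, the stack top at 0xF00, health value 100, rax preloaded with 0x1111) is made up for the demonstration. It runs the four injected instructions from the script above and then resolves the address-list entry "pointer, base HealthPointer, offset 0" by hand.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread: a tiny model of the four injected instructions.
 * "Memory" is a constructed byte array (addresses are offsets into it) and the
 * registers are plain integers. The layout below is made up for the demonstration. */

#define MEM_SIZE 0x1000
enum { HEALTH_ADDR = 0x100, HEALTH_POINTER = 0x200, STACK_TOP = 0xF00 };

typedef struct { uint64_t rax, rdx, rsp; } regs_t;

static uint8_t mem[MEM_SIZE];
static regs_t cpu_state;

regs_t *cpu(void) { return &cpu_state; }

static uint64_t read_u64(uint64_t addr) { uint64_t v; memcpy(&v, &mem[addr], 8); return v; }
static void write_u64(uint64_t addr, uint64_t v) { memcpy(&mem[addr], &v, 8); }
static uint32_t read_u32(uint64_t addr) { uint32_t v; memcpy(&v, &mem[addr], 4); return v; }
static void write_u32(uint64_t addr, uint32_t v) { memcpy(&mem[addr], &v, 4); }

/* Fresh state as at the injection point: health = 100 in memory, rdx already holds
 * its address (the game just did mov [rdx],eax), rax holds some unrelated value. */
void reset_cpu(uint64_t rax_value) {
    memset(mem, 0, sizeof mem);
    write_u32(HEALTH_ADDR, 100);
    cpu_state.rax = rax_value;
    cpu_state.rdx = HEALTH_ADDR;
    cpu_state.rsp = STACK_TOP;
}

/* mov rax,rdx : copy the number in rdx into rax. Memory is untouched. */
void mov_rax_rdx(regs_t *r) { r->rax = r->rdx; }

/* mov [rax],rdx : treat rax as an address and store the 8 bytes of rdx there.
 * rax and rdx themselves do not change. */
void mov_mem_rax_rdx(regs_t *r) { write_u64(r->rax, r->rdx); }

void push_rax(regs_t *r) { r->rsp -= 8; write_u64(r->rsp, r->rax); }
void pop_rax(regs_t *r)  { r->rax = read_u64(r->rsp); r->rsp += 8; }

/* The injected sequence from the script. Returns rax afterwards so the caller
 * can check that push/pop restored it. */
uint64_t run_injected_sequence(regs_t *r) {
    push_rax(r);                 /* push rax             : save rax on the stack */
    r->rax = HEALTH_POINTER;     /* mov rax,HealthPointer: the slot's address, not its content */
    mov_mem_rax_rdx(r);          /* mov qword [rax],rdx  : store the health address in the slot */
    pop_rax(r);                  /* pop rax              : restore rax */
    return r->rax;
}

/* What the address-list entry "pointer, base HealthPointer, offset 0" resolves to:
 * read the 8-byte address stored at HealthPointer, then the 4-byte health stored there. */
uint32_t read_health_via_pointer(void) { return read_u32(read_u64(HEALTH_POINTER)); }

/* Content of the HealthPointer slot itself (what a plain, non-pointer entry would show). */
uint64_t health_pointer_slot(void) { return read_u64(HEALTH_POINTER); }

/* Demo 1: register-to-register copy. Returns rax, which now equals the health address. */
uint64_t demo_copy(void) {
    reset_cpu(0x1111);
    mov_rax_rdx(&cpu_state);
    return cpu_state.rax;
}

/* Demo 2: the full injected sequence. Returns rax, which should be the original 0x1111. */
uint64_t demo_injected(void) {
    reset_cpu(0x1111);
    return run_injected_sequence(&cpu_state);
}

int main(void) {
    printf("mov rax,rdx       -> rax=%#llx, HealthPointer slot=%#llx\n",
           (unsigned long long)demo_copy(), (unsigned long long)health_pointer_slot());
    printf("injected sequence -> rax=%#llx, HealthPointer slot=%#llx, health via pointer=%u\n",
           (unsigned long long)demo_injected(), (unsigned long long)health_pointer_slot(),
           read_health_via_pointer());
    return 0;
}
```

After the copy, rax holds the health address and the slot at HealthPointer is still empty; after the injected sequence, rax is back to its saved value, rsp is back where it started, and the slot holds the health address, which is why the address-list entry has to dereference HealthPointer once more to reach the HP itself.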
Leon Neveral (How do I cheat?)
Reputation: 0
Joined: 13 May 2015 Posts: 4
Posted: Wed May 20, 2015 10:50 am Post subject:
Nice detail, thank you..
So for this:
Quote:
    From the CPU. CPUs have extra fast built-in memory emplacements called registers, specifically they have 8 registers in 32 bit mode (eax,ebx,ecx,edx,esi,edi,esp,ebp) and 16 registers in 64 bit mode: rax, rbx, rcx, rdx, rbp, rsp, rsi, rdi, r8, r9, r10, r11, r12, r13, r14, r15.
Can I just pick one to use, or does it have to be a specific one? I presume it has to be CPU specific, so if the item or game is 32 bit then use one of the 8 registers and so on?
So far this is the only question, but I am sure I will have more later when playing.
Thank you for all your help..
Gniarf (Grandmaster Cheater Supreme)
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Wed May 20, 2015 11:56 am Post subject:
Leon Neveral wrote:
    From the CPU. CPUs have extra fast built-in memory emplacements called registers, specifically they have 8 registers in 32 bit mode (eax,ebx,ecx,edx,esi,edi,esp,ebp) and 16 registers in 64 bit mode: rax, rbx, rcx, rdx, rbp, rsp, rsi, rdi, r8, r9, r10, r11, r12, r13, r14, r15.
    can i just pick one to use or does it have to be a specific one?
You can pick whichever you want, but I strongly advise against using esp/rsp. *sp are called stack pointers, and the push/pop instructions will modify *sp and write/read stuff at the address contained in *sp, so if you modify *sp and you're not careful, the very common push/pop instructions will not work and your program will crash.
Leon Neveral wrote:
    I presume it has to be cpu specific
It's not really cpu specific: any modern cpu that supports 64 bit instructions (except for itanium processors) will understand all the registers above.
Leon Neveral wrote:
    So if the item or game is 32 bit then use one of the 8 registers and so on?
Short answer: yes.
Long answer: you can use more than only those 8. A 64 bit program can use all registers used by a 32 bit program, so you can use eax - which is a part of rax - in a 64 bit program.
A 32 bit program can use all the registers used by a 16 bit program, so you can use ax - which is a part of eax - in a 32 bit program.
A 16 bit program... isn't worth the bother.
However a 32 bit program cannot use a 64 bit register, and a 16 bit program cannot... be worth a damn.
Read this for more information: http://en.wikipedia.org/wiki/X86#Purpose and the "structure" paragraph too.
Still, an address will always be 64 bit long in a 64 bit program, and must be stored in a register that starts with an "r" (ex: rax), and an address in a 32 bit program will always be 32 bit long, requiring it to be stored in a register that starts with an "e" (ex: eax).
_________________
DO NOT PM me if you want help on making/fixing/using a hack.