Cheat Engine Forum, General Gamehacking
How to add more addresses to an AOB script?

 
mouser (Advanced Cheater; Reputation: 0; Joined: 08 Mar 2015; Posts: 50)
Posted: Sun Apr 10, 2016 4:58 am    Post subject: How to add more addresses to an AOB script?

I have this script at the moment:

Code:

[ENABLE]

aobscanmodule(PlayerPosY,Condemned.exe,89 4E 24 8B 50 04 89 56 28 8B 48 08 89 4E 2C D9)
label(_PlayerPosY)
registersymbol(_PlayerPosY)

PlayerPosY:
_PlayerPosY:
  mov [esi+24],ecx

[DISABLE]
_PlayerPosY:
  db 89 4E 24

unregistersymbol(_PlayerPosY)


All I want to do is give certain addresses a symbol (is that the right term?) so I can reference them in other scripts.

This is the code snippet that was copied into the script automatically; the green line is what is targeted at the moment:

Code:

// ORIGINAL CODE - INJECTION POINT: "Condemned.exe"+279FC

"Condemned.exe"+279EB: CC                 -  int 3
"Condemned.exe"+279EC: CC                 -  int 3
"Condemned.exe"+279ED: CC                 -  int 3
"Condemned.exe"+279EE: CC                 -  int 3
"Condemned.exe"+279EF: CC                 -  int 3
"Condemned.exe"+279F0: 83 EC 18           -  sub esp,18
"Condemned.exe"+279F3: 8B 44 24 1C        -  mov eax,[esp+1C]
"Condemned.exe"+279F7: 56                 -  push esi
"Condemned.exe"+279F8: 8B F1              -  mov esi,ecx
"Condemned.exe"+279FA: 8B 08              -  mov ecx,[eax]
"Condemned.exe"+279FC: 89 4E 24           -  mov [esi+24],ecx    // _PlayerPosY (in script above)
"Condemned.exe"+279FF: 8B 50 04           -  mov edx,[eax+04]
"Condemned.exe"+27A02: 89 56 28           -  mov [esi+28],edx    // this is _PlayerPosZ (not yet in script)
"Condemned.exe"+27A05: 8B 48 08           -  mov ecx,[eax+08]
"Condemned.exe"+27A08: 89 4E 2C           -  mov [esi+2C],ecx    // this is _PlayerPosX (not yet in script)
"Condemned.exe"+27A0B: D9 46 78           -  fld dword ptr [esi+78]
"Condemned.exe"+27A0E: D8 00              -  fadd dword ptr [eax]
"Condemned.exe"+27A10: 56                 -  push esi
"Condemned.exe"+27A11: D9 46 7C           -  fld dword ptr [esi+7C]
"Condemned.exe"+27A14: D8 40 04           -  fadd dword ptr [eax+04]
"Condemned.exe"+27A17: D9 86 80 00 00 00  -  fld dword ptr [esi+00000080]
"Condemned.exe"+27A1D: D8 40 08           -  fadd dword ptr [eax+08]


This is for a simple teleport or fly thingy script. That instruction writes to the address where the final value for player position Y is stored; I can't AOB scan the value's address directly because the memory region around it changes wildly all the time, and pointers stop working in different levels.
So now I need the X and Z coordinates too, to give them a label and register them as symbols; I have marked them above at the end of the lines.

How do I write them into the script I already have? Can it be done without using 3 aobscans, or is that the best way to do it?
This memory region seems to be completely stable, so can I do something like adding "+5" to the first aob scan to get to the second address, and so forth... or something like that? Would that count as another scan, or would that skip the scanning process because the first scan is already done?

And another question: can I reference those addresses in the very same script and change what they do, so aob scanning them and further down the script adding jumps, noping them, etc.? Or would that be a messy way to do it, and should it always be done in 2 or more scripts?

Final question... can several aobscanmodules create problems? Performance-wise, or even corrupt code (assuming they are written correctly)?

Edit:
I forgot to add: is it possible to get the exact location of an address that has a value stored in it by using the address of the instruction that writes that value?
Can this be made into a script so that said address kinda behaves like a pointer, so that you can add hotkeys to it and change the value on the fly?
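As an added worked example (not code from the thread or from Cheat Engine), here is the scan logic behind the "+5" question above, in C: a byte buffer transcribed from the disassembly in the post is searched for the script's 16-byte pattern, and the Z and X store instructions are derived from the single Y hit at +6 and +12, which are the instruction lengths visible in the listing. The names `aob_scan`, `region` and `REGION_BASE` are assumptions of this example.

```c
/* Added example (not code from the thread): a minimal AOB scan over a constructed
 * buffer. One hit on the 16-byte pattern locates all three store instructions:
 * Z and X sit at +6 and +12 inside the match, per the instruction lengths. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes of Condemned.exe+279F0 .. +27A0D transcribed from the post's listing;
 * index 0 of this buffer stands for module offset 0x279F0. */
#define REGION_BASE 0x279F0L
static const uint8_t region[] = {
    0x83,0xEC,0x18,        /* +279F0 sub esp,18 */
    0x8B,0x44,0x24,0x1C,   /* +279F3 mov eax,[esp+1C] */
    0x56,                  /* +279F7 push esi */
    0x8B,0xF1,             /* +279F8 mov esi,ecx */
    0x8B,0x08,             /* +279FA mov ecx,[eax] */
    0x89,0x4E,0x24,        /* +279FC mov [esi+24],ecx   <- Y */
    0x8B,0x50,0x04,        /* +279FF mov edx,[eax+04] */
    0x89,0x56,0x28,        /* +27A02 mov [esi+28],edx   <- Z */
    0x8B,0x48,0x08,        /* +27A05 mov ecx,[eax+08] */
    0x89,0x4E,0x2C,        /* +27A08 mov [esi+2C],ecx   <- X */
    0xD9,0x46,0x78,        /* +27A0B fld dword ptr [esi+78] */
};

/* Pattern from the script; a negative entry is a wildcard ("??" in CE). */
static const int pattern[16] = {0x89,0x4E,0x24,0x8B,0x50,0x04,0x89,0x56,0x28,
                                0x8B,0x48,0x08,0x89,0x4E,0x2C,0xD9};

/* Return the module offset of the first match, or -1 when the pattern is absent. */
long aob_scan(const uint8_t *buf, size_t len, const int *pat, size_t plen, long base)
{
    for (size_t i = 0; i + plen <= len; i++) {
        size_t j = 0;
        while (j < plen && (pat[j] < 0 || buf[i + j] == (uint8_t)pat[j])) j++;
        if (j == plen) return base + (long)i;
    }
    return -1;
}

/* One scan, three addresses: Z and X are derived from the Y hit. */
long find_player_pos_y(void) { return aob_scan(region, sizeof region, pattern, 16, REGION_BASE); }
long find_player_pos_z(void) { long y = find_player_pos_y(); return y < 0 ? -1 : y + 6; }
long find_player_pos_x(void) { long y = find_player_pos_y(); return y < 0 ? -1 : y + 12; }

int main(void)
{
    printf("Y %lX  Z %lX  X %lX\n", find_player_pos_y(), find_player_pos_z(), find_player_pos_x());
    return 0;
}
```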
Zanzer (I post too much; Reputation: 126; Joined: 09 Jun 2013; Posts: 3278)
Posted: Sun Apr 10, 2016 8:18 am

This will store the base address of the player's location to the PlayerPosPtr symbol.
Code:
[ENABLE]
aobscanmodule(PlayerPos,Condemned.exe,89 4E 24 8B 50 04 89 56 28 8B 48 08 89 4E 2C D9)
alloc(newmem,$1000,PlayerPos)

label(code)
label(return)
label(PlayerPosPtr)      // name our custom variable

newmem:

code:
  mov [PlayerPosPtr],esi // move ESI into the value of our variable
  mov [esi+24],ecx       // ESI is used in the original code to hold the base address
  mov edx,[eax+04]
  jmp return             // notice the jump over our custom variable below
                         // that way the computer doesn't try to execute our variable as if it were an instruction
PlayerPosPtr:            // define a location for our custom variable
  dd 0                   // reserve 4 bytes for our custom variable

PlayerPos:
  jmp code               // 5-byte jmp overwrites the 6 original bytes (89 4E 24 8B 50 04) ...
  nop                    // ... so one nop pads the leftover byte
return:
registersymbol(PlayerPos)
registersymbol(PlayerPosPtr)

[DISABLE]
PlayerPos:
  db 89 4E 24 8B 50 04
unregistersymbol(PlayerPos)
unregistersymbol(PlayerPosPtr)
dealloc(newmem)

Now you can add a table entry to your table.
Check the Pointer checkbox.
In the bottom box, give it the value "PlayerPosPtr".
In the box above that, give it a value of "24".
That entry is now your Y coordinate.
You can add two additional pointers with offsets "28" and "2C" for the rest.
When the game executes your injection normally, it will keep the PlayerPosPtr variable updated.
mouser (Advanced Cheater; Reputation: 0; Joined: 08 Mar 2015; Posts: 50)
Posted: Sun Apr 10, 2016 9:32 am

Hi Zanzer, thanks for the code. When I read your code I was like 'of course, the esi register, how could I have not seen this'; it's still difficult for me to make the connections.

I've tried it out and it should work: when I enter PlayerPosPtr and add the offset, I can compare the value to my older pointers (that work in one level and stop working later) and I see they are the same. The game is paused at that moment. When I get back into the game I suddenly see that the pointer address changes now and then, and the value is now slightly different from the value of the old pointer. I've lost the address.

Now when I observe the memory region before activating your script and go into the game and move/look around, nothing changes; the instructions always stay the same, a solid block of text/bytes.
Now when I activate your script and follow the first jump, then go into the game and move around, I can see some instructions changing constantly, and the more I move the more they change.

It's hard to explain, but I guess this is what changes the pointers. I don't know why that changes all of a sudden.
At first I thought something happens to esi when the script is active... but I'm not technically knowledgeable enough to see how.

I've added a screenshot of the region of the jump; 3 addresses below the jump seen in the screenshot constantly change when I move. The mov instruction at the PlayerPosPtr address turns into an inc and back (very quickly).

Do you have any idea why that happens?



[Attachment: jumpregion.JPG]


Zanzer (I post too much; Reputation: 126; Joined: 09 Jun 2013; Posts: 3278)
Posted: Sun Apr 10, 2016 12:25 pm

That instruction is likely run for all objects in the game, not only the player.
So when something else moves, the PlayerPosPtr changes to that object instead.
The code you see below the JMP is the location of the PlayerPosPtr variable.
So when something moves, those bytes are updated.
Since you are viewing those bytes as if they were instructions, it may look odd.
mouser (Advanced Cheater; Reputation: 0; Joined: 08 Mar 2015; Posts: 50)
Posted: Sun Apr 10, 2016 1:32 pm

Do you think it's a lost cause trying to do this with a script like that? I have a feeling this will be a complicated matter if I try to pursue this further.

I could just pointerscan for all the areas where a new pointer is needed; it's messy and I'd rather not, but if it's the only way...

Thinking about it, how does a pointer keep being stable when it has to point to an address in an area like that (changing constantly)?

The pointer I have for the first few levels of the game has 5 offsets (pointerscanned automatically); I don't really know how that relates to its ability to find its way to the right address though.
Zanzer (I post too much; Reputation: 126; Joined: 09 Jun 2013; Posts: 3278)
Posted: Sun Apr 10, 2016 1:56 pm

Each offset in the pointer jumps to a different object in memory.

So the base may simply be a static object declared in the code. Let's call it GameData.
Then within that GameData object, it has a variable pointing to a Units object.
Within that Units object is a Players object. Being the host, you are the first one in the list.
Then within that Player object is the Location object. That Location object has XYZ coordinates.

So your pointer jumps through each of those objects to find the values you want.

The game has already set up those objects in memory to keep track of your player.
Cheat Engine just makes use of what's already there.
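As an added example (not code from the thread), here is the pointer walk described above written out in C: a constructed GameData -> Units -> Players[0] -> Location -> Y layout with five offsets, resolved the way a Cheat Engine multi-level pointer is, and shown to keep resolving after the game allocates a fresh Location object while a cached raw address goes stale. The struct layout, offsets and function names are assumptions for illustration, not the game's.

```c
/* Added example (not code from the thread): how a five-offset pointer such as
 * the one described above resolves, and why it survives the game reallocating
 * the Location object. Layout and offsets are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { float x, y, z; } Location;            /* X +0, Y +4, Z +8 */
typedef struct { int health; Location *loc; } Player;
typedef struct { int count; Player **players; } Units;
typedef struct { int version; Units *units; } GameData;
static GameData *g_game;   /* the static base: a global at a fixed module address */

/* Walk the chain as Cheat Engine does: read the pointer stored at the current
 * address, then add the next offset. Returns the final address (not the value),
 * or 0 if some level is not allocated yet. */
uintptr_t resolve_chain(uintptr_t base, const uintptr_t *offsets, int n)
{
    uintptr_t addr = base;
    for (int i = 0; i < n; i++) {
        memcpy(&addr, (const void *)addr, sizeof addr);   /* dereference */
        if (addr == 0) return 0;
        addr += offsets[i];
    }
    return addr;
}
/* "GameData" -> Units -> Players[0] -> Location -> Y: five offsets. */
float *player_y_addr(void)
{
    const uintptr_t offs[5] = { offsetof(GameData, units), offsetof(Units, players),
                                0, offsetof(Player, loc), offsetof(Location, y) };
    return (float *)resolve_chain((uintptr_t)&g_game, offs, 5);
}
/* Constructed allocations standing in for the objects the game sets up. */
void build_world(float y)
{
    Location *loc = calloc(1, sizeof *loc);   loc->y = y;
    Player *p = calloc(1, sizeof *p);         p->loc = loc;
    Player **list = calloc(1, sizeof *list);  list[0] = p;
    Units *u = calloc(1, sizeof *u);          u->count = 1; u->players = list;
    g_game = calloc(1, sizeof *g_game);       g_game->units = u;
}
/* Level change: a fresh Location replaces the old one (which is abandoned), so a
 * cached raw address goes stale while the chain above still resolves. */
void reload_level(float y)
{
    Location *fresh = calloc(1, sizeof *fresh);   fresh->y = y;
    g_game->units->players[0]->loc = fresh;
}
```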
mouser (Advanced Cheater; Reputation: 0; Joined: 08 Mar 2015; Posts: 50)
Posted: Sun Apr 10, 2016 2:08 pm

Ah, interesting... I may be getting ahead of myself here, but when I know the offsets of a pointer, can I use this information in a script?

Let's say in level one my pointer with 5 offsets is working, in level two however it stops working but I can try and pointerscan for new offsets.

I always want to have hotkeys assigned to an address where I can increase and decrease the value, but I don't want to assign them again later to another pointer in level 2 because the first pointer stopped working.

So I'd need a script that incorporates both of these pointers and can somehow tell when one isn't working anymore and must use the other one; then it assigns the right one to an address that the hotkeys are assigned to....

Does that make any sense, or is it overly complicated and I'd be better off finding the physics/gravity and trying my luck with that?

(I wouldn't know how to write such a script anyway)
mouser (Advanced Cheater; Reputation: 0; Joined: 08 Mar 2015; Posts: 50)
Posted: Sun Apr 24, 2016 1:39 pm

Hey Zanzer,
I didn't want to open a new thread for this, as my question is based on your code above (putting the value of a register, which is the base address of a structure, into a custom variable).

This is the code region I am targeting; I think esi contains the base address for the camera structure:
Code:


"GrowHome.exe"+808D5F: F3 0F 10 40 0C        -  movss xmm0,[eax+0C]
"GrowHome.exe"+808D64: F3 0F 10 48 10        -  movss xmm1,[eax+10]
"GrowHome.exe"+808D69: F3 0F 10 50 14        -  movss xmm2,[eax+14]
"GrowHome.exe"+808D6E: F3 0F 10 58 18        -  movss xmm3,[eax+18]
"GrowHome.exe"+808D73: F3 0F 10 20           -  movss xmm4,[eax]
"GrowHome.exe"+808D77: F3 0F 10 68 04        -  movss xmm5,[eax+04]
"GrowHome.exe"+808D7C: F3 0F 10 70 08        -  movss xmm6,[eax+08]
// ---------- INJECTING HERE ----------
"GrowHome.exe"+808D81: F3 0F 11 66 64        -  movss [esi+64],xmm4
// ---------- DONE INJECTING  ----------
"GrowHome.exe"+808D86: F3 0F 11 6E 68        -  movss [esi+68],xmm5
"GrowHome.exe"+808D8B: F3 0F 11 76 6C        -  movss [esi+6C],xmm6
"GrowHome.exe"+808D90: F3 0F 11 46 70        -  movss [esi+70],xmm0
"GrowHome.exe"+808D95: F3 0F 11 4E 74        -  movss [esi+74],xmm1
"GrowHome.exe"+808D9A: F3 0F 11 56 78        -  movss [esi+78],xmm2
"GrowHome.exe"+808D9F: F3 0F 11 5E 7C        -  movss [esi+7C],xmm3
"GrowHome.exe"+808DA4: 5E                    -  pop esi


Here is my script, which I have based upon your code from above (I probably fucked something up and can't see what):
Code:

[ENABLE]

aobscanmodule(Z,GrowHome.exe,F3 0F 11 66 64) // should be unique
alloc(newmem,$1000)

label(code)
label(return)
label(Zptr)

newmem:

code:
nop
nop
nop
nop
nop
mov [Zptr],esi
  //movss [esi+64],xmm4
  jmp return

Zptr:
dd 0

Z:
  jmp code

return:
registersymbol(Z)
registersymbol(Zptr)

[DISABLE]

Z:
  db F3 0F 11 66 64

unregistersymbol(Z)
unregistersymbol(Zptr) // was registersymbol(Zptr): the disable section must unregister the symbol, not register it again
dealloc(newmem)


My goal is to assign a variable for esi and reference it with a pointer+offset in my table; I also nopped out the instruction that writes the Z value for the camera, as I need it to stop doing that.

When I enable the script, after 2-3 seconds the game crashes.

Can you point me to the error in my script with the information given?