AOB-based Displayer

Coreveen
Cheater
Reputation: 0

Joined: 12 May 2011
Posts: 39

Posted: Sat Jun 16, 2018 5:13 pm    Post subject: AOB-based Displayer

Hey all,

Having trouble with loading up an AOB of a value I want to be able to find every time I play the game. For some reason when I restart the game to test and perform the action to trigger the activation, the game crashes.

This is the AOB injection table that generates, with my changes marked by a comment (the address in the alloc line, also marked, is explained below the code block).

Code:
[ENABLE]

aobscan(INJECT,F3 0F 10 4E 30 F3 0F 5A C9 F3 0F 10 15) // should be unique
alloc(newmem,$1000,2CF25D1BCC8) // this address is the part I ask about below

label(code)
label(return)

globalalloc(_ptr,4) // my change

newmem:

code:
  mov [_ptr],rsi // my change

  movss xmm1,[rsi+30]
  jmp return

INJECT:
  jmp newmem
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db F3 0F 10 4E 30

unregistersymbol(INJECT)
dealloc(newmem)


As said, when restarting the game and performing the action to trigger the activation, the game just crashes to desktop. Normally this method of viewing values and address in this read-only fashion has not given me any problems in any other games.

As for the address in the alloc line, I am no expert (in fact rather newbish and just trying to make a game a little more enjoyable for myself) but to me it appears like an address. I'm assuming this would change between restarts or reloads of save games or certain other conditions.

Then on the table itself I have an address for [_ptr]+30. As said, this method usually works fine for most games.

Now, that said, I have tried this very same method with other structures of code like item structure for item stacks and IDs etc, and player structure for stamina and health. They either don't activate outright or crash when successfully activating after a restart.

------------------

So what I did was I downloaded a .CT for the game from another source to see how they retrieved their values. I would just use theirs if it contained the only value I'm interested in, but it doesn't. Here's their code for a structure:

Code:
define(address,Pathea.UISystemNs.MainMenu:GridPlayerAbility:Fresh+23b)
define(bytes,48 63 40 44 85 C0)

[ENABLE]
assert(address,bytes)
alloc(newmem,$100)

label(code)
label(return)

globalalloc(playerAbility_ptr,8)

newmem:
  mov [playerAbility_ptr],rax

code:
  movsxd  rax,dword ptr [rax+44]
  test eax,eax
  jmp return

address:
  jmp newmem
  nop
return:

[DISABLE]
address:
  db bytes
  // movsxd  rax,dword ptr [rax+44]
  // test eax,eax

dealloc(newmem)


Hoping to step up my CE game even just a little from the knowledge I could gain from this technique... but how are they getting this format of information to use as their injection point?

Code:
define(address,Pathea.UISystemNs.MainMenu:GridPlayerAbility:Fresh+23b)
define(bytes,48 63 40 44 85 C0)


I'm really hoping to employ this technique for the value that I'm after. Any help would be appreciated in stepping toward this goal. Thanks for reading and thanks in advance if anyone can help out!
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

Posted: Sat Jun 16, 2018 5:48 pm

Formatting doesn't work inside code blocks; it's best to use comments to indicate specific lines.

try changing
Code:
alloc(newmem,$1000,2CF25D1BCC8)

to
Code:
alloc(newmem,$1000,INJECT)
Most likely it's dynamically generated code and the allocated code is too far from the code for CE to generate a 5 byte jmp to newmem; however, the code assumes that the jmp will be 5 bytes, so when instead a larger jump (pseudo) instruction is generated, extra bytes are overwritten and some aren't nopped properly, causing a crash when the partially overwritten instructions are executed. This is really only an issue in x64 games.

define allows you to set up a word that will be text-replaced with some other stuff by CE, nothing particularly special. Pathea.UISystemNs.MainMenu:GridPlayerAbility:Fresh+23b would be a debug symbol + an offset. Such symbols often come from a pdb file shipped with the game, though there are other options (most commonly if the game is made with mono, which is an open source implementation of .NET; CE has some lua code to interface with it and get names from it). There's an option in the memory viewer under the view menu to hide/show symbols iirc.

Oh, and rsi is an 8 byte register; you should really allocate 8 bytes for it, not just 4.

_________________
https://github.com/FreeER/ has a few CE related repos
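Added example (not from the thread or from Cheat Engine itself): a small Python model of the jmp-distance problem FreeER describes, using the instruction lengths decoded from the first post's AOB pattern (movss 5 bytes, cvtss2sd 4 bytes, movss from rip-relative memory 8 bytes) and the page's alloc address. It assumes that CE falls back to a 14-byte absolute jmp (FF 25 00 00 00 00 followed by an 8-byte target) when the rel32 displacement does not fit; the injection addresses are constructed.

```python
# Added example, not code from the thread. Models why an out-of-range
# newmem turns a 5-byte hook into a crash, as FreeER explains above.

REL32_MIN, REL32_MAX = -(1 << 31), (1 << 31) - 1
NEAR_JMP = 5    # E9 rel32, what the aobscan template expects
FAR_JMP = 14    # FF 25 00000000 + 8-byte absolute target (assumption)

# Constructed instruction stream at INJECT; lengths decoded from the AOB
# F3 0F 10 4E 30 | F3 0F 5A C9 | F3 0F 10 15 ?? ?? ?? ??
ORIGINAL = [
    ("movss xmm1,[rsi+30]", 5),
    ("cvtss2sd xmm1,xmm1", 4),
    ("movss xmm2,[rip+disp32]", 8),
]


def jmp_size(inject, newmem):
    """Size of the jmp CE must emit to reach newmem from inject."""
    disp = newmem - (inject + NEAR_JMP)   # rel32 is relative to next insn
    return NEAR_JMP if REL32_MIN <= disp <= REL32_MAX else FAR_JMP


def analyse(inject, newmem, restore_bytes, stream=ORIGINAL):
    """Report what the hook clobbers and whether [DISABLE] repairs it."""
    size = jmp_size(inject, newmem)
    boundaries = {sum(l for _, l in stream[:i]) for i in range(len(stream) + 1)}
    clobbered, offset = [], 0
    for name, length in stream:
        if offset < size:   # instruction starts inside the jmp bytes
            status = "whole" if offset + length <= size else "partial"
            clobbered.append((name, status))
        offset += length
    return {
        "jmp_size": size,
        "clobbered": clobbered,
        # 'return:' sits right after the jmp; safe only on an insn boundary
        "return_on_boundary": size in boundaries,
        # [DISABLE] writes restore_bytes (5 here); leftover jmp bytes stay
        "stale_bytes_after_disable": max(0, size - restore_bytes),
    }


if __name__ == "__main__":
    INJECT = 0x7FF612345000                      # constructed
    print(analyse(INJECT, INJECT + 0x1000, 5))   # alloc near INJECT
    print(analyse(INJECT, 0x2CF25D1BCC8, 5))     # the page's stale address
```

With alloc(newmem,$1000,INJECT) the far case disappears because the allocation is placed within rel32 range of the hook.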
Coreveen
Cheater
Reputation: 0

Joined: 12 May 2011
Posts: 39

Posted: Sat Jun 16, 2018 6:21 pm

Many thanks for the response. I did try to allocate 8 bytes at first but when initially switching from 4 it gave me a warning when I tried to click Ok and I thought, 'nope, it doesn't like that' but after trying again a second time it is starting to let it go through without issues.

Is there any way to tell if something is being improperly nopped as you say?

I have had success randomly before trying your suggestion out. The game had a 50/50 chance of crashing when loading it up, sometimes it would work, sometimes not so far. Just tried the 'INJECT' instead of that seemingly random address and it worked this time so... going to restart the game a couple times and see if it is consistent.

Three restarts and on different save files, all seemed to work. Great!

Forgive the newb questions, but I am unclear on the methods the other table maker used to get these 'debug symbols'. Would you be able to point me in the right direction for learning about that?
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

Posted: Sat Jun 16, 2018 8:27 pm

Coreveen wrote:
Is there any way to tell if some thing are being improperly nopped as you say?
Pause the game, or let it hit a breakpoint, and assemble the code, then go look at it.

The "seemingly random address" is, I believe, the start of the memory region the function was in at the time the script was created. Which would be fine in 32 bit where you can jump to any address (because jmp takes a 32 bit offset) or in 64 bit where it's always in the same place, but not in 64 bit where it can be allocated in different places in memory. Honestly not sure why it doesn't just use the symbol name during generation ...

As for how to see symbols: (and enable mono if you see a mono menu after attaching to the game; note that for some reason it breaks when using the debugger, so you may have to reenable it sometimes)

_________________
https://github.com/FreeER/ has a few CE related repos