Codcat (Advanced Cheater)
Reputation: 0
Joined: 21 Aug 2007, Posts: 62
Posted: Mon Jun 23, 2008 10:49 pm, Post subject: Help with CE's AutoAssembler
I've always used TSearch for writing my code caves, but I wish to use CE's AA instead, so I've tried bringing one of my scripts across. I use it in an MMORPG for creating my own static pointer addresses. It works fine in TSearch's Easywrite, but when I try to use it in CE's autoassembler it crashes the game process after a few seconds.
Here's the code cave I've converted from TSearch, correcting the syntax for CE (although I don't think the syntax matters much):
Code:
[ENABLE]
400400:
mov [00400500],eax
fld dword ptr [esp+38]
fmul dword ptr [esp+38]
jmp 00427e58
400420:
mov [00400510],ecx
lea edx,[ecx+0000009c]
jmp 009a5dc1
427E50:
jmp 00400400
nop
nop
nop
9A5DBB:
jmp 00400420
nop
[DISABLE]
427E50:
fld dword ptr [esp+38]
fmul dword ptr [esp+38]
9A5DBB:
lea edx,[ecx+0000009c]
Here is the original code from TSearch's Easywrite:
Code:
offset 400400
mov dword ptr [400500], eax
fld dword ptr [esp+38]
fmul dword ptr [esp+38]
jmp 427E58
offset 400420
mov dword ptr [400510], ecx
lea edx, dword ptr [ecx+0000009C]
jmp 9A5DC1
offset 427E50
jmp 400400
nop
nop
nop
offset 9A5DBB
jmp 400420
nop
//disable part starts here
offset 427E50
fld dword ptr [esp+38]
fmul dword ptr [esp+38]
offset 9A5DBB
lea edx, dword ptr [ecx+0000009C]
I've tried using both types of assembler syntax; both return the same crashing result. I don't wish to use the memory alloc, rather the process memory (code cave). Could it possibly be that how CE writes to process memory is different to TSearch? Or have I missed something in the code for AA to use it properly?
Labyrnth (Moderator)
Reputation: 10
Joined: 28 Nov 2006, Posts: 6301
Posted: Tue Jun 24, 2008 12:04 am
In the AA script you left out dword ptr on a lot of it!
Codcat (Advanced Cheater)
Reputation: 0
Joined: 21 Aug 2007, Posts: 62
Posted: Tue Jun 24, 2008 2:48 am
Labyrnth wrote: In the AA script you left out dword ptr on a lot of it!
Yep, it's how CE's memory viewer interprets it; it's the same thing either way.
Labyrnth (Moderator)
Reputation: 10
Joined: 28 Nov 2006, Posts: 6301
Posted: Tue Jun 24, 2008 3:11 am
Hmmm, I would have the memory window open, go to my first address and enable the script, and watch to see if it overwrites anything. Disable it again to see if it writes back what was removed. Looking to see if it leaves or overwrites anything.
Then go to the cave and see if that is overwriting anything there.
Keep going down the list of addresses and see if anything is overwritten or leaving bytes.
From what I see, I counted the bytes on the scripts and, unless I'm missing the same thing as you, it looks like it is right. So the only thing I can think of is to check visually in memory and see what it is doing.
-DEViL- (Expert Cheater)
Reputation: 3
Joined: 21 Apr 2007, Posts: 185
Posted: Tue Jun 24, 2008 6:10 am
Try this:
Code:
[ENABLE]
label(back)
label(back0)
400400:
mov [00400500],eax
fld dword ptr [esp+38]
fmul dword ptr [esp+38]
jmp back
400420:
mov [00400510],ecx
lea edx,[ecx+0000009c]
jmp back0
427E50:
jmp 00400400
nop
nop
nop
back:
9A5DBB:
jmp 00400420
nop
back0:
[DISABLE]
427E50:
fld dword ptr [esp+38]
fmul dword ptr [esp+38]
9A5DBB:
lea edx,[ecx+0000009c]
Labyrnth (Moderator)
Reputation: 10
Joined: 28 Nov 2006, Posts: 6301
Posted: Tue Jun 24, 2008 12:07 pm
The only thing different in that is you're using labels, and he is using code.
Both will work the same; his return jumps are jumping to where the AA script is sticking labels.
He will have to do what I said and look in memory as his script is turned on.
I think his caves may be too close together and overwriting each other.
But the number of bytes in the cave looks to be good in size to not do this.
Codcat (Advanced Cheater)
Reputation: 0
Joined: 21 Aug 2007, Posts: 62
Posted: Tue Jun 24, 2008 7:24 pm
Right, here we go: the problem was I needed a clean-up NOP after the first cave.
Code:
TSearch Injection
00400400 - a3 00 05 40 00 - mov [00400500],eax : 00000000
00400405 - d9 44 24 38 - fld dword ptr [esp+38]
00400409 - d8 4c 24 38 - fmul dword ptr [esp+38]
0040040D - e9 46 7a 02 00 - jmp 00427e58
00400412 - 00 00 - add [eax],al
00400414 - 00 00 - add [eax],al
00400416 - 00 00 - add [eax],al
00400418 - 00 00 - add [eax],al
0040041A - 00 00 - add [eax],al
0040041C - 00 00 - add [eax],al
0040041E - 00 00 - add [eax],al
00400420 - 89 0d 10 05 40 00 - mov [00400510],ecx : 00000000
00400426 - 8d 91 9c 00 00 00 - lea edx,[ecx+0000009c]
0040042C - e9 90 59 5a 00 - jmp 009a5dc1

CE Auto Assembler (fixed)
00400400 - 89 05 00 05 40 00 - mov [00400500],eax : 00000000
00400406 - d9 44 24 38 - fld dword ptr [esp+38]
0040040A - d8 4c 24 38 - fmul dword ptr [esp+38]
0040040E - e9 45 7a 02 00 - jmp 00427e58
00400413 - 90 - nop
00400414 - 00 00 - add [eax],al
00400416 - 00 00 - add [eax],al
00400418 - 00 00 - add [eax],al
0040041A - 00 00 - add [eax],al
0040041C - 00 00 - add [eax],al
0040041E - 00 00 - add [eax],al
00400420 - 89 0d 10 05 40 00 - mov [00400510],ecx : 00000000
00400426 - 8d 91 9c 00 00 00 - lea edx,[ecx+0000009c]
0040042C - e9 90 59 5a 00 - jmp 009a5dc1
00400431 - 90 - nop
I have a very limited knowledge of ASM, so I'm unsure why this starts happening: when using the autoassembler the asm started disassembling with an "odd" number, so 00400420 was not a viable address to use and the injected code went garbled. As you can see, TSearch and CE use different hex and a different number of bytes for the same instruction, hence the need for the clean-up NOP with CE.
EDIT:
ARGH, NO, IT'S STILL CRASHING! I now think it has something to do with how CE writes to process memory vs. TSearch; I'm running Vista 64.
I've checked all addresses after the script has been enabled and everything has been written to correctly, yet the game still crashes regardless of what code syntax I use. Remember, it doesn't do this with TSearch; what the hell could it be...
EDIT2:
I've found where the problem is: "mov [00400500],eax" will cause the game to crash, and "mov dword ptr [400500], eax" in a different format does the exact same thing. The 2nd code cave never gets a chance to execute, but I'm sure it'll be having the same problem copying a register into a static address.
Now the interesting thing is, if I first enable the code cave using TSearch, then disable it, then re-enable it using the CE AA script, it will WORK and continue to update the pointer address across zoning as intended.
It's like CE has a problem writing to a static address, e.g. in this case 400500 & 400510, but once it has been written to by TSearch first, CE can then start writing to those addresses without a problem...
Anyone have any ideas!? :-/
Labyrnth (Moderator)
Reputation: 10
Joined: 28 Nov 2006, Posts: 6301
Posted: Wed Jun 25, 2008 12:40 pm
Hmm, that's interesting; maybe DarkByte will see this thread and make a reply.
Is this memory cave protected?
Dark Byte (Site Admin)
Reputation: 472
Joined: 09 May 2003, Posts: 25865, Location: The Netherlands
Posted: Wed Jun 25, 2008 1:56 pm
The memory region at 00400000 - 00401000 is usually READ-ONLY and NON-EXECUTABLE (non-executable only on Pentium 4 and later with NX bit support and PAE paging mode); writing to that region, or executing code there without making it writable/executable first, will result in an access violation.
You can solve this by calling "Fullaccess(00400000,4096)".
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Codcat (Advanced Cheater)
Reputation: 0
Joined: 21 Aug 2007, Posts: 62
Posted: Wed Jun 25, 2008 7:34 pm
Thank you for your responses. I guessed that may be the case, so I tried a much higher memory region cave found by CE's code cave finder. Still the same thing: crashing. Interesting how TSearch doesn't have this problem??
Anyway, I'll have to come back to it another time; changing games.
Dark Byte (Site Admin)
Reputation: 472
Joined: 09 May 2003, Posts: 25865, Location: The Netherlands
Posted: Thu Jun 26, 2008 8:10 am
Hint: don't use code caves. Allocating memory saves you from a lot of trouble.
Also, add "Fullaccess(addressyouuse,size)" if you insist on using code caves.
Labyrnth (Moderator)
Reputation: 10
Joined: 28 Nov 2006, Posts: 6301
Posted: Thu Jun 26, 2008 2:46 pm
Oh, it just might be protected memory then.
DB, why do you suggest not using caves?
Like, back in the day that's what was used. Is allocation better in some way?
Dark Byte (Site Admin)
Reputation: 472
Joined: 09 May 2003, Posts: 25865, Location: The Netherlands
Posted: Thu Jun 26, 2008 3:00 pm
Yes, that's why I say to use the fullaccess instruction; that'll make the memory writable and executable.
Back in the day (pre-Win2000) there was no VirtualAllocEx, so code caves were the best thing there was. But you can pretty much assume most people have upgraded to at least Win2k by now.
It also saves time finding code caves and later finding out they get destroyed at runtime, or that your trainer doesn't work on other people's computers because you picked a non-executable code cave and someone else has NX protection enabled; and as a bonus you don't have to worry about finding a big enough cave when you're going to write a huge chunk of code.
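Added example, not code from this thread, Cheat Engine or TSearch: a small audit of a process memory map, in the shape VirtualQueryEx reports (base, size, type, protection), that flags the two states Dark Byte's two replies describe, an image page in the 00400000 region made writable and executable (what Fullaccess does) and a private executable allocation outside any module (what allocating memory produces). The snapshot is constructed from the thread's addresses; the region layout and the 0x1E30000 allocation are assumptions.

```python
# Added example (not from the thread, Cheat Engine or TSearch): audit a constructed
# memory map, in the shape VirtualQueryEx reports, for cave/allocation telltales.
from dataclasses import dataclass

# Protection and type constants as defined in winnt.h.
PAGE_READONLY, PAGE_READWRITE = 0x02, 0x04
PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x20, 0x40
MEM_PRIVATE, MEM_IMAGE = 0x20000, 0x1000000
EXEC = {0x10, 0x20, 0x40, 0x80}   # every PAGE_EXECUTE* value
WRITE = {0x04, 0x08, 0x40, 0x80}  # RW, WRITECOPY and their EXECUTE_ forms


@dataclass
class Region:
    base: int
    size: int
    mem_type: int
    protect: int

    def contains(self, addr):
        return self.base <= addr < self.base + self.size


def audit(regions, module_base):
    """Return (base, reason) for each region that deviates from a clean image."""
    findings = []
    for r in regions:
        rwx = r.protect in EXEC and r.protect in WRITE
        if r.base == module_base and r.protect != PAGE_READONLY:
            findings.append((r.base, "PE header page is not read-only"))
        elif r.mem_type == MEM_IMAGE and rwx:
            findings.append((r.base, "image page is writable and executable"))
        elif r.mem_type == MEM_PRIVATE and r.protect in EXEC:
            findings.append((r.base, "private executable memory outside any module"))
    return findings


def region_for(regions, addr):
    """Region holding addr, or None if it is unmapped."""
    return next((r for r in regions if r.contains(addr)), None)


# Constructed snapshot on the thread's addresses: the header page after
# Fullaccess(00400000,4096), the .text section, a heap, an allocated cave.
SNAPSHOT = [
    Region(0x00400000, 0x1000, MEM_IMAGE, PAGE_EXECUTE_READWRITE),
    Region(0x00401000, 0x5A5000, MEM_IMAGE, PAGE_EXECUTE_READ),
    Region(0x00230000, 0x10000, MEM_PRIVATE, PAGE_READWRITE),
    Region(0x01E30000, 0x1000, MEM_PRIVATE, PAGE_EXECUTE_READWRITE),
]
```

Run `audit(SNAPSHOT, 0x00400000)` to list the header page at 00400000 and the private RWX block; the untouched .text section and the heap produce no findings.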
Labyrnth (Moderator)
Reputation: 10
Joined: 28 Nov 2006, Posts: 6301
Posted: Thu Jun 26, 2008 3:20 pm
OK, see, I'm old school: manual code caves.
Recifense (I post too much)
Reputation: 166
Joined: 17 Mar 2008, Posts: 3688, Location: Pernambuco - Brazil
Posted: Fri Jun 27, 2008 8:32 am
Hi guys,
Since that code worked with TSearch, I think that this issue deserves more investigation.
I understood that the CE code injection worked fine right after the TSearch injection.
Jazcat, could you please give it another try?
1) Run the following script first:
Code:
[ENABLE]
label(back)
label(back0)
Fullaccess(400400,512)
400400:
mov [00400500],eax
fld dword ptr [esp+38]
fmul dword ptr [esp+38]
jmp back
400420:
mov [00400510],ecx
lea edx,[ecx+0000009c]
jmp back0
//427E50:
//jmp 00400400
//nop
//nop
//nop
00427e58:
back:
//9A5DBB:
//jmp 00400420
//nop
009a5dc1:
back0:
[DISABLE]
427E50:
fld dword ptr [esp+38]
fmul dword ptr [esp+38]
9A5DBB:
lea edx,[ecx+0000009c]
2) Now disable it.
3) Run xxx_xxx's script.
4) Now give us some feedback about it working or not.
By the way, what version of TSearch do you use? Is it TSearchb?
Cheers.