Ground Control 2 issues

 
Kalibr
Newbie cheater
Reputation: 0

Joined: 02 Aug 2007
Posts: 12
Location: Earth.

Posted: Sat Aug 04, 2007 3:54 am    Post subject: Ground Control 2 issues

I'm still a bit noob at this so don't byte my head off eh?

Playing GCII, I am able to find the addy that contains the AP (credit/money type thing). I couldn't find a pointer, so I assume it didn't have one. My first problem is that for the life of me, I can't get why I can't save the address and change it after the prog restarts (this is prolly DMA, which I still don't get but meh). My other problem is that I can't generate a hacked .exe from my injections and stuff. Anyway, I did a "Check what writes to this" and got a nice answer.... So far, so good.

The problem comes when I do a hex search for the number that the info menu reckons is the pointer. I get hundreds! They all seem to have drastically different numbers to the AP I have (somewhere like 12k when my AP is like 300). This would be ok, if I could do the code injection alright, but I still don't fully understand what to do with it.

I added in some new code (pretty much copied the old code, which said something like "add [edx],eax", and replaced eax with 1f4 (500 in hex)). I left the old code as it was (it also had some other stuff which looked leave-aloneable) and injected. It happily gave me 1020 AP per kill (as opposed to 20) for the infantry, but I couldn't find the code in the .exe because it added in another line, and replaced the old code (with the other stuff that I thought I shouldn't change) into a jump thingy!

My question is this: how do I create a hacked exe with some seemingly completely new code?
And also should I also add in some of the old code into the new code if I feel it should be left alone? -OR- is the old code added to my new code?

If you guys want screens, please ask. Otherwise they're a pain in the ass to get...
Negima
I post too much
Reputation: 6

Joined: 22 May 2007
Posts: 2221

Posted: Sat Aug 04, 2007 4:08 am

Every address has a pointer
Labyrnth
Moderator
Reputation: 10

Joined: 28 Nov 2006
Posts: 6301

Posted: Sat Aug 04, 2007 7:44 am

I do not believe that is true.
If the address you find is a static one that controls HP or whatever, then why would it have a pointer?
-----------------------------------------------------------------------------------------

Kalibr:
Can you show some scripts you tried, and memory view screenshots?

I see you are wanting to patch the exe. It could be possible to do it, maybe.
I did this very thing with MSN. Never did it on a game, but the concept is the same.

Take a look at this tutorial and you will get sort of a guidance on how to patch a file, like you're wanting to do. Also, it could be in a dll where your code is needing to be patched. Just depends on what module you get your break in.


Here you go, read this and apply what you get to your idea.
This will walk you through doing a patch to msn with CE.
Same basic concept you will use to patch your game if it will work.
You can also take ollydbg and do your patch once you find the location of the code.
-------------------------------------------------------------------------------------
Ever wanted to hack MSN nudges? Watch the tutorial.


Msn Live Nudge Hack Video Tutorial

Image of the offset and what to do in the exe with hex editor:



==============================================
10:10 AM 12/17/2006 MSN Nudge Hacking by: Lab

Tools:
MsnLive 8.0 [Build 8.0.0812.00]
Cheat Engine

Selecting the Process:
==============================================
1. Open CE and Click the Process View Button
2. Now click the window list button
3. Right click in the top where you see processes, pick filter, and type in the name you see at the top of the window (you do not need to type the whole thing, just the first word or so).
You should now only see the window you want to attach to.
4. Highlight it and click OK.
==============================================

Make the Scans:
==============================================
1. Set to 4 bytes
2. Set value to 1
3. Click First Scan Button
4. Now nudge the contact till it says you cannot nudge any longer.
5. Quickly go back to ce and change the value to 0 and hit Next Scan Button.
* If you take too long to do the next scan you will not find the address you need.
6. After you do the scan for 0, Wait like 3 or 5 seconds. Then do a scan for 1 using the next Scan button.
You should see 2 addresses if you're lucky.
If you still have too many addresses, repeat Steps 4, 5, & 6.
==============================================

Making the patch:
==============================================
1. After you have found the address.
2. Double click it and it will pop into the bottom of CE.
3. Now check the box to freeze the address.
4. Go nudge the client and see if it works. *You will see it work but not 100%, You still see the message sometimes.
5. Now unfreeze the address.
6. Right click the address and select "See what writes to this address"
7. Nudge the client 1 time.
8. We see 2 Instructions POP. After 30 seconds you see another one show up.
* Don't worry about the new one popping in later.
9. Select the first popped instruction. Should look something like.
"005edd26-89 86 dc 02 00 00 - mov[esi+000002dc],02"
*Yours may look a little different
10. Now select it and make it highlighted and click the Replace Button.
11. Now go to the CE main window.
12. Lower left corner is "Advanced Options" In there is the Code List.
13. Open it up and right click the code in that list and then select "find in a file"
14. Browse to the msn exe.
15. Click it and select ok. Then give it a name other than your original.
16. Close CE and MSN.
17. Launch your new MSN exe and nudge your contacts to death.
==============================================
Kalibr
Newbie cheater
Reputation: 0

Joined: 02 Aug 2007
Posts: 12
Location: Earth.

Posted: Sat Aug 04, 2007 1:28 pm

Alright. I did the msn tut (I had to hack it twice because the first only worked when the main screen was open too). Anyway, I solved the pointer problem (I forgot the damn offsets), but I still can't hack it the way I could MSN. Anyway, I can't find the code in a file, because when I injected it, it added in new code that wasn't being changed at all.

See, I found the thing that writes (add [ecx+7c],eax) and pulled up the code injector. This is what I got.

Code:
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)

00576424:
jmp newmem
returnhere:

newmem: //this is allocated memory, you have read,write,execute access
//place your code here


originalcode:
add [ecx+7c],eax
mov al,01

exit:
jmp returnhere


I stuck
Code:
add [ecx+7c],1F4
in the //enter your code here bit, and left the original code alone.

When I played a bit (getting 1k + 20 AP at a time) I went back to patch the exe. I saw some extra code there... It turned the original into a jump. The second entry happens to be my code, and the third contains the original code. I can only add in the jump to the exe, and the rest just sit there....

What do I do next? (images will be added when I have enough posts)
Labyrnth
Moderator
Reputation: 10

Joined: 28 Nov 2006
Posts: 6301

Posted: Sat Aug 04, 2007 9:24 pm

alloc(newmem,2048)

^ because the script is allocating memory for the code to be written is why.

You need to use your own cave.
Scan for a code cave about 256 in size, don't use alloc.

Look at this topic to see how you would rewrite your script using your own cave.
http://forum.cheatengine.org/viewtopic.php?t=112385

After that you will know what is changed and where: addresses, asm, and bytes.
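
An added defender-side illustration, not part of the original thread and not Cheat Engine's own code: the inline patch discussed above overwrites five bytes with a JMP rel32, so diffing a known-good image against a suspect one and decoding each changed E9 shows where the detour lands, either in former padding inside the file (a code cave) or outside the image (run-time allocated memory, which is why alloc() output has no place in the exe). The 0x100-byte image, the 0x80 cave offset and the 0x02A00000 allocation address are constructed; 00576424 and the instructions come from the posts.

```python
import struct

PADDING = (0x00, 0xCC)  # zero fill / int3 filler typically left unused in a section

def changed_ranges(original, patched):
    """Return (start, end) offsets of each contiguous run of differing bytes."""
    runs, start = [], None
    for i, (a, b) in enumerate(zip(original, patched)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, len(original)))
    return runs

def find_detours(original, patched, base_va):
    """List (hook VA, target VA, kind) for changed runs that start with JMP rel32."""
    findings = []
    for start, _end in changed_ranges(original, patched):
        if patched[start] != 0xE9 or start + 5 > len(patched):
            continue
        rel = struct.unpack_from("<i", patched, start + 1)[0]
        target = start + 5 + rel  # offset from the start of the image
        if not 0 <= target < len(original):
            kind = "outside image"  # e.g. memory allocated at run time
        elif all(b in PADDING for b in original[target:target + 8]):
            kind = "code cave"  # landed in what used to be padding
        else:
            kind = "existing code"
        findings.append((base_va + start, base_va + target, kind))
    return findings

def jmp(src, dst):  # encode JMP rel32 placed at offset src, landing on offset dst
    return b"\xE9" + struct.pack("<i", dst - (src + 5))

# Constructed sample: 0x100-byte stand-in for the code section, mapped at BASE.
BASE, HOOK, CAVE = 0x00576400, 0x24, 0x80
ORIG_CODE = bytes.fromhex("01417cb001")  # add [ecx+7c],eax / mov al,01
original = bytearray(HOOK) + ORIG_CODE + bytearray(0x100 - HOOK - 5)
body = bytes.fromhex("81417cf4010000") + ORIG_CODE  # add dword [ecx+7c],1F4 + original
cave_patch = bytearray(original)
cave_patch[HOOK:HOOK + 5] = jmp(HOOK, CAVE)
cave_patch[CAVE:CAVE + len(body) + 5] = body + jmp(CAVE + len(body), HOOK + 5)
alloc_patch = bytearray(original)
alloc_patch[HOOK:HOOK + 5] = jmp(HOOK, 0x02A00000 - BASE)  # constructed alloc() address

for name, image in (("cave", cave_patch), ("alloc", alloc_patch)):
    print(name, [(hex(h), hex(t), k) for h, t, k in find_detours(original, image, BASE)])
```

Both inputs must be the same length and cover the same address range; a hash or signature check on the file tells you that it changed, while this shows where the changed code redirects execution.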
Kalibr
Newbie cheater
Reputation: 0

Joined: 02 Aug 2007
Posts: 12
Location: Earth.

Posted: Sat Aug 04, 2007 9:34 pm

'Doh!
Alright. I'll give it a go...

_________________
You can't hack WoW!
You can't hack Runescape!
They don't keep your stats on your computer!
....Crap
