Cheat Engine - The Official Site of Cheat Engine
ParoXsitiC, Newbie cheater (Reputation: 0, Joined: 22 Aug 2006, Posts: 10)
Posted: Tue Aug 22, 2006 1:13 pm    Post subject: Code Injection Help
The only thing I am going from is T-search's help on code injection.
I am attempting to write values to an Adobe Shockwave game. I want the score to be 5000 decimal.
I used Tsearch to find that the value I want to change is located at the DMA address:
80AC588
I turn on the debugger and autohack the address and find the following opcode:
4AD0BFC mov [eax+0x4],ecx
I then open Cheat Engine and search for a code cave; I use the first one found:
400019
I then go back to Tsearch and open easywriter. I write the following code:
Code:
    // Address: 80AC588
    // OpCodes: 4AD0BFC mov [eax+0x4],ecx
    // Code Cave: 400019
    offset 0x400019
    mov ecx, 0x1388
    mov [eax+0x4], ecx
    ret
    offset 0x4AD0BFC
    call 0x400019
For the unpatch:
Code:
    offset 0x4AD0BFC
    mov [eax+0x4], ecx
When I turn it on, IE automatically closes. What is the problem? Is it because of a security feature with the new Adobe Shockwave/Flash Player 8/9 (read about it)? If it is, how can I downgrade to Flash Player 8?
Off topic: I hate T-Search; how can I use something similar to easywrite in Cheat Engine?

ParoXsitiC, Newbie cheater (Reputation: 0, Joined: 22 Aug 2006, Posts: 10)
Posted: Tue Aug 22, 2006 9:33 pm
I found the auto assembler in Cheat Engine. I still don't understand the language 100%, especially labels and what not. I also don't know when I'll need to nop.

ParoXsitiC, Newbie cheater (Reputation: 0, Joined: 22 Aug 2006, Posts: 10)
Posted: Wed Aug 23, 2006 1:32 am
I found out what I was doing wrong originally: I was using a ret command with a code cave, and also my code cave was incorrect. Nonetheless I still can't figure it out. I am pretty sure it has something to do with NOPping and knowing what to use.
Here is the disassembled output:
Code:
    680e0bf4 - 57 - push edi
    680e0bf5 - 8b 0f - mov ecx,[edi]
    680e0bf7 - 89 08 - mov [eax],ecx
    680e0bf9 - 8b 4f 04 - mov ecx,[edi+04]
    680e0bfc - 89 48 04 - mov [eax+04],ecx
    680e0bff - ff 75 08 - push [ebp+08]
    680e0c02 - 56 - push esi
    680e0c03 - e8 be 70 fc ff - call 680a7cc6
    680e0c08 - 83 be e4 00 00 00 00 - cmp dword ptr [esi+000000e4],00
    680e0c0f - 74 0e - je 680e0c1f
    680e0c11 - 8d 45 f8 - lea eax,[ebp-08]
    680e0c14 - 50 - push eax
    680e0c15 - 57 - push edi
    680e0c16 - ff 75 0c - push [ebp+0c]
    680e0c19 - 56 - push esi
    680e0c1a - e8 30 00 00 00 - call 680e0c4f
    680e0c1f - 8b 4e 10 - mov ecx,[esi+10]
680E0BFC is the opcode for the address that held the value. I originally tried this (134914C is a code cave):
Code:
    680e0c1f:
    jmp 134914C
    134914C:
    mov ecx,5000
    mov [eax+04],ecx
    jmp 680e0bff
I then attempted to use autoassembly and it put both 680e0c1f and 680e0bff as the original code (why?). I also know I should do something with the NOP command for mov ecx,5000.

Dark Byte, Site Admin (Reputation: 471, Joined: 09 May 2003, Posts: 25833, Location: The Netherlands)
Posted: Wed Aug 23, 2006 2:01 am
Some more auto assembler info:
http://forum.cheatengine.org/viewforum.php?f=15
About your script:
You say that 680e0bfc would be the spot to place the jump,
but your script places the jump at 680e0c1f
and in the cave jumps to 680e0bff.
I'd say: infinite loop.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping

ParoXsitiC, Newbie cheater (Reputation: 0, Joined: 22 Aug 2006, Posts: 10)
Posted: Wed Aug 23, 2006 10:31 am
Sorry about that, the 2nd code I posted wasn't my real script; I re-created it while looking at the disassembler output and made an error. My real script didn't have that error.
Here would be the real script:
Code:
    680e0bfc:
    jmp 134914C
    134914C:
    mov ecx,5000
    mov [eax+04],ecx
    jmp 680e0bff
Given this script, I don't think an infinite loop would occur.

idster, Expert Cheater (Reputation: 0, Joined: 22 Aug 2006, Posts: 100, Location: RIGHT BEHIND YOU!!!!)
Posted: Wed Aug 23, 2006 11:15 am
Before you do any hack/code injection, load the game then speedhack it.
It may sound a bit cheesy, but giving the speedhack these settings will work:
speed=0.00001
sleeptime=100000
The game will look frozen (it's not).
It will be a lot easier to hack (and easier to find out what went wrong).
_________________
hackpacks broken/corrupted/overloaded = 44
latest hackpack broken = my own
SA HP (not posted on CE)
Halo 2 MLG rank: 14473
don't believe me? www.ipchicken.com

ParoXsitiC, Newbie cheater (Reputation: 0, Joined: 22 Aug 2006, Posts: 10)
Posted: Wed Aug 23, 2006 4:18 pm
Freezing the game did nothing at all. True, it didn't crash when I injected the code, but as soon as I turn speedhack off IE closed.
Here is the autoassembly code:
Code:
    alloc(newmem,2048) //2kb should be enough
    label(returnhere)
    label(originalcode)
    label(exit)
    680E0BFC:
    jmp newmem
    nop
    returnhere:
    newmem: //this is allocated memory, you have read,write,execute access
    mov ecx, 5000
    originalcode:
    mov [eax+04],ecx
    push [ebp+08]
    exit:
    jmp returnhere

ParoXsitiC, Newbie cheater (Reputation: 0, Joined: 22 Aug 2006, Posts: 10)
Posted: Wed Aug 23, 2006 4:31 pm
I realized that newmem was running two addresses, the mov and the push, so I decided to set the normal game routine manually:
Code:
    alloc(newmem,2048) //2kb should be enough
    680E0BFC:
    jmp newmem
    nop
    newmem:
    mov ecx, 5000
    mov [eax+04],ecx
    push [ebp+08]
    jmp 680e0c02
Here is the new injected code:
Code:
    680e0beb - 8b 48 04 - mov ecx,[eax+04]
    680e0bee - 8d 7e 1c - lea edi,[esi+1c]
    680e0bf1 - 89 4d fc - mov [ebp-04],ecx
    680e0bf4 - 57 - push edi
    680e0bf5 - 8b 0f - mov ecx,[edi]
    680e0bf7 - 89 08 - mov [eax],ecx
    680e0bf9 - 8b 4f 04 - mov ecx,[edi+04]
    680e0bfc - e9 ff f3 9e a4 - jmp 0cad0000
    680e0c01 - 90 - nop
    680e0c02 - 56 - push esi
    680e0c03 - e8 be 70 fc ff - call 680a7cc6
    680e0c08 - 83 be e4 00 00 00 00 - cmp dword ptr [esi+000000e4],00
    680e0c0f - 74 0e - je 680e0c1f
    680e0c11 - 8d 45 f8 - lea eax,[ebp-08]
    680e0c14 - 50 - push eax
    680e0c15 - 57 - push edi
    680e0c16 - ff 75 0c - push [ebp+0c]
As you can see, 680e0bfc now JMPs to the allocated memory (0cad0000).
Here is the allocated memory that was made:
Code:
    0cacfff9 - 35 cd 01 00 00 - xor eax,000001cd
    0cacfffe - 00 00 - add [eax],al
    0cad0000 - b9 00 50 00 00 - mov ecx,00005000
    0cad0005 - 89 48 04 - mov [eax+04],ecx
    0cad0008 - ff 75 08 - push [ebp+08]
    0cad000b - e9 f2 0b 61 5b - jmp 680e0c02
    0cad0010 - 00 00 - add [eax],al
    0cad0012 - 00 00 - add [eax],al
    0cad0014 - 00 00 - add [eax],al
    0cad0016 - 00 00 - add [eax],al
    0cad0018 - 00 00 - add [eax],al
    0cad001a - 00 00 - add [eax],al
    0cad001c - 00 00 - add [eax],al
    0cad001e - 00 00 - add [eax],al
    0cad0020 - 00 00 - add [eax],al
    0cad0022 - 00 00 - add [eax],al
    0cad0024 - 00 00 - add [eax],al
After I disabled speedhack, IE still closed with an error.
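Added example, not code from this thread or from Cheat Engine: it decodes the two E9 rel32 jumps shown in the listings above (the patched site at 680e0bfc and the cave's return at 0cad000b), checks the encoded displacements against the intended targets, works out why a 5-byte jmp over a 3-byte mov and a 3-byte push needs one nop, and flags a jmp whose target lies outside the module, which is how such a patch looks to an integrity scanner. The module address range is an assumption; the thread does not state it.

```python
import struct

# Constructed from the listing in the post above: the patched hook site and
# the return jump at the end of the allocated cave, as (address, bytes).
HOOK_SITE = 0x680E0BFC
HOOK_BYTES = bytes.fromhex("e9fff39ea4")         # jmp 0cad0000
CAVE_RET_SITE = 0x0CAD000B
CAVE_RET_BYTES = bytes.fromhex("e9f20b615b")     # jmp 680e0c02

# Assumed address range of the hooked module; the thread does not state it.
MODULE_LO, MODULE_HI = 0x680A0000, 0x68200000


def decode_jmp_rel32(addr, code):
    """Absolute target of an E9 rel32 jmp whose first byte sits at addr."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not a 5-byte E9 jmp")
    (disp,) = struct.unpack("<i", code[1:5])    # signed, little-endian
    return (addr + 5 + disp) & 0xFFFFFFFF       # rel32 is from the next instruction


def encode_jmp_rel32(addr, target):
    """Inverse of decode: the bytes for `jmp target` assembled at addr."""
    disp = (target - (addr + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", disp)


def stolen_bytes(instr_lens, patch_len=5):
    """How many whole instructions a patch_len-byte jmp overwrites.

    Returns (bytes stolen, nops needed) so the patched site still ends on an
    instruction boundary; the 3-byte mov + 3-byte push here give (6, 1).
    """
    stolen = 0
    for n in instr_lens:
        stolen += n
        if stolen >= patch_len:
            break
    if stolen < patch_len:
        raise ValueError("not enough instruction bytes to hold the jmp")
    return stolen, stolen - patch_len


def jmp_leaves_module(addr, code, lo=MODULE_LO, hi=MODULE_HI):
    """True when an E9 jmp lands outside [lo, hi): the signature of an inline patch."""
    return not (lo <= decode_jmp_rel32(addr, code) < hi)
```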

Dark Byte, Site Admin (Reputation: 471, Joined: 09 May 2003, Posts: 25833, Location: The Netherlands)
Posted: Thu Aug 24, 2006 3:23 am
Perhaps that code is also used by other stuff and editing ecx will cause it to crash when used by other code that uses it.
You're saying it's IE, so it's more than likely an interpreter instruction instead of an instruction of the game you're trying to hack.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping