 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
tboss
How do I cheat?
![]() Reputation: 0
Joined: 21 May 2009
Posts: 8
|
 Posted: Thu Jun 23, 2011 8:44 am Post subject: Insert the auto-assemble cheat into the binary |
 |
|
I used Cheat engine to create my auto assembly cheat, witch works perfectly. (It's in quake 3, when I send kick without any parameter, it executes my code.) But now that it's finished, I have 2 problems.
Here is my code :
| Code: |
fullaccess(adll.dll+12345,4)
fullaccess(adll.dll+1234,4)
00447D6E:
jmp 004E3C22
004E3C22:
mov [adll.dll+12345],AAAAAAAA
mov [adll.dll+1234],AAAAAAAA
jmp 00447d78
|
So as you can see I use fullaccess and dynamic addresses.
So when I get the generated code and inject it into my binary, adll.dll+12345 changes anytime and it's not the right address, and even when I change the address to make it correct before calling my command, it does crash because the address is not writeable.
So here is what I need :
-How to make a dynamic address (adll.dll+12345) writeable-readable-executable all in assembly ?
-How to get the real address of adll.dll+12345 for doing a mov, GetModuleHandleA and GetProcAddress are loaded.
|
|
| Back to top |
|
 |
tboss
How do I cheat?
![]() Reputation: 0
Joined: 21 May 2009
Posts: 8
|
| Posted: Fri Jun 24, 2011 4:01 am Post subject: |
|
|
| I finally found the pointer I needed. But how to do for the fullaccess ??
|
|
| Back to top |
|
|
Dark Byte
Site Admin
 Reputation: 471
Joined: 09 May 2003
Posts: 25836
Location: The netherlands
|
| Posted: Fri Jun 24, 2011 8:03 am Post subject: |
|
|
virtualprotectex
also, do you mean patching the dll itself, or just using your own code to edit the memory ? Because if you patch you don't need to change the protection( or are you patching from inside the .exe that you have edited)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
tboss
How do I cheat?
![]() Reputation: 0
Joined: 21 May 2009
Posts: 8
|
| Posted: Sun Jun 26, 2011 9:32 am Post subject: |
|
|
First, thank you for your answer, and thank you for Cheat Engine witch is a realy useful program.
I've already found the function virtualprotect. Am trying to patch the dll from the exe when I type something in console, and I can't edit the dll.
But when I call VirtualProtect it fails. Probably because I can't use ebx for "out" variable, or maybe do I need to open a hook and use virtualprotectex...
Actually, here is how I call VirtualProtect :
| Code: |
push 004E3DF0 // Here, the address to put the old protection (not sure I can write on it but when I tried to put ebx here it did not work)
push 40 // Read-Write-Execute
push 4 // Number of bytes to edit
mov ecx,[00B05068] // Address of the dll
add ecx, 192C2 // Adding something to the dll to get the good address
push ecx // I push it
call eax // Call VirtualProtect (debugging tells me that the function IS called)
test eax, 0
je 004E3CB2 // And here it jumps, witch means that the function failed.
|
Has someone an idea of where could the error come from ?
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 471
Joined: 09 May 2003
Posts: 25836
Location: The netherlands
|
| Posted: Sun Jun 26, 2011 9:52 am Post subject: |
|
|
004E3DF0 is most likely not writable
allocate memory for it or give it an address on the stack
e.g:
| Code: |
push ebp
mov ebp,esp
sub esp,8 //make room for local stack variables
lea ecx,[ebp-4]
push ecx
push 40 // Read-Write-Execute
push 4 // Number of bytes to edit
mov ecx,[00B05068] // Address of the dll
add ecx, 192C2 // Adding something to the dll to get the good address
push ecx // I push it
call eax // Call VirtualProtect (debugging tells me that the function IS called)
pop ebp
test eax, 0
je 004E3CB2 // And here it jumps, witch means that the function failed.
|
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
tboss
How do I cheat?
![]() Reputation: 0
Joined: 21 May 2009
Posts: 8
|
| Posted: Sun Jun 26, 2011 10:19 am Post subject: |
|
|
It still jumps with your code... 
Is the call correct ?? I mean the args ?
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 471
Joined: 09 May 2003
Posts: 25836
Location: The netherlands
|
| Posted: Sun Jun 26, 2011 10:36 am Post subject: |
|
|
is the dll loaded at the time of execution ?
If not, load the dll manually using loadlibrary and use the address you get from that
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
tboss
How do I cheat?
![]() Reputation: 0
Joined: 21 May 2009
Posts: 8
|
| Posted: Sun Jun 26, 2011 2:04 pm Post subject: |
|
|
When I call kick, witch executes my code, the dll is loaded. But I cant debug when the dll is loaded, the breakpoints doesn't do anything... Maybe a patch in the dll...
Maybe should I use VirtualProtectex ?
Or maybe could I create a dll witch does it and then use loadlibrary ? (but I don't know how to do dlls )
|
|
| Back to top |
|
|
tboss
How do I cheat?
![]() Reputation: 0
Joined: 21 May 2009
Posts: 8
|
| Posted: Mon Jul 04, 2011 4:26 am Post subject: |
|
|
| up.
|
|
| Back to top |
|
|
GrandPa
Advanced Cheater
![]() Reputation: 3
Joined: 09 Jul 2010
Posts: 87
Location: Italy
|
| Posted: Sat Dec 10, 2011 8:20 pm Post subject: |
|
|
I had a similar problem to the one placed by tboss, so I'm posting my thread here instead to open a new one. I'm asking for suggestion on it in order to avoid future troubles using this method again.
Like in the example from tboss, my script worked well using CE, but I would like to hard-coding it into the executable. The exec is heavily protected, but a possible workaround to the problem, I thought, was modifying a dll it used. I tried to modify the exec, changing part of its code at run-time, in order to calling the cheat from the dll file as follows:
| Code: |
; I'm not using real exec and dll names just to keep things more quiet
"dll.dll" + patch_offset:
push eax
lea eax,["exe.exe"+offset]
mov [eax],3524c8e8 ;\ to change the original opcode to:
mov [eax+4],909090bf ;/ call "dll.dll"+cheat_offset, nop, nop, nop
pop eax
.... |
At run-time I got a system error telling that an access error occurred.
I think the solution is using VirtualProtect to change that specific code area to writable, making my changes, and then returning the area to the previous state.
Because it was my first time to do it, I red MSDN docs and Dark Byte's suggestions above.
The function in asm, after trial and error, was the following:
| Code: |
"dll.dll" + patch_offset:
push eax
.
. ; other patches needed in dll.dll
.
call MyRoutine
pop eax
MyRoutine:
push ecx ;\ get destroyed because of
push edx ;/ return values
push ebp
mov ebp,esp
sub esp,8
mov ecx,40 ; redundant mov, stays for Read-Write-Execute
lea edx,[ebp-4] ; since being destroyed, for old page status
push edx
push ecx ; pushed Read-Write-Execute
push 4 ; Number of bytes to edit
lea eax,["exe.exe"+offset] ; start address to patch
push eax ; pushed it
call VirtualProtect ; IMPORTED NOWHERE, but available anyway along other functions
pop ebp ; I don't know why it returned back
pop ecx ; old Memory protection (it was 20 == Read-Execute)
lea eax,["exe.exe"+offset] ; because returned 1 == success
mov [eax],3524c8e8 ;\ to change the original opcode to:
mov [eax+4],909090bf ;/ call "dll.dll"+cheat_offset , nop, nop, nop
lea edx,[ebp-4] ; again to store "old" page status
push edx
push ecx ; pushed Read-Execute, returned from previous call
push 4 ; Number of bytes to edit
push eax ; pushed start address to patch
call VirtualProtect
pop ebp ;\
pop edx ; ! restore starting registry
pop ecx ;/
retn
|
I tested my modified dll.dll under the executable and the game ran fine - well, just a bit slower, to tell the truth - but my cheat worked well
_________________
CHEATING is a must,
nowadays, if you like
P L A Y I N G |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
