Cheat Engine forum (The Official Site of Cheat Engine)

adaptusaaf (Advanced Cheater)
Posted: Fri Dec 16, 2011 4:11 pm    Post subject: Reading memory and writing memory?

I'm trying to make an aimbot for a game (not with DirectX or DirectDraw or whatever).
I need an automated and real-time way to have Cheat Engine read the value from one address in the game and, based on my own parameters, write a different value to another address in the game.
For example:
if the value at address "A" is 0, write the value "0" to address "B"
if the value at address "A" is 1, write the value "342" to address "B"
if the value at address "A" is 2, write the value "5" to address "B"
if the value at address "A" is 3, write the value "9000" to address "B"
if the value at address "A" is 4, write the value "0" to address "B"
I need it to do it very quickly though, because the aiming is very fast paced.
How do I do this? I would prefer not to use another program, but maybe I will have to?

Dark Byte (Site Admin)
Posted: Fri Dec 16, 2011 8:16 pm

Use code injection at a part of the game that is executed a lot (e.g. once a frame).
I recommend writing the code in a DLL for the high-level calculations and letting the hooking be done by CE.

adaptusaaf (Advanced Cheater)
Posted: Tue Dec 27, 2011 3:24 pm

Can you give me an example of code that would do this? I'm a noob and don't have the slightest idea how to write the code, write a DLL, or hook using CE.
I do understand the concept of what you said to do, but that's it.

xeratal (Advanced Cheater)
Posted: Tue Dec 27, 2011 3:59 pm

I have done something like that in the past for a different kind of hack. It's also kind of ugly, but it works for me. I too would love to know how to write DLLs which can alter process memory though...
This is an example for you based on my (ugly) code. All you need to do is make a script (CE -> Memory View -> Tools -> Auto Assemble) (I can't remember if there's one more step...) and dump this code in, filling in your own values.
Suppose that:
00401000 is the address of the code which is executed a lot (you will have to find this yourself)
00A00000 is the address of A
00B00000 is the address of B
Quote:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,4096) //4 KB is more than enough
label(returnhere)
label(exit)
label(label1)
label(label2)
label(label3)
label(label4)

00401000:
jmp newmem
returnhere:

newmem:
mov ax,[esi+1EE] //this is MY GAME's original code @00401000; put your game's original 00401000 code here
cmp dword ptr [00A00000],0 //numbers are hex in CE; dword ptr makes the operand size explicit
jne label1 //if [A]!=0, go to label1
mov dword ptr [00B00000],0 //if [A]=0, put 0 in [B]
jmp exit //[B] has been written; do not change the value anymore in this run
label1:
cmp dword ptr [00A00000],1
jne label2 //if [A]!=1 (or 0), go to label2
mov dword ptr [00B00000],156 //if [A]=1, put 342 in [B] (342 in decimal is 156 in hex)
jmp exit //[B] has been written; do not change the value anymore in this run
label2:
cmp dword ptr [00A00000],2
jne label3 //if [A]!=2 (or 1 or 0), go to label3
mov dword ptr [00B00000],5 //if [A]=2, put 5 in [B]
jmp exit //[B] has been written; do not change the value anymore in this run
label3:
cmp dword ptr [00A00000],3
jne label4 //if [A]!=3 (or 2 or 1 or 0), go to label4
mov dword ptr [00B00000],2328 //if [A]=3, put 9000 in [B] (9000 in decimal is 2328 in hex)
jmp exit //[B] has been written; do not change the value anymore in this run
label4:
cmp dword ptr [00A00000],4
jne exit //if [A] is none of your wanted values, exit
mov dword ptr [00B00000],0 //if [A]=4, put 0 in [B]
jmp exit //[B] has been written; do not change the value anymore in this run
exit:
jmp returnhere

[DISABLE]
//code from here till the end of the script will be used to disable the cheat
dealloc(newmem)
00401000:
mov ax,[esi+1EE] //my game's original code @00401000
Feel free to show me where all my code is crappy; it works fine for my own hack though...
P.S. Note that in my own code, I pushed eax at the start and popped it at the end (so that the original value is restored). Then I stored the address of my [A] in eax and accessed it from there. If this works for you, you may want to push/pop eax and ebx for [A] and [B] and access them from there... it will probably speed up your (presumably tiny) code, which probably won't do much, but I thought it was a nice trick to learn.

adaptusaaf (Advanced Cheater)
Posted: Tue Dec 27, 2011 5:03 pm

Thank you for that code; it seems perfect for what I'm trying to do (although, instead of 4 'if-thens' I have 45, so it could be pretty slow).
I tested it, however, by finding an area of the game which is run once per frame, so very real-time, but unfortunately it makes it crash instantly. I changed all the values to my own game and triple-checked everything; for some reason it just doesn't like the frequently accessed code being rewritten to the newmem. I guess that tiny pause it takes to change the address location crashes the game because it's run so frequently.

xeratal (Advanced Cheater)
Posted: Tue Dec 27, 2011 5:14 pm

I tried to do something similar but in a "protected area" (pardon my lack of technical terms; I myself am a noob, but I'm doing self-learning at what I think is a very fast pace...) of the code and it crashed (actually it got detected and closed itself).
I think what you will want to do to check whether your theory is right is to do it step by step:
e.g. your game code @ 00400000 is like this:
00400000 call x
00400005 mov [00400000], 0
Step 1: allocate some memory
Step 2: in the allocated memory, put call x, jmp 00400005
Step 3: modify 00400000 to jmp to the allocated memory
In this example, your "hack" will do nothing. But it tests whether the jmp can even be made, and if it can then you know you can go from there. If it can't, then you have to try something else.
Slightly off-topic: like for me, I've been trying something exactly like this on a GameGuard-protected game. Just by doing something like this, the "hack" will get detected (GameGuard probably checks the return address). (I know of other methods to do it, but I'm trying to learn more.)

adaptusaaf (Advanced Cheater)
Posted: Tue Dec 27, 2011 5:37 pm

This particular game has no protection like that at all.
I got past the crashing; the problem was that the jmp to the newmem messed up the address right after it, somehow.
To fix it, I made it like this:
Code:
[ENABLE]
alloc(newmem,4096) //4 KB is more than enough
label(returnhere)
label(exit)
label(label1)
label(label2)
label(label3)
label(label4)

101A1FF5:
jmp newmem //5 bytes, 101A1FF5-101A1FF9; a nop written at 101A1FF7-101A1FF9 would overwrite the jmp's displacement
101A1FFA:
nop //the original cmp (2 bytes) + mov (6 bytes) take 8 bytes, so 3 bytes after the jmp are padded
nop
nop
returnhere: //101A1FFD, the first untouched instruction

newmem:
cmp edx,eax //this is MY GAME's original code @101A1FF5; put your game's original code here
mov [ecx+000000AC],edx
cmp dword ptr [0698ADFC],0
jne exit //only the [A]=0 case is active in this test; the branches below are never reached
mov dword ptr [2F34C0AC],80 //if [A]=0, put 80 in [B]
jmp exit //[B] has been written; do not change the value anymore in this run
label1: //unreachable while the jne above goes to exit; still uses the placeholder addresses from the example
cmp dword ptr [00A00000],1
jne label2 //if [A]!=1 (or 0), go to label2
mov dword ptr [00B00000],160 //if [A]=1, put 160 in [B]
jmp exit
label2:
cmp dword ptr [00A00000],2
jne label3 //if [A]!=2 (or 1 or 0), go to label3
mov dword ptr [00B00000],240 //if [A]=2, put 240 in [B]
jmp exit
label3:
cmp dword ptr [00A00000],3
jne label4 //if [A]!=3 (or 2 or 1 or 0), go to label4
mov dword ptr [00B00000],320 //if [A]=3, put 320 in [B]
jmp exit
label4:
cmp dword ptr [00A00000],4
jne exit //if [A] is none of your wanted values, exit
mov dword ptr [00B00000],400 //if [A]=4, put 400 in [B]
jmp exit
exit:
jmp returnhere

[DISABLE]
dealloc(newmem)
101A1FF5:
cmp edx,eax
101A1FF7:
mov [ecx+000000AC],edx
However, now the problem is that when it jumps to the newmem, there is nothing but ?? marks everywhere and no code.
Any idea why?
-EDIT
OK, I figured out what is happening.
The jmp is getting messed up when trying to jmp to newmem.
For some reason, it gets written as a 'near jump' to some ABB00E-type/style address instead of the correct address of the newmem. I have no idea why it does this from the auto assembler, but I have to manually type in the correct jmp address in the disassembler and then it works perfectly.

xeratal (Advanced Cheater)
Posted: Tue Dec 27, 2011 5:49 pm

Edit: Nice.
P.S. Your original crash was my fault; I should have warned you to fill whatever extra bytes you had with NOPs.
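
The step-by-step trampoline xeratal describes earlier (allocate memory, copy the original instructions plus a jmp back, patch the site with a jmp) and the NOP-padding point in this last reply, as an added example that is not code from the thread or from Cheat Engine: a Python model of the patch on a plain byte array standing in for process memory. The addresses (a module spanning 0x1000-0x2000, newmem at 0x5000) and the surrounding instruction bytes are constructed; the 7-byte encoding of mov ax,[esi+1EE] is the one a 32-bit x86 assembler produces. With nop_pad=False the model reproduces the first script's layout (return right after the 5-byte jmp, tail of the displaced instruction left in place) and stray_bytes shows the garbage that gets executed; with nop_pad=True it shows the padded layout. find_detours is the checker's side of the same mechanics: an integrity scan that flags any E9 jmp inside the module whose target lies outside it, one of the simplest checks a protected process can run against this kind of patch.

```python
# Added example, not code from the thread or from Cheat Engine: a byte-level
# model of the "jmp newmem" detour the scripts above install. Addresses and
# instruction bytes are constructed samples.
import struct

JMP_REL32 = 0xE9   # opcode of the 5-byte relative jmp CE emits for "jmp newmem"
NOP = 0x90


def encode_jmp(src, dst):
    """Encode a 5-byte E9 jmp located at src that lands on dst.
    The displacement is relative to the end of the jmp (src + 5)."""
    rel = dst - (src + 5)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target is out of rel32 range")
    return bytes([JMP_REL32]) + struct.pack("<i", rel)


def decode_jmp(mem, addr):
    """Absolute target of the E9 jmp at addr, or None if no E9 opcode is there."""
    if mem[addr] != JMP_REL32:
        return None
    (rel,) = struct.unpack_from("<i", mem, addr + 1)
    return (addr + 5 + rel) & 0xFFFFFFFF


def install_detour(mem, hook_addr, orig_len, newmem_addr, nop_pad=True):
    """Steps 1-3 from the thread: copy the orig_len displaced bytes into
    newmem (the hook's own code would sit between them and the jmp back),
    append a jmp back, then overwrite the hook site with jmp newmem.
    nop_pad=True fills the leftover bytes of the displaced instruction with
    NOPs and resumes after them; nop_pad=False reproduces the thread's first
    script, which resumed right after the 5-byte jmp and left the tail of the
    displaced instruction in place. Returns the resume address."""
    patch = encode_jmp(hook_addr, newmem_addr)
    if orig_len < len(patch):
        raise ValueError("need at least 5 bytes of whole instructions at the hook site")
    original = bytes(mem[hook_addr:hook_addr + orig_len])
    resume = (hook_addr + orig_len) if nop_pad else (hook_addr + 5)
    cave = original + encode_jmp(newmem_addr + len(original), resume)
    mem[newmem_addr:newmem_addr + len(cave)] = cave
    if nop_pad:
        patch += bytes([NOP]) * (orig_len - len(patch))
    mem[hook_addr:hook_addr + len(patch)] = patch
    return resume


def stray_bytes(mem, hook_addr, orig_len):
    """Bytes after the 5-byte jmp, up to the next intact instruction, that are
    not NOPs. Resuming at hook_addr + 5 executes them as garbage."""
    tail = mem[hook_addr + 5:hook_addr + orig_len]
    return bytes(b for b in tail if b != NOP)


def find_detours(mem, module_start, module_end):
    """Integrity-check side of the same mechanics: report every E9 jmp inside
    the module whose target lies outside it. A plain byte scan without
    disassembly, so it may also report E9 bytes that are really operands."""
    hits = []
    for addr in range(module_start, module_end - 4):
        target = decode_jmp(mem, addr)
        if target is not None and not module_start <= target < module_end:
            hits.append((addr, target))
    return hits


def demo(nop_pad=True):
    """Constructed sample: 'mov ax,[esi+1EE]' (7 bytes, 66 8B 86 EE 01 00 00)
    at 0x1000 in a module spanning 0x1000-0x2000, followed by push ebp /
    mov ebp,esp, with newmem allocated at 0x5000."""
    mem = bytearray(0x10000)
    mem[0x1000:0x1007] = bytes.fromhex("668b86ee010000")
    mem[0x1007:0x100A] = bytes.fromhex("558bec")
    resume = install_detour(mem, 0x1000, 7, 0x5000, nop_pad)
    return mem, resume


if __name__ == "__main__":
    for nop_pad in (True, False):
        mem, resume = demo(nop_pad)
        print(f"nop_pad={nop_pad}: site={mem[0x1000:0x100A].hex(' ')} "
              f"resume={resume:#x} stray={stray_bytes(mem, 0x1000, 7).hex()!r} "
              f"detours={[(hex(a), hex(t)) for a, t in find_detours(mem, 0x1000, 0x2000)]}")
```

Running it prints the patched site both ways: with padding the bytes after the jmp are 90 90 and resume is 0x1007, the first whole instruction after the displaced mov; without padding the two leftover bytes 00 00 of the mov remain and resume is 0x1005, so they are decoded as a fresh instruction (add [eax],al), which is the sort of thing that produced the crash in the thread. In both cases the integrity scan reports the single out-of-module jmp at 0x1000.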