Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Pointers as conditional execution?

AbrasiveZealot
Newbie cheater
Posted: Sat Dec 14, 2013 10:32 pm    Post subject: Pointers as conditional execution?

Been working on this code for a few hours (I'm new to asm). I've gotten it working, but I'm just wondering if anyone knows other ways to accomplish this. All this does is stop the sun from setting in Race the Sun, but the code chunk that does it is also used for other things. I wasn't able to find anything close by to reliably compare to, so since I already had a pointer to the address I used it for the comparison instead.

Code:
[enable]
alloc(sun, 1)

RaceTheSun.Transform::SetLocalRotationSafe+1E:
//jump to our allocated memory
jmp sun
nop

sun:
//free register
push ebx
push ebp

//set up known pointer
mov ebx,[RaceTheSun.exe+00959164]
add ebx,4c4
mov ebp,[ebx]
add ebp,13C

//our code (if target is our known pointer, skip past execution)
cmp esi,ebp
je sun+1D
mov [esi+20],ecx
mov edx,[eax+08]

//restore register
pop ebp
pop ebx

//jump back to main code
jmp RaceTheSun.Transform::SetLocalRotationSafe+24
[disable]
dealloc(sun)

RaceTheSun.Transform::SetLocalRotationSafe+1E:
mov [esi+20],ecx
mov edx,[eax+08]


Because this relies on a pointer to where the sun data is stored, this probably won't work on other game versions. Is there a simple way to get around this without needing the pointer?

Also, this is for an old version (1.02) so it doesn't connect to the servers. Just using it for learning purposes, don't want to ruin the game for anyone.
Gniarf
Grandmaster Cheater Supreme
Posted: Sun Dec 15, 2013 3:36 pm    Post subject: Re: Pointers as conditional execution?

Jamesc00ls0x wrote:
All this does is stop the sun from setting in race the sun, but the code chunk that does it is also used for other things. I wasn't able to find anything close by to reliably compare to, so since I already had a pointer to the address I used it for the comparison instead.
Using a pointer for comparison is a method I like because it is more reliable than element comparison as described in tutorial step 9. Anyway, if you want to do it another way, well, I assume there is a timer-sorta before the sun rises that you could set to 0 to nail the sun, and this variable seems to be stored at SunStructure+15C.
-So just find out what accesses something (don't care what) that's between SunStructure and SunStructure+15C.
-Amongst the results, pick one that only accesses the SunStructure stuff and nothing else (right click in the find out what... window->check if found opcodes..., the number between () is the number of addresses accessed since you activated the option, so take a line with a "(1)").
-Hijack this bit of code so that it does what it normally does AND also overwrites SunStructure+15C with 0 or whatever midnight corresponds to.


Jamesc00ls0x wrote:
Because this relies on a pointer to where the sun data is stored this probably won't work on other game versions.
Since you're using symbols (things like "RaceTheSun.exe" and "RaceTheSun.Transform::SetLocalRotationSafe") it is already very likely that the hack won't work on other versions. Use aobscans to avoid that. I'll let you google yourself a tutorial on that matter.

Also I couldn't resist making some changes to your code:

Code:
[enable]
//alloc(sun, 1) //your code takes more than 1 byte. I know alloc gives you a 4096 byte chunk, but technically you're using a buffer overflow.
alloc(sun, 100) //I *think* your code uses less than 100 bytes but didn't check.

//declares labels (named address) but does not place them
label(sun_DontWrite)
label(sun_Return)

RaceTheSun.Transform::SetLocalRotationSafe+1E:
//jump to our allocated memory
jmp sun
nop
sun_Return: //this places/gives a value to the sun_Return label

sun:
//free register //<-nope, it just makes a backup of them.
push ebx
push ebp

//set up known pointer
mov ebx,[RaceTheSun.exe+00959164]
//add ebx,4c4
//mov ebp,[ebx]
mov ebp, dword [ebx+4c4] //you can do the 2 lines above in one go
add ebp,13C

//our code (if target is our known pointer, skip past execution)
cmp esi,ebp
//je sun+1D  //<-don't do that. It's horrible for readability, and it'll be a hairpull each time you update your code.
je sun_DontWrite
mov [esi+20],ecx  //original code

sun_DontWrite:  //this places/gives a value to the sun_DontWrite label
mov edx,[eax+08] //original code //<-it can be useful to specify what you added, and what was already there... Mostly for people like me reading your code though.

//restore register
pop ebp
pop ebx

//jump back to main code
//jmp RaceTheSun.Transform::SetLocalRotationSafe+24 //good too
jmp sun_Return  //but that way the jump destination is more obvious (and doesn't need updating after a game patch).


[disable]
dealloc(sun)

RaceTheSun.Transform::SetLocalRotationSafe+1E:
mov [esi+20],ecx
mov edx,[eax+08]
Note that you can do all your pointer walking over only ebx (or ebp); you don't need to use them both. I didn't fix it in your code because if I mix explanations about the basics and code optimization it'll get messy.
_________________
DO NOT PM me if you want help on making/fixing/using a hack.
AbrasiveZealot
Newbie cheater
Posted: Mon Dec 16, 2013 1:49 pm

Thanks for the help; in my haste to see my code run I made some beginner errors. I still haven't found a reliable way of getting around having to use the pointer, but I'm sure I'll figure it out eventually. Made some modifications and switched to using aobscan instead of hardcoded offsets; the only thing left is getting rid of the pointer and it should be able to withstand updates.

Race The Sun v1.1, Sun Won't Set (Over Time) MkII
Code:

[enable]
//Setup
alloc(SunTime, 1024)
aobscan(SunEntry, 89 4E 20 8B 50 08 89 56 24 8B 40 0C 83 C4 08 6A 02 8B)
label(SunReturn)
label(SunSkipExec)

SunEntry:
jmp SunTime                         //Jump to our memory
nop                                 //Preserve codeflow
SunReturn:                          //Set return point

SunTime:
push ebx                            //Backup register
push ebp                            //Backup register
mov ebx,[RaceTheSun.exe+00959164]   //Set up pointer
mov ebp,dword [ebx+4C4]             //Set up pointer
add ebp,13C                         //Set up pointer
cmp esi,ebp                         //Compare addresses
je SunSkipExec                      //If accessing sun position skip past writing
mov [esi+20],ecx                    //Write memory (original code), should be skipped

SunSkipExec:
mov edx,[eax+08]                    //Original code that was overwritten for our jump
pop ebp                             //Restore backup of register
pop ebx                             //Restore backup of register
jmp SunReturn                       //Jump out of allocated memory

[disable]
aobscan(SunEntry, E9 ?? ?? ?? ?? 90 89 56 24 8B 40 0C 83 C4 08 6A 02 8B)

SunEntry:
mov [esi+20],ecx                    //Restore original code
mov edx,[eax+08]                    //Restore original code

dealloc(SunTime)                    //Dealloc last (to prevent being in our code when dealloc'd)


Once again, thanks for the help!
Gniarf
Grandmaster Cheater Supreme
Posted: Mon Dec 16, 2013 2:42 pm

Jamesc00ls0x wrote:
I still haven't found a reliable way of getting around having to use the pointer, but I'm sure I'll figure it out eventually.
The method I mentioned in my previous post didn't yield any result?


Now 2 more possible improvements to your script:
1-You've probably noticed that turning your script off takes a while, because you've used a second aobscan in the disable part. Usually aobscans are used that way:
Code:
[enable]
aobscan(SomeLabel, 11 22 33 44....)
registersymbol(SomeLabel) //allows using SomeLabel outside the enable part. You can even use it in the "add address manually" box.

SomeLabel:
//your hack
...
[disable]
unregistersymbol(SomeLabel) //doesn't matter where you write this line; like for the dealloc(), those commands are actually executed last.

SomeLabel:
//restore original code

2-Cheat engine 6.3 introduced the aobscanmodule command which does an aobscan on a specific module (exe or dll). This has the advantage of being much much faster and may help with non-unique (=shitty) signatures. It's used that way: aobscanmodule(SunEntry,RaceTheSun.exe, 89 4E 20 8B 50 08 89 56 24 8B 40 0C 83 C4 08 6A 02 8B) . It's not yet well documented so here's a tip: don't put quotes around RaceTheSun.exe in this command.
The drawbacks are:
-that this won't work with code generated on the fly (flash and .net games).
-that you can't use this command in hacks that are applied on a file (instead of a running program).

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
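To show the pointer-compare hook from the first post combined with the two improvements above (aobscanmodule plus registersymbol in the enable section, unregistersymbol and dealloc last in the disable section) and the single-register pointer walk mentioned earlier, here is an added example script; it is not from any poster in this thread. The signature bytes, the pointer base RaceTheSun.exe+00959164 and the 4C4/13C offsets are the ones quoted above and are still specific to that game version.

```asm
[enable]
alloc(SunTime, 1024)
// scan only inside the game module: faster, and less likely to hit a duplicate
aobscanmodule(SunEntry, RaceTheSun.exe, 89 4E 20 8B 50 08 89 56 24 8B 40 0C 83 C4 08 6A 02 8B)
// makes SunEntry usable in the disable section (and in the address list)
registersymbol(SunEntry)
label(SunReturn)
label(SunSkipExec)

SunEntry:
jmp SunTime                         // 5 bytes
nop                                 // pad to the 6 bytes we overwrite
SunReturn:

SunTime:
push ebx                            // only one scratch register is needed
mov ebx,[RaceTheSun.exe+00959164]   // base pointer (version-specific value from the thread)
mov ebx,[ebx+4C4]                   // second hop of the pointer chain
add ebx,13C                         // address of the sun transform's rotation field
cmp esi,ebx                         // is this call targeting the sun?
je SunSkipExec                      // yes: skip the write so the rotation never changes
mov [esi+20],ecx                    // original code, runs for every other object

SunSkipExec:
mov edx,[eax+08]                    // original code
pop ebx
jmp SunReturn

[disable]
SunEntry:                           // no second scan: the symbol registered above is reused
mov [esi+20],ecx
mov edx,[eax+08]

unregistersymbol(SunEntry)
dealloc(SunTime)                    // executed last, after the original bytes are back
```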
AbrasiveZealot
Newbie cheater
Posted: Mon Dec 16, 2013 6:06 pm

Didn't know about registersymbol, that's a nice feature. Also, I'm really surprised how much faster the aobscanmodule is; it feels virtually instant, definitely a good addition. Now to really get into the code and find a good reference I can compare to.