Cheat Engine :: View topic - AA custom type with variable

Cheat Engine
The Official Site of Cheat Engine

FAQ

Memberlist

Usergroups

Profile

AA custom type with variable
Goto page 1, 2 Next

Cheat Engine Forum Index -> Cheat Engine Lua Scripting

View previous topic :: View next topic

Author

Message

dharmang1910
Expert Cheater

Reputation: 0

Joined: 09 May 2010
Posts: 102

Posted: Sun Apr 03, 2022 10:06 pm Post subject: AA custom type with variable

Hello,
I want to know that if I can make AA custom type script with "registerCustomTypeAutoAssembler()" .
Actually I am making table for a game which uses a encryption key with 'XOR' and that key is changed in every game session. I have made a script to fetch that key. If I assign that key to any variable and do registersymbol, then can I use them in AA custom type? symbol can be [key]-in asm or key-in lua. Here is what I am trying. I am using raw AA custom type script from CE and modifying as per my requirement

Code:

registerCustomTypeAutoAssembler([[
alloc(ConvertRoutine,1024)
alloc(ConvertBackRoutine,1024)
alloc(TypeName,256)
alloc(ByteSize,4)
alloc(UsesFloat,1)
alloc(CallMethod,1)

TypeName:
db 'HWR ENC INT',0

ByteSize:
dd 4

UsesFloat:
db 0 //Change to 1 if this custom type should be treated as a float

CallMethod:
db 1 //Remove or change to 0 for legacy call mechanism

//The convert routine should hold a routine that converts the data to an integer (in eax)
//function declared as: cdecl int ConvertRoutine(unsigned char *input, PTR_UINT address);
//Note: Keep in mind that this routine can be called by multiple threads at the same time.
ConvertRoutine:
//jmp dllname.functionname
[64-bit]
//or manual:
//parameters: (64-bit)
//rcx=address of input
//rdx=address
mov eax,[rcx] //eax now contains the bytes 'input' pointed to

//---------------

xor eax, key // key is variable that contains encryption key

//---------------
ret
[/64-bit]

[32-bit]
//jmp dllname.functionname
//or manual:
//parameters: (32-bit)
push ebp
mov ebp,esp
//[ebp+8]=address of input
//[ebp+c]=address
//example:
mov eax,[ebp+8] //place the address that contains the bytes into eax
mov eax,[eax] //place the bytes into eax so it's handled as a normal 4 byte value

pop ebp
ret
[/32-bit]

//The convert back routine should hold a routine that converts the given integer back to a row of bytes (e.g when the user wats to write a new value)
//function declared as: cdecl void ConvertBackRoutine(int i, PTR_UINT address, unsigned char *output);
ConvertBackRoutine:
//jmp dllname.functionname
//or manual:
[64-bit]
//parameters: (64-bit)
//ecx=input
//rdx=address
//r8=address of output
//example:
mov [r8],ecx //place the integer at the 4 bytes pointed to by r8

ret
[/64-bit]

[32-bit]
//parameters: (32-bit)
push ebp
mov ebp,esp
//[ebp+8]=input
//[ebp+c]=address
//[ebp+10]=address of output
//example:
push eax
push ebx
mov eax,[ebp+8] //load the value into eax
mov ebx,[ebp+10] //load the output address into ebx

//---------------

xor eax, key // key is variable that contains encryption key

//---------------

mov [ebx],eax //write the value into the address
pop ebx
pop eax

pop ebp
ret
[/32-bit]
]])

ParkourPenguin
I post too much

Reputation: 140

Joined: 06 Jul 2014
Posts: 4293

Posted: Mon Apr 04, 2022 12:34 am Post subject:

Not directly. The assembly in custom AA types is run in CE's process- pretty much everything else is in the game's process. You can initialize it to 0 and use the Lua function writeIntegerLocal to set it to the correct value. _________________ I don't know where I'm going, but I'll figure it out when I get there.

dharmang1910
Expert Cheater

Reputation: 0

Joined: 09 May 2010
Posts: 102

Posted: Mon Apr 04, 2022 7:22 am Post subject:

ParkourPenguin wrote:

Not directly. The assembly in custom AA types is run in CE's process- pretty much everything else is in the game's process.

You can initialize it to 0 and use the Lua function writeIntegerLocal to set it to the correct value.

Thank you very much ParkourPenguin,
How can I define address part of that custom type??
I don't know how we can write in AA custom type with writeIntegerLocal..
Can you please guide me with example.

ParkourPenguin
I post too much

Reputation: 140

Joined: 06 Jul 2014
Posts: 4293

Posted: Mon Apr 04, 2022 12:18 pm Post subject:

Code:

alloc(ConvertRoutine,1024)
alloc(ConvertBackRoutine,1024)
alloc(TypeName,256)
alloc(xorKey,4)
alloc(ByteSize,4)
alloc(UsesFloat,1)
alloc(CallMethod,1)
registerSymbol(xorKey)

TypeName:
db 'xor custom type',0

xorKey:
dd 0

ByteSize:
dd 4

UsesFloat:
db 0

CallMethod:
db 1

// cdecl int ConvertRoutine(unsigned char *input, PTR_UINT address);
ConvertRoutine:
[64-bit]
//rcx=address of input
//rdx=address
mov eax,[rcx]
xor eax,[xorKey]
ret
[/64-bit]

[32-bit]
push ebp
mov ebp,esp
//[ebp+8]=address of input
//[ebp+c]=address
mov eax,[ebp+8]
mov eax,[eax]
xor eax,[xorKey]

pop ebp
ret
[/32-bit]

// cdecl void ConvertBackRoutine(int i, PTR_UINT address, unsigned char *output);
ConvertBackRoutine:
[64-bit]
//ecx=input
//rdx=address
//r8=address of output
xor ecx,[xorKey]
mov [r8],ecx

ret
[/64-bit]

[32-bit]
push ebp
mov ebp,esp
//[ebp+8]=input
//[ebp+c]=address
//[ebp+10]=address of output
push eax
push ebx
mov eax,[ebp+8]
mov ebx,[ebp+10]
xor eax,[xorKey]
mov [ebx],eax
pop ebx
pop eax

pop ebp
ret
[/32-bit]

Then execute this Lua code eventually:

Code:

writeIntegerLocal('xorKey',...)

Maybe create a timer and read a pointer path until it returns something.

Code:

local t = createTimer()
t.Interval = 1000
t.OnTimer = function(t)
local key = readInteger('[game.exe+123C]+4')
if key then
writeIntegerLocal('xorKey', key)
t.destroy()
end
end

_________________

I don't know where I'm going, but I'll figure it out when I get there.

dharmang1910
Expert Cheater

Reputation: 0

Joined: 09 May 2010
Posts: 102

Posted: Mon Apr 04, 2022 1:15 pm Post subject:

ParkourPenguin wrote:

Then execute this Lua code eventually:

Code:

writeIntegerLocal('xorKey',...)

Maybe create a timer and read a pointer path until it returns something.

Code:

local t = createTimer()
t.Interval = 1000
t.OnTimer = function(t)
local key = readInteger('[game.exe+123C]+4')
if key then
writeIntegerLocal('xorKey', key)
t.destroy()
end
end

Thank you for reply, I have tried this type of script after your first reply. Here is script shared by DB on this page.
https://www.cheatengine.org/forum/viewtopic.php?p=5770306&sid=e740872fd68e82c2bec87ea0787c23c9

but still it shows wrong value. for example if game shows 300 as gold and encryption key is 0xDDCDE7DA then if i do xor on calculator then i got 3721258742 as answer and if I search this as 4 byte in CE then I got perfect address. but even if I change custom value script as "xor eax,DDCDE7DA" , I did not got any result after serching 300 in search bar on first scan. this is weird. I don't know why it shows such because when I have made first custom custom value script many time ago with encryption key like "xor eax,DDCDE7DA" from mgr.inz.player's script on this page https://cheatengine.org/forum/viewtopic.php?t=612088&sid=df755b1eb355bbc5e4596153a4c1ea0f

Last edited by dharmang1910 on Tue Apr 05, 2022 4:25 am; edited 1 time in total

Dark Byte
Site Admin

Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

Posted: Mon Apr 04, 2022 2:06 pm Post subject:

is the xor key stored next to the address, or is it only stored once in the target process somewhere far away? If next to it, increase the bytesize of the type and encompass the xor key in the data If far away, then you'll have to reload the custom type each time it changes. Or use a lua custom type (slow) _________________ Do not ask me about online cheats. I don't know any and wont help finding them. Like my help? Join me on Patreon so i can keep helping

dharmang1910
Expert Cheater

Reputation: 0

Joined: 09 May 2010
Posts: 102

Posted: Mon Apr 04, 2022 10:06 pm Post subject:

Dark Byte wrote:

is the xor key stored next to the address, or is it only stored once in the target process somewhere far away?
If next to it, increase the bytesize of the type and encompass the xor key in the data

If far away, then you'll have to reload the custom type each time it changes. Or use a lua custom type (slow)

Thank you DB for reply,
xor key is in opcode and I fetch it and store it in 4byte allocated memory for later use.
Here is steps I am doing.
♦ First I run script that fetch some registers and also Encryption key.
♦ Then this key is stored at 4 byte allocated memory named 'mem'
♦ Then I have used above AA custom type script in seprate script with help of "registerCustomTypeAutoAssembler()" so it is make a temp CUstom type.
♦ Then I have used also time script of above to write current Encryption key to 'xorKey'. That did not work.
♦ Then even I have tried to change every 'xor eax,[xorKey]' to the 'xor eax,DDCDE7DA' (current key) after restarting the CE so previous custom type is removed. But after doing so It does not shows the proper result.

So what can I do in such condition. If it was worked first time long ago then why it is not working now??

Edit:

I have add above AA custom type script directly to CE and run below script of "ParkourPenguin" and it works perfectly.

Code:

local t = createTimer()
t.Interval = 1000
t.OnTimer = function(t)
local key = readInteger(getAddressSafe("location")+0xc)
if key then
writeIntegerLocal('xorKey', key)
t.destroy()
end
end

So I think it is not working because I am trying to add temp AA custom type with lua command "registerCustomTypeAutoAssembler()". But why this happens?? Is this command requires any more procedure?

Also want to know that If I want to make float custom type with xor then only editing "UsesFloat: " to db 01 works or have to do something else.

In last I want to say big thanks both of you "DB" and "ParkourPenguin" for helping me. I always learn great things from you.

ParkourPenguin
I post too much

Reputation: 140

Joined: 06 Jul 2014
Posts: 4293

Posted: Tue Apr 05, 2022 11:13 am Post subject:

dharmang1910 wrote:

Code:

local key = readInteger(getAddressSafe("location")+0xc)

This might be bad. If getAddressSafe returns nil, then that will generate an error (attempt to perform arithmetic on a nil value). Use the same syntax I did:

Code:

local key = readInteger('[location]+0xc')

CE will try to convert the string passed into read* functions into an address. If that fails, then the function returns nothing- i.e. the local variable `key` will be nil and evaluate to false in the `if` statement.

registerCustomTypeAutoAssembler works fine for me.

Code:

registerCustomTypeAutoAssembler[[
// copy + paste the script here
]]

_________________

I don't know where I'm going, but I'll figure it out when I get there.

dharmang1910
Expert Cheater

Reputation: 0

Joined: 09 May 2010
Posts: 102

Posted: Tue Apr 05, 2022 12:53 pm Post subject:

ParkourPenguin wrote:

dharmang1910 wrote:

Code:

local key = readInteger(getAddressSafe("location")+0xc)

This might be bad. If getAddressSafe returns nil, then that will generate an error (attempt to perform arithmetic on a nil value). Use the same syntax I did:

Code:

local key = readInteger('[location]+0xc')

Code:

registerCustomTypeAutoAssembler[[
// copy + paste the script here
]]

Here I have tried with registerCustomTypeAutoAssembler[[]] but it shows wrong value even after running 'key update timer script' but same script added to CE shows perfect value. I don't know why it happens. I have changed alloc and registersymbol of both custom type script and done same for timer script so they do not conflict with each other. Also I have change custom type name. Look at below image after activating "registerCustomTypeAutoAssembler[[]] " lua script, I have run key update timer script but it shows wrong value as below image.

ParkourPenguin
I post too much

Reputation: 140

Joined: 06 Jul 2014
Posts: 4293

Posted: Tue Apr 05, 2022 2:14 pm Post subject:

Use these functions to print the contents of the scripts and let me know what they are.

Code:

local type1 = getCustomType'xor custom type'
local type2 = getCustomType'Remote xorkey'

assert(type1 and type2, "Create the types first.")

local str = ([[%s:
%s

%s:
%s
]]):format(type1.name, type1.script, type2.name, type2.script)

print(str)
writeToClipboard(str)

_________________

I don't know where I'm going, but I'll figure it out when I get there.

dharmang1910
Expert Cheater

Reputation: 0

Joined: 09 May 2010
Posts: 102

Posted: Tue Apr 05, 2022 9:18 pm Post subject:

ParkourPenguin wrote:

Use these functions to print the contents of the scripts and let me know what they are.

Code:

Thank you for reply,here is output. First one is temp and second is I have added to CE.

Code:

xor custom type:
alloc(ConvertRoutine,1024)
alloc(ConvertBackRoutine,1024)
alloc(TypeName,256)
alloc(xorKeyt,4)
alloc(ByteSize,4)
alloc(UsesFloat,1)
alloc(CallMethod,1)
registerSymbol(xorKeyt)

TypeName:
db 'xor custom type',0

xorKeyt:
dd 0

ByteSize:
dd 4

UsesFloat:
db 0

CallMethod:
db 1

// cdecl int ConvertRoutine(unsigned char *input, PTR_UINT address);
ConvertRoutine:

push ebp
mov ebp,esp
//[ebp+8]=address of input
//[ebp+c]=address
mov eax,[ebp+8]
mov eax,[eax]
xor eax,[xorKeyt]

pop ebp
ret

// cdecl void ConvertBackRoutine(int i, PTR_UINT address, unsigned char *output);
ConvertBackRoutine:

push ebp
mov ebp,esp
//[ebp+8]=input
//[ebp+c]=address
//[ebp+10]=address of output
push eax
push ebx
mov eax,[ebp+8]
mov ebx,[ebp+10]
xor eax,[xorKeyt]
mov [ebx],eax
pop ebx
pop eax

pop ebp
ret

Remote xorkey:
alloc(ConvertRoutine,1024)
alloc(ConvertBackRoutine,1024)
alloc(TypeName,256)
alloc(ByteSize,4)
alloc(UsesFloat,1)
alloc(CallMethod,1)
alloc(xorkey,4)
registersymbol(xorkey)

TypeName:
db 'Remote xorkey',0

ByteSize:
dd 4

UsesFloat:
db 0 //Change to 1 if this custom type should be treated as a float

CallMethod:
db 1 //Remove or change to 0 for legacy call mechanism

//The convert routine should hold a routine that converts the data to an integer (in eax)
//function declared as: cdecl int ConvertRoutine(unsigned char *input, PTR_UINT address);
//Note: Keep in mind that this routine can be called by multiple threads at the same time.
ConvertRoutine:
//jmp dllname.functionname
[64-bit]
//or manual:
//parameters: (64-bit)
//rcx=address of input
//rdx=address
mov eax,[rcx] //eax now contains the bytes 'input' pointed to
xor eax,[xorkey]

ret
[/64-bit]

[32-bit]
//jmp dllname.functionname
//or manual:
//parameters: (32-bit)
push ebp
mov ebp,esp
//[ebp+8]=address of input
//[ebp+c]=address
//example:
mov eax,[ebp+8] //place the address that contains the bytes into eax
mov eax,[eax] //place the bytes into eax so it's handled as a normal 4 byte value
xor eax,[xorkey]

pop ebp
ret
[/32-bit]

//The convert back routine should hold a routine that converts the given integer back to a row of bytes (e.g when the user wats to write a new value)
//function declared as: cdecl void ConvertBackRoutine(int i, PTR_UINT address, unsigned char *output);
ConvertBackRoutine:
//jmp dllname.functionname
//or manual:
[64-bit]
//parameters: (64-bit)
//ecx=input
//rdx=address
//r8=address of output
//example:
xor ecx,[xorkey]
mov [r8],ecx //place the integer at the 4 bytes pointed to by r8

ret
[/64-bit]

[32-bit]
//parameters: (32-bit)
push ebp
mov ebp,esp
//[ebp+8]=input
//[ebp+c]=address
//[ebp+10]=address of output
//example:
push eax
push ebx
mov eax,[ebp+8] //load the value into eax
mov ebx,[ebp+10] //load the output address into ebx
xor eax,[xorkey]
mov [ebx],eax //write the value into the address
pop ebx
pop eax

pop ebp
ret
[/32-bit]

ParkourPenguin
I post too much

Reputation: 140

Joined: 06 Jul 2014
Posts: 4293

Posted: Tue Apr 05, 2022 9:43 pm Post subject:

They're two completely different scripts. The first one has critical parts of the script removed- you're lucky it doesn't crash CE.

When I said this:

ParkourPenguin wrote:

registerCustomTypeAutoAssembler works fine for me.

Code:

registerCustomTypeAutoAssembler[[
// copy + paste the script here
]]

I meant you should literally copy the entire script (the one that works) and paste it right there where that comment is.
_________________

I don't know where I'm going, but I'll figure it out when I get there.

dharmang1910
Expert Cheater

Reputation: 0

Joined: 09 May 2010
Posts: 102

Posted: Wed Apr 06, 2022 12:15 am Post subject:

ParkourPenguin wrote:

They're two completely different scripts. The first one has critical parts of the script removed- you're lucky it doesn't crash CE.

When I said this:

ParkourPenguin wrote:

registerCustomTypeAutoAssembler works fine for me.

Code:

registerCustomTypeAutoAssembler[[
// copy + paste the script here
]]

I meant you should literally copy the entire script (the one that works) and paste it right there where that comment is.

Thank you very much for help me.

I will try to copy+paste script that I have put directly to CE(one that works) and will reply here.

Last edited by dharmang1910 on Wed Apr 06, 2022 3:13 am; edited 3 times in total

ParkourPenguin
I post too much

Reputation: 140

Joined: 06 Jul 2014
Posts: 4293

Posted: Wed Apr 06, 2022 12:25 am Post subject:

dharmang1910 wrote:

First one script is yours

It absolutely is not and I'm offended you would claim that.
Edit: language barrier issue

You're missing huge sections of the script. Here's an example:

ParkourPenguin wrote:

Code:

...
// cdecl int ConvertRoutine(unsigned char *input, PTR_UINT address);
ConvertRoutine:
[64-bit]
//rcx=address of input
//rdx=address
mov eax,[rcx]
xor eax,[xorKey]
ret
[/64-bit]

[32-bit]
push ebp
mov ebp,esp
//[ebp+8]=address of input
//[ebp+c]=address
mov eax,[ebp+8]
mov eax,[eax]
xor eax,[xorKey]

pop ebp
ret
[/32-bit]
...

dharmang1910 wrote:

Code:

...
// cdecl int ConvertRoutine(unsigned char *input, PTR_UINT address);
ConvertRoutine:

push ebp
mov ebp,esp
//[ebp+8]=address of input
//[ebp+c]=address
mov eax,[ebp+8]
mov eax,[eax]
xor eax,[xorKeyt]

pop ebp
ret
...

Do you see the difference between them now?
I don't think there's anything more I can do to try to help you.
_________________

I don't know where I'm going, but I'll figure it out when I get there.

Last edited by ParkourPenguin on Thu Apr 07, 2022 12:06 am; edited 1 time in total

dharmang1910
Expert Cheater

Reputation: 0

Joined: 09 May 2010
Posts: 102

Posted: Wed Apr 06, 2022 2:24 am Post subject:

ParkourPenguin wrote:

You're missing huge sections of the script. Here's an example:

ParkourPenguin wrote:

Code:

dharmang1910 wrote:

Code:

Do you see the difference between them now?
I don't think there's anything more I can do to try to help you.

Oh I am not telling that way but just telling you first was taken from your post. I am sorry if that hurts you. I have no intention of that or blaming you.

Here is I have also tried DB's script but it shows wrong output when I use this with registerCustomTypeAutoAssembler[[]] Your script also works perfect when I add it to CE and not with registerCustomTypeAutoAssembler[[]] . My main moto to tell you this nothing else. I confirm this both script works in CE and not in registerCustomTypeAutoAssembler[[]] .

Code:

registerCustomTypeAutoAssembler[[
alloc(ConvertRoutine,1024)
alloc(ConvertBackRoutine,1024)
alloc(TypeName,256)
alloc(ByteSize,4)
alloc(UsesFloat,1)
alloc(CallMethod,1)
alloc(xorkeyt,4)
registersymbol(xorkeyt)

TypeName:
db 'Remotexorkey',0

ByteSize:
dd 4

UsesFloat:
db 0 //Change to 1 if this custom type should be treated as a float

CallMethod:
db 1 //Remove or change to 0 for legacy call mechanism

//The convert routine should hold a routine that converts the data to an integer (in eax)
//function declared as: cdecl int ConvertRoutine(unsigned char *input, PTR_UINT address);
//Note: Keep in mind that this routine can be called by multiple threads at the same time.
ConvertRoutine:
//jmp dllname.functionname
[64-bit]
//or manual:
//parameters: (64-bit)
//rcx=address of input
//rdx=address
mov eax,[rcx] //eax now contains the bytes 'input' pointed to
xor eax,[xorkeyt]

ret
[/64-bit]

[32-bit]
//jmp dllname.functionname
//or manual:
//parameters: (32-bit)
push ebp
mov ebp,esp
//[ebp+8]=address of input
//[ebp+c]=address
//example:
mov eax,[ebp+8] //place the address that contains the bytes into eax
mov eax,[eax] //place the bytes into eax so it's handled as a normal 4 byte value
xor eax,[xorkeyt]

pop ebp
ret
[/32-bit]

//The convert back routine should hold a routine that converts the given integer back to a row of bytes (e.g when the user wats to write a new value)
//function declared as: cdecl void ConvertBackRoutine(int i, PTR_UINT address, unsigned char *output);
ConvertBackRoutine:
//jmp dllname.functionname
//or manual:
[64-bit]
//parameters: (64-bit)
//ecx=input
//rdx=address
//r8=address of output
//example:
xor ecx,[xorkeyt]
mov [r8],ecx //place the integer at the 4 bytes pointed to by r8

ret
[/64-bit]

[32-bit]
//parameters: (32-bit)
push ebp
mov ebp,esp
//[ebp+8]=input
//[ebp+c]=address
//[ebp+10]=address of output
//example:
push eax
push ebx
mov eax,[ebp+8] //load the value into eax
mov ebx,[ebp+10] //load the output address into ebx
xor eax,[xorkeyt]
mov [ebx],eax //write the value into the address
pop ebx
pop eax

pop ebp
ret
[/32-bit]
]]

Display posts from previous:

	Cheat Engine Forum Index -> Cheat Engine Lua Scripting	All times are GMT - 6 Hours Goto page 1, 2 Next
Page 1 of 2

Jump to:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum