Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
I combined 2 working scripts, and now the game crashes?

Autem
Expert Cheater
Reputation: 1

Joined: 30 Jan 2023
Posts: 119

Posted: Fri Apr 21, 2023 8:32 pm    Post subject: I combined 2 working scripts, and now the game crashes?

Hi, I had two working scripts that I wanted to combine into one. They both work perfectly when they're separate but once I combine them the game crashes at the point where the script would be triggered. Can anyone see what I might have missed? I went over this and proofread it many times but I can't find anything obvious. I thought maybe I missed something with adding a 2, 3, etc... to duplicate labels but nothing stands out.

Code:
define(address,"WWE2K23_x64.exe"+43E859)
define(bytes,0F BE 40 28 48 83 C4 20)

define(address2,"WWE2K23_x64.exe"+F45DB1)
define(bytes2,0F B6 8E F0 04 00 00)

[ENABLE]

assert(address2,bytes2)
alloc(newmem2,$1000,"WWE2K23_x64.exe"+F45DB1)
registersymbol(odlid)
alloc(odlid,1)
label(code3)
label(return2)

assert(address,bytes)
alloc(newmem,$1000,"WWE2K23_x64.exe"+43E859)

label(code)
label(return)
label(code2)

newmem2:

code3:
  movzx ecx,byte ptr [rsi+000004F0]
  mov [odlid],ecx
  jmp return2 // this hook's own return label (return belongs to the hook at address)

address2:
  jmp newmem2
  nop 2
return2:


newmem:
  cmp [odlid],#128
  je code2
  cmp [odlid],#129
  je code2
  cmp [odlid],#130
  je code2
  mov eax,0

code:
  add rsp,20
  jmp return

code2:
  mov eax,2
  add rsp,20
  jmp return

address:
  jmp newmem
  nop 3
return:

[DISABLE]
address:
  db bytes
dealloc(newmem)
dealloc(odlid)
unregistersymbol(odlid)

{
// ORIGINAL CODE - INJECTION POINT: WWE2K23_x64.exe+43E859

WWE2K23_x64.exe+43E834: 5B                    - pop rbx
WWE2K23_x64.exe+43E835: C3                    - ret
WWE2K23_x64.exe+43E836: 0F B6 15 49 9F 12 03  - movzx edx,byte ptr [WWE2K23_x64.exe+3568786]
WWE2K23_x64.exe+43E83D: 0F B7 CB              - movzx ecx,bx
WWE2K23_x64.exe+43E840: E8 7B F9 99 00        - call WWE2K23_x64.exe+DDE1C0
WWE2K23_x64.exe+43E845: 48 85 C0              - test rax,rax
WWE2K23_x64.exe+43E848: 74 19                 - je WWE2K23_x64.exe+43E863
WWE2K23_x64.exe+43E84A: 0F B6 15 35 9F 12 03  - movzx edx,byte ptr [WWE2K23_x64.exe+3568786]
WWE2K23_x64.exe+43E851: 0F B7 CB              - movzx ecx,bx
WWE2K23_x64.exe+43E854: E8 67 F9 99 00        - call WWE2K23_x64.exe+DDE1C0
// ---------- INJECTING HERE ----------
WWE2K23_x64.exe+43E859: 0F BE 40 28           - movsx eax,byte ptr [rax+28]
// ---------- DONE INJECTING  ----------
WWE2K23_x64.exe+43E85D: 48 83 C4 20           - add rsp,20
WWE2K23_x64.exe+43E861: 5B                    - pop rbx
WWE2K23_x64.exe+43E862: C3                    - ret
WWE2K23_x64.exe+43E863: B8 02 00 00 00        - mov eax,00000002
WWE2K23_x64.exe+43E868: 48 83 C4 20           - add rsp,20
WWE2K23_x64.exe+43E86C: 5B                    - pop rbx
WWE2K23_x64.exe+43E86D: C3                    - ret
WWE2K23_x64.exe+43E86E: CC                    - int 3
WWE2K23_x64.exe+43E86F: CC                    - int 3
WWE2K23_x64.exe+43E870: 48 83 EC 68           - sub rsp,68
}
address2:
  db bytes2
dealloc(newmem2)

{
// ORIGINAL CODE - INJECTION POINT: WWE2K23_x64.exe+F45DB1

WWE2K23_x64.exe+F45D8A: 78 25                    - js WWE2K23_x64.exe+F45DB1
WWE2K23_x64.exe+F45D8C: 83 F8 32                 - cmp eax,32
WWE2K23_x64.exe+F45D8F: 73 20                    - jae WWE2K23_x64.exe+F45DB1
WWE2K23_x64.exe+F45D91: 48 8B 0D 50 61 74 02     - mov rcx,[WWE2K23_x64.exe+368BEE8]
WWE2K23_x64.exe+F45D98: 48 69 D0 E8 00 00 00     - imul rdx,rax,000000E8
WWE2K23_x64.exe+F45D9F: 48 81 C1 98 03 3C 00     - add rcx,003C0398
WWE2K23_x64.exe+F45DA6: 48 03 CA                 - add rcx,rdx
WWE2K23_x64.exe+F45DA9: 74 06                    - je WWE2K23_x64.exe+F45DB1
WWE2K23_x64.exe+F45DAB: 0F B6 49 24              - movzx ecx,byte ptr [rcx+24]
WWE2K23_x64.exe+F45DAF: EB 07                    - jmp WWE2K23_x64.exe+F45DB8
// ---------- INJECTING HERE ----------
WWE2K23_x64.exe+F45DB1: 0F B6 8E F0 04 00 00     - movzx ecx,byte ptr [rsi+000004F0]
// ---------- DONE INJECTING  ----------
WWE2K23_x64.exe+F45DB8: E8 73 D6 50 FF           - call WWE2K23_x64.exe+453430
WWE2K23_x64.exe+F45DBD: 48 8B D8                 - mov rbx,rax
WWE2K23_x64.exe+F45DC0: 48 85 C0                 - test rax,rax
WWE2K23_x64.exe+F45DC3: 0F 84 DB 01 00 00        - je WWE2K23_x64.exe+F45FA4
WWE2K23_x64.exe+F45DC9: 48 8B 8E 98 00 00 00     - mov rcx,[rsi+00000098]
WWE2K23_x64.exe+F45DD0: 48 89 AC 24 E0 00 00 00  - mov [rsp+000000E0],rbp
WWE2K23_x64.exe+F45DD8: 48 89 BC 24 E8 00 00 00  - mov [rsp+000000E8],rdi
WWE2K23_x64.exe+F45DE0: 4C 8B 41 10              - mov r8,[rcx+10]
WWE2K23_x64.exe+F45DE4: 49 8B C0                 - mov rax,r8
WWE2K23_x64.exe+F45DE7: 49 63 08                 - movsxd  rcx,dword ptr [r8]
}
ParkourPenguin
I post too much
Reputation: 140

Joined: 06 Jul 2014
Posts: 4290

Posted: Fri Apr 21, 2023 8:58 pm    Post subject:

Buffer overflow:
Code:
alloc(odlid,1)
...
mov [odlid],ecx
ECX is a 4-byte value. `odlid` only has 1 byte allocated for it.

The only reason why separate scripts worked is because there was nothing important allocated after `odlid`. When the scripts are combined, that `mov` overwrites the first 3 bytes of code written at `newmem`.

Perhaps you meant `mov byte ptr [odlid],cl` instead. If so, also use `cmp byte ptr [odlid],whatever` too.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
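As an added example (not code from either poster), a small Python lint that applies the point above mechanically: it reads each alloc() size from a CE auto-assembler script and flags mov/cmp memory operands that are wider than the allocation they target. The sample input is a constructed four-line excerpt of the script in the question, and the lint assumes an unsized immediate operand such as #128 is assembled as a dword access.

```python
import re

REG_WIDTH = {}  # operand width in bytes for the x64 general-purpose registers
for r in ("ax", "bx", "cx", "dx", "si", "di", "bp", "sp"):
    REG_WIDTH.update({"r" + r: 8, "e" + r: 4, r: 2})
for r in ("al", "bl", "cl", "dl", "sil", "dil", "bpl", "spl"):
    REG_WIDTH[r] = 1
for n in range(8, 16):
    REG_WIDTH.update({f"r{n}": 8, f"r{n}d": 4, f"r{n}w": 2, f"r{n}b": 1})
PTR_WIDTH = {"byte": 1, "word": 2, "dword": 4, "qword": 8}

ALLOC_RE = re.compile(r"^\s*alloc\((\w+)\s*,\s*(\$?[0-9A-Fa-f]+)", re.I)
# mov/cmp whose memory operand is a bare allocated symbol, e.g. mov [odlid],ecx
MEM_OP_RE = re.compile(
    r"^\s*(mov|cmp)\s+(?:(byte|word|dword|qword)\s+ptr\s+)?\[(\w+)\]\s*,\s*(\S+)", re.I)

def ce_size(tok):
    # CE sizes are decimal, or hex when prefixed with '$' ($1000 = 4096)
    return int(tok[1:], 16) if tok.startswith("$") else int(tok)

def operand_width(size_prefix, src):
    if size_prefix:
        return PTR_WIDTH[size_prefix.lower()]
    if src.lower() in REG_WIDTH:
        return REG_WIDTH[src.lower()]
    return 4  # assumption: an unsized immediate such as #128 assembles as a dword access

def lint(script):
    # Returns (line, symbol, access_width, alloc_size, kind) for every oversized access.
    allocs, findings = {}, []
    for lineno, line in enumerate(script.splitlines(), 1):
        m = ALLOC_RE.match(line)
        if m:
            allocs[m.group(1).lower()] = ce_size(m.group(2))
            continue
        m = MEM_OP_RE.match(line)
        if not m or m.group(3).lower() not in allocs:
            continue
        op, prefix, sym, src = m.groups()
        width, size = operand_width(prefix, src), allocs[sym.lower()]
        if width > size:
            kind = "over-write" if op.lower() == "mov" else "over-read"
            findings.append((lineno, sym, width, size, kind))
    return findings

# Constructed excerpt of the thread's script, and the same lines with the suggested fix.
BUGGY = "alloc(odlid,1)\nalloc(newmem,$1000)\nmov [odlid],ecx\ncmp [odlid],#128\n"
FIXED = (BUGGY.replace("mov [odlid],ecx", "mov byte ptr [odlid],cl")
              .replace("cmp [odlid],#128", "cmp byte ptr [odlid],#128"))
```

Running lint(BUGGY) reports a 4-byte over-write and a 4-byte over-read of the 1-byte odlid, while lint(FIXED) returns an empty list.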