|
Cheat Engine The Official Site of Cheat Engine
|
View previous topic :: View next topic |
Author |
Message |
Modify_This Newbie cheater Reputation: 0
Joined: 24 Sep 2024 Posts: 23
|
Posted: Tue Oct 15, 2024 10:30 am Post subject: |
|
|
Game Hacking Dojo wrote: | Yes the original code at the injection pointer is reassembled in the hook. To do the effect of writing 0 to the health without the ability to change the instruction itself since we used reassemble, you can use move 0 to eax to before the instruction executes.
Code: | mov eax,0 //there are multiple ways to move 0 to a register but this is easier for you to understand and change
reassemble(INJECT+0B) //mov [ebx+05DB90A0],eax |
|
This seems to work now, thank you, though for some reason when I disable the script, nobody dies, and occasionally the game will crash, so something in the game is not correctly returning back to the original code I would assume. This isn't something new though, so it's not related to the reassemble() because I've noticed it from the beginning. I just wasn't really worried about it at the time since I was more focused on getting the script to work. But now I'm curious why it doesn't return the code to the way it was when disabled. The disabled inject code uses the same few bytes from the aobscan as you can see in my script I provided previously.
Also, the script works for both the 1st and 2nd levels, but only individually, meaning, if I complete level 1, and then the game transitions or automatically loads the next level, the script does not work, and I can't disable it due to the error <Not all instructions could be injected>", so I have to close CE and reopen it. I'm sure this is because when it loads the new level, this level is in a different part of memory, which I can verify by doing a aobscan. So, how would I modify the script to look for this change?
If this opens a whole new can of worms that you don't want to really deal with, just let me know.
|
|
Back to top |
|
|
Game Hacking Dojo Expert Cheater Reputation: 1
Joined: 17 Sep 2023 Posts: 229
|
Posted: Tue Oct 15, 2024 2:46 pm Post subject: |
|
|
The game would crash because the address changes when the game loads a new map. Reassemble() will not update the bytes to the new address because it only gets executed once the script gets activated. The disable section includes the bytes supposed to be rewritten once the script is disabled, and those are set and hard-coded when you first make the script.
A simple and effective solution is to hook above this instruction (mov [ebx+05DB90A0],eax).
This way you don't have to deal with any of the headaches. Oh, but this way I get killed. Then you have to think a bit and make the script write something like this:
Code: | cmp enemy_team,1
je label_kill_enemy
mov eax,my_health
jmp code
label_kill_enemy:
mov eax,0
jmp code
code:
bla bla bla
|
This has to happen somewhere above your original injection point and shouldn't include that instruction with the address in it
|
|
Back to top |
|
|
Modify_This Newbie cheater Reputation: 0
Joined: 24 Sep 2024 Posts: 23
|
Posted: Wed Oct 16, 2024 9:52 am Post subject: |
|
|
Game Hacking Dojo wrote: | The game would crash because the address changes when the game loads a new map. Reassemble() will not update the bytes to the new address because it only gets executed once the script gets activated. The disable section includes the bytes supposed to be rewritten once the script is disabled, and those are set and hard-coded when you first make the script.
A simple and effective solution is to hook above this instruction (mov [ebx+05DB90A0],eax).
This way you don't have to deal with any of the headaches. Oh, but this way I get killed. Then you have to think a bit and make the script write something like this:
Code: | cmp enemy_team,1
je label_kill_enemy
mov eax,my_health
jmp code
label_kill_enemy:
mov eax,0
jmp code
code:
bla bla bla
|
This has to happen somewhere above your original injection point and shouldn't include that instruction with the address in it |
So, I came up with this script which goes back about 20 instructions, due to finding a unique AOBscan. It seems to work for the most part, though only if I update the Changing Offset for each of the instructions, which there are 5.
It also fixes the issue of nobody dies when I disable the script. Though the script still fails and cannot be disabled when the next level loads, but I think that is expected because the address for the code changes. I'll deal with that later.
I tried using the reassemble() for each one, but the game usually crashes. It could be because I have the wrong offset for each reassemble() since it's very tedious trying to count the bytes for 20 instructions, and then assign the correct amount for each of the 5 instructions that require the Changing Offset to be updated. Is there not an option in CE to calculate the number of bytes between instructions?
Also, when you use many instructions like I did in my script, doesn't the script then return to the next instruction after the jump, meaning all those instructions get executed again? Am I expected to add 20 NOPs?
How do you tell it to return back but at the address that is after all those instructions? Please don't tell me the only way is to count all the bytes again from the beginning of the jump, and then add that to the return or something.
Code: |
[ENABLE]
aobscan(INJECT,05 DC 02 00 00 83 EF 04 8B 1F 89 83 * * * * 8D 86 58)
alloc(newmem,$1000)
label(code)
label(return)
newmem:
add eax,000002DC
sub edi,04
mov ebx,[edi]
mov [ebx+05D160A0],eax
lea eax,[esi+00000058]
mov eax,[eax+05D160A0]
mov [edi],eax
add edi,04
lea eax,[esi+00000058]
mov eax,[eax+05D160A0]
mov eax,[eax+05D160A0]
mov [edi],eax
add edi,04
lea eax,[esi+00000028]
mov eax,[eax+05D160A0]
sub [edi-04],eax
sub edi,04
mov eax,[edi]
mov ebx,[edi-04]
cmp ebx,17654
jne code
mov eax,#100
jmp return
code:
mov eax,0
// reassemble(INJECT+0A) //10 for changing offset
// reassemble(INJECT+16) //22 for changing offset
// reassemble(INJECT+24) //36 for changing offset
// reassemble(INJECT+2A) //42 for changing offset
// reassemble(INJECT+3C) //60 for changing offset
jmp return
INJECT:
jmp newmem
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 05 DC 02 00 00
unregistersymbol(INJECT)
dealloc(newmem) |
|
|
Back to top |
|
|
Game Hacking Dojo Expert Cheater Reputation: 1
Joined: 17 Sep 2023 Posts: 229
|
Posted: Wed Oct 16, 2024 11:00 am Post subject: |
|
|
This is not a solution but rather a problem introduction. You didn't go up one instruction to include more (totally useless) offsets in the script to introduce more problems.
You don't need an AOB scan for a game that gets no updates. And if even if this game gets updates if the AOB is complicated for you then don't use it. Start with something easy. Try the "code injection" template instead.
|
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum You cannot attach files in this forum You can download files in this forum
|
|