[SOLVED] NOP a Code Injection?

3oddbits
Noobzor
Posts: 9
Joined: Thu Jul 06, 2017 6:32 pm
Reputation: 0

[SOLVED] NOP a Code Injection?

Post by 3oddbits » Thu Jul 06, 2017 10:35 pm

Have a table almost complete, except for two items in the 'Advanced Options / Code List'.
Both are NOPs that, when toggled by right-clicking and selecting 'replace with code that does nothing', work just fine.
Every attempt to turn those items into <script> in the main table has failed / doesn't work.
Watching multiple YouTube video tutorials hasn't been very helpful in figuring out where I am going wrong.

Am I barking up the wrong tree? Or is it even possible to do that?

( CE 6.7 64bit )

++METHOS
Administration
Posts: 188
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 19

Re: [HELP] NOP a Code Injection?

Post by ++METHOS » Thu Jul 06, 2017 11:34 pm

It is possible to write a script for this. CE will even build the script for you. Without knowing what you are doing or what is happening with the code, we can only speculate about the cause of the crashing.

3oddbits
Noobzor
Posts: 9
Joined: Thu Jul 06, 2017 6:32 pm
Reputation: 0

Re: [HELP] NOP a Code Injection?

Post by 3oddbits » Fri Jul 07, 2017 11:16 pm

Thanks for responding.

I tried to look at other tables for examples of scripts, but all I really found was AoB Scans / Injection.

The script attempts ....
Tried going through the memory disassembler: highlight the correct address line, then Tools, Auto Assemble, cheat framework, and then either code injection or full injection.

In the memory disassembler, when one of the 'Code List' items is toggled, the correct address and the next line both show nop.
Testing shows it works as desired.
In the memory disassembler, every script attempt has shown a hex address, and then a nop in the next line or two or three. And it doesn't work in testing.

Do I need to post one of the script attempts?

++METHOS
Administration
Posts: 188
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 19

Re: [HELP] NOP a Code Injection?

Post by ++METHOS » Sat Jul 08, 2017 12:53 am

When you use a script, a segment of code is allocated for your codecave and the original code jumps to that codecave where your code gets executed, so you would see something in memory viewer like the following:
jmp 02E80000
nop
nop
//rest of originalcode
If you allow CE to set up your script for you and the target is still crashing when you try to execute the script, there are any number of reasons why this could be happening.

It might help if you paste your untouched script here that CE created. Use full injection so that we can see the surrounding code. If you like, you can include what you are wanting to change using comment brackets. For example:
newmem:
mov edx,[eax+4] //want to nop this line
pop edi
jmp return
Is the target an online game or something that might have anti-cheat measures in place? If so, that would be good to know.

3oddbits
Noobzor
Posts: 9
Joined: Thu Jul 06, 2017 6:32 pm
Reputation: 0

Re: [HELP] NOP a Code Injection?

Post by 3oddbits » Sat Jul 08, 2017 4:28 pm

It's a single-player game; most of the values found are constants ( older game / not a new release ).

This is the output from the disassembler without and with the NOP applied.

Code:

--> NOP Disabled
************************.exe+25B8E3 - 0F2F C1                     - comiss xmm0,xmm1
************************.exe+25B8E6 - EB 03                        - jmp ************************.exe+25B8EB
************************.exe+25B8E8 - 0F2F D1                     - comiss xmm2,xmm1
************************.exe+25B8EB - 76 05                        - jna ************************.exe+25B8F2
************************.exe+25B8ED - F3 0F11 4F 40            - movss [edi+40],xmm1
************************.exe+25B8F2 - 8B 4D F4                    - mov ecx,[ebp-0C]
************************.exe+25B8F5 - 64 89 0D 00000000     - mov fs:[00000000],ecx { 0 }

--> NOP Enabled
************************.exe+25B8E3 - 0F2F C1                         - comiss xmm0,xmm1
************************.exe+25B8E6 - EB 03                            - jmp ************************.exe+25B8EB
************************.exe+25B8E8 - 0F2F D1                         - comiss xmm2,xmm1
************************.exe+25B8EB - 90                                 - nop 
************************.exe+25B8EC - 90                                 - nop 
************************.exe+25B8ED - F3 0F11 4F 40                - movss [edi+40],xmm1
************************.exe+25B8F2 - 8B 4D F4                         - mov ecx,[ebp-0C]
************************.exe+25B8F5 - 64 89 0D 00000000                - mov fs:[00000000],ecx { 0 }
This is the saved <script> output :

Code:


{ Game   : ************************.exe
  Version: 
  Date   : 2017-07-08
  Author : blah blah blah

  This script does blah blah blah
}

define(address,"************************.exe"+25B8EB)
define(bytes,76 05 F3 0F 11 4F 40)

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

assert(address,bytes)
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  jna ************************.exe+25B8F2
  movss [edi+40],xmm1
  jmp return

address:
  jmp newmem
  nop
  nop
return:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
address:
  db bytes
  // jna ************************.exe+25B8F2
  // movss [edi+40],xmm1

dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "************************.exe"+25B8EB

"************************.exe"+25B8C2: F3 0F 58 C2               -  addss xmm0,xmm2
"************************.exe"+25B8C6: F3 0F 11 47 40           -  movss [edi+40],xmm0
"************************.exe"+25B8CB: EB 25                        -  jmp ************************.exe+25B8F2
"************************.exe"+25B8CD: F3 0F 10 47 34           -  movss xmm0,[edi+34]
"************************.exe"+25B8D2: F3 0F 59 05 24 92 6D 01  -  mulss xmm0,[************************.exe+499224]
"************************.exe"+25B8DA: F3 0F 58 C2               -  addss xmm0,xmm2
"************************.exe"+25B8DE: F3 0F 11 47 40           -  movss [edi+40],xmm0
"************************.exe"+25B8E3: 0F 2F C1                    -  comiss xmm0,xmm1
"************************.exe"+25B8E6: EB 03                         -  jmp ************************.exe+25B8EB
"************************.exe"+25B8E8: 0F 2F D1                    -  comiss xmm2,xmm1
// ---------- INJECTING HERE ----------
"************************.exe"+25B8EB: 76 05                        -  jna ************************.exe+25B8F2
"************************.exe"+25B8ED: F3 0F 11 4F 40           -  movss [edi+40],xmm1
// ---------- DONE INJECTING  ----------
"************************.exe"+25B8F2: 8B 4D F4                       -  mov ecx,[ebp-0C]
"************************.exe"+25B8F5: 64 89 0D 00 00 00 00     -  mov fs:[00000000],ecx
"************************.exe"+25B8FC: 59                             -  pop ecx
"************************.exe"+25B8FD: 5F                             -  pop edi
"************************.exe"+25B8FE: 5E                             -  pop esi
"************************.exe"+25B8FF: 5B                             -  pop ebx
"************************.exe"+25B900: 8B 4D F0                    -  mov ecx,[ebp-10]
"************************.exe"+25B903: 33 CD                         -  xor ecx,ebp
"************************.exe"+25B905: E8 F8 C0 0E 00            -  call ************************.exe+347A02
"************************.exe"+25B90A: 8B E5                         -  mov esp,ebp
}
After looking at the disassembler output ( and thinking for a bit ), would this code be correct?

Code:

newmem:
  nop
  nop
  movss [edi+40],xmm1
  jmp return

++METHOS
Administration
Posts: 188
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 19

Re: [HELP] NOP a Code Injection?

Post by ++METHOS » Sat Jul 08, 2017 10:23 pm

"game.exe"+25B8E8: 0F 2F D1 - comiss xmm2,xmm1 //----------inject here, instead
"game.exe"+25B8EB: 76 05 - jna game.exe+25B8F2
What happens if you inject 1 line above, instead?

3oddbits
Noobzor
Posts: 9
Joined: Thu Jul 06, 2017 6:32 pm
Reputation: 0

Re: [HELP] NOP a Code Injection?

Post by 3oddbits » Sun Jul 09, 2017 2:26 am

The disassembler output had some arrows not included in my earlier posts.

Code:

this line :
"************************.exe"+25B8E6: EB 03                    -  jmp ************************.exe+25B8EB
goes to this line ( green arrow ) :
"************************.exe"+25B8EB: 76 05                    -  jna ************************.exe+25B8F2
goes to this line ( red arrow ) :
"************************.exe"+25B8F2: 8B 4D F4                 -  mov ecx,[ebp-0C]

Code:

"************************.exe"+25B8E3: 0F 2F C1                 -  comiss xmm0,xmm1
"************************.exe"+25B8E6: EB 03                    -  jmp ************************.exe+25B8EB
"************************.exe"+25B8E8: 0F 2F D1                 -  comiss xmm2,xmm1
"************************.exe"+25B8EB: 76 05                    -  jna ************************.exe+25B8F2
"************************.exe"+25B8ED: F3 0F 11 4F 40           -  movss [edi+40],xmm1
"************************.exe"+25B8F2: 8B 4D F4                 -  mov ecx,[ebp-0C]
"************************.exe"+25B8F5: 64 89 0D 00 00 00 00     -  mov fs:[00000000],ecx
I may have tried the suggested injection point earlier, but don't remember clearly.
The 'replace with code that does nothing' always goes back to this line :

Code:

"************************.exe"+25B8E6: EB 03                    -  jmp ************************.exe+25B8EB

This does work properly ( tested ) :

Code:

  Version:
  Date   : 2017-07-08
  Author : 3oddbits

  This script does [REDACTED]
}

define(address,"************************.exe"+25B8EB)
define(bytes,76 05 F3 0F 11 4F 40)

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat



assert(address,bytes)
alloc(newmem,$1000)

label(code)
label(return)

newmem:
  nop
  nop
  movss [edi+40],xmm1
  jmp return

code:
  jna ************************.exe+25B8F2
  movss [edi+40],xmm1
  jmp return

address:
  jmp newmem
  nop
  nop
return:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
address:
  db bytes
  // jna ************************.exe+25B8F2
  // movss [edi+40],xmm1

dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "************************.exe"+25B8EB

"************************.exe"+25B8C2: F3 0F 58 C2              -  addss xmm0,xmm2
"************************.exe"+25B8C6: F3 0F 11 47 40           -  movss [edi+40],xmm0
"************************.exe"+25B8CB: EB 25                    -  jmp ************************.exe+25B8F2
"************************.exe"+25B8CD: F3 0F 10 47 34           -  movss xmm0,[edi+34]
"************************.exe"+25B8D2: F3 0F 59 05 24 92 54 01  -  mulss xmm0,[************************.exe+499224]
"************************.exe"+25B8DA: F3 0F 58 C2              -  addss xmm0,xmm2
"************************.exe"+25B8DE: F3 0F 11 47 40           -  movss [edi+40],xmm0
"************************.exe"+25B8E3: 0F 2F C1                 -  comiss xmm0,xmm1
"************************.exe"+25B8E6: EB 03                    -  jmp ************************.exe+25B8EB
"************************.exe"+25B8E8: 0F 2F D1                 -  comiss xmm2,xmm1
// ---------- INJECTING HERE ----------
"************************.exe"+25B8EB: 76 05                    -  jna ************************.exe+25B8F2
"************************.exe"+25B8ED: F3 0F 11 4F 40           -  movss [edi+40],xmm1
// ---------- DONE INJECTING  ----------
"************************.exe"+25B8F2: 8B 4D F4                 -  mov ecx,[ebp-0C]
"************************.exe"+25B8F5: 64 89 0D 00 00 00 00     -  mov fs:[00000000],ecx
"************************.exe"+25B8FC: 59                       -  pop ecx
"************************.exe"+25B8FD: 5F                       -  pop edi
"************************.exe"+25B8FE: 5E                       -  pop esi
"************************.exe"+25B8FF: 5B                       -  pop ebx
"************************.exe"+25B900: 8B 4D F0                 -  mov ecx,[ebp-10]
"************************.exe"+25B903: 33 CD                    -  xor ecx,ebp
"************************.exe"+25B905: E8 F8 C0 0E 00           -  call ************************.exe+347A02
"************************.exe"+25B90A: 8B E5                    -  mov esp,ebp
}
The same approach also worked on the other 'nop' I wanted to script :

Code:

  Version:
  Date   : 2017-07-08
  Author : 3oddbits

  This script does [REDACTED]
}

define(address,"************************.exe"+2B889E)
define(bytes,FF 48 0C FF 4D 90)

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat



assert(address,bytes)
alloc(newmem,$1000)

label(code)
label(return)

newmem:
  nop
  nop
  nop
  dec [ebp-70]
  jmp return

code:
  dec [eax+0C]
  dec [ebp-70]
  jmp return

address:
  jmp newmem
  nop
return:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
address:
  db bytes
  // dec [eax+0C]
  // dec [ebp-70]

dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "************************.exe"+2B889E

"************************.exe"+2B8880: E8 AB 45 FC FF           -  call ************************.exe+27CE30
"************************.exe"+2B8885: 83 C4 20                 -  add esp,20
"************************.exe"+2B8888: 8B 85 44 FF FF FF        -  mov eax,[ebp-000000BC]
"************************.exe"+2B888E: 40                       -  inc eax
"************************.exe"+2B888F: 89 45 90                 -  mov [ebp-70],eax
"************************.exe"+2B8892: 85 C0                    -  test eax,eax
"************************.exe"+2B8894: 7E 17                    -  jle ************************.exe+2B88AD
"************************.exe"+2B8896: 56                       -  push esi
"************************.exe"+2B8897: 8B CF                    -  mov ecx,edi
"************************.exe"+2B8899: E8 12 F4 D5 FF           -  call ************************.exe+17CB0
// ---------- INJECTING HERE ----------
"************************.exe"+2B889E: FF 48 0C                 -  dec [eax+0C]
"************************.exe"+2B88A1: FF 4D 90                 -  dec [ebp-70]
// ---------- DONE INJECTING  ----------
"************************.exe"+2B88A4: C7 40 10 00 00 00 00     -  mov [eax+10],00000000
"************************.exe"+2B88AB: 75 E9                    -  jne ************************.exe+2B8896
"************************.exe"+2B88AD: 8B 85 54 FF FF FF        -  mov eax,[ebp-000000AC]
"************************.exe"+2B88B3: 0F B7 C0                 -  movzx eax,ax
"************************.exe"+2B88B6: BA 1B 00 00 00           -  mov edx,0000001B
"************************.exe"+2B88BB: 50                       -  push eax
"************************.exe"+2B88BC: 8D 4A ED                 -  lea ecx,[edx-13]
"************************.exe"+2B88BF: 89 B5 4C FF FF FF        -  mov [ebp-000000B4],esi
"************************.exe"+2B88C5: E8 B6 C0 E9 FF           -  call ************************.exe+154980
"************************.exe"+2B88CA: 8B 7D 94                 -  mov edi,[ebp-6C]
}
Your help got my mental gears turning.
Thank You. :D

[ PS : you can change the thread header from [HELP] to [SOLVED], or anything you think appropriate. ]
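The two working scripts above differ in one detail that the thread never spells out: the first pads `jmp newmem` with two NOPs, the second with one. The reason is that the 5-byte near jmp CE writes at `address:` must end on an instruction boundary, so it overwrites whole instructions (2+5=7 bytes in the first case, 3+3=6 in the second) and the leftover bytes become NOPs. The same bytes are what `assert(address,bytes)` checks before patching, and what an integrity check on the other side would compare against. The following is an added example, not code from this thread or from Cheat Engine: it parses listings in the "ORIGINAL CODE" format CE emits, computes the hook footprint and padding for an injection point (refusing offsets that are not instruction boundaries), encodes the `E9 rel32` + NOP bytes the hook leaves behind, and classifies a memory region as intact, jmp-hooked, or otherwise modified. The listings are constructed from the posted blocks with `game.exe` standing in for the redacted module name, and the cave offset used in the self-test is an arbitrary placeholder.

```python
import re
from typing import List, Tuple

# Constructed sample listings (format copied from CE's generated script); "game.exe" is a placeholder.
LISTING_A = '''\
"game.exe"+25B8E8: 0F 2F D1                 -  comiss xmm2,xmm1
"game.exe"+25B8EB: 76 05                    -  jna game.exe+25B8F2
"game.exe"+25B8ED: F3 0F 11 4F 40           -  movss [edi+40],xmm1
"game.exe"+25B8F2: 8B 4D F4                 -  mov ecx,[ebp-0C]
'''
LISTING_B = '''\
"game.exe"+2B889E: FF 48 0C                 -  dec [eax+0C]
"game.exe"+2B88A1: FF 4D 90                 -  dec [ebp-70]
"game.exe"+2B88A4: C7 40 10 00 00 00 00     -  mov [eax+10],00000000
'''

LINE_RE = re.compile(
    r'^"(?P<mod>[^"]+)"\+(?P<off>[0-9A-Fa-f]+):\s+'
    r'(?P<raw>(?:[0-9A-Fa-f]{2}\s+)+)-\s+(?P<asm>.+?)\s*$')

JMP_LEN = 5   # E9 rel32, the near jmp CE emits for "jmp newmem"
NOP = 0x90

Instr = Tuple[int, bytes, str]   # (module offset, encoded bytes, disassembly text)


def parse_listing(text: str) -> List[Instr]:
    """Parse '"mod"+off: bytes - asm' lines into (offset, bytes, asm) tuples; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m['off'], 16), bytes.fromhex(m['raw'].replace(' ', '')), m['asm']))
    return out


def hook_footprint(instrs: List[Instr], inject_off: int, hook_len: int = JMP_LEN) -> Tuple[List[Instr], int]:
    """Whole instructions a hook_len-byte jmp at inject_off overwrites, and the NOP count needed
    to pad up to the next instruction boundary.  Raises if inject_off is not a boundary in the
    listing, because a jmp written there would split an instruction."""
    idx = [i for i, (off, _, _) in enumerate(instrs) if off == inject_off]
    if not idx:
        raise ValueError(f"{inject_off:X} is not an instruction boundary in the listing")
    taken, covered = [], 0
    for ins in instrs[idx[0]:]:
        taken.append(ins)
        covered += len(ins[1])
        if covered >= hook_len:
            return taken, covered - hook_len
    raise ValueError("listing ends before the hook is fully covered")


def original_bytes(taken: List[Instr]) -> bytes:
    """The bytes define(bytes,...) / assert(address,bytes) expect to find before patching."""
    return b''.join(raw for _, raw, _ in taken)


def encode_hook(inject_off: int, cave_off: int, covered: int) -> bytes:
    """E9 rel32 to the cave plus NOP padding: the bytes left at 'address:' after jmp newmem / nop.
    rel32 is measured from the end of the 5-byte jmp."""
    rel = (cave_off - (inject_off + JMP_LEN)) & 0xFFFFFFFF
    return b'\xE9' + rel.to_bytes(4, 'little') + bytes([NOP]) * (covered - JMP_LEN)


def hook_target(region: bytes, inject_off: int) -> int:
    """Recover the offset a detected E9 hook jumps to."""
    rel = int.from_bytes(region[1:5], 'little', signed=True)
    return inject_off + JMP_LEN + rel


def classify_region(current: bytes, expected: bytes) -> str:
    """Integrity check in the spirit of assert(address,bytes): 'intact' when the bytes match,
    'jmp hook' when replaced by a near jmp padded with NOPs, otherwise 'modified'."""
    if current == expected:
        return 'intact'
    if len(current) >= JMP_LEN and current[0] == 0xE9 and all(b == NOP for b in current[JMP_LEN:]):
        return 'jmp hook'
    return 'modified'


if __name__ == '__main__':
    for listing, inject in ((LISTING_A, 0x25B8EB), (LISTING_B, 0x2B889E)):
        taken, pad = hook_footprint(parse_listing(listing), inject)
        print(f"{inject:X}: overwrite {len(taken)} instructions "
              f"({len(original_bytes(taken))} bytes), pad with {pad} nop(s)")
```

Run as a script it reports 2 NOPs for the `25B8EB` injection and 1 for `2B889E`, matching the two posted scripts. `classify_region` also distinguishes CE's own 'replace with code that does nothing' patch (`90 90` over the `jna`, reported as `modified`) from a jmp-to-cave hook.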
