Page 1 of 2

Resetting a value after disabling script

Posted: Fri Dec 29, 2017 7:11 pm
by Fruitpunch
Hello,

I have a script which works per se but I am changing a value in an address where nothing writes. I need to reset the value when the script is disabled. Is there a simple way to do this?

I'd prefer the solution is in Assembly and does not involve aobscan unless there is no other way.

Re: Resetting a value after disabling script

Posted: Fri Dec 29, 2017 7:25 pm
by ShyTwig16

Code:

...
valueAddress:
    dd (int)100
...
Maybe [Link] would do it, hard to say with no code posted.

Code:

[Enable]
...
storedValueAddress:
    readMem(valueAddress, 4)
...
[Disable]
...
valueAddress:
    readMem(storedValueAddress, 4)
...

Re: Resetting a value after disabling script

Posted: Fri Dec 29, 2017 7:39 pm
by FreeER
That depends on how the script works. If you have a static address or pointer then you can use the method ShyTwig16 showed, if you have to hook code to get the address then you could have that hook write the address to memory that you could access later when you disable it. If you've created a thread/timer to constantly write to it (unlikely since you said nothing else writes to it) then you'd probably need to modify that to reset the value when it stops.

Re: Resetting a value after disabling script

Posted: Sat Dec 30, 2017 8:18 pm
by Fruitpunch
Thanks for the input.

Yeah, I already stumbled upon readmem but since the examples have been just so, I have not been able to understand how to write one correctly.

Is this anywhere near what it should be?

Code:

[ENABLE]
alloc(newmem,2048)
alloc(storedvalue, 4)
alloc(originalvalue, 4)
label(returnhere)
label(originalcode)
label(exit)

newmem:
mov [r14],(float)1

originalcode:
comiss xmm6,[r14]

exit:
jmp returnhere

originalvalue:
dd (float)1.4

storedvalue:
readMem(originalvalue, 4)

[DISABLE]
dealloc(newmem)
dealloc(storedvalue)
dealloc(originalvalue)
readMem(storedvalue, 4)

Re: Resetting a value after disabling script

Posted: Sat Dec 30, 2017 9:23 pm
by ShyTwig16
You have the "newmem" with code but no injection point. If you are only reading and writing to an address that is static or pulled from some other script, then it could work. But with that code and the "newmem", it looks like you're trying to inject.

Without knowing the injection point, this is the best I can figure:

Code:

[ENABLE]
alloc(newmem,2048)

alloc(storedvalue, 4)
registerSymbol(storedvalue) // must be unique

label(returnhere)
label(originalcode)
label(exit)


newmem:
	mov [r14],(float)1
	originalcode:
		comiss xmm6,[r14]
	exit:
		jmp returnhere


storedvalue:
	readMem({ Address or AOB Symbol of the original value}, 4)


some_injection_point:
	jmp newmem
	//any needed nops
	returnhere:


[DISABLE]
some_injection_point:
	db { original bytes }

{ Address or AOB Symbol of the original value}:
	readMem(storedvalue, 4)

dealloc(newmem)
dealloc(storedvalue)

unregisterSymbol(storedvalue)
[Link]

But the "some_injection_point" needs to be an address or you will need to set up an AOB and register the symbol.

Code:

aobScanModule(some_injection_point, GAME.exe, F3xxxxxxxxxxxxxxF3xxxxxxxxD9xxxxF3xxxxxxxx0F2F)
registerSymbol(some_injection_point) // must be unique

Code:

[ENABLE]
aobScanModule(some_injection_point, GAME.exe, { injection point AOB })
registerSymbol(some_injection_point) // must be unique
alloc(newmem,2048)

alloc(storedvalue, 4)
registerSymbol(storedvalue) // must be unique

label(returnhere)
label(originalcode)
label(exit)


newmem:
	mov [r14],(float)1
	originalcode:
		comiss xmm6,[r14]
	exit:
		jmp returnhere


storedvalue:
	readMem({ Address or AOB Symbol of the original value}, 4)


some_injection_point:
	jmp newmem
	//any needed nops
	returnhere:


[DISABLE]
some_injection_point:
	db { original bytes }

{ Address or AOB Symbol of the original value}:
	readMem(storedvalue, 4)

dealloc(newmem)
dealloc(storedvalue)

unregisterSymbol(storedvalue)
unregisterSymbol(some_injection_point)
If you are trying to inject, then go to the memory view form, select some code with the injection point in the middle, press Ctrl+C, click OK on the prompt, then post that in a Code Block (</>) and mark the injection point in an understandable way; then people can help a little better.

But this is a trial and error process so just keep trying.

There are some new tutorials on the Cheat Engine Wiki also.
[Link]
[Link]

Re: Resetting a value after disabling script

Posted: Sun Dec 31, 2017 3:23 pm
by Fruitpunch
Sorry, I left out too much.

The injection is done at the same point where I am doing the modification.
I'm having trouble getting the right address in the readMem, and no the address is not static.

Can't use another script because there doesn't seem to be other instructions accessing this address.

Code:

[ENABLE]
alloc(newmem,2048,"something.exe"+5000000)
alloc(storedvalue, 4)
registersymbol(storedvalue)
label(returnhere)
label(originalcode)
label(exit)

newmem:
mov [r14],(float)1

originalcode:
comiss xmm6,[r14]

exit:
jmp returnhere

storedvalue:
readMem(xxxx,4) //if I have understood correctly xxxx should be replaced with the address that is stored in r14


"something.exe"+5000000:
jmp newmem
nop
nop
nop
returnhere:

[DISABLE]
dealloc(newmem)
dealloc(storedvalue)
readMem(storedvalue,4)
"something.exe"+5000000:
comiss xmm6,[r14]
//Alt: db 41 23 7B B6 6E 03 00 00

unregistersymbol(storedvalue)

Re: Resetting a value after disabling script

Posted: Sun Dec 31, 2017 5:18 pm
by ShyTwig16
In that case, I would try to find where the R14 register is written; I'd bet there is a base with an offset, and R14 is calculated with those.

EDIT: Then just inject there and store the base for later use, and you may need to store the offset as well.

Re: Resetting a value after disabling script

Posted: Mon Jan 01, 2018 12:54 pm
by Fruitpunch
Let me get this straight, so I get the address of R14 when I enable the script but there is no way to write to this address in the disable part?

I mean, I don't really need to go to the trouble of finding the address beforehand just to get the original value because it's static as mentioned earlier.

Re: Resetting a value after disabling script

Posted: Mon Jan 01, 2018 6:17 pm
by jungletek
Fruitpunch wrote:
Mon Jan 01, 2018 12:54 pm
Let me get this straight, so I get the address of R14 when I enable the script but there is no way to write to this address in the disable part?

I mean, I don't really need to go to the trouble of finding the address beforehand just to get the original value because it's static as mentioned earlier.
You don't have it straight, to write to an arbitrary address, use the syntax:

Code:

address:
  db 90 90 90
or:

Code:

address:
  mov r14,#999
where 'address' is the address you're trying to write to, can be a hex address, a label name, etc. The first is writing direct byte values (NOPs in this case), the second is using instructions that get converted to the same thing (moving 999 to r14).

Re: Resetting a value after disabling script

Posted: Mon Jan 01, 2018 7:16 pm
by ShyTwig16
Not sure if I am understanding correctly but this may be what you are looking for.

Code:

[ENABLE]
alloc(newmem,2048,"something.exe"+5000000)

globalAlloc(storedvalue, 8) // must be unique symbol

label(returnhere)
label(originalcode)
label(exit)

newmem:
	mov [storedvalue],r14 // store the value of r14 for later
	cmp  [storedvalue+4],0
	jne @f
	        push eax
	        mov eax,[r14]
        	mov [storedvalue+4],eax // store the original value only the first time.
	        pop eax
        @@:
	mov [r14],(float)1 // write the new value to the address

	originalcode:
		comiss xmm6,[r14]

	exit:
	jmp returnhere


"something.exe"+5000000:
	jmp newmem
	nop
	nop
	nop
	returnhere:

[DISABLE]
"something.exe"+5000000:
	comiss xmm6,[r14]
	//Alt: db 41 23 7B B6 6E 03 00 00

dealloc(newmem) // deallocate after restoring the original bytes so a thread doesn't get lost in unallocated memory

luaCall(writeFloat('[storedvalue]', '[storedvalue+4]')) // restore the original value
EDIT: This will only work if the original value is not zero.
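The script above captures the address held in r14 and the original value the first time the hook runs, then writes them back when the script is disabled. The following is an added C model of that pattern (it is not code from the thread or from Cheat Engine): `game_memory` is a constructed stand-in for the target process, `hook_run()` plays the role of the injected code at the hook point with its pointer argument standing in for r14, and `script_enable()`/`script_disable()` stand in for the [ENABLE] and [DISABLE] sections. Instead of testing whether the stored original is non-zero, it keeps a separate `captured` flag, which removes the "only works if the original value is not zero" caveat from the EDIT above.

```c
/* Added example, not from the thread: a C model of "capture the address and
 * original value on the first hook run, restore on disable". */
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the game's data; index 3 is what "r14" points at. */
static float game_memory[8];

/* Equivalent of the script's storedvalue block, with an explicit flag so an
 * original value of 0.0 is handled like any other value. */
struct saved_state {
    float *target;    /* address "r14" held when the hook first ran */
    float  original;  /* value at that address before it was overwritten */
    bool   captured;  /* true once target/original are valid */
};

static struct saved_state saved;
static bool script_enabled = false;
static const float NEW_VALUE = 1.0f;   /* the script's (float)1 */

/* [ENABLE]: clear any stale state and arm the hook. */
void script_enable(void) {
    memset(&saved, 0, sizeof saved);
    script_enabled = true;
}

/* Models the injected code at the hook point. 'r14' is the pointer the
 * original instruction dereferences. Returns the value the original
 * comiss would read after the hook has run. */
float hook_run(float *r14) {
    if (!script_enabled)
        return *r14;                 /* original code path, no hook */
    if (!saved.captured) {           /* store only the first time */
        saved.target = r14;
        saved.original = *r14;
        saved.captured = true;
    }
    *r14 = NEW_VALUE;                /* mov [r14],(float)1 */
    return *r14;                     /* comiss xmm6,[r14] reads this */
}

/* [DISABLE]: original bytes go back first (here: stop hooking), then the
 * captured value is restored. Returns false if the hook never ran, in
 * which case there is nothing to restore. */
bool script_disable(void) {
    script_enabled = false;
    if (!saved.captured)
        return false;
    *saved.target = saved.original;  /* writeFloat(target, original) */
    saved.captured = false;          /* one restore per capture */
    return true;
}

int main(void) {
    game_memory[3] = 0.0f;           /* the edge case from the EDIT above */
    script_enable();
    hook_run(&game_memory[3]);
    hook_run(&game_memory[3]);
    printf("while enabled: %g\n", game_memory[3]);
    script_disable();
    printf("after disable: %g\n", game_memory[3]);
    return 0;
}
```

One layout detail worth keeping in mind when translating this back to the script: `mov [storedvalue],r14` writes all 8 bytes of the allocation, because r14 is a 64-bit register, so a 4-byte original written at `storedvalue+4` overlaps the upper half of the saved pointer. Giving the pointer and the original value separate, non-overlapping fields (as the struct above does) avoids that.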

Re: Resetting a value after disabling script

Posted: Mon Jan 01, 2018 7:37 pm
by Blayde
ShyTwig16 wrote:
Mon Jan 01, 2018 7:16 pm
Not sure if I am understanding correctly but this may be what you are looking for.

Code:

[ENABLE]
alloc(newmem,2048,"something.exe"+5000000)

globalAlloc(storedvalue, 8) // must be unique symbol

label(returnhere)
label(originalcode)
label(exit)

newmem:
	mov [storedvalue],r14 // store the value of r14 for later
	cmp  [storedvalue+4],0
	jne @f
	        push eax
	        mov eax,[r14]
        	mov [storedvalue+4],eax // store the original value only the first time.
	        pop eax
        @@:
	mov [r14],(float)1 // write the new value to the address

	originalcode:
		comiss xmm6,[r14]

	exit:
	jmp returnhere


"something.exe"+5000000:
	jmp newmem
	nop
	nop
	nop
	returnhere:

[DISABLE]
"something.exe"+5000000:
	comiss xmm6,[r14]
	//Alt: db 41 23 7B B6 6E 03 00 00

dealloc(newmem) // deallocate after restoring the original bytes so a thread doesn't get lost in unallocated memory

luaCall(writeFloat('[storedvalue]', '[storedvalue+4]')) // restore the original value
EDIT: This will only work if the original value is not zero.
! comiss xmm6,[r14] !
Don't forget to push flags. Or use another (empty) reg. instead of r14

Re: Resetting a value after disabling script

Posted: Mon Jan 01, 2018 7:47 pm
by TimFun13
Blayde wrote:
Mon Jan 01, 2018 7:37 pm
ShyTwig16 wrote:
Mon Jan 01, 2018 7:16 pm
Not sure if I am understanding correctly but this may be what you are looking for.

Code:

[ENABLE]
alloc(newmem,2048,"something.exe"+5000000)

globalAlloc(storedvalue, 8) // must be unique symbol

label(returnhere)
label(originalcode)
label(exit)

newmem:
	mov [storedvalue],r14 // store the value of r14 for later
	cmp  [storedvalue+4],0
	jne @f
	        push eax
	        mov eax,[r14]
        	mov [storedvalue+4],eax // store the original value only the first time.
	        pop eax
        @@:
	mov [r14],(float)1 // write the new value to the address

	originalcode:
		comiss xmm6,[r14]

	exit:
	jmp returnhere


"something.exe"+5000000:
	jmp newmem
	nop
	nop
	nop
	returnhere:

[DISABLE]
"something.exe"+5000000:
	comiss xmm6,[r14]
	//Alt: db 41 23 7B B6 6E 03 00 00

dealloc(newmem) // deallocate after restoring the original bytes so a thread doesn't get lost in unallocated memory

luaCall(writeFloat('[storedvalue]', '[storedvalue+4]')) // restore the original value
EDIT: This will only work if the original value is not zero.
! comiss xmm6,[r14] !
Don't forget to push flags. Or use another (empty) reg. instead of r14
Could you elaborate please? Not sure why you're saying this (no insults intended, just curious).

Re: Resetting a value after disabling script

Posted: Mon Jan 01, 2018 8:27 pm
by Blayde
ShyTwig16 wrote:
Mon Jan 01, 2018 7:47 pm
Could you elaborate please.
No problem if the author sends me a snapshot of the original assembly code,
and why he/she wants to change the "cmp opcode".
ShyTwig16 wrote:
Mon Jan 01, 2018 7:47 pm
Not sure why you're saying this (on insults intended, just curious).
For "security" reasons it is better to save the flag(s).

Re: Resetting a value after disabling script

Posted: Mon Jan 01, 2018 8:39 pm
by TimFun13
Blayde wrote:
Mon Jan 01, 2018 8:27 pm
ShyTwig16 wrote:
Mon Jan 01, 2018 7:47 pm
Could you elaborate please.
No problem if the author sends me a snapshot of the original assembly code,
and why he/she wants to change the "cmp opcode".
ShyTwig16 wrote:
Mon Jan 01, 2018 7:47 pm
Not sure why you're saying this (on insults intended, just curious).
For "security" reasons it is better to save the flag(s).
Which compare is the concern?

Code:

cmp  [storedvalue+4],0
or

Code:

comiss xmm6,[r14]
My thinking was that the original compare would reset the flags. Am I understanding this wrong?

EDIT:
So cmp sets the CF, OF, SF, ZF, AF, and PF flags in the EFLAGS register according to the result.
And comiss sets the ZF, PF, and CF flags in the EFLAGS register according to the result.

So is it the OF, SF, and AF flags that are the concern?

Re: Resetting a value after disabling script

Posted: Mon Jan 01, 2018 9:07 pm
by Blayde
Fruitpunch wrote:
Sun Dec 31, 2017 3:23 pm
....... there doesn't seem to be other instructions accessing this address.
Because it's only compare reg,mem.
ShyTwig16 wrote:
Mon Jan 01, 2018 8:39 pm
.................
Keep it simple and stupid:

push r14
mov [r14],YourValue
comiss xmm6,[r14]
pop r14

Done.