Resetting a value after disabling script

Fruitpunch
Novice Cheater
Posts: 15
Joined: Sat Sep 09, 2017 1:07 pm
Reputation: 0


Post by Fruitpunch » Fri Dec 29, 2017 7:11 pm

Hello,

I have a script which works per se but I am changing a value in an address where nothing writes. I need to reset the value when the script is disabled. Is there a simple way to do this?

I'd prefer the solution is in Assembly and does not involve aobscan unless there is no other way.

TheyCallMeTim13
Fearless Donors
Posts: 130
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 19

Re: Resetting a value after disabling script

Post by TheyCallMeTim13 » Fri Dec 29, 2017 7:25 pm

Code:

...
valueAddress:
    dd (int)100
...
Maybe readMem would do it; hard to say with no code posted.

Code:

[Enable]
...
storedValueAddress:
    readMem(valueAddress, 4)
...
[Disable]
...
valueAddress:
    readMem(storedValueAddress, 4)
...

FreeER
Expert Cheater
Posts: 69
Joined: Fri Mar 10, 2017 7:11 pm
Reputation: 11

Re: Resetting a value after disabling script

Post by FreeER » Fri Dec 29, 2017 7:39 pm

That depends on how the script works. If you have a static address or pointer then you can use the method TheyCallMeTim13 showed, if you have to hook code to get the address then you could have that hook write the address to memory that you could access later when you disable it. If you've created a thread/timer to constantly write to it (unlikely since you said nothing else writes to it) then you'd probably need to modify that to reset the value when it stops.

Fruitpunch
Novice Cheater
Posts: 15
Joined: Sat Sep 09, 2017 1:07 pm
Reputation: 0

Re: Resetting a value after disabling script

Post by Fruitpunch » Sat Dec 30, 2017 8:18 pm

Thanks for the input.

Yeah, I already stumbled upon readMem, but since the examples have been just so, I have not been able to understand how to write one correctly.

Is this anywhere near what it should be?

Code:

[ENABLE]
alloc(newmem,2048)
alloc(storedvalue, 4)
alloc(originalvalue, 4)
label(returnhere)
label(originalcode)
label(exit)

newmem:
mov [r14],(float)1

originalcode:
comiss xmm6,[r14]

exit:
jmp returnhere

originalvalue:
dd (float)1.4

storedvalue:
readMem(originalvalue, 4)

[DISABLE]
dealloc(newmem)
dealloc(storedvalue)
dealloc(originalvalue)
readMem(storedvalue, 4)

TheyCallMeTim13
Fearless Donors
Posts: 130
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 19

Re: Resetting a value after disabling script

Post by TheyCallMeTim13 » Sat Dec 30, 2017 9:23 pm

You have "newmem" with code but no injection point. If you are only reading and writing to an address that is static or pulled from some other script then it could work, but with that code and the "newmem" it looks like you're trying to inject.

Without knowing the injection point, this is the best I can figure:

Code:

[ENABLE]
alloc(newmem,2048)

alloc(storedvalue, 4)
registerSymbol(storedvalue) // must be unique

label(returnhere)
label(originalcode)
label(exit)


newmem:
	mov [r14],(float)1
	originalcode:
		comiss xmm6,[r14]
	exit:
		jmp returnhere


storedvalue:
	readMem({ Address or AOB Symbol of the original value}, 4)


some_injection_point:
	jmp newmem
	//any needed nops
	returnhere:


[DISABLE]
some_injection_point:
	db { original bytes }

{ Address or AOB Symbol of the original value}:
	readMem(storedvalue, 4)

dealloc(newmem)
dealloc(storedvalue)

unregisterSymbol(storedvalue)

But the "some_injection_point" needs to be an address or you will need to set up an AOB and register the symbol.

Code:

aobScanModule(some_injection_point, GAME.exe, F3????????????F3????????D9????F3????????0F2F)
registerSymbol(some_injection_point) // must be unique

Code:

[ENABLE]
aobScanModule(some_injection_point, GAME.exe, { injection point AOB })
registerSymbol(some_injection_point) // must be unique
alloc(newmem,2048)

alloc(storedvalue, 4)
registerSymbol(storedvalue) // must be unique

label(returnhere)
label(originalcode)
label(exit)


newmem:
	mov [r14],(float)1
	originalcode:
		comiss xmm6,[r14]
	exit:
		jmp returnhere


storedvalue:
	readMem({ Address or AOB Symbol of the original value}, 4)


some_injection_point:
	jmp newmem
	//any needed nops
	returnhere:


[DISABLE]
some_injection_point:
	db { original bytes }

{ Address or AOB Symbol of the original value}:
	readMem(storedvalue, 4)

dealloc(newmem)
dealloc(storedvalue)

unregisterSymbol(storedvalue)
unregisterSymbol(some_injection_point)
If you are trying to inject, go to the memory view form, select some code with the injection point in the middle, press Ctrl+C, click OK on the prompt, then post that in a Code Block (</>) and mark the injection point in an understandable way; then people can help a little better.

But this is a trial and error process so just keep trying.

There are some new tutorials on the Cheat Engine Wiki also.
Tutorials
Creating a cheat table - Full guide

Fruitpunch
Novice Cheater
Posts: 15
Joined: Sat Sep 09, 2017 1:07 pm
Reputation: 0

Re: Resetting a value after disabling script

Post by Fruitpunch » Sun Dec 31, 2017 3:23 pm

Sorry, I left out too much.

The injection is done at the same point where I am doing the modification.
I'm having trouble getting the right address in the readMem, and no the address is not static.

Can't use another script because there doesn't seem to be other instructions accessing this address.

Code:

[ENABLE]
alloc(newmem,2048,"something.exe"+5000000)
alloc(storedvalue, 4)
registersymbol(storedvalue)
label(returnhere)
label(originalcode)
label(exit)

newmem:
mov [r14],(float)1

originalcode:
comiss xmm6,[r14]

exit:
jmp returnhere

storedvalue:
readMem(xxxx,4) //if I have understood correctly xxxx should be replaced with the address that is stored in r14


"something.exe"+5000000:
jmp newmem
nop
nop
nop
returnhere:

[DISABLE]
dealloc(newmem)
dealloc(storedvalue)
readMem(storedvalue,4)
"something.exe"+5000000:
comiss xmm6,[r14]
//Alt: db 41 23 7B B6 6E 03 00 00

unregistersymbol(storedvalue)

TheyCallMeTim13
Fearless Donors
Posts: 130
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 19

Re: Resetting a value after disabling script

Post by TheyCallMeTim13 » Sun Dec 31, 2017 5:18 pm

In that case, I would try to find where the R14 register is written. I'd bet there is a base with an offset, and R14 is calculated with those.

EDIT: Then just inject there and store the base for later use, and you may need to store the offset as well.

Fruitpunch
Novice Cheater
Posts: 15
Joined: Sat Sep 09, 2017 1:07 pm
Reputation: 0

Re: Resetting a value after disabling script

Post by Fruitpunch » Mon Jan 01, 2018 12:54 pm

Let me get this straight, so I get the address of R14 when I enable the script but there is no way to write to this address in the disable part?

I mean, I don't really need to go to the trouble of finding the address beforehand just to get the original value because it's static as mentioned earlier.

jungletek
Shogun
Posts: 88
Joined: Tue Oct 17, 2017 7:31 am
Reputation: 10

Re: Resetting a value after disabling script

Post by jungletek » Mon Jan 01, 2018 6:17 pm

Fruitpunch wrote:
Mon Jan 01, 2018 12:54 pm
Let me get this straight, so I get the address of R14 when I enable the script but there is no way to write to this address in the disable part?

I mean, I don't really need to go to the trouble of finding the address beforehand just to get the original value because it's static as mentioned earlier.
You don't have it straight. To write to an arbitrary address, use the syntax:

Code:

address:
  db 90 90 90
or:

Code:

address:
  mov r14,#999
where 'address' is the address you're trying to write to; it can be a hex address, a label name, etc. The first is writing direct byte values (NOPs in this case); the second is using instructions that get converted to the same thing (moving 999 to r14).

TheyCallMeTim13
Fearless Donors
Posts: 130
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 19

Re: Resetting a value after disabling script

Post by TheyCallMeTim13 » Mon Jan 01, 2018 7:16 pm

Not sure if I am understanding correctly but this may be what you are looking for.

Code:

[ENABLE]
alloc(newmem,2048,"something.exe"+5000000)

globalAlloc(storedvalue, 16) // must be unique symbol; +0 holds r14 (8 bytes), +8 holds the original value

label(returnhere)
label(originalcode)
label(exit)

newmem:
	mov [storedvalue],r14 // store the value of r14 for later
	cmp dword ptr [storedvalue+8],0
	jne @f
	        push rax // 64-bit target: save/restore the full register
	        mov eax,[r14]
        	mov [storedvalue+8],eax // store the original value only the first time.
	        pop rax
        @@:
	mov [r14],(float)1 // write the new value to the address

	originalcode:
		comiss xmm6,[r14]

	exit:
	jmp returnhere


"something.exe"+5000000:
	jmp newmem
	nop
	nop
	nop
	returnhere:

[DISABLE]
"something.exe"+5000000:
	comiss xmm6,[r14]
	//Alt: db 41 23 7B B6 6E 03 00 00

dealloc(newmem) // deallocate after restoring the original bytes so a thread doesn't get lost in unallocated memory

luaCall(writeFloat('[storedvalue]', readFloat('storedvalue+8'))) // restore the original value at the saved address
EDIT: This will only work if the original value is not zero.
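A complete version of the store-once-and-restore pattern discussed in this thread, written as an added example (not code posted by anyone in the thread). It keeps the saved pointer and the original value in separate slots so the 8-byte r14 store cannot overwrite the value, records a separate "captured" flag so an original value of zero is still restored, and preserves the game's flags around the cmp. The injection address and instruction are taken from the thread; the 16-byte layout of storedvalue and the `db { original 8 bytes }` placeholder are assumptions.

```asm
[ENABLE]
// Layout of storedvalue (assumed): +0 saved r14 (8 bytes), +8 original float, +12 captured flag
globalAlloc(storedvalue,16)
alloc(newmem,2048,"something.exe"+5000000)
label(returnhere)
label(originalcode)
label(exit)
label(alreadysaved)

newmem:
  pushf                              // keep the game's flags intact across our cmp
  mov [storedvalue],r14              // remember where the value lives
  cmp dword ptr [storedvalue+12],0   // already captured on an earlier pass?
  jne alreadysaved
  push rax
  mov eax,[r14]
  mov [storedvalue+8],eax            // original value, captured exactly once
  mov dword ptr [storedvalue+12],1   // flag says "captured", so a zero original still restores
  pop rax
alreadysaved:
  mov [r14],(float)1                 // the modification from the thread
  popf                               // flags back as the game left them before comiss runs
originalcode:
  comiss xmm6,[r14]
exit:
  jmp returnhere

"something.exe"+5000000:
  jmp newmem
  nop
  nop
  nop
returnhere:

[DISABLE]
"something.exe"+5000000:
  db { original 8 bytes }            // placeholder: the 5-byte jmp plus 3 nops overwrote 8 bytes

dealloc(newmem)                      // only after the original bytes are back

{$lua}
if syntaxcheck then return end
-- restore only if the hook ran at least once; '[storedvalue]' dereferences the saved pointer
if readInteger('storedvalue+12') ~= 0 then
  writeFloat('[storedvalue]', readFloat('storedvalue+8'))
  writeInteger('storedvalue+12', 0)  -- clear the flag so a re-enable captures afresh
end
{$asm}
```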

Blayde
Expert Cheater
Posts: 229
Joined: Fri Aug 25, 2017 2:37 pm
Reputation: 39

Re: Resetting a value after disabling script

Post by Blayde » Mon Jan 01, 2018 7:37 pm

TheyCallMeTim13 wrote:
Mon Jan 01, 2018 7:16 pm
Not sure if I am understanding correctly but this may be what you are looking for.

Code:

[ENABLE]
alloc(newmem,2048,"something.exe"+5000000)

globalAlloc(storedvalue, 16) // must be unique symbol; +0 holds r14 (8 bytes), +8 holds the original value

label(returnhere)
label(originalcode)
label(exit)

newmem:
	mov [storedvalue],r14 // store the value of r14 for later
	cmp dword ptr [storedvalue+8],0
	jne @f
	        push rax // 64-bit target: save/restore the full register
	        mov eax,[r14]
        	mov [storedvalue+8],eax // store the original value only the first time.
	        pop rax
        @@:
	mov [r14],(float)1 // write the new value to the address

	originalcode:
		comiss xmm6,[r14]

	exit:
	jmp returnhere


"something.exe"+5000000:
	jmp newmem
	nop
	nop
	nop
	returnhere:

[DISABLE]
"something.exe"+5000000:
	comiss xmm6,[r14]
	//Alt: db 41 23 7B B6 6E 03 00 00

dealloc(newmem) // deallocate after restoring the original bytes so a thread doesn't get lost in unallocated memory

luaCall(writeFloat('[storedvalue]', readFloat('storedvalue+8'))) // restore the original value at the saved address
EDIT: This will only work if the original value is not zero.
! comiss xmm6,[r14] !
Don't forget to push flags. Or use another (empty) reg. instead of r14

TheyCallMeTim13
Fearless Donors
Posts: 130
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 19

Re: Resetting a value after disabling script

Post by TheyCallMeTim13 » Mon Jan 01, 2018 7:47 pm

Blayde wrote:
Mon Jan 01, 2018 7:37 pm
TheyCallMeTim13 wrote:
Mon Jan 01, 2018 7:16 pm
Not sure if I am understanding correctly but this may be what you are looking for.

Code:

[ENABLE]
alloc(newmem,2048,"something.exe"+5000000)

globalAlloc(storedvalue, 16) // must be unique symbol; +0 holds r14 (8 bytes), +8 holds the original value

label(returnhere)
label(originalcode)
label(exit)

newmem:
	mov [storedvalue],r14 // store the value of r14 for later
	cmp dword ptr [storedvalue+8],0
	jne @f
	        push rax // 64-bit target: save/restore the full register
	        mov eax,[r14]
        	mov [storedvalue+8],eax // store the original value only the first time.
	        pop rax
        @@:
	mov [r14],(float)1 // write the new value to the address

	originalcode:
		comiss xmm6,[r14]

	exit:
	jmp returnhere


"something.exe"+5000000:
	jmp newmem
	nop
	nop
	nop
	returnhere:

[DISABLE]
"something.exe"+5000000:
	comiss xmm6,[r14]
	//Alt: db 41 23 7B B6 6E 03 00 00

dealloc(newmem) // deallocate after restoring the original bytes so a thread doesn't get lost in unallocated memory

luaCall(writeFloat('[storedvalue]', readFloat('storedvalue+8'))) // restore the original value at the saved address
EDIT: This will only work if the original value is not zero.
! comiss xmm6,[r14] !
Don't forget to push flags. Or use another (empty) reg. instead of r14
Could you elaborate, please? Not sure why you're saying this (no insults intended, just curious).

Blayde
Expert Cheater
Posts: 229
Joined: Fri Aug 25, 2017 2:37 pm
Reputation: 39

Re: Resetting a value after disabling script

Post by Blayde » Mon Jan 01, 2018 8:27 pm

TheyCallMeTim13 wrote:
Mon Jan 01, 2018 7:47 pm
Could you elaborate please.
No problem if the author sends me a snapshot of the original assembly code.
And why he/she wants to change the "cmp opcode".
TheyCallMeTim13 wrote:
Mon Jan 01, 2018 7:47 pm
Not sure why you're saying this (on insults intended, just curious).
For "security" reasons it is better to save the flag(s).

TheyCallMeTim13
Fearless Donors
Posts: 130
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 19

Re: Resetting a value after disabling script

Post by TheyCallMeTim13 » Mon Jan 01, 2018 8:39 pm

Blayde wrote:
Mon Jan 01, 2018 8:27 pm
TheyCallMeTim13 wrote:
Mon Jan 01, 2018 7:47 pm
Could you elaborate please.
No problem if the author sends me a snapshot of the original assembly code.
And why he/she wants to change the "cmp opcode".
TheyCallMeTim13 wrote:
Mon Jan 01, 2018 7:47 pm
Not sure why you're saying this (on insults intended, just curious).
For "security" reasons it is better to save the flag(s).
Which compare is the concern?

Code:

cmp  [storedvalue+4],0
or

Code:

comiss xmm6,[r14]
My thinking was that the original compare would reset the flags. Am I understanding this wrong?

EDIT:
So cmp sets the CF, OF, SF, ZF, AF, and PF flags in the EFLAGS register according to the result.
And comiss sets the ZF, PF, and CF flags in the EFLAGS register according to the result.

So is it the OF, SF, and AF flags that are the concern?

Blayde
Expert Cheater
Posts: 229
Joined: Fri Aug 25, 2017 2:37 pm
Reputation: 39

Re: Resetting a value after disabling script

Post by Blayde » Mon Jan 01, 2018 9:07 pm

Fruitpunch wrote:
Sun Dec 31, 2017 3:23 pm
....... there doesn't seem to be other instructions accessing this address.
Because it's only compare reg,mem.
TheyCallMeTim13 wrote:
Mon Jan 01, 2018 8:39 pm
.................
Keep it simple and stupid:

push r14
mov [r14],YourValue
comiss xmm6,[r14]
pop r14

Done.
