Unique AOB Question

Memory scanning, code injection, debugger internals and other gamemodding related discussion
Kalas
Posts: 106
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 2

Unique AOB Question

Post by Kalas » Fri Mar 17, 2017 4:20 pm

So assuming this is my script:


[ENABLE]

aobscan(aobStats,F3 0F 11 6E 2C 48 8B CE 48 83 EC 20 49 BB C0)
alloc(newmem,$100,A00671B2)

label(code)
label(return)

newmem:
  cmp [rsi+B4],1
  jne code
  mov [rsi+2C],(float)500
  jmp return

code:
  movss [rsi+2C],xmm5
  jmp return

aobStats:
  jmp newmem
return:
registersymbol(aobStats)

[DISABLE]

aobStats:
  db F3 0F 11 6E 2C

unregistersymbol(aobStats)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: A00671B2

""+A0067186: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
""+A006718A: F2 0F 5A E8                    -  cvtsd2ss xmm5,xmm0
""+A006718E: F3 0F 11 6D EC                 -  movss [rbp-14],xmm5
""+A0067193: F3 0F 10 46 2C                 -  movss xmm0,[rsi+2C]
""+A0067198: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
""+A006719C: F2 0F 5A E8                    -  cvtsd2ss xmm5,xmm0
""+A00671A0: F3 0F 11 6D E8                 -  movss [rbp-18],xmm5
""+A00671A5: F3 0F 10 45 D8                 -  movss xmm0,[rbp-28]
""+A00671AA: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
""+A00671AE: F2 0F 5A E8                    -  cvtsd2ss xmm5,xmm0
// ---------- INJECTING HERE ----------
""+A00671B2: F3 0F 11 6E 2C                 -  movss [rsi+2C],xmm5
// ---------- DONE INJECTING  ----------
""+A00671B7: 48 8B CE                       -  mov rcx,rsi
""+A00671BA: 48 83 EC 20                    -  sub rsp,20
""+A00671BE: 49 BB C0 6E 06 A0 00 00 00 00  -  mov r11,00000000A0066EC0
""+A00671C8: 41 FF D3                       -  call r11
""+A00671CB: 48 83 C4 20                    -  add rsp,20
""+A00671CF: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
""+A00671D3: F2 0F 5A E8                    -  cvtsd2ss xmm5,xmm0
""+A00671D7: F3 0F 11 6D E4                 -  movss [rbp-1C],xmm5
""+A00671DC: F3 0F 10 45 EC                 -  movss xmm0,[rbp-14]
""+A00671E1: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
}
This is my AOB: F3 0F 11 6E 2C 48 8B CE 48 83 EC 20 49 BB C0

When I relaunch the game it changes only the last part; for example, instead of C0 it can be C3 or whatever. Is this fixable by adding ?? instead of C0?

Kalas
Posts: 106
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 2

Re: Unique AOB Question

Post by Kalas » Fri Mar 17, 2017 4:40 pm

OK so this script is working actually:


[ENABLE]

aobscan(aobStats,F3 0F 11 6E 2C 48 8B CE 48 83 EC 20 49 BB ??)
alloc(newmem,$100,A00671B2)

label(code)
label(return)

newmem:
  cmp [rsi+1E0],0
  jne code
  mov [rsi+2C],(float)500
  jmp return

code:
  movss [rsi+2C],xmm5
  jmp return

aobStats:
  jmp newmem
return:
registersymbol(aobStats)

[DISABLE]

aobStats:
  db F3 0F 11 6E 2C

unregistersymbol(aobStats)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: A00671B2

""+A0067186: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
""+A006718A: F2 0F 5A E8                    -  cvtsd2ss xmm5,xmm0
""+A006718E: F3 0F 11 6D EC                 -  movss [rbp-14],xmm5
""+A0067193: F3 0F 10 46 2C                 -  movss xmm0,[rsi+2C]
""+A0067198: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
""+A006719C: F2 0F 5A E8                    -  cvtsd2ss xmm5,xmm0
""+A00671A0: F3 0F 11 6D E8                 -  movss [rbp-18],xmm5
""+A00671A5: F3 0F 10 45 D8                 -  movss xmm0,[rbp-28]
""+A00671AA: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
""+A00671AE: F2 0F 5A E8                    -  cvtsd2ss xmm5,xmm0
// ---------- INJECTING HERE ----------
""+A00671B2: F3 0F 11 6E 2C                 -  movss [rsi+2C],xmm5
// ---------- DONE INJECTING  ----------
""+A00671B7: 48 8B CE                       -  mov rcx,rsi
""+A00671BA: 48 83 EC 20                    -  sub rsp,20
""+A00671BE: 49 BB C0 6E 06 A0 00 00 00 00  -  mov r11,00000000A0066EC0
""+A00671C8: 41 FF D3                       -  call r11
""+A00671CB: 48 83 C4 20                    -  add rsp,20
""+A00671CF: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
""+A00671D3: F2 0F 5A E8                    -  cvtsd2ss xmm5,xmm0
""+A00671D7: F3 0F 11 6D E4                 -  movss [rbp-1C],xmm5
""+A00671DC: F3 0F 10 45 EC                 -  movss xmm0,[rbp-14]
""+A00671E1: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
}
But I get an error display when I use it. Could the game use any kind of anticheat?

FreeER
Posts: 15
Joined: Fri Mar 10, 2017 7:11 pm
Reputation: 0

Re: Unique AOB Question

Post by FreeER » Fri Mar 17, 2017 4:55 pm

First, for a question like this you can very quickly just test it yourself and find out; it's much faster than waiting for a response :)

But yeah, CE treats any non-hexadecimal character (and separators: space, comma, and dash -) as a wildcard, and it reads either 2 characters or 1 character and a space as a byte (last I knew it doesn't support half-byte wildcards, so you can't use 7? and have it match 73 but not 33, but it's been a couple of versions since I checked that).

At least going by the GitHub code, if it doesn't have nibble (half-byte) support in the latest release it should have at least some support in the next.

https://github.com/cheat-engine/cheat-e ... #L190-L199 (Pascal uses a $ prefix for hexadecimal values; scroll up to 165 to see the delims/separators and them being passed to ExtractWord)

And just in case you (or someone reading this later) aren't aware, the changing C0 is coming from the address in the mov r11,00000000A0066EC0 instruction.

++METHOS
Posts: 102
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 8

Re: Unique AOB Question

Post by ++METHOS » Fri Mar 17, 2017 5:29 pm

Try this signature:
F3 0F 11 6E 2C 48 8B CE 48 83 EC 20 49 BB * * * * * * * * 41

Kalas
Posts: 106
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 2

Re: Unique AOB Question

Post by Kalas » Fri Mar 17, 2017 5:46 pm

Can you please explain what * means and how you reached 41? Did you add more bytes?

Kalas
Posts: 106
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 2

Re: Unique AOB Question

Post by Kalas » Fri Mar 17, 2017 5:48 pm

FreeER wrote:
Fri Mar 17, 2017 4:55 pm
First, for a question like this you can very quickly just test it yourself and find out; it's much faster than waiting for a response :)

But yeah, CE treats any non-hexadecimal character (and separators: space, comma, and dash -) as a wildcard, and it reads either 2 characters or 1 character and a space as a byte (last I knew it doesn't support half-byte wildcards, so you can't use 7? and have it match 73 but not 33, but it's been a couple of versions since I checked that).

At least going by the GitHub code, if it doesn't have nibble (half-byte) support in the latest release it should have at least some support in the next.

https://github.com/cheat-engine/cheat-e ... #L190-L199 (Pascal uses a $ prefix for hexadecimal values; scroll up to 165 to see the delims/separators and them being passed to ExtractWord)

And just in case you (or someone reading this later) aren't aware, the changing C0 is coming from the address in the mov r11,00000000A0066EC0 instruction.

Oh, well, I have much more to learn about assembly. Thank you though; now I'll try the other signature, but what does * mean?

++METHOS
Posts: 102
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 8

Re: Unique AOB Question

Post by ++METHOS » Fri Mar 17, 2017 5:53 pm

They are wildcard variables for potentially dynamic bytes.

The wildcard in your previous signature was no good:
F3 0F 11 6E 2C 48 8B CE 48 83 EC 20 49 BB ??
Having a wildcard at the beginning or end of your signature is pointless (unless you are trying to avoid offset injection).

Kalas
Posts: 106
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 2

Re: Unique AOB Question

Post by Kalas » Fri Mar 17, 2017 5:54 pm

Oh ok, well I'm happy to tell you it works :)

Thank you so much!

So wait, assuming my AOB in another game changes in the middle, should I use the * as well, or am I misunderstanding this completely? Could you send me a link to where I can learn about this?

FreeER
Posts: 15
Joined: Fri Mar 10, 2017 7:11 pm
Reputation: 0

Re: Unique AOB Question

Post by FreeER » Fri Mar 17, 2017 6:28 pm

'*' is exactly the same as '?' or 'z' as far as CE is concerned in an AOB string. It's not a hexadecimal value or a word separator, so it can mean anything at all. As ++METHOS said, having a wildcard at the end is pointless since you can just leave it off; after all, a wildcard says the byte can be anything, but you aren't specifying what the bytes after your AOB string need to be either, so they "implicitly" can be anything.

Having them at the start isn't entirely pointless, since it does shift the address you get. E.g. if the starting byte, F3, was changing, then using


0F 11 6E 2C 48 8B CE 48 83 EC 20 49 BB
as your AOB string would give you the address of the 0F, not the byte before it (requiring you to use aobStats-1 instead of just aobStats to get the proper address), while using any of these

? 0F 11 6E 2C 48 8B CE 48 83 EC 20 49 BB


?? 0F 11 6E 2C 48 8B CE 48 83 EC 20 49 BB


* 0F 11 6E 2C 48 8B CE 48 83 EC 20 49 BB


** 0F 11 6E 2C 48 8B CE 48 83 EC 20 49 BB


z 0F 11 6E 2C 48 8B CE 48 83 EC 20 49 BB


zz 0F 11 6E 2C 48 8B CE 48 83 EC 20 49 BB


$ 0F 11 6E 2C 48 8B CE 48 83 EC 20 49 BB


$$ 0F 11 6E 2C 48 8B CE 48 83 EC 20 49 BB
would give you the address of the byte in front of the 0F (whatever it might be).

edit: Assuming, of course, that 0F 11 6E 2C 48 8B CE 48 83 EC 20 49 BB was a unique signature (meaning doing an Array of Bytes search always returned only 1 result). Since it's 1 byte shorter (the F3; more if you use ++METHOS's suggested one, which is better), there might be other locations in memory that also matched. Since aobscan returns the first match it finds, if there was another match in memory with the same byte signature that occurred before the one you cared about, then you'd get the address of that memory instead of the intended one (that's why they should be unique).
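A small CE-style AOB scanner, added here as an illustration (not code from the thread or from Cheat Engine), that reproduces the points FreeER and ++METHOS make: the immediate byte after 49 BB breaking the original signature, trailing wildcards being redundant, leading wildcards shifting the returned address, and a shorter signature matching in more than one place. The sample memory is constructed from the disassembly dump in the thread; the "relaunch" copy with C3 in place of C0 is assumed.

```python
import re

# Constructed sample: the bytes at A00671AE..A00671CF from the dump above.
# MEM_RELAUNCH models a relaunch where the mov r11 immediate changed (C0 -> C3).
MEM_FIRST_RUN = bytes.fromhex(
    "F20F5AE8" "F30F116E2C" "488BCE" "4883EC20"
    "49BBC06E06A000000000" "41FFD3" "4883C420"
)
MEM_RELAUNCH = MEM_FIRST_RUN.replace(b"\x49\xBB\xC0", b"\x49\xBB\xC3")


def parse_aob(pattern):
    """Turn a CE-style AOB string into byte values, with None for wildcards.

    Tokens are split on space, comma and dash. A token made only of hex
    digits is a literal byte; anything else ('?', '??', '*', 'z', '$', ...)
    is a wildcard. A half-byte token such as '7?' is not hex, so it becomes
    a full-byte wildcard (no nibble matching, as the thread describes)."""
    tokens = [t for t in re.split(r"[ ,\-]+", pattern.strip()) if t]
    sig = []
    for tok in tokens:
        if re.fullmatch(r"[0-9A-Fa-f]{1,2}", tok):
            sig.append(int(tok, 16))
        else:
            sig.append(None)
    return sig


def find_all(memory, pattern):
    """Every offset at which the signature matches (use this to check uniqueness)."""
    sig = parse_aob(pattern)
    hits = []
    for base in range(len(memory) - len(sig) + 1):
        if all(b is None or memory[base + i] == b for i, b in enumerate(sig)):
            hits.append(base)
    return hits


def aobscan(memory, pattern):
    """Like CE's aobscan(): offset of the first match, or None if nothing matches."""
    hits = find_all(memory, pattern)
    return hits[0] if hits else None


if __name__ == "__main__":
    original = "F3 0F 11 6E 2C 48 8B CE 48 83 EC 20 49 BB C0"
    print("original sig, first run :", aobscan(MEM_FIRST_RUN, original))
    print("original sig, relaunch  :", aobscan(MEM_RELAUNCH, original))
    print("METHOS sig, relaunch    :", aobscan(MEM_RELAUNCH,
          "F3 0F 11 6E 2C 48 8B CE 48 83 EC 20 49 BB * * * * * * * * 41"))
```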
