Help seperating me from enimes

Memory scanning, code injection, debugger internals and other game-modding related discussion
pharaon
Expert Cheater
Posts: 88
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: Help seperating me from enimes

Post by pharaon » Tue Oct 02, 2018 10:40 am

I tried the code above,
put it manually in the address memCheat1,
but the dissect data shows me nothing related to my Gold amount.

TheyCallMeTim13
Administration
Posts: 1125
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 192

Re: Help seperating me from enimes

Post by TheyCallMeTim13 » Tue Oct 02, 2018 1:22 pm

pharaon wrote:
Tue Oct 02, 2018 10:40 am
I tried the code above, put it manually in the address memCheat1, but the dissect data shows me nothing related to my Gold amount.
If you're looking at "memCheat1" in the dissect data viewer, why? It's the memory you allocated and assembled, and you never stored anything, so why would it hold the "gold" amount? You would need to create a place to store some data and then actually store that data. I think you need to step back and take the time to learn some ASM and the basics of programming. Have you done the CE tutorial yet?

EDIT:
Here is an example of what you need to do to store a base address to make your own pointer. From my Far Cry 3 table:

Code:

{$STRICT}

define(address, FC3_d3d11.dll+7D891F)
define(bytes, FF 52 78 84 C0)

////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
// aobScanModule(aobHealthHook, $MODULE_NAME, E8xxxxxxxx85xx74xx8Bxx8BxxFFxxxx84xx75xxFExx8B)
i2aobScanModule(aobHealthHook, $MODULE_NAME, E8xxxxxxxx85xx74xx8Bxx8BxxFFxxxx84xx75xxFExx8B)
define(injHealthHook, aobHealthHook+D)
// assert(injHealthHook, bytes)
i2assert(injHealthHook, bytes)
registerSymbol(injHealthHook)

alloc(memHealthHook, 0x400, injHealthHook)

label(ptrHealthHook)
registerSymbol(ptrHealthHook)

label(n_code)
label(o_code)
label(exit)
label(return)

memHealthHook:
	ptrHealthHook:
		dd 0  //// Here is where the address will be stored; make sure you're using the right data size ("dd" for x32 or "dq" for x64).
	align 10 CC //// Isn't needed, but it looks better in memory view; easier to debug when you can see your code assembled.
	n_code:
		mov [ptrHealthHook],eax //// Here the base address is stored to "ptrHealthHook"
	o_code:
		call dword ptr [edx+78] //// [ignore] This is just original code from the game
		test al,al //// [ignore] This is just original code from the game
	exit:
		jmp return


////
//// ---------- Injection Point ----------
injHealthHook:
	jmp n_code //// Make sure you're jumping to the right spot
	return:


////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
////
//// ---------- Injection Point ----------
injHealthHook:
	db bytes

unregisterSymbol(injHealthHook)

unregisterSymbol(ptrHealthHook)

dealloc(memHealthHook)


Post by pharaon » Tue Oct 02, 2018 3:14 pm

OK, about your code, I want to make a few things clear and understand other stuff.

mov [ptrHealthHook],eax //// Here the base address is stored to "ptrHealthHook"
Why is it EAX, although call dword ptr [edx+78] is the original game code? Shouldn't you be moving EDX instead of EAX?

I did this before:
globalAlloc(bbase,4)
fstp qword ptr [esp] << original code
mov [bbase],esp

What is the difference between this and reassemble?


Post by TheyCallMeTim13 » Tue Oct 02, 2018 9:19 pm

pharaon wrote:
Tue Oct 02, 2018 3:14 pm
...
mov [ptrHealthHook],eax //// Here the base address is stored to "ptrHealthHook"
Why is it EAX, although call dword ptr [edx+78] is the original game code? Shouldn't you be moving EDX instead of EAX?
...
Because the call is calling a "set value" function (health, body armor, stamina) that all entities call, so hooking it there keeps me from having to separate player from combatant; and at this point in the opcode the EAX register holds the address I'm looking for (but it's a few levels back in the pointer chain). Later in the "set value" function ECX holds the address; it just depends on where things are at the injection point you use. Look into "break and trace"; there are some good YT videos.

pharaon wrote:
Tue Oct 02, 2018 3:14 pm
...
I did this before:
globalAlloc(bbase,4)
fstp qword ptr [esp] << original code
mov [bbase],esp

What is the difference between this and reassemble?
reassemble mostly reinterprets addresses for you; it's more useful with a 64-bit process. It just reassembles a given instruction; readMem is better for keeping the instruction exactly the same and the same size (size being the important part for restoring the original code).
What you have there has nothing to do with reassemble, really.


Post by pharaon » Tue Oct 02, 2018 9:47 pm

TheyCallMeTim13 wrote:
Tue Oct 02, 2018 9:19 pm

Because the call is calling a "set value" function (health, body armor, stamina) that all entities call, so hooking it there keeps me from having to separate player from combatant; and at this point in the opcode the EAX register holds the address I'm looking for (but it's a few levels back in the pointer chain). Later in the "set value" function ECX holds the address; it just depends on where things are at the injection point you use. Look into "break and trace"; there are some good YT videos.
I think this is my situation here,
so the point I want to understand and get very well is:

you said

"and at this point in the opcode the EAX register holds the address I'm looking for"

How can I know if EAX or any other register is holding the address I want? And how do I find out which address it is?

When I breakpoint the code I get the addresses in the registers, but none of those addresses hold my values.

And as you can see in the first post, the opcode writes to too many addresses.


Post by TheyCallMeTim13 » Wed Oct 03, 2018 1:19 am

pharaon wrote:
Tue Oct 02, 2018 9:47 pm
...
How can I know if EAX or any other register is holding the address I want? And how do I find out which address it is?

When I breakpoint the code I get the addresses in the registers, but none of those addresses hold my values.

And as you can see in the first post, the opcode writes to too many addresses.
You'll need to look for a better instruction, maybe; it just depends on how the game is set up.

So, when you set a breakpoint, click the memory view window and hit CTRL+B, then select the breakpoint, left click and select "set/change breakpoint condition", then use the info from "see what accesses this address" to set a condition; i.e. EDX == 0xDEADBEEF. This will help with debugging.

Then (after removing the pre-existing breakpoint) you can select an instruction, left click and select "break and trace", and use the condition you used to get the right address. Then do the same for another entity and start comparing until you find a difference in the function chain (try it with "Step over instead of single step" to better see the calling functions).

And it helps if you back-trace how the pointer chain is set up in the opcode and make a pointer to start comparing addresses and registers. But you have to just "figure out" the different object/class structures to find the pointers and offsets.
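An added example for the comparison step described in the post above (this is editorial example code, not a script from this thread or from any of TheyCallMeTim13's tables). Instead of a conditional breakpoint, the hook below logs the registers at the injection point into a ring buffer in allocated memory every time the instruction fires, so the slots written during a player gold change can be compared against the slots written during an enemy gold change without stopping the game. The module name Game.exe, the injection address, the six original bytes and the original instructions shown at o_code are placeholders that have to be replaced with the real injection point; nothing else depends on the game.

```asm
// Cheat Engine Auto Assembler script. ADDED EXAMPLE, not from the thread.
{$STRICT}

// PLACEHOLDERS: real injection address and its original bytes go here.
// The original code is assumed to be:  mov [edx+ecx*4],eax ; mov eax,[ebp+08]
define(address, Game.exe+123456)
define(bytes, 89 04 8A 8B 45 08)

[ENABLE]
assert(address, bytes)

alloc(memRegLog, 0x1000, address)

label(logCount)
label(logBuf)
registerSymbol(logCount)
registerSymbol(logBuf)

label(n_code)
label(o_code)
label(exit)
label(return)

memRegLog:
	logCount:
		dd 0            // how many times the hook fired; slot = logCount & 1F
	align 10 CC
	n_code:
		pushfd          // and/shl/inc below change EFLAGS; give the game its flags back
		push ebx
		push edi
		push eax
		// stack now: [esp]=eax  [esp+4]=edi  [esp+8]=ebx  [esp+C]=eflags
		mov ebx,[logCount]
		and ebx,1F      // 32 slots, then wrap around
		shl ebx,5       // 0x20 bytes per slot
		mov edi,logBuf
		add edi,ebx     // edi = address of this slot
		mov [edi],eax
		mov [edi+4],ecx
		mov [edi+8],edx
		mov [edi+C],esi
		mov eax,[esp+4]
		mov [edi+10],eax   // original edi
		mov eax,[esp+8]
		mov [edi+14],eax   // original ebx
		mov [edi+18],ebp
		mov eax,[ebp+08]
		mov [edi+1C],eax   // first stack argument of the current frame
		inc dword ptr [logCount]
		pop eax
		pop edi
		pop ebx
		popfd
	o_code:
		mov [edx+ecx*4],eax   // original code (assumed placeholder)
		mov eax,[ebp+08]      // original code (assumed placeholder)
	exit:
		jmp return
	align 10 CC
	logBuf:
		dd 0            // 32 * 0x20 bytes follow; alloc() memory starts zero-filled

address:
	jmp n_code
	nop
	return:

[DISABLE]
address:
	db bytes

unregisterSymbol(logCount)
unregisterSymbol(logBuf)
dealloc(memRegLog)
```

Usage: add logCount and a few 4-byte entries at logBuf, logBuf+4, ... to the table, note the value of logCount, do something that only changes your own gold, note the slots that were filled, then let an enemy's gold change and compare the same columns. A column that holds one value for every player write and a different value for every enemy write (typically one of the register columns, not the [ebp+08] column, which is a stack temporary) is the candidate entity base to compare against in the real cheat.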


Post by pharaon » Wed Oct 03, 2018 9:44 am

TheyCallMeTim13 wrote:
Wed Oct 03, 2018 1:19 am
So, when you set a breakpoint, click the memory view window and hit CTRL+B, then select the breakpoint, left click and select "set/change breakpoint condition", then use the info from "see what accesses this address" to set a condition; i.e. EDX == 0xDEADBEEF. This will help with debugging.
Let me check if I get this right:
1- Search for the gold address <<<< which is the address of the encrypted Gold value
2- Find out what opcode writes to this address, which is (mov [edx+ecx*4],eax) <<<< the opcode after encryption that writes to the address I found
3- So I go up in the code before the encryption and find out what writes to eax
4- Breakpoint that address (eax,[ebp+08]), which writes to many other addresses, with a conditional breakpoint

The question is, what condition should I use???
I can't use the address I got in the search because it belongs to the after-encryption opcode.
I can't define what other address I should condition on, since it writes to lots of addresses.

And when I go up the opcode chain I get this opcode: fmul dword ptr [ebp-14],
which writes to only one address (and that address's values keep changing), and therefore I can't separate my hero from the enemies since I don't have another address to compare with.


Post by TheyCallMeTim13 » Wed Oct 03, 2018 11:16 am

^ Learn more about the registers. There is more than one register at any instruction. And again, why are you so determined to use this exact spot for the injection? Try to find a different place to inject.
https://wiki.cheatengine.org/index.php? ... #Registers

EDIT:
If you can accurately describe/explain the stack, then you should be OK injecting there; but if you can't, you really should find a different spot.


Post by pharaon » Wed Oct 03, 2018 4:27 pm

TheyCallMeTim13 wrote:
Wed Oct 03, 2018 11:16 am
And again, why are you so determined to use this exact spot for the injection? Try to find a different place to inject.
What do you mean, a different place??
This is the call that is responsible for changing Gold.
If I go up I get an opcode that writes to one address, and a lot of functions write to the same address, so I can't separate myself from enemies.

So what other place do you mean?
The issue is to separate my hero from enemies, and the two ways I know to do this are by registers or by offsets.
For the offsets, I find that the offset values are changing, so I can't use them.
For registers, the opcode writes to many addresses, so I can't determine which address is mine and which is the enemies' to separate by register.

Is there another way to make the code apply cheated gold for only my hero and not enemies?


Post by pharaon » Wed Oct 03, 2018 8:54 pm

OK, that opcode
00DC0006 - fld dword ptr [ebp+08]

is responsible for setting the gold for me and enemies.

I did a script to get the address of ebp+8;

let's say it's 013FF454.

My gold and the enemies' gold are written to the same address,

and when I checked what writes to this address I got lots of opcodes.

So I breakpointed the opcode, and when it wrote my gold amount to the address I changed the value in the address, and it changed only for me.

So how can I do this in a script, I mean make it write the gold only for me without writing it to the enemies as well?


Post by TheyCallMeTim13 » Wed Oct 03, 2018 10:19 pm

pharaon wrote:
Wed Oct 03, 2018 4:27 pm

What do you mean, a different place??
...
I mean just that: find a different place. The instruction you're talking about uses the stack, and you don't seem to understand that, so it'd probably be best to move the injection point somewhere else. You will want to start reversing at the instruction you found, but you don't have to inject there.

pharaon wrote:
Wed Oct 03, 2018 4:27 pm
...
This is the call that is responsible for changing Gold.
If I go up I get an opcode that writes to one address, and a lot of functions write to the same address, so I can't separate myself from enemies.
...
You can't separate entities now, so what's the difference? And don't just look at the address accessed by the instruction; there are other registers. You can choose to read/write from/to whatever address you want in your injection code.

pharaon wrote:
Wed Oct 03, 2018 4:27 pm
...
So what other place do you mean?
The issue is to separate my hero from enemies, and the two ways I know to do this are by registers or by offsets.
For the offsets, I find that the offset values are changing, so I can't use them.
For registers, the opcode writes to many addresses, so I can't determine which address is mine and which is the enemies' to separate by register.
...
Anywhere that works. Start reversing how the function works, figure out how the functions that call it work, and just keep going.
The game separates entities, so somewhere/somehow you can; you just have to figure out how the game is doing it.

pharaon wrote:
Wed Oct 03, 2018 4:27 pm
...
Is there another way to make the code apply cheated gold for only my hero and not enemies?
Maybe. But mostly, just start reversing functions.

pharaon wrote:
Wed Oct 03, 2018 8:54 pm
OK, that opcode
00DC0006 - fld dword ptr [ebp+08]

is responsible for setting the gold for me and enemies.

I did a script to get the address of ebp+8;

let's say it's 013FF454.

My gold and the enemies' gold are written to the same address,

and when I checked what writes to this address I got lots of opcodes.

So I breakpointed the opcode, and when it wrote my gold amount to the address I changed the value in the address, and it changed only for me.
...
TheyCallMeTim13 wrote:
Wed Oct 03, 2018 11:16 am
^ Learn more about the registers. There is more than one register at any instruction. And again, why are you so determined to use this exact spot for the injection? Try to find a different place to inject.
https://wiki.cheatengine.org/index.php? ... #Registers
...
EBP: stack base pointer, for holding the address of the current stack frame.
fld dword ptr [ebp+08]: yes, this loads a value from the stack, so comparing it won't do any good. And a lot of opcodes will use the stack, so having lots of stuff writing to it is just how it works.
So you should also look into what the stack is.
https://wiki.cheatengine.org/index.php? ... rial:Stack

pharaon wrote:
Wed Oct 03, 2018 8:54 pm
...
So how can I do this in a script, I mean make it write the gold only for me without writing it to the enemies as well?
Just disable the cheat when it's not just you using the code. Basically the same thing you did there.


Post by pharaon » Wed Oct 03, 2018 11:37 pm

TheyCallMeTim13,

I really appreciate that you are trying to help me...

You are trying to guide me through the basics while I'm talking about some advanced level.

The basics I know, about the stack and registers,

but you just expect that if I know the basics I should know the advanced level as well.

Do you think out of this call there will be a register that holds my bare amount of Gold? Well, that is not true.
I break-and-traced so many times and got nothing.
I tried to check what values are being passed to that call before it is called and got nothing.

So back-tracing is a closed end for me.

I'm stuck in this call to find out how to separate it.

You keep talking about the stack.
This is the opcode of the function:
push ebp
mov ebp,esp
push ebx
push edi
mov eax,esi
call StrongholdBase.dll+2CDE90
call StrongholdBase.dll+2F22EC <<<< affects the display value only; NOPing it affects nothing in the game or Gold
fld dword ptr [ebp+08] <<<< the one that sets the Gold

So when you say find a different place, that would be going a level up before that call is called, which I did already before,
and got nothing, because none of the registers, when I breakpoint and step into them one by one, hold my gold or the enemies' gold.

So what are your suggestions?
What should I be looking for if I go before this call is made?


Post by TheyCallMeTim13 » Thu Oct 04, 2018 1:33 am

In the code for the display, you will be separated from other entities. Inject there; you'll need to reverse how the pointer is set up in the opcode to be able to use a base address to get to the gold amount. The instruction you posted deals with the stack; try to find the real address and not when it's stored on the stack.
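An added example that puts together the two pieces of advice in this thread: TheyCallMeTim13's earlier point that a shared "set value" hook only works if you store a base address and compare against it, and the post above, which says the player-only display code is where that base can be captured. This is editorial example code, not a script from the thread or from any of TheyCallMeTim13's tables. Everything game-specific is a placeholder: the module name Game.exe, both injection addresses, the original bytes at each, the original instructions reproduced in the hooks, and the assumption that EDX carries the entity object pointer at both spots; those have to come from break-and-trace in the real game. The pattern itself is what matters: hook 1 runs only for the player and stores the pointer, hook 2 runs for everyone and changes the value only when the pointer matches.

```asm
// Cheat Engine Auto Assembler script. ADDED EXAMPLE, not from the thread.
{$STRICT}

// Hook 1: a spot inside the player-only display code (PLACEHOLDER address/bytes).
// Assumed original code:  mov edx,[ecx+38] ; mov [esp],edx
define(injDisplay, Game.exe+111111)
define(bytesDisplay, 8B 51 38 89 14 24)

// Hook 2: the shared "set gold" write that fires for every entity (PLACEHOLDER).
// Assumed original code:  mov [edx+ecx*4],eax ; mov eax,[ebp+08]
define(injGold, Game.exe+222222)
define(bytesGold, 89 04 8A 8B 45 08)

[ENABLE]
assert(injDisplay, bytesDisplay)
assert(injGold, bytesGold)

alloc(memSep, 0x400, injGold)

label(ptrPlayerBase)
registerSymbol(ptrPlayerBase)
label(d_code)
label(d_return)
label(g_code)
label(g_skip)
label(g_orig)
label(g_return)

memSep:
	ptrPlayerBase:
		dd 0                      // stays 0 until hook 1 has fired once ("dq" on x64)
	align 10 CC
	d_code:
		mov edx,[ecx+38]          // original code (assumed placeholder)
		mov [ptrPlayerBase],edx   // display code only runs for the player: store its base
		mov [esp],edx             // original code (assumed placeholder)
		jmp d_return
	align 10 CC
	g_code:
		pushfd                    // cmp changes EFLAGS; restore them before the original code
		cmp edx,[ptrPlayerBase]   // is this write for the player? 0 before hook 1 ran => never
		jne g_skip
		mov eax,(int)99999        // cheated gold, applied to the player's write only
	g_skip:
		popfd
	g_orig:
		mov [edx+ecx*4],eax       // original code (assumed placeholder)
		mov eax,[ebp+08]          // original code (assumed placeholder)
		jmp g_return

injDisplay:
	jmp d_code
	nop
	d_return:

injGold:
	jmp g_code
	nop
	g_return:

[DISABLE]
injDisplay:
	db bytesDisplay
injGold:
	db bytesGold

unregisterSymbol(ptrPlayerBase)
dealloc(memSep)
```

Two checks worth doing before trusting a script like this: add ptrPlayerBase to the table and confirm it is non-zero and stable after the display code has run, and confirm with "find out what addresses this instruction accesses" on the shared write that the enemy writes really arrive with a different EDX. If the entity pointer sits in a different register, or is only reachable through an offset ([edx+10], say), the cmp operand changes accordingly; the flag save/restore and the "0 never matches" property of the stored pointer stay the same.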


Post by pharaon » Thu Oct 04, 2018 9:15 am

TheyCallMeTim13 wrote:
Thu Oct 04, 2018 1:33 am
Try to find the real address and not when it's stored on the stack.
That is true,
and you want me to find the address before it has been pushed onto the base pointer EBP, right?

Well, the problem is I can't define where and when exactly it is being pushed.
Do you know what would be the right way to do that? I can get the address of ebp+08, but that is in the stack.

In the display value call, this is the code:
StrongholdBase.std::_Mutex::_Mutex+676 - sub esp,08 { 8 }
StrongholdBase.std::_Mutex::_Mutex+679 - and esp,-08 { 248 }
StrongholdBase.std::_Mutex::_Mutex+67C - fstp qword ptr [esp]
StrongholdBase.std::_Mutex::_Mutex+67F - cvttsd2si eax,[esp]

and then EAX gets the display value, once for me and once for the other enemies.

And before the display and gold call I get this opcode:
StrongholdBase.StrongholdBase::Estate::GetKeep+2A45 - mov [esp],edx <<<< EDX always has the same address, with value 0

and before it this opcode:

StrongholdBase.StrongholdBase::Estate::GetKeep+2A40 - mov edx,[ebp-14]

So do you suggest I follow up before [ebp-14]?


Post by TheyCallMeTim13 » Thu Oct 04, 2018 12:25 pm

^ Find out where ebp+08 gets its value from. Something puts it on the stack, so try to find when it gets pushed.
