Mono can't find address

Anything Cheat Engine related, bugs, suggestions, helping others, etc..
Bakfiets
Noobzor
Posts: 14
Joined: Mon Jul 03, 2017 6:56 pm
Reputation: 1

Mono can't find address

Post by Bakfiets » Sun Jul 16, 2017 8:08 am

I have been at a 'godmode' script for a week now, and yesterday it finally finished.
After testing it one last time this morning before uploading, the Mono features are suddenly broken.

I have the address called HealthHandler:sendDamage+4af. This address has worked for a week, through computer restarts, and without any problems. This morning, however, it suddenly stopped working.
The script enables but doesn't inject when using the Mono address, but it DOES when I scan for the AOB.
Using "go to address" in the disassembler with "HealthHandler:sendDamage+4af" takes me to a different address, not even close to where I want to be. If I use the AOB then it puts me at the right address.
Does anyone have any ideas or suggestions?

define: [screenshot]

aobscan: [screenshot]

script:

Code:

{ Game   : STRAFE.exe
  Version: 1.0.6
  Date   : 2017-07-15
  Author : Bakfiets

  This script allows two 'godmode' functions to be activated
  1) Infinite HP (prevent health damage)
  2) One-shot-kill
}
USEMONO()
define(SENDDAMAGE_MANIPULATION,HealthHandler:sendDamage+4af)
//aobscan(SENDDAMAGE_MANIPULATION,F3 0F 11 A8 84 00 00 00 48 8B 85 D0 FE FF FF 48 8B 40 40 48 85 C0 74 26) // should be unique

[ENABLE]
alloc(code,$1024,0099B17F)
alloc(INF_HP_ENABLED,1)
alloc(ONE_SHOT_ENABLED,1)
alloc(ONE_SHOT_DAMAGE,1)
label(originalcode)
label(return)
label(one_shot)


ONE_SHOT_DAMAGE:
dd 0

INF_HP_ENABLED:
db 0

ONE_SHOT_ENABLED:
db 0

code:
  cmp [rax+90],42c80000 // _initialhealth == (int)100
  jne one_shot //If not 100, jump to one-shot
  cmp [rax+8C],01 // _canHeal == (int)1
  jne originalcode // Second check for monster
  cmp [INF_HP_ENABLED],0
  je originalcode
  //movss [rax+00000084],xmm5
  jmp return

one_shot:
  cmp [ONE_SHOT_ENABLED],0
  je originalcode
  movss xmm5,[ONE_SHOT_DAMAGE]
  je originalcode

originalcode:
  movss [rax+00000084],xmm5
  jmp return

SENDDAMAGE_MANIPULATION:
  jmp code
  nop
  nop
  nop

return:




registersymbol(SENDDAMAGE_MANIPULATION)
registersymbol(INF_HP_ENABLED)
registersymbol(ONE_SHOT_ENABLED)

[DISABLE]
SENDDAMAGE_MANIPULATION:
  db F3 0F 11 A8 84 00 00 00


unregistersymbol(SENDDAMAGE_MANIPULATION)
dealloc(code)

{
// ORIGINAL CODE - INJECTION POINT: 0099B17F

""+99B14A: 48 89 85 48 FF FF FF           -  mov [rbp-000000B8],rax
""+99B151: 48 8B 85 48 FF FF FF           -  mov rax,[rbp-000000B8]
""+99B158: 48 8B C8                       -  mov rcx,rax
""+99B15B: F3 0F 10 81 84 00 00 00        -  movss xmm0,[rcx+00000084]
""+99B163: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
""+99B167: 48 8B 8D C8 FE FF FF           -  mov rcx,[rbp-00000138]
""+99B16E: F3 0F 10 49 08                 -  movss xmm1,[rcx+08]
""+99B173: F3 0F 5A C9                    -  cvtss2sd xmm1,xmm1
""+99B177: F2 0F 5C C1                    -  subsd xmm0,xmm1
""+99B17B: F2 0F 5A E8                    -  cvtsd2ss xmm5,xmm0
// ---------- INJECTING HERE ----------
""+99B17F: F3 0F 11 A8 84 00 00 00        -  movss [rax+00000084],xmm5
// ---------- DONE INJECTING  ----------
""+99B187: 48 8B 85 D0 FE FF FF           -  mov rax,[rbp-00000130]
""+99B18E: 48 8B 40 40                    -  mov rax,[rax+40]
""+99B192: 48 85 C0                       -  test rax,rax
""+99B195: 74 26                          -  je HealthHandler:sendDamage+4ed
""+99B197: 48 8B 85 D0 FE FF FF           -  mov rax,[rbp-00000130]
""+99B19E: 48 8B 40 40                    -  mov rax,[rax+40]
""+99B1A2: 48 8B C8                       -  mov rcx,rax
""+99B1A5: 48 83 EC 20                    -  sub rsp,20
""+99B1A9: 83 38 00                       -  cmp dword ptr [rax],00
""+99B1AC: 49 BB C0 E3 97 52 00 00 00 00  -  mov r11,UnityEngine.Events:UnityEvent:Invoke
}

Squall8
Expert Cheater
Posts: 106
Joined: Fri Mar 03, 2017 7:43 am
Reputation: 28

Re: Mono can't find address

Post by Squall8 » Sun Jul 16, 2017 9:17 am

I tend not to over-rely on mono, especially in my scripts. It's good for using as a reference to find a specific assembly region and dissecting structures. From there you can debug as normal to see if any instruction you found would be viable. Then write your script out through a simple aob injection.

But if you're dead set on keeping it that way, try a couple things:

Code:

1.
Replace - alloc(code,$1024,0099B17F)
with
alloc(code,$1024,STRAFE.exe)
----------------------------------------------------
2.
ONE_SHOT_DAMAGE:
dd 0  //

INF_HP_ENABLED:
db 0  //    Use "dq 0".  Being a 64bit process.

ONE_SHOT_ENABLED:
db 0  //
----------------------------------------------------
3.
alloc(INF_HP_ENABLED,1)  //
alloc(ONE_SHOT_ENABLED,1)  // alloc(ONE_SHOT_ENABLED,8)  //Allocate more memory.
alloc(ONE_SHOT_DAMAGE,1)  //
----------------------------------------------------
4. Double check the flow of your script. I only really took a quick look at it. But make sure everything in there has a chance to execute, nothing gets skipped over (it happens easier than you might think).

Bakfiets
Noobzor
Posts: 14
Joined: Mon Jul 03, 2017 6:56 pm
Reputation: 1

Re: Mono can't find address

Post by Bakfiets » Mon Jul 17, 2017 5:11 pm

Hey Squall,

Thanks for the general tips, those are really helpful!
I had tried allocating to STRAFE.exe before but it would never activate; somehow it does now.

The reason I wanted to use Mono features is because it would JIT the necessary parts(?), thus not having to take damage before being able to enable the cheat. I also noticed the missing deallocs, but apart from that I can't find any fault in the code that could trigger it not working with Mono, but working with AOBScan (unless I don't understand some intricacies).

Squall8
Expert Cheater
Posts: 106
Joined: Fri Mar 03, 2017 7:43 am
Reputation: 28

Re: Mono can't find address

Post by Squall8 » Mon Jul 17, 2017 5:30 pm

Try using this instead of USEMONO().

Code:

[ENABLE]
{$lua}
LaunchMonoDataCollector()
{$asm}
Also another workaround would be to find an instruction that constantly updates.

Bakfiets
Noobzor
Posts: 14
Joined: Mon Jul 03, 2017 6:56 pm
Reputation: 1

Re: Mono can't find address

Post by Bakfiets » Tue Jul 18, 2017 6:09 pm

Squall8 wrote:
Mon Jul 17, 2017 5:30 pm
Try using this instead of USEMONO().

Code:

[ENABLE]
{$lua}
LaunchMonoDataCollector()
{$asm}
Also another workaround would be to find an instruction that constantly updates.
That's funny, this works (for the moment). I thought USEMONO() is equal to the lua call. Guess not?
*edit* aaaand it stopped working after a couple of restarts. Guess I'll keep it on aobscan :/

FreeER
Cheater
Posts: 31
Joined: Fri Mar 10, 2017 7:11 pm
Reputation: 1

Re: Mono can't find address

Post by FreeER » Tue Jul 18, 2017 6:40 pm

Bakfiets wrote:
Tue Jul 18, 2017 6:09 pm
I thought USEMONO() is equal to the lua-call. Guess not?
For the record USEMONO is equivalent to the monoAA_USEMONO function (registered as an AA command in mono_initialize) in monoscript.lua, which mostly just calls LaunchMonoCollector with some error checking...
monoAA_USEMONO:

Code:

function monoAA_USEMONO(parameters, syntaxcheckonly)
  --called whenever an auto assembler script encounters the USEMONO() line
  --the value you return will be placed instead of the given line
  --In this case, returning an empty string is fine
  --Special behaviour: Returning nil, with a secondary parameter being a string, will raise an exception on the auto assembler with that string

  --another example:
  --return parameters..":\nnop\nnop\nnop\n"
  --you'd then call it using usemono(00400500) for example

  if (syntaxcheckonly==false) and (LaunchMonoDataCollector()==0) then
    return nil,translate("The mono handler failed to initialize")
  end

  return "" --return an empty string (removes it from the internal aa assemble list)
end
I don't know mono very well, so I can't really offer any help here (though it does sound a bit like there could be multiple functions with the same name and you're getting whichever one was loaded first...)

Bakfiets
Noobzor
Posts: 14
Joined: Mon Jul 03, 2017 6:56 pm
Reputation: 1

Re: Mono can't find address

Post by Bakfiets » Tue Jul 18, 2017 7:16 pm

I guess that must be it, FreeER.. After checking "instances of class", the list is too long to even start counting. Seems like everything (including separate body parts) in this game has a healthHandler attached to it :/

FreeER
Cheater
Posts: 31
Joined: Fri Mar 10, 2017 7:11 pm
Reputation: 1

Re: Mono can't find address

Post by FreeER » Tue Jul 18, 2017 8:05 pm

The number of instances shouldn't directly matter, at least in theory, since they would use the same function/code, it's just if you had different functions named the same thing, aka "function overloading", and taking different arguments... IF that's the issue then this may help http://forum.cheatengine.org/viewtopic.php?p=5659563
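As an added illustration of the overload point FreeER raises here (and of the LaunchMonoDataCollector() call shown in the monoAA_USEMONO listing above), this Cheat Engine Lua snippet is not from any poster in this thread. It enumerates every method named sendDamage on the HealthHandler class, prints each one's signature, picks the overload with the wanted number of parameters, forces it through the JIT and registers the resulting native address as a symbol that an auto-assembler script can use instead of the ambiguous "HealthHandler:sendDamage" name. The function names follow Cheat Engine's monoscript.lua (mono_findClass, mono_class_enumMethods, mono_method_getSignature, mono_compile_method); the empty namespace, the parameter count of 2 and the symbol name sendDamage_2args are assumptions for illustration.

```lua
-- Added example, not code from this thread. Assumes Cheat Engine's mono
-- Lua API (monoscript.lua) is loaded and the target process is attached.

-- Start the mono data collector; 0 means it failed (same check USEMONO() does).
if LaunchMonoDataCollector() == 0 then
  error("mono data collector failed to start")
end

-- Return the method id of the overload of classname:methodname that takes
-- exactly wantedParamCount parameters, or nil if none matches.
local function findOverload(namespace, classname, methodname, wantedParamCount)
  local class = mono_findClass(namespace, classname)
  if class == nil or class == 0 then
    return nil
  end
  for _, m in ipairs(mono_class_enumMethods(class)) do
    if m.name == methodname then
      -- mono_method_getSignature returns: table of parameter names,
      -- comma-separated parameter types, return type
      local paramnames, paramtypes, returntype = mono_method_getSignature(m.method)
      print(string.format("%s:%s(%s) -> %s", classname, m.name, paramtypes, returntype))
      if #paramnames == wantedParamCount then
        return m.method
      end
    end
  end
  return nil
end

-- Namespace "" and the parameter count 2 are assumptions for this example.
local method = findOverload("", "HealthHandler", "sendDamage", 2)
if method then
  -- Force the JIT to compile this specific overload and get its native entry.
  local address = mono_compile_method(method)
  -- Register a symbol the AA script can reference, e.g. sendDamage_2args+4af.
  registerSymbol("sendDamage_2args", address)
  print(string.format("sendDamage overload with 2 parameters at %X", address))
else
  print("no matching sendDamage overload found")
end
```

Run it from the Lua engine window (or in a {$lua} block at the top of the [ENABLE] section) before the injection lines; the printed signatures show which overloads exist, so the parameter count can be adjusted to the one whose disassembly contains the movss instruction being patched.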

Squall8
Expert Cheater
Posts: 106
Joined: Fri Mar 03, 2017 7:43 am
Reputation: 28

Re: Mono can't find address

Post by Squall8 » Wed Jul 19, 2017 1:07 am

@FreeER
Thanks for the info. I thought they were a bit different.

@Bakfiets
I've been working on quite a few mono games lately (not by choice lol). I'll work on some this weekend and see what I can come up with regarding this issue.

Bakfiets
Noobzor
Posts: 14
Joined: Mon Jul 03, 2017 6:56 pm
Reputation: 1

Re: Mono can't find address

Post by Bakfiets » Wed Jul 19, 2017 5:44 pm

FreeER wrote:
Tue Jul 18, 2017 8:05 pm
The number of instances shouldn't directly matter, at least in theory, since they would use the same function/code, it's just if you had different functions named the same thing, aka "function overloading", and taking different arguments... IF that's the issue then this may help http://forum.cheatengine.org/viewtopic.php?p=5659563
You are making a terrible amount of sense. It indeed has 1 overloading method (or 2, perspectives ;P)
A quick scan of the topic reveals it's an interesting one to read, thank you!

I will certainly post the progress once I can get my hands free from work projects.

@squall8 good luck! May the mono treat you gently, she's a hard mistress. But you have to give her credit for spilling all her junk on demand.
