Script crashing game on activation after restart.

Post by Detrimantix » Sat Jul 21, 2018 11:55 pm

Hello all, looking for someone more experienced that can help me out as I can't for the life of me figure out what's causing the crash.



Basically, I located the address and altered it to do what I want it to do, but each time I restart the game, unless I perform the unaltered action first in game prior to activating the script, it crashes. But if I perform the action once, the script works fine. I'm hoping someone can shed some light as to why this is happening and how to fix it. I've included a picture showing the altered code causing the crash in question. Cheers!

[IMG]https://i.imgur.com/GluynQu.png[/IMG]

Post by TheyCallMeTim13 » Sun Jul 22, 2018 12:32 am

Does the code exist before the action is performed?

Do you just change bytes at an address or are you doing an AOB scan in a script?



EDIT: Seeing the unchanged opcode may also help.

Post by Detrimantix » Sun Jul 22, 2018 3:00 am

Sorry, I should have been a little more specific. The bytes in the picture are unchanged; a simple nop (db 90) does what I need it to do, and I am accessing it through aobscan. The only issue is that I need to perform said unchanged function in game on restart PRIOR to activating the script, or it crashes. Almost as if what I'm trying to inject into doesn't exist unless the game sees it first. Here is the code, to make it simpler.



[code]
[ENABLE]

aobscanmodule(INJECT,Game.exe,74 29 8B 86 EC 00 00 00)
registersymbol(INJECT)

INJECT:
  db 90 90

[DISABLE]

INJECT:
  db 74 29 8B 86 EC 00 00 00

unregistersymbol(INJECT)
[/code]

Post by FreeER » Sun Jul 22, 2018 3:30 am

I don't really see anything obvious... so maybe just add a flag that's 0 and test it in newmem: if it's 0, set it to 1 and jump to the original code (test+je); otherwise jump back after the injection, the same as if it was just a nop (probably easiest to inject at the original test rather than the je).

That way the hack doesn't start until after the original code has run once (and presumably done some initialization etc. that prevents it from crashing later).

Post by koderkrazy » Sun Jul 22, 2018 3:42 am

The AOB (74 29 8B 86 EC 00 00 00) that you are using for the scan looks too short to be unique.

Restart the game, but don't do the action in game.

Then do a manual AOB scan like this (make sure the Writable checkbox is a black square):

[IMG]https://image.ibb.co/iP3Egy/Aob_Scan_Unique.jpg[/IMG]

See how many addresses you get.

Now do the action in game and click 'First Scan' again, and see how many results you get.

Both times you should get only one result.

Post by Detrimantix » Sun Jul 22, 2018 4:59 am

@FreeER: I think I understand what you mean, but I'm not sure of the best way to go about that; still got a lot to learn. Do you mind showing me an example?

@koderkrazy: You were right, I was coming up with more than one address, but the one I wanted was the first one that shows up each time, so the result is the same. Even with a longer AOB string and only one result, I get crash and burn.

Also, to specify further, the game crashes when the button is pressed in game, not when the script is activated. And for what it's worth, jne seems to work as well as nopping the instruction. If anyone has any other ideas on how to get it to work, I'd be eternally grateful.

Post by koderkrazy » Sun Jul 22, 2018 6:02 am

Could you try nopping both the cmp and je instructions? Because cmp sets flags.

Provide the entire function implementation so that we get a better understanding.

1. Select the line [ICODE]cmp word ptr [esi+000000cc],14[/ICODE]
2. Right click and select 'Select current function'. If it isn't selecting the entire function, then select it manually from the start to the last ret instruction.
3. Go to menu 'File' -> 'Save disassembled output'.
4. Attach the text file here.



BTW, what game is this?
Last edited by koderkrazy on Sun Jul 22, 2018 6:08 am, edited 3 times in total.

Post by Detrimantix » Sun Jul 22, 2018 7:03 am

Sure thing boss, let me know if you need anything else. Nopping the compare flag still causes a crash; I've messed around with most of the opcodes in that area and I'm just lost. And the game I'm working on is Biohazard 3.
Last edited by Detrimantix on Sun Jul 22, 2018 7:13 am, edited 2 times in total.

Post by TheyCallMeTim13 » Sun Jul 22, 2018 11:31 am

You should refine your AOB so that you only get 1 result.

If the AOB comes up with multiple results, then if the code is JIT code it may not exist before some action, and you might be injecting in the wrong spot. I would make the AOB unique, then restart the PC and the game, then before doing anything scan for the AOB to see if it exists. The code could be reallocated and JITed for new levels and whatnot.



Do you use "INJECT" as a symbol anywhere else? The symbol name must be unique.

Before disabling the script, in the memory view form use "go to address" and input the "INJECT" symbol to see where the disabled code is written.



I like to not change the bytes, to just test the injection itself. So if this crashes then it's not the code; it's the injection spot, memory checks, or something else.

[CODE=cea][ENABLE]
aobscanmodule(INJECT,Game.exe,74 29 8B 86 EC 00 00 00 8B 8E E8 00 00 00 33 D2 C7 46 04 01 07 02 00)
registersymbol(INJECT)

INJECT:
  db 74 29

[DISABLE]
INJECT:
  db 74 29

unregistersymbol(INJECT)[/CODE]
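
The uniqueness check that koderkrazy and TheyCallMeTim13 both ask for, written out as an added Python example (it is not the forum's or Cheat Engine's own code): a small AOB scanner with "??" wildcards, run over a constructed byte blob that stands in for the Game.exe module range that aobscanmodule searches. The SAMPLE_MODULE bytes are invented for the demonstration; they contain the thread's 8-byte pattern twice, but only one copy is followed by the tail that the 23-byte pattern from the post above expects. The result is the difference between a pattern that can land on the wrong copy and one that cannot.

```python
import re
from typing import List, Optional

# Constructed sample "module image" (not real Game.exe bytes): the thread's
# 8-byte AOB appears twice, but only the second copy is followed by the longer
# tail that the 23-byte pattern expects.
MODULE_BASE = 0x00400000
SHORT_AOB = "74 29 8B 86 EC 00 00 00"
LONG_AOB = "74 29 8B 86 EC 00 00 00 8B 8E E8 00 00 00 33 D2 C7 46 04 01 07 02 00"

SAMPLE_MODULE = (
    b"\x55\x8b\xec"                          # push ebp / mov ebp,esp (filler prologue)
    + bytes.fromhex(SHORT_AOB.replace(" ", ""))  # first copy at offset 3
    + b"\x90" * 5                             # nops
    + b"\xc3" * 4                             # rets
    + bytes.fromhex(LONG_AOB.replace(" ", ""))   # second copy at offset 20
    + b"\xc3"
)


def parse_aob(aob: str) -> List[Optional[int]]:
    """Turn 'A9 ?? 00 80' into [0xA9, None, 0x00, 0x80]; None is a wildcard byte."""
    pattern: List[Optional[int]] = []
    for tok in aob.split():
        if tok in ("??", "?", "*", "**"):
            pattern.append(None)
        else:
            pattern.append(int(tok, 16))
    return pattern


def aob_regex(pattern: List[Optional[int]]) -> "re.Pattern[bytes]":
    """Compile the byte pattern as a zero-width lookahead so overlapping hits are counted too."""
    body = b"".join(b"." if b is None else re.escape(bytes([b])) for b in pattern)
    return re.compile(b"(?=" + body + b")", re.DOTALL)


def aob_scan(memory: bytes, aob: str, base: int = 0) -> List[int]:
    """Return every address (base + offset) at which the AOB matches inside memory."""
    rx = aob_regex(parse_aob(aob))
    return [base + m.start() for m in rx.finditer(memory)]


def is_unique(memory: bytes, aob: str) -> bool:
    """True only if the AOB matches exactly once: the property a script's aobscanmodule relies on."""
    return len(aob_scan(memory, aob)) == 1


if __name__ == "__main__":
    for name, aob in (("short", SHORT_AOB), ("long", LONG_AOB), ("wildcard", "74 ?? 8B 86 EC")):
        hits = aob_scan(SAMPLE_MODULE, aob, MODULE_BASE)
        print(f"{name:8s} {len(hits)} hit(s): {[hex(a) for a in hits]}")
```

Running it shows the 8-byte and wildcard patterns hitting at both 0x400003 and 0x400014 while the 23-byte pattern hits only at 0x400014. The same scan, repeated before and after the in-game action as koderkrazy describes, is how you tell "the pattern is ambiguous" apart from "the code is not there yet".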

Post by FreeER » Sun Jul 22, 2018 1:43 pm

While I'd recommend a more unique symbol name, the flag approach would be something like

[code]
[ENABLE]
// and yeah, it's best to have a unique aob just in case with modern games
// older ones without dynamic code won't care as long as it's the first (barring updates that could add or move things)
aobscanmodule(INJECT,Game.exe,A9 00 00 00 80 74 29 8B 86 EC 00 00 00 8B 8E E8 00 00 00 33 D2)
alloc(newmem,$1000,INJECT)
label(original)
label(flag)
label(return)
label(skip)

newmem:
  cmp dword ptr [flag],0
  jne skip // bypass original check
  // otherwise if 0 fall through to original
original:
  inc dword ptr [flag] // make it not be 0 in the future
  test eax,80000000 // original (overwritten) test
  jmp return // jump to original je

flag: // value indicating whether to run original check or not
  dd 0

INJECT:
  jmp newmem
return: // define label at je
return+2:
skip: // define label after je

registersymbol(INJECT)

[DISABLE]
INJECT:
  db A9 00 00 00 80

unregistersymbol(INJECT)
dealloc(newmem)
[/code]

Post by Detrimantix » Mon Jul 23, 2018 4:24 am

@TheyCallMeTim13: Tested that earlier on, and it doesn't crash with unaltered code, so it's not the injection point. I also tried a longer array-of-bytes string that turns up only one result each time, and it still causes a crash, unfortunately.

@FreeER: Thanks for typing that out. I understand it for the most part, just not sure how to really insert my own code into that so it checks that the code has been changed in game first. Sorry, still pretty new to assembly, please bear with me.

Post by FreeER » Mon Jul 23, 2018 3:36 pm

I'm not sure what you mean; you didn't describe your code checking anything, just nopping a je so it wasn't taken. The example provided does a similar thing, skipping the je and letting the code after it run, but only once a flag variable is not 0; when it is 0 (the first time) it increments it and does the original test and je.

So if you enable it and then click the button or whatever causes that code to run, the first time it'd do whatever it would have done without the hack, and every other time (until it's disabled and re-enabled) it'd skip the je.

Post by Detrimantix » Mon Jul 23, 2018 5:34 pm

Ah well when I tested the code you posted as is it crashed the game the same way, so I assumed I missed something and just didn't know how to implement it.

Post by FreeER » Mon Jul 23, 2018 5:50 pm

Well, it was worth a shot. The only other thing I can think of, without being able to test myself, would be changing it to run the original code multiple times, e.g. 5, 25, 100, etc., before doing the hack. Basically change the cmp to 0 to check that number, and then use jl rather than je. Though if the code only runs once when you click a button etc., then that doesn't make much sense to me.

Post by Detrimantix » Mon Jul 23, 2018 10:19 pm

@FreeER: Basically I'm trying to bypass a trigger for activation. Normally the function requires strict timing, so I wanted to skip the timing check and just have it activate on button press. It works, but again it only works if the function is performed once before injection, or else it crashes. My guess is something is loaded into memory when the function is performed, and I have to trace it somehow and inject that part first, but figuring out what gets loaded has been a headache. I just feel lost looking at the wall of functions. I'll try what you suggested though and see if it helps.

@koderkrazy: Did you have a chance to check that disassembled code, by any chance? I tried nopping the cmp and je simultaneously earlier and it had the same effect, by the way.
